Cascading Style Sheet (CSS) Injection
Overview

Cascading style sheet (CSS) injection may occur when user- or attacker-controlled input is later incorporated, without being encoded, into a style attribute in the web server's response. In other words, the attacker can send input which is later incorporated into the web page the user receives.

Discovery Methodology

Inject every available parameter of the web page with a searchable string, such as the word "CANARY", together with characters generally useful in writing HTML, JavaScript or other code. Search the response carefully, noting any location where the test string appears unencoded inside a style attribute. These locations may allow CSS injection.

Hint: An example injection might be <CANARY={}""()'';#$--/>1. Appending a sequential integer to the test input for each parameter helps determine which of the input parameters produced the string found in the response.

Exploitation

Determine the prefix and suffix needed to make the injected code "fit" syntactically, then add a payload between them. Inject the exploit.

Example

Target: <body style="color:#{dynamic input}">

Possible solution: style="<body color:#""><H1>HELLO WORLD</H1>< anything="">

Videos

Cross-Site Scripting: Part 1 - What is Reflected XSS?
Cross-Site Scripting: Part 2 - What is DOM-based XSS?
Cross-Site Scripting: Part 3 - What is Persistent XSS?
Cross-Site Scripting: Part 4 - How Output Encoding Stops XSS
Cross-Site Scripting: Part 5 - How to Test Output Encoding
What is Content Security Policy? - Part 1
What is Content Security Policy? - Part 2
What is Content Security Policy? - Part 3
What is Content Security Policy? - Part 4
What is Content Security Policy? - Part 5
Content Security Policy: Script Source (script-src)
How to Set HTTP Headers Using Apache Server
Check HTTP Headers with cURL
How to Check HTTP Headers (Command Line)
How to Check HTTP Headers from Browser
Cookies: Part 1 - How HTTPOnly Works
What is the XSS Protection Header?
Check for Vulnerable Libraries in Your Web Application
How to Enable Apache Mod-Headers
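The following is an added example, not code from the original page. It shows the discovery check described above (find where the CANARY test string is reflected unencoded inside a style attribute, using the sequential integer to identify the parameter) next to the fix the page's example target needs: a CSS-context output encoder applied before the value is interpolated into the style attribute. The templates, the six-hex-digit escape format, the marker name and the function names are assumptions made for this example; the sample responses are constructed here.

```python
import re

# Characters that change meaning inside CSS or an HTML attribute; if any of
# these survive a reflection raw, the encoding step is missing.
SPECIALS = set('{}()"\'<>;#$/')
STYLE_OPEN = re.compile(r'style\s*=\s*(["\'])', re.IGNORECASE)


def css_encode(value: str) -> str:
    """Escape every character outside [A-Za-z0-9] as a six-digit CSS hex
    escape (\\HHHHHH). The output contains only letters, digits and
    backslashes, so it needs no further quoting inside an HTML attribute."""
    return "".join(ch if (ch.isascii() and ch.isalnum()) else "\\%06X" % ord(ch)
                   for ch in value)


def canary_payload(index: int) -> str:
    """The page's hint string with a sequential integer appended, so each
    reflected copy can be traced back to the parameter that produced it."""
    return "<CANARY={}\"\"()'';#$--/>%d" % index


# Constructed templates for the page's example target: the first interpolates
# the user value raw, the second applies css_encode() first.
def render_vulnerable(user_color: str) -> str:
    return '<body style="color:#%s"><h1>Hi</h1></body>' % user_color


def render_hardened(user_color: str) -> str:
    return '<body style="color:#%s"><h1>Hi</h1></body>' % css_encode(user_color)


def inside_style_attr(head: str) -> bool:
    """True if `head` (the response text before a reflection point) ends
    inside an open style attribute value, i.e. the last style= quote has
    not been closed yet."""
    last = None
    for last in STYLE_OPEN.finditer(head):
        pass
    return last is not None and last.group(1) not in head[last.end():]


def find_unencoded_canary(response: str, marker: str = "CANARY"):
    """Return (parameter_index, raw_special_chars) for each reflection of the
    canary that sits inside a style attribute and still contains at least one
    special character unencoded. Reflections whose specials were turned into
    \\HHHHHH escapes, or that land outside a style attribute, are not reported.
    The trailing sequential integer must be present for a reflection to match."""
    tail = re.compile(re.escape(marker) + r"((?:\\[0-9A-Fa-f]{6}|[^A-Za-z0-9])*)(\d+)")
    findings = []
    for m in tail.finditer(response):
        if not inside_style_attr(response[:m.start()]):
            continue
        raw = "".join(ch for ch in m.group(1) if ch in SPECIALS)
        if raw:
            findings.append((int(m.group(2)), raw))
    return findings


if __name__ == "__main__":
    probe = canary_payload(1)
    print("vulnerable:", find_unencoded_canary(render_vulnerable(probe)))
    print("hardened:  ", find_unencoded_canary(render_hardened(probe)))
```

The check only flags a reflection when it is both inside an open style attribute and carrying raw special characters, which mirrors the two conditions in the methodology; a canary echoed into body text, or one whose quotes, braces and angle brackets come back as hex escapes, is not a finding. The encoder is deliberately conservative: everything that is not an ASCII letter or digit is escaped, so the value cannot close the attribute or start a new CSS declaration whatever the surrounding template looks like.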