Stealing Data With CSS: Attack and Defense

Talk about internet security, computer security, personal security, your social security number...

Stealing Data With CSS: Attack and Defense

Postby morganism » Sat Feb 17, 2018 11:44 pm

CSS exfil

this didn't come up in search, so will post

"By utilizing CSS alone, browser protections like NoScript can't block the egress of data (although NoScript's XSS auditor is more effective than Chrome at blocking some of the injection Proof of Concept attacks detailed below).

While CSS injection is not a new vulnerability, using CSS as the sole attack vector to reliably exfiltrate data - to my knowledge - has never been presented. I am also not aware of any effective method previously documented to guard end users against such attack - other than to block CSS, which is not a practical solution.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20130410 Firefox/23.0
Senior Member
Posts: 107
Joined: Tue Nov 26, 2013 9:44 pm

Return to Security

Who is online

Users browsing this forum: No registered users and 1 guest