Stealing Data With CSS: Attack and Defense

Talk about internet security, computer security, personal security, your social security number...
Post Reply
Senior Member
Posts: 118
Joined: Tue Nov 26, 2013 9:44 pm

Stealing Data With CSS: Attack and Defense

Post by morganism » Sat Feb 17, 2018 11:44 pm

CSS exfil

this didn't come up in search, so will post ... nd-defense

"By utilizing CSS alone, browser protections like NoScript can't block the egress of data (although NoScript's XSS auditor is more effective than Chrome at blocking some of the injection Proof of Concept attacks detailed below).

While CSS injection is not a new vulnerability, using CSS as the sole attack vector to reliably exfiltrate data - to my knowledge - has never been presented. I am also not aware of any effective method previously documented to guard end users against such attack - other than to block CSS, which is not a practical solution.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20130410 Firefox/23.0

Post Reply