Page 1 of 1

Stealing Data With CSS: Attack and Defense

Posted: Sat Feb 17, 2018 11:44 pm
by morganism
CSS exfil

this didn't come up in search, so will post ... nd-defense

"By utilizing CSS alone, browser protections like NoScript can't block the egress of data (although NoScript's XSS auditor is more effective than Chrome at blocking some of the injection Proof of Concept attacks detailed below).

While CSS injection is not a new vulnerability, using CSS as the sole attack vector to reliably exfiltrate data - to my knowledge - has never been presented. I am also not aware of any effective method previously documented to guard end users against such attack - other than to block CSS, which is not a practical solution.