CSS Injection

Check List

Methodology

Black Box

Country Parameter

1

Log into the target site and intercept requests using the Burp Suite tool

2

Then examine the requests and look for the country parameter, as shown below

https://example.com/search?q=a&country=BR
3

In the request, modify the country parameter to a random value and observe its reflection in a style attribute like this

<div class="language" style="background-image: url(/BR.svg)"><div>
4

If the parameter value is reflected inside parentheses (..), we can escape them using the ; character, write a new style, and send the following malicious request

https://example.com/search?q=a&country=BR'); width: 9999px; height: 9999px; background: red; //
5

If the page's appearance changes, the parameter is confirmed to be vulnerable, and the injected value appears in the HTML as follows

<div class="language" style="background-image: url(/BR.svg'); width: 9999px; height: 9999px; background: red; //)"><div>
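
The server-side fix for the reflection tested in steps 3 to 5, as an added example that is not part of the original page: the vulnerable concatenation beside an allowlisted version, plus a regression check that lists anything unexpected in the rendered style attribute. The allowlist contents, the "default" fallback and all function names are assumptions made for illustration.

```javascript
// Added example (not from the original page). ALLOWED_COUNTRIES, the "default"
// fallback and every function name here are assumptions for illustration.
const ALLOWED_COUNTRIES = new Set(["BR", "US", "DE", "FR"]); // constructed sample list

// Vulnerable pattern: the raw parameter is concatenated into the style attribute.
function renderVulnerable(country) {
  return `<div class="language" style="background-image: url(/${country}.svg)"></div>`;
}

// Hardened pattern: only an exact allowlisted code reaches the markup. Anything
// else (wrong type such as an array, wrong case, extra characters) maps to a
// fixed fallback, so no user-supplied character is ever written into the CSS.
function renderHardened(country) {
  const safe =
    typeof country === "string" && ALLOWED_COUNTRIES.has(country) ? country : "default";
  return `<div class="language" style="background-image: url(/${safe}.svg)"></div>`;
}

// Regression check: split the first style attribute on ";" and return every
// part whose property name the template never intended to emit. This naive
// splitter is sufficient for a template that writes a single declaration.
function unexpectedStyleParts(html, expected = ["background-image"]) {
  const match = /style="([^"]*)"/.exec(html);
  if (!match) return [];
  return match[1]
    .split(";")
    .map((decl) => decl.split(":")[0].trim().toLowerCase())
    .filter((name) => name !== "" && !expected.includes(name));
}

// Parameter value taken from the request shown in step 4 of the page.
const PAGE_PAYLOAD = "BR'); width: 9999px; height: 9999px; background: red; //";

console.log("vulnerable:", unexpectedStyleParts(renderVulnerable(PAGE_PAYLOAD)));
console.log("hardened:  ", unexpectedStyleParts(renderHardened(PAGE_PAYLOAD)));
console.log("legitimate:", unexpectedStyleParts(renderHardened("BR")));
```

The same check can run in an integration test against the real response body, so a template change that reintroduces raw reflection fails the build.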

Base CSS injection

1

Access the target application

2

Navigate to the target page by clicking the relevant button

3

Observe the HTTP GET for /Home/TargetPage, and inspect the rendered form where the user can change “Color” and “Tag” of a text in that page

4

Submit the form with benign inputs (Color = “green”, Tag = “h3”) and inspect the HTTP POST to /Home/TargetPage. Confirm that the submitted values are reflected in the response HTML

5

Test for injection by providing a payload like "><h1>CSSInjection in the Color and Tag fields. Observe that the Color field is used without validation, whereas the Tag input is validated

6

Refine the payload to something like \" onclick=prompt(8)> in the Color field to verify reflected XSS within the CSS context or style attribute

7

Exploit the CSS injection: inject attacker-controlled CSS via the Color or style field and observe its effect on page rendering (overriding styles, altering visual appearance)


Potential XSS

1

Identify the target resource and confirm that this URL accepts user-controlled input that could potentially lead to CSS injection. The test could be like this

https://example.com/landings/libs/alert/alerts/exitpopup74/exit-popup.php?root=https://+YOUR SERVER+/&lang=en
2

On the attacker’s server, create the exit-popup.css file and insert the following code to test the CSS injection

div {
 background-image: url("https://media.giphy.com/media/SggILpMXO7Xt6/giphy.gif");
 background-color: #cccccc;
}
3

Observe whether custom CSS is applied or reflected back — check for injected styles altering page rendering


White Box

Cheat Sheet
