Cross Site Scripting in CSS Stylesheets

Cross-site scripting (XSS) is a technique that allows an attacker to inject malicious code into a web page, which can then be executed by users who visit the page. CSS stylesheets are typically used to define the visual appearance of a page, but it is possible to use them to inject malicious code as well.

How is XSS possible in a CSS stylesheet?

There are a few ways to inject malicious code into a CSS stylesheet. One way is to use the expression(...) directive, which allows you to evaluate arbitrary JavaScript statements and use their value as a CSS parameter. Another way is to use the url('javascript:...') directive on properties that support it. Finally, you can also invoke browser-specific features, such as the -moz-binding mechanism of Firefox, to inject malicious code.

What are the risks of XSS in CSS stylesheets?

XSS in CSS stylesheets can be used to carry out a variety of attacks, including:

• Stealing user credentials
• Redirecting users to malicious websites
• Defacing websites
• Launching denial-of-service attacks

How can you prevent XSS in CSS stylesheets?

There are a few things you can do to prevent XSS in CSS stylesheets, including:

• Validate CSS stylesheets to ensure that they do not contain malicious code.
• Disable the expression(...) directive in your browser.
• Set the Content-Security-Policy header on your website to restrict the execution of inline scripts.
• Use a web application firewall to block malicious requests.

Additional resources

• [Browser Security Handbook: JavaScript Execution from CSS](https://www.owasp.org/index.php/Browser_Security_Handbook#JavaScript_execution_from_CSS)
• [Using Javascript in CSS](https://stackoverflow.com/questions/1204273/using-javascript-in-css)
• [Generic Cross-Browser Cross-Domain CSS Request Deception](http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html)