Input Validation / CSS Injection (Reflected)
CSS Injection (reflected) is an input validation vulnerability that occurs when an application places input from a web or API user into a page's style sheet without validating it. The attacker-supplied CSS is reflected back in the response and applied when the victim's browser renders the page. It is classified as a CWE-79 ‘Improper Neutralization of Input During Web Page Generation’ vulnerability and is stated as a ‘top 10’ risk in the OWASP Testing Guide. CSS injection can allow malicious users to manipulate the design elements of a web page, or even steal sensitive information such as user login credentials.
CSS Injection (reflected) is considered a high-risk vulnerability because it can be used to manipulate the user interface of a web application, or even to steal sensitive information. All user input must be validated before it reaches a style sheet so that attacker-controlled CSS cannot be inserted into the page.
The solution to CSS Injection (reflected) is to ensure that all user input is properly validated. This can be done with an allowlist that permits only a fixed set of characters or values in a particular field, or with a regular expression that accepts only well-formed input. Additionally, any user-supplied data should be encoded or escaped for the context in which it is rendered (here, a quoted CSS string) before it is written into the page.
The following example is taken from CVE-2020-6483, where a reflected CSS injection vulnerability was found in a web application.
<html>
<body>
<script>
document.write("<h1>Hello World</h1>");
</script>
<style>
/* User-supplied data written directly into a CSS string, with no validation or escaping */
body {
  background-image: url('<?php echo $_GET['image']; ?>');
}
</style>
</body>
</html>
In this example, the application writes the unvalidated image query parameter straight into the background-image declaration. A malicious user can therefore inject arbitrary CSS into the page, which can then be used to modify the page's design or even steal user credentials.
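The remediation described above (an allowlist check on the parameter, followed by escaping for the CSS string context) can be shown side by side with the vulnerable pattern. The following Python is an added example written for this page; it is not code from the affected application or from the CVE, and the image file-name allowlist, the /images/ path prefix and the default.png fallback are assumptions chosen for illustration.

```python
import re

# Allowlist (assumed policy): a bare image file name with a known extension,
# no path separators, no scheme, no quotes or parentheses.
IMAGE_NAME_RE = re.compile(r'^[A-Za-z0-9_-]{1,64}\.(png|jpe?g|gif|webp)$')


def validate_image_name(value):
    """Return the value unchanged if it matches the allowlist, else None."""
    if IMAGE_NAME_RE.fullmatch(value):
        return value
    return None


def css_escape_string(value):
    """Escape a value for use inside a quoted CSS string literal.

    Every character that is not an ASCII letter or digit is emitted as a
    CSS hex escape followed by a space, so quotes, parentheses, backslashes,
    newlines and '<' (which could otherwise end the <style> element) can no
    longer change how the style sheet is parsed.
    """
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append('\\%x ' % ord(ch))
    return ''.join(out)


def render_style_vulnerable(image_param):
    """Mirrors the page's example: the raw parameter lands inside url('...')."""
    return "<style>body { background-image: url('%s'); }</style>" % image_param


def render_style(image_param):
    """Hardened version: allowlist first, then context-specific escaping
    as defence in depth. Unacceptable input falls back to a fixed file name."""
    name = validate_image_name(image_param)
    if name is None:
        name = 'default.png'  # constructed fallback, not from the page
    return ("<style>body { background-image: url('/images/%s'); }</style>"
            % css_escape_string(name))


if __name__ == '__main__':
    # Constructed input that tries to close the string and append its own rule.
    payload = "x'); } body { background: red } /*"
    print(render_style_vulnerable(payload))  # injected rule survives intact
    print(render_style(payload))             # falls back to the default image
    print(render_style('logo.png'))          # accepted, '.' escaped as \2e
```

The allowlist is the control that actually decides what is accepted; the escaping step is there so that a later change to the allowlist (or a code path that bypasses it) does not silently reintroduce the injection. Note that the escape sequence `\2e ` in the output is ordinary CSS and is read back as a literal `.` by the browser.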