Input Validation / CSS Injection (Reflected)

Description

CSS Injection (reflected) is an input validation vulnerability that occurs when an application does not properly validate input from a web or API user. This type of attack allows malicious code to be injected into a web page such that it is reflected back to the user when it is rendered by their web browser. It is classified as a CWE-79 ‘Improper Neutralization of Input During Web Page Generation’ vulnerability and is stated as a ‘top 10’ risk in the OWASP Testing Guide. CSS injection can allow malicious users to manipulate the design elements of a web page, or even steal sensitive information such as user login credentials.

Risk

CSS Injection (reflected) is considered a high risk vulnerability as it can be used to manipulate the user interface of a web application, or even to steal sensitive information. It is important to ensure that all user input is validated to prevent malicious code from being inserted into a web page.

Solution

The solution to CSS Injection (reflected) is to ensure that all user input is properly validated. This can be done by using a whitelist to only allow certain characters to be used in a particular field, or by using regular expressions to verify that only valid input is accepted. Additionally, any user-supplied data should be encoded or escaped before being rendered in a web page.

Example

The following example is taken from CVE-2020-6483, where a reflected CSS injection vulnerability was found in a web application.

<html>
 <body>
  <script>
    document.write("<h1>Hello World</h1>");
  </script>
  
  <style>
    /* User supplied data */
    background-image: url('<?php echo $_GET['image']; ?>');
  </style>
 </body>
</html>

In this example, the application is using user-supplied data to set the background-image of the page. This can be exploited by a malicious user to inject malicious CSS code into the page, which can then be used to modify the page's design or even steal user credentials.