Input Validation / CSS Injection (Reflected)
Description
CSS Injection (reflected) is an input validation vulnerability that occurs when an application does not properly validate input from a web or API user. It allows malicious code to be injected into a web page so that it is reflected back to the user when the page is rendered by their web browser. It is classified as a CWE-79 ‘Improper Neutralization of Input During Web Page Generation’ vulnerability and is stated as a ‘top 10’ risk in the OWASP Testing Guide. CSS injection can allow malicious users to manipulate the design elements of a web page, or even steal sensitive information such as user login credentials.
Risk
CSS Injection (reflected) is considered a high-risk vulnerability because it can be used to manipulate the user interface of a web application, or even to steal sensitive information. All user input must be validated to prevent malicious code from being inserted into a web page.
Solution
The solution to CSS Injection (reflected) is to ensure that all user input is properly validated. This can be done by using a whitelist that allows only certain characters in a particular field, or by using regular expressions to verify that only valid input is accepted. Additionally, any user-supplied data should be encoded or escaped before being rendered in a web page.
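The following is an added example, not code from the original page, showing the whitelist validation and output encoding described above for a value reflected into a style block. The function names, the `colour` and `name` parameters, the default colour, and the sample requests are all assumptions constructed for illustration.

```javascript
// Added example: allowlist validation plus output encoding for values
// reflected into a page. All names and sample inputs are hypothetical.

// Allowlist: 3- or 6-digit hex colours, or one of a few named colours.
const HEX_COLOUR = /^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/;
const NAMED_COLOURS = new Set(["black", "white", "navy", "teal"]);
const DEFAULT_COLOUR = "#336699";

// Return the input only if it matches the allowlist exactly; otherwise
// fall back to a safe default instead of trying to "clean" the value.
function validateColour(input) {
  if (typeof input !== "string") return DEFAULT_COLOUR;
  const value = input.trim().toLowerCase();
  if (HEX_COLOUR.test(value)) return value;
  if (NAMED_COLOURS.has(value)) return value;
  return DEFAULT_COLOUR;
}

// HTML-encode text placed in element content or attribute values.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build the page fragment: the colour goes through the allowlist,
// the display name goes through HTML encoding.
function renderBanner(query) {
  const colour = validateColour(query.colour);
  const name = escapeHtml(query.name ?? "guest");
  return `<style>.banner { background: ${colour}; }</style>` +
         `<div class="banner">Welcome, ${name}</div>`;
}

// Constructed sample requests: one valid, one that tries to close the
// declaration and append a second rule.
const ok = renderBanner({ colour: "#FFAA00", name: "Ada" });
const rejected = renderBanner({ colour: "#fff; } a { color: red", name: "<b>x</b>" });
console.log(ok);
console.log(rejected);
```

The validator rejects anything that is not an exact match rather than stripping characters, so a value that tries to terminate the declaration never reaches the style block.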