Question 1

How does CSS injection steal CSRF tokens without iFrames?

Accepted Answer

It uses CSS attribute selectors to match substrings of token values in HTML attributes, then triggers resource loads via pop-up windows to exfiltrate data, bypassing iFrame restrictions. Service Workers intercept these loads client-side, eliminating the need for a backend server.

Question 2

CSS injection vs XSS: which is more dangerous for data theft?

Accepted Answer

CSS injection can be more stealthy for stealing attribute data without executing JavaScript, but XSS offers broader control. This project shows CSS injection can be lethal for CSRF tokens, especially in reflected cases where execution is immediate.

Question 3

How to prevent CSS injection attacks on my website?

Accepted Answer

Sanitize user input that affects CSS, use Content Security Policy (CSP) to restrict stylesheet sources, and avoid storing sensitive data in HTML attributes. Regularly audit for injection points in features allowing custom CSS.

Question 4

Can this attack work without user interaction?

Accepted Answer

No, it requires a user to trigger the pop-up, as noted in the README where the attack starts 'after clicking somewhere on the page'. This limits it to scenarios where social engineering or other vectors initiate interaction.

Question 5

What browsers support the Service Worker part of this attack?

Accepted Answer

Currently, only Chrome fully supports the demo due to experimental features like foreign fetch for cross-origin requests. Other browsers may not intercept requests without same-origin constraints, as mentioned in the README.

Question 6

Is stored CSS injection less risky than reflected?

Accepted Answer

Yes, reflected CSS injection is more immediate and deadly because it executes on page load without server updates, whereas stored variants require server-side changes, as highlighted in the 'Final thoughts' section.

Stealing CSRF tokens with CSS injection (without iFrames)

What is Stealing CSRF tokens with CSS injection (without iFrames)?

Overview

Use Cases

Best For

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions