CSS Injection
detect, understand, remediate

Attribute selector exfiltration

A selector of the form input[name=token][value^=a] paired with background-image: url(callback?prefix=a) triggers a network request to the attacker endpoint when an element matches the prefix. Iterating prefix characters one at a time recovers the attribute value. This is the canonical CSS keylogger pattern against form inputs that render with their value attribute populated server-side.

Sequential CSS exfiltration

Pepe Vila's 2018 research showed that a single style sheet can recover a hidden token end-to-end by chaining attribute selectors and animation delays so each iteration triggers the next without reloading the page. Modern variants use @import to fetch the next stage of the attack from an attacker server based on the previously leaked character.

Keyframes and transition side channels

CSS animations with timing functions and transition events can be observed by the attacker when paired with url() callbacks. The presence or absence of a transition reveals whether a selector matched, which leaks classes, attribute values, and visibility state.

Font ligature timing

Custom @font-face descriptors with unicode-range entries that map specific character combinations to network-fetched glyphs let the attacker observe which character pairs the victim renders. The technique was demonstrated against password fields rendered with browser autofill values.

Dangling markup with trailing url()

A reflection that does not close cleanly can leave a trailing url( open. Any subsequent content on the page (CSRF tokens, session metadata, user PII rendered after the injection point) is captured by the browser as part of the URL the browser fetches, leaking the trailing markup to the attacker endpoint.

content-visibility and quotes() side channels

Newer CSS features such as content-visibility, quotes(), and counter() expose previously inaccessible data through paint or layout side effects. A counter that increments only on matching elements paired with a url() callback reveals whether the element rendered. Defensive review must include the newer specifications, not only legacy CSS 2.

User-controlled values interpolated into style tags

A server-side renderer builds the <style> block from theme settings, tenant configuration, or campaign records and interpolates raw strings without context-aware encoding. The encoding required for CSS context is not the same as the encoding required for HTML or JavaScript contexts; an HTML-encoder applied to CSS still allows quotes and braces.

Style attribute allowlist in a rich-text sanitiser

A markdown or rich-text editor strips script tags and event handlers but allows style= on certain elements (commonly anchors, images, and inline text). The allowlist is the injection vector. DOMPurify, sanitize-html, and similar libraries require explicit style= enforcement and a CSS parser to be safe.

CSS variable assignment from untrusted input

A design system sets --brand-colour or --theme-accent from a tenant profile colour string. The browser accepts any valid CSS value, so an attacker assigns a value like red; --x: url(callback) and lands a rule the rest of the cascade references. The fix is parsing and validating the colour value, not concatenating the string.

SVG uploads preserved with inline markup

A profile avatar uploader accepts SVG and preserves the file as-is for inline rendering. The SVG carries a <style> element or style= attributes the browser parses on render. An HTML-only sanitiser that does not understand SVG passes the file through, and the next page render parses the attacker rule.

Email and PDF renderers reading user fields

Outbound email templates, invoice generators, AI report templates, and PDF exporters interpolate user-controlled fields into inline style blocks for branding. The same encoding gap that surfaces in the web tier appears here, often without a CSP to dampen the consequences and often outside the security team coverage scope by default.

CSS-in-JS template literals with raw interpolation

Styled-components, Emotion, and similar libraries support template-literal interpolation. A developer writes ${userColour} or ${tenantTheme} inside a styled.div template without sanitisation. The library writes the resulting string into a style sheet or style attribute, and the injection lands.

Theme-colour query parameters and personalisation links

Marketing personalisation links carry theme parameters (?primary=blue&accent=red) that the page reads and applies to a CSS variable or a generated style block. The attacker controls the query parameter, the page applies it, and the rule lands. Pre-defined enumerated theme keys are the safe alternative; raw colour strings are not.

Permissive style-src in the Content Security Policy

A CSP with style-src 'self' 'unsafe-inline' or with no style-src-attr enforcement is the rule that allows the parsed rule to take effect. A strict CSP cannot prevent the encoding gap at the sink, but it can disable inline style attributes and require nonces on style elements, removing entire payload classes from the attack surface.

Active testing signals

• SecPortal authenticated scanning probes inputs that surface inside style sheets, style tags, style attributes, and CSS custom properties, injects benign rules that should not parse, and validates whether selector exfiltration or dangling-markup channels survive output encoding and the deployed CSP. The finding lands with the affected route, the sink class, the rule that parsed, and the exfiltration channel observed.
• External scanning fingerprints style-context reflection on unauthenticated pages, error templates, marketing surfaces, and embedded widgets where user-controlled values land inside style attributes or CSS variables, and tests the page-level CSP for permissive style-src and missing style-src-attr coverage.
• Code scanning executes Semgrep rule packs against connected GitHub, GitLab, and Bitbucket repositories for unsafe interpolation of user data into style tags, inline style attributes, CSS-in-JS template literals, framework theme-colour helpers, server-side rendered style blocks, and CSS custom property assignments without context-aware encoding.
• Findings management captures the CWE-79 (and CWE-94 cross-reference) mapping, the OWASP A03 category, the sink class, the rule that landed, the exfiltration primitive, the evidence (request/response captures, rendered DOM snapshot, callback log), and a CVSS 3.1 vector calibrated for the realistic blast radius rather than the generic XSS base score.

Configuration review signals

• Inspect the deployed CSP for style-src, style-src-attr, and style-src-elem. A directive of style-src 'self' 'unsafe-inline' or a missing style-src-attr is a finding worth recording even before a confirmed sink exploit; the CSP is the second line of defence and a permissive directive collapses the layered model.
• Audit the sanitiser configuration. DOMPurify, sanitize-html, bleach, and similar libraries each require an explicit policy for style= attributes and for SVG content. Confirm the policy strips style= unless a CSS parser validates the declarations. Default configurations frequently allow style= on a subset of elements that is the practical injection vector.
• Review every server-side renderer that builds a style block. Theme-colour services, tenant theming templates, marketing personalisation pipelines, email template renderers, and AI report PDF generators are the recurring sinks. Confirm each renderer parses and validates the colour or URL before interpolation rather than concatenating the raw string.
• Test SVG upload pipelines. Upload an SVG that carries a <style> element with a known url() callback. Render the SVG inline through every consumer (profile avatar, document preview, branding asset, marketing widget) and confirm the callback does not fire. A callback firing is a confirmed CSS injection through the SVG sink.
• Subscribe to security advisories for theme renderers and CMS personalisation plugins. WordPress theme customiser, Drupal asset libraries, Magento email templates, HubSpot and Marketo template renderers, and design-system theme helpers have historically shipped advisories that map to CSS injection variants.