Inline Style Exfiltration: New CSS Technique Steals Data Without External Stylesheets
PortSwigger Research has unveiled a novel CSS injection technique that uses inline style attributes and CSS conditionals to exfiltrate sensitive data from web pages without requiring external stylesheets.

PortSwigger Research has published a new technique for exfiltrating HTML attribute data using inline CSS style attributes, bypassing the traditional need for external stylesheets or CSS selectors. The method, discovered by researcher Gareth Heyes, chains CSS conditional statements within style attributes to leak sensitive information from web pages vulnerable to CSS injection. This expands the attack surface for CSS-based data theft, particularly in contexts where only inline styles are controllable.
The technique builds on earlier work by Slonser, who demonstrated how to use the `attr()` and `image-set()` functions to steal attribute data by importing a stylesheet from an attacker-controlled domain. Heyes sought to eliminate the dependency on external imports, leveraging CSS's relatively new `if()` conditional syntax. After initial struggles with quote formatting, Slonser provided a working snippet that used double quotes for comparisons, revealing a quirk in CSS parsing.
The proof-of-concept works by setting a custom property (`--val`) to the value of an attribute via `attr()`, then using nested `if()` statements to check each possible value. When a match is found, a background request is made to an attacker-controlled server via `image-set()`, effectively exfiltrating the data character by character. For example, a `data-uid` attribute containing a number from 1 to 10 can be stolen by chaining ten conditional checks.
Heyes demonstrated the attack by stealing usernames from a `data-username` attribute, using a Burp Suite Custom Action to brute-force values. The technique currently works only on Chromium-based browsers, limiting its immediate impact but still posing a significant threat to web applications that allow user-controlled inline styles, such as rich text editors or comment systems.
An update to the research, prompted by Luke Jahnke, revealed that the `url()` function is unnecessary; a plain string suffices for the background request, simplifying the vector further. This refinement makes the attack easier to deploy and harder to detect.
The implications are significant for web security. CSS injection vulnerabilities, often considered low-risk, can now be weaponized for data exfiltration without requiring external resources. Security teams should audit applications for CSS injection points, particularly in environments where inline styles are permitted, and consider Content Security Policy (CSP) restrictions to block outbound requests from style attributes.
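One way to constrain user-controlled inline styles in a rich text editor or comment system, as an added example that is not code from the PortSwigger research: an allowlist filter that rebuilds the `style` value from known-safe property/value pairs, so `attr()`, `if()`, `image-set()`, custom properties and quoted strings never reach the rendered page. `ALLOWED_PROPS`, `SAFE_VALUE` and `sanitizeInlineStyle` are hypothetical names, and the allowlist contents are an assumption to adapt.

```javascript
// Added example, not code from the research. All names here are hypothetical.
// Properties a comment box or rich text editor might reasonably permit (assumption).
const ALLOWED_PROPS = new Set([
  "color", "font-weight", "font-style", "text-align", "text-decoration",
]);

// Values limited to keywords, numbers, hex colours and simple lengths.
// No parentheses (blocks attr(), if(), image-set(), url()), no quotes
// (blocks the plain-string request form), no backslash escapes, no slashes.
const SAFE_VALUE = /^[a-z0-9#%.\s-]+$/i;

function sanitizeInlineStyle(style) {
  const kept = [];
  const dropped = [];
  // Splitting on ";" also cuts through if(...) bodies. That is fine here:
  // the output is rebuilt only from fragments that pass both checks, so a
  // fragment can never carry a function call or string into the result.
  for (const raw of String(style).split(";")) {
    const decl = raw.trim();
    if (decl === "") continue;
    const colon = decl.indexOf(":");
    const prop = colon < 0 ? "" : decl.slice(0, colon).trim().toLowerCase();
    const value = colon < 0 ? "" : decl.slice(colon + 1).trim();
    // Custom properties (--val and similar) are not in the allowlist, so the
    // attr() capture step is dropped before its value is even inspected.
    if (ALLOWED_PROPS.has(prop) && SAFE_VALUE.test(value)) {
      kept.push(`${prop}: ${value}`);
    } else {
      dropped.push(decl);
    }
  }
  return { css: kept.join("; "), dropped };
}

// Constructed sample inputs, one CSS construct per entry.
const samples = [
  "color: red; font-weight: bold",
  "color: #c00; --val: attr(data-uid)",
  'background: image-set("placeholder")',
  "color: if(media(print): black; else: red)",
];
for (const s of samples) console.log(JSON.stringify(sanitizeInlineStyle(s)));
```

Logging the `dropped` list instead of discarding it gives detection a signal: repeated `attr(` or `if(` fragments from one account are worth a look.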
This research underscores the evolving complexity of CSS as a vector for client-side attacks. As CSS gains more programming-like features, attackers are finding creative ways to abuse them, challenging traditional assumptions about what constitutes a safe styling language.