IMDEA Software

Software Seminar Series, 2019

Tuesday, January 29, 2019

10:45am Lecture hall 1, level B

Pepe Vila, PhD Student, IMDEA Software Institute

CSS Injection Attacks: or how to leak content with <style>

Abstract:

In this talk we’ll discuss the impact of CSS (stylesheet) injection attacks on web security. We’ll first present some historical notes on CSS injections and related research. Then we’ll show and explain two working demos that leak HTML attributes and text nodes from a vulnerable web page using only CSS (no JavaScript). Finally, we’ll show a recursion trick that allows these attacks to work without the need for iframes or redirections, enabling them in isolated environments like Electron apps.