CSS Injection (Input)

Erdemstar
4 min read, Dec 5, 2024


Hello friends, today I will show you the steps of detecting and exploiting a CSS Injection (Input) vulnerability that I encountered during the web application security tests of my project named Saka.

What’s CSS Injection

You can find detailed information about the CSS Injection vulnerability in the article below.

Running the Application

Docker

docker pull erdemstar/saka:css-injection-input
docker run --rm -d -p 80:8080 erdemstar/saka:css-injection-input

Visual Studio 2022 IDE

git clone https://github.com/Erdemstar/Saka
cd Saka/css-injection-input
- open css-injection-input.sln by double-clicking it (File Explorer)
- devenv css-injection-input.sln (CMD)

Reconnaissance

When we first open the application, a page like the one below welcomes us. By pressing the Attack button on the page, we are directed to the part we will test.

The page encountered when redirected to the Attack page is as follows.

The HTTP GET request sent for the Attack page is as follows. When the details of the incoming response are checked, it can be seen that the application renders a form that lets the user change the Color and Tag of the ‘Hello guys’ text.

In the relevant form, ‘green’ was selected for the Color field and ‘h3’ for the Tag field, and an HTTP POST request was sent to the ‘/Home/Attack’ endpoint. Upon examining the content of the received response, it was observed that the entered values were reflected in the areas highlighted in yellow within the response.

The screenshot of the sent request is as follows.

Mental Notes

  • The application is expecting an HTTP POST request from the user to the ‘/Home/Attack’ endpoint to change the color and tag format of the ‘Hello guys’ text.
  • After the application receives the information from the user, it is used to change the format of the ‘Hello guys’ text on the screen.

Exploitation

After obtaining sufficient information about the application, we add characters that the browser will interpret as markup to the Color and Tag values we send, in order to exploit the XSS vulnerability.

For this purpose, a standard payload was created as follows and submitted in both the Color and Tag fields.

"><h1>Erdemstar

The request sent to change the format of the text is as follows. When the received response was checked, it was determined that the value sent for the Color field was used without any validation on the application side, whereas input validation was performed for the Tag field.

The screenshot of the sent request is as follows.

Having learned this much about the application's behavior, when we send a value like the one below in the Color field, we carry out the Reflected XSS scenario against the application.

"onclick=prompt(8)>"

The final status after the request is as follows.
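To make the finding concrete, here is an added example (not code from the Saka project, whose rendering code is not shown in this article) that reconstructs the behavior observed above: the Color value is concatenated straight into a style attribute, so a double quote ends the attribute and the rest of the input becomes markup. Beside it is a hardened version that allow-lists both fields and attribute-encodes the remaining value; the named-colour set and the tag set are constructed assumptions for the example.

```python
import html
import re

# Allow-list for the Color field: a small constructed subset of CSS named
# colours, or a 3/6-digit hex value. Anything else is rejected, not encoded.
NAMED_COLORS = {"red", "green", "blue", "black", "white", "yellow"}
HEX_COLOR = re.compile(r"#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})")

# Allow-list for the Tag field (assumed set of tags the form is meant to offer).
ALLOWED_TAGS = {"h1", "h2", "h3", "h4", "p", "span"}


def render_vulnerable(color: str, tag: str) -> str:
    """Reconstruction of the reflected Color field: the raw value lands inside
    the style attribute, so '"><h1>...' closes the attribute and the tag."""
    return f'<{tag} style="color: {color}">Hello guys</{tag}>'


def is_valid_color(color: str) -> bool:
    c = color.strip()
    return c.lower() in NAMED_COLORS or HEX_COLOR.fullmatch(c) is not None


def is_valid_tag(tag: str) -> bool:
    return tag.strip().lower() in ALLOWED_TAGS


def render_hardened(color: str, tag: str) -> str:
    """Allow-list both fields, fall back to safe defaults on rejection, and
    attribute-encode the colour as defence in depth before it hits the template."""
    safe_tag = tag.strip().lower() if is_valid_tag(tag) else "h3"
    safe_color = color.strip() if is_valid_color(color) else "black"
    encoded = html.escape(safe_color, quote=True)
    return f'<{safe_tag} style="color: {encoded}">Hello guys</{safe_tag}>'


def attribute_breakout(rendered: str) -> bool:
    """Response check a tester can run: the rendered fragment should contain
    exactly one quoted attribute, two tags and no event handler."""
    return (rendered.count('"') != 2
            or rendered.count("<") != 2
            or "onclick" in rendered.lower())
```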

Thank you for reading my article; I hope it was useful for you. Below I leave links to my other write-ups that may be useful to you.

Click here to see my other articles about web vulnerabilities. Link
