CSS injection: what's the worst that can happen?

Question

We are doing a security evaluation.

There is a chance that a malicious user can inject arbitrary CSS into another user\'s web pages, although we are not sure it can

Answer 1

Yes to all of the above. Injection of arbitrary CSS can lead to javascript execution. Look at:

• XSS Cheat Sheet

The worst thing that could happen is dependent on the environment. In some cases stealing a session cookie and accessing the users session maybe the worst thing to happen (e.g., banks, online stock trading) this may not be the case for your situation. Other examples of attacks would be gaining control of the browser, gaining access to the client's machine, etc.