Scriptless Attacks: Why CSS is My Favorite Programming Language
“Erm, actually CSS is not a programming language! ☝️🤓”
If that was your first reaction to this title, then you should definitely come and see what modern CSS has to offer for web attackers! If you stop pursuing XSS vulnerabilities when you see a sanitizer, then you’re missing out on the power of CSS. Using Scriptless Attacks, you will learn how to turn unexploitable HTML Injections into impactful findings with just CSS and HTML.
With the rise of XSS mitigations, scriptless attacks are becoming more important for client-side web attacks. Sanitizers like DOMPurify are being used more widely, browsers are about to receive a built-in Sanitizer API, and Content Security Policies are getting stricter.
From the perspective of a pen-tester or bug bounty hunter, we’re going to explore different scenarios where XSS is impossible but HTML and CSS can be injected. We’re going to start with the past status quo, then learn techniques enabled by recent CSS features, and finally take a look at promising future CSS drafts. We will close with some thoughts on defense and a fun twist.