External CSS Injection

  • CWE 601
  • WASC 38
  • PCI 3.2-6.5.1
  • OWASP 2017-A1

It is possible for an attacker to control href attribute of a link tag and load stylesheets from external resources. Crafted CSS stylesheets can execute unsanitized javascript in the global scope on some browsers.


With a properly defined CSP policy, the browser would not load external stylesheets.