Photo by FIN on Unsplash

Unleashing the power of CSS injection: The access key to an internal API

In this write-up, we will be explaining a vulnerability that was discovered in an online accounting application. The vulnerability was a CSS injection flaw that could be exploited in the application’s PDF generator. We will explain to you how we discovered the vulnerability and how we were able to exploit it to get internal API access.

Temporarily unavailable…

We hope you found this write-up entertaining, informative and interesting to read. Thank you for your attention.

Don’t forget to share your thoughts, feedback or even your own endeavours with CSS injections!

— The Vismagicians 🪄 (bandjes, floerer, holme and iQimpz)

Sander Wind

Security researcher at Mission CTRL. Developer at Alserda. Bug bounty hunter on Intigriti.