# CSS Injection

Functionally the same as [XSS](https://heinosass.gitbook.io/leet-sheet/web-app-hacking/user-attacks/xss-cross-site-scripting), but with CSS.

You can steal CSRF tokens by bruteforcing using this method.

{% embed url="<https://www.curesec.com/blog/article/blog/Reading-Data-via-CSS-Injection-180.html>" %}