CSS-injection exfiltration TL;DR: Attribute-selector and @import chains exfil CSRF tokens / DOM secrets via CSS alone — no JS, defeats most CSP setups. Stub — to be filled in. What it is TODO Preconditions / where it applies TODO Technique TODO Detection and defence TODO References https://hacktricks.wiki/en/pentesting-web/xs-search/css-injection/index.html