I'm looking for a way to create a CSS injection proof-of-concept. I can insert the following and it gets reflected in the browser:
<style>body{background-color:red}</style>
The only issue is that the colon gets URL encoded, which prevents the css from rendering.
The reflected output looks like this:
<style>body{background-color%3Ared}<%2Fstyle>
I've tried common XSS attacks, but a WAF seems to block most event handlers.
Is there a way to get CSS injection without the colon or with an alternative character?