
How to Retrieve User Information using CSS (Cascading Style Sheets)

Hi Guys, what's up. So I am back again with another blog you were waiting for.

Today's blog is going to be something special for you all because we will be accessing user information via a small piece of CSS code. But before we get into the setup, let me warn you that the knowledge you get must never be used to inflict harm on an individual or an organization, and if that happens, we (thedecentshub) will not be held liable.

So let's start without wasting any further time...





Lab Environment Configuration:-

* First, we need a code editor (for a better experience), or you can also use Notepad.
* Secondly, we need to host a small piece of CSS code online. We can use any free online hosting service.
* The third requirement is a browser, which you definitely have if you are reading this blog.


STEPS TO PROCEED:-

STEP1:- So Guys, in the first step I will create a normal HTML page containing a button element. The code for that is given below:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
</head>

<body>
    <button class="button-content">Submit</button>
</body>

</html>

STEP2:- Now, we need to host some CSS online using any free hosting service.
The content to be hosted is given below.

.button-content {
    color: red;
}

Here we simply want to set the color of our button element to red, which is why we gave the same class to the button element in the HTML code above.

But guys, let me tell you that this is not our main aim here. I will show you something special, for which you have to wait till the end.

STEP3:- Now, we need to create a style.css file to import the content of our externally hosted stylesheet.

The content of our style.css file is as follows:

@import url(link to our externally hosted stylesheet);

But wait!

We are not going to provide the link directly. We will be using a third-party tool called Grabify, which is basically a sort of IP logger that also fetches metadata about the particular user.

We need to go to the Grabify site and provide the link to our external stylesheet there. It will give us a shortened Grabify link, which is not only a link, but the most powerful weapon.

Then, we will put the obtained Grabify link in the style.css file above.


Before that, also make sure that the smart logger is turned on.

[Screenshot: Grabify Smart Logger]


We also need to link the style.css file from our HTML page so that everything works properly.

As soon as we load the HTML page, our CSS gets loaded. This can be verified by seeing the red text on our button element.

This trick definitely works, but sometimes the CSS doesn't load, because if the link takes too much time to load it breaks in between. This problem can also be solved by using the new AJAX technology, in which the page continuously keeps refreshing itself, which causes the CSS to load.

If everything works fine on loading the page, then when you go back to the Grabify tracking page you can see the results down below. Your data will be present there, like your IP address and much more.

If you click on more info, many more details are made available to you.





Now Guys, the question is: what is its use? Its basic use is in the pentesting process. If you have an application which allows you to embed your own CSS in it, you can try this out. If the application allows a link to load content from a third-party domain, it must properly validate that the link does not return HTTP status code 301, which represents redirection, because if it does, it can trick the user visiting the page into performing some unintended operations.

And hence, we must try to implement proper measures for it.
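
One way to implement the validation described above, as an added example that is not part of the original blog: a server-side check that lists every URL a user-supplied stylesheet would make the browser fetch, rejects hosts that are not allow-listed, and rejects links that answer with a redirect such as 301. The host names, sample CSS, canned responses and the fetch_head callback are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Matches @import "x", @import url(x) and other url(x); a demo regex, not a full CSS parser.
_REF = re.compile(
    r"""@import\s+(?:url\(\s*)?["']?([^"')\s;]+)|url\(\s*["']?([^"')\s]+)""",
    re.IGNORECASE,
)

def external_refs(css):
    """Return every URL the stylesheet would make the browser fetch."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.DOTALL)  # strip comments first
    return [a or b for a, b in _REF.findall(css)]

def host_allowed(url, allowed_hosts):
    """Relative URLs stay same-origin; absolute ones need https and a listed host."""
    p = urlparse(url)
    if not p.scheme and not p.netloc:
        return True
    return p.scheme == "https" and p.hostname in allowed_hosts

def audit_css(css, allowed_hosts, fetch_head):
    """Return (url, reason) pairs for references that must be rejected.
    fetch_head(url) -> (status, location) is a hypothetical caller-supplied
    function that requests the URL WITHOUT following redirects."""
    problems = []
    for url in external_refs(css):
        if not host_allowed(url, allowed_hosts):
            problems.append((url, "host not allow-listed"))
        elif urlparse(url).netloc:
            status, location = fetch_head(url)
            if 300 <= status < 400:  # 301 etc.: served content differs from the vetted link
                problems.append((url, f"redirects ({status}) to {location}"))
    return problems

# Constructed sample input: hosts and responses are made up for this example.
SAMPLE_CSS = """
@import url(https://short.example/AB12CD);
@import "https://cdn.example/theme.css";
.button-content { color: red; background: url(img/bg.png); }
"""
FAKE_RESPONSES = {
    "https://short.example/AB12CD": (301, "https://files.example/style.css"),
    "https://cdn.example/theme.css": (200, None),
}

def fake_head(url):
    return FAKE_RESPONSES[url]
```

In a real deployment fetch_head would issue the request with redirect-following disabled, and the check would run every time the stylesheet is saved.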

I have also created a video on the same topic. If you have any doubts related to the blog, you can also refer to the YouTube video link provided below -




So Guys, that's all for this blog. If you like the content, you can follow me and also subscribe to my YouTube channel. If you Guys want me to keep bringing these sorts of blogs and videos for you, you can show your support to me ...


Till Next Blog Guys, *TaTa*, Goodbye. I hope you enjoyed the Blog 😊 










