Week 13 - XSS Keylogger
It’s already week 13 of the Web Hacking series, and today I’ll show you how to turn a simple Cross-Site Scripting vulnerability into a custom keylogger! Many people in the dev/sec industry see XSS as nothing more than an alert box. However, it can be used for so much more and can seriously impact the integrity of your application and the safety of your user base.

In the screenshots below, you can see how I used 14 lines of JavaScript to steal a user’s keystrokes. In a real-world scenario, an attacker can inject this JavaScript into a page (using a Stored or Reflected XSS vulnerability) and steal any keystrokes the victim enters. Passwords, credit card numbers, social security numbers, etc. could all be compromised due to a vulnerability that so many people reduce to just an alert box…

Stay tuned for more tips on how the impact of XSS can be escalated!