# Week 13 - XSS Keylogger

## Using XSS to Create a Keylogger

It’s already week 13 of the Web Hacking series, and today I’ll show you how to turn a simple Cross-Site Scripting vulnerability into a custom keylogger!

Many people in the dev/sec industry see XSS as nothing more than an alert box. However, it can be used for so much more and can seriously impact the integrity of your application and the safety of your user base. In the screenshots below, you can see how I used 14 lines of JavaScript to steal a user’s keystrokes.

In a real-world scenario, an attacker can inject this JavaScript into a page (using a Stored or Reflected XSS vulnerability) and steal any keystrokes the victim enters. Passwords, credit card numbers, social security numbers, etc. could all be compromised due to a vulnerability that so many people reduce to just an alert box…

Stay tuned for more tips on how the impact of XSS can be escalated!

![](/files/ZG6yQdQV5Ma5rjSLWWFP)

![SRC: https://github.com/JohnHoder/Javascript-Keylogger/blob/master/keylogger.js](/files/RVG3V3vWftnBA91vMbCN)
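From the defender's side, an injected keylogger needs two things: script execution on the page and an outbound channel for what it captures. The following added example (not part of the original post) audits a Content-Security-Policy header for gaps in both; the sample policies and the names `auditCsp`, `parseCsp`, `WEAK` and `STRICT` are constructed for illustration. CSP is a second layer here, and the injection point itself still has to be fixed.

```javascript
// Added example, not from the original post. Policies below are constructed.
const WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline'; img-src *";
const STRICT = "default-src 'self'; script-src 'nonce-R4nd0m' 'strict-dynamic' https: 'unsafe-inline'";
const ANY_HOST = new Set(['*', 'http:', 'https:']);

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by browsers: the first one wins.
    // Sources are lowercased for auditing only (nonces are case-sensitive).
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return policy;
}

// Fetch directives fall back to default-src when they are absent.
const effective = (policy, d) => policy.get(d) ?? policy.get('default-src') ?? null;

function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const script = effective(policy, 'script-src');
  if (script === null) {
    findings.push('script-src: unrestricted, injected script runs');
  } else {
    const pinned = script.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
    // Browsers ignore 'unsafe-inline' once a nonce or hash is present.
    if (script.includes("'unsafe-inline'") && !pinned) {
      findings.push("script-src: 'unsafe-inline' lets injected inline script run");
    }
    // 'strict-dynamic' makes browsers ignore host and scheme sources.
    if (!script.includes("'strict-dynamic'") && script.some((s) => ANY_HOST.has(s))) {
      findings.push('script-src: any host may serve script');
    }
  }
  // Channels a keystroke logger can use to send captured input off the page.
  for (const d of ['connect-src', 'img-src']) {
    const sources = effective(policy, d);
    if (sources === null || sources.some((s) => ANY_HOST.has(s))) {
      findings.push(`${d}: any host allowed, captured input can leave the page`);
    }
  }
  return findings;
}

console.log(auditCsp(WEAK));
console.log(auditCsp(STRICT));
```

The weak policy yields two findings (inline script allowed, image requests to any host); the strict one yields none.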

