Writeup for task 7 of the JS for Pentesters series from SecurityTube: XSS keylogger
In the last writeup we saw how to capture all mouse clicks and redirect the user to a new webpage. This time we need to capture every key the user presses and send it to the attacker machine.
JS for Pentesters task 7
Our objective is to create a keylogger that posts keystrokes live to an attacker server. Unlike the last writeup on mouse click capture, here we need to capture the keys the user presses and also post them to an attacker server, so that the attacker can see live what the user is typing. So the payload looks like this:
So what does this do?
window.captureEvents(Event.KEYPRESS) makes the window capture every keypress that happens on the webpage, and a function can be triggered each time a key is pressed. Here, each time a key is pressed, the function keyPressed() is executed and shows an alert("keyPressed"). Instead of this alert message, you can modify the command to post the key live to a server that you host on your localhost or somewhere else.
1) While cracking this challenge, I was on Windows, and it's more difficult to host an HTTP server on Windows than on Linux (at least for me, as I don't like to use Windows much other than for gaming). This is the reason why, instead of posting this key log live to our server, we just used an alert() message to confirm that the function is executing. You can modify the script to your needs.
3) You have to URL-encode the payload before injecting it via the URL parameter, or else it will fail to work.
We hope that you really liked this challenge. If there is anything you didn't understand or want more clarity on, please leave a comment and we are more than happy to help. Also, if you find a better way of solving the challenge, please share it with us; we are happy to learn from our readers too. Happy pentesting.