XSS - KeyLogger with JavaScript: JS for Pentesters task 7 write up

Oct 27, 2014 • jsp, javascript, xss, security-tube

writeup for task-7 of the JS for pentesters series of security-tube - XSS keylogger

In the last write up we saw how we Capture all Mouse Clicks and Redirect user to a new webpage. This time what we should do is to capture all the keys that user clicks and we need to send it to the attacker machine.

JS for Pentesters task 7

Our objective is to Create a KeyLogger which posts Keystrokes live to an attacker server. So unlike the last write on Mouse Click capture, here, we need to capture the keys that user press and we should also post the same thing to an attacker server so that he can see it live what the user is typing. So the payload looks like this:

    function keyPressed(){
    alert("key pressed");
    window.captureEvents (Event.KEYPRESS); 

So what does this basically do ? window.captureEvents(Event.KEYPRESS) will actually log any keypress that is basically happening in the webpage and it can also trigger a function while each key is pressed. So here each time when a key is pressed, the function keyPressed() is getting executed and it is showing an alert(“keyPressed”). Instead of this alert message, you can modify the command to post it live to a server that you host in you localhost or somewhere else.


1) While cracking this challenge, I was on Windows  and its difficult to host an HTTP server in Windows than on Linux (atleast for me as I don;t like to use Windows much other than for gaming). This is the reason why instead of posting this key log live to our server, we just used an alert() message to confirm that the function is executing. You can modify the script to your needs.

2) While playing with XSS challenges, it is always recommended to use Mozilla Firefox because Google chrome has inbuilt XSS stopper which will stop us from executing arbitrary JavaScript code even if the page is vulnerable to XSS. So its strongly recommended to use Firefox instead of chrome.

3) You have to URL encode the payload before the injection via the url parameter or else this will fail to work.

We hope that you really liked this challenge. If there is anything you didn’t understand or wanted to get more clarity, please comment down and we are more than happy to help. Also, if you get a better way of solving the challenge, please share it with us and we are happy to learn from our readers too. Happy pentesting..

Anirudh Anand

Security Engineer @CRED | Web Application Security ♥ | Google, Microsoft, Zendesk, Gitlab Hall of Fames | Blogger | CTF lover - @teambi0s | Certs - eWDP, OSCP