@kieranbarker
Created March 23, 2022 17:33
A simple demo of a cross-site scripting (XSS) attack.
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>XSS</title>
</head>
<body>
<script>
// Simulates an injection point: a string of markup is written with innerHTML.
// The <img> cannot load ("x" is not a real source), so the browser runs its
// onerror handler, which installs a keydown listener that logs every key
// press to the console.
document.body.innerHTML = `
<img
src="x"
onerror="document.addEventListener('keydown', event => console.log(event.key))"
/>
`;
</script>
</body>
</html>
@kieranbarker
Author

Open this HTML file in your browser and have a look at the JavaScript console. Every time you press a key, it will be logged to the console! Now imagine if, instead of just logging it to the console, the attacker sent everything you typed to a remote server...
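The defensive counterpart to the gist above, as an added example that is not part of the gist: the same "untrusted string into innerHTML" pattern beside the escaped version, run against the gist's own `<img onerror>` payload. The function names, the `comment` wrapper markup and the sample input are assumptions made for this example; it runs under Node without a DOM.

```javascript
// Added example (not from the gist). Contrasts raw interpolation of untrusted
// text into markup with contextual HTML escaping. Runs under Node, no DOM needed.

// Constructed sample input: the payload the gist injects, here arriving as
// untrusted data (for instance the body of a user-submitted comment).
const UNTRUSTED_INPUT =
  '<img src="x" onerror="document.addEventListener(\'keydown\', e => console.log(e.key))">';

// Vulnerable: interpolates the untrusted text straight into markup, which is
// what the gist does with document.body.innerHTML. A browser parsing this
// creates the <img> element and fires its onerror handler.
function renderCommentUnsafe(text) {
  return `<p class="comment">${text}</p>`;
}

// Escapes the five characters that change meaning in an HTML text node or a
// quoted attribute value. '&' must be handled first so that the entities
// produced by the later replacements are not double-escaped.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened: the payload becomes literal text inside the <p>. No element and no
// attribute is created, so there is no handler for the browser to run.
function renderCommentSafe(text) {
  return `<p class="comment">${escapeHtml(text)}</p>`;
}

// Helper for the contrast below: does the rendered comment body contain any
// tag at all? Strips the known wrapper so only the user-controlled part is
// inspected. This is a demonstration check, not a sanitizer.
function bodyContainsTag(html) {
  const body = html.replace(/^<p class="comment">/, '').replace(/<\/p>$/, '');
  return /<[a-z]/i.test(body);
}

// In a browser the same fix is simply to avoid innerHTML for untrusted data:
//   const p = document.createElement('p');
//   p.textContent = untrustedInput;   // rendered as text, never parsed as markup
//   document.body.appendChild(p);
// A Content-Security-Policy without 'unsafe-inline' adds a second layer by
// refusing to run inline event handlers such as onerror even if injected.

console.log('unsafe creates a tag:', bodyContainsTag(renderCommentUnsafe(UNTRUSTED_INPUT)));
console.log('safe creates a tag:  ', bodyContainsTag(renderCommentSafe(UNTRUSTED_INPUT)));
console.log(renderCommentSafe(UNTRUSTED_INPUT));
```

Escaping is context-specific: this table is correct for HTML text and quoted attribute values, but data placed into a URL, a script block or a CSS value needs the encoding for that context instead.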
