Background
Cross-Site Scripting is a common issue with websites of today. Consider a comment box that receives the following comment by a user: "Hello, everyone! I am just a >script>alert('xss')>/script>normal user". (Note: I have inverted the beginning and ending < tag because of Github's filter)
The situation above, if done on a vulnerable website, would cause anyone viewing the website to see: "Hello, everyone! I am just a normal user." in the comment section. An additional effect would be the browser rendering the script literally, causing a message box to open up (seen in Figure 1 below).
This effect is extremely dangerous because one exploiting such a vulnerability can redirect users to cause execution of arbitrary code.
Attack Vector (steps for exploitation)
Build client files, initialize the server, and build a client with keylogging enabled.
Initialize the client. On the client machine, type the following:
On the server, get the logs from the client and open the file. Notice the message box popup.
Additional Notes
Does this cause an adverse effect on the accuracy of the keylogger? No. The log file is unaffected; opening the log file in something like Notepad would reveal that it is accurate. However, because the log file is parsed by the WebBrowser control on the FrmKeylogger Form, these tags will be translated literally by the WebBrowser, so the log file will not appear on the Form to be as it is on the actual file.
What other inputs will be affected by this issue? All HTML tags. These tags are rendered literally. Try to type >hr /> (Note: Type a < for the beginning of the hr tag).
@MaxXor This is also a high priority issue that must be fixed before we merge dev into master... I just felt it deserved to be in its own issue. :hankey:
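One way to fix the rendering problem described in this issue, as an added example that is neither the project's own code nor the issue author's: keystrokes are untrusted input, so they are HTML-encoded before they are written into the log and again before the log is handed to the WebBrowser control. The class and member names (LogHtml, EncodeKeystrokes, AppendToLog, BuildSafeDocument, ShowLog, webBrowserLog) are hypothetical; the only framework calls used are System.Net.WebUtility.HtmlEncode, System.IO.File and the WinForms WebBrowser.DocumentText property.

```csharp
// Added example, not code from the project or the issue author.
// Names (LogHtml, EncodeKeystrokes, AppendToLog, BuildSafeDocument,
// ShowLog, webBrowserLog) are hypothetical.
using System;
using System.IO;
using System.Net;
using System.Text;
using System.Windows.Forms;

public static class LogHtml
{
    // Encode one captured string so the HTML parser shows it literally.
    // WebUtility.HtmlEncode turns < > & " ' into entities, so a typed
    // <script>alert('xss')</script> becomes &lt;script&gt;...&lt;/script&gt;
    // and is displayed as text instead of being executed.
    public static string EncodeKeystrokes(string captured)
    {
        return WebUtility.HtmlEncode(captured ?? string.Empty);
    }

    // Write-time fix: only ever append encoded text to the log file, so the
    // file on disk never contains raw markup typed by the monitored user.
    public static void AppendToLog(string logPath, string captured)
    {
        File.AppendAllText(logPath, EncodeKeystrokes(captured), Encoding.UTF8);
    }

    // Display-time fix for logs that were recorded raw: wrap the whole file in
    // <pre> and encode it, so nothing inside is parsed as markup or script.
    public static string BuildSafeDocument(string rawLog)
    {
        return "<!DOCTYPE html><html><head><meta charset=\"utf-8\"></head><body><pre>"
             + EncodeKeystrokes(rawLog)
             + "</pre></body></html>";
    }

    // Load the encoded document into the WebBrowser control via DocumentText
    // instead of Navigate(), which would parse the raw file straight from disk.
    public static void ShowLog(WebBrowser webBrowserLog, string logPath)
    {
        string raw = File.ReadAllText(logPath, Encoding.UTF8);
        webBrowserLog.DocumentText = BuildSafeDocument(raw);
    }

    public static void Main()
    {
        // Constructed sample of the comment from the issue as a keylogger would capture it.
        string captured = "Hello, everyone! I am just a <script>alert('xss')</script>normal user";
        string encoded = EncodeKeystrokes(captured);
        // No raw angle brackets may survive; if they do, the control would parse them as tags.
        if (encoded.Contains("<") || encoded.Contains(">"))
            throw new Exception("raw angle brackets survived encoding");
        Console.WriteLine(encoded);
        Console.WriteLine(BuildSafeDocument("Try to type <hr /> here"));
    }
}
```

The write-time encoding is the real fix, because it keeps the attacker-controlled text out of any HTML context from the start; the display-time wrapper only protects logs that were already recorded raw, and it must be applied to every path that loads the file into the WebBrowser control.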
Figure 1