[GH-ISSUE #167] Keylogger Cross-Site Scripting (XSS) vulnerability #72

Closed
opened 2026-02-27 15:48:36 +03:00 by kerem · 2 comments

Originally created by @yankejustin on GitHub (May 23, 2015).
Original GitHub issue: https://github.com/quasar/Quasar/issues/167

Originally assigned to: @MaxXor on GitHub.

Background

- Cross-Site Scripting is a common issue with websites of today. Consider a comment box that receives the following comment by a user: "Hello, everyone! I am just a >script>alert('xss')>/script>normal user". (Note: I have inverted the beginning and ending < tag because of Github's filter)
- The situation above, if done on a vulnerable website, would cause anyone viewing the website to see: "Hello, everyone! I am just a normal user." in the comment section. An additional effect would be the browser rendering the script literally, causing a message box to open up (seen on Figure 1 below).
- This effect is extremely dangerous because one exploiting such a vulnerability can redirect users to cause execution of arbitrary code.

Attack Vector (steps for exploitation)

1. Build client files, initialize the server, and build a client with keylogging enabled.
2. Initialize the client. On the client machine, type the following:
   ![capture2](https://cloud.githubusercontent.com/assets/9338742/7782228/a4cf6e94-00d8-11e5-95a9-353b77d7cf6a.PNG)
3. On the server, get the logs from the client and open the file. Notice the message box popup.

Additional Notes

*Does this cause an adverse effect on the accuracy of the keylogger?*

**No.** The log file is unaffected; opening the log file in something like Notepad would reveal that it is accurate. However, because the log file is parsed by the WebBrowser control on the FrmKeylogger Form, these tags will be translated literally by the WebBrowser, so the log file will not appear on the Form as it is in the actual file.

*What other inputs will be affected by this issue?*

**All HTML tags.** These tags are rendered literally. Try to type >hr /> (Note: Type a < for the beginning of the hr tag).



Figure 1

![capture](https://cloud.githubusercontent.com/assets/9338742/7782220/11776d86-00d8-11e5-932b-d3069c6a20d4.PNG)

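The root cause described in the report is a WinForms viewer handing untrusted text (keystrokes recorded from another machine) to a WebBrowser control as HTML, so the control parses any tag the text contains. The following is an added example, not code from the Quasar project: it shows the vulnerable pattern beside the hardened one, where the text is HTML-encoded before it is assigned to `WebBrowser.DocumentText`. The class and method names are assumptions for illustration.

```csharp
using System.IO;
using System.Net;
using System.Windows.Forms;

// Hypothetical helper for a WinForms form that shows a text log in a WebBrowser control.
static class LogViewer
{
    // Vulnerable pattern: the raw file content is treated as an HTML document, so any
    // "<script>" or other tag that was typed by the monitored user is parsed and
    // executed by the control instead of being displayed as text.
    public static void ShowRaw(WebBrowser browser, string logPath)
    {
        browser.DocumentText = File.ReadAllText(logPath);
    }

    // Hardened pattern: encode '<', '>', '&' and quotes as entities so the control renders
    // them literally, then wrap the result in a <pre> block to keep line breaks and spacing.
    public static string ToSafeHtml(string logText)
    {
        string encoded = WebUtility.HtmlEncode(logText);
        return "<!DOCTYPE html><html><head><meta charset=\"utf-8\"></head>"
             + "<body><pre>" + encoded + "</pre></body></html>";
    }

    public static void ShowSafe(WebBrowser browser, string logPath)
    {
        browser.DocumentText = ToSafeHtml(File.ReadAllText(logPath));
    }
}
```

With the hardened method, the input from the report (`I am just a <script>alert('xss')</script>normal user`) is stored in the document as `&lt;script&gt;alert('xss')&lt;/script&gt;`, which the control displays verbatim and never executes; the file on disk is unchanged in both variants.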
kerem 2026-02-27 15:48:36 +03:00: closed this issue and added the "bug" label.

@yankejustin commented on GitHub (May 23, 2015):

@MaxXor This is also a high priority issue that must be fixed before we merge dev into master... I just felt it deserved to be in its own issue. 💩


@MaxXor commented on GitHub (May 23, 2015):

This should be fixed in the latest commit.
