Javascript browser keylogger

[DukeSe]

I just wondered if anyone can take a look at this simple javascript code and tell me if could be used as a browser keylogger, by running the script on the target's browser without his/her consent! The problem is how the contents of  variable 'sen' could be recieved by the attacker?

Code: [Select]

<html>
<head>
<title>
notepad
</title>
<script>
sen="";
function display(eve) {
if (eve.keycode) key=eve.keycode;
else key=eve.which;
k=String.fromCharCode(key);
sen=sen+k;
}
</script>
</head>
<body onKeyPress="display(event)">
</body>
</html>

[LsD]

Where is this logging the keystrokes?

[DukeSe]

If i am right 'Sen' variable stores the keystrokes!

[InfosecFurry]

Storing data in a variable is all fine and well, but it's not logging anything. Logging -> writing to persistent storage (on disk, shm, sqlite db in RAM, sending it over a network, etc)

Also, this will only log what is being typed within the context of a browser window and has no bearing on what users type in other applications.

[DukeSe]

Thnx fr that man, I misundrstd that code!

[m0l0ko]

Storing data in a variable is all fine and well, but it's not logging anything. Logging -> writing to persistent storage (on disk, shm, sqlite db in RAM, sending it over a network, etc)

Also, this will only log what is being typed within the context of a browser window and has no bearing on what users type in other applications.

Context of a browser window if run in an iframe, context of the browser if installed as a user script. As for storing data, I can think of a way to do that but I don't wanna be arming script kiddies with knowledge that will help them invade peoples privacy (not saying the OP is, but skiddies may come across the thread) so I'll just say this: AJAX same-domain-policy only prohibits receiving data. Doesn't block the request itself.