This page provides a short and simple example of JavaScript's capability to snoop on any form in the same browser instance (DOM).
This page provides two search forms that will open in new tabs when clicked. One form is left alone, but the other is bugged by JavaScript, and you will see your search arguments added to the calling page. In the case of an e-commerce skimmer, the criminals would likely collect all elements of the form and forward them to another web server. For our demonstration purposes, it is enough to show that the script can capture the data entered into the form and use it for a side purpose.
Your results will be displayed in another tab.
Your results will be displayed in another tab. But come back here for the surprise ...
Note: If you are using a script blocker, e.g. NoScript, this will not operate as intended.
You can check out the link as follows:
This is not intended to be a full-function form hijacker, and it omits much of the polish and many of the evasion methods used by criminal gangs in e-commerce skimmers. Normally a skimmer would simply be included as a JavaScript file via a link (below); we've left this as an inline script for clarity and simplicity:
<script src="https://any-third-party-script-site.org/package.js"></script>
Our example is deliberately minimalistic. We wanted an example that was clear, uncluttered, and free of excesses. This is provided on a stand-alone page without styles, branding, or other trappings of a modern web site. No server is needed and you could run this from a file on your desktop.
In the case of a real skimmer, no amount of inspection of your web host or your source will find the problem. You need to look at the third-party site! Most shopping carts include third-party scripts from dozens of URLs, every one a potential risk. Your entire site could be housed on an optical drive with continuous file integrity checking and you would not detect a change of code on a third-party site. This effectively demonstrates the risks of using third-party scripts you have no control over.
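A defender's inventory of the risk described above, as an added example that is not part of the original page: it lists the external scripts a page includes and flags third-party ones loaded without a Subresource Integrity (SRI) hash. The function names, shop.example.com and the sample markup are assumptions constructed for illustration.

```javascript
// Added example: audit static markup for third-party <script src> includes.
// Scripts injected at runtime by other scripts are not visible to this check.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

function auditScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const m of html.matchAll(/<script\b([^>]*)>/gi)) {
    const attrs = parseAttributes(m[1]);
    if (!attrs.src) continue;                 // inline: lives in your own source
    const src = new URL(attrs.src, page);     // resolves relative and //host URLs
    if (src.origin === page.origin) continue; // first party
    findings.push({
      host: src.host,
      url: src.href,
      hasIntegrity: Boolean(attrs.integrity), // SRI pins the exact file content
      insecureTransport: src.protocol !== "https:",
    });
  }
  return findings;
}

// Hosts whose code can change without any change on your own server.
function unpinnedHosts(findings) {
  return findings.filter((f) => !f.hasIntegrity).map((f) => f.host);
}

// Constructed sample markup; every host and the hash are placeholders.
const SAMPLE_HTML = `
<script src="/js/cart.js"></script>
<script src="https://any-third-party-script-site.org/package.js"></script>
<script src="//cdn.example.net/lib.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="http://tracker.example.org/t.js" async></script>
<script>console.log("inline");</script>
`;

const sampleFindings = auditScripts(SAMPLE_HTML, "https://shop.example.com/checkout");
console.table(sampleFindings);
console.log("Unpinned third-party hosts:", unpinnedHosts(sampleFindings));
```

An integrity hash only helps for files the third party serves at a fixed version; a pinned script that itself loads further scripts still has to be reviewed separately.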