[Owasp-delhi] Phishing with XSS

nileshkumar83 at gmail.com nileshkumar83 at gmail.com
Thu Feb 26 01:04:15 EST 2009


Hi Parmendra!

> Now my question is that for performing the abovesaid case this script needs
> to be executed by the browser without the user's consent. In a general
> scenario, while requesting a script like this, first a pop-up is given by
> the browser asking whether to run or to save the script.

I think that is the case for IE7 only; otherwise all major web browsers
and their latest versions, like FF 3.1, IE 6 and Opera 9.63, will not ask the
user to save the script. However, I have not tried all the browsers for your
particular case, but in other conditions (while I was doing some experiments
with ClickJacking) they rarely show any warning, except IE7, which shows that
an ActiveX control or popup needs to run.
However, a normal user can agree to click Yes to run the popup.

Wait for other expert comments too....



-- 
Thanks & Regards,
Nilesh Kumar,
Security Specialist | Governance Risk Compliance
www.nileshkumar83.blogspot.com
www.linkedin.com/in/nileshkumar83
Mobile- +91-9891524880