[Owasp-delhi] Phishing with XSS

vaibhav aher vaibhavaher at gmail.com
Fri Feb 27 01:00:10 EST 2009


Hello friends, I don't think IE 7 will ask the user to save the script. I
have successfully tested XSS phishing on Orkut.com with IE7. Looking at
the scenario Nilesh performed, maybe it depends on the script you are
using.


Regards
Vaibhav

On Thu, Feb 26, 2009 at 11:34 AM, <nileshkumar83 at gmail.com> wrote:

> Hi Parmendra!
>
> > Now my question is that for performing the above-said case, this script
> > needs to be executed by the browser without the user's consent. In the
> > general scenario, while requesting a script like this, first a pop-up is
> > given by the browser asking whether to run or to save the script.
>
> I think it's the case regarding IE7 only; otherwise all major web browsers
> and their latest versions like FF 3.1, IE 6 and Opera 9.63 will not ask the
> user to save the script. However, I have not tried all the browsers for your
> particular case, but in other conditions (while I was doing some experiments
> with ClickJacking) they rarely show any warning except IE7, which shows that
> an ActiveX control or popup needs to run.
> However, a normal user can agree to click Yes to run the popup.
>
> Wait for other expert comments too....
>
>
>
> --
> Thanks & Regards,
> Nilesh Kumar,
> Security Specialist | Governance Risk Compliance
> www.nileshkumar83.blogspot.com
> www.linkedin.com/in/nileshkumar83
> Mobile- +91-9891524880


-- 
Vaibhav Aher
ISO27001,C|EH
Security Consultant
+91 09225325661