Before i start my Article first i would like to tell if your a newbie or you r new to then you can lrn phishing here in my previous articles:
facebook phishing , How to perform phishing manually
Advantages over normal phishing:
In Normal phishing the victim will be given a link which is made by the . A person with basic knowledge can recognize that it was a fake link.But in XSS the victim cannot suspect the link because it contains a trusted URL.
Now lets start , in this article i will be showing you that how you will craft your link into A Clint side script link of a XSS vulnerable website. which will confuse even a Smart victim to click on the link & enter private data like emails, because the phisher link wiill be crafted in the original link of Xss vulnerable website.
What is Cross site Scripting(XSS)?
It is a vulnerability typically found in web appliions.A can use this vulnerability to inject client-side script into web pages viewed by other users.
A Web appliion vulnerable to XSS allows a user to inadvertently send malicious data to self through that appliion.
Attackers often perform XSS ation by crafting malicious URLs and tricking users into clicking on them.
These links cause client side scripting languages )VBScript, JavaScript etc,) of the attacker s choice to execute on the victim's browser.
XSS vulnerabilities are caused by a failure in the web appliion to properly validate user input.What can an attacker do with this?
Stl user cookies and can take complete account takeoverStl data on web pages viewed by victimDeface pages viewed by victimUse web pages for phishing
Lets Start Our Attack Demonstration:
1. The very firs thing you have to do is, find An Xss Vulnerable Website
This can be done using google.Go to google and srch using the following Dork.
inurl: "srch.p?q="
To test the vulnerability you can inject the following in srch fields,comment fields of your website.
<script>alert(" dev")</script>If it returns an alert box showing “ dev”, That site is vulnerable to XSS.
2. this is a very main part , how to craft your link:
Your link will look like
http://site.com/srch.p?q=<script>alert("you are ")</script>
You can use your specially crafted link to stl your victim’s information just as in phishing|
EXAMPLE:
I am showing you an example with vulnerable link found in google.
Note:
This link is kept here for demonstration purpose only. I will not be held responsible if you do any thing illegal with this and this bug is not fixed yet. If google fixes it,it may not work.
http://www.google.com/srch?btnI&q=allinurl:http://www.devzcyberarena.blogspot.com/You can replace“http://www.devzcyberarena.blogspot.com/”with your fake login page’s link.Then it takes the victim to your fake login page.
Step 3:Send the link to your victim
Now you can send your specially crafted link to the victim by any mns as you do in normal phishing.
This is such a dangerous vulnerability in web appliions. It got2nd rankinOWASPtop10 vulnerabilities.If a finds thisvulnerabilityin any of the bank websites, he can attempt a malicious attack against the customers of thebankand stl lots of information likecredit cards, account s, s etc by simplysending a group mailto the customers of the bank.
No comments:
Post a Comment