Wednesday, May 9, 2012
How To perform phishing attack with XSS Vulnerability | Advanced method of phishing
Do you like this story?
Advantages over normal phishing:
In Normal phishing the victim will be given a link which is made by the hacker. A person with basic knowledge can recognize that it was a fake link.But in XSS the victim cannot suspect the link because it contains a trusted URL.Now lets start , in this article i will be showing you that how you will craft your link into A Clint side script link of a XSS vulnerable website. which will confuse even a Smart victim to click on the link & enter private data like emails,password because the phisher link will be crafted in the original link of Xss vulnerable website.
XSS Dorks download here: http://www.mediafire.com/?e76ldj0dw78g4uj
It is a vulnerability typically found in web applications.A hacker can use this vulnerability to inject client-side script into web pages viewed by other users.
What can an attacker do with this?
Attackers can do the following things
- Steal user cookies and can take complete account takeover
- Steal data on web pages viewed by victim
- Deface pages viewed by victim
- Use web pages for phishing
In this article i am going to explain how phishing can be done using XSS vulnerability in web applications.To understand this, you need to have the knowledge of normal phishing.
Advantages over normal phishing:
In Normal phishing the victim will be given a link which is made by the hacker. A person with basic knowledge can recognize that it was a fake link.But in XSS the victim cannot suspect the link because it contains a trusted URL.
Steps involved in the attack
First we need to find a vulnerable website. This can be done using google. Go to google and search using the following Dork.
- Finding a XSS vulnerability
- Craft your link.
- Send the link to your victim
First we need to find a vulnerable website. This can be done using google. Go to google and search using the following Dork.
If it returns an alert box showing “you are hacked”, That site is vulnerable to XSS.
Step 2: Craft your link.
In this step we have to craft a link from the vulnerability of the website.
Your link will look like:
click here to see
You can use your specially crafted link to steal your victim’s information just as in phishing.
EXAMPLE:
You can replace You can replace “http://shreyashcyberworld.blogspot.com/” with your fake login page’s link.Then it takes the victim to your fake login page.
Step 3:Send the link to your victim
Now you can send your specially crafted link to the victim by any means as you do in normal phishing.
Step 2: Craft your link.
In this step we have to craft a link from the vulnerability of the website.
Your link will look like:
click here to see
You can use your specially crafted link to steal your victim’s information just as in phishing.
EXAMPLE:
I am showing you an example with vulnerable link found in google.
Note:
This link is kept here for demonstration purpose only. I will not be held responsible if you do any thing illegal with this and this bug is not fixed yet. If google fixes it,it may not work.
http://www.google.com/search?btnI&q=allinurl:http://shreyashcyberworld.blogspot.com/
When the victim clicks this link,he will be redirected to http://shreyashcyberworld.blogspot.com/ Note:
This link is kept here for demonstration purpose only. I will not be held responsible if you do any thing illegal with this and this bug is not fixed yet. If google fixes it,it may not work.
http://www.google.com/search?btnI&q=allinurl:http://shreyashcyberworld.blogspot.com/
You can replace You can replace “http://shreyashcyberworld.blogspot.com/” with your fake login page’s link.Then it takes the victim to your fake login page.
Step 3:Send the link to your victim
Now you can send your specially crafted link to the victim by any means as you do in normal phishing.
