| PDF Title | Ethical Hacking and Penetration Testing Guide |
|---|---|
| Total Pages | 523 Pages |
| Author | Baloch Rafay |
| PDF Size | 22.4 MB |
| Language | English |
| Source | rafaybaloch.com |
| PDF Link | Available |
Summary
Here on this page, we have provided the latest download link for Ethical Hacking and Penetration Testing Guide PDF. Please feel free to download it on your computer/mobile. For further reference, you can go to rafaybaloch.com
Ethical Hacking and Penetration Testing Guide
Exploiting XSS for Conducting Phishing Attacks: Let’s assume that you have managed to find an XSS in paypal.com and they are using an HTTP-only cookie flag to prevent JavaScript from accessing their authentication cookie. Hence, you are not able to steal cookies; however, you can still conduct other attacks such as a phishing attack.
In a phishing attack, an attacker creates a fake page of a website that looks exactly like the original page and then tricks the victim into logging in to that page.
With XSS, you can launch a phishing attack by redirecting the users to your fake page by using the location property. Here is the code you would inject in the input vulnerable to XSS, which would simply redirect the victim to your own page.
This attack, however, is not stealthy. A slightly more advanced version of this attack would be to load an external js that would automatically manipulate the location that the log-in form would redirect to after the victim enters the credentials. In this way, you can manipulate the forms to redirect to a location that you control, and hence anything that the victim passes through the form would be saved.
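A defensive counterpart to the form-manipulation variant described above, as an added example that is not from the book or this page: a simplified JavaScript model of the CSP `form-action` directive, showing that a policy without it lets a log-in form post to any origin, while a policy with it confines submissions. The hostnames and policy strings are constructed placeholders, and only `'none'`, `'self'` and exact `scheme://host` sources are modelled.

```javascript
// Constructed sample policies; all hostnames are placeholders.
const POLICIES = {
  weak: "default-src 'self'; script-src 'self'",
  hardened:
    "default-src 'self'; script-src 'self'; form-action 'self' https://pay.example.com",
};

// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Decide whether a form on `pageUrl` may submit to `action` under `header`.
// Simplified model: no wildcards, paths or scheme-only sources.
function formSubmissionAllowed(header, pageUrl, action) {
  const sources = parseCsp(header).get('form-action');
  // form-action does NOT fall back to default-src: when the directive is
  // absent, the browser allows submission to any target.
  if (sources === undefined) return true;
  const target = new URL(action, pageUrl).origin; // resolves relative actions
  const self = new URL(pageUrl).origin;
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === "'self'") return target === self;
    try {
      return new URL(s).origin === target;
    } catch {
      return false; // keyword or source form this model does not support
    }
  });
}
```

The `weak` policy looks restrictive because of `default-src 'self'`, yet it places no limit on where forms submit; only an explicit `form-action` directive does.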