It’s much later than I wanted to post this, but here finally is the demonstration I did for Security-Zone 2008. Because there are already so many resources about XSS and SQL injection out there, this post is only about the hidden phishing method.
How it works:
- The attacker needs an XSS vulnerability at example.com
- hackIt.js is configured and included in example.com by injecting it through a script tag
- hackIt.js knows from its configuration where the login page of example.com is
- The script replaces the content of the infected page at example.com with a copy of the login page, which is loaded through an XMLHttpRequest
- hackIt.js automatically finds the login form and its input fields in the “faked” login page
- The submit button of the login form becomes a normal button without its submit functionality, but now with an onclick handler
- As soon as the user clicks the submit button to log in, an image is dynamically added to the DOM tree; it points to a server-side script at evil.com and includes the values of the login fields in its URL.
- Because loading an image sends an HTTP GET request to the image’s location, the attacked user’s login credentials are sent to evil.com in cleartext, where the attacker can store them
- Last but not least, hackIt.js submits the login form normally to its originally intended location.
- If the user has no proxy or other tampering mechanism in place, he/she will never find out that the login credentials have been sent to evil.com
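As an added defender-side example (not the post’s hackIt.js, which is not published here), the following checks whether a dynamically added image’s URL matches the exfiltration step in the list above: it points at another origin and names the page’s own login fields in its query string. The helper names `inspectImageSrc` and `watchForBeacons`, the field names and the hosts are assumptions of this example.

```javascript
// Added detection example (not the post's hackIt.js): flags an <img> whose src
// points at another origin and names the page's own login fields in its query
// string, which is the exfiltration step described in the list above.
// Field names and hosts below are constructed sample values.

const LOGIN_FIELDS = ['username', 'password']; // assumed names of the form inputs

// Returns a report; `suspicious` is true only when the image URL is
// cross-origin AND carries at least one login field name as a parameter.
function inspectImageSrc(src, pageUrl, loginFields = LOGIN_FIELDS) {
  let url;
  try {
    url = new URL(src, pageUrl); // relative srcs resolve against the page
  } catch (e) {
    return { suspicious: false, crossOrigin: false, host: null, leakedFields: [] };
  }
  const crossOrigin = url.origin !== new URL(pageUrl).origin;
  const leakedFields = [];
  for (const [name] of url.searchParams) {
    if (loginFields.includes(name.toLowerCase())) leakedFields.push(name);
  }
  return { suspicious: crossOrigin && leakedFields.length > 0, crossOrigin, host: url.host, leakedFields };
}

// Browser-only: watch the DOM for images added after page load (the beacon is
// inserted only when the user clicks the replaced submit button) and report
// any that match. Returns null outside a browser so the file also runs in Node.
function watchForBeacons(pageUrl, onAlert) {
  if (typeof MutationObserver === 'undefined' || typeof document === 'undefined') return null;
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeName !== 'IMG') continue;
        const report = inspectImageSrc(node.getAttribute('src') || '', pageUrl);
        if (report.suspicious) onAlert(report);
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}
```

In a browser, `watchForBeacons(location.href, console.warn)` started early in the page reports such images; on the server side, a Content-Security-Policy that restricts `script-src` and `img-src` blocks both the injected script and the beacon outright.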
I know it sounds quite complex, but it’s really easy once you get the point. If there are any questions, I’m glad to answer them as a comment or by email.
Because I’m not sure whether it’s a good idea to post the source code (even though it’s really easy to write on your own), I decided not to make it available through my blog, but if you’d like to receive the code, just let me know directly. Anyway, below you can watch a small video which demonstrates the attack, performed by the script.
Hi, bro. Can you send the source code to me? It looks very cool.