The sentence in Qiu's article is very good. Now many technologies are used for cookie restrictions, such as token verification, such as session expiration time. If the card is relatively dead, it is httponly. Once used, if it is a global domain restriction, the whole pain point is reached!
As a result, phishing is a conservative practice with low permissions and has a certain degree of reliability. After obtaining the real account password, it also saves the trouble of complicated encryption. Of course, the premise is that you can understand the art of deception-see the masterpiece of Kevin Mitnick.
At present, there are many xss phishing techniques circulating on the market. Originally, in the era of Internet popularization, there is nothing you can't do, just what you can't think. Many traditional Internet phishing techniques can be converted and applied to xss.
First, redirection and forgery. These two younger siblings think that they are not very attractive. Generally, they can only lie to the careless child paper. In the face of increasing awareness of netizens, if you are not familiar with the website, it is very likely that I did not know anything about it.
Here, the younger brother adds his own opinion. For example, clickjacking is a good method. He will use some temptation, such as using the gentle and soft home of Cang and Wu Er as a guise, cheat you to click something you cannot see and shouldn't click. The same is true for input spoofing in the Form box. After obtaining your input, he may try to pass the image value, post it to the real login page, and then return the orientation. You will find that you have logged on. However, your personal privacy and account secret have been quietly copied somewhere, waiting for the occurrence of evil.
Second, for "advanced" phishing, Qiu GE's philosophy is to hijack and record it at a more concealed level (in other words, Qiu GE seems to have deleted a relatively complete part of it, i'm sorry I didn't see the original article ). One of the methods is to intercept data when the form is submit and obtain the required value through the node. Of course, we can change the trigger and timing of data acquisition. For example, you can perform a fast traversal after entering the last login box (you can avoid intentionally inputting errors or intercepting data integrity), because local JS execution takes precedence over responses from the server. On the other hand, the younger brother doesn't like it too much, that is, the keyboard record hijacking and phishing (I don't know if the soft killer will report the virus based on the characteristics and behavior in the future ), using the built-in triggers of JS can do a lot of things.
The younger brother tried to write down click hijacking, and 360 did not report any danger. It seems that the feature behavior of the soft BS mode may need to be improved, but the browser with a slightly newer version will prompt or directly filter.
In the code, the local path may be configured as the remote path of the Internet zombie, so that the write unexecutable permission can be configured? Smart friends should be able to make more attempts.
The above is the idea of the younger brother. Qiu Ge meant to capture the form or listen to the keyboard and send the form dynamically generated by JS,
The above should be regarded as the box principle. The more powerful script language dynamically accepts parameters, generates entries, and can be stored in the database, reducing the intermediary part, which is also a more common and stable approach.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
