New Phishing Technique Works on Multiple BrowsersBy Larry Seltzer | Posted 2004-07-19 Email Print
Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce
Multiple financial and other sites are subject to a cross-site scripting attack. HTTPS sites reportedly are just as vulnerable.A British Web developer has revealed a new form of a cross-site scripting, or XSS, attack that facilitates phishing activities.
The attack, demonstrated by the developer on his own site, allows an attacker to execute scripts in the context of another Web site. Testing by eWEEK.com indicates that the attack works on both Internet Explorer on Windows XP with Service Pack 2 (Release Candidate 2) and on the Mozilla Firefox 0.9.1 browser.
After executing the attack, the user is brought to a Web page running on the victim site (a banking site, for example), but incorporating script from the attacker site. The main, obvious effect of the attack is that the page appears to be running in the victim site, but is incorporating elements from the attacker site. An attacker could therefore use the technique to persuade a user to provide personal information. The effect is more difficult to detect by casual observation than many other previous phishing techniques.
Cross-site scripting attacks have been a hot item recently in security circles, but usually as a way to run scripts in the local machine context for a browser user and attack that computer. Using it against a Web site to spoof that site is new.
Netcraft adds: "Although cross-site scripting has been a well known technique for over four years, it is an easy mistake for programmers to make, and can be an awkward one to test thoroughly."