Aim : To help you understand how your confidential details can be stolen with this new undetectable technique of phishing and how to be safe from it.
Being secure on the internet is one of the important issue these days. Companies are spending millions of dollars on making their web services more secure, Still, hundreds of vulnerabilities are discovered and exploited daily. This new method of phishing is done by exploiting one of the critical web vulnerability named Cross Site Scripting also known as XSS . It is undetectable by the major web browsers. This article will help you to understand more deeply about this new attack and will help you to be safe from this undetectable technique.
Since we are talking about web applications, there are many types of security vulnerabilities which are discovered in the past years. Regarding this article we are only concerned with the vulnerability named Cross Site Scripting or XSS .
What is Cross Site Scripting or XSS Vulnerability
Cross Site Scripting is a type of attack by which attacker injects malicious scripts into the legit website via vulnerable part of the website generally in the form of browser side script. XSS is at 3rd position in the OWASP Top Ten Web Vulnerabilities of 2013. By exploiting the XSS vulnerability the attacker can execute scripts in the victim browser to hijack user sessions , stealing the confidential details, redirecting to some malicious website and etc.
XSS is categorized into following main types:
• Stored XSS.
• Reflected XSS.
• DOM Based XSS
Phishing Next Level
What is Phishing ?
Phishing is method of attempting to steal confidential details like username/password, credit card numbers etc by posing a customized web page as a legit entity . When the victim fills in the details on the customized web page , their filled details will be sent to the attacker’s server.
How the old phishing method is performed ?
In the old method of phishing a duplicate web page is designed which looks exactly same as the original web page. This duplicate web page is then customized to steal the filled details . After customizing , its uploaded to some website whose domain name is different from the original website.
Since the domain name of the customized pages is always different so , there is a easy way to detect those websites by checking the domain name before clicking any link. Also this type of phishing is now detected automatically by some browsers.
Phishing : New Method or Next Level
The new method of phishing is:
• Totally undetectable by most of the browsers.
• Domain name is same as original website.
How it works
As we read above this phishing technique is done by exploiting Cross Site Scripting vulnerability. We are mainly concerned with Reflected XSS and DOM Based XSS of Cross Site Scripting types. Reflected XSS is most critical and widely exploited web vulnerability.Lets have brief information about Reflected XSS and DOM Based XSS.
What is Reflected XSS vulnerability or Non Persistent XSS
Reflected XSS attacks are those where the scripts are injected mostly through URL or the parameters in the URL of the website . The attack is injected in the URL itself, when the victim visits the malicious URL the attack gets executed. For example :
Fig 1(Before) : XSS Vulnerable Web Page Fig 2: After Injecting Script
As you can see in the Fig 2 the injected script or code in the user parameter of the URL is successfully executed which means the website is vulnerable to Reflected XSS .
What is DOM Based XSS
To understand DOM Based XSS , we must know what DOM means. Please read about DOM on the following website.
How the new method of phishing is performed. The new method of phishing is performed by exploiting the XSS(Reflected or DOM Based ) vulnerability and by using the Iframe object of HTML mostly. Lets understand it more clearly by a simple example .
Exactly as the Fig 2 , I changed the injected code to a html iframe code. Now take a look at the output below
I injected some text and the iframe code in the “user” parameter of the URL. If someone will fill the username and password in the input boxes, it will be sent to the attacker email address or server. As you can see the page is looking very realistic and the domain name is same , that’s the reason the victim can be easily trapped and their login details can be stolen easily. This is not automatically detectable by any of the web browser but at the end of the article , its explained how to detect it manually.
My finding related to this article on Nokia OVI Store Homepage
Being a security researcher I have reported major vulnerabilities to companies like Google,Facebook, Nokia, Microsoft etc. Last year I reported a critical Reflected DOM Based XSS to Nokia in their OVI store homepage. By exploiting this vulnerability I could steal login details of ovi store users by sending a simple URL to them. Lets have a look at the screenshot below:
As you can see the page is looking totally legit but if someone will fill in their details in the login area their details will be sent to my specified email address instantly. This vulnerability was fixed within some days after reporting to Nokia Security Team and they rewarded me with a Nokia handset.
How to be safe from this phishing method
•Analyze full URL
This is the only method to be safe from this phishing technique but remember the injected malicious code in the URL can be encoded too. So, before clicking or visting any URL make sure to analyze it properly. Always check
– Conclusion: To be secure on the internet these days is a challenge , but if you are aware of what is happening in the world of web application security then its easy to be safe. Daily tens of vulnerabilities are being discovered and exploited . I tried to include every aspect regarding this new phishing technique , but its not enough to be secure. Read more about the other top 10 web vulnerabilities of 2013 collected by OWASP at the following url.