The
script would search the victim??™s contact list and send e-mails to each contact on the victim??™s
list. Each contact would receive an e-mail from a reputable source (the victim),
asking the contact to click some link. Once the person clicked the link, the contact becomes
the victim, and the process repeats with his or her contacts list.
XSS worms grow at extremely fast speeds, infecting many users in a short period
of time and causing large amounts of network traffic. XSS worms are effective for
Chapter 2: Cross-Site Scripting 47
transporting other attacks, such as phishing attacks, as well. Interestingly, attackers
sometimes add hidden HTML content to the web application that runs a plethora of
browser attacks. If the user is not running an up-to-date web browser, the attacker can
take complete control of the user??™s machine. In this instance, XSS is used to transport
some other vulnerability.
Step 3: Luring the Victim
At this point, you know how to find an HTML injection and know the evil things an attacker
can do if he can get a user to click an link leading to an HTML injection. Sometimes
the HTML injection will activate during typical user interaction. Those are the most
effective methods.
Pages:
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127