JavaScript: Proof of concept reddit phishing


What it does
If you navigate to programming.reddit.com using IE and open the link titled "J2P: JavaScript to PHP converter" in a new window/tab, the target page will show you nothing more than "Internal server error 500".
However, when you return to the original reddit.com browser window, you will see a page that looks like programming.reddit.com prompting for your username and password.

How it works
In IE, the page being opened can get access to the window that opened it through the window.opener property.
Having the opener window object, it can navigate the original opener window, in the background, to a phishing page that resembles the opener site, just by using window.opener.location.

A strengthened attack could download the original opener page and generate the phishing page dynamically, so that the only differences between the real page and the fake one are the URL in the browser address bar and the box asking for the user account.
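
A site that links out can close this channel from its own side. The following is an added example, not code from the original post: it scans markup for links that open a new window and enforces rel="noopener", which makes window.opener null in the opened page. The function names and the sample markup are constructed for illustration.

```javascript
// Added example, not from the original post. Names and sample markup are
// constructed. Assumes attribute values contain no ">" character.
const SAME_CONTEXT = new Set(["_self", "_parent", "_top"]);

// Constructed sample: two links that expose window.opener, two that do not.
const SAMPLE = [
  '<a href="https://example.org/j2p" target="_blank">J2P converter</a>',
  '<a href="https://example.org/safe" target="_blank" rel="nofollow noopener">ok</a>',
  '<a href="/comments">same window</a>',
  "<a target=external href='https://example.net/x' rel=nofollow>named target</a>",
].join("\n");

// Parse the inside of a start tag into a Map of lower-cased attribute names.
function parseAttrs(tagBody) {
  const attrs = new Map();
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    const name = m[1].toLowerCase();
    // As in HTML parsing, the first occurrence of an attribute wins.
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// Returns { html, findings }. Every <a> whose target opens a new browsing
// context (_blank or a named window) gets rel="noopener" unless it already
// has noopener or noreferrer; findings lists the hrefs that lacked it.
function hardenOpenerLinks(html) {
  const findings = [];
  const out = html.replace(/<a(\s[^>]*)>/gi, (tag, body) => {
    const attrs = parseAttrs(body);
    const target = (attrs.get("target") || "").trim().toLowerCase();
    if (target === "" || SAME_CONTEXT.has(target)) return tag;
    const rel = (attrs.get("rel") || "").toLowerCase().split(/\s+/).filter(Boolean);
    if (rel.includes("noopener") || rel.includes("noreferrer")) return tag;
    findings.push(attrs.get("href") || "(no href)");
    attrs.set("rel", [...rel, "noopener"].join(" "));
    // Rebuild the tag from the parsed attributes, always double-quoted.
    const rebuilt = [...attrs]
      .map(([k, v]) => ` ${k}="${v.replace(/"/g, "&quot;")}"`)
      .join("");
    return `<a${rebuilt}>`;
  });
  return { html: out, findings };
}

console.log(hardenOpenerLinks(SAMPLE).findings);
```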

Wednesday, July 18, 2007


© 2002 - 2008 Kroum Grigorov