Skip to main content

New Attack Called “XSSJacking” Discovered That Combined of Clickjacking, Pastejacking and Self-XSS Attacks

By

New Attack Called “XSSJacking” Discovered That Combined of Clickjacking, Pastejacking and Self-XSS Attacks


A New Attack method called “XSSJacking” a type of Web application Clickjacking, Pastejacking and Self-XSS Web application based Attack Discovered by the Security Researcher Dylan Ayrey.
While Clickjacking vulnerability existing in particular page, this attack will trigger Self-XSS.

“SelfXSS is a social engineering attack used to gain control of victims’ web accounts.In a selfXSS attack, the victim of the attack accidentally runs malicious code in his/her own web browser, thus exposing it to the attacker
Clickjacking Attack performs when an attacker to trick a user into clicking on a button or link on another page when they were intending to click on the top level page.

Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

How “XSSJacking” Works

Researcher Explained About the “XSSJacking”,
This attack leverages Pastejacking to force users to paste XSS payloads into text fields framed from other domains. These frames can be redressed, made invisible, and overlayed on top of other UI elements, making the user think they’re interacting with another website.

Pastejacking

We Testing this vulnerability by “Pastejacking Attack” that allow to victim copy the email address instead of typing and past it in the Test forum registration page, you place an “Enter your email” field and a “Retype your email” field.

Try This Demo



Most of the people, “copy-paste it in the second field” unknowingly malicious website has appended malicious code after his copy-paste text and inserted it into his Good Website settings page.
“After the copy, the contents of their clipboard get overwritten with

 <script>alert(1)</script>

This method can be combined with a phishing attack to entice users into running seemingly innocent commands.
The malicious code will override the innocent code, and the attacker can gain remote code execution on the user’s host if the user pastes the contents into the terminal, researcher Said
XSSJacking attacks, a malicious actor can steal cookies, inbox messages, change profile settings (phone numbers, emails, etc.), to steal profile details, or perform other malicious actions.
“XSSJacking was a way to chain the two issues together in such a way that got unsuspecting logged in users to XSS themselves,” Ayrey said.

Comments

Post a Comment

Popular posts from this blog

Find Identifying Information from a Phone Number Using OSINT Tools

By
Find Identifying Information from a Phone Number Using OSINT Tools Phone numbers often contain clues to the owner's identity and can bring up a lot of data during an OSINT investigation. Starting with a phone number, we can search through a large number of online databases with only a few clicks to discover information about a phone number. It can include the carrier, the owner's name and address, and even connected online accounts. While a phone number may not seem like much information to give out, an OSINT researcher can quickly discover information that ties a phone number to a variety of other clues. The data can be used to detect whether a phone number is a throwaway VoIP number used to hide the owner's identity or a cell phone belonging to a real person. In the event of buying something online or replying to an apartment ad,
Post a Comment
Read more

setting up persistent connection using meterpreter

By
setting up persistent connection using meterpreter expert metasploit penetration testing course episode 26 for all course please follow this link expert metasploit penetration testing course
Post a Comment
Read more

Learn Website Hacking Penetration Testing From Scratch

By
       Learn Website Hacking Penetration Testing From Scratch     lesson 4 what is the website    
Post a Comment
Read more