Chapter 10
Figure 10-3: Credential harvester report
Tabnabbing

In a tabnabbing scenario, a target is caught while accessing a website with multiple tabs open. When the target clicks a link, he is presented with a “Please wait while the page loads” message. When the target switches tabs, the website detects that a different tab has focus and rewrites the web page that presented the “Please wait . . .” message with a website you specify. Eventually, the target clicks the tabnabbed tab, and, believing he is being asked to sign in to his email program or business application, he enters his credentials into the malicious look-alike site. The credentials are harvested, and the target is redirected to the original website. You can access the tabnabbing attack vector through SET’s web attack vector interface.
Man-Left-in-the-Middle

A man-left-in-the-middle attack uses HTTP referers on an already compromised site or a cross-site scripting (XSS) vulnerability to pass the target’s credentials back to the HTTP server. If you find an XSS vulnerability and send the URL to the target, who then clicks the link, the website will operate normally, but when the target logs into the system, his credentials are passed to the attacker. The man-left-in-the-middle attack vector can be accessed through SET’s web attack vector interface.
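The two ingredients of the man-left-in-the-middle vector described above are referer leakage and script injection, and both are things a site owner can check for in the response headers of a login page. The following is an added example, not code from the book or from SET: a small Node.js audit that takes a response's header map (lowercased names, as Node's http module returns them) and reports whether a strict Referrer-Policy is set and whether the Content-Security-Policy restricts script sources and form submission targets. The sample header sets at the bottom are constructed for the example.

```javascript
// Added example (not from the book or SET): audit an HTTP response's headers
// for the controls that blunt the referer-leak / XSS credential-relay scenario.
// Referrer-Policy values that never send the full URL to a cross-origin host.
const STRICT_REFERRER_POLICIES = new Set([
  'no-referrer',
  'same-origin',
  'strict-origin',
  'strict-origin-when-cross-origin',
]);

// Parse "default-src 'self'; form-action 'self'" into a Map of
// directive name -> array of source expressions.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Returns an array of finding strings; an empty array means nothing was flagged.
// `headers` is a plain object keyed by lowercased header name.
function auditHeaders(headers) {
  const findings = [];

  const rp = (headers['referrer-policy'] || '').trim().toLowerCase();
  if (!rp) {
    findings.push('missing Referrer-Policy: browsers may send the full page URL in the Referer header to cross-origin destinations');
  } else if (!STRICT_REFERRER_POLICIES.has(rp)) {
    findings.push(`weak Referrer-Policy "${rp}": full URL can still reach cross-origin hosts`);
  }

  const csp = headers['content-security-policy'];
  if (!csp) {
    findings.push('missing Content-Security-Policy: injected script can run and post form data to any host');
    return findings;
  }
  const d = parseCsp(csp);
  // script-src falls back to default-src when absent (standard CSP semantics).
  const scriptSrc = d.get('script-src') || d.get('default-src') || [];
  // 'unsafe-inline' is only neutralised when a nonce or hash is also present; that case is not checked here.
  if (scriptSrc.includes("'unsafe-inline'") || scriptSrc.includes('*')) {
    findings.push(`permissive script-src [${scriptSrc.join(' ')}]: inline or third-party script injection is not blocked`);
  }
  // form-action does NOT fall back to default-src, so it must be set explicitly.
  if (!d.has('form-action')) {
    findings.push('CSP lacks form-action: an injected form could submit credentials to a third-party host');
  }
  return findings;
}

// Constructed sample header sets (not captured from any real site).
const weakHeaders = { 'content-type': 'text/html' };
const hardenedHeaders = {
  'content-type': 'text/html',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'content-security-policy': "default-src 'self'; script-src 'self'; form-action 'self'",
};

console.log('weak:', auditHeaders(weakHeaders));
console.log('hardened:', auditHeaders(hardenedHeaders));
```

Pointing this at a real login page is a matter of issuing a request with Node's http or https module and passing `res.headers` to `auditHeaders`; the function deliberately stops after the missing-CSP finding, since the directive checks are meaningless without a policy to parse.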