Image

"Obviously the first step would be to obtain a copy of the website’s source for the login page," comments the researcher. "You could do this by saving the source code after viewing it manually, but this is time consuming and inefficient, as for the page to look identical you would need to individually download every single image that’s on the page and ensure that they are saved in the correct directories, as well as creating a bunch of relevant directories or altering the paths to images and other pages in the source code. Alternatively you can use some website mirroring software to automate this process, which is what I suggest doing."MLT details his use of the WebHTTrack software to save all of the necessary web files, which are downloaded into the correct directory. He next discusses how he changed the form inputs to direct to his PHP script rather than eBay's login script. After locally testing the forms, the researcher reveals how he was able to include the link to his phishing page in eBay's code.
"In the example of ebay, the XSS vulnerability was not tag-based but was rather pure javascript, so rather than including an iframe directly as input to the ?url= get param, the javascript document.write function needed to be used to write the HTML contents to the page and embed the iframe," he observes.Ultimately, he injected an iframe containing his phishing link into the code, thereby creating a very convincing fake eBay log-in page:
Image
