The Phishing Guide: Cross-site Scripting Attacks & Hidden Attacks

Friday, June 30th, 2017

Cross-site scripting attacks (commonly referred to as CSS or XSS) make use of custom URL or code injection into a valid web-based application URL or imbedded data field. In general, these CSS techniques are the result of poor web-application development processes.

While there are numerous vectors for carrying out a CSS attack, Phishers must make use of URL formatted attacks. Typical formats for CSS injection into valid URL’s include:

• Full HTML substitution such as:

• Inline embedding of scripting content, such as:

In the example above, the customer has received the following URL via a Phishers email:

While the customer is indeed directed and connected to the real MyBank web application, due to poor application coding by the bank, the ebanking component will accept an arbitrary URL for insertion within the URL field the returned page.

Instead of the application providing a MyBank authentication form embedded within the page, the attacker has managed to reference a page under control on an external server (

Unfortunately, as with most CSS vulnerabilities, the customer has no way of knowing that this authentication page is not legitimate.

While the example URL may appear obvious, the attacker could easily obfuscate it using the techniques explained earlier.

For example,

may instead become: http%3A%2F%2F3515261219%2Fphishing%C0%AEfakepage%2Ehtm

Hidden Attacks

Extending beyond the obfuscation techniques discussed earlier, an attacker may make use of HTML, DHTML and other scriptable code that can be interpreted by the customers web browser and used to manipulate the display of the rendered information.

In many instances the attacker will use these techniques to disguise fake content (in particular the source of the page content) as coming from the real site – whether this is a man-in-the-middle attack, or a fake copy of the site hosted on the attackers own systems.

The most common vectors include:

• Hidden Frames

• Overriding Page Content

• Graphical Substitution

Hidden Frames

Frames are a popular method of hiding attack content due to their uniform browser support and easy coding style. In the following example, two frames are defined. The first frame contains the legitimate site URL information, while the second frame – occupying 0% of the browser interface – references the Phishers chosen content.

The page linked to within the hidden frame can be used to deliver additional content (e.g. overriding page content or graphical substitution), retrieving confidential information such as SessionID’s or some

Hidden frames may be used for:

• Hiding the source address of the attacker’s content server. Only the URL of the master frameset document will be visible from the browser interface unless the user follows a link with the target attribute site to “_top”.

• Used to provide a fake secure HTTPS wrapper (forcing the browser to display a padlock or similar visual security clue) for the sites content – while still using insecure HTTP for hidden page content and operations.

• Hiding HTML code from the customer. Customers will not be able to view the hidden pages code through the standard “View Source” functions available to them.

• “Page Properties” will only indicate the top most viewable page source in most browser software.

• Loading images and HTML content in the background for later use by a malicious application.

• Storing and implementing background code operations that will report back to the attacker what the customer does in the “real” web page.

• Combined with client-side scripting languages, it is possible to replicate functionality of the browser toolbar; including the representation of URL information and page headers.

Overriding Page Content

Several methods exist for Phishers to override displayed content. One of the most popular methods of inserting fake content within a page is to use the DHTML function – DIV. The DIV function allows an attacker to place content into a “virtual container” that, when given an absolute position and size through the STYLE method, can be positioned to hide or replace (by “sitting on top”) underlying content.

This malicious content may be delivered as a very long URL or by referencing a stored script. For example, the following code segment contains the first three lines of a small JavaScript file (e.g. fake.js) for overwriting a pages content.

This method allows an attacker to build a complete page (including graphics and auxiliary scripting code elements) on top of the real page.

Graphical Substitution

While it is possible to overwrite page content easily through multiple methods, one problem facing Phishers is that of browser specific visual clues to the source of an attack.

These clues include the URL presented within the browsers URL field, the secure padlock representing an HTTPS encrypted connection, and the Zone of the page source. A common method used to overcome these visual clues is through the use of browser scripting languages (such as JavaScript, VBScript and Java) to position specially created graphics over these key areas with fake information.

In the example below, the attacker uses carefully positioned fake address bar and padlock/zone images to hide the real information. While the Phisher must use graphics that are appropriate to the manufacturer of the browser software, it is a trivial exercise for the attackers fake web site to determine the browser type and exact version through simple code queries.

Therefore the attacker may prepare images for a range of common browsers and code their page in such a way that the appropriate images are always used.

It is important to note that Phishing attacks in the past have combined graphical substitution with additional scripting code to fake other browser functionality.

Examples include:

• Implementing “right-click” functionality and menu access,

• Presenting false popup messages just as the real browser or web application would,

• Displaying fake SSL certificate details when reviewing page properties or security settings – through the use of images. Using simple HTML embedded commands, an attacker can hijack the entire customer’s desktop (user interface) and construct a fake interface to capture and manipulate what the customer sees.This is done using the window.createPopup() and commands. For example:


Everything contained within this website is strictly provided for entertainment purposes only.


The website owner does not support ANY information posted on this website.

Nothing contained within this site should be construed as legal, medical, or any other professional advice, on any subject matter. does not assume and hereby disclaims any liability to any party for any loss, damage, or disruption caused by errors or omissions, whether such errors or omissions result from accident, negligence, or any other cause. You are taking full responsibility for your actions.  A visitor to this site uses the site at his or her own risk.

Ledger Wallet protects your bitcoins Buy Bitcoin at CEX.IO

Leave a Reply

Your email address will not be published. Required fields are marked *