A possible attack | by Terriko

A possible attack

But what if one of those people answering wasn't interested in being helpful so much as gaining control over other users? Suppose this person was able to inject a little bit of code (and remember, with over 80% of sites vulnerable at some point in their lifetimes, it may just be a matter of waiting).

 

So here, let's suppose poster #2 has injected some code that changes the login box so that it sends usernames and passwords out to attacker.com.
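A defender's check for the tampering described above, as an added example that is not part of the original presentation: it flags any password-bearing form whose submission target resolves outside the page's own origin. The function names, the `forum.example` page URL and the form descriptors are assumptions constructed for illustration.

```javascript
// Added example (not from the original page). The form descriptors mirror what
// a browser-side collector could read from document.forms: the form's action
// attribute and the types of its input fields.

// Resolve a form's action the way a browser would, relative to the page URL.
// An empty or missing action submits back to the page itself.
function formTarget(action, pageUrl) {
  try {
    const u = new URL(action || "", pageUrl);
    return { scheme: u.protocol, origin: u.origin };
  } catch (e) {
    return { scheme: null, origin: null }; // unparseable action
  }
}

// Return one finding per credential form that would post off-origin.
// allowedOrigins lists extra origins the site really uses (e.g. an SSO host).
function auditForms(forms, pageUrl, allowedOrigins = []) {
  const allowed = new Set([new URL(pageUrl).origin, ...allowedOrigins]);
  const findings = [];
  for (const f of forms) {
    // Only forms that collect a password are of interest here.
    if (!f.fields.some((x) => x.type === "password")) continue;
    const t = formTarget(f.action, pageUrl);
    if (t.scheme !== "https:" && t.scheme !== "http:") {
      findings.push({ id: f.id, reason: "non-http target", target: f.action });
    } else if (!allowed.has(t.origin)) {
      findings.push({ id: f.id, reason: "cross-origin target", target: t.origin });
    }
  }
  return findings;
}

// Constructed sample: an untouched login form and one whose action was rewritten.
const PAGE_URL = "https://forum.example/node/1";
const pw = [{ type: "text" }, { type: "password" }];
const sampleForms = [
  { id: "search", action: "/search", fields: [{ type: "text" }] },
  { id: "user-login", action: "/user/login", fields: pw },
  { id: "user-login-tampered", action: "//attacker.com/collect", fields: pw },
];

console.log(auditForms(sampleForms, PAGE_URL));
```

This only catches a rewritten `action`; injected code that intercepts the submit event instead would not change that attribute. A `Content-Security-Policy: form-action 'self'` header makes the browser refuse cross-origin form submissions regardless of what the page's markup says.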

  

Note: This is part of my presentation on Visual Security Policy for the Web.

 

Note 2: As far as I know, there is no such attack possible on the Drupal forums; I just used them because they made a nice screenshot.

Uploaded on August 23, 2010