Cross site scripting vulnerabilities are mistakenly considered unimportant, but they could allow attackers to inject client-side script in web pages visited by victims.
A cross-site scripting (xss) vulnerability may be exploited by hackers to bypass access controls going beyond the exceptions.
An Egyptian information security advisor Ebrahim Hegazy (Zigoo) has found an XSS vulnerability in the Avira license daemon. license.avira.com
But instead of exploiting it in a normal way "alert('MyName')" stuff and then reporting, He decided to demonstrate it to Avira security team in a different mode with the purposes to show how could an XSS vulnerability allows the hackers to steal user accounts with a clear text data!
To demonstrate this attack he has created 4 files:
- avira.html - the fake login page
- log.php - the logger which will log the credentials as clear text into txt file
- avira.txt - credentials will be found here
- done.html - will show a congratulation message to fool the users
In below video is the explanation of the attack methodology:
According to Ebrahim Hegazy, Avira team responded promptly and fixed the flaw in short time. For those who consider XSS vulnerability as low severity vulnerability, now you can change your opinion.
Credits: Ebrahim Hegazy is an information security advisor @Starware Group, acknowledged by Google, Microsoft and Ebay for finding and reporting multiple vulnerabilities in their applications.