Monday, November 25, 2024
HomePhishingNew Attack Called "XSSJacking" Discovered That Combined of Clickjacking, Pastejacking and...

New Attack Called “XSSJacking” Discovered That Combined of Clickjacking, Pastejacking and Self-XSS Attacks

Published on

A New Attack method called “XSSJacking” a type of Web application Clickjacking, Pastejacking and Self-XSS Web application based Attack Discovered by the Security Researcher Dylan Ayrey.

While Clickjacking vulnerability existing in particular page, this attack will trigger Self-XSS.

“SelfXSS is a social engineering attack used to gain control of victims’ web accounts.In a selfXSS attack, the victim of the attack accidentally runs malicious code in his/her own web browser, thus exposing it to the attacker

- Advertisement - SIEM as a Service
Clickjacking Attack performs when an attacker to trick a user into clicking on a button or link on another page when they were intending to click on the top level page.

Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

How “XSSJacking” Works

Researcher Explained About the “XSSJacking”,

This attack leverages Pastejacking to force users to paste XSS payloads into text fields framed from other domains.These frames can be redressed, made invisible, and overlayed on top of other UI elements, making the user think they’re interacting with another website.

Pastejacking

We Testing this vulnerability by “Pastejacking Attack” that allow to victim copy the email address instead of typing and past it in the Test forum registration page, you place an “Enter your email” field and a “Retype your email” field.

Try This Demo

Most of the people, “copy-paste it in the second field” unknowingly malicious website has appended malicious code after his copy-paste text and inserted it into his Good Website settings page.

“After the copy, the contents of their clipboard get overwritten with <script>alert(1)</script>

This method can be combined with a phishing attack to entice users into running seemingly innocent commands.

The malicious code will override the innocent code, and the attacker can gain remote code execution on the user’s host if the user pastes the contents into the terminal, researcher Said

XSSJacking attacks, a malicious actor can steal cookies, inbox messages, change profile settings (phone numbers, emails, etc.), to steal profile details, or perform other malicious actions.

“XSSJacking was a way to chain the two issues together in such a way that got unsuspecting logged in users to XSS themselves,” Ayrey said.

Also Read:

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting...

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ...

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to...

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities,...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting...

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by...

5 Hackers Charged for Attacking Companies via Phishing Text Messages

Federal authorities have unsealed charges against five individuals accused of orchestrating sophisticated phishing schemes...