Form Data Theft
A similar approach to the one demonstrated for URL session theft can be applied to the
document.forms collection, whose entries can be iterated just as easily as links. By changing the
value of each action attribute, the attacker can transparently force the form content to be sent
to a third-party site:
for (i=0; i<document.forms.length; i++)
be greatly simplified, making it far easier to generate and place on a victim site. Since most
In this instance, the credit card information form, which goes by the name of cc_details, is
specifically targeted. As in the previous example, its action attribute is modified to point at a
third-party location, but unlike the previous exploit, it requires only one line of very simple code.
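From the defender's side, the rewritten action attribute is observable. The following added example (not code from the original paper) audits a page's forms and reports any whose action resolves outside an origin allowlist. The function names auditFormActions and attr, and the hosts shop.example, payments.example and collector.invalid, are assumptions made for illustration.

```javascript
// Added defensive example (not from the original paper).
// Flags forms whose action attribute resolves outside an origin allowlist.
// In a browser, call auditFormActions(document.forms, location.href).

// Read an attribute without trusting form.action / form.name directly:
// on a real <form>, a child input named "action" shadows the property.
function attr(form, key) {
  if (typeof form.getAttribute === "function") return form.getAttribute(key);
  return form[key]; // plain objects, as in the constructed sample below
}

function auditFormActions(forms, pageUrl, allowedOrigins = []) {
  const pageOrigin = new URL(pageUrl).origin;
  const allowed = new Set([pageOrigin, ...allowedOrigins]);
  const findings = [];
  for (const form of Array.from(forms)) {
    const name = attr(form, "name");
    const raw = attr(form, "action") || ""; // empty action posts to the page itself
    let target;
    try {
      target = new URL(raw, pageUrl); // resolve relative actions as the browser does
    } catch (e) {
      findings.push({ name, action: raw, origin: null, reason: "unparseable action" });
      continue;
    }
    // An origin covers scheme, host and port, so an https -> http downgrade
    // and javascript:/data: actions (origin "null") are reported as well.
    if (!allowed.has(target.origin)) {
      findings.push({ name, action: target.href, origin: target.origin, reason: "off-origin action" });
    }
  }
  return findings;
}

// Constructed sample: the forms of a checkout page after an injected script has run.
const sampleForms = [
  { name: "search", action: "/search" },
  { name: "login", action: "" },
  { name: "cc_details", action: "https://collector.invalid/c" },
  { name: "pay", action: "https://payments.example/charge" },
];
const sampleFindings = auditFormActions(
  sampleForms, "https://shop.example/checkout", ["https://payments.example"]);
console.log(sampleFindings);
```

A Content-Security-Policy header with the form-action directive (for example form-action 'self') has the browser enforce the same restriction at submission time.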
The one thing that may make injection difficult is that quotes must encompass the argument.
Single and double quotes are generally escaped or stripped and may make the XSS attack
But even if you have validation routines to encode or remove quotes, you still may be
vulnerable to an XSS attack. Unlike strings, numbers do not need to be quoted. By using the