-
Get hidden content from password fields Scenario: Use JavaScript for extraction. Copy and paste the following into the web browser’s console: Extract keystrokes live from a Browser Scenario: Do: Extract Cookies Scenario: Inject/Do: Extract local / session storage Like above: Stealing site passwords Scenario: Then, inject JS which adds an invisible user/username/name text field and…
-
Short: A user opens a link (e.g. from a phishing email) that carries an injection in the URL, which is then executed on the site as long as the user is logged in. See also the command injections post. Classes: Tip: