Symbol:[ user input ]
Shares:[ user input ]
// Client Side Code
<form action="buy.jsp" method="POST">
<p>Symbol: <input type="text" name="symbol" /></p>
<p>Shares: <input type="text" name="shares" /></p>
<p><input type="submit" value="Buy" /></p>
</form>
- User logs into trusted server using his/her credentials
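<%
// Trusted Server
String symbol = null;
String shares = null;
symbol = request.getParameter("symbol");
shares = request.getParameter("shares");
// The order is accepted whenever both parameters are non-empty;
// nothing here checks where the request originated.
if (symbol != null && !symbol.isEmpty() && shares != null && !shares.isEmpty()) {
session.setAttribute("buy_stocks", symbol);
}
%>
- Server sets a session cookie in the user’s browser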
- Attacker sends a phishing mail tricking the user into sending a request to a malicious site (Attacker)
- User requests a page from the malicious server
// Malicious Code
<img src="http://example.com/myshop.jsp?symbol=MSFT&shares=1000">
- Response page contains malicious code
- Malicious code is executed in the trusted server
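The flow above works because the trusted server accepts any request that arrives with the session cookie. As an added example (not code from the original page), here is the same buy handler requiring a per-session token that a cross-site request cannot supply. The class name, the `csrf_token` field name and the use of a plain `Map` in place of `HttpSession` are assumptions made so the example runs stand-alone.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class CsrfTokenDemo {
    private static final SecureRandom RNG = new SecureRandom();

    // Run when the trusted server renders the buy form: mint a random token,
    // bind it to the session, and return it for a hidden form field.
    static String issueToken(Map<String, Object> session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put("csrf_token", token);
        return token;
    }

    // Hardened buy handler: changes state only for a POST that carries the
    // token bound to this session. The session cookie alone is not enough.
    static boolean handleBuy(String method, Map<String, String> params,
                             Map<String, Object> session) {
        if (!"POST".equals(method)) return false;
        String expected = (String) session.get("csrf_token");
        String supplied = params.get("csrf_token");
        if (expected == null || supplied == null) return false;
        // Constant-time comparison of the two token values.
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                   supplied.getBytes(StandardCharsets.UTF_8))) return false;
        String symbol = params.get("symbol");
        String shares = params.get("shares");
        if (symbol == null || symbol.isEmpty() || shares == null || shares.isEmpty()) return false;
        session.put("buy_stocks", symbol);
        return true;
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>(); // stand-in for HttpSession
        String token = issueToken(session);
        // Constructed requests: the cross-site request has the cookie but no token.
        Map<String, String> crossSite = Map.of("symbol", "MSFT", "shares", "1000");
        Map<String, String> formPost = Map.of("symbol", "MSFT", "shares", "1000", "csrf_token", token);
        System.out.println("cross-site GET accepted:  " + handleBuy("GET", crossSite, session));
        System.out.println("cross-site POST accepted: " + handleBuy("POST", crossSite, session));
        System.out.println("form POST accepted:       " + handleBuy("POST", formPost, session));
    }
}
```

In a real JSP application the token would be written into the form as a hidden input and the check would sit in a servlet filter in front of every state-changing endpoint.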