Tuesday, July 5, 2011

Google Docs - a great hosting for Phishing forms

Google Docs is a powerful service for creating and sharing online documents (text documents, spreadsheets, presentations and forms) that are stored in the cloud. Because forms are stored and served from Google's own domain, the service is attractive to phishers, who can build phishing forms to harvest user credentials, credit card numbers and similar data. Victims tend to trust such a form precisely because it is hosted and presented under Google's domain.

The following images show a POC of such an attack. Step 1: The attacker creates a phishing form with Google Forms in order to collect victims' sensitive information such as user credentials or credit card numbers. Note that the form runs under Google's domain; it submits the victims' credentials to the Google Docs servers.

Step 2: The following image shows that the attacker is now able to read the victim's credentials.
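The defensive counterpart to the POC above is to notice when a form hosted on a trusted form-hosting domain asks for data that no survey should collect. The following is an added example, not code from the original post: a small heuristic that a browser extension, mail gateway or awareness tool could apply to a form's hostname and field labels. The hosting-domain list, the field patterns and the sample forms are all constructed assumptions.

```javascript
// Hosting domains whose reputation a phisher borrows: the form's trustworthiness
// comes from the host, not from whoever authored it. Assumed list.
const FORM_HOSTING_DOMAINS = ['docs.google.com', 'forms.gle'];

// Field labels that a legitimate survey or sign-up form should never ask for.
// Assumed patterns; a real deployment would tune these against its own data.
const SENSITIVE_FIELD_PATTERNS = [
  { reason: 'password', re: /\b(pass(word|code|phrase)?|pwd|pin)\b/i },
  { reason: 'payment card data', re: /\b(card\s*(number|no\.?|#)|cvv2?|cvc|security\s*code)\b/i },
];

// True when hostname is one of the hosting domains or a subdomain of one.
function isFormHostingDomain(hostname) {
  const h = hostname.toLowerCase();
  return FORM_HOSTING_DOMAINS.some(d => h === d || h.endsWith('.' + d));
}

// Assesses a form described by its hostname and the labels of its fields.
// Returns { suspicious, reasons }; a form that is not on a hosting domain is
// out of scope for this heuristic and never flagged here.
function assessHostedForm(hostname, fieldLabels) {
  const reasons = [];
  if (!isFormHostingDomain(hostname)) {
    return { suspicious: false, reasons };
  }
  for (const label of fieldLabels) {
    for (const { reason, re } of SENSITIVE_FIELD_PATTERNS) {
      if (re.test(label)) {
        reasons.push('field "' + label + '" asks for ' + reason);
        break; // one reason per field is enough
      }
    }
  }
  return { suspicious: reasons.length > 0, reasons };
}

// Constructed sample forms, modelled on the POC in the post.
const phishingForm = {
  hostname: 'docs.google.com',
  fields: ['Email address', 'Password', 'Credit card number', 'CVV'],
};
const surveyForm = {
  hostname: 'docs.google.com',
  fields: ['Name', 'Favourite colour', 'Comments'],
};

function demo() {
  return {
    phishing: assessHostedForm(phishingForm.hostname, phishingForm.fields),
    survey: assessHostedForm(surveyForm.hostname, surveyForm.fields),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The heuristic deliberately ignores e-mail and name fields, which legitimate forms ask for all the time; the signal is a password or card field sitting on a host whose only role is to lend the form credibility.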

Sunday, July 3, 2011

HTML 5 - XSSQL attack

HTML 5 brings many new features to the web. One of them is SQLite (exposed as the Web SQL Database API), a client-side database engine that allows data to be stored on the client. Databases can be created and queried from JavaScript.

It is pretty clear that many developers will use this opportunity to store information on the client side. The risk becomes high if they use this repository to store sensitive information such as user passwords, session IDs, credit card numbers etc.
If such a website has an XSS vulnerability, these databases can be queried via JavaScript.
I even have a name for this attack - XSSQL :-) funny as well as concerning ...

In the end, XSS attacks remain common, and with the ability to query client-side databases they become even more powerful, allowing sensitive information to be stolen.

HTML 5 - SQLite Example

function db1()
{
    // Web SQL is not available in every browser; bail out instead of
    // dereferencing an undefined db below.
    if (!window.openDatabase) {
        return;
    }
    var db = openDatabase('yossidb', '1.0', 'attack this db', 2 * 1024 * 1024);

    // Populate a demo table with the kind of data a careless site might keep client-side.
    db.transaction(function (tx) {
        tx.executeSql('CREATE TABLE IF NOT EXISTS users (id unique, username, password)');
        tx.executeSql('INSERT INTO users (id, username, password) VALUES (1, "user1","bbbbb")');
        tx.executeSql('INSERT INTO users (id, username, password) VALUES (2, "user2","password")');
        tx.executeSql('INSERT INTO users (id, username, password) VALUES (3, "user3","username")');
        tx.executeSql('INSERT INTO users (id, username, password) VALUES (4, "user4","another")');
        tx.executeSql('INSERT INTO users (id, username, password) VALUES (5, "user5","fighter")');
        //tx.executeSql('DROP TABLE users');//SELECT * FROM users
    });

    // Run whatever SQL was typed into the page's <input id="sql"> element (assumed
    // to exist, as in the original demo), exactly as an injected script could,
    // and dump the result into the page.
    db.transaction(function (tx) {
        var sql = document.getElementById("sql").value;
        tx.executeSql(sql, [], function (tx, results) {
            var len = results.rows.length, i, resultsOutputUsers = "", resultsOutputPasswords = "";
            for (i = 0; i < len; i++) {
                if (results.rows.item(i).username != null) {
                    resultsOutputUsers += results.rows.item(i).username + " ";
                    resultsOutputPasswords += results.rows.item(i).password + " ";
                }
            }
            document.getElementById("div1").innerHTML = resultsOutputUsers;
            document.getElementById("div2").innerHTML = resultsOutputPasswords;
        });
    });
}
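The snippet above stores passwords client-side and writes query results into the page with innerHTML, which is exactly what the post warns against. The following is an added example, not code from the original post: a hardened counterpart built on two rules. First, a storage policy that refuses to persist secret-bearing columns at all, because any script running in the origin (including an injected one) can read Web SQL just as the page's own script does. Second, results are rendered through textContent rather than innerHTML, so stored data cannot become a second injection point. The column policy, identifier rule, database name and the `prefs` table are assumptions; only the pure helper functions can be exercised outside a browser, and openDatabase is only called when it exists.

```javascript
// Column names that must never be written to client-side storage (assumed policy).
const SECRET_COLUMN_RE = /^(pass(word|wd|code|phrase)?|pwd|secret|token|session(_?id)?|ssn|card(_?number)?|cvv|cvc)$/i;

// Only plain identifiers may be spliced into SQL text; values always go through
// the "?" placeholders of executeSql.
const IDENT_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

function assertIdentifier(name) {
  if (!IDENT_RE.test(name)) throw new Error('invalid SQL identifier: ' + name);
  return name;
}

// Returns the column names that violate the policy; an empty array means OK.
function findSecretColumns(columns) {
  return columns.filter(c => SECRET_COLUMN_RE.test(c.trim()));
}

// Builds a parameterised INSERT for a row object after checking the column
// policy. Throws rather than store a secret or accept an unsafe identifier.
function buildInsert(table, row) {
  assertIdentifier(table);
  const columns = Object.keys(row);
  columns.forEach(c => assertIdentifier(c));
  const bad = findSecretColumns(columns);
  if (bad.length) {
    throw new Error('refusing to store secret column(s) client-side: ' + bad.join(', '));
  }
  const sql = 'INSERT OR REPLACE INTO ' + table +
    ' (' + columns.join(', ') + ') VALUES (' + columns.map(() => '?').join(', ') + ')';
  return { sql, params: columns.map(c => row[c]) };
}

// Renders result rows as one text line per row, intended for textContent,
// so a stored value such as "<img src=x onerror=...>" stays inert text.
function formatRows(rows) {
  return rows
    .map(r => Object.keys(r).map(k => k + '=' + String(r[k])).join(' '))
    .join('\n');
}

// Browser-only part: the same Web SQL API the post uses, with the policy applied
// and only non-sensitive preference data stored. Returns null where Web SQL is
// unavailable (including outside a browser).
function openPreferencesDb() {
  if (typeof openDatabase !== 'function') return null;
  const db = openDatabase('prefsdb', '1.0', 'non-sensitive preferences', 2 * 1024 * 1024);
  db.transaction(function (tx) {
    tx.executeSql('CREATE TABLE IF NOT EXISTS prefs (id INTEGER PRIMARY KEY, username TEXT, theme TEXT)');
    const q = buildInsert('prefs', { id: 1, username: 'user1', theme: 'dark' });
    tx.executeSql(q.sql, q.params);
    tx.executeSql('SELECT username, theme FROM prefs', [], function (tx2, results) {
      const rows = [];
      for (let i = 0; i < results.rows.length; i++) rows.push(results.rows.item(i));
      // textContent, not innerHTML: database contents are data, never markup.
      document.getElementById('div1').textContent = formatRows(rows);
    });
  });
  return db;
}

// Applying the policy to the post's own table layout shows why it exists.
function checkPostTable() {
  try {
    buildInsert('users', { id: 1, username: 'user1', password: 'bbbbb' });
    return 'stored';
  } catch (e) {
    return e.message;
  }
}

console.log(checkPostTable());
```

The policy check is a last line of defence, not a substitute for keeping session and authentication state on the server; its job is to make the mistake the post describes fail loudly at development time instead of silently shipping secrets to every script in the origin.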