serhii.net LINKS BLOG!

In the middle of the desert you can say anything you want

03 Mar 2017

Troy Hunt: Your login form posts to HTTPS, but you blew it when you loaded it over HTTP

Categories:
  • Infosec
  • Infosec/Web security

Tags:
  • Sniffing
  • Ssl
  • Https
  • Man-in-the-middle
  • Key-logging
  • Keylogger
  • Xss

  • Rating: 8; Complexity: 6
    Link: https://www.troyhunt.com/your-login-form-posts-to-https-but-you/

    Because the login form is loaded over HTTP, it can be changed in transit, in this case by injecting a JavaScript keylogger that posts to another website every time a character is typed. For example: https://wiremask.eu/articles/xss-keylogger-turorial/