Web application security - the fast guide 1.1 | Page 94

Chapter 5 - Attack Execution: the client

Example:
A. The attack pushes the victim into purchasing a product from a site without their knowledge.
B. The victim is logged in to the e-commerce site.
C. The attacker creates a fake page with the same layout as the site's product catalogue.
D. The attacker loads the real catalogue page in an iframe positioned over the fake page and made invisible with the CSS opacity property (opacity: 0), so the victim sees the decoy while clicks land on the real page.
E. The victim clicks the button on the fake page; the click actually reaches the purchase button inside the hidden iframe.
F. The purchase goes through under the victim's own session, especially if one-click purchase with a default payment method is enabled, because no further confirmation is requested.

5.8 Client-side SQLite

Figure 36: DB Browser for SQLite

As part of the HTML5 specification, local storage (DOM Storage) is used to keep application data on the client. Data written through the JavaScript localStorage object is persisted by the browser, and in a number of browsers that persistence is an SQLite database on the client machine (the older Web SQL Database API exposes SQLite directly). Any content stored unencrypted can be read with a tool such as DB Browser for SQLite. Exactly where and in which format a given browser version keeps this data varies, and some browsers have since moved local storage to other key-value stores, but the security point is unchanged: whatever is persisted in cleartext is readable by anyone with access to the profile directory, and the application cannot rely on the browser to protect it.

Client-side SQLite data comes from one of two sources: information stored deliberately by a specific application, or data the browser itself creates automatically (history, cookies, form data and similar).

Attack requirements:
The stored data is not encrypted.
The attacker has access to the client machine (or to a copy of its file system, such as a backup).
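The clickjacking scenario at the top of this page only works if the catalogue page lets itself be framed by the attacker's origin, so the first thing a tester checks is the target's framing headers. The following is an added example, not code from the book: it evaluates constructed response headers (made up for the e-commerce scenario, not captured from any real site) against X-Frame-Options and the CSP frame-ancestors directive, which browsers apply in preference to X-Frame-Options when both are present, and treats the obsolete ALLOW-FROM value as no protection at all.

```python
"""Check whether a page's response headers let another origin frame it.

Added example for this chapter, not code from the book. The headers below
are constructed, not captured from a real site.
"""


def parse_frame_ancestors(csp):
    """Return the source list of a CSP frame-ancestors directive, or None
    if the policy has no such directive."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def framing_protection(headers):
    """Return (frameable_by_third_party, reason) for one HTTP response.

    Only response headers are considered; a JavaScript frame-buster in the
    page body is not, since it can be defeated with a sandboxed iframe.
    """
    h = {k.lower(): v for k, v in headers.items()}

    csp = h.get("content-security-policy")
    if csp is not None:
        sources = parse_frame_ancestors(csp)
        if sources is not None:
            # When frame-ancestors is present, browsers ignore X-Frame-Options.
            if not sources or sources == ["none"]:
                return False, "CSP frame-ancestors 'none'"
            if sources == ["self"]:
                return False, "CSP frame-ancestors 'self'"
            if any(s in ("*", "http:", "https:") for s in sources):
                return True, "CSP frame-ancestors allows any origin"
            return False, "CSP frame-ancestors limited to " + " ".join(sources)

    xfo = h.get("x-frame-options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return False, f"X-Frame-Options {value}"
        # ALLOW-FROM is obsolete; current browsers ignore the whole header,
        # so the page is effectively unprotected.
        return True, f"X-Frame-Options '{xfo}' is not enforced by current browsers"

    return True, "no X-Frame-Options and no CSP frame-ancestors"


# Constructed responses for the e-commerce scenario above (not real captures).
SAMPLE_RESPONSES = {
    "catalogue, no header": {"Content-Type": "text/html; charset=utf-8"},
    "catalogue, XFO": {"X-Frame-Options": "SAMEORIGIN"},
    "checkout, CSP": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "ALLOW-FROM https://partner.example",
    },
    "legacy ALLOW-FROM only": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}


def assess(responses=SAMPLE_RESPONSES):
    """Evaluate every sample response; returns {name: (frameable, reason)}."""
    return {name: framing_protection(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, (frameable, reason) in assess().items():
        print(f"{name:24s} frameable={frameable!s:5s} ({reason})")
```

A page that comes back as frameable is the one to try the opacity-0 overlay against; a page protected by frame-ancestors or DENY/SAMEORIGIN cannot be loaded into the attacker's iframe, and the scenario in steps C to F fails at step D.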
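To show what the DB Browser for SQLite step in section 5.8 looks like when scripted, the following added example (not the book's code) builds a throwaway SQLite file whose layout is assumed to follow Firefox's webappsstore.sqlite (table webappsstore2 with columns originAttributes, originKey, scope, key and value, the scope being reversed-host:scheme:port), fills it with constructed rows, and then opens it read-only to list the entries that look like cleartext credentials. All origins, keys and token values are made up for the example.

```python
"""Inspect a browser local-storage SQLite file for cleartext secrets.

Added example for section 5.8, not code from the book. The table layout is
assumed to match Firefox's webappsstore.sqlite (table webappsstore2, scope
stored as reversed-host:scheme:port); every row below is constructed.
"""
import os
import re
import sqlite3
import tempfile

SCHEMA = """
CREATE TABLE webappsstore2 (
    originAttributes TEXT,
    originKey TEXT,
    scope TEXT,
    key TEXT,
    value TEXT
);
"""

# Constructed rows: (scope, key, value). The tokens are made up.
SAMPLE_ROWS = [
    ("moc.elpmaxe.pohs.:https:443", "sessionToken", "9f2c1d4e8a7b3c6d5e4f1a2b3c4d5e6f"),
    ("moc.elpmaxe.pohs.:https:443", "id_token",
     "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.dGhpc2lzbm90YXJlYWxzaWduYXR1cmU"),
    ("moc.elpmaxe.pohs.:https:443", "theme", "dark"),
    ("moc.elpmaxe.golb.:https:443", "draft", "Hello world"),
    # Encrypted by the application before storing: the inspector sees only a blob.
    ("moc.elpmaxe.golb.:https:443", "notes", "enc:v1:q3Zb8m1kL0PxY2aN7vC5sw=="),
]

SENSITIVE_KEY = re.compile(r"token|session|auth|secret|passw|jwt|bearer|api[_-]?key", re.I)
JWT_VALUE = re.compile(r"^[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]*$")


def scope_to_origin(scope):
    """'moc.elpmaxe.pohs.:https:443' -> 'https://shop.example.com:443' (assumed format)."""
    rev_host, scheme, port = scope.rsplit(":", 2)
    return f"{scheme}://{rev_host[::-1].lstrip('.')}:{port}"


def build_sample_db(path):
    """Write the constructed rows to a fresh SQLite file at `path`."""
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    con.executemany(
        "INSERT INTO webappsstore2 VALUES (?, ?, ?, ?, ?)",
        [("", scope, scope, key, value) for scope, key, value in SAMPLE_ROWS],
    )
    con.commit()
    con.close()


def find_sensitive_entries(path):
    """Return [(origin, key, reason)] for entries that look like cleartext secrets."""
    # Open read-only: inspecting evidence must not modify the profile file.
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    findings = []
    for scope, key, value in con.execute(
        "SELECT scope, key, value FROM webappsstore2 ORDER BY rowid"
    ):
        reasons = []
        if SENSITIVE_KEY.search(key):
            reasons.append("key name suggests a credential")
        if JWT_VALUE.match(value):
            reasons.append("value is a JWT")
        if reasons:
            findings.append((scope_to_origin(scope), key, ", ".join(reasons)))
    con.close()
    return findings


def demo():
    """Build the sample store in a temp directory and inspect it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "webappsstore.sqlite")
        build_sample_db(path)
        return find_sensitive_entries(path)


if __name__ == "__main__":
    for origin, key, reason in demo():
        print(f"{origin}  {key}: {reason}")
```

Against a real profile you would point find_sensitive_entries at the copied storage file instead of the constructed one; the read-only open is deliberate, because a forensic copy should never be written to. The "notes" row is the counter-example to the attack requirement: a value the application encrypted before calling setItem is just an opaque blob to whoever opens the database.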