Jump to content

Passive HTML Injection?


Recommended Posts

there certainly are ways... sure that this is not the space to be asking..... perhaps one of the mods can clarify.

Link to comment
Share on other sites

@Mr-Protocol

It is a pineaple question, Wouldint it be great if you coluld use your karma clients cpu power when on a page? like, for bitcoin mining or something?

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

With Google and a libary, you can be anything you want.

Link to comment
Share on other sites

You could do something like DNS spoofing all domains and then load the actual domain they requested in an iframe and you can add any code to the page containing the iframe.

I don't think your Bitcoin mining has any useful pen-testing purpose though

Link to comment
Share on other sites

@Mr-Protocol

It is a pineaple question, Wouldint it be great if you coluld use your karma clients cpu power when on a page? like, for bitcoin mining or something?

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

With Google and a libary, you can be anything you want.

I think you would have to give out your wallet credentials to the users in some way, which is never good.

You could do something like DNS spoofing all domains and then load the actual domain they requested in an iframe and you can add any code to the page containing the iframe.

I don't think your Bitcoin mining has any useful pen-testing purpose though

And yes, I'm pretty sure doing something like that is a form of theft. Not 100% and IANAL (I Am Not A Lawyer).

Link to comment
Share on other sites

@Mr-Protocol

It is a pineaple question, Wouldint it be great if you coluld use your karma clients cpu power when on a page? like, for bitcoin mining or something?

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

With Google and a libary, you can be anything you want.

You can use dnsspoof to send them to browser based miner. Or maybe inject iframe using the following litecoin miner. Change the auth value to your worker if you plan to use this pool.

Edited by Mr-Protocol
Let's not encourage code to perform illegal activities.
Link to comment
Share on other sites

I've been looking at something like this my self. Koto's fork of sslstrip has been modified so you can change the response, i.e. inject HTML. It also makes use of HTML5s AppCache thus attacks will continue to work even if the user has disconnected from your network. I've not got around to getting a PoC setup on the pineapple yet but I would recommend checking it out and having a play with it.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...