0x22 - Phishing via Signup Forms

Did you know that, in most cases, you can abuse a registration form to send phishing links to arbitrary email addresses?

Most of the applications that I've tested are vulnerable to this.

Phishing emails that exploit this technique have a high success rate because:

  • The email lands in the inbox

  • The sender is legitimate

  • It plays on the victim's curiosity


How to do it

  1. Navigate to the registration form

  2. Fill in the email address of the victim

  3. Set the first name and last name fields to a phishing domain that you control, e.g. attacker.com hosting EvilNginx

  4. The victim receives a confirmation email such as "Welcome, attacker.com .."
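The root cause of the technique above is that free-text name fields are echoed verbatim into a transactional email, so the application becomes the sender of whatever the registrant typed. The following is an added example (not code from the original post, and not from any particular application) of the server-side check that closes the hole: an allowlist validator for display names that also rejects URL- and domain-shaped values, a greeting builder that falls back to a neutral line instead of echoing unvalidated input, and a detection pass over signup records. The function names, the sample records, and the choice of allowed characters are assumptions of this example.

```python
import re
import unicodedata

# Added example (hypothetical helper names): reject URL/domain-like content in
# name fields before it can be echoed into a confirmation email.

MAX_NAME_LEN = 64

# Allowlist: letters and combining marks from any script, plus a few
# punctuation marks that occur in real names.
_ALLOWED_CATEGORIES = {"Lu", "Ll", "Lt", "Lm", "Lo", "Mn", "Mc"}
_ALLOWED_PUNCT = set(" -'\u2019.")

# Shapes that signal a smuggled link: URL schemes, protocol-relative
# prefixes and "www." prefixes ...
_URL_RE = re.compile(r"(?:https?:|ftp:|//|www\.)", re.IGNORECASE)
# ... and bare or defanged domains such as attacker.com / attacker[.]com,
# i.e. a label, a dot, and a two-or-more-letter TLD with no space in between.
_DOMAIN_RE = re.compile(
    r"[a-z0-9-]+(?:\.|\[\.\]|\(\.\))[a-z]{2,}(?![a-z])", re.IGNORECASE
)


def validate_display_name(name: str) -> tuple[bool, str]:
    """Return (ok, reason). reason is "" when the name is acceptable."""
    if not name or not name.strip():
        return False, "empty"
    if len(name) > MAX_NAME_LEN:
        return False, "too long"
    # NFKC folds full-width and compatibility forms, so "ａｔｔａｃｋｅｒ．ｃｏｍ"
    # is checked as "attacker.com" rather than slipping past the regexes.
    name = unicodedata.normalize("NFKC", name)
    for ch in name:
        if ch in _ALLOWED_PUNCT:
            continue
        if unicodedata.category(ch) not in _ALLOWED_CATEGORIES:
            return False, f"disallowed character {ch!r}"
    if _URL_RE.search(name):
        return False, "contains URL"
    if _DOMAIN_RE.search(name):
        return False, "looks like a domain"
    return True, ""


def welcome_greeting(first: str, last: str) -> str:
    """Build the greeting line of the confirmation email.

    Unvalidated input is never echoed; a neutral greeting is used instead so
    the email cannot carry an attacker-chosen domain.
    """
    ok_first, _ = validate_display_name(first)
    ok_last, _ = validate_display_name(last)
    if ok_first and ok_last:
        return f"Welcome, {first} {last}!"
    return "Welcome to our service!"


# Constructed sample signup records for the detection pass below.
SAMPLE_SIGNUPS = [
    {"email": "alice@example.com", "first": "Alice", "last": "Liddell"},
    {"email": "victim@example.com", "first": "attacker.com", "last": "login now"},
    {"email": "bob@example.com", "first": "Bob", "last": "www.attacker.com"},
]


def flag_suspicious_signups(records):
    """Detection side: return (email, field, reason) for every record whose
    name fields fail validation, e.g. when reviewing historical signups."""
    flagged = []
    for rec in records:
        for field in ("first", "last"):
            ok, reason = validate_display_name(rec[field])
            if not ok:
                flagged.append((rec["email"], field, reason))
    return flagged


if __name__ == "__main__":
    for hit in flag_suspicious_signups(SAMPLE_SIGNUPS):
        print(hit)
    print(welcome_greeting("attacker.com", "login now"))
```

The allowlist does most of the work: schemes, slashes and brackets are rejected before the regexes run, so the domain pattern only has to catch values made entirely of letters and dots. The trade-off is a false positive on unspaced initials such as "J.Smith", which is preferable to letting a domain through; the same validator applied to stored signup records gives a cheap detection signal for accounts created with this technique.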