0x22 - Phishing via Signup Forms
Did you know that in most cases you can abuse registration forms to send phishing links to arbitrary addresses?
Most of the applications that I've tested are vulnerable to this.
Phishing emails exploiting this technique have a high rate of success because:
Emails end up in the inbox
The sender is legitimate
It abuses the victim's curiosity
How to do it
Navigate to the registration form
Fill in the email address of the victim
Set the firstname and lastname to a phishing URL that you control, for example attacker.com (hosting EvilNginx)
Victim receives a confirmation email such as "Welcome, attacker.com..."
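A server-side mitigation for the issue described above, as an added example that is not part of the original post: reject firstname/lastname values that could read as a link before they are echoed into the confirmation email, and escape them on output. The function names, the regex and the welcome template are my own assumptions, not any particular application's code.

```python
import re
import unicodedata
from html import escape
from typing import Optional

# Dots that IDNA processing maps to "." (so "attacker。com" would still resolve).
DOT_VARIANTS = str.maketrans({"\u3002": ".", "\uff0e": ".", "\uff61": "."})

# Patterns that let a name read as a link: "label.tld" (letters directly after the
# dot, so "St. John" and "Jr." still pass), any URL scheme, www., or / \ @.
URL_LIKE = re.compile(r"(?i)[a-z0-9-]+\.[a-z]{2,}|[a-z][a-z0-9+.-]*://|www\.|[/\\@]")

MAX_NAME_LEN = 64


def _normalize(name: str) -> str:
    # NFKC folds full-width and compatibility characters before the checks run.
    return unicodedata.normalize("NFKC", name).translate(DOT_VARIANTS).strip()


def validate_display_name(name: str) -> Optional[str]:
    """Return None if the name is safe to echo in an email, else the rejection reason."""
    normalized = _normalize(name)
    if not normalized:
        return "empty"
    if len(normalized) > MAX_NAME_LEN:
        return "too long"
    # Unicode "C*" categories cover control, format (zero-width) and unassigned chars.
    if any(unicodedata.category(ch).startswith("C") for ch in normalized):
        return "control or line-break characters"
    if URL_LIKE.search(normalized):
        return "looks like a URL or domain"
    return None


def render_welcome(first: str, last: str) -> str:
    """Build the confirmation mail body (placeholder template); refuse bad names."""
    for field, value in (("firstname", first), ("lastname", last)):
        reason = validate_display_name(value)
        if reason is not None:
            raise ValueError(f"{field} rejected: {reason}")
    # Escape on output too, so a name can never become markup in an HTML mail.
    return f"<p>Welcome, {escape(_normalize(first))} {escape(_normalize(last))}!</p>"


if __name__ == "__main__":
    for candidate in ("Alice", "St. John", "attacker.com", "attacker\u3002com"):
        print(repr(candidate), "->", validate_display_name(candidate) or "ok")
```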