
Figure 5.29 American Stock Exchange—There Are Others
A Web Site Full of Secrets
Dynamic HTML is quite powerful, and so far we haven’t had to do anything
especially complicated to pull off our trickery. But what happens when the
phisher wants more than just a login? Are they limited to acting maliciously
within the Web site to gain access to user credentials, or is there
something more to be capitalized on with these cross-user attacks? Anton Rager
introduced his XSS-Proxy (http://xss-proxy.sourceforge.net/) proof-of-concept
code at Shmoocon 2005 (www.shmoocon.org), demonstrating the possibilities of
advanced XSS techniques, including ...