⚠️ No CSP — this page is unprotected
CSP Demo 3 of 4

Form Hijacking

A rogue script has redirected the login form to an attacker's server. Your credentials go straight to them — unless CSP is watching.

Form hijacked — credentials will be sent to the attacker

Sign in

Please enter your credentials to continue

🚨 Form action hijacked. The form below posts to https://evil-cyber-hacker.com/steal instead of this server. Any credentials you submit go directly to the attacker.

💡 Open DevTools → Network tab, submit the form, and watch the POST request go to evil-cyber-hacker.com.

What's happening

An injected script (or a server-side template injection) has changed the form's action attribute to point at evil-cyber-hacker.com. When the user submits, their username and password travel directly to the attacker — the browser has no way to know the destination isn't legitimate.
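As an added example (not part of the demo's own code), the JavaScript below models how a browser decides this submission under a CSP `form-action` directive, and shows that `default-src 'self'` alone leaves the form unrestricted because `form-action` has no `default-src` fallback. The page URL `https://demo.example/login`, the policy names and the helper functions are assumptions; matching is simplified to `'none'`, `'self'`, scheme sources and exact origins.

```javascript
// Added example: simplified model of how a browser applies CSP form-action.
// Wildcard hosts and path matching are deliberately left out.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Per the CSP spec, the first occurrence of a directive wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function formSubmissionAllowed(cspHeader, pageUrl, actionUrl) {
  const sources = parseCsp(cspHeader).get('form-action');
  // form-action does NOT fall back to default-src: absent means unrestricted.
  if (sources === undefined) return true;
  const page = new URL(pageUrl);
  const target = new URL(actionUrl, pageUrl); // resolve relative actions
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === "'self'") return target.origin === page.origin;
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s;
    try { return new URL(s).origin === target.origin; } catch { return false; }
  });
}

const PAGE = 'https://demo.example/login';              // constructed page URL
const HIJACKED = 'https://evil-cyber-hacker.com/steal'; // destination named in the demo
const policies = {                                      // constructed sample policies
  none: '',
  defaultSrcOnly: "default-src 'self'",
  formActionSelf: "default-src 'self'; form-action 'self'",
};

// For each policy: would the hijacked POST go out, and does the real login still work?
function audit() {
  return Object.fromEntries(Object.entries(policies).map(([name, csp]) => [name, {
    hijacked: formSubmissionAllowed(csp, PAGE, HIJACKED),
    legit: formSubmissionAllowed(csp, PAGE, '/login'),
  }]));
}

console.log(audit());
```

Only the policy that names `form-action` blocks the rewritten destination while the same-origin login keeps working.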
