exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Self-Bank Cross Site Scripting

Self-Bank Cross Site Scripting
Posted Jun 10, 2013
Authored by Juan Carlos Garcia

Selfbank.es suffers from multiple cross site scripting vulnerabilities. The author has tried to contact them multiple times but they still have not addressed the issue.

tags | exploit, vulnerability, xss
SHA-256 | c3f66357f373d38ba92b936055d9ff5c490bac66ad80f480d32ccb49d1deaeb7

Self-Bank Cross Site Scripting

Change Mirror Download
============================================
ON-LINE BANK MULTIPLE Cross Site Scripting

=============================================

TIME-LINE VULNERABILITY

28-5-2013 Security Advisory
29-5-2013 Vendor feedback
03-6-2013 I ask about the flaws status
04-6 -2013 Vendor Response
07-6-2013 I ask about the issues
No response
10-6-2013 I ask about the flaws No response
11-6-2013 Full Disclosure


I. VULNERABILITY
-------------------------
#Title: ON-LINE BANK MULTIPLE Cross Site Scripting
#Vendor:http://www.selfbank.es
#Author:Juan Carlos García (@secnight)
#Follow me
http://www.highsec.es
http://hackingmadrid.blogspot.com
http://blogs.0verl0ad.com
Twitter:@secnight
Facebook:https://www.facebook.com/pages/ETHICAL-HACKING-Y-OL%C3%89-by-the-Face-WhiteHat/172393869485449?ref=tn_tnmn

II. DESCRIPTION
-------------------------

Selfbank(selfbank.es) is an online bank that currently has multipleCross site scripting (also referred to as XSS).

It is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user.
because a browser cannot know if the script should be trusted or not,
it will execute the script in the user context allowing
the attacker to access any cookies or session tokens retained
by the browser.

III. PROOF OF CONCEPT
-------------------------

Affected items

/infomercados/analisis_fundamental/consenso/internacional.phtml

http://www.selfbank.es/infomercados/analisis_fundamental/consenso/internacional.phtml?%22onmouseover=prompt(916548)%3E


/infomercados/cotizaciones/bolsa_internacional.phtml

http://www.selfbank.es/infomercados/cotizaciones/bolsa_internacional.phtml/936678%22';994550


/infomercados/cotizaciones/bolsa_nacional.phtml


http://www.selfbank.es/infomercados/cotizaciones/bolsa_nacional.phtml/912311%22';910296

IV. BUSINESS IMPACT
-------------------------

In a on-line bank, these failures are seriousMalicious users may inject JavaScript, VBScript, ActiveX,
HTML or Flash into a vulnerable application to fool a user in order to gather data from them.

An attacker can steal the session cookie and take over the account, impersonating the user.

It is also possible to modify the content of the page presented to the user.


V SOLUTION
------------------------

Very easy and I don´t understand... filter metacharacters from user input.PLEASE !!


VI. CREDITS
-------------------------

This vulnerability has been discovered
by Juan Carlos García(@secnight)


VII. LEGAL NOTICES
-------------------------

The Author accepts no responsibility for any damage
caused by the use or misuse of this information.

VIII. FOLLOW ME
-------------------------
You can follow me (@secnight)

http://www.highsec.es
http://hackingmadrid.blogspot.com
http://blogs.0verl0ad.com
Twitter:@secnight
Facebook:https://www.facebook.com/pages/ETHICAL-HACKING-Y-OL%C3%89-by-the-Face-WhiteHat/172393869485449?ref=tn_tnmn
Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    20 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close