[WEB SECURITY] XSS-Phishing on Financial Sites (Tip of the iceberg)

Ryan Barnett rcbarnett at gmail.com
Fri Jun 23 14:27:00 EDT 2006

Too funny.  Maybe someone should inform Visa of the PCI security standard
and have one of the authorized scanning vendors check their site for common
web application security issues such as XSS...

*Sed quis custodiet ipsos custodes.*
*"But who is watching the watchers?"*

Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
Author: Preventing Web Attacks with Apache

On 6/23/06, Jeremiah Grossman <jeremiah at whitehatsec.com> wrote:
> On the heels of the Paypal-XSS Phishing article...
>
> Robert Auger (cgisecurity.com) pointed me to another timely article
> about Phishing attacks using XSS vulnerabilities [1]. The reporter
> does a good job of describing the finer details (with screenshots) on
> why the technique is so effective. The reporter even called out
> Visa.com, JPMorganChase.com, eBay, Nasdaq.com, BankofAmerica.com,
> American Express, Barclays, Microsoft.com as having XSS (details
> withheld).  Unsurprising since we know just about every website out
> there has XSS. These are the same techniques I described during last
> year's Black Hat presentation "Phishing with Superbait" [2] and we can
> expect a lot more of the same in the coming year.
>
> While Phishing is one possible angle to XSS, new avenues of attack
> are emerging that are increasingly similar to the general
> capabilities of today's malware. Threats far more dangerous than we
> originally anticipated when we began researching XSS years ago. For
> instance when you visit a website (even a trusted website) the page
> port scans your network and reconfigures your DSL/Router from the
> inside. This will be the subject matter of my talk this year at BH
> "Hacking Intranet Websites from the Outside".
>
> I think it was Bruce Schneier who said attacks always get better,
> never worse. The same holds true here.
>
> [1] Flaws in Financial Sites Aid Scammers
> http://blog.washingtonpost.com/securityfix/2006/06/flaws_in_financial_sites_aid_s.html
> [2] Phishing with Superbait
> http://www.whitehatsec.com/presentations/phishing_superbait.pdf
> Regards,
> Jeremiah Grossman
> Founder and CTO
> WhiteHat Security, Inc.
> www.whitehatsec.com
> ----------------------------------------------------------------------------
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
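The reflected-XSS pattern that the phishing technique in this thread relies on, shown as an added example that is not part of either poster's message: a hypothetical search page echoes its `q` parameter into the HTML, first unescaped (the defect that lets an attacker's markup render on the trusted domain) and then through `html.escape` (the fix). The page, the parameter name and the inert sample input are all constructed for the example.

```python
"""Added example: reflected parameter echoed unescaped vs. output-encoded.
The search page, the 'q' parameter and the sample input are assumptions."""
import html
from urllib.parse import parse_qs


def _query_param(query_string: str) -> str:
    """Return the first 'q' value from a raw query string, or '' if absent."""
    return parse_qs(query_string).get("q", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """The defect: the user-controlled value is interpolated into HTML as-is,
    so any markup in the URL is rendered by the browser on this site's origin.
    """
    return f"<p>Results for: {_query_param(query_string)}</p>"


def render_hardened(query_string: str) -> str:
    """The fix: HTML-encode the value for the HTML-text context it lands in.
    quote=True also encodes quotes, so the same helper is safe inside
    double-quoted attribute values.
    """
    return f"<p>Results for: {html.escape(_query_param(query_string), quote=True)}</p>"


def reflects_markup(rendered: str, probe_tag: str = "<b>") -> bool:
    """A minimal detection check: does the response still contain the raw tag
    that was sent in the request? Useful as a regression test for encoding.
    """
    return probe_tag in rendered


# Constructed, deliberately inert input (plain bold tag, no script or form).
CONSTRUCTED_QUERY = "q=<b>injected</b>"

if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(CONSTRUCTED_QUERY))
    print("hardened:  ", render_hardened(CONSTRUCTED_QUERY))
    print("markup reflected (vulnerable):", reflects_markup(render_vulnerable(CONSTRUCTED_QUERY)))
    print("markup reflected (hardened):  ", reflects_markup(render_hardened(CONSTRUCTED_QUERY)))
```

The encoding has to match the context the value is written into (HTML text and attributes here); a value placed inside a script block or a URL needs a different encoder, which is why an automated reflection check like `reflects_markup` belongs in the application's test suite rather than being run once by a scanner.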
