[WEB SECURITY] XSS-Phishing on Financial Sites (Tip of the iceberg)
- From: Jeremiah Grossman <jeremiah@xxxxxxxxxxxxxxx>
- Subject: [WEB SECURITY] XSS-Phishing on Financial Sites (Tip of the iceberg)
- Date: Fri, 23 Jun 2006 10:53:35 -0700
On the heels of the PayPal XSS phishing article...
Robert Auger (cgisecurity.com) pointed me to another timely article
about Phishing attacks using XSS vulnerabilities [1]. The reporter
does a good job of describing the finer details (with screenshots) on
why the technique is so effective. The reporter even called out
Visa.com, JPMorganChase.com, eBay, Nasdaq.com, BankofAmerica.com,
American Express, Barclays, Microsoft.com as having XSS (details
withheld). Unsurprising, since we know just about every website out
there has XSS. These are the same techniques I described during last
year's Black Hat presentation "Phishing with Superbait" [2], and we can
expect a lot more of the same in the coming year.
While phishing is one possible angle to XSS, new avenues of attack
are emerging that are increasingly similar to the general
capabilities of today's malware: threats far more dangerous than we
originally anticipated when we began researching XSS years ago. For
instance, when you visit a website (even a trusted website), the page
port scans your network and reconfigures your DSL router from the
inside. This will be the subject matter of my talk this year at BH,
"Hacking Intranet Websites from the Outside".
I think it was Bruce Schneier who said attacks always get better,
never worse. The same holds true here.
[1] Flaws in Financial Sites Aid Scammers
http://blog.washingtonpost.com/securityfix/2006/06/flaws_in_financial_sites_aid_s.html
[2] Phishing with Superbait
http://www.whitehatsec.com/presentations/phishing_superbait.pdf
Regards,
Jeremiah Grossman
Founder and CTO
WhiteHat Security, Inc.
www.whitehatsec.com
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org