[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-disclosure] news XSS on paypal.com

To: <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: RE: [Full-disclosure] news XSS on paypal.com
From: "php0t" <very@xxxxxxxxxxxxx>
Date: Sun, 23 Jul 2006 13:50:25 +0200

If it works, then you can plant iframes in popular websites so that when
somebody visits them and they happen to be logged on to paypal at the
same time, the injected javascript could make a transaction using the
victim's (visitor's) creditentials. This can all happen without alerting
the user. (There might be some circumstances blocking this in practice,
like if they require a Turing test for completing money transactions
etc).

php0t

ps: a poc showing how to fake a whole webpage?! :-)

> I wonder what is interesting in this , usually a poc show us we can 
> upload a crafted webpage on a vulnerable website, fake a whole
webpage, 
> etc,  this link doesnt speak much than the noob who found it.

>> Pigrelax wrote:
> >
www.paypal.com/cgi-bin/webscr?cmd=p/gen/--></script><script>alert('www

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] news XSS on paypal.com
  - From: ad@xxxxxxxxxxxxxxxx

References:
- Re: [Full-disclosure] news XSS on paypal.com
  - From: ad@xxxxxxxxxxxxxxxx

Prev by Date: Re: [Full-disclosure] news XSS on paypal.com
Next by Date: Re: [Full-disclosure] news XSS on paypal.com
Previous by thread: Re: [Full-disclosure] news XSS on paypal.com
Next by thread: Re: [Full-disclosure] news XSS on paypal.com
Index(es):
- Date
- Thread