PayPal Payflow payment gateway vulnerable to XSS

Written by DP

Thursday, 1 November 2007

Good month to everyone! A cross-site scripting vulnerability affecting PayPal's Payflow payment gateway was discovered by Nemessis just two days after another PayPal XSS was fixed.

Link to working XSS as of today.


The Payflow gateway is one of PayPal's merchant services. According to its official overview, clients should "feel secure knowing that 128-bit SSL encryption lets customers confidently use their credit cards online". They forgot to warn their customers that they are still susceptible to attack via cross-site scripting.

Fraudsters can use this vulnerability for phishing attacks and for stealing cookie-based authentication credentials. It is only a matter of time before PayPal resolves this security issue.

It is interesting to mention some XSS-vulnerable websites that Nemessis submitted to our archive:

- Still vulnerable.
- Still vulnerable.
- Fixed.
- Fixed.
- Still vulnerable. Only on IE.
- Fixed.
- Still vulnerable.
- 5 months have passed and still vulnerable.
