Message-ID: <008d01c6ae4e$2fc26930$650ba8c0@DORKA>
Date: Sun, 23 Jul 2006 13:50:25 +0200
From: "php0t" <very@...rivate.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: RE: news XSS on paypal.com


If it works, then you can plant iframes in popular websites so that when
somebody visits them and they happen to be logged on to paypal at the
same time, the injected javascript could make a transaction using the
victim's (visitor's) credentials. This can all happen without alerting
the user. (There might be some circumstances blocking this in practice,
like if they require a Turing test for completing money transactions
etc).


php0t

ps: a poc showing how to fake a whole webpage?! :-)


> I wonder what is interesting in this, usually a poc show us we can
> upload a crafted webpage on a vulnerable website, fake a whole
> webpage, etc, this link doesn't speak much than the noob who found it.
>
> > Pigrelax wrote:
> > www.paypal.com/cgi-bin/webscr?cmd=p/gen/--></script><script>alert('www


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
