[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <008d01c6ae4e$2fc26930$650ba8c0@DORKA>
Date: Sun, 23 Jul 2006 13:50:25 +0200
From: "php0t" <very@...rivate.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: RE: news XSS on paypal.com
If it works, then you can plant iframes in popular websites so that when
somebody visits them and they happen to be logged on to paypal at the
same time, the injected javascript could make a transaction using the
victim's (visitor's) creditentials. This can all happen without alerting
the user. (There might be some circumstances blocking this in practice,
like if they require a Turing test for completing money transactions
etc).
php0t
ps: a poc showing how to fake a whole webpage?! :-)
> I wonder what is interesting in this , usually a poc show us we can
> upload a crafted webpage on a vulnerable website, fake a whole
webpage,
> etc, this link doesnt speak much than the noob who found it.
>> Pigrelax wrote:
> >
www.paypal.com/cgi-bin/webscr?cmd=p/gen/--></script><script>alert('www
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists