lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CA+CewVCmrRVy2MobSbpwfV6gwiyPaDA_Ukz+07dv-QWpwfBgeA@mail.gmail.com>
Date: Fri, 7 Feb 2014 02:40:49 +0000
From: "Nicholas Lemonias." <lem.nikolas@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Visa (Europe) XSS Vulnerability

Visa (Europe) Website Vulnerability
==========================

Published Report: 07/02/2014

Credits: Advanced Information Security Corporation, USA

Severity: High/Critical (OWASP TOP 10)

Type: Web Application / Cross-Site Scripting Attack.

Author: Nicholas Lemonias. (Information Security Expert)


Vendor Overview
===========================
Visa Europe Ltd is a membership association and cooperative of over 3,700
European banks and other payment service providers that operate Visa
branded products and services within Europe.   Visa Europe provides
electronic payment services for cardholders, businesses, and retailers. The
company offers debit, credit, virtual and prepaid credit-cards. The
business has developed to provide consulting and analytics services for
merchant agents and service providers. The business also offers payment
security knowledge to business and government.

The company is headquartered in London with satellite offices in Austria,
Belgium, Bulgaria, Czech Republic, Finland, France, Germany, Greece,
Hungary, Ireland, Israel, Italy, the Netherlands, Norway, Poland, Portugal,
Romania, Spain, Sweden, Switzerland and Turkey.





Coordinated Vulnerability Disclosure Timeline

====================================

 25th of November, 2013 - Contacted Vendor regarding the security
realisation.

 26th of November, 2013 - Vendor acknowledgement of the problem.

2nd of December, 2013 -    Problem verification.

3rd of December, 2013 -     Problem mitigation.



 Proof of Concept / Affected Services
=============================

http://www.visaeurope.com/en/viewpoints.aspx?author=3%22%20onmouseover%3dprompt%28990207%29%20abc%3d%22&category=32&date=

Affected directory: /en/viewpoints

Injected Code to path fragment:
/en/viewpoints.aspx?author=3%22%20onmouseover%3dprompt%28990207%29%20abc%3d%22&category=32&date="

1. Escaping previous fragment function:
2. Injection:
onmouseover=onmouseover%3dprompt%2831337%29%20abc%3d%22&category=32&date="

Description: On mouse over the affected link, and the injected code will be
executed. In this Proof-of-concept a prompt will alter the user's normal
execution flow.

Proof-Of-Concept 2
====================
http://www.visaeurope.com/en/viewpoints.aspx?author=3%22%20onmouseover%3dalert%28990207%29%20abc%3d%22&category=32&date=

Proof-Of-Concept 3
====================
http://www.visaeurope.com/en/viewpoints.aspx?author=3%22%20onmouseover%3dalert%28document.cookie%29%20bxc%3d%22&category=32&date=

* This realisation was reported to the relevant security teams which acted
immediately to remediate the issues.



Recommendations provided for Quality of Service
======================================
A. The recommendations that have been made to Visa Europe Inc. is to
consider encrypting the view state of the application. Furthermore to
implement a stronger Cross-Site Scripting protection. Apparently XSS
filtering is not properly applied, and metacharacter filtering allows data
input over the HTTP protocol to inject third-party untrusted code, in
Java-Script, Active-X and Visual Basic Script. Please note that malicious
users could take advantage of such a bug, as we have seen in malware and
virus propagation instances.


B. Our  consultation to Visa Europe was therefore, for an immediate risk
assessment and thus immediate review of upper-level security policies in
accordance to ISO 27001 and ISO 27002 which was followed kindly by the
team. Full review of ISMS policy scope and the SDLC of the vulnerable
application and other subsidiary pages.


 Appendices
============================
A. Suggested the filtering of metacharacters.
B. Suggested the utilisation User-server encoding of < and > to &lt; and
&gt; in application output.
C. An XSS attack could embrace mass user and product attacks, phishing
theft of private and confidential information such as credit cards,
passwords,
and stored accounts.
D. Suggested Filtering < and > and using appropriate encoding.
( and ) filtered and encoded to &#40; and &#41;,
Example:
# and & converted to &#35 (#) and &#38 (&).


References
============================
OWASP. 2013. Cross Site Scripting (XSS) attacks, [ONLINE]
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS), 2011
OWASP.  2013. XSS Filter Evasion Cheat-Sheet, [ONLINE]
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet?, 2013.
Microsoft. 2011. Protecting against XSS attacks. [ONLINE] Available at:
http://msdn.microsoft.com/en-us/library/ff649310.aspx.



** This vulnerability report is posted for the wider benefit of the
security community, as is and without any warranties, including the
warranty of merchantability and capability fit for a particular purpose.
The information is posted under the FOI as per best security practises.


*Copyright Advanced Information Security Corp ©, 2014*

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ