Full Disclosure mailing list archives
Visa (Europe) XSS Vulnerability
From: "Nicholas Lemonias." <lem.nikolas () googlemail com>
Date: Fri, 7 Feb 2014 02:40:49 +0000
Visa (Europe) Website Vulnerability
==========================

Published Report: 07/02/2014
Credits: Advanced Information Security Corporation, USA
Severity: High/Critical (OWASP TOP 10)
Type: Web Application / Cross-Site Scripting Attack.
Author: Nicholas Lemonias. (Information Security Expert)

Vendor Overview
===========================

Visa Europe Ltd is a membership association and cooperative of over 3,700 European banks and other payment service providers that operate Visa branded products and services within Europe. Visa Europe provides electronic payment services for cardholders, businesses, and retailers. The company offers debit, credit, virtual and prepaid credit cards. The business has developed to provide consulting and analytics services for merchant agents and service providers. The business also offers payment security knowledge to business and government. The company is headquartered in London with satellite offices in Austria, Belgium, Bulgaria, Czech Republic, Finland, France, Germany, Greece, Hungary, Ireland, Israel, Italy, the Netherlands, Norway, Poland, Portugal, Romania, Spain, Sweden, Switzerland and Turkey.

Coordinated Vulnerability Disclosure Timeline
====================================

25th of November, 2013 - Contacted vendor regarding the security finding.
26th of November, 2013 - Vendor acknowledgement of the problem.
2nd of December, 2013 - Problem verification.
3rd of December, 2013 - Problem mitigation.

Proof of Concept / Affected Services
=============================

http://www.visaeurope.com/en/viewpoints.aspx?author=3%22%20onmouseover%3dprompt%28990207%29%20abc%3d%22&category=32&date=

Affected directory: /en/viewpoints

Injected code in path fragment: /en/viewpoints.aspx?author=3%22%20onmouseover%3dprompt%28990207%29%20abc%3d%22&category=32&date="

1. Escaping previous fragment function:
2.
Injection: onmouseover=onmouseover%3dprompt%2831337%29%20abc%3d%22&category=32&date="

Description: On mouse-over of the affected link, the injected code is executed. In this proof of concept a prompt dialog interrupts the user's normal execution flow.

Proof-Of-Concept 2
====================

http://www.visaeurope.com/en/viewpoints.aspx?author=3%22%20onmouseover%3dalert%28990207%29%20abc%3d%22&category=32&date=

Proof-Of-Concept 3
====================

http://www.visaeurope.com/en/viewpoints.aspx?author=3%22%20onmouseover%3dalert%28document.cookie%29%20bxc%3d%22&category=32&date=

* This finding was reported to the relevant security teams, which acted immediately to remediate the issues.

Recommendations provided for Quality of Service
======================================

A. The recommendations made to Visa Europe Inc. are to consider encrypting the view state of the application and to implement stronger cross-site scripting protection. XSS filtering was not properly applied: insufficient metacharacter filtering allowed data supplied over HTTP to inject third-party untrusted code in JavaScript, ActiveX and Visual Basic Script. Malicious users could take advantage of such a bug, as has been seen in malware and virus propagation instances.

B. Our consultation to Visa Europe was therefore for an immediate risk assessment and an immediate review of upper-level security policies in accordance with ISO 27001 and ISO 27002, which the team kindly followed, together with a full review of the ISMS policy scope and the SDLC of the vulnerable application and other subsidiary pages.

Appendices
============================

A. Suggested the filtering of metacharacters.
B. Suggested the use of server-side encoding of < and > to &lt; and &gt; in application output.
C. An XSS attack could enable mass user and product attacks, phishing, and theft of private and confidential information such as credit card numbers, passwords, and stored accounts.
D. Suggested filtering < and > and using appropriate encoding: ( and ) filtered and encoded to &#40; and &#41;; for example, # and & converted to &#35; (#) and &amp; (&).

References
============================

OWASP. 2013. Cross Site Scripting (XSS) attacks. [ONLINE] https://www.owasp.org/index.php/Cross-site_Scripting_(XSS), 2011.
OWASP. 2013. XSS Filter Evasion Cheat-Sheet. [ONLINE] https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet, 2013.
Microsoft. 2011. Protecting against XSS attacks. [ONLINE] Available at: http://msdn.microsoft.com/en-us/library/ff649310.aspx.

** This vulnerability report is posted for the wider benefit of the security community, as is and without any warranties, including the warranty of merchantability and fitness for a particular purpose. The information is posted under the FOI as per best security practices.

*Copyright Advanced Information Security Corp ©, 2014*
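As an added example (not code from the advisory or from Visa Europe), the following Python takes the report's proof-of-concept URL, reflects the author parameter into a quoted HTML attribute both raw and entity-encoded as the appendices recommend, and uses an HTML parser to check whether a separate on* event-handler attribute results. The link template and the inclusion of quote characters in the entity map are assumptions.

```python
# Added example (not code from the advisory or from Visa Europe): shows how the
# reported `author` parameter breaks out of a quoted attribute when reflected
# raw, and how entity-encoding it (per the advisory's appendices) makes it inert.
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Proof-of-concept URL exactly as given in the report.
POC_URL = ("http://www.visaeurope.com/en/viewpoints.aspx?author=3%22%20onmouseover"
           "%3dprompt%28990207%29%20abc%3d%22&category=32&date=")

# Metacharacter-to-entity map from the appendices (< > ( ) # &); the quote
# characters are added here (an assumption) because they close attribute values.
ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", "(": "&#40;", ")": "&#41;",
            "#": "&#35;", '"': "&quot;", "'": "&#39;"}

def encode_attr(value: str) -> str:
    """Replace every metacharacter with its entity; safe inside quoted attributes."""
    return "".join(ENTITIES.get(ch, ch) for ch in value)

def author_param(url: str) -> str:
    """Extract the percent-decoded `author` query parameter from the URL."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("author", [""])[0]

def render_link(author: str, encode: bool) -> str:
    """Hypothetical template for the viewpoints page (an assumption): the parameter
    is reflected inside a quoted href attribute, the context the PoC escapes."""
    value = encode_attr(author) if encode else author
    return f'<a href="/en/viewpoints.aspx?author={value}">Viewpoints</a>'

class _AttrCollector(HTMLParser):
    """Collects attribute names as a browser-like parser would see them."""
    def __init__(self):
        super().__init__()
        self.names = []
    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)

def event_handlers(html: str) -> list:
    """Detection check: on* attributes that really parse as separate attributes."""
    parser = _AttrCollector()
    parser.feed(html)
    parser.close()
    return [n for n in parser.names if n.startswith("on")]

if __name__ == "__main__":
    payload = author_param(POC_URL)
    print("raw     :", event_handlers(render_link(payload, encode=False)))  # ['onmouseover']
    print("encoded :", event_handlers(render_link(payload, encode=True)))   # []
```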
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/