Additional details and PoC available at http://security-sh3ll.blogspot.com/2010/09/visa-website-vulnerable-to-xss.html

XSS Weakness Found on Visa USA Website

2010/09/20

Lucian Constantin

http://news.softpedia.com/news/XSS-Weakness-Found-on-Visa-USA-Website-157115.shtml



A cross-site scripting (XSS) vulnerability, which could be used to enhance phishing and other attacks, has been identified on the usa.visa.com website.

The weakness was reported yesterday to the XSSed Project by a security researcher, who goes by the online handle of d3v1l.

D3v1l's track record involves finding similar bugs on Mashable, Verisign, Tweetmeme, Blippr, Twitter, Symantec and other high profile websites.

Cross-site scripting vulnerabilities stem from a failure to properly validate user input in forms and can be exploited by attackers to serve unauthorized code to visitors.

The weakness on usa.visa.com belongs to the most common, but less severe, class of cross-site scripting vulnerabilities, called reflected XSS.

But, even though it is not of the most dangerous type and can only be exploited by tricking users into opening malformed URLs, the impact of this bug is ultimately influenced by the popularity and trust associated with the vulnerable website.

A reflected XSS flaw located on the website of a bank, credit union or some other financial institution, like Visa, can be used to increase the credibility of phishing attacks.

Let's take a recent ZBot trick, which directed users to pages masquerading as enrollment forms for the Visa and MasterCard anti-fraud programs, as an example.

In that case, the pages were being injected directly into the browser, but let's suppose that a gang of phishers would use rogue emails to direct users to similar fake sites.

Instead of linking directly to the malicious domains, they could leverage the XSS vulnerability to pass the request through usa.visa.com.

When checking the link's destination in the phishing emails by hovering the mouse over it, users will see that it takes them to http://usa.visa.com/[something].

Even if from the Visa site they would be redirected to an external domain, via a JavaScript prompt or similar, chances are that they'll never notice it, since their trust has already been won over.
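The root cause the article describes, a parameter echoed into the page without validation or encoding, and the fix a site owner applies, are shown in the following example. It is added here and is not code from the article, from XSSed or from Visa; the search page, the `escapeHtml`, `renderSearchVulnerable`, `renderSearchSafe` and `reflectsMarkup` functions, and the `example.invalid` URL are all constructed for illustration.

```javascript
// Added example (not from the article or from Visa): the same "search
// results" page rendered two ways, to show why an unencoded query
// parameter is reflected XSS and how output encoding removes the bug.
// Everything here is constructed; no real endpoint is involved.

// HTML-entity encode the characters that can break out of a text context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable version: echoes the query parameter straight into the HTML,
// so any markup carried in the link is rendered by the visitor's browser.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened version: identical page, but the input is entity-encoded
// before insertion, so it is displayed as text rather than interpreted.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Extract a query-string parameter the way a server-side handler would
// (URL-decoding included). Missing parameters yield an empty string.
function queryParam(url, name) {
  return new URL(url).searchParams.get(name) || '';
}

// Defender-side check for a render function: count the tags in the page
// rendered with an empty parameter (the template's own tags) and compare
// with the page rendered with the supplied input. Extra tags mean the
// input reached the page as live markup.
function reflectsMarkup(render, query) {
  const tagPattern = /<[a-zA-Z!\/]/g;
  const baseline = (render('').match(tagPattern) || []).length;
  const withInput = (render(query).match(tagPattern) || []).length;
  return withInput > baseline;
}

// Constructed sample request: a harmless <b> tag in the parameter stands in
// for whatever a crafted link would carry.
const sampleUrl = 'https://example.invalid/search?q=%3Cb%3Ehello%3C%2Fb%3E';
const sampleQuery = queryParam(sampleUrl, 'q'); // "<b>hello</b>"

console.log('vulnerable reflects markup:', reflectsMarkup(renderSearchVulnerable, sampleQuery));
console.log('hardened reflects markup:  ', reflectsMarkup(renderSearchSafe, sampleQuery));
console.log(renderSearchSafe(sampleQuery));
```

The `reflectsMarkup` check is a cheap regression test a site owner can run over each handler that echoes request data: the template's tag count is the baseline, and any increase means the input was inserted unencoded. Entity encoding is only correct for the HTML text context shown here; a value placed inside an attribute, a URL or a script block needs the encoding for that context instead.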


