Re: Cross site scripting @verisign.com and @cybercash.com
From: Tim Morgan (tmorgan-security@kavi.com)Date: 04/21/02
- Previous message: FozZy: "Re: Cross site scripting in almost every mayor website"
- In reply to: KF: "Cross site scripting @verisign.com and @cybercash.com"
- Next in thread: kristalaz: "Re: Cross site scripting @verisign.com and @cybercash.com"
- Next in thread: KF: "Re: Cross site scripting @verisign.com and @cybercash.com"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 20 Apr 2002 20:56:17 -0700 From: Tim Morgan <tmorgan-security@kavi.com> To: KF <dotslash@snosoft.com>
> http://www.cybercash.com/
>
> or
>
> http://www.verisign.com/
> <http://www.cybercash.com/><script>alert('hi')</script>
>
> Not sure how big a deal this is... but seeing as how the name verisign
> is associated with "Security" I think it should be looked at. This
> didn't work from my Mozilla browser on linux but it did from IE on
> win2k... could be a browser detection method causing the varied results.
I noticed this on CyberCash a few weeks ago, but didn't think much of it
since their site is on the chopping block. Hadn't checked VeriSign yet
though, good find. One interesting point is that CyberCash seems to use
cookies for authentication. At this point in time, AFAIK, you can't glean CC
numbers from the site, but before VeriSign swallowed CyberCash, there
were some interfaces that allowed you to get credit card numbers for
certain transactions. It is scary and pathetic that such things go on.
tim
- Previous message: FozZy: "Re: Cross site scripting in almost every mayor website"
- In reply to: KF: "Cross site scripting @verisign.com and @cybercash.com"
- Next in thread: kristalaz: "Re: Cross site scripting @verisign.com and @cybercash.com"
- Next in thread: KF: "Re: Cross site scripting @verisign.com and @cybercash.com"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
