Cross-Site Scripting Vulnerability Leads To Critical Takeover For Canadian Banking Platform


To catch a hacker, you must think like a hacker. An attacker looks for ways to chain multiple exploits into one larger attack. What is often missed in this type of scenario is what happens when vulnerabilities are combined: hackers usually chain two or more vulnerabilities together in a way that leads to the compromise of a business. That is what we recently found in one Canadian banking platform, where a low-severity self-XSS combined with clickjacking led to account takeover.


Description

During our testing we triggered a self-XSS, and the website was also vulnerable to clickjacking; the second weakness is what turns the first one into an attack against other users.

Self-XSS is a social engineering attack used to gain control of victims' web accounts. In a self-XSS attack, the victim accidentally runs malicious code in their own web browser, thus exposing their session to the attacker. The injection point can be DOM-based or a field that only the one user can set and view.

Clickjacking is an attack that frames a website in which the victim is logged in, typically sets the opacity of the frame to 0, and forces the victim to interact with their account from a different website without their knowledge. Clickjacking, also called UI redressing, is a malicious technique that tricks users into clicking a button or image that runs a hidden malicious script from another site.

An attacker can induce users to paste XSS payloads into text fields framed from other domains. These frames can be redressed, made invisible, and overlaid on top of other UI elements, making the user think they are interacting with a different website.


What’s the Risk?

The attacker can steal cookies, inbox messages, change profile settings (phone numbers, emails, etc.), steal profile details, or perform other malicious actions. Basically, the attacker can take over the full account of the user.


Mitigation or Fix

Below are some protections that should be implemented to prevent this attack.

  • Use the X-XSS-Protection header
  • Set the X-Frame-Options header to DENY (for clickjacking)
  • Use a Content Security Policy
  • Always set session cookies as HttpOnly
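As an added example (not code from the original post or from the platform described), the audit below checks a response's headers for the four protections listed above, run over two constructed header sets: a weak one resembling the situation described, and a hardened one. It goes slightly beyond the list in two ways a practitioner should know: the CSP `frame-ancestors` directive is the modern replacement for `X-Frame-Options` and is accepted as an alternative, and `X-XSS-Protection` is a legacy header that current browsers ignore, so it is reported as a low-value finding while the CSP is treated as the real XSS control. Header names and values are illustrative assumptions.

```python
"""Audit HTTP response headers for the clickjacking / XSS / cookie defenses
listed in the post. Added example; header sets below are constructed."""

# Constructed sample: a response with none of the listed protections.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "session=abc123; Path=/",
}

# Constructed sample: the same response after applying the mitigations.
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; frame-ancestors 'none'"
    ),
    "X-XSS-Protection": "1; mode=block",
    "Set-Cookie": "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
}


def parse_csp(value):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def cookie_attributes(set_cookie):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    segments = set_cookie.split(";")
    name = segments[0].split("=", 1)[0].strip()
    attrs = {seg.strip().split("=", 1)[0].lower() for seg in segments[1:] if seg.strip()}
    return name, attrs


def audit_headers(headers):
    """Return a list of findings; an empty list means all listed defenses are present.
    Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # Clickjacking: framing must be blocked by X-Frame-Options or CSP frame-ancestors.
    xfo = h.get("x-frame-options", "").strip().upper()
    csp = parse_csp(h.get("content-security-policy", ""))
    if xfo not in ("DENY", "SAMEORIGIN") and not csp.get("frame-ancestors"):
        findings.append("framing allowed: set X-Frame-Options: DENY or CSP frame-ancestors 'none'")

    # XSS: a CSP that restricts script sources is the effective browser-side control.
    if not csp:
        findings.append("no Content-Security-Policy")
    else:
        script_sources = csp.get("script-src", csp.get("default-src", []))
        if "*" in script_sources or "'unsafe-inline'" in script_sources:
            findings.append("CSP permits inline or wildcard script sources")

    # Legacy header from the post's list; modern browsers ignore it, so low value.
    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection missing (legacy browsers only)")

    # Cookie theft via XSS: every cookie should carry HttpOnly.
    raw = h.get("set-cookie", [])
    cookies = raw if isinstance(raw, list) else ([raw] if raw else [])
    for cookie in cookies:
        name, attrs = cookie_attributes(cookie)
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")

    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or "no findings")
```

`Set-Cookie` may be supplied as a single string or as a list when a response sets several cookies; both forms are handled. Running the block prints four findings for the weak set and none for the hardened set.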

This combination is hard to automate and requires human creativity to fully understand the potential impact. Discovery of the chained vulnerability requires manual testing; static/dynamic vulnerability scanning is not sufficient.
