As discussed in the past, cross-site scripting (XSS) can be exploited by phishers to build really effective attacks. Today we have analyzed another similar attack that includes some enhanced features. The attack exploited an injection flaw in an Internet banking application, specifically located in the module used to display warning messages to users.
The function took a single GET parameter:
And then returned a page with the following in the body:
Obviously the aim here is to have a single page display warnings that are available to every module in the application. Because the input was not properly sanitized, the attackers used this vulnerability to inject a properly encoded iframe that pointed to a fake login form located on a hijacked server:
i--FRAME src="http://www.hijacked-site.com/path/to/fake/login.php" width=800 height=800 scrolling="no" frameborder="0"/i--FRAME
These attacks are stronger than classic ones for two main reasons. First, users actually see the legitimate domain of their bank in the address bar of their browser. Second, the address bar correctly displays “https,” which is something users have learned they need to look at because most financial institutions have been pushing on this point in their security warnings to their customers.
While I won’t stop underlining that basic security knowledge is needed by everybody using the Internet, I have to admit this attack is pretty tricky and even advanced users might be fooled by something like this. On the other hand, XSS and injection flaws – most of all when located on pages accessible by everyone before authentication – are easily avoidable if the bank follows some sound application security practices. Penetration testing activities and even automated application scans can easily highlight most flaws of this kind, and fixing them is rather easy once the issue has been found. Symantec has published a number of whitepapers on this subject, should somebody want to go deeper into it.
One last thought about this attack is that in order for attackers to be able to exploit vulnerabilities, they have to be able to find them first. This usually means that unless they are especially lucky, attackers have to send a rather large amount of malicious data to the target Web site in order to find something good to use. Real-time security monitoring of mission-critical systems (such as an Internet banking server) would hopefully have spotted this early enough to take a deeper look and find the vulnerability before it was exploited.
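
The monitoring point above, as an added example that is not part of the original post: a log check that percent-decodes the warning page's parameter until it stops changing, flags HTML markup in it, and counts hits per source. The path `/warning`, the parameter name `msg`, the log format and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed access-log lines; the path /warning and parameter "msg" are hypothetical.
SAMPLE_LOG = """\
198.51.100.7 "GET /warning?msg=Your+session+has+expired HTTP/1.1" 200
203.0.113.9 "GET /warning?msg=%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%2Flogin%22%3E HTTP/1.1" 200
203.0.113.9 "GET /warning?msg=%253Ciframe%253E HTTP/1.1" 200
203.0.113.9 "GET /warning?msg=%3CIFRAME+width%3D800%3E HTTP/1.1" 200
198.51.100.7 "GET /warning?msg=Balance+%3C+100+EUR HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) "GET (\S+) HTTP/[\d.]+" \d{3}$')
# Start of an HTML tag: "<" (or "</") immediately followed by a letter.
TAG_RE = re.compile(r"</?[a-zA-Z]")

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded markup is seen in clear."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(log_text, param="msg"):
    """Return (alerts, hits_per_source) for requests carrying markup in param."""
    alerts, per_source = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        source, target = m.groups()
        # parse_qsl decodes once; fully_decode handles any further layers.
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            clear = fully_decode(value)
            if name == param and TAG_RE.search(clear):
                alerts.append((source, clear))
                per_source[source] += 1
    return alerts, per_source

if __name__ == "__main__":
    alerts, per_source = scan(SAMPLE_LOG)
    for source, clear in alerts:
        print(f"markup in warning parameter from {source}: {clear!r}")
    print("repeat sources:", [s for s, n in per_source.items() if n >= 2])
```

A warning text that merely contains a "<" sign, such as the last sample line, is not flagged, because the pattern requires a letter directly after the bracket.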