Recently we exploited nice XSS vector in one of RBS (Remote Banking Service) system. This example shows very well how dangerous can be client-attack.
Client after the authorization could sign electronic documents.
For signature from browser developers used CAPICOM technology.
If you are already understood us, you can not finish this note ;)
Signature from JavaScript - this is easy and usefull from client-side attacks.
JS code for sign document looks like:
You can easily call this function from stored/reflected XSS to sign arbitrary data.
To solve the PIN entry problem, we have used the caching mechanism for the key. Most often, after entering the PIN code of the key, PIN is remembered for a while.
So we were able to sign arbitrary (injected) document immediately after the user signs his own document (and entered PIN of course).
Then, using the Javascript we were able to hide the injected signed document from users's orders table (document was order request) for current user.
So only a single stored XSS vulnerability defeated all security measures of the RBS system. Note, that typically protections such as httpOnly cookies and SSL have been included, but it does not help.
Client after the authorization could sign electronic documents.
For signature from browser developers used CAPICOM technology.
If you are already understood us, you can not finish this note ;)
Signature from JavaScript - this is easy and usefull from client-side attacks.
JS code for sign document looks like:
function SignCreate(certSubjectName, dataToSign) { var oStore = CreateObject("CAPICOM.Store"); oStore.Open(CAPICOM_CURRENT_USER_STORE, CAPICOM_MY_STORE, CAPICOM_STORE_OPEN_MAXIMUM_ALLOWED); var oCertificates = oStore.Certificates.Find( CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME, certSubjectName); if (oCertificates.Count == 0) { alert("Certificate not found: " + certSubjectName); return; }
...
You can easily call this function from stored/reflected XSS to sign arbitrary data.
To solve the PIN entry problem, we have used the caching mechanism for the key. Most often, after entering the PIN code of the key, PIN is remembered for a while.
So we were able to sign arbitrary (injected) document immediately after the user signs his own document (and entered PIN of course).
Then, using the Javascript we were able to hide the injected signed document from users's orders table (document was order request) for current user.
So only a single stored XSS vulnerability defeated all security measures of the RBS system. Note, that typically protections such as httpOnly cookies and SSL have been included, but it does not help.
nice artical
ОтветитьУдалитьYour English kills me. It must be really very "artical" ;)
ОтветитьУдалитьYou might be asking how you can keep away from this, or whether a payday advance is ever justified regardless of the hazard.
ОтветитьУдалитьCash Advance
So it is prudent to pick your bank carefully, by working out the net payable enthusiasm utilizing the online mini-computers for the most part gave by the loan specialists site.
ОтветитьУдалитьPayday Loans Chicago
Know about every one of the terms and conditions that may apply. The web makes correlation shopping simple; ensure you exploit this to spare a couple of dollars on charges every payday.
ОтветитьУдалитьPayday Loans Chula-vista
Payday credits are a snappy and simple approach to 'top up' a financial balance that may have excessively month left toward the finish of the cash!
ОтветитьУдалитьCash Advance Corona
Savage moneylenders are promptly accessible so take the time and contact no less than 3 unique organizations preceding being in a defenseless state.
ОтветитьУдалитьCar Title Loans Chicago