for example,
change-password/-"><iframe src="http://hackerssite.com">-.html
change-password/-"><iframe src="http://hackerssite.com">-.html
https://sellercentral.amazon.com/gp/change-password/-%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E-.html
The XSS bug affects the "Password Assistance"
page, thus becoming the ideal phishing weapon for fraudsters who target
sensitive personal and financial information. As you can view in the
following screenshot, "See Me"
injected an iFrame tag that retrieves the first page of XSSed.com.
Instead, with border set to 0 in the tag, it could retrieve a
deceitful seller central user login page that logs authentication
credentials in cleartext and sends them to the fraudster's e-mail inbox.
Amazon is usually quick at remediating
security issues affecting their online properties. Of course, they
should go through a thorough source code security review and testing
before they put stuff live.
'Hacking' 카테고리의 다른 글
| What is the best way to manually test for buffer overflows? (0) | 2011.02.03 |
|---|---|
| PT FrameWork (0) | 2010.12.17 |
| FPS hack provider (0) | 2010.10.20 |
| Hiding files using ntfs file streaming (0) | 2010.10.16 |
| Back up Jailbreaked iPhone APPs (0) | 2010.09.21 |
