Full Disclosure mailing list archives

RE: news XSS on paypal.com


From: "php0t" <very () unprivate com>
Date: Sun, 23 Jul 2006 13:50:25 +0200


If it works, then you can plant iframes in popular websites so that when
somebody visits them and they happen to be logged on to paypal at the
same time, the injected javascript could make a transaction using the
victim's (visitor's) credentials. This can all happen without alerting
the user. (There might be some circumstances blocking this in practice,
like if they require a Turing test for completing money transactions
etc).


php0t

ps: a poc showing how to fake a whole webpage?! :-)


I wonder what is interesting in this, usually a poc shows us we can
upload a crafted webpage on a vulnerable website, fake a whole webpage,
etc, this link doesn't speak much than the noob who found it.

Pigrelax wrote:

www.paypal.com/cgi-bin/webscr?cmd=p/gen/--></script><script>alert('www


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

