WebApp Sec mailing list archives

Re: PayPal Phishing Site Exploits Google XSS Vulnerability


From: shwaya () gmail com
Date: 12 Jan 2006 16:42:52 -0000

I can't view the video and the article doesn't have much information. Does anyone have a write-up of the video?

Yes there are other sites vulnerable to this kind of XSS, but none of them
carry the same brand name.

Two questions:

1) Maybe I'm missing something having not seen the video, but can we clarify what "kind of XSS" we're talking about here? Are you referring to the UTF-7 vuln in Google's 404 page (supposedly fixed), or the fact that the page can be used as a redirect to any site?

2) If the redirection is the problem, what steps should sites take to make sure that they are not vulnerable to being used as a phishing vector? One obvious step would be to only redirect to a list of known urls. What else can be done?

There are in fact other brand-name sites, such as amazon.com, that have redirect urls. What is amazon doing right that 
prevents it from being used as a phishing vector?
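
The "only redirect to a list of known urls" step from question 2, as an added example that is not part of the original post. The host names, the fallback path and the function name are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed for this example: the hosts this site is allowed to redirect to.
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}
FALLBACK = "/"  # assumed safe landing page when the target is rejected


def safe_redirect_target(raw: str) -> str:
    """Return raw if it is a local path or an allowlisted https URL, else FALLBACK."""
    # Reject empty input, whitespace/control characters and backslashes, which
    # browsers normalise differently from server-side URL parsers.
    if not raw or any(ch <= " " or ch in "\\\x7f" for ch in raw):
        return FALLBACK
    try:
        parts = urlsplit(raw)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return FALLBACK
    if not parts.scheme and not parts.netloc:
        # Local path: exactly one leading slash ("//host" is protocol-relative).
        return raw if raw.startswith("/") and not raw.startswith("//") else FALLBACK
    # Absolute URL: https only, no userinfo, default port, exact host match.
    if parts.scheme != "https" or port not in (None, 443):
        return FALLBACK
    if parts.username is not None or parts.password is not None:
        return FALLBACK
    return raw if (parts.hostname or "").lower() in ALLOWED_HOSTS else FALLBACK


# Constructed sample inputs (not taken from the thread).
SAMPLES = [
    "/account/orders?id=5",                        # local path: kept
    "https://www.example.com/help",                # allowlisted host: kept
    "//evil.example.net/login",                    # protocol-relative: rejected
    "https://www.example.com@evil.example.net/",   # userinfo trick: rejected
    "https://www.example.com.evil.example.net/",   # look-alike suffix: rejected
    "javascript:alert(1)",                         # non-https scheme: rejected
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:50} -> {safe_redirect_target(sample)!r}")
```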
