WebApp Sec mailing list archives
Re: PayPal Phishing Site Exploits Google XSS Vulnerability
From: shwaya () gmail com
Date: 12 Jan 2006 16:42:52 -0000
I can't view the video and the article doesn't have much information. Does anyone have a write-up of the video?
> Yes there are other sites vulnerable to this kind of XSS, but none of them
> carry the same brand name.

Two questions:

1) Maybe I'm missing something having not seen the video, but can we clarify what "kind of XSS" we're talking about here? Are you referring to the UTF-7 vuln in Google's 404 page (supposedly fixed), or the fact that the page can be used as a redirect to any site?

2) If the redirection is the problem, what steps should sites take to make sure that they are not vulnerable to being used as a phishing vector? One obvious step would be to only redirect to a list of known URLs. What else can be done? There are in fact other brand-name sites, such as amazon.com, that have redirect URLs. What is amazon doing right that prevents it from being used as a phishing vector?
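The allowlist approach the poster suggests, as an added example that is not from this thread or from any site named in it: a redirect-target validator in Python that only issues site-relative paths or absolute http(s) URLs whose host is on an allowlist, and rejects the usual bypass shapes (protocol-relative `//host`, userinfo tricks, backslashes, non-http schemes). `ALLOWED_HOSTS` and `FALLBACK` are constructed values for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist and fallback for this example; a real site keeps its own.
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}
FALLBACK = "https://www.example.com/"


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return `raw` if the site is willing to redirect there, else `fallback`.

    Rule: a site-relative path is fine; an absolute URL must be http(s) and its
    whole netloc (host, plus any userinfo or port) must match the allowlist.
    """
    # Leading/trailing whitespace and embedded control characters are rejected:
    # browsers and parsers strip them inconsistently, and CR/LF in a Location
    # header is a header-injection vector. Backslashes are rejected because
    # browsers treat "/\evil.example" as "//evil.example".
    if raw != raw.strip() or any(ord(c) < 0x20 or c == "\\" for c in raw):
        return fallback

    parts = urlsplit(raw)

    if parts.scheme == "" and parts.netloc == "":
        # Relative target: exactly one leading "/" so "//host/path" cannot pass.
        if raw.startswith("/") and not raw.startswith("//"):
            return raw
        return fallback

    # Anything that is not plain http(s) (javascript:, data:, protocol-relative
    # "//host" which parses with an empty scheme) is refused.
    if parts.scheme.lower() not in ("http", "https"):
        return fallback

    # Exact netloc match defeats "https://www.example.com@evil.example/"
    # (userinfo) and "https://www.example.com.evil.example/" (suffix) alike.
    if parts.netloc.lower() not in allowed_hosts:
        return fallback

    return raw


if __name__ == "__main__":
    # Constructed sample inputs showing what is issued and what is refused.
    for candidate in ["/account/summary", "//evil.example/",
                      "https://www.example.com/login",
                      "https://www.example.com@evil.example/",
                      "javascript:alert(1)", "/\\evil.example"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)}")
```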