Professional Documents
Culture Documents
Blog Eek
Blog Eek
Blogeek
where geeks play
Home
Pr0ject
Tutorial
Comic
Fellowship
About
Subscribe
RSS Feed-Posts RSS Feed-Comments
September 2007
M T WT F S S
1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30
« Aug
Categories
Education (4)
Entertainment (2)
Firefox (1)
Games (2)
Jokes (5)
Lifelog (13)
Linux (1)
Security (5)
Whatever (1)
Windows (1)
Archives
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
Beloved Readers
You!
Join Our
Community
syahrul
syahrul
niezam
Buy online
cheap
Cytotec
menteil
Encik
Marzuki
First L
Raja Munirah
frz703
free
« Older
Loading Newer »
I found a XSS hole in maybank2u online right in the https secured section. It seems
that Maybank2u use javascript to validate and filter user input in forgot password
page, before echoing it back. This can be easily evaded by sending the input not to
the textbox, but straight to the URL bar. As a result, user can inject javascript code
into the page by changing the birthday’s date value. Funny isn’t it?
What can we do with a xssed site? It’s an online banking site dude, why not setting
up a phishing site right there?
First we need to remove the old content [forgot password form] using
getElementByTagName. Fire up your DOM Inspector in Firefox and you should find
that the form is in the 4th table. Replace the form HTML code with innerHTML
command. The whole code that we’re going to inject should be something like this.
oldcontent= document.getElementsByTagName(”table”)[3];
oldcontent.innerHTML=’<–phising code goes here–>’;
String.fromCharCode(60,115,99,114,105,112,116,62,109,121,80,61,32,100,111,99,117,109,
101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,
101,40,34,116,97,98,108,101,34,41,91,51,93,59,109,121,80,46,105,110,110,101,114,72,84,
77,76,61,39,60,105,109,103,32,115,114,99,61,104,116,116,112,58,47,47,105,109,103,49,
55,48,46,105,109,97,103,101,115,104,97,99,107,46,117,115,47,105,109,103,49,55,48,47,
57,50,55,53,47,108,111,103,105,110,108,107,52,46,106,112,103,62,39,59,60,47,115,99,
114,105,112,116,62)
Yatta! A new phising site hosted by maybank2u itself with zero cent cost and it’s
https verified. [Tested only in Firefox]
Downside is, the URL is obviously long. Notice that the login form is just an image.
I’m lazy, and it can be better if you copy the HTML code from the real page. Keep
in mind that the longer your phishing code, the longer the URL will be.
If you don’t want to create a phishing site, you can just redirect the victim to a
cookie stealer. Set the cookie back to your browser and you’ll have 10 minutes
login time.
Maybank users, you don’t have to be worry since any money transaction need TAC
code. I told you earlier this is just a proof of concept. Haha.
This article is for educational purpose only. Whatever you do, you’re on your own.
To Mr.Fark: This is the better way to phish. Not the lame way that you did last time.
Teach me to write
Published August 18th, 2007 in Education. 0 Comments
Remember back in time when I decided to create my first blog, hoping I could
improve my English. Starting on that day, I had spent most of my free time reading
and publishing post until it has become one of my life routine.
The problem is, not all bloggers can write well and use the correct grammar,
including myself. I have to admit that. By reading that kind of writing, it will just
poison your mind and damage you English skills.
Sometimes I can’t keep myself from laughing when reading blog with poor
grammar. Did they just copy and paste the article to Google translator? I wonder if
my readers think the same way on me.
Now I’ll tell you my lame technique that I’ve been using for a long period of time.
Every time I write a new post, I’ll reread it for a few times, paste it in MS word and
scan for spelling errors. I’ll use Google to make sure that I’m using the accurate
words or phrases. My electronic dictionary and online Thesaurus are also come in
handy.
I know that some readers don’t even care about grammar errors as they only
interested with the content. For me, both are important because the way you write
shows the way you think. Plus, if you don’t know how to write well, you might
mislead the readers with the wrong ideas.
Recent Posts
Rob Maybank2u with javascript
Teach me to write
Analogy of a transistor
Bored? Try this
Hi, my name is Pudge and I’m overweight
Recent Comments
flisterz on Bored? Try this
Hertz on Pownce pwned
tk2 on Bored? Try this
adq890 on Bored? Try this
xenowork on Hi, my name is Pudge and I'm overweight
AVI to DVD
Creator
Easily convert
your AVI files to
movie DVD. Free
to try!
smartDVDcreator.com
Convert VHS to
DVD Easily
Fast & Simple
DVDs of Home
Videos Easy to
Install Hardware &
Software
www.Roxio.com
VOB to AVI
Converter
Download free
software to
convert VOB
videos to AVI file
format.
video.nchsoftware.co…
DWG to PDF -
Free Trial
Batch, Combine,
Stamp, and more.
Includes PDF
editor to markup
PDFs.
www.bluebeam.com