A hacker has posted code for a powerful XSS attack which, as stated, goes beyond the usual cookie theft or phishing to steal personal information.
A cross-site scripting (XSS) vulnerability allows hackers to control the content of a vulnerable but still trusted site, passing critical information to cybercriminals. In addition to creating hacker-controlled pop-up windows on websites, XSS can also lead to theft of cookies.
Nicklas Femerstrand is the hacker who in October 2011 found that the debugging mechanism of the American Express site was affected by this kind of vulnerability. He developed the so-called “XSS on steroids” script while examining a similar vulnerability on the site of one of the Swedish banks.
“There are common myths about XSS, which can be used for phishing and cookie collection,” he said. “My code destroys these myths and converts non-permanent XSS into something sustainable.”
“I have created code that defines its own existence and locally infects the payload, all references to the web site visitor. In this case, a non-permanent XSS becomes permanent for him. It also monitors the behavior of the user and sends an attacker interesting information (logins, passwords, credit card information),” he added.
Femerstrand published his code on this site last week.
Rick Ferguson, director of security research and communications at Trend Micro, has confirmed that the script designed by Femerstrand is a bigger threat than expected, but there are questions about whether the hacker's idea is innovative. Ferguson said that this technique had already existed for some time and was introduced in beefproject.com.
In response to this statement Femerstrand said: “I have heard about BeEF, but only in passing. I did not know that they use a similar technique, and I have not come across any documents on this topic. I saw that their keylogger cannot distinguish one input line from another and, instead of entering what has been published, introduces anything that is on the page. I have never used BeEF, but personally I think the project is too bloated.”
He noted that publishing the code was logical, since it has identified security gaps in banking institutions.
“The original code was written as a proof of how easy it is to rob a bank now,” he wrote. “I see that banks are mocking people. Banks are serious enough about safety. But when a man sees a PCI DSS standard sign, he thinks that the bank does its job well, but in fact, all that such standards do is issue a logo saying ‘We confirmed the same’ and check the 4-digit PIN codes there.”
“Modern banks know that in case of bankruptcy, the government will provide them with financial support. I am convinced that the publication of the code is the right decision, because it highlights the practical importance of financial security,” added Femerstrand.