[Owasp-delhi] XSS in IRCTC.
Karthik Muthukrishnan
karthik.muthukrishnan at tcs.com
Fri Nov 28 02:23:49 EST 2008
I had to book another ticket, and now, given what I observed, I feel that
it is in fact an XSS exploitation done by a script kiddie. I didn't do any
technical analysis, since I get to the XSSd page only after booking a
ticket.
This is one of the scenarios where, even though I knew it to be very
unsafe, I had to provide my credit card details to the site knowing full
well that they could be going into the wrong hands.
One consolation is the Verified by Visa stuff. My card's payment gateway
will ask me for a password during online transactions. And Stan Chart's
payment gateway is using an SSL cert by Verisign that expired years
ago. This is a serious issue for me and I am going to return the Manhattan
card. Since Verified by Visa is asking for a password on a separate
site, I guess IRCTC's vulnerabilities cannot read that passcode. However, I
am aware that using the card info provided at the site, duplicate physical
cards may be created, thus bypassing Verified by Visa.
Just my thoughts.
Puneet, the security pen test might have been done by the lowest bidder!
From: "Puneet Mehta" <puneet.mehta at owasp.org>
Sent: 11/27/2008 09:34 PM
To: dhruv.soi at owasp.org
Cc: "Karthik Muthukrishnan" <karthik.muthukrishnan at tcs.com>, "Plash Chowdhary" <plash.chowdhary at tcs.com>, owasp-delhi at lists.owasp.org
Subject: Re: [Owasp-delhi] XSS in IRCTC.
I am sure they have people hired to ensure the security of their critical
application. The question is: are these so-called security professionals
competent to perform the job that they are hired for? Or is it a
quarterly automated pen test, performed last time, that apparently missed
catching the crown jewel "XSS"? :-)
On Thu, Nov 27, 2008 at 9:13 PM, Soi, Dhruv <dhruv.soi at owasp.org> wrote:
If you think they would understand XSS, go ahead and report this issue. And
if you think otherwise, even the confirmation won't be of any use :-)
Be generic, call it a bug and report the issue without being worried about
software bug or XSS. If they offer some remuneration then no harm in going
ahead to confirm this one or maybe finding more juicy stuff. I would prefer
to confirm vulnerabilities for our clients or some software products rather
than offering free consulting services to irresponsible companies that deploy
insecure software and make their customers suffer... If you find any
vulnerability in the wild, no doubt report it in an ethical way! But no
reason to spend time over it where you don't have any personal or
professional interest!
-----Original Message-----
From: owasp-delhi-bounces at lists.owasp.org
[mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Karthik
Muthukrishnan
Sent: Tuesday, November 25, 2008 11:07 AM
To: Plash Chowdhary
Cc: owasp-delhi at lists.owasp.org
Subject: Re: [Owasp-delhi] XSS in IRCTC.
Thanks for pointing it out, Plash.
It *seems* to be an exploitation. I didn't have enough time to analyze it,
so I was hoping that someone from OWASP Delhi would confirm whether it is
an exploitation or not. The "Print this page" link didn't work; it just showed
an alert box. I would prefer to be reasonably sure that it is not a
programming issue.
What do the other guys on the mailing list say? Report it right away, or
confirm the issue and report it?
From: Plash Chowdhary/DEL/TCS
Sent: 11/25/2008 05:20 AM
To: Karthik Muthukrishnan <karthik.muthukrishnan at tcs.com>
Cc: owasp-delhi at lists.owasp.org, owasp-delhi-bounces at lists.owasp.org
Subject: Re: [Owasp-delhi] XSS in IRCTC.
Karthik, are you going for full disclosure here without including CERT
India... it's a govt site dude ; )
Regards,
Plash Chowdhary
Security Consultant,
Global Consulting Practice - IRM
Tata Consultancy Services
Ph:- +91-120-4398828
Buzz:- 4120286
Mailto: plash.chowdhary at tcs.com
Website: http://www.tcs.com
From: Karthik Muthukrishnan <karthik.muthukrishnan at tcs.com>
Sent by: owasp-delhi-bounces at lists.owasp.org
Sent: 11/23/2008 11:36 PM
To: owasp-delhi at lists.owasp.org
Subject: [Owasp-delhi] XSS in IRCTC.
IRCTC seems to have been exploited via an XSS vuln. After booking the
ticket, when you click on the "print this page" link, an alert ("hi")
appears. This was the status this morning. I didn't have time to analyze as
I had to rush to office. Will see if I can spend some time from office.
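Added note, not part of the thread: the symptom reported above (an alert firing on the post-booking "print this page" view) is what a stored or reflected XSS looks like when booking data is written into the page without encoding. The example below is constructed for illustration, not IRCTC's code; which field carried the payload is not known from the thread, so the passenger name is an assumed injection point, and the page template and function names are hypothetical. It shows the defective rendering beside the encoded one and a check a test suite can keep running.

```python
import html
from string import Template

# Constructed booking record standing in for the data a ticket-confirmation
# "print this page" view renders. The passenger field carries a script tag of
# the kind the report describes; the injection point is an assumption.
BOOKING = {
    "pnr": "1234567890",
    "passenger": 'A. Passenger<script>alert("hi")</script>',
    "train": "12345 Example Express",
}

# Hypothetical page template (not IRCTC's markup).
PRINT_PAGE = Template(
    "<html><body><h1>Ticket $pnr</h1>"
    "<p>Passenger: $passenger</p><p>Train: $train</p></body></html>"
)


def render_unsafe(booking):
    """Interpolates every field verbatim, so markup stored in the data
    becomes live markup in the page (the defect behind the reported alert)."""
    return PRINT_PAGE.substitute(booking)


def render_escaped(booking):
    """HTML-escapes every field before interpolation; the browser then shows
    the tag as text instead of executing it."""
    safe = {k: html.escape(str(v), quote=True) for k, v in booking.items()}
    return PRINT_PAGE.substitute(safe)


def has_script_element(page):
    """Regression check usable in a test suite: does the rendered output
    contain an unescaped <script ...> opening tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("unsafe :", has_script_element(render_unsafe(BOOKING)))    # True
    print("escaped:", has_script_element(render_escaped(BOOKING)))   # False
    print(render_escaped(BOOKING))
```

Escaping at the output point is the fix for this class of bug regardless of where the data came from; a template engine with auto-escaping on by default does the same job without relying on every developer remembering it, and a Content-Security-Policy header limits what an injected tag can do if one slips through.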
From: "Pukhraj Singh" <pukhraj.singh at vikriya.com>
Sent by: owasp-delhi-bounces at lists.owasp.org
Sent: 11/22/2008 08:29 PM
To: "Tarun Dua" <tarundua at gmail.com>
Cc: owasp-delhi at lists.owasp.org
Subject: Re: [Owasp-delhi] NDTV.com classified by google search as a possible attack site serving malware
Tarun,
You are correct on that one; I missed mentioning that as the exploit seemed
too trivial for my attention.
When I went through the blog entry, my focus immediately jumped to the
subsequent iframes which were being launched (the ones mentioned after the
line: "launches several iframes that launch several other attacks. very
nice. I'll let you pull down that code.") and the subsequent malware it was
trying to load. I was really keen to pull them down and see if they got
something juicy.
Loosely speaking, a shotgun attack is not bound to a definition, unlike,
say, buffer overflows, as you may better understand; it was just a term
created by my team at Symantec to make life and explanations easier. This one
would still come under the shotgun category (duhh - too hard on fancy
definitions) as there were multiple exploits loaded in a sequence of nested
iframes.
Best,
Pukhraj
On Sat, Nov 22, 2008 at 12:48 PM, Tarun Dua <tarundua at gmail.com> wrote:
Hi Pukhraj,
Thanks for your explanation. As I understand it, a shotgun attack is
one where the attacking malware site attempts to exploit multiple
vulnerabilities, ranging from JavaScript to Shockwave objects?
The URL you referred to lists the type of malicious SQL injection
request that will compromise an MS-SQL server (or can it compromise
any other database servers?) by updating the open table cursors,
thereby injecting JavaScript into result sets which are being fetched
by the web pages, which thus gets written out into the web pages being
served and executes a shotgun attack on end users' computers. Is my
understanding correct?
Thanks
-Tarun
On Sat, Nov 22, 2008 at 2:48 AM, Pukhraj Singh
<pukhraj.singh at vikriya.com> wrote:
> This is the second time I have heard of NDTV being compromised. The
> first time it was compromised with the MPack exploitation toolkit.
>
> The infection via d0uhunqn-dot-cn is pretty old. It seems that website
> remained compromised for a long time. Sad! It's a typical shotgun attack,
> although the malicious links seem to be offline now. A couple of projects
> have crawled through those malicious websites which have been mentioned in
> the Google diagnostics page (CastleCops, Shadowserver, Symantec SafeWeb,
> et al). Some of the exploits being served are old (from the Storm Worm days):
>
> http://carnal0wnage.blogspot.com/2008/08/cute.html
>
> Best,
> Pukhraj
>
>
> -----Original Message-----
> From: owasp-delhi-bounces at lists.owasp.org
> [mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Tarun Dua
> Sent: Friday, November 21, 2008 10:33 PM
> To: owasp-delhi at lists.owasp.org
> Subject: [Owasp-delhi] NDTV.com classified by google search as a possible
> attack site serving malware
>
> See advisory here
>
> http://www.google.com/safebrowsing/diagnostic?site=http://www.ndtv.com/convergence/ndtv/videos.aspx&hl=en
>
> I couldn't see the malware sites mentioned in the advisory being served
> from ndtv.com anymore in my Firebug console, so I figure that these
> vulnerabilities might be gone from their site now. Does someone have
> more information as to what happened here: was it their Windows
> servers that got compromised, or XSS issues from the advertising or
> user-generated content served by them?
>
> Cheers!!
> -Tarun
> http://tarundua.net/google/ndtv/advisory
> _______________________________________________
> Owasp-delhi mailing list
> Owasp-delhi at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-delhi
>
>
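Added example for Tarun's question above about the cursor-driven SQL injection that rewrites every text column so that script or iframe markup is served back in result sets. It is not from the thread or from any of the projects mentioned; it shows the defender's counterpart of that walk, an audit that enumerates every TEXT column of a content store and reports rows carrying injected markup. A constructed in-memory SQLite database stands in for the site's database, the hostnames are placeholders, and the tag patterns are an assumption about what such a payload leaves behind.

```python
import re
import sqlite3

# Opening <script ...> or <iframe ...> tag: the kind of markup the mass
# injection discussed in the thread appends to text columns, which is then
# written into every page that renders those rows.
INJECTED = re.compile(r"<\s*(script|iframe)\b[^>]*>", re.IGNORECASE)


def build_sample_db():
    """Constructed in-memory database standing in for a site's content store
    after a mass injection (sample values only; hostnames are placeholders)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT, views INTEGER);
        CREATE TABLE comments (id INTEGER PRIMARY KEY, text TEXT);
        INSERT INTO articles VALUES (1, 'Plain', 'Plain article text.', 10);
        INSERT INTO articles VALUES (2, 'News', 'Latest news<script src="http://malware.invalid/x.js"></script>', 3);
        INSERT INTO comments VALUES (7, '<iframe src="http://malware.invalid/i.html" width=0 height=0></iframe>');
        INSERT INTO comments VALUES (8, 'Nothing to see here');
    """)
    return con


def text_columns(con):
    """Yields (table, column) for every TEXT column: the same surface the
    injection's cursor walks, enumerated here for the audit instead."""
    tables = [row[0] for row in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk).
        for _cid, name, ctype, *_rest in con.execute(f'PRAGMA table_info("{table}")'):
            if (ctype or "").upper().startswith("TEXT"):
                yield table, name


def find_injected_markup(con):
    """Returns (table, column, rowid, tag) for every value holding an injected
    script or iframe tag. Table and column names come from the schema, not
    from user input, so quoting them into the statement is safe here."""
    hits = []
    for table, column in text_columns(con):
        for rowid, value in con.execute(f'SELECT rowid, "{column}" FROM "{table}"'):
            match = INJECTED.search(value or "")
            if match:
                hits.append((table, column, rowid, match.group(1).lower()))
    return hits


if __name__ == "__main__":
    for hit in find_injected_markup(build_sample_db()):
        print("injected markup at table=%s column=%s rowid=%s tag=%s" % hit)
```

The scan locates contaminated rows so they can be cleaned and so the affected pages can be identified, but it does not close the hole: the injection got in through a web page that concatenated request parameters into SQL, and the rows will be rewritten again unless those queries are parameterized. The same walk, re-run on a schedule and alerting on any hit, doubles as a cheap detection for a recurrence.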
=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain
confidential or privileged information. If you are
not the intended recipient, any dissemination, use,
review, distribution, printing or copying of the
information contained in this e-mail message
and/or attachments to it are strictly prohibited. If
you have received this communication in error,
please notify us by reply e-mail or telephone and
immediately and permanently delete the message
and any attachments. Thank you
--
Puneet Mehta CISSP CISA CEH CPTS BS7799 LA
OWASP Delhi Board