PCI Compliance
Tuesday 28th September, 2010 11:24 Comments: 0
I'm not going to name names, but during an ASV scan of a very large retailer back in February I (well, one of the automated tools we use) detected some HTML injection and Cross-Site Scripting (XSS) vulnerabilities. I even created an impressive Proof of Concept (PoC) that presented a fake login page where the victim could enter their valid username and password (which was submitted to Google as a search query, but could have gone to another server that stored the submitted values, and perhaps redirected the user to the real login page). Because it was all hosted on their domain name, many users could potentially fall for this (the domain name is displayed in black text in IE8, for example).
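To show the defender's side of the finding above, here is an added example that is not code from this post, from the retailer, or from any scanner: a constructed search handler that reflects a query parameter verbatim (the HTML injection pattern) next to one that HTML-escapes it, plus a small regression check that a scanner or a developer's test suite could run to confirm reflected input no longer renders as markup. The function names, the inert probe string and the shop.example URL are all assumptions made for the example.

```python
import html
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample handlers: a search page that reflects the "q" parameter
# into the response body. Nothing here comes from the site in the post.


def render_vulnerable(query: str) -> str:
    """Reflects the parameter verbatim: the HTML-injection / XSS pattern."""
    return f"<h1>Results for {query}</h1>"


def render_hardened(query: str) -> str:
    """Escapes the parameter for the HTML text context before reflecting it."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


# A constructed, inert probe: harmless markup that would become a live element
# only if the page reflected it unescaped. Its id makes it easy to locate.
PROBE = '<b id="asv-probe">probe</b>'


def probe_url(base: str = "https://shop.example/search") -> str:
    """Build the request URL a regression test would issue (hypothetical host)."""
    return base + "?" + urlencode({"q": PROBE})


def reflects_unescaped(response_body: str, probe: str = PROBE) -> bool:
    """Regression check: True if the probe markup survived into the response
    verbatim, i.e. the page would render caller-supplied HTML."""
    return probe in response_body


def check_url(render, url: str) -> dict:
    """Extract the reflected parameter from the URL, render it with the given
    handler, and report whether the reflection is safe."""
    params = parse_qs(urlparse(url).query)
    q = params.get("q", [""])[0]
    body = render(q)
    return {"body": body, "vulnerable": reflects_unescaped(body)}


if __name__ == "__main__":
    for name, handler in (("vulnerable", render_vulnerable),
                          ("hardened", render_hardened)):
        result = check_url(handler, probe_url())
        print(f"{name}: vulnerable={result['vulnerable']}  body={result['body']}")
```

The check is deliberately context-specific: `html.escape` is the right encoding for an HTML text or attribute context, but a value reflected inside a script block, a URL, or a CSS rule needs the encoding for that context, so a passing check here says nothing about those other injection points.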

You'd think, several months later, that I wouldn't detect these issues. They would have fixed them, right? After all, they want to be PCI compliant, right? Right?

The issues from February are still there. Due to improvements in the tools over the last few months, the main automated web application scanner appears to have detected some new issues too (although perhaps they were added by the developers to the vulnerable website between then and now?).

This is a very large retailer with millions of customers. I've bought stuff from them in the past, you've probably bought stuff from them in the past (and you probably will buy things from them for Christmas). I can't believe they're not taking this more seriously. I have to wonder how many other vulnerabilities are present in the application that automated scanning hasn't uncovered (well, it is only an ASV scan we're running for them right now).

I sometimes think to myself "better the devil you know" (such as the cash machine I inspected a few years back, which ran everything as Administrator, but was otherwise quite secure); but sometimes you end up thinking "ignorance is bliss" and very occasionally "I'm not buying from their website ever again".
© Robert Nicholls 2002-2024
The views and opinions expressed on this site do not represent the views of my employer.