Phishing Attacks Exploiting Injection Flaws: The Importance of Application Security

01-08-2008
Cross-site scripting (XSS) can be exploited by phishers to build very effective attacks. Today we analyzed another attack of this kind, with some enhanced features. It exploited an injection flaw in an Internet banking application, specifically in the module used to display warning messages to users.

The function took a single GET parameter:

https://www.well-known-bank.com/popup.asp?msg=[ASCII_encoded_message_to_display]

And then returned a page with the following in the body:

document.writeln([decoded_messages]);

Obviously the aim here is to have a single page that displays warnings and is available to every module in the application. Because the input was not properly sanitized, the attackers used this vulnerability to inject a properly encoded iframe pointing to a fake login form hosted on a hijacked server:

<iframe src="http://www.hijacked-site.com/path/to/fake/login.php" width="800" height="800" scrolling="no" frameborder="0"></iframe>
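To show why the popup page above was exploitable and what a fix looks like, here is an added example (not code from the original post or from the bank's application): a small Node.js model of the popup.asp?msg= handler in its vulnerable form, a hardened form that keeps free-form text, and a stricter form that only accepts a message identifier. "popup.asp" and "msg" come from the post; the function names, the message table and the sample payload are constructed for illustration.

```javascript
// Constructed sample request: the attacker's message is an iframe tag, as in the post.
const SAMPLE_PAYLOAD =
  'msg=' + encodeURIComponent('<iframe src="http://example.invalid/login"></iframe>');

// Vulnerable: the decoded parameter is pasted straight into a script block.
// Whatever msg contains (tags, quotes, even a closing </script>) is written
// into the page by document.writeln and rendered by the browser.
function renderPopupVulnerable(queryString) {
  const msg = new URLSearchParams(queryString).get('msg') || '';
  return `<script>document.writeln("${msg}");</script>`;
}

// Hardened, step 1: build the JavaScript string literal safely.
// JSON.stringify handles quotes and backslashes; replacing "<" and ">" stops the
// value from ending the enclosing <script> block or opening a new tag.
function toJsStringLiteral(value) {
  return JSON.stringify(value).replace(/</g, '\\u003c').replace(/>/g, '\\u003e');
}

// Hardened, step 2: insert the text with textContent instead of document.writeln,
// so a message that contains markup is displayed as text, never parsed as HTML.
function renderPopupHardened(queryString) {
  const msg = new URLSearchParams(queryString).get('msg') || '';
  const literal = toJsStringLiteral(msg.slice(0, 500)); // also cap the length
  return `<p id="warn"></p><script>document.getElementById("warn").textContent = ${literal};</script>`;
}

// Hardened, step 3 (preferred): accept only an identifier and look the text up
// server-side, so free-form input never reaches the page at all.
const WARNINGS = { 'session-expired': 'Your session has expired.' }; // constructed table

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

function renderPopupById(queryString) {
  const id = new URLSearchParams(queryString).get('id') || '';
  if (!Object.prototype.hasOwnProperty.call(WARNINGS, id)) return null; // unknown id: refuse
  return `<p id="warn">${escapeHtml(WARNINGS[id])}</p>`;
}
```

Running the sample payload through the three renderers shows the iframe tag surviving only in the vulnerable output.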

These attacks are stronger than classic phishing for two main reasons. First, users actually see the legitimate domain of their bank in the address bar of their browser. Second, the address bar correctly displays “https,” which is something users have learned to look for because most financial institutions have been pushing this point in the security warnings they give their customers.

While I won’t stop to underline that basic security knowledge is needed by everybody using the Internet, I have to admit this attack is pretty tricky and even advanced users might be fooled by something like this. On the other hand, XSS and injection flaws – above all when located on pages accessible to everyone before authentication – are easily avoidable if the bank follows sound application security practices. Penetration testing and even automated application scans can easily highlight most flaws of this kind, and fixing them is rather easy once the issue has been found. Symantec has published a number of whitepapers on this subject, should somebody want to go deeper into it.

One last thought about this attack: in order to exploit vulnerabilities, attackers first have to find them. This usually means that, unless they are especially lucky, attackers have to send a rather large amount of malicious data to the target Web site before they find something good to use. Real-time security monitoring of mission-critical systems (such as an Internet banking server) would hopefully have spotted this early enough to take a deeper look and find the vulnerability before it was exploited.

[Source:Symantec]
