Saturday, November 6, 2010

Google Shop Oline XSS vulnerability


     
1.  Discription:

 Google Shop Online website sell the products online like souvenir.
“ How do we keep your information secure?
    The personal information that you provide to Google Store, including your credit card or other payment information, is maintained on secure servers and protected by industry-standard Secure Socket Layer encryption. When entering personal information, look for an icon at the bottom of your browser window that indicates you are on a secure page.”
     I cut from that site.
URL: http://www.google-store.com
2.  XSS Vulnerability:
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites were roughly 80% of all security vulnerabilities documented by Symantec as of 2007.[1] Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site, and the nature of any security mitigations implemented by the site's owner.” (wikipedia.org)
“What about cookies?
A cookie is a piece of data that identifies you as a unique user. When you visit the Google Store, we set a cookie on your computer to help identify you, customize your experience and maintain your account and order information. To protect the security of your account, you must accept the Google Store cookie in order to shop here.”( google-store.com)
    Here are some snapshops:

XSS vulnerability was on the module produc_info.php, that does not filter the special characters. Hackers use this to insert javascript code to steal cookies from Customers, Administrators and so on.
Take a look at the source view from firefox.



3.  Reference:

No comments:

Post a Comment