Three XSS vulnerabilities reported last Friday on CitiBank.com, the website of the international financial services group, have still not been patched. These vulnerabilities could allow attackers to compromise users, visitors and administrators, including theft of cookies, personal data, authentication credentials and browser history, among other impacts: https://www.xssposed.org/incidents/52831/
Information security expert Ilia Kolochenko, CEO of High-Tech Bridge and chief architect of ImmuniWeb, explains why XSS flaws like CitiBank's are so dangerous, yet commonplace: https://www.htbridge.com/blog/xss_the_easiest_way_to_hack_your_website_in_2014.html
Mr Kolochenko said: "XSS vulnerabilities can be exploited by making the victim visit any page of any website where the attacker can place an XSS exploit. Such passive XSS attacks are very dangerous as they do not require hackers to send anything to the victim. It's enough just to backdoor a website that the victim regularly visits and wait for 1 or 2 days. It's enough to make a small change to the index page of the website [controlled by the attacker] in such a manner that if the IP address of a visitor belongs to the victim's subnet, for example the network of a bank such as CitiBank.com, the index page will automatically inject an XSS exploit among other HTML content. Such attacks are extremely difficult to detect, and even IT security professionals can be easily compromised via such a technique.
"Another pattern that we regularly see on the market is using XSS vulnerabilities (especially stored ones) to deliver malware to the victim, instead of just stealing credentials. By clicking what appears to be a trustworthy link, the victim becomes not only a victim of data theft via XSS, but is also entirely compromised. The way to protect your online business is through on-demand ethical hacking services such as ImmuniWeb, which combine automated scanning with manual penetration testing by security experts to prevent security problems before they occur. Basically, people are the missing link so, with ImmuniWeb, a team of auditors assigned to the website security assessment perform manual testing for vulnerabilities in parallel with the automated security scanner, while also monitoring the scanner to confirm nothing is missed."
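The cookie-theft impact described above comes down to two server-side mistakes: reflecting user input into HTML without encoding, and issuing session cookies that script can read. The following is an added illustration written for this article (not code from CitiBank, High-Tech Bridge or ImmuniWeb); it assumes a hypothetical search page that echoes a `q` parameter, shows the unencoded rendering beside the context-aware encoded one, and builds the response headers (HttpOnly cookie, Content-Security-Policy) that limit what an injected script could do even if encoding is missed somewhere.

```python
import html
from urllib.parse import quote

# Constructed sample input: a search term carrying inline script, the kind of
# payload a reflected XSS report demonstrates with.
SAMPLE_QUERY = "<script>alert(document.cookie)</script>"


def render_unsafe(query: str) -> str:
    """The 'before': user input concatenated straight into the HTML body."""
    return f"<p>Results for: {query}</p>"


def render_safe(query: str) -> str:
    """HTML text context: entity-encode <, >, &, quotes before interpolating."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def safe_link(query: str) -> str:
    """URL-in-attribute context: percent-encode for the URL, then HTML-encode
    the attribute value. Each context gets its own encoder; one is not enough."""
    encoded = html.escape(quote(query, safe=""), quote=True)
    return f'<a href="/search?q={encoded}">search again</a>'


def session_cookie_header(session_id: str) -> str:
    """HttpOnly keeps document.cookie from exposing the session id to script;
    Secure and SameSite limit transport and cross-site sending."""
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def csp_header() -> str:
    """A restrictive CSP blocks inline script, so a missed encoding is far
    less useful to an attacker. (Assumed policy; tune per site.)"""
    return "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'"


def contains_script_tag(markup: str) -> bool:
    """Cheap check used here to contrast the two renderings; it is a test
    aid, not a substitute for proper output encoding."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_QUERY))
    print(render_safe(SAMPLE_QUERY))
    print(safe_link(SAMPLE_QUERY))
    print(session_cookie_header("EXAMPLE-SESSION-ID"))
    print(csp_header())
```

The point of `safe_link` is that the same input needs a different encoder depending on where it lands; most real reflected XSS bugs are not a total absence of encoding but the wrong encoder for the context.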