Potential Cross-Site Scripting Attack at RBC Royal Bank..?

Ask for help about NoScript, no registration needed to post
weeniebob

Potential Cross-Site Scripting Attack at RBC Royal Bank..?

Post by weeniebob » Tue Feb 06, 2018 7:58 am

Simply navigating to the Royal Bank sign-in page causes the following XSS Warning:

[Image: screenshot of the NoScript XSS warning]

At first glance it appears that my login credentials will be tried at 50+ semi-related websites, in the hopes that I'm reusing the same username/password... (or is that not what's going on here..?) If that IS what's happening, I'm assuming my online banking could be easily compromised too..?

(either way, I don't think I'll be paying any bills tonight..!)
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0

Giorgio Maone
Site Admin
Posts: 8654
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Potential Cross-Site Scripting Attack at RBC Royal Bank.

Post by Giorgio Maone » Mon Aug 27, 2018 9:57 pm

Hi, thank you for reporting,
I cannot reproduce because it seems to happen after the actual login (it doesn't happen with fake credentials, and the message points at a GET request): likely a post-login (stats tracking?) redirection, rather than the login submission itself, and a false positive.
Maybe I can take a look at the actual payload if you copy and paste it as text, after double-checking that (as I believe) there are no credentials embedded in it.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0

Just_Golem
Junior Member
Posts: 25
Joined: Tue Nov 28, 2017 11:04 am

Re: Potential Cross-Site Scripting Attack at RBC Royal Bank..?

Post by Just_Golem » Thu Feb 07, 2019 2:46 pm

Mister M,

I know this is an old post... I also have the same question. I had this problem last summer and chose to Block permanently the XSS request. This week, I created a new VMware Kubuntu install and needed to set up my bank again, and this XSS error still happens today.

Royal Bank login page, get XSS warning. I can reproduce the XSS warning from many systems and ISPs. (I have access to 2 ISPs and a bunch of computers.) I copied the full link/XSS/code? provided by NoScript (similar to the image above), (not sure how to offer it here without it creating a link to something bad).

My MAIN concern (since I can choose to block that request without any noticeable side effect on bank login/transactions) is the actual names of the sites that link is referencing. I see Yandex and bank names from Russia, Sicily, France, then SignIn and Login words with references to PayPal and Facebook.

So my question is three-fold:
1- Can I post (and/or how-to) the actual Copied Text (code/LIVE link)
2- Would it help (you) see if this a solvable problem (false positive)?
3- "Could you help ME" see if the BUZZ words (links) are a sign of Danger/Hack with my bank?

PS my method to reproduce XSS warning:

Use Google to search for Royal Bank Canada, link should be RBCRoyalBank .com
From that page, click on Login button (top right)
This should send you to www1. royalbank. com/ cgi-bin/...etc..
NO need to fill in fields
Now I give Temporary NoScript permissions to all four of the domains, one at a time:
royalbank .com
ensighten .com
rbcroyalbank .com
and
rbc .com

When I grant RBC NoScript access, the XSS warning comes up.
Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
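Giorgio's request above (check the flagged URL for embedded credentials before pasting it) and Just_Golem's questions (which site names the link references, and how to post the text without it turning into a live link) both come down to inspecting a single GET URL. The following is an added example written for this page; it is not code from the thread, from RBC, or from NoScript, and it says nothing about how NoScript's own XSS filter decides. The hostnames, parameter names and sample URL are constructed, and the list of credential-looking parameter names is an assumption about common naming. It decodes the query string until it stops changing (tracking redirects are often encoded more than once), lists the other hosts embedded in it, flags parameters whose names look like credentials or session identifiers, and produces a defanged copy with those values redacted.

```javascript
// Added example, not code from the NoScript forum thread or from NoScript itself.
// Inspect a URL that NoScript's XSS filter flagged: list the third-party hosts
// named inside it, flag query parameters that look like credentials, and build a
// redacted, defanged copy that is safe to paste into a public forum post.

// Assumption: parameter names commonly used for credentials / session material.
const CREDENTIAL_KEYS =
  /^(user(name|id)?|login|pass(word|wd)?|pwd|pin|token|session(id)?|sid|auth|secret|otp|card)$/i;

// Matches http(s) URLs in plain or percent-encoded form and captures the host.
const URL_IN_TEXT = /https?(?::|%3A)(?:\/\/|%2F%2F)([a-z0-9.-]+\.[a-z]{2,})/gi;

// Tracking redirects are frequently double- or triple-encoded; decode until stable.
function decodeFully(s, maxRounds = 5) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch { break; } // malformed %-sequence: keep what we have
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

function inspectFlaggedUrl(raw) {
  const url = new URL(raw);
  const decoded = decodeFully(url.search) + decodeFully(url.hash);

  // Every host that appears inside the query/fragment, other than the request host.
  const embeddedHosts = new Set();
  for (const m of decoded.matchAll(URL_IN_TEXT)) {
    const host = m[1].toLowerCase();
    if (host !== url.hostname) embeddedHosts.add(host);
  }

  // Parameters to redact before posting: credential-like names, or long opaque
  // values (session ids, signed tokens) regardless of name.
  const suspectParams = [];
  for (const [name, value] of url.searchParams) {
    if (CREDENTIAL_KEYS.test(name)) suspectParams.push(name);
    else if (/^[A-Za-z0-9+/=_-]{24,}$/.test(value)) suspectParams.push(name);
  }

  return { host: url.hostname, embeddedHosts: [...embeddedHosts].sort(), suspectParams };
}

// Replace suspect values, then break the scheme and every dot so forum software
// will not turn the string (or the hosts inside it) into clickable links.
function redactForPosting(raw) {
  const url = new URL(raw);
  for (const name of inspectFlaggedUrl(raw).suspectParams) {
    url.searchParams.set(name, 'REDACTED');
  }
  return url.toString().replace(/^http/i, 'hxxp').replace(/\./g, '[.]');
}

// Constructed sample of the kind of post-login tracking redirect Giorgio suspected;
// not a real RBC request. The inner URL is itself nested one level deeper.
const SAMPLE =
  'https://www1.bank.example/cgi-bin/track?' +
  'dest=' + encodeURIComponent(
    'https://signin.partner.example/login?ret=' + encodeURIComponent('https://www.social.example/')
  ) +
  '&sid=ZmFrZXNlc3Npb25pZHZhbHVlMTIzNDU2Nzg5MA' +
  '&user=jdoe' +
  '&lang=en';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(inspectFlaggedUrl(SAMPLE));
  console.log(redactForPosting(SAMPLE));
}
```

Run it with node and paste the real flagged URL in place of SAMPLE. The embeddedHosts list answers the "which sites does this reference" question directly; a tracker handing off to a redirect endpoint with the target URL in a parameter is exactly the GET-with-embedded-URLs shape that a heuristic XSS filter can flag. Anything listed in suspectParams should stay out of a public post even if it later turns out to be harmless.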

Just_Golem
Junior Member
Posts: 25
Joined: Tue Nov 28, 2017 11:04 am

Re: Potential Cross-Site Scripting Attack at RBC Royal Bank..?

Post by Just_Golem » Sun Feb 17, 2019 12:10 pm

hey group, is this forum still active??? Is Mr Maone still helping or working here???
Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0

barbaz
Senior Member
Posts: 8837
Joined: Sat Aug 03, 2013 5:45 pm

Re: Potential Cross-Site Scripting Attack at RBC Royal Bank..?

Post by barbaz » Sun Feb 17, 2019 12:42 pm

Just_Golem wrote:
Sun Feb 17, 2019 12:10 pm
hey group, is this forum still active??? Is Mr Maone still helping or working here???
This forum is still active. Giorgio is still around, but he's probably very busy.

As a start, does your bank site actually require ensighten to be allowed? Seems to be a tracker - https://better.fyi/trackers/ensighten.com/
Just_Golem wrote:
Thu Feb 07, 2019 2:46 pm
1- Can I post (and/or how-to) the actual Copied Text (code/LIVE link)
Try posting it in code tags (paste it, select what you pasted, then click the </> button above the textarea where you write your message).

If that still trips the spam filter, PM it to an active Mod (me, GµårÐïåñ, skriptimaahinen, therube, or Thrawn) and we'll try to post it for you. PMs to forum staff are not spam-filtered, and the spam filter is more lenient on us.
Just_Golem wrote:
Thu Feb 07, 2019 2:46 pm
2- Would it help (you) see if this a solvable problem (false positive)?
Yes
*Always* check the changelogs BEFORE updating that important software!
