Re: eurobank e-banking

Posted: Wed Aug 26, 2015 5:03 am
by maxer
Thrawn wrote: Eww, they're polluting window.name! Look at the second line of the console output.
I accept your words, as I can look but I can't see; I simply do not know the subject.
This is *not* a safe practice. If you can leave the XSS filter on, then please do.
I didn't mention that the XSS filter was on, as I thought exceptions had a meaning only if the XSS filter was on.

So let me resume what I have understood and please correct me if I'm wrong:
Image

Thanks

Re: eurobank e-banking

Posted: Wed Aug 26, 2015 5:15 am
by maxer
barbaz wrote: *If* an XSS exception is the way to go.
I guess you state what you explain later.
Does this exception work?

Code:

^@https://[a-z]+\.eurobank\.gr/
Yes, it works. I have changed the expression to this. Thank you too.

Re: eurobank e-banking

Posted: Wed Aug 26, 2015 7:03 am
by Thrawn
maxer wrote:
This is *not* a safe practice. If you can leave the XSS filter on, then please do.
I didn't mention that the XSS filter was on, as I thought exceptions had a meaning only if the XSS filter was on.
What I meant was, don't write an exception if you can help it. Keep filtering these requests, because they're dangerous.

If the site breaks when the XSS filter is triggered, then I recommend using a separate profile for your banking, so that your bank can't be attacked by other sites in the same window.

Re: eurobank e-banking

Posted: Wed Aug 26, 2015 9:49 am
by maxer
Thrawn wrote: If the site breaks when the XSS filter is triggered, then I recommend using a separate profile for your banking, so that your bank can't be attacked by other sites in the same window.
I wish I knew what you mean by "breaks". My experience is that when the XSS filter is on, with no exception, there is a 15 sec delay where the Firefox window "freezes" (no response at all). After that the save/open prompt window comes up. The story is repeated for every new or refreshed page on eurobank.gr.

Re: eurobank e-banking

Posted: Wed Aug 26, 2015 5:49 pm
by barbaz
maxer wrote: I wish I knew what you mean by "breaks".
It means "not working in a way that makes it unusable" - including, for example, what you experience on eurobank with the XSS filter left alone.

My recommendation would be to follow Thrawn's advice and use a separate profile for eurobank - where you ONLY access eurobank in that profile - but make sure you install NoScript in that profile and add that XSS exception there, because it's not a safe exception to have in general.