Financial websites (banks, credit card companies, investment companies) are probably the biggest targets for hackers out there. I am sometimes a bit surprised by some of the blatant security issues some of these websites have. Just a few weeks ago, after reseting my password with a credit card company, I received my old password in plain text via e-mail. One of the classes I teach most frequently for SANS is the Web Application Security class. I do use a number of problems like this in the class to make the material covered more real. However, it would be nice to have a more complete catalog of these problems.
If you run into a blatant big problem with a financial site, please let us know. We will notify the site, but if you wish we will not mention your name. DO NOT HACK OR PENTEST ANY SITES WITHOUT WRITTEN PERMISSION FROM THE OWNER OF THE SITE. We are looking for problems that you run into as a regular part of doing business with the site.
Once we notified the sites, we will post some examples here. Again, we are looking for *big* problems like:
passwords send in the clear
insufficient user identification to reset the password
cross site scripting (again, DO NOT TEST)
SQL errors / Java errors and the like visible to the user
badly formated / worded e-mails that encourage phishing.
Things I consider minor or things we don't want to cover right here:
non SSL login forms that submit to SSL servers (we already covered that in the past).
login pages that give different errors if a username doesn't exist.
site downtime.
site allows the user to opt in for certain e-mail notifications, even if the notifications reveal balances and the like.
Please use our contact form to submit reports. Did I mention NO HACKING?!
More...
Breakout Champion!
Linear Mode
