Wednesday, 13 May 2009

XSS for Fun (and profit?)

I recently read an article in 2600 magazine about how to make quick money by exploiting XSS vulnerabilities in a retail website. In short, a reflected XSS vulnerability lets an attacker craft a URL on the retailer's own domain that, when opened, rewrites the price of an item displayed on that reputable website. At first glance this appears harmless, since the attacker can't actually purchase the item at the modified price; the server never offered it. However, by printing out the page showing the modified price and requesting a price match at a competing store, the attacker can leverage this technique to acquire goods at radically discounted prices.

Beyond the fact that retailers are losing money because their competitors have lousy websites, this technique is interesting because it leads to fraud that is incredibly hard to detect. First, the printout shows a seemingly legitimate URL from a competitor's website; the payload is buried in the query string, and the page is served from the genuine domain. Second, even if the employee who grants the price match is suspicious, the attacker can trick them into confirming the fraudulent price by asking them to visit the specially crafted URL, which replays the cross-site scripting attack in the employee's own browser. Nothing on the vulnerable retailer's side records an altered price: its server returned the correct one, and the attacker's script changed it only after the page loaded. The really nasty thing about this is that the software vulnerability (XSS) is costing another company, a competitor in fact, money, so there's very little motivation for the vulnerable website to fix this particular problem.

Posted by mmadou at 12:00 PM in Fortify