

XSS Flaw on Paypal.com - Sejanus
http://praetorianprefect.com/archives/2010/03/xss-flaw-on-paypal-com/

======
tptacek
This doesn't appear to work, whether I'm logged in or not. I'm pretty shocked
that it ever did. Almost every automated scanning tool catches this, and
Paypal has an in-house security team.

------
midnightmonster
Article authors seem to be confused by the phrase: "Pass quarterly remove
vulnerability scans". From what I know about PCI compliance, this is probably
just a mistype and not indicative of anything actually meaningful. PCI
compliance usually requires a quarterly security scan from a certified vendor.
(The "Hacker Proof" "Hacker Safe" and similar badges are from these same
services or similar.) These scans check your server(s) from the outside
against a large panel of known-vulnerable software versions and common
dangerous practices. They're useful tools, but no one should be misled into
thinking they actually demonstrate security. The scans are typically passive
only and don't do anything that could actually exploit a vulnerability or that
require interacting with your site in any interesting way (such as logging
in).

And it's not (as the article authors supposed) about removing vulnerabilities
found in previous scans--you get the same (though updated) set of tests each
scan and either pass or fail each time. Should you happen to fail, though, you
can just upgrade, protect, or remove the problematic software (or make it hide
its version number) and get scanned again until you pass.

~~~
0wned
These scanners are pretty much worthless. They are written by script kiddies
for accountants who pretend they know something about IT when most of them
have _never_ administered a system.

------
metamemetics
Has anyone used Amazon payments on a site? Would you consider it a viable
alternative to PayPal now or in the future for donations, subscriptions,
ebooks, etc.?

~~~
jeff18
I use PayPal, Amazon, and Google Checkout. PayPal and Amazon are almost
interchangeable.

Google Checkout, on the other hand, is relatively weak (doesn't support bank
accounts, is slower, more false positives, weaker API, etc.).

------
almost
They also don't seem to escape eBay auction names properly, in IPN
notifications at least. If you have an auction name with & in it then that
gets stuck straight into the URL encoded IPN body. You'd think this would be
the sort of thing they'd really want to get right.
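
What an unescaped `&` does to a URL-encoded body, as an added example for the IPN point above (this is illustrative code written for this page, not PayPal's or the commenter's; the field names follow the usual IPN vocabulary, but the values and the "careless producer" are constructed for the demonstration):

```python
from urllib.parse import parse_qs, urlencode

# Constructed sample fields for an IPN-style message. The names mirror common
# IPN parameters; the values are made up for this example.
FIELDS = {
    "txn_type": "web_accept",
    "item_name": "Vintage Black & Decker drill",   # the raw '&' is the whole point
    "mc_gross": "19.99",
    "payment_status": "Completed",
}


def build_body_unescaped(fields):
    """Hypothetical careless producer: joins key=value pairs without
    percent-encoding the values, the behaviour described in the comment."""
    return "&".join(f"{k}={v}" for k, v in fields.items())


def build_body_escaped(fields):
    """Correct producer: application/x-www-form-urlencoded encoding, so a '&'
    inside a value becomes %26 and spaces become '+'."""
    return urlencode(fields)


def parse_body(body):
    """Consumer-side parse, the way a typical IPN listener would do it.
    keep_blank_values=True so stray fragments show up instead of vanishing."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def find_unescaped_fragments(body):
    """Cheap consumer-side sanity check: every '&'-separated segment of a
    well-formed body contains '='. Segments without one mean a raw '&' leaked
    from a value and the message should be treated as malformed."""
    return [seg for seg in body.split("&") if "=" not in seg]


if __name__ == "__main__":
    bad = build_body_unescaped(FIELDS)
    print(bad)
    print(parse_body(bad))                 # item_name truncated to "Vintage Black "
    print(find_unescaped_fragments(bad))   # [" Decker drill"]

    good = build_body_escaped(FIELDS)
    print(good)
    print(parse_body(good))                # round-trips to FIELDS
```

With the unescaped body, `item_name` silently truncates to "Vintage Black " and the remainder of the title turns into a bogus key with an empty value; a listener that matched the item name against its own records would fail on exactly the auctions whose titles contain `&`. The `find_unescaped_fragments` check is a simple way for a consumer to reject such bodies rather than act on a truncated field.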

------
Sejanus
They fixed it, which is good as it was pointed out to them.

