------------------------- Time Line Vulnerability ------------------------- 10-05-2018 First Security Advisory Not Response 18-05-2018 Second Security Advisory Not Response 25-05-2018 Thid Security Advisory - Response Ok.. "Teorical Fixing by Bank of Brasil Security Team" ( 3 Days They Said to me ) 28-05-2018 Verifiying - Not Fixex". Mail to Bank of Brasil -- Mail Delivery System (¿?) Full Discloure Explanation ------------ I had to upload to the website and started looking for emails and they do not exist. I used the Google translator to do email searches in Portugues and I found audacity departments divided into different sites. THERE IS NOTHING ON THE WEB PAGE TODAY RELATED TO CYBERSECURITY AND SENDING A NOTICE .. Therefore, the most similar service is the "SAC" (SAC 0800 729 0722) that is for claims and things of that style. But he does not have any mail, it's a phone number. I called. and being a bank they knew English. I told them the story and he told me directly that they could not do anything and they knew which company took the security. Therefore, in the face of the impossibility of contacting those responsible for cybersecurity and a proven existence of the same faults, I have decided to make a dissemination of informaicon which, in my view, is responsible, since I have done everything possible to improve the bank's security. Responsibility The Author @secnight as well as Vertigosistems are exempt from any type of criminal liability and that which may arise from the disclosure of this information. In these moments the security of the bank is inefficient both at the application level as in layer 2 .. and rising... and for a bank, THIS IS INADMISSIBLE --------------------- FULL DISCLOSURE --------------------- \ | / \|/ |------||------| | WARNING | |--------------| The bank currently has more than 30 security failures, so I leave these security flaws in the report, but putting them all makes no sense. They need a Penetration Test, Continuous Cycle,Code Review and for the huge failures,the severity causes the faults to be fixed as quickly as possible =========================================================== Bank of Brazil Multiple security Flaws =========================================================== I. VULNERABILITY ------------------------- #Title: Bank of Brazil Multiple security Flaws #Vendor:Bank Of Brasil #Author:Juan Carlos García (@secnight) Special Thanks Vertigosistems https://www.vertigosistems.com/ #Follow me Twitter:@secnight http://habemuscurso.blogspot.com http://hackingmadrid.blogspot.com II. DESCRIPTION ------------------------- Banco do Brasil S.A. (English: Bank of Brazil) is the second largest bank by assets in Brazil and all of Latin America. The bank, headquartered in Brasília, was founded in 1808 and is the oldest active bank in Brazil, even older than the country's central bank. It is also one of the oldest banks in continuous operation in the world. Banco do Brasil is controlled by the Brazilian government but its stock is traded on the São Paulo Stock Exchange and its management follows standard international banking practices (Basel Accords). Since 2000 it has been one of the four most-profitable Brazilian banks (the others being Itaú Unibanco, Bradesco, and Santander Brasil) and holds a strong leadership position in retail banking --------------- Security Flaws | --------------- 1 PII Scanneer The response contains Personally Identifiable Information, such as CC number, SSN and similar sensitive data. URL http://www.bb.com.br/docs/pub/atend/toquio/dwn/NetprMaintPT.pdf Method GET Evidence 500278556500 URL http://www.bb.com.br/docs/pub/atend/toquio/dwn/NetprMaintPT.pdf Method GET Evidence 3556556556556333 Instances 2 Solution Other information Credit Card Type detected: Maestro Reference CWE Id 359 WASC Id 13 Source ID 3 2 HTTP to HTPPS transition insecure in the form of a post Description ------------- This check looks for insecure HTTP pages that host HTTPS forms. The problem is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or simulated. URL http://www.bb.com.br/portalbb/page100,8305,4911,0,0,1,6.bb?codigoMenu=15244&codigoNoticia=28839 Method GET Attack [cadena vacía] URL http://www.bb.com.br/portalbb/page4,8305,3912,0,0,1,6.bb?codigoMenu=15217&codigoNoticia=28458 Method GET Attack [cadena vacía] URL http://www.bb.com.br/portalbb/home1,8305,8305,0,0,1,6.bb Method POST Attack [cadena vacía] URL http://www.bb.com.br/portalbb/home1,8305,8305,0,0,1,6.bb Method GET Attack [cadena vacía] URL http://www.bb.com.br/portalbb/home1,8305,8305,0,0,1,6.bb Method GET Attack [cadena vacía] URL http://www.bb.com.br/portalbb/page100,8305,19205,0,0,1,6.bb?codigoMenu=15368&codigoNoticia=28840 Method GET Attack [cadena vacía] URL http://www.bb.com.br/portalbb/page100,8305,19205,0,0,1,6.bb?codigoMenu=15368&codigoNoticia=28840 Method GET Attack [cadena vacía] URL http://www.bb.com.br/portalbb/page251,8305,8388,0,0,1,6.bb?codigoNoticia=31200 Method GET Attack [cadena vacía] URL http://www.bb.com.br/portalbb/page100,8305,4911,0,0,1,6.bb?codigoMenu=15244&codigoNoticia=28839 Method GET Attack [cadena vacía] URL http://www.bb.com.br/portalbb/page100,8305,4911,0,0,1,6.bb?codigoMenu=15244&codigoNoticia=28839 Method GET Attack [cadena vacía] URL http://www.bb.com.br/portalbb/page251,8305,8388,0,0,1,6.bb?codigoNoticia=31200 Method POST Attack [cadena vacía] URL http://www.bb.com.br/portalbb/home1,8305,8305,0,0,1,6.bb Method POST Attack [cadena vacía] URL http://www.bb.com.br/portalbb/page251,8305,8388,0,0,1,6.bb?codigoNoticia=31200 Method POST Attack [cadena vacía] URL http://www.bb.com.br/portalbb/page251,8305,8388,0,0,1,6.bb?codigoNoticia=31200 Method POST Attack [cadena vacía] URL http://www.bb.com.br/portalbb/home29,8305,8305,0,0,1,6.bb Method GET Attack [cadena vacía] URL http://www.bb.com.br/portalbb/home29,8305,8305,0,0,1,6.bb Method GET Attack [cadena vacía] URL http://www.bb.com.br/portalbb/home1,8305,8305,0,0,1,6.bb Method POST Attack [cadena vacía] URL http://www.bb.com.br/portalbb/page4,8305,3912,0,0,1,6.bb?codigoMenu=15217&codigoNoticia=28458 Method GET Attack [cadena vacía] URL http://www.bb.com.br/portalbb/page4,8305,8388,0,0,1,6.bb?codigoMenu=15245&codigoNoticia=28842 Method GET Attack [cadena vacía] URL http://www.bb.com.br/portalbb/page4,8305,8388,0,0,1,6.bb?codigoMenu=15245&codigoNoticia=28842 Method GET Attack [cadena vacía] Instances 27 Solution Use HTTPS for landing pages that host secure forms Other information The response to the following HTTP request included a tag action attribute value of HTTPS form: http://www.bb.com.br/portalbb/page100,8305,4911,0,0,1,6.bb?codigoMenu=15244&codigoNoticia=28839 el contexto era: <form name="formNaoCorrentista" action="https://www2.bancobrasil.com.br/aapf/login.jsp" method="post"> <div class="grade"> <input type="Hidden" name="aapf.NC" value="sim"> <input type="Hidden" name="ativaCadastroNC" value="sim"> </div> <div class="grade"><label for="cpf">CPF</label><input type="text" value=" CPF" name="cpf" id="cpf" class="busca" onfocus="setElmAtv(this);letreiro(this,' CPF');" onblur="letreiro(this,' CPF');" maxlength="14" size="15" onkeypress="return mask(true, event, this, '###.###.###-##');" tabindex="28"></div> <div class="grade botaoOK" style="margin-left:5px;margin-top:1px;"><a href="#" title="Entrar" onclick="return validaCNC();" onkeypress="return validaCNC();" tabindex="29"><span>&nbsp;OK &nbsp;&nbsp;</span></a></div> </form> Reference [cadena vacía] CWE Id 16 WASC Id 15 Source ID 3 3 Source Code Divulgation in Perl -Description The source code of the application was disclosed by the web server - Perl URL http://www.bb.com.br/docs/pub/siteEsp/uds/dwn/Proequidade.pdf Method GET Evidence $#waRFp Instances 1 Solution Make sure that the Source Code application is not enabled with alternative extensions, and make sure that the source code is not present within other files or data displayed to the web server, or served by the web server. Other information $#waRFp Reference http://blogs.wsj.com/cio/2013/10/08/adobe-source-code-leak-is-bad-news-for-u-s-government/ CWE Id 540 WASC Id 13 4 X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks - Description- * URL: [http://www.bb.com.br/portalbb/hs001003,500490,500491,1,0,1,1,80.bb](http://www.bb.com.br/portalbb/hs001003,500490,500491,1,0,1,1,80.bb) * Method: `GET` * Parameter: `X-Frame-Options` * URL: [http://www.bb.com.br/portalbb/jsp/eng/index.jsp](http://www.bb.com.br/portalbb/jsp/eng/index.jsp) * Method: `GET` * Parameter: `X-Frame-Options` * URL: [http://www.bb.com.br/portalbb/page44,8305,8330,0,0,1,6.bb?bread=4&codigoMenu=3800&codigoNoticia=4561&codigoRet=3809](http://www.bb.com.br/portalbb/page44,8305,8330,0,0,1,6.bb?bread=4&codigoMenu=3800&codigoNoticia=4561&codigoRet=3809) * Method: `GET` * Parameter: `X-Frame-Options` * URL: [http://www.bb.com.br/portalbb/page100,8305,4911,0,0,1,6.bb?codigoMenu=15244&codigoNoticia=28839](http://www.bb.com.br/portalbb/page100,8305,4911,0,0,1,6.bb?codigoMenu=15244&codigoNoticia=28839) * Method: `GET` * Parameter: `X-Frame-Options` * URL: [http://www.bb.com.br/portalbb/page3,7932,7950,0,0,1,0.bb?bread=1_2&codigoMenu=3490&codigoRet=3510](http://www.bb.com.br/portalbb/page3,7932,7950,0,0,1,0.bb?bread=1_2&codigoMenu=3490&codigoRet=3510) * Method: `GET` * Parameter: `X-Frame-Options` * URL: [http://www.bb.com.br/portalbb/page3,7932,3678,22,0,1,8.bb](http://www.bb.com.br/portalbb/page3,7932,3678,22,0,1,8.bb) * Method: `GET` * Parameter: `X-Frame-Options` * URL: [http://www.bb.com.br/portalbb/page3,7932,3678,22,0,1,8.bb](http://www.bb.com.br/portalbb/page3,7932,3678,22,0,1,8.bb) * Method: `POST` * Parameter: `X-Frame-Options` * URL: [http://www.bb.com.br/portalbb/home1,8305,8305,0,0,1,6.bb](http://www.bb.com.br/portalbb/home1,8305,8305,0,0,1,6.bb) * Method: `GET` * Parameter: `X-Frame-Options` * URL: [http://www.bb.com.br/portalbb/home23,10548,10548,0,0,1,5.bb](http://www.bb.com.br/portalbb/home23,10548,10548,0,0,1,5.bb) * Method: `GET` * Parameter: `X-Frame-Options` * URL: [http://www.bb.com.br/](http://www.bb.com.br/) * Method: `GET` * Parameter: `X-Frame-Options` * URL: [http://www.bb.com.br/docs/sitesp/sustentabilidade/hotsite_Internet.html](http://www.bb.com.br/docs/sitesp/sustentabilidade/hotsite_Internet.html) * Method: `GET` * Parameter: `X-Frame-Options` * URL: [http://www.bb.com.br/portalbb/page3,7932,7952,0,0,1,0.bb?bread=1_4&codigoMenu=3490&codigoRet=3512](http://www.bb.com.br/portalbb/page3,7932,7952,0,0,1,0.bb?bread=1_4&codigoMenu=3490&codigoRet=3512) * Method: `GET` * Parameter: `X-Frame-Options` * URL: [http://www.bb.com.br/portalbb/home1,8305,8305,0,0,1,6.bb?dv=1](http://www.bb.com.br/portalbb/home1,8305,8305,0,0,1,6.bb?dv=1) * Method: `GET` * Parameter: `X-Frame-Options` * URL: [http://www.bb.com.br/portalbb/home29,8305,8305,0,0,1,6.bb](http://www.bb.com.br/portalbb/home29,8305,8305,0,0,1,6.bb) * Method: `GET` * Parameter: `X-Frame-Options` * URL: [http://www.bb.com.br](http://www.bb.com.br) * Method: `GET` * Parameter: `X-Frame-Options` * URL: [http://www.bb.com.br/portalbb/page3,7932,7949,0,0,1,0.bb?bread=1_1&codigoMenu=3490&codigoRet=3508](http://www.bb.com.br/portalbb/page3,7932,7949,0,0,1,0.bb?bread=1_1&codigoMenu=3490&codigoRet=3508) * Method: `GET` * Parameter: `X-Frame-Options` * URL: [http://www.bb.com.br/portalbb/home29,8305,8305,0,0,1,6.bb?dv=1](http://www.bb.com.br/portalbb/home29,8305,8305,0,0,1,6.bb?dv=1) * Method: `GET` * Parameter: `X-Frame-Options` * URL: [http://www.bb.com.br/portalbb/home1,8305,8305,0,0,1,6.bb](http://www.bb.com.br/portalbb/home1,8305,8305,0,0,1,6.bb) * Method: `POST` * Parameter: `X-Frame-Options` * URL: [http://www.bb.com.br/portalbb/home16,500355,500355,21,0,1,1.bb?dv=1](http://www.bb.com.br/portalbb/home16,500355,500355,21,0,1,1.bb?dv=1) * Method: `GET` * Parameter: `X-Frame-Options` * URL: [http://www.bb.com.br/portalbb/page251,8305,8388,0,0,1,6.bb?codigoNoticia=31200](http://www.bb.com.br/portalbb/page251,8305,8388,0,0,1,6.bb?codigoNoticia=31200) * Method: `POST` * Parameter: `X-Frame-Options` Instances: 32 ### Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). ### Reference * http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx #### CWE Id : 16 #### WASC Id : 15 #### Source ID : 3 5 HTTP Parameter Override -Description Unspecified form action: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable URL http://www.bb.com.br/portalbb/home1,8305,8305,0,0,1,6.bb Method POST Evidence <form name="formContaEmp" action="" method="post"> URL http://www.bb.com.br/portalbb/page251,8305,8388,0,0,1,6.bb?codigoNoticia=31200 Method POST Evidence <form name="formContaEmp" action="" method="post"> URL http://www.bb.com.br/portalbb/page4,8305,8388,0,0,1,6.bb?codigoMenu=15245&codigoNoticia=28842 Method GET Evidence <form name="formContaEmp" action="" method="post"> URL http://www.bb.com.br/portalbb/page3,7932,7948,22,0,1,8.bb?bread=1&codigoMenu=3490&codigoNoticia=4246&codigoRet=3494 Method GET Evidence <form name="formPerfil" autocomplete="off" action="" method="post"> URL http://www.bb.com.br/portalbb/home29,8305,8305,0,0,1,6.bb Method GET Evidence <form name="formContaEmp" action="" method="post"> URL http://www.bb.com.br/portalbb/page3,7932,3678,22,0,1,8.bb Method GET Evidence <form name="formPerfil" autocomplete="off" action="" method="post"> URL http://www.bb.com.br/portalbb/home1,8305,8305,0,0,1,6.bb Method GET Evidence <form name="formContaEmp" action="" method="post"> URL http://www.bb.com.br/portalbb/page4,8305,3912,0,0,1,6.bb?codigoMenu=15217&codigoNoticia=28458 Method GET Evidence <form name="formContaEmp" action="" method="post"> URL http://www.bb.com.br/portalbb/page100,8305,19205,0,0,1,6.bb?codigoMenu=15368&codigoNoticia=28840 Method GET Evidence <form name="formContaEmp" action="" method="post"> URL http://www.bb.com.br/portalbb/page3,7932,3678,22,0,1,8.bb Method POST Evidence <form name="formPerfil" autocomplete="off" action="" method="post"> URL http://www.bb.com.br/portalbb/page251,8305,8388,0,0,1,6.bb?codigoNoticia=31200 Method GET Evidence <form name="formContaEmp" action="" method="post"> URL http://www.bb.com.br/portalbb/page100,8305,4911,0,0,1,6.bb?codigoMenu=15244&codigoNoticia=28839 Method GET Evidence <form name="formContaEmp" action="" method="post"> Instances 12 Solution All forms must specify the action URL. Reference http://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf CWE Id 20 WASC Id 20 Source ID 3 6 X-Content-Type-Options Header Missing Description The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing. URL http://www.bb.com.br/docs/pub/atend/toquio/dwn/tela7.gif Method GET Parameter X-Content-Type-Options URL http://www.bb.com.br/pbb/pagina-inicial/private Method GET Parameter X-Content-Type-Options URL http://www.bb.com.br/portalbb/img.ImgWriter?codigo=19634&origem=CCI Method GET Parameter X-Content-Type-Options URL http://www.bb.com.br/docs/css/ac/menuHorizontal.css Method GET Parameter X-Content-Type-Options URL http://www.bb.com.br/docs/pub/inst/img/tela5red.gif Method GET Parameter X-Content-Type-Options URL http://www.bb.com.br/portalbb/page100,8305,19205,0,0,1,6.bb?codigoMenu=15368&codigoNoticia=28840 Method GET Parameter X-Content-Type-Options URL http://www.bb.com.br/pbb/app/docs/comum/images/structure/header/icon/apple-icon-180x180.png Method GET Parameter X-Content-Type-Options URL http://www.bb.com.br/pbb/pagina-inicial/estilo Method GET Parameter X-Content-Type-Options URL http://www.bb.com.br/portalbb/page251,8305,8388,0,0,1,6.bb?codigoNoticia=31200 Method POST Parameter X-Content-Type-Options URL http://www.bb.com.br/docs/pub/atend/toquio/dwn/tela10.gif Method GET Parameter X-Content-Type-Options URL http://www.bb.com.br/docs/img/v5/imgCantoMenuEsq.png Method GET Parameter X-Content-Type-Options URL http://www.bb.com.br/docs/css/grupoCAbas.css?v=1.1 Method GET Parameter X-Content-Type-Options URL http://www.bb.com.br/docs/img/v5/btLogo1.gif Method GET Parameter X-Content-Type-Options URL http://www.bb.com.br/portalbb/page3,7932,7949,0,0,1,0.bb?bread=1_1&codigoMenu=3490&codigoRet=3508 Method GET Parameter X-Content-Type-Options URL http://www.bb.com.br/docs/pub/atend/toquio/dwn/NetprMaintPT.pdf Method GET Parameter X-Content-Type-Options URL http://www.bb.com.br/pbb/s001t006p002,500965,502412,8,1,1,2.bb Method GET Parameter X-Content-Type-Options URL http://www.bb.com.br/portalbb/page3,7932,3678,22,0,1,8.bb Method GET Parameter X-Content-Type-Options URL http://www.bb.com.br/docs/css/ac/layoutsFonte12.css Method GET Parameter X-Content-Type-Options URL http://www.bb.com.br/docs/css/ac/layoutHomeFlex.css?1 Method GET Parameter X-Content-Type-Options URL http://www.bb.com.br/docs/home/inst/img/dot.gif Method GET Parameter X-Content-Type-Options Instances 113 Solution Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages. If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing. Other information This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scanner will not alert on client or server error responses. Reference http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx https://www.owasp.org/index.php/List_of_useful_HTTP_headers CWE Id 16 WASC Id 15 Source ID 3 7 Web Browser XSS Protection Not Enabled Description Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server URL http://www.bb.com.br/portalbb/page4,8305,3912,0,0,1,6.bb?codigoMenu=15217&codigoNoticia=28458 Method GET Parameter X-XSS-Protection URL http://www.bb.com.br/portalbb/home1,7490 Method GET Parameter X-XSS-Protection URL http://www.bb.com.br/portalbb/page3,7932,7952,0,0,1,0.bb?bread=1_4&codigoMenu=3490&codigoRet=3512 Method GET Parameter X-XSS-Protection URL http://www.bb.com.br/portalbb/home1,8305,8305,0,0,1,6.bb?dv=1 Method GET Parameter X-XSS-Protection URL http://www.bb.com.br/portalbb/page100,8305,19205,0,0,1,6.bb?codigoMenu=15368&codigoNoticia=28840 Method GET Parameter X-XSS-Protection URL http://www.bb.com.br/portalbb/home29,8305,8305,0,0,1,6.bb Method GET Parameter X-XSS-Protection URL http://www.bb.com.br/pbb/pagina-inicial/estilo Method GET Parameter X-XSS-Protection URL http://www.bb.com.br/portalbb/page100,8305,4911,0,0,1,6.bb?codigoMenu=15244&codigoNoticia=28839 Method GET Parameter X-XSS-Protection URL http://www.bb.com.br/portalbb/jsp/eng/index.jsp Method GET Parameter X-XSS-Protection URL http://www.bb.com.br/portalbb/page3,7932,7949,0,0,1,0.bb?bread=1_1&codigoMenu=3490&codigoRet=3508 Method GET Parameter X-XSS-Protection URL http://www.bb.com.br/pbb/pagina-inicial/atendimento Method GET Parameter X-XSS-Protection URL http://www.bb.com.br/ Method GET Parameter X-XSS-Protection URL http://www.bb.com.br/portalbb/page3,7932,7951,0,0,1,0.bb?bread=1_3&codigoMenu=3490&codigoRet=3511 Method GET Parameter X-XSS-Protection URL http://www.bb.com.br/portalbb/home1,8305,8305,0,0,1,6.bb Method GET Parameter X-XSS-Protection URL http://www.bb.com.br/pbb/s001t006p002,500965,502412,8,1,1,2.bb Method GET Parameter X-XSS-Protection URL http://www.bb.com.br/portalbb/home23,10548,10548,0,0,1,5.bb Method GET Parameter X-XSS-Protection URL http://www.bb.com.br/portalbb/page3,7932,3678,22,0,1,8.bb Method POST Parameter X-XSS-Protection URL http://www.bb.com.br/pbb/ Method GET Parameter X-XSS-Protection URL http://www.bb.com.br/portalbb/page251,8305,8388,0,0,1,6.bb?codigoNoticia=31200 Method POST Parameter X-XSS-Protection URL http://www.bb.com.br/portalbb/home1,8305,8305,0,0,1,6.bb Method POST Parameter X-XSS-Protection Instances 42 Solution Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'. Other information The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length). Reference https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/ CWE Id 933 WASC Id 14 Source ID 3 8 Cross-Domain JavaScript Source File Inclusion Description The page includes one or more script files from a third-party domain. URL http://www.bb.com.br/portalbb/page3,7932,7949,0,0,1,0.bb?bread=1_1&codigoMenu=3490&codigoRet=3508 Method GET Parameter http://www57.bb.com.br/eni/APPS/arquivos/id.js Evidence <script type="text/javascript" src="http://www57.bb.com.br/eni/APPS/arquivos/id.js"></script> URL http://www.bb.com.br/portalbb/page4,8305,8388,0,0,1,6.bb?codigoMenu=15245&codigoNoticia=28842 Method GET Parameter http://www57.bb.com.br/eni/APPS/arquivos/id.js Evidence <script type="text/javascript" src="http://www57.bb.com.br/eni/APPS/arquivos/id.js"></script> URL http://www.bb.com.br/portalbb/page3,7932,7948,22,0,1,8.bb?bread=1&codigoMenu=3490&codigoNoticia=4246&codigoRet=3494 Method GET Parameter http://www57.bb.com.br/eni/APPS/arquivos/id.js Evidence <script type="text/javascript" src="http://www57.bb.com.br/eni/APPS/arquivos/id.js"></script> URL http://www.bb.com.br/portalbb/home1,8305,8305,0,0,1,6.bb Method POST Parameter http://www57.bb.com.br/eni/APPS/arquivos/id.js Evidence <script type="text/javascript" src="http://www57.bb.com.br/eni/APPS/arquivos/id.js"></script> URL http://www.bb.com.br/portalbb/home16,500355,500355,21,0,1,1.bb Method GET Parameter http://www57.bb.com.br/eni/APPS/arquivos/id.js Evidence <script type="text/javascript" src="http://www57.bb.com.br/eni/APPS/arquivos/id.js"></script> URL http://www.bb.com.br/portalbb/page3,7932,7951,0,0,1,0.bb?bread=1_3&codigoMenu=3490&codigoRet=3511 Method GET Parameter http://www57.bb.com.br/eni/APPS/arquivos/id.js Evidence <script type="text/javascript" src="http://www57.bb.com.br/eni/APPS/arquivos/id.js"></script> URL http://www.bb.com.br/portalbb/page251,8305,8388,0,0,1,6.bb?codigoNoticia=31200 Method POST Parameter http://www57.bb.com.br/eni/APPS/arquivos/id.js Evidence <script type="text/javascript" src="http://www57.bb.com.br/eni/APPS/arquivos/id.js"></script> URL http://www.bb.com.br/portalbb/page3,7932,3678,22,0,1,8.bb Method POST Parameter http://www57.bb.com.br/eni/APPS/arquivos/id.js Evidence <script type="text/javascript" src="http://www57.bb.com.br/eni/APPS/arquivos/id.js"></script> URL http://www.bb.com.br/portalbb/hs001003,500490,500491,1,0,1,1,80.bb Method GET Parameter http://www57.bb.com.br/eni/APPS/arquivos/id.js Evidence <script type="text/javascript" src="http://www57.bb.com.br/eni/APPS/arquivos/id.js"></script> URL http://www.bb.com.br/portalbb/page3,7932,7950,0,0,1,0.bb?bread=1_2&codigoMenu=3490&codigoRet=3510 Method GET Parameter http://www57.bb.com.br/eni/APPS/arquivos/id.js Evidence <script type="text/javascript" src="http://www57.bb.com.br/eni/APPS/arquivos/id.js"></script> URL http://www.bb.com.br/portalbb/page3,7932,7953,0,0,1,0.bb?bread=1_5&codigoMenu=3490&codigoRet=3513 Method GET Parameter http://www57.bb.com.br/eni/APPS/arquivos/id.js Evidence <script type="text/javascript" src="http://www57.bb.com.br/eni/APPS/arquivos/id.js"></script> URL http://www.bb.com.br/portalbb/page100,8305,4911,0,0,1,6.bb?codigoMenu=15244&codigoNoticia=28839 Method GET Parameter http://www57.bb.com.br/eni/APPS/arquivos/id.js Evidence <script type="text/javascript" src="http://www57.bb.com.br/eni/APPS/arquivos/id.js"></script> URL http://www.bb.com.br/portalbb/home1,8305,8305,0,0,1,6.bb Method GET Parameter http://www57.bb.com.br/eni/APPS/arquivos/id.js Evidence <script type="text/javascript" src="http://www57.bb.com.br/eni/APPS/arquivos/id.js"></script> URL http://www.bb.com.br/portalbb/home1,8305,8305,0,0,1,6.bb?dv=1 Method GET Parameter http://www57.bb.com.br/eni/APPS/arquivos/id.js Evidence <script type="text/javascript" src="http://www57.bb.com.br/eni/APPS/arquivos/id.js"></script> URL http://www.bb.com.br/portalbb/page4,8305,3912,0,0,1,6.bb?codigoMenu=15217&codigoNoticia=28458 Method GET Parameter http://www57.bb.com.br/eni/APPS/arquivos/id.js Evidence <script type="text/javascript" src="http://www57.bb.com.br/eni/APPS/arquivos/id.js"></script> URL http://www.bb.com.br/portalbb/page3,7932,7952,0,0,1,0.bb?bread=1_4&codigoMenu=3490&codigoRet=3512 Method GET Parameter http://www57.bb.com.br/eni/APPS/arquivos/id.js Evidence <script type="text/javascript" src="http://www57.bb.com.br/eni/APPS/arquivos/id.js"></script> URL http://www.bb.com.br/portalbb/page100,8305,19205,0,0,1,6.bb?codigoMenu=15368&codigoNoticia=28840 Method GET Parameter http://www57.bb.com.br/eni/APPS/arquivos/id.js Evidence <script type="text/javascript" src="http://www57.bb.com.br/eni/APPS/arquivos/id.js"></script> URL http://www.bb.com.br/portalbb/home29,8305,8305,0,0,1,6.bb Method GET Parameter http://www57.bb.com.br/eni/APPS/arquivos/id.js Evidence <script type="text/javascript" src="http://www57.bb.com.br/eni/APPS/arquivos/id.js"></script> URL http://www.bb.com.br/portalbb/page3,7932,3678,22,0,1,8.bb Method GET Parameter http://www57.bb.com.br/eni/APPS/arquivos/id.js Evidence <script type="text/javascript" src="http://www57.bb.com.br/eni/APPS/arquivos/id.js"></script> URL http://www.bb.com.br/portalbb/home16,500355,500355,21,0,1,1.bb?dv=1 Method GET Parameter http://www57.bb.com.br/eni/APPS/arquivos/id.js Evidence <script type="text/javascript" src="http://www57.bb.com.br/eni/APPS/arquivos/id.js"></script> Instances 21 Solution Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application. Reference CWE Id 829 WASC Id 15 Source ID 3 9 Great Redirection detected (potential disclosure of sensitive information) Description The server has responded with a redirect that seems to provide a large response. This could indicate that although the server sent a redirect, it also responded with content (which could contain sensitive details, PII, etc.) URL http://www.bb.com.br/mpo Method GET URL http://www.bb.com.br/bbjovem Method GET URL http://www.bb.com.br/empreendedor Method GET URL http://www.bb.com.br/seguranca Method GET URL http://www.bb.com.br/acoes Method GET URL http://www.bb.com.br/acessoainformacao Method GET URL http://www.bb.com.br/aguabrasil Method GET URL http://www.bb.com.br/patrocinios Method GET Instances 8 ---------- Solution ---------- Make sure that no sensitive information is disclosed through redirected responses. Re-addressed responses should have very little content. -------------------- Other information --------------------- Ubicación de longitud encabezado URI: 95 [http://www.bb.com.br/portalbb/page47,108,7514,8,0,1,2.bb?codigoMenu=113&codigoRet=15940&bread=7]. Tamaño predecido de respuesta: 395. Longitud de cuerpo de respuesta: 719. Reference [cadena vacía] CWE Id 201 WASC Id 13 Source ID 3 10 The content security policy (CSP) header has not been established Description Content security policy (CSP) is an added layer of security that helps detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or malware distribution. CSP provides a set of standard HTTP headers that allow website owners to declare approved content sources that browsers should allow to load on their page - cover types are JavaScript, CSS, HTML frames, fonts, images, and embeddable objects such as applets of Java, ActiveX, audio and video files. URL http://www.bb.com.br/portalbb/home23,110,110,11,0,1,3.bb Method GET URL http://www.bb.com.br/portalbb/home16,500355,500355,21,0,1,1.bb?dv=1 Method GET URL http://www.bb.com.br/pbb/ Method GET URL http://www.bb.com.br/portalbb/page251,8305,8388,0,0,1,6.bb?codigoNoticia=31200 Method GET URL http://www.bb.com.br/pbb/pagina-inicial/cooperativas Method GET URL http://www.bb.com.br/pbb/pagina-inicial/empresarial Method GET URL http://www.bb.com.br/portalbb/home16,500355,500355,21,0,1,1.bb Method GET URL http://www.bb.com.br/portalbb/home23,111,111,13,0,1,3.bb Method GET URL http://www.bb.com.br/pbb/pagina-inicial/corporate Method GET URL http://www.bb.com.br/pbb/pagina-inicial/empresas Method GET URL http://www.bb.com.br/portalbb/page3,7932,7953,0,0,1,0.bb?bread=1_5&codigoMenu=3490&codigoRet=3513 Method GET URL http://www.bb.com.br/portalbb/home29,8623,8623,1,0,1,1.bb Method GET URL http://www.bb.com.br/portalbb/page3,7932,7948,22,0,1,8.bb?bread=1&codigoMenu=3490&codigoNoticia=4246&codigoRet=3494 Method GET URL http://www.bb.com.br/portalbb/page22,101,2292,0,0,1,1.bb?codigoMenu=225&codigoNoticia=31640 Method GET URL http://www.bb.com.br/docs/pub/emp/empl/dwn/ManualComelet.pdf Method GET URL http://www.bb.com.br/portalbb/home29,112,112,15,0,1,3.bb Method GET URL http://www.bb.com.br/portalbb/page3,7932,3678,22,0,1,8.bb Method POST URL http://www.bb.com.br/pbb/s001t006p002,500965,502412,8,1,1,2.bb Method GET URL http://www.bb.com.br/ Method GET URL http://www.bb.com.br/portalbb/home29,113,113,14,0,1,3.bb Method GET Instances 50 ---------- Solution ----------- Make sure your web server, application server, load balancer, etc. is configured to set the strict security policy header, to achieve optimal browser support: "Content Security Policy for Chrome 25+, Firefox 23+ and Safari 7+, "Content Security Policy X" for Firefox 4.0 + and Internet Explorer 10+, and "X-Webkit-CSP" for Chrome 14+ and Safari 6+. Reference https://developer.mozilla.org/en-US/docs/Web/Security/CSP /Introducing_Content_Security_Policy https://www.owasp.org/index.php/Content_Security_Policy http://www.w3.org/TR/CSP/ http://w3c.github.io/webappsec/specs/ Content-Security-Policy/CSP-Specification.dev.html http://www.html5rocks.com/en/tutorials/security/content-security-policy/ http://caniuse.com/#feat=contentsecuritypolicy http://content-security-policy.com/ CWE Id 16 WASC Id 15 Source ID 3 11 Hash Divulgation - MD4 / MD5 Description A hash has been disclosed by the web server - MD4 / MD5 URL http://www.bb.com.br/pbb/app/docs/comum/images/structure/header/icon/apple-icon-144x144.png Method GET Evidence b356098659224bee23df80a1098ddb2a URL http://www.bb.com.br/pbb/app/docs/comum/images/structure/header/icon/apple-icon-57x57.png Method GET Evidence b356098659224bee23df80a1098ddb2a URL http://www.bb.com.br/pbb/app/docs/comum/images/structure/header/icon/apple-icon-114x114.png Method GET Evidence b356098659224bee23df80a1098ddb2a URL http://www.bb.com.br/pbb/app/docs/comum/images/structure/header/icon/favicon-32x32.png Method GET Evidence b356098659224bee23df80a1098ddb2a URL http://www.bb.com.br/pbb/app/docs/comum/images/structure/header/icon/apple-icon-72x72.png Method GET Evidence b356098659224bee23df80a1098ddb2a URL http://www.bb.com.br/docs/pub/atend/toquio/dwn/NetprMaintPT.pdf Method GET Evidence A253144FF8221247918F5D43147DEBB2 URL http://www.bb.com.br/pbb/app/docs/comum/images/structure/header/icon/apple-icon-152x152.png Method GET Evidence b356098659224bee23df80a1098ddb2a URL http://www.bb.com.br/pbb/app/docs/comum/images/structure/header/icon/apple-icon-180x180.png Method GET Evidence b356098659224bee23df80a1098ddb2a URL http://www.bb.com.br/pbb/app/docs/comum/images/structure/header/icon/apple-icon-60x60.png Method GET Evidence b356098659224bee23df80a1098ddb2a URL http://www.bb.com.br/docs/pub/atend/toquio/dwn/NetprMaintPT.pdf Method GET Evidence 4705796A0ACA3D4EB70EF22908773587 URL http://www.bb.com.br/pbb/app/docs/comum/images/structure/header/icon/apple-icon-120x120.png Method GET Evidence b356098659224bee23df80a1098ddb2a URL http://www.bb.com.br/pbb/app/docs/comum/images/structure/header/icon/apple-icon-76x76.png Method GET Evidence b356098659224bee23df80a1098ddb2a Instances 12 Solution Asegúrese que los hashes que son usados para proteger credenciales u otros recursos no están infiltrados por el servidor web o la base de datos. Típicamente no hay ningún requisito para contraseñas de hashes para ser accesibles para el navegador web. Other information b356098659224bee23df80a1098ddb2a Reference https://www.Owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure http://projects.webappsec.org/w/page/13246936/Information%20Leakage http://openwall.info/wiki/john/sample-hashes CWE Id 200 WASC Id 13 Source ID 12 Storable and cacheable content Description The response contents are storable by cacheable components such as proxy servers, and could be obtained directly from the cache, rather than from the origin server by caching services, in response to similar requests from other users. If the response data is sensitive, personal or specific to a user, this could result in the disclosure of sensitive information. In some cases, this could even result in a user gaining complete control of another user's session, depending on the configuration of caching components in use in their environments. This is primarily a problem where shared cache servers '' '' '' '' such as caches '' '' proxy '' '' are configured in the local network. This configuration is typically found in educational or corporate environments URL http://www.bb.com.br/portalbb/img.ImgWriter?codigo=29759&origem=CCI Method GET Evidence Wed, 22 May 2019 17:14:24 GMT URL http://www.bb.com.br/docs/img/btMaisPublicos.png Method GET URL http://www.bb.com.br/portalbb/img.ImgWriter?codigo=29756&origem=CCI Method GET Evidence Wed, 22 May 2019 17:14:24 GMT URL http://www.bb.com.br/docs/img/v5/imgCantoMenuDir.png Method GET URL http://www.bb.com.br/docs/img/v5/dot.gif Method GET URL http://www.bb.com.br/docs/img/v5/btToken.png Method GET URL http://www.bb.com.br/pbb/app/docs/comum/images/structure/header/icon/favicon-32x32.png Method GET URL http://www.bb.com.br/docs/img/v5/imgAumentaFonte.png Method GET URL http://www.bb.com.br/docs/img/v5/dhtmlMcBordaBottom.png Method GET URL http://www.bb.com.br/portalbb/page100,8305,4911,0,0,1,6.bb?codigoMenu=15244&codigoNoticia=28839 Method GET URL http://www.bb.com.br/docs/css/ac/layoutHome1.css?1 Method GET URL http://www.bb.com.br/portalbb/jsp/eng/index.jsp Method GET URL http://www.bb.com.br/docs/img/btLogo1.gif Method GET URL http://www.bb.com.br/docs/pub/atend/toquio/dwn/tela2red2.gif Method GET URL http://www.bb.com.br/docs/img/v5/imgDiminuiFonte.png Method GET URL http://www.bb.com.br/portalbb/hs001003,500490,500491,1,0,1,1,80.bb Method GET URL http://www.bb.com.br/docs/css/ac/cssSP22.css Method GET URL http://www.bb.com.br/docs/pub/inst/img/tela6red.gif Method GET URL http://www.bb.com.br/pbb/app/docs/comum/images/structure/header/icon/apple-icon-152x152.png Method GET URL http://www.bb.com.br/pbb/app/docs/s001/stylesheets/style.css?v=201804051 Method GET Instances 117 Solution Validate that the response does not contain sensitive, personal or specific information of a user. IF you do so, consider using the following HTTP response headers, to limit, or prevent content being stored and retrieved from the cache by another user: Control-Caché: no-cache, no-store, must-revalidate, private Pragma: no-cache Expires: 0 This configuration directs both HTTP 1.0 and HTTP 1.1 compatible cache servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. Reference https://Tools.ietf.org/html/rfc7234 https://tools.ietf.org/html/rfc7231 http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html (sustituido por rfc7234) CWE Id 524 WASC Id 13 Source ID 3 13 Non-storable content Description The response contents are not storable from cache contents such as proxy servers. If the answe r does not contain sensitive, personal, or specific information of a user, it could benefit from being stored and cached, to improve performance. RL http://www.bb.com.br/acoes Method GET Evidence 302 URL http://www.bb.com.br/patrocinios Method GET Evidence 302 URL http://www.bb.com.br/pbb/pagina-inicial/estilo Method GET Evidence no-store URL http://www.bb.com.br/pbb/s001t006p002,500965,502412,8,1,1,2.bb Method GET Evidence no-store URL http://www.bb.com.br/aguabrasil Method GET Evidence 302 URL http://www.bb.com.br/pbb/pagina-inicial/empresas Method GET Evidence no-store URL http://www.bb.com.br/pbb/pagina-inicial/corporate Method GET Evidence no-store URL http://www.bb.com.br/pbb Method GET Evidence 302 URL http://www.bb.com.br/bbjovem Method GET Evidence 302 URL http://www.bb.com.br/mpo Method GET Evidence 302 URL http://www.bb.com.br/empreendedor Method GET Evidence 302 URL http://www.bb.com.br/pbb/pagina-inicial/atendimento Method GET Evidence no-store URL http://www.bb.com.br/acessoainformacao Method GET Evidence 302 URL http://www.bb.com.br/seguranca Method GET Evidence 302 URL http://www.bb.com.br/pbb/pagina-inicial/cooperativas Method GET Evidence no-store URL http://www.bb.com.br/pbb/pagina-inicial/empresarial Method GET Evidence no-store URL http://www.bb.com.br/pbb/pagina-inicial/private Method GET Evidence no-store URL http://www.bb.com.br/pbb/pagina-inicial/voce Method GET Evidence no-store Instances 18 Solution The content could be marked as storable by ensuring that the following conditions are met: The request method must be understood by the cache and defined as cacheable ('' '' GET '' '', '' "HEAD '' '', and '' '' POST '' '' are currently defined as cacheable) The response status code must be understood by the cache (one of the 1XX, 2XX, 3XX, 4XX or 5XX types of responses are generally understood) The cache directive '' '' no-store '' '' should not appear in the request or response header fields For caching using "shared" caches as "proxy" caches, the "private" response directive should not appear in the response For caching by "'' shared '' '' caches as '' '' 'proxy' '' 'caches, the header field' ' 'Authorization' '' should not appear in the request, except that the response explicitly allow it (using one of the "must-revalidate" '' ',' '' '' 'public' '' 'or' '' 's-maxage' ' 'control-control directives-cache) In addition to the conditions above , at least one of the following conditions must also be met by the response: Must contain a header field "Expires" Must contain a "max-age" response directive For shared caches' '' '' '' '' such as caches' '' 'proxy' '' ', must contain a response directive' '' '' 's-maxage' '' ' Must contain a '' '' Cache control extention '' '' that allows it to be cached It must have a status code that is defined as cacheable by default (200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501). Reference https://Tools.ietf.org/html/rfc7234 https://tools.ietf.org/html/rfc7231 http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html (sustituido por rfc7234) CWE Id 524 WASC Id 13 Source ID 3 14 information Disclosure - Suspicious Comments Description The response appears to contain suspicious comments which may help an attacker URL http://www.bb.com.br/portalbb/home16,500355,500355,21,0,1,1.bb?dv=1 Method GET URL http://www.bb.com.br/portalbb/home1,8305,8305,0,0,1,6.bb Method GET URL http://www.bb.com.br/portalbb/home16,500355,500355,21,0,1,1.bb Method GET URL http://www.bb.com.br/docs/sitesp/sustentabilidade/hotsite_Internet.html Method GET URL http://www.bb.com.br/portalbb/page3,7932,7950,0,0,1,0.bb?bread=1_2&codigoMenu=3490&codigoRet=3510 Method GET URL http://www.bb.com.br/portalbb/page3,7932,3678,22,0,1,8.bb Method POST URL http://www.bb.com.br/portalbb/page3,7932,3678,22,0,1,8.bb Method GET URL http://www.bb.com.br/portalbb/page251,8305,8388,0,0,1,6.bb?codigoNoticia=31200 Method GET URL http://www.bb.com.br/portalbb/home1,8305,8305,0,0,1,6.bb Method POST URL http://www.bb.com.br/portalbb/hs001003,500490,500491,1,0,1,1,80.bb Method GET URL http://www.bb.com.br/portalbb/home1,7490 Method GET URL http://www.bb.com.br/portalbb/page100,8305,4911,0,0,1,6.bb?codigoMenu=15244&codigoNoticia=28839 Method GET URL http://www.bb.com.br/portalbb/page100,8305,19205,0,0,1,6.bb?codigoMenu=15368&codigoNoticia=28840 Method GET URL http://www.bb.com.br/portalbb/page3,7932,7952,0,0,1,0.bb?bread=1_4&codigoMenu=3490&codigoRet=3512 Method GET URL http://www.bb.com.br/portalbb/page3,7932,7951,0,0,1,0.bb?bread=1_3&codigoMenu=3490&codigoRet=3511 Method GET URL http://www.bb.com.br/portalbb/http:/www.bb.com.br/pbb/pagina-inicial/atendimento Method GET URL http://www.bb.com.br/portalbb/page251,8305,8388,0,0,1,6.bb?codigoNoticia=31200 Method POST URL http://www.bb.com.br/portalbb/page4,8305,8388,0,0,1,6.bb?codigoMenu=15245&codigoNoticia=28842 Method GET URL http://www.bb.com.br/portalbb/page4,8305,3912,0,0,1,6.bb?codigoMenu=15217&codigoNoticia=28458 Method GET URL http://www.bb.com.br/portalbb/page3,7932,7949,0,0,1,0.bb?bread=1_1&codigoMenu=3490&codigoRet=3508 Method GET Instances 24 Solution Remove all comments that return information that may help an attacker and fix any underlying problems they refer to. Other information <script type="text/javascript"> //var urlDominio = top.location.href; //var urlDominio = (window.location != window.parent.location) ? document.referrer: document.location +""; var isIFrame = false; if (window!=window.top) { isIFrame = true }else{ isIFrame = false; } //if(urlDominio.indexOf("bancodobrasilseguridade") != -1){ if(isIFrame){ $(function(){ $('a').each(function() { if($(this).attr('href') === undefined){ }else{ var urlRec = $(this).attr('href'); if( urlRec.indexOf("javascript") == -1 && urlRec.indexOf("?codigoMenu=40031") == -1 && urlRec != "" && urlRec != "#" ){ if($(this).attr('href') != null && $(this).attr('href') != ''){ var newHref = $(this).attr('href'); $(this).attr("realHref", newHref); //$(this).attr('href', "http://www.bancodobrasilseguridade.com.br"); $(this).attr('href', "http://"); }else{ $(this).attr('href', "http://"); //$(this).attr('href', "https://www.bancodobrasilseguridade.com.br"); var newHref = $(this).attr('href'); $(this).attr("realHref", newHref); } $(this).click(function(){ url = $(this).attr("realHref"); //parent.document.getElementById("urlId").innerHtml = $(this).attr("realHref"); if( url.indexOf("/appbb/portal/") == -1 && url.indexOf("javascript:abreVDHTML(") == -1 && url.indexOf("javascript:escondeCampos(") == -1 && url.indexOf("javascript:history.back(") == -1 && url.indexOf("bancodobrasil.") == -1 && url.indexOf("bancobrasil.") == -1 && url.indexOf("/docs/") == -1 && url.indexOf("/portalbb/") == -1 && url.indexOf("prevMonth()") == -1 && url.indexOf("nextMonth()") == -1 && url.indexOf("mudaFontediv(") == -1 && url.indexOf("posicaoRodape(") == -1 && url.indexOf("bb.com.br") == -1 && url.indexOf("setActiveStyleSheet(") == -1 && url.indexOf("selectDate(") == -1 && url.indexOf("determinaNichos(") == -1 && url.indexOf("bancodobrasilseguridade") == -1 && url.indexOf("/page") == -1 && url.indexOf("/home") == -1 && url.indexOf("page") == -1 && url.indexOf("MudaGrafico(") == -1 && url != "#" && url.indexOf("TrocaAba(") == -1 && url.indexOf("prnweswire") == -1 && url.indexOf("investimentos-e") == -1 && url.indexOf("bbprevidencia") == -1 && url. indexOf("licitações-e") == -1 && url.indexOf("agronegocios-e") == -1 && url.indexOf("climatempo") == -1 && url.indexOf("cma") == -1 && url.indexOf("fbb") == -1 && url.indexOf("simuladorimobiliario") == -1 && url.indexOf("bbsegurosaude") == -1 && url.indexOf ("brasilveiculos") == -1 && url.indexOf("aliancadobrasil") == -1 && url.indexOf("www.visa.com.br") == -1 && url.indexOf("mastecard") == -1 && url.indexOf("mz-ir") == -1 && url.indexOf("sitenet.serasa") == -1 && url.indexOf("brasilprev") == -1 && url.indexOf("promocaoourocardecielo") == -1 && url.indexOf ("www.mediagroup.com.br/testes/bb_page_flip/port/") == -1 && url.indexOf("www.eufacoacontecer.com.br") == -1 && url.indexOf("http://www.migre.me") == -1 && url.indexOf("http://www.twixar.com") == -1 && url.indexOf("https://livepass.showare.com.br/") == -1 && url.indexOf("http://www.comprapremiadaourocard.com.br/") == -1 && url.indexOf ("http://www.br.com.br/wps/portal/portalconteudo/produtos/cart") == -1 && url.indexOf("https://www.licitacoes-e.com.br/aop/index.jsp") == -1 && url.indexOf ("https://b2c.bbtur.com.br/") == -1 && url.indexOf("http://www.iti.gov.br/") == -1 && url.indexOf ("http://www.blogaguabrasil.com.br/") == -1 && url.indexOf("http://www.prepax.com.br/cbssprepax/bb") == -1 && url.indexOf("home") == -1 && url.indexOf("http://b2c.bbtur.com.br/") == -1 && url.indexOf ("http://www.bancodobrasilseguridade.com.br/") == -1 && url.indexOf("brasilcap") == -1 && url.indexOf ("bancodobrasilseguridade") == -1 && url.indexOf("wittel") == -1 && url.indexOf("Comprapremiada") == -1 && url.indexOf("Prepax") == -1 && url.indexOf("BBCOVERS") == -1 && url.indexOf("admin bb205anos") == -1 && url .indexOf("executantecompe") == -1 && url.indexOf("executante") == -1 && url.indexOf ("compeexecutante") == -1 && url.indexOf("compexecutante") == -1 && url.indexOf("bbjovem") == -1 && url.indexOf("momentohistoricoourocard") == -1 && url.indexOf("bbcovers") == -1 && url.indexOf("Lei 4.595, de 31 de dezembro de 1964") == -1 && url.indexOf("Lei 7.357, de 02 de setembro de 1985") == -1 && url.indexOf ("Lei 7.783, de 28 de junho de 1989") == -1 && url.indexOf("Lei 10.214, de 27 de março de 2001") == -1 && url.indexOf("http://www.bcb.gov.br/") == -1 && url.indexOf("http://www.planalto.gov.br/") == -1 && url.indexOf("http://www.fgc.org.br/") == -1 && url.indexOf("http://www.febraban.org.br/") == -1 && url.indexOf("bbseguranca") == -1 && url.indexOf("google-analytics") == -1 && url.indexOf("https://www.facebook.com/BBnosEsportes") == -1 && url.indexOf("https://twitter.com/bbnosesportes") == -1 && url.indexOf("https://instagram.com/bbnosesportes") == -1 && url.indexOf("https://www.youtube.com/watch?v=I5jp-2NqYos") == -1 && url.indexOf("http://www.pontoslivelo.com.br") == -1 && url.indexOf ("http://www.bbdigital.com.br/") == -1 && url.indexOf("http://www.bbcode.com.br/") == -1 && url.indexOf("https://mobi.bb.com.br/lj") == -1 && url. indexOf("https://www.youtube.com/watch?v=0k1mhDsifPw") == -1 && url.indexOf("http://www.bbdigital.com.br") == -1 && url.indexOf("https://www.facebook.com/bancodobrasil") == -1 && url.indexOf("https://twitter.com/bancodobrasil") == -1 && url.indexOf ("https://www.youtube.com/user/bancodobrasil") == -1 && url.indexOf("https://instagram.com/bancodobrasil") == -1 && url.indexOf("https://www.bbprevidencia.com.br/linkExterno/empresalimpa") == -1 && url.indexOf("https://www.pensefuturo.com.br") == -1 && url.indexOf("https://www.previc.gov.br/") == -1 && url.indexOf("https://www.bbprevidencia.com.br/acessorestrito") == -1 && url.indexOf ("http://bbsimplifica.com.br/franquia") == -1 && url.indexOf("http://bbsimplifica.com.br/empreendedor-individual") == -1 && url.indexOf("http://www.pontoslivelo.com.br/livelo/alivelo") == -1 && url.indexOf ("https://www.avianca.com.br/") == -1 && url.indexOf("https://www.pontosmultiplus.com.br/promo/diadoconsumidor") == -1 && url.indexOf("http://www.smiles.com.br/bancos/bb60") == -1 && url.indexOf ("http://bbsimplifica.com.br/") == -1 && url.indexOf("http://www.bbsimplifica.com.br/") == -1 && url.indexOf ("http://www.bbestilodigital.com.br/") == -1 && url.indexOf("http://www.bbseguridaderi.com.br/pt") == -1 && url.indexOf("http://www.bbseguridaderi.com.br") == -1 && url.indexOf("http://www.bbseguridaderi.com.br/en") == -1 && url.indexOf("https://www.youtube.com/watch?v=x18LA3O_WY4&feature=youtu.be") == -1 && url.indexOf("http://www.ethicsdeloitte.com.br/bbseguridade") == -1 && url.indexOf("https://www.youtube.com/watch?v=qjK_KddmhDg") == -1 && url.indexOf("https://www.youtube.com/watch?v=7lhPOByYE44") == -1 && url.indexOf("https://www.youtube.com/watch?v=U_rvYpunNKk") == -1 && url.indexOf("https://www.youtube.com/watch?v=nNupfhvcVPY") == -1 && url.indexOf("https://youtu.be/tl0YL0DQNJc") == -1 && url.indexOf ("https://www.youtube.com/watch?v=dKRsPjHlYrg") == -1 && url.indexOf("https://www.youtube.com/watch?v=treGUO4qThQ") == -1 && url.indexOf("https://www.youtube.com/watch?v=N4vi2i98c4g") == -1 && url.indexOf ("http://promocoesleclub.com.br/bb/") == -1 && url.indexOf("http://www.flytap.com/ptpt/victoria/promocoes") == -1 && url.indexOf("http://www.smiles.com.br/bancos/bonusbb") == -1 && url.indexOf ("https://www.youtube.com/watch?v=wunN2LQ1dXY&feature=youtu.be") == -1 && url.indexOf("http://www.bbseguros.com.br") == -1 && url.indexOf("https://www.linkedin.com/company-beta/162626/") == -1 && url.indexOf("https://www.linkedin.com/company-beta/162626/") == -1 && url.indexOf ("https://www.youtube.com/watch?v=wunN2LQ1dXY&featur") == -1 && url.indexOf ("https://www.bbseguros.com.br/seguradora/para- voce/seguro-aut") == -1 && url.indexOf("https://www.bbseguros.com.br/seguradora/ servicos/sinistro/si") == -1 && url.indexOf("https://www.bbseguros.com.br/seguradora/atendimento/atendime") == -1 && url.indexOf("https://www.bbseguros.com.br/seguradora/servicos/sinistro/si") == -1 && url.indexOf("https://www.bbseguros.com.br/seguradora/para-voce/seguro-mot") == -1 && url.indexOf ("https://www.bbseguros.com.br/seguradora/atendimento/atendime") == -1 && url.indexOf("https://www.bbseguros.com.br/seguradora/para-voce/seguro-mot") == -1 && url.indexOf ("https://www.bbseguros.com.br/seguradora/servicos/sinistro/si") == -1 && url.indexOf("https://www.bbseguros.com.br/seguradora/para-voce/seguro-mot") == -1 && url.indexOf ("http://www3.bbseguroauto.com.br/services/DocumentManagement/") == -1 && url.indexOf("https://www.bbseguros.com.br/seguradora/servicos/sinistro/de") == -1 && url.indexOf ("https://www.bbseguros.com.br/seguradora/servicos/sinistro/de") == -1 && url.indexOf("https://www.bbseguros.com.br/seguradora/servicos/sinistro/de") == -1 && url.indexOf ("http://www3.bbseguroauto.com.br/issuu/CondicoesGeraisProduto") == -1 && url.indexOf("https://sitenet37.serasa.com.br/am3cartaobb/parceiro/4A34E8C") == -1 && url.indexOf ("http://www.circuitobancodobrasil.com.br") == -1 && url.indexOf ("https://www.ourocardeshow.com.br/") == -1 && url.indexOf ("https://www.youtube.com/watch?v=qbB-Hj0aj_E") == -1 && url.indexOf ("http://www.smiles.com.br/") == -1 && url.indexOf ("https://guiabbimovel.labbs.com.br/?pk_campaign=98&pk_kwd=MRV") == -1 && url.indexOf("https://guiabbimovel.labbs.com.br/?pk_campaign=75&pk_kwd=MRV") == -1 && url.indexOf("https://guiabbimovel.labbs.com.br/?pk_campaign=89&pk_kwd=MRV") == -1 && url.indexOf("https://guiabbimovel.labbs.com.br/?pk_campaign=112&pk_kwd=MR") == -1 && url.indexOf ("https://guiabbimovel.labbs.com.br/?pk_campaign=77&pk_kwd=MRV") == -1 && url.indexOf ("https://guiabbimovel.labbs.com.br/?pk_campaign=86&pk_kwd=MRV") == -1 && url.indexOf ("https://guiabbimovel.labbs.com.br/?pk_campaign=90&pk_kwd=MRV") == -1 && url.indexOf ("https://guiabbimovel.labbs.com.br/?pk_campaign=108&pk_kwd=MR") == -1 && url.indexOf ("https://guiabbimovel.labbs.com.br/?pk_campaign=82&pk_kwd=MRV") == -1 && url.indexOf ("https://guiabbimovel.labbs.com.br/?pk_campaign=87&pk_kwd=MRV") == -1 && url.indexOf ("https://guiabbimovel.labbs.com.br/?pk_campaign=76&pk_kwd=MRV") == -1 && url.indexOf ("https://guiabbimovel.labbs.com.br/?pk_campaign=85&pk_kwd=MRV") == -1 && url.indexOf ("https://guiabbimovel.labbs.com.br/?pk_campaign=119&pk_kwd=MR") == -1 && url.indexOf ("https://guiabbimovel.labbs.com.br/?pk_campaign=91&pk_kwd=MRV") == -1 && url.indexOf ("https://guiabbimovel.labbs.com.br/?pk_campaign=106&pk_kwd=MR") == -1 && url.indexOf ("https://guiabbimovel.labbs.com.br/?pk_campaign=72&pk_kwd=MRV") == -1 && url.indexOf ("https://www.youtube.com/watch? v=wunN2LQ1dXY&feature=youtu.be") == -1 && url.indexOf("https://youtu.be/y8NAt27VPds") == -1 && url.indexOf("https://youtu.be/wunN2LQ1dXY") == -1 && url.indexOf "http://www.promocaotorcidabrasil.com.br") == -1 && url.indexOf("http://www.vitrineourocard.com.br/") == -1 && url.indexOf("https://www.cartaoelo.com.br/eloofertas/") == -1 && url.indexOf("https://www.visa.com.br") == -1 && url.indexOf ("https://www.mastercard.com.br") == -1 && url.indexOf("https://youtu.be/kqWs8fBgA0c") == -1 && url.indexOf("https://www.youtube.com/watch?v=O21ktz0Dfs4&t=0s&index=2&lis") == -1 && url.indexOf ("http://blog.bbprevidencia.com.br/") == -1 && url.indexOf("http://www.pensefuturo.com.br/") == -1 && url.indexOf("http://agrobot.labbs.com.br/") == -1 && url.indexOf ("https://www.youtube.com/bancodobrasil/supermae") == -1 && url.indexOf ("https://recompensasdigitais.com.br/") == -1 && url.indexOf ("https://www.bbseguros.com.br/seguradora/servicos/rede-benefi") == -1 && url.indexOf("https://www.bbseguros.com.br/seguradora/servicos/sinistro/") == -1 && url.indexOf("https://www.bbseguros.com.br/seguradora/atendimento/duvidas-") == -1 && url.indexOf ("https://www.bbseguros.com.br/seguradora/quem-somos/noticias/") == -1 ){ cont = url.length; for(var i=0;i<=cont;i++) { if(url.substring(i,i+1).indexOf("&") != -1){ url = url.replace("&","@"); } } //alert("vai ser popup \n :"+$(this).attr("realHref")); PopUpLinks('/portalbb/jsp/home/inst/inc/popUpLinksExt.jsp?idioma=1&end='+url,'popUp','566','482',0); url = ""; return false; }else{ //if($(this).attr("realHref") != 'https://www.bancodobrasilseguridade.com.br'){ //alert("Vou acessar >>> \n "+$(this).attr("realHref")); if($(this).attr("realHref") != ''){ document.location = $(this).attr("realHref"); return false; }else{ return false; } } }); } }//fim undef... }); }); } //Personlizações para resoluções abaixo de 1024. if(getDimencoesJanela().largura <= 1024){ pesona1024(); } </script> <script type="text/javascript" language="JavaScript"> function init2(){ if (window == window.top) { var links = document.getElementsByTagName("a"); var idioma = "1"; var uri = location.href; var temTermo = false; for(var i=0;i<links.length;i++) { if (links[i].href != ""){ url = links[i].href; if( links[i].href.indexOf("/appbb/portal/") == -1 && links[i].href.indexOf("javascript:abreVDHTML(") == -1 && links[i].href.indexOf("javascript:escondeCampos(") == -1 && links[i].href.indexOf("javascript:history.back(") == -1 && links[i].href.indexOf("bancodobrasil.") == -1 && links[i].href.indexOf("bancobrasil.") == -1 && links[i].href.indexOf("/docs/") == -1 && links[i].href.indexOf("/portalbb/") == -1 && links[i].href.indexOf("prevMonth()") == -1 && links[i].href.indexOf("nextMonth()") == -1 && links[i].href.indexOf("mudaFontediv(") == -1 && links[i].href.indexOf("posicaoRodape(") == -1 && links[i].className.indexOf("aMenuNome_12") == -1 && links[i].href.indexOf("bb.com.br") == -1 && links[i].href.indexOf("setActiveStyleSheet(") == -1 && links[i].href.indexOf("selectDate(") == -1 && links[i].href.indexOf("determinaNichos(") == -1 && links[i].href.indexOf("/page") == -1 && links[i].href.indexOf("page") == -1 && links[i].href.indexOf("/home") == -1 && links[i].href != null && links[i].href.indexOf("MudaGrafico(") == -1 && links[i].href.indexOf("TrocaAba(") == -1 && links[i].href.indexOf("prnweswire") == -1 && links[i]. href.indexOf("investimentos-e") == -1 && links[i].href.indexOf("bbprevidencia") == -1 && links[i].href.indexOf("licitações-e") == -1 && links[i].href.indexOf("agronegocios-e") == -1 && links[i].href.indexOf("climatempo") == -1 && links[i].href.indexOf("cma") == -1 && links[i] .href.indexOf("fbb") == -1 && links[i] .href.indexOf("simuladorimobiliario") == -1 && links[i] .href.indexOf("bbsegurosaude") == -1 && links[i].href.indexOf("brasilveiculos") == -1 && links[i] .href.indexOf("aliancadobrasil") == -1 && links[i].href.indexOf("www.visa.com.br") == -1 && links[i].href.indexOf("mastecard") == -1 && links[i].href.indexOf("mz-ir") == -1 && links[i] .href.indexOf("sitenet.serasa") == -1 && links[i].href.indexOf("brasilprev") == -1 && links[i] .href.indexOf("promocaoourocardecielo") == -1 && links[i].href.indexOf ("www.mediagroup.com.br/testes/bb_page_flip/port/") == -1 && links[i] .href.indexOf("www.eufacoacontecer.com.br") == -1 && links[i].href.indexOf("http://www.migre.me") == -1 && links[i].href.indexOf("http://www.twixar.com") == -1 && links[i].href.indexO f("https://livepass.showare.com.br/") == -1 && links[i].href.indexOf ("http://www.comprapremiadaourocard.com.br/") == -1 && links[i] .href.indexOf ("http://www.br.com.br/wps/portal/portalconteudo/produtos/cart") == -1 && links[i].href.indexOf ("https://www.licitacoes-e.com.br/aop/index.jsp") == -1 && links[i].href.indexOf ("https://b2c.bbtur.com.br/") == -1 && links[i].href. indexOf("http://www.iti.gov.br/") == -1 && links[i].href.indexOf ("http://www.blogaguabrasil.com.br/") == -1 && links[i].href.indexOf ("http://www.prepax.com.br/cbssprepax/bb") == -1 && links[i].href.indexOf("home") == -1 && links[i].href.indexOf("http://b2c.bbtur.com.br/") == -1 && links[i].href.indexOf ("http://www.bancodobrasilseguridade.com.br/") == -1 && links[i].href.indexOf("brasilcap") == -1 && links[i].href.indexOf("bancodobrasilseguridade") == -1 && links[i]. href.indexOf("wittel") == -1 && links[i].href.indexOf("Comprapremiada") == -1 && links[i]. href.indexOf("Prepax") == -1 && links[i].href.indexOf("BBCOVERS") == -1 && links[i].href.indexOf("admin bb205anos") == -1 && links[i] .href.indexOf("executantecompe") == -1 && links[i].href.indexOf("executante") == -1 && links[i].href.indexOf("compeexecutante") == -1 && links[i] .href.indexOf("compexecutante") == -1 && links[i].href.indexOf("bbjovem") == -1 && links[i].href.indexOf("momentohistoricoourocard") == -1 && links[i].href.indexOf("bbcovers") == -1 && links[i].href.indexOf("Lei 4.595, de 31 de dezembro de 1964") == -1 && links[i].href.indexOf ("Lei 7.357, de 02 de setembro de 1985") == -1 && links[i]. href.indexOf("Lei 7.783, de 28 de junho de 1989") == -1 && links[i] .href.indexOf("Lei 10.214, de 27 de março de 2001") == -1 && links[i] .href.indexOf("http://www.bcb.gov.br/") == -1 && links[i].href.indexOf ("http://www.planalto.gov.br/") == -1 && links[i].href.indexOf ("http://www.fgc.org.br/") == -1 && links[i].href.indexOf ("http://www.febraban.org.br/") == -1 && links[i].href.indexOf ("bbseguranca") == -1 && links[i].href.indexOf("google-analytics") == -1 && links[i].href.indexOf("https://www.facebook.com/BBnosEsportes") == -1 && links[i].href.indexOf("https://twitter.com/bbnosesportes") == -1 && links[i].href.indexOf("https://instagram.com/bbnosesportes") == -1 && links[i].href.indexOf ("https://www.youtube.com/watch?v=I5jp-2NqYos") == -1 && links[i] href.indexOf("http://www.pontoslivelo.com.br") == -1 && links[i].href.indexOf ("http://www.bbdigital.com.br/") == -1 && links[i].href.indexOf ("http://www.bbcode.com.br/") == -1 && links[i].href.indexOf( "https://mobi.bb.com.br/lj") == -1 && links[i].href.indexOf( "https://www.youtube.com/watch?v=0k1mhDsifPw") == -1 && links [i].href.indexOf("http://www.bbdigital.com.br") == -1 && links [i].href.indexOf("https://www.facebook.com/bancodobrasil") == -1 && links[i].href.indexOf("https://twitter.com/bancodobrasil") == -1 && links[i].href.indexOf("https://www.youtube.com/user/bancodobrasil" ) == -1 && links[i].href.indexOf("https://instagram.com/bancodobrasil" ) == -1 && links[i].href.indexOf ("https://www.bbprevidencia.com.br/linkExterno/empresalimpa") == -1 && links[i].href.indexOf("https://www.pensefuturo.com.br") == -1 && links[i].href.indexOf("https://www.previc.gov.br/") == -1 && links[i] .href.indexOf("https://www.bbprevidencia.com.br/acessorestrito") == -1 && links[i].href.indexOf("http://bbsimplifica.com.br/franquia") == -1 && links[i].href.indexO f("http://bbsimplifica.com.br/empreendedor-individual") == -1 && links[i].href.indexOf ("http://www.pontoslivelo.com.br/livelo/alivelo") == -1 && links[i].href.indexOf ("https://www.avianca.com.br/") == -1 && links[i]. href.indexOf("https://www.pontosmultiplus.com.br/promo/diadoconsumidor") == -1 && links[i].href.indexOf("http://www.smiles.com.br/bancos/bb60") == -1 && links[i].href.indexOf("http://bbsimplifica.com.br/") == -1 && links [i].href.indexOf("http://www.bbsimplifica.com.br/") == -1 && links[i] .href.indexOf("http://www.bbestilodigital.com.br/") == -1 && links[i] .href.indexOf("http://www.bbseguridaderi.com.br/pt") == -1 && links[i] .href.indexOf("http://www.bbseguridaderi.com.br") == -1 && links[i] .href.indexOf("http://www.bbseguridaderi.com.br/en") == -1 && links[i].href.indexOf("https://www.youtube.com/watch?v=x18LA3O_WY4&feature=youtu.be") == -1 && links[i].href.indexOf ("http://www.ethicsdeloitte.com.br/bbse