Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Google spreads XSS vuls
Posted by: Dave
Date: January 12, 2007 04:07AM

I was laughing yesterday, when I was looking for some XSS related sites on google.de.

Browsing through the SERPs for "XSS", I found about 4 sites listed (on page 3), with javascript code in the url:
http://www.google.de/search?q=xss+&hl=de&lr=&rls=GGGL,GGGL:2006-32,GGGL:de&start=20&sa=N

for example
http://de.atari.com/index.php?pg=search&search=%3Cscript%3Ealert(31337)%3C%2Fscript%3E

If you can't see the results due to Google's automatic location redirect, I got a screenshot on http://blogged-on.de/xss-check/google-findet-xss-luecken.html (German)

I think I read about that issue already on ha.ckers.org or in this forum, but I didn't see it >in the wild<, yet.

Preparing a nice google query that automatically redirects to the listed xss-vulnerable site would be no big thing, but a google URL looks more trustworthy than urls with javascript code in it.

Re: Google spreads XSS vuls
Posted by: eyeced
Date: January 12, 2007 11:27AM

http://www.google.co.uk/search?hl=en&q=inurl%3A%22alert%28%27xss%27%29%22&btnG=Search&meta=

The top result for me today was FBI.gov. Oh dear google, oh dear.
