Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Zorpia.com XSS
Posted by: Luny
Date: January 19, 2007 09:28PM

I was reading crimelibrary and came upon this story:
http://www.crimelibrary.com/news/original/0107/1702_canadian_murders.html

After noticing the girl mentioned there had a profile on zorpia.com (one social networking site i've never heard of before), I decided to test it in IE for XSS'ing.

User input for leaving comments, posting a reply in the forum, and posting a journal are vulnerable.

One attack vector:
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

The girls profile:
http://www.zorpia.com/runawaydevil


Theres probably more attack vectors out there that work but i'll let someone else find those :P

---------------
Digital footprints suck. Learn to walk on your hands.
http://www.youfucktard.com

Options: ReplyQuote
Re: Zorpia.com XSS
Posted by: id
Date: January 20, 2007 12:41AM

That's one twisted story...guess if you have two people who's IQs added together don't quite make a 100, bad shit happens.

If you think you're a vampire, werewolf or deity of any kind...don't breed, please.

-id

Options: ReplyQuote
Re: Zorpia.com XSS
Posted by: malorn
Date: January 20, 2007 03:32AM

If a friend of mine said he was a 300 year old werewolf I probably would have sent him to a psych ward.

On a lighter note, that site is riddled with XSS issues

Options: ReplyQuote
Re: Zorpia.com XSS
Posted by: SystemOfAHack
Date: January 21, 2007 05:42PM

After reading that I really didn't expect your next line to be "After noticing the girl mentioned there had a profile on zorpia.com ... I decided to test it in IE for XSS'ing". Anyway, keep it up.

Options: ReplyQuote


Sorry, only registered users may post in this forum.