Full Disclosure mailing list archives
xss problems
From: Deepan <codeshepherd () gmail com>
Date: Tue, 26 Dec 2006 15:17:23 +0800
Hi All,

The following sites have XSS problems:

1) http://chennaionline.com/search/ (the first search box)
The user input for search is later displayed in the result page. No filtering is done to remove JavaScript in the query.

2) http://www.sdbj.com/forgot.asp
user is a valid field in the table where email is stored.

3) http://www.visionoss.com/login/forgotpassword/
userEmail is a valid field in the table where email is stored.

I had reported my findings. I am just trying to learn the basics of XSS. I have a few doubts.

The site http://www.xdisclose.com/tools/yahoocookiepoc.html is capable of decrypting Yahoo cookies. I fail to understand how they decrypt the user name, dob and country details from the cookie. The relevant cookie contents are:

Y=v=1&n=3nkia0lkek00v l=h4fb820j4c08b/o p=m2kvvin013000000 jb=16|47| iz=600042 r=ak lg=us intl=us np=1

l stands for username; p stands for country, year of birth, gender.

Can someone tell me how the xdisclose.com tools decrypt username, country, year of birth and other details?

--
-----------------------------------------------
Regards
Deepan Chakravarthy N
http://www.codeshepherd.com/
http://sudoku-solver.net/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- xss problems Deepan (Dec 25)
- Re: xss problems Deepan (Dec 26)