lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 28 Nov 2009 22:57:19 +0200
From: "MustLive" <>
To: <>
Subject: XSS vulnerabilities at 404 pages

Hello participants of Full-Disclosure.

Cross-Site Scripting are very widespread vulnerabilities. The most common
place for XSS is a search engines (local on-site search and global engines),
as I know from my experience and from my statistic of found holes at web
sites and web applications (both published and unpublished holes). As I
wrote about it in my project Month of Search Engines Bugs. And in my new
series of articles I'll write about other common places of XSS.

In my article XSS vulnerabilities at 404 pages
(, which I posted in September, I wrote
about XSS vulnerabilities at 404 error pages. Here is English version of the

Cross-Site Scripting (XSS) vulnerabilities (
very widespread in Internet. I regularly discover such vulnerabilities at
web sites, which I wrote about at my site, and also mention about XSS holes
at famous sites found by other security researches. Also I wrote many times
about XSS worms (

I had occasions to discover Cross-Site Scripting vulnerabilities in
different web applications, and also in browsers and web servers. After
vulnerabilities in search engines, which I wrote about already in details in
my project MOSEB (, one of the
most widespread are XSS at Error 404 pages.

Standard vector of the attack in case of XSS at 404 pages - it's setting of
XSS-code as address of the page at the site, which will lead to showing of
404 page and to executing of JavaScript code.



Such XSS can be reflected, persistent, DOM based and strictly social.

Example of persistent XSS at 404 pages is vulnerability in Power Phlogger
( - code will trigger at viewing of visits
logs. DOM based XSS also happen to me, particularly in component ProofReader
for Joomla ( And reflected XSS at 404
pages - it's the most widespread case. Examples of such XSS are
vulnerabilities at (, in Apache
Tomcat ( and in Joomla

And also vulnerabilities in browsers, which show themselves at 404 pages:
Cross-Site Scripting with using of UTF-7 in IE
( (reflected) and Cross-Site Scripting with
UTF-7 in Mozilla and Firefox ( (strictly
social XSS).

So developers of web servers, browsers and web sites always need to check
their projects on presence of XSS vulnerabilities at 404 pages (as at all
other pages about errors). To not allow vulnerabilities at these pages.

Best wishes & regards,
Administrator of Websecurity web site 

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists