Sunday, October 08, 2006

XSS bug

found an interesting type of xss of this site, contrust a html header and do the dirty work

mass.gov

Exposed the header, this is indeed fairly funky
http://www.test.com Content-Length: 0 Cache-Control: max-age=300 Expires: Mon, 09 Oct 2006 06:15:35 GMT Connection: close Content-Type: text/plain; charset=ISO-8859-1

similar ones...

lvllord.de


Another one on
mwti.net


And discovered a xss on a metasearch engine while i was at class
click here to see demo

even one on a government website,
http://www.xxxxx.xxx.gov.au/email/?url=%3Cscript%3E
alert(%22XSS%22)%3C/script%3E

No comments: