Tuesday, February 10, 2009

Fresh stock: XSS in NASA

###############################
# Website: http://www.nasa.gov
# Open source & NASA
# Bug: XSS
# Date: 10.02.09
#############################



Vulnerable URL: hxxp://opensource.gsfc.nasa.gov/feedback.php
Post based XSS: any field

Click here for POST request

Fix input validation in all the fields...

Cheers,
Kish
Posted by at No comments:
Labels: , , , , , , , , , ,

Tuesday, January 27, 2009

NASA fixed the XSS

Well, well, well, it is that time of the day again, when a demo on NASA fails ... ;)

They fixed the bug in 3 days, which is not bad ...

Cheers,
Kish
Posted by at No comments:
Labels: , , , , , , , , ,

Saturday, January 24, 2009

XSS in NASA website, again

#########################################
# Website: http://www.nasa.gov
# It's time to know more about astronauts and gravity
# Bug: XSS
# Date: 24.01.09
########################################


Vulnerable URL: hxxp://astrogravs.nasa.gov

Click here for the demo

Fix input validation in the page.

Cheers :)
Kish
Posted by at No comments:
Labels: , , , , , , , , ,

Thursday, January 22, 2009

XSS in Facebook

###################################
# Website: http://www.facebook.com
# It's free and anyone can hack !
# Bug: XSS
# Date: 22.01.09
##################################


Vulnerable URL: hxxp://apps.facebook.com/skillzbase/

Click here for the XSS Demo

Fix input validation in the app

Social networking websites are targetted a lot these days, reckless filtering *shrugs*

Cheers :)
Kish

Date: 24.01.09
Update: The bug has been fixed by Facebook, Full disclosure - We believe in it !
Posted by at No comments:
Labels: , , , , , , , , , , ,

Thursday, January 15, 2009

XSS in DMOZ Search

Advisory #1 (2009)


############################
# Website: dmoz.org
# Bug: HTML Injection, XSS
# Date: 15.01.09
###########################

Vulnerable URL: http://search.dmoz.org/cgi-bin/search?search=

Click here for a demo

Next screenshot to show the presence of XSS bug


Click here for demo

Fix input validation in these pages for better security.

Cheers,
Kish
Posted by at No comments:
Labels: , , , , , , , , ,

Sunday, December 21, 2008

West Bengal Web Coding Standards (WBWCS) !


###################################
# Website: http://www.wbhealth.gov.in
# Bug: XSS
# Date: 22.12.08
##################################

Vulnerable URL: hxxp://www.wbhealth.gov.in (Site-Search feature)
Pages: site_search.asp, and site_search_result.asp

Text book style XSS for you ladies and gentlemen

Courtesy: Hash Technologies presents West Bengal Web Coding Standards (WBWCS) !

Fix input validation in the search box for god's sake before people ruin the website.

Cheers :)
Kish
Posted by at No comments:
Labels: , , , , , , , ,

And it is such a mystery ;)

And it is such a mystery why HSBC bank gets whacked, and phished a lot...


They've not fixed the bug (XSS) just yet, which was posted 3 months earlier...
Posted by at No comments:
Labels: , , , , , , , , , ,
Subscribe to: Posts (Atom)