The Web Hacking Incidents Database
Last update: 07 November 2007
List of incidents of class Cross-site Scripting
Other WASC threat classifications: Abuse of Functionality, Brute Force, Content Spoofing, Credential/Session Prediction, Cross-site Scripting, Defacement, Denial of Service, Directory Indexing, HTTP Response Splitting, Information Leakage, Insufficient Anti-automation, Insufficient Authentication, Insufficient Authorization, Insufficient Process Validation, Insufficient Session Expiration, Known Vulnerability, Misconfiguration, OS Commanding, Other, Path Traversal, Phishing, Predictable Resource Location, Redirection, SQL Injection, Unknown, Weak Password Recovery Validation, Worm
There are 55 incidents of class Cross-site Scripting
Date: 09 October 2007
Incident Type: Security Breach
WASC Threat Classification: Cross-site Scripting
Using XSS on the sites of both major Australian political parties, a security researcher nicknamed Bsoric caused the Liberal Party's Web site to read: "John Howard says: I want to suck your blood", while another script caused a window to pop up on the Labor Party's Web site, urging viewers to "Vote Liberal!"
References:
Date: 23 September 2007
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
A small XSS vulnerability caught RSnake's eye. What makes it different? After all, xssed.com lists thousands and thousands of those. What caught RSnake's eye was the vulnerable site. TJMaxx earned the reputation as the company that suffered the biggest security breach ever. You would expect them to be more careful.
References:
Date: 17 May 2007
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
I seldom add disclosures anymore to WHID, even less XSS disclosures, but since this time they were discovered in banking sites, I thought it was worth it. After all, too many times people think that application vulnerabilities are found only at less "serious" or less "important" web sites where no real damage can occur.
References:
Date: 02 March 2007
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting, SQL Injection
While vulnerabilities in public web sites are a dime a dozen these days and rarely included in WHID, a classic SQL injection in the login form on the home page of the web site of a very big company is worth an entry. In my presentation I usually claim that such vulnerabilities disappeared years ago and then go on to show advanced SQL injection techniques. It seems that they exist.
References:
Date: 29 January 2007
Incident Type: Security Breach
WASC Threat Classification: Cross-site Scripting
References:
Date: 22 December 2006
Incident Type: Security Breach
WASC Threat Classification: Cross-site Scripting
Zone-h is one of the best (well, the best, not just one of them) web sites to follow if you are interested in what the bad guys do. Their account of how their own web site was defaced is a classic. And no, it was not their fault. The incident shows how a seemingly minor vulnerability in a major web site (a Hotmail XSS bug) can be used to deface another, unrelated site in a very elaborate and targeted attack.
References:
Date: 26 July 2006
Incident Type: Security Breach
WASC Threat Classification: Cross-site Scripting
Most XSS vulnerabilities are benign. In many cases they are hardly exploitable. In this case Netscape's new Digg-like shared news site was hacked using a persistent XSS attack, so every viewer of the site was attacked, luckily only to show funny dialog boxes.
References:
Date: 16 July 2006
Incident Type: Security Breach
WASC Threat Classification: Cross-site Scripting, Worm
MySpace seems to be a heaven for XSS worms. This one seems to be even more interesting as it uses JavaScript embedded in a Flash file. It is also interesting as it seems to combine the popular political defacement trend with a high-level application-layer exploit.
References:
Date: 04 July 2006
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
An XSS vulnerability in the feature that allows adding an arbitrary RSS to personal web pages. Since this page resides on the main www.google.com host, the executed JavaScript can access any Google resource.
References:
Date: 16 June 2006
Incident Type: Security Breach
WASC Threat Classification: Abuse of Functionality, Cross-site Scripting
A bug in MySpace allowed a single click by a person on an incoming bulletin to forward it to all of his contacts, making it too easy to spread a worm (or any content, for that matter).
References:
Date: 16 June 2006
Incident Type: Security Breach
WASC Threat Classification: Cross-site Scripting
While XSS vulnerabilities in public web sites are found daily, this one is of special interest. It was found in one of the sites most targeted by phishers, it is exploitable for phishing, and it was exploited. On top of that, it seems to have been discovered and reported to PayPal two years ago but ignored due to a communication failure.
References:
Date: 05 May 2006
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
A researcher found that the login error page on this sites can be injected.
References:
Date: 04 May 2006
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
Alexadex is an online investment game. There is an XSS vulnerability in the group adding functionality.
References:
Date: 28 April 2006
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
Libero.it is the Web portal of a big Italian ISP offering dial-up, broadband and talk services. A script on its customer service pages which enabled a connection speed test is vulnerable to XSS.
References:
Date: 21 April 2006
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
Yahoo Mail does not properly filter the CSS "expression" keyword when it includes a comment that is encoded.
References:
Date: 17 April 2006
Incident Type: Security Breach
WASC Threat Classification: Cross-site Scripting, Phishing
An XSS vulnerability in Yahoo Mail is actively exploited for targeted phishing.
References:
Date: 09 April 2006
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
Sourceforge forums search is vulnerable to XSS
References:
Date: 05 April 2006
Incident Type: Security Breach
WASC Threat Classification: Cross-site Scripting
Israblog is a large Israeli blogging site. A hacker used XSS to hijack bloggers' sessions and deface them. The defacing was used to inform the world that Israblog's lead developer is a bad programmer.
References:
Date: 05 April 2006
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
Forget putting <script> tags in an input field. This high-tech vulnerability exploits the code handling online/offline flags by inserting a malicious online/offline flag. Awesome.
References:
Date: 04 April 2006
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
eBay contains a cross-site scripting vulnerability. When an eBay user posts an auction, eBay allows SCRIPT tags to be included in the auction description, which creates a cross-site scripting vulnerability in the eBay website.
References:
Date: 04 April 2006
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
Yet another Google XSS. This time it seems to hit the Arabic variant of the main search site. It seems that the actual language selector parameter enables the attack.
References:
Date: 02 March 2006
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
A 14-year-old claims to have discovered an XSS flaw in Google's Gmail. Comments have been mixed, and Google did not comment, so either the flaw was fixed pretty fast, or it did not exist.
References:
Date: 28 February 2006
Incident Type: Security Breach
WASC Threat Classification: Cross-site Scripting
Unlike other XSS cases, this was discovered due to actual abuse on a specific auction at eBay.
References:
Date: 25 February 2006
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
Links sent to a user as part of the mail content are not properly sanitized, so a user receiving such mail and activating a link would be affected.
References:
Date: 24 February 2006
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
Sourceforge download pages are vulnerable to XSS
References:
Date: 20 February 2006
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
The $a variable in Hotmail's inbox is vulnerable to cross-site scripting. The exploit requires the victim to open the email message.
References:
Date: 12 February 2006
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
Everyone.net login script (loginuser.pl) is prone to a cross site scripting attack in the variable loginName.
References:
Date: 28 January 2006
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
Hotmail's filtering engine insufficiently filters JavaScript scripts. It is possible to write JavaScript in the BGCOLOR attribute of the BODY tag, using CSS. This leads to execution when the email is viewed. JavaScript must be Unicode encoded in order to fool the filter. This encoding is recognized with IE >= 6.
References:
Date: 10 January 2006
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
ICQ.com search script (search_result.php) is vulnerable to cross-site scripting attacks. This problem is due to a failure in the application to properly sanitize user input; the input can be passed to the vulnerable script in 2 variables (gender and home_country_code).
References:
Date: 03 January 2006
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
This community site allows including scripts in multiple locations, including one's personal profile, thus enabling XSS.
References:
Date: 22 December 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
An attacker can send an e-mail with a malicious script to a victim, which performs its actions immediately when the e-mail is read.
References:
Date: 21 December 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
A redirection to an error page on Google.com includes values sent by the user. This vulnerability allows phishers to send an e-mail with links to Google that will include their attack page.
References:
Date: 18 December 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
A malicious site can offer users a malformed RSS XML file to be included in Yahoo RSS aggregation that would enable stealing Yahoo cookies.
References:
Date: 14 December 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
Netcraft discovered an XSS vulnerability in the NIST web site, which ironically hosts the U.S. National Vulnerability Database.
References:
Date: 05 December 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Abuse of Functionality, Cross-site Scripting
An XSS when receiving notification of an incoming IM message. Additionally it is possible to send an IM message to somebody who has blocked such messages by pretending to be answering a message from him.
References:
Date: 23 November 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
Inserting code in an HTML attachment enables changing the user interface of Yahoo Mail, which may enable fraud.
References:
Date: 21 November 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
XSS in Google Base search function
References:
Date: 21 October 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
XSS in Yahoo Mail; allows phishing.
References:
Date: 10 October 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting, Other
References:
Date: 04 June 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
References:
Date: 25 May 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
References:
Date: 10 April 2005
Incident Type: Security Breach
WASC Threat Classification: Cross-site Scripting, Worm
The Samy worm at MySpace is now a classic. Both a sophisticated attack and a well documented one, it became a case study in the web application security field. Recently Robert Hansen (RSnake) wrote a very interesting blog entry about Samy and what happened to him since.
References:
Date: 03 March 2005
Incident Type: Security Breach
WASC Threat Classification: Content Spoofing, Cross-site Scripting
References:
Date: 16 February 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
An Israeli public debates site called Hyde Park has an XSS vulnerability that exposes session cookies.
References:
Date: 14 January 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
An XSS was found in Froogle
References:
Date: 27 December 2004
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
An XSS was found in Lycos Web Mail
References:
Date: 06 December 2004
Incident Type: Security Breach
WASC Threat Classification: Content Spoofing, Cross-site Scripting
Phishing based on XSS (same vulnerability but a different attack than the similar September 2004 attack)
References:
Date: 27 October 2004
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
An XSS was found in G-Mail
References:
Date: 28 September 2004
Incident Type: Security Breach
WASC Threat Classification: Content Spoofing, Cross-site Scripting
Phishing based on XSS
References:
Date: 30 June 2004
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting, SQL Injection
References:
Date: 31 December 2003
Incident Type: Security Breach
WASC Threat Classification: Cross-site Scripting, SQL Injection
References:
Date: 05 November 2001
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
References:
Date: 21 August 2001
Incident Type: Security Breach
WASC Threat Classification: Cross-site Scripting
Users who visited the Price Lotto site using Microsoft's IE (Internet Explorer) 4.x and 5.x, automatically downloaded malicious JavaScript that was programmed to alter the software configuration of their PCs.
References:
Date: 03 August 2001
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
Persistent XSS HTML Injection inside an HTML email message to hotmail
References:
Date: 19 April 1999
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting
A very early XSS issue at eBay. Interesting historically as it seems that at the time the term XSS was not yet in use.
References:
This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.