Why would you do that?
-
Amazon sent a package my way using a small-time, local delivery service. The developers of their tracking webapp made some interesting decisions, regarding the way data is passed around.
As a result, you can create fake tracking information.
Oh, and yeah -- it's wide open to XSS.
-
You misspelled "Adolf".
-
Try this one. It seems they just copy whatever text...
-
-
@DescentJS said:
Haha. I was startled for a moment to see that I was logged in to Google in that inner frame, before I realized what was going on.
-
@DescentJS said:
Cool...
Also demonstrates that my NoScript properly blocks XSS even with JavaScript turned on.
-
@DescentJS said:
This is fun to mess around with.
Didn't work on my machine, IE8 no security settings changed. I just get "var pos1=document.location..." in the deliver to box.
-
@Mithious said:
@DescentJS said:
This is fun to mess around with.
Didn't work on my machine, IE8 no security settings changed. I just get "var pos1=document.location..." in the deliver to box.
IE8 is either blocking the XSS in the url or it's escaping something more than the other browsers are doing.
-
I was startled for a moment to see that I was logged in to Google in that inner frame, before I realized what was going on.
I did the exact same thing.
-
@DescentJS said:
IE8 has some XSS protection. IE8 is either blocking the XSS in the url or it's escaping something more than the other browsers are doing.
-
meh
-
-
Yeah, that's a great site too. Web 3.1, I think.
What I particularly like is that one of the fake feedback messages is
Mr. NunYa Bizness says (3 days ago):
"Andrew, your a retard, and I think your site s*cks"
Just to make people believe it's really real?
-
@alegr said:
@DescentJS said:
IE8 has some XSS protection. IE8 is either blocking the XSS in the url or it's escaping something more than the other browsers are doing.
Whereas Google Chrome is wide open to it. That last one is priceless if viewed in Chrome.
-
I don't think the browsers are doing that. At least (with FF 3.5.3) I can see the XSS from the error nerds page perfectly fine but I just see escaped HTML on the tracking page. Is there anyone who can actually see that XSS as of now? Maybe the tracking page reacted really fast and updated their site? oO
-
@PSWorx said:
I don't think the browsers are doing that. At least (with FF 3.5.3) I can see the XSS from the error nerds page perfectly fine but I just see escaped HTML on the tracking page. Is there anyone who can actually see that XSS as of now? Maybe the tracking page reacted really fast and updated their site? oO
Seems like it, oh well.
-
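Added example, not from any poster in this thread and not the delivery service's code: a sketch of the two problems raised above (page text copied from the URL, and XSS) and why the escaping fix reported later closes only the second. The parameter names `deliverTo`, `status` and `id`, the markup and the record store are assumptions made for illustration.

```javascript
// Added illustration; parameter names, markup and records are hypothetical.

// HTML-encode a value for element content or a quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[c]));
}

// "Before": whatever text is in the URL is copied straight into the page.
function renderUnsafe(queryString) {
  const p = new URLSearchParams(queryString);
  return `<td id="deliver-to">${p.get('deliverTo') ?? ''}</td>` +
         `<td id="status">${p.get('status') ?? ''}</td>`;
}

// Escaping on output: markup in the URL is displayed as text, not parsed.
// The displayed values are still chosen by whoever built the link.
function renderEscaped(queryString) {
  const p = new URLSearchParams(queryString);
  return `<td id="deliver-to">${escapeHtml(p.get('deliverTo') ?? '')}</td>` +
         `<td id="status">${escapeHtml(p.get('status') ?? '')}</td>`;
}

// Fix for the spoofing half: the URL carries only an identifier and the
// displayed fields come from the service's own records (constructed here).
const RECORDS = new Map([
  ['PKG-0001', { deliverTo: 'J. Doe', status: 'Out for delivery' }],
]);

function renderFromRecord(queryString) {
  const id = new URLSearchParams(queryString).get('id') ?? '';
  const rec = RECORDS.get(id);
  if (!rec) return '<td id="error">Unknown tracking number</td>';
  return `<td id="deliver-to">${escapeHtml(rec.deliverTo)}</td>` +
         `<td id="status">${escapeHtml(rec.status)}</td>`;
}

// Constructed sample link: one field carries markup, one carries false text.
const SAMPLE_QUERY = 'id=PKG-0001' +
  '&deliverTo=' + encodeURIComponent('<script>alert(1)</script>') +
  '&status=' + encodeURIComponent('Delivered to the moon');
```

With `SAMPLE_QUERY`, `renderEscaped` no longer emits a script element but still shows the false status, while `renderFromRecord` ignores both URL-supplied fields.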
-
May I refactor your JS a bit?
This way it's a bit easier to use for others:
r=new String();x=[0x3c,0x73,0x63,0x72,0x69, [...] ,0x70,0x74,0x3e];for(i=0;i<x.length;i++){r+=String.fromCharCode(x[i]);}document.write(r);
Text to hex: http://www.swingnote.com/tools/texttohex.php
-
@garyniger said:
May I refactor your JS a bit?
This way it's a bit easier to use for others:
r=new String();x=[0x3c,0x73,0x63,0x72,0x69, [...] ,0x70,0x74,0x3e];for(i=0;i<x.length;i++){r+=String.fromCharCode(x[i]);}document.write(r);
Text to hex: http://www.swingnote.com/tools/texttohex.php
You could just put the numbers straight into the method,