Cross site scripting | Breaking Cybersecurity News | The Hacker News

XSS (Cross site Scripting )  Vulnerability discovered on Google Code website as shown. Claimed to be Discovered by  Vansh Sharma & Vaibhuv Sharma. Proof Of Concept: Just go to https://code.google.com/apis/ajax/playground/  and then click on edit HTML after that remove all the codes and type this script: < img src="< img src=search"/onerror=alert("XSS")//"> And click on DEBUG CODE , and then first it will show you " Sample must have <head> element " click OK and wait for the window to load if nothing happen then try the same thing again or simply you can click on RUN CODE, and you will get a popup which is XSS. Another Similar XSS posted by  +Pirate , as posted on HackForum Community.

XSS Vulnerability On Twitter Found by 15 Years Old Expert A 15 years old XSS Expert " Belmin Vehabovic(~!White!~) " discovered XSS Vulnerability On Twitter and report us. The Vulnerable link is here . Even He also Discovered XSS Vulnerability in Facebook also as tweeted by him Yesterday  &Facebook is offering him $700 as Bounty.

Over the past two years, a shocking  51% of organizations surveyed in a leading industry report have been compromised by a cyberattack.  Yes, over half.  And this, in a world where enterprises deploy  an average of 53 different security solutions  to safeguard their digital domain.  Alarming? Absolutely. A recent survey of CISOs and CIOs, commissioned by Pentera and conducted by Global Surveyz Research, offers a quantifiable glimpse into this evolving battlefield, revealing a stark contrast between the growing risks and the tightening budget constraints under which cybersecurity professionals operate. With this report, Pentera has once again taken a magnifying glass to the state of pentesting to release its annual report about today's pentesting practices. Engaging with 450 security executives from North America, LATAM, APAC, and EMEA—all in VP or C-level positions at organizations with over 1,000 employees—the report paints a current picture of modern security validation prac

Web App Pentesting - Pentest Magazine The significance of HTTP and the Web for Advanced Persistent Threats Web Application Security and Penetration Testing Developers are form Wenus, Application Security guys from Mars Pulling legs of Arachni XSS BeeF Metaspolit Exploitation Cross-site request forgery. In-depth analysis First the Security Gate, then the Airplane Download Magazine Here

Uniscan 5.2 is released -  vulnerability scanner Uniscan is a open source vulnerability scanner for Web applications. Uniscan 2.0 is a perl vulnerability scanner for RFI, LFI, RCE, XSS and SQL-injection. features: Identification of system pages through a Web Crawler. Use of threads in the crawler. Control the maximum number of requests the crawler. Control of variation of system pages identified by Web Crawler. Control of file extensions that are ignored. Test of pages found via the GET method. Test the forms found via the POST method. Support for SSL requests (HTTPS). Proxy support. Generate site list using Google. Generate site list using Bing. Plug-in support for Crawler. Plug-in support for dynamic tests. Plug-in support for static tests. Plug-in support for stress tests. DOWNLOAD UNISCAN 5.2 Tutorials to create your plug-ins: https://www.uniscan.com.br/tutorial1.php https://www.uniscan.com.br/tutorial2.php https://www.uniscan.com.br/tutorial3.php

myOpenID XSS : One of the Largest OpenID provider is Vulnerable One of the One of the Largest Independent OpenID provider " myOpenID " is Vulnerable to Cross Site Scripting (XSS) ,Discovered by " SeeMe " - Member of Inj3ct0r Team. Cross Site Scripting (or XSS) is one of the most common application-layer web attacks. What Hacker can do - "The attackers can steal the session ID of a valid user using XSS. The session ID is very valuable because it is the secret token that the user presents after login as proof of identity until logout. If the session ID is stored in a cookie, the attackers can write a script which will run on the user's browser, query the value in the cookie and send it to the attackers. The attackers can then use the valid session ID to browse the site without logging in. The script could also collect other information from the page, including the entire contents of the page". Proof Of Concept - Click Here

Cross Site Scripting Vulnerability in Speed Bit Search Engine Debasish Mandal, A hacker from India , Found that there is a XSS through JavaScript Injection vulnerability in the Home page of Speed Bit Search Engine.The XSS filter is filtering normal html /script /iframe tags but XSS can be achieved by injecting JavaScript event "onmouseover()".Technical Description is below. Debasish have reported the vulnerability to the Speed Bit Team but haven't yet got any response from their side. Proof Of Concept: 1) Visit this URL https://search.speedbit.com/?aff=grbr" onmousemove="alert(document.cookie) 2) Bring mouse cursor over the hyperlink shown in the image and you should see a POP up box showing the browser cookies. Submitted By :  Debasish Mandal, India.

Mobile Security and Lack thereof Nidhi Rastogi ,A Security Consultant with Logic Technology Inc, New York share her Views about the Mobile Security and Lack thereof . The Article is taken from our September Month Magazine Edition  .Here we go.. Mobile technology, particularly smartphones, has come of age and is increasingly replacing PCs for internet surfing, emails, gaming and social networking. As per a recent survey by Neilson Media Research, smartphones now comprise over 38% of the U.S. Cellphone Market and will become the majority by end of the year. To meet this growing demand, cellphone companies are fast churning out new models with killer features, latest and greatest in technology. With this growth it has also come to attention that security of these devices cannot be left behind. Every day a new data breach is making headlines suggesting hackers have gone into overdrive. However, what is of particular interest is that a bulk of them is being attributed to cellphones. Hac

Persistent XSS Vulnerability in White House Website Alexander Fuchs , A German Security Researcher Discover Persistent XSS Vulnerability in Official website of White House . He said " The petition system is vulnerable. Every Petition i start or join will execute my code. I could join all petitions and my code will be executed on all users who visit the petition system. " The XSS Demo is here: https://wwws.whitehouse.gov/petitions/!/petition/security/WxgwM7DS Advisory: https://vulnerability-lab.com/get_content.php?id=308

XSS Vulnerability on AOL Energy website A non-persistent Cross Site Scripting (XSS) vulnerability discovered on AOL Energy website. The similar Vulnerability is claimed by few other guys on some forums too. No clue that who found it first, But THN got update from Vansh & Vaibhuv from India.

XSS Vulnerability in Interactive YouTube API Demo Beta There is a Critical Cross site XSS Vulnerability in Interactive YouTube API Demo Beta, Discovered by various sources. One of the White Hat Hacker " Vansh Sharma " Inform us about this XSS Vulnerability with proof of concept. Proof Of Concept : Open  https://gdata.youtube.com/ Enter script <img src="<img src=search"/onerror=alert("xss")//"> in the keyword area. Press ADD

iPhone  Skype  XSS Vulnerability Lets Hackers Steal Phonebook [Video] A bug in the latest version of Skype for iPhone and iPod touch makes its users vulnerable to having their address book stolen just by viewing a specially crafted message, says AppSec Consulting security researcher Phil Purviance. The problem is made more exploitable by the way Skype uses the embeddable WebKit browser; Skype developers have set the URI scheme for the embedded browser to "file://". This error allows an attacker to access the file system and read any file that the app would be allowed to read by the iOS application sandbox. One file that every iOS application has access to is the user's SQLlite AddressBook database. In a demonstration of the bugs, Phil Purviance, AppSec Consulting security researcher, showed how it was possible to extract the iPhone address book using the vulnerabilities. Skype is aware of the issue and is working on a fix. "We are working hard to fix this reported i

WAVSEP   1.0.3 – Web Application Vulnerability Scanner Evaluation Project A vulnerable web application designed to help assessing the features, quality and accuracy of web application vulnerability scanners. This evaluation platform contains a collection of unique vulnerable web pages that can be used to test the various properties of web application scanners. Additional information can be found in the developer's blog . Project WAVSEP currently includes the following test cases: Vulnerabilities: Reflected XSS:   66 test cases, implemented in 64 jsp pages (GET & POST) Error Based SQL Injection: 80 test cases, implemented in 76 jsp pages (GET & POST ) Blind SQL Injection: 46 test cases, implemented in 44 jsp pages (GET & POST ) Time Based SQL Injection: 10 test cases, implemented in 10 jsp pages (GET & POST ) False Positives: 7 different categories of false positive Reflected XSS vulnerabilities (GET & POST ) 10 different categories of false positiv

20 Famous websites vulnerable to Cross Site Scripting (XSS) Attack Most of the biggest and Famous sites are found to be Vulnerable to XSS attack . Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Recently, vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. Cross-site scripting was originally referred to as CSS, although this usage has been largely discontinued. Hacker with code name " Invectus " list some such famous sites with XSS vulnerability as listed below : 1.) https://video.state.gov/en/search/img-srchttp-i55tinypiccom-witu7dpng-height650-width1000/Ij48aW1nIHNyYz0iaHR0cD

Games.com XSS Vulnerability by Cyber4rt One of the Biggest site for Hasbro Games, Video Games & Online Games - Games.com having XSS Vulnerability as shown in screenshot and Discovered by " Acizninja DeadcOde " at  Cyber4rt .

Persistent XSS vulnerability in eBuddy Web Messenger A team member from Virtual Luminous Security , Russian Federation, has discovered a persistent XSS vulnerability in eBuddy (the biggest web IM solution in the world) by transmitting messages with embedded encoded javascript code. In-depth detail eBuddy Web Messenger suffers from an encoded-Persistent XSS vulnerability in the messaging function. (while sendingA message with embedded code to another authorized user in eBuddy WebMessenger). Exploit example Plain XSS (Not going to store, nor execute) <script>alert('eBuddy Persistent XSS');</script> Encoded text=%3Cscript%3Ealert%28'eBuddy%20Persistent%20XSS'%29%3C/script%3E [*] The attacker sends the encoded embedded code in an IM message. [*] The victim receives the message with the encoded embedded code and it executes on the victims browser.

XCode SQLi/LFI/XSS and Webshell Scanning tool XCode Exploit – Vulnurable & webshell Scanner help you to gather the dorks Link from Google. then you may check the results if its Vulnurable to exploit with SQL injection commands, LFI,and XSS. And You may hunt the webshells those uploaded. Download Here [ Source ]

XSS Vulnerability in MSN.com XSS Vulnerability (Cross Site Scripting) in MSN discovered by TeamDX  . Vulnerable Link  is also shown in image.  Last week One of the Security Researcher "Juan Sacco (runlvl)" - Insecurity Research Labs expose the Cross Site vulnerability (XSS) in Bing.com Search Engine.

XSS vulnerability in Bing.com Maps One of the Security Researcher " Juan Sacco (runlvl) " - Insecurity Research Labs expose the Cross Site vulnerability (XSS) in Bing.com Search Engine. BING.COM is prone to a XSS vulnerability because the application failsto properly perform adequate boundary checks on user-supplied data.An attacker can exploit this issue to execute arbitrary code in thevictim's browser. Details : The reflected XSS vulnerability is a variant of a cross-site scriptingflaw: it occurs when the data provided by the attacker is exectued bythe browser, and then displayed on "normal" pages returned to otherusers in the course of regular browsing, without proper HTML escaping. Aclassic example of this is with online message boards where users areallowed to post HTML formatted messages for other users to read. Vulnerable Link

Uniscan 4.0 vulnerability scanner Released The Uniscan vulnerability scanner is aimed at information security, which aims at finding vulnerabilities in Web systems and is licensed under the GNU GENERAL PUBLIC LICENSE 3.0 (GPL 3). The Uniscan was developed using the Perl programming language to be easier to work with text, has an easy to use regular expressions and is also multi-threaded. Uniscan Features Identification of system pages through a Web Crawler. Use of threads in the crawler. Control the maximum number of requests the crawler. Control of variation of system pages identified by Web Crawler. Control of file extensions that are ignored. Test of pages found via the GET method. Test the forms found via the POST method. Support for SSL requests (HTTPS). Proxy support. Official Change Log : - Uniscan is now Modularized. - Added directory checks. - Added file checks. - Added PUT method enabled check. - Bug fix in crawler when found ../ directory. - Crawle

Cross Site Scripting Vulnerability at Google Appspot The Google Appspot " ClickDesk " login page is vulnerable to Cross Site Scripting attack. Cross Site scripting attack is a critical issue in web application. When an attacker gets a user's browser to execute his/her XSS code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read (keylogging), modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. The vulnerability can easily be amplified by publicly available tools like Cross Site Scripting framework (XSSF), Cross Site Scripting harvest perl (XSS-Harvest) and so on. Proof of concept: The following proof-of concept sample will do a HTTP POST to trigger the XSS vuln