XSS fortune cookie

Forgive me in advance for an extremely bad joke, if you can even call it that, but I just can't help it.
Here's how to get an XSS fortune cookie:

1) Ask the mighty Google oracle who might be able to tell you your fortune.
http://www.google.com/search?hl=en&q=tell+my+fortune&btnG=Search&lr=lang_en

2) Select one of the sponsored links; in this case I chose SpiritualExperts.com.

3) Pick a query parameter. I settled on banid.

4) Ask it if it has a cookie for you.
http://www.spiritualexperts.com/psychic_reading/psychic_reading.asp?banid=%22%3E%3CSCRIPT%3Ealert%28document%2Ecookie%29%3C%2FSCRIPT%3E

Voila...an XSS fortune cookie. Sorry. Really, I am.
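As an added example (my code, not from the original post), here is the reflection pattern that produces that alert, beside the attribute-encoding fix. The page's real markup is unknown, so the hidden-input template is an assumption; the URL is the one from step 4, only parsed, never fetched.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The step-4 URL from the post; used here only as parser input.
POST_URL = ("http://www.spiritualexperts.com/psychic_reading/psychic_reading.asp"
            "?banid=%22%3E%3CSCRIPT%3Ealert%28document%2Ecookie%29%3C%2FSCRIPT%3E")


def banid_from_url(url):
    """Return the banid query parameter, percent-decoded by parse_qs."""
    return parse_qs(urlsplit(url).query).get("banid", [""])[0]


def render_unsafe(banid):
    """Hypothetical 'before': banid dropped raw into an attribute value.
    The leading '">' in the payload closes the attribute and the tag, so the
    SCRIPT element that follows is parsed as real markup."""
    return '<input type="hidden" name="banid" value="%s">' % banid


def render_safe(banid):
    """Hardened version: HTML-encode for the attribute context. quote=True
    turns the double quote into &quot;, so the attribute cannot be terminated
    and the angle brackets arrive as &lt; / &gt; text, not tags."""
    return '<input type="hidden" name="banid" value="%s">' % html.escape(banid, quote=True)


def contains_script_element(markup):
    """Crude check used by the test below: does a <script tag survive in the output?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    value = banid_from_url(POST_URL)
    print("decoded banid :", value)
    print("unsafe render :", render_unsafe(value))
    print("safe render   :", render_safe(value))
```

Attribute encoding stops the reflection; marking the session cookie HttpOnly would additionally keep document.cookie from exposing it even if another injection point were found.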

The webmaster has been advised...play nice.

Screenshot for after they fix the issue.


Comments

Anonymous said…
Hopefully your day job will keep you employed long enough that you won't need to fall back on stand-up comedy.
For sure you're working too hard at your day job to have to resort to this! :) Funny stuff man!

Kevin
Impacta LLC
Rafal said…
Dude... you need a vacation.