NIST IT Security: Printer Friendly

XSS Hall of Shame
Web Sites Vulnerable to Cross-Site Scripting
NIST.org, Tuesday 31 March 2009 - 00:00:00

[newpage=Currently XSS Vulnerable]

Cross-Site Scripting (XSS) Hall of Shame

** This list is no longer being regularly maintained. XSS vulnerabilities come and go so quickly it is impossible to keep up. This page will remain for educational and entertainment purposes. If something good comes up we'll add it to the top of the list. **

The web domains below have all been identified as having XSS vulnerabilities. They are listed here as a public service to promote a prompt resolution to the problem. XSS hurts others, not the sites or companies listed here. If the problem has been fixed we will note it as such, if new vulnerabilities are found a new entry will be added. We do not indicate what page or module on the server is vulnerable and we do not include example code as we do not wish to encourage phishing attacks. (NIST.org)

The XSS vulnerabilities on any of the below listed servers could probably have been used in a phishing attack or for some other malicious purpose, so if you are responsible for one of these servers please try to get the problem corrected as quickly as possible. Check back here frequently as new vulnerabilities are often reported at sites that have had them reported previously. The entries are added as they are reported to us and are in no particular order, but they tend to be from the oldest reported to latest reported. You can press CTRL-F to use your browser's find function to locate your domain. Once a problem is fixed it will be moved to the 'Repaired' section (see the bottom of this page).

Click here to learn more about the dangers of XSS.
If your site is listed below [...click here for more information]

If you are responsible for a server listed below you can probably find example code showing how your site is vulnerable by searching the Internet. If you still can not find the source of the problem you can contact us and we will send you the information we were given so you can fix the problem (this may take 1-2 business days so you should first try to locate the problem yourself. There is probably enough information below to find what you need). We will only send this information to someone with an email address at the company listed (please include your name, company position, email address, and phone number) After the problem is fixed if you notify us and give us permission to test the fix we'll mark the entry fixed and move it to the repaired section. If the vulnerable link is posted publicly on the Internet we may test it ourselves provided that we can determine that the link is safe and does no harm to your system (since a 5 year old could stumble across a link and click on it we see no reason why we shouldn't allowed to do the same thing with proper precaution).
If you would like to report a XSS vulnerability [...click here for more information]

If you would like to report a XSS vulnerability please use the eMail address at the bottom of this page. Examples will only be accepted if all they do is pop up an alert box. If you had to obscure the Javascript (or other code) please tell us how you did it or even better tell us how to unobscure it. Any examples other than a pop up alert box won't be tested and the site vulnerability probably won't be posted. Please do us a favor and try to locate a contact email address for the vulnerable website so that we can notify them. We will not be the first to publish a site vulnerability unless we make an attempt to notify a site administrator. If you want credit for the find tell us what name or handle you want us to use, otherwise it will be posted as 'anonymous'. If it comes to our attention that you have used the vulnerability for anything malicious we will mark your future emails as spam and block your IP address.

Cross-Site Scripting (XSS) News [...more]

XSS Vulnerable Domains (listed by discovery date):

Google.com – Another Google XSS probably won't last long. Reported by Hong on 1/15/2007 at sla.ckers.org. Screen Shot
yellowpages.aol.com – AOL's yellowpages. Reported by unsticky on 1/15/2007 at sla.ckers.org Screen Shot
Google.com – Google XSS probably won't last long. Reported by Ghozt on 1/12/2007 at sla.ckers.org. Screen Shot
myspace.com – MySpace XSS vulnerability. They actually have a new one reported once or twice a week, some have led to worms in the past. Reported by maluc at sla.ckers.org. Screen Shot
WellsFargo.com - Huge bank and financial company. Reported by anonymous on 11/30/06. Screen Shot
Thornburg.com - Mutual Fund and investment company. Reported by anonymous on 11/30/06. Screen Shot
Amanafunds.com - Invests according to Islamic principles. Reported by anonymous on 11/30/06. Screen Shot
sfcu.org - Stanford Federal Credit Union. Reported by anonymous on 11/24/06. Screen Shot
denalifcu.org - Denali Alaskan Credit Union. Reported by anonymous on 11/24/06. Screen Shot
gencu.org - General Credit Union. Reported by anonymous on 11/24/06. Screen Shot
dccu.com - Deere Employees Credit Union. Reported by anonymous on 11/24/06. Screen Shot
baygulf.com - Bay Gulf Credit Union. Reported by anonymous on 11/24/06. Screen Shot
golden1.com - The Golden 1 Credit Union. Reported by anonymous on 11/24/06. Screen Shot
www.citimortgage.com - Fun with phishing... Reported at sla.ckers.org by malorn on 11/17/2006. Screen Shot
www.bestbuy.com - Reported at sla.ckers.org by unsticky on 11/16/2006.
www.gnc.com - Reported at sla.ckers.org by unsticky on 11/16/2006.
www.staples.com - Reported at sla.ckers.org by unsticky on 11/16/2006.
cbs.sportsline.com - Reported at sla.ckers.org by unsticky on 11/16/2006. Screen Shot
www.cbs.com - Reported at sla.ckers.org by unsticky on 11/16/2006.
nbc.resultspage.com - Reported at sla.ckers.org by unsticky on 11/16/2006. Screen Shot
fuse.tv - Reported at sla.ckers.org by unsticky on 11/16/2006.
www.tenaciousdmovie.com - Reported at sla.ckers.org by unsticky on 11/16/2006.
TheOnion.com - Really, no kidding – The Onion website has XSS vulnerabilities. Of course one has to wonder how someone could ever spoof them. Who would even notice? Screen Shot
mypyramid.gov – The official U.S. Government food pyramid website, part of USDA (who recently had two other vulnerabilities that were taken care of quickly). Agency notified on 11/06/2006. Screen Shot
nature.com - The science and medicine magazine. Reported by anonymous. They were notified on 11/06/2006. Screen Shot
epa.gov – Environmental Protection Agency. Reported to NIST.org by anonymous. Agency notified by us on 10/26/2006. Screen Shot
who.it – World Health Organization, part of the United Nations. Reported to NIST.org by anonymous. Agency notified by us on 10/26/2006. Screen Shot
fmcsa.dot.gov – U.S. Dept of Transportation. Reported to NIST.org by anonymous. Agency notified by us on 10/25/2006. Screen Shot
LearnandServe.gov – U.S. government Learn and Serve America website. Reported to NIST.org by anonymous. Agency notified by us on 10/25/2006. Screen Shot
collegedrinkingprevention.gov – Humm... we'll pass on the jokes Part of the National Institute of Heatth. Reported to NIST.org by anonymous. (agency notified on 10/12/06) Screen Shot
www.fema.gov - Federal Emergency Management Agency, Reported to NIST.org by anonymous (agency notified on 10/11/06)
search.disney.go.com - Disney! Is nothing sacred! Reported at sla.ckers.org by anonymous on 10/7/06
www.afcm.org - Americans for Free Choice in Medicine. Reported at sla.ckers.org by anonymous on 10/7/06
www.nhtsa.gov - National Highway Traffic Safety Administration – NHTSA. Reported at sla.ckers.org by anonymous on 10/7/06
www.nationalservice.gov - National & Community Service. Reported at sla.ckers.org by anonymous on 10/7/06
www.americorps.gov – AmeriCorps. Reported at sla.ckers.org by anonymous
www.aoa.gov - U.S. Administration on Aging. Reported at sla.ckers.org by anonymous
w4.systranlinks.com - translation service used by U.S. Department of Labor Mine Safety and Health Administration. Reported at sla.ckers.org by anonymous on 10/7/06
www.fcc.gov - Federal Communications Commission – FCC. Reported at sla.ckers.org by anonymous on 10/7/06
www.genome.gov - U.S. Government National Human Genome Research Institute. Reported at sla.ckers.org by anonymous on 10/7/06
search.state.nj.us - State of New Jersey. Reported at sla.ckers.org by anonymous
www.usaid.gov - U.S. Gov. aid site. Reported at sla.ckers.org by anonymous
ftn.fedex.com - Reported at sla.ckers.org by maluc on 10/2/06.
www.compsource.com - Reported at sla.ckers.org by yawnmoth on 10/2/06.
stocks.usatoday.com - USA Today. Reported at sla.ckers.org by anonymous on 10/2/06.
markets.latimes.com - Los Angeles Times. Reported at sla.ckers.org by anonymous on 10/2/06.
forums.washingtonpost.com - Washington Post. Reported at sla.ckers.org by anonymous on 10/2/06.
markets.chicagotribune.com - Chicago Tribune. Reported at sla.ckers.org by anonymous on 10/2/06.
realestate.nytimes.com - New York Times. Reported at sla.ckers.org by anonymous on 10/2/06.
weather.kansascity.com - Kansas City Star. Reported at sla.ckers.org by anonymous on 10/2/06.
bostonglobe.com - Boston Globe. Reported at sla.ckers.org by anonymous on 10/2/06.
www.nypost.com - New York Post. Reported at sla.ckers.org by anonymous on 10/2/06.
washingtontimes.com - The Washington Times. Reported at sla.ckers.org by anonymous on 10/2/06.
app.abc.go.com - ABC. Reported at sla.ckers.org by anonymous on 10/2/06.
cgi.cbs.com - CBS. Reported at sla.ckers.org by anonymous on 10/2/06.
www2.warnerbros.com - Warner Brothers. Reported at sla.ckers.org by anonymous on 10/2/06.
secure.petco.com - PetCo. Reported at sla.ckers.org by anonymous on 10/2/06.
www.petsmart.com - PetSmart. Reported at sla.ckers.org by anonymous on 10/2/06.
www.wbshop.com - Warner Brothers Store. Reported at sla.ckers.org by anonymous on 10/2/06.
www.sonymusicstore.com - Sony Music Store. Reported at sla.ckers.org by anonymous on 10/2/06.
www.nike.com - Nike. Reported at sla.ckers.org by anonymous on 10/2/06.
www.cafepress.com - cafepress. Reported at sla.ckers.org by anonymous on 10/2/06.
www.gnc.com - GNC. Reported at sla.ckers.org by anonymous on 10/2/06.
www.shopnbc.com - Shop NBC. Reported at sla.ckers.org by anonymous on 10/2/06.
www.lnt.com - Linens N Things. Reported at sla.ckers.org by anonymous on 10/2/06.
www.buynetgear.com - Netgear. Reported at sla.ckers.org by anonymous on 10/2/06.
www.fingerhut.com - Fingerhut. Reported at sla.ckers.org by anonymous on 10/2/06.
www.armaniexchange.com - Armani Exchange. Reported at sla.ckers.org by anonymous on 10/2/06.
www.ritzcamera.com - Ritz Camera. Reported at sla.ckers.org by anonymous on 10/2/06.
fbijobs.gov – FBI Jobs. Reported at sla.ckers.org by thomaspollet on 10/1/06
www.networksolutions.com - Reported at sla.ckers.org by RSnake on 10/1/06
www.nukecops.com - Reported at sla.ckers.org by maluc on 10/1/06.
www.visitlasvegas.com - Reported at sla.ckers.org by RSnake on 10/1/06
www.telco.com - Reported at sla.ckers.org by RSnake on 10/1/06
direct.motorola.com - Reported at sla.ckers.org by RSnake on 10/1/06
www22.verizon.com - Reported at sla.ckers.org by RSnake on 10/1/06. “Can you hear me now?” -- Rsnake {14}
www.rav.ro – Antivirus company. Reported at sla.ckers.org by maluc on 9/30/06
www.grisoft.com – Antivirus company. Reported at sla.ckers.org by maluc on 9/30/06
tools.sonic.net – Another site with the 'Hacker Safe' seal of approval. Reported at sla.ckers.org by maluc on 9/30/06
www.authentium.com – An antivirus company. Reported at sla.ckers.org by maluc on 9/30/06
alerts.f-prot.com – An antivirus company. Reported at sla.ckers.org by maluc on 9/30/06
www.trendmicro.com – An antivirus company. Reported at sla.ckers.org by maluc on 9/30/06
www.avast.com – An antivirus company. Reported at sla.ckers.org by maluc on 9/30/06
www.ca.com – A very large antivirus / security company. Reported at sla.ckers.org by maluc on 9/30/06. Still vulnerable on 10/22/06. Screen Shot {13}
f-secure.com – An antivirus company. Reported at sla.ckers.org by metal_hurlant on 9/30/06.

"I love the stock market xss: go figure someone spamming about stock xyz skyrocketting, putting xss'ed links to nasdaq etc. on it...profit!" -- thomaspollet at sla.ckers.org

cccure.org – An excellent resourse for people studying for IT security exams. Hopefully this gets fixed soon. Reported at sla.ckers.org by thomaspollet on 9/29/06
linksys.com - Reported at sla.ckers.org by Ghozt on 9/29/06
www.certicom.com – A big name encryption and data security company. Reported at sla.ckers.org by maluc on 9/29/06
search4.unisys.com - Reported at sla.ckers.org by maluc on 9/29/06
subscribermail.com - Reported at sla.ckers.org by Ghozt on 9/29/06
truste.org – The company that issues those TRUSTe® privacy seals "We certify and monitor web site privacy". Reported at sla.ckers.org by Ghozt on 9/29/06
zme.amazon.com - Reported at sla.ckers.org by maluc on 9/29/06
www.afpc.randolph.af.mil - Reported at sla.ckers.org by maluc on 9/29/06
search.access.gpo.gov - Reported at sla.ckers.org by maluc on 9/29/06
ohrm.os.doc.gov - Reported at sla.ckers.org by maluc on 9/29/06
www.compusa.com - Reported at sla.ckers.org by maluc on 9/29/06
www.neweggg.com - Reported at sla.ckers.org by maluc on 9/29/06
techpowerup.com - Reported at sla.ckers.org by maluc on 9/29/06
www.frozencpu.com - Reported at sla.ckers.org by maluc on 9/29/06
searchg.symantec.com – You know, the giant antivirus / security company. Reported at sla.ckers.org by digi7al64 on 9/29/06. Still vulnerable on 10/18/2006. See Screen Shot
www.tv – A Verisign company, root level domain registration for TV stations (eg; KMPP.TV). Reported at sla.ckers.org by Ghozt on 9/29/06
www.zonelabs.com – They sell the popular ZoneAlarm firewall software. Reported at sla.ckers.org by maluc on 9/29/06 See Screen Shot
usa.kaspersky-labs.com – Large well respected antivirus company. Reported at sla.ckers.org by maluc on 9/29/06 See Screen Shot
adidas.com - Reported at sla.ckers.org by Ghozt and maluc on 9/29/06
dictionary.com - Reported at sla.ckers.org by Ghozt and maluc on 9/29/06 {12}
livesupport.bitdefender.ro - Reported at sla.ckers.org by maluc on 9/29/06
support.drweb.com - Reported at sla.ckers.org by maluc on 9/29/06
www.norman.com – An antivirus company. Reported at sla.ckers.org by maluc on 9/29/06
www.astalavista.net - Reported at sla.ckers.org by maluc on 9/29/06
shop.pandasoftware.com - The antivirus company. Reported at sla.ckers.org by maluc on 9/29/06
www.scientology.org - Reported at sla.ckers.org by Ghozt on 9/29/06
webcenters.netscape.compuserve.com - Reported at sla.ckers.org by maluc on 9/28/06
search.lexmark.com - Reported at sla.ckers.org by Ghozt on 9/28/06
www.nvidia.com - Reported at sla.ckers.org by Ghozt on 9/28/06
search.ati.com - Reported at sla.ckers.org by Ghozt on 9/28/06
www.buy.com - Reported at sla.ckers.org by Ghozt on 9/28/06
www.hooters.com – Screen shot wouldn't have included waitresses so we didn't bother. Reported at sla.ckers.org by maluc on 9/28/06
www.geeksquad.com - Reported at sla.ckers.org by Ghozt on 9/28/06. Screen Shot
www.pricegrabber.com - Reported at sla.ckers.org by Ghozt on 9/28/06
www.xfxforce.com - Reported at sla.ckers.org by Ghozt on 9/28/06
www.bizrate.com - Reported at sla.ckers.org by Ghozt on 9/28/06
castle.pricewatch.com - Reported at sla.ckers.org by Ghozt on 9/28/06
www.cyberguys.com - Reported at sla.ckers.org by Ghozt on 9/28/06
www.gotdotnet.com - Reported at sla.ckers.org by digi7al64 on 9/28/06.
www.sonystyle.com - Reported at sla.ckers.org by Ghozt on 9/28/06
www.alliedelec.com - Reported at sla.ckers.org by Ghozt on 9/28/06
www.mouser.com - Reported at sla.ckers.org by Ghozt on 9/28/06
www.newark.com - Reported at sla.ckers.org by Ghozt on 9/28/06
www.jameco.com - Reported at sla.ckers.org by Ghozt on 9/28/06
cars.kbb.com - Reported at sla.ckers.org by Ghozt on 9/28/06
www.engadget.com - Reported at sla.ckers.org by Ghozt on 9/28/06
www.lww.com - Reported at sla.ckers.org by Ghozt on 9/28/06
search.gifts.com - Reported at sla.ckers.org by Ghozt on 9/28/06
www.linuxdevices.com - Reported at sla.ckers.org by Ghozt on 9/28/06
www.gamerankings.com - Reported at sla.ckers.org by Ghozt on 9/28/06
www.cbsnews.com - Reported at sla.ckers.org by Ghozt on 9/28/06
www.travelport.com - Reported at sla.ckers.org by Ghozt on 9/28/06
www.whalecommunications.com - Reported at sla.ckers.org by kirke on 9/28/06
portal.knowledgebase.net - Reported at sla.ckers.org by maluc on 9/28/06 {10}
searchsecurity.techtarget.com - Reported at sla.ckers.org by Ghozt on 9/28/06. As reported by digi7al64 all of the following domains share the same search engine and the same problem as techtarget.com: 2020software.com, Bitpipe.com, Search400.com, SearchAppSecurity.com, SearchCIO.com, SearchCRM.com, SearchDataCenter.com, SearchDataManagement.com, SearchDomino.com, SearchExchange.com, SearchMobileComputing.com, SearchNetworking.com, SearchOpenSource.com, SearchOracle.com, SearchSAP.com, SearchSecurity.com, SearchServer.com, SearchSMB.com, SearchSQLServer.com, SearchStorage.com, SearchVB.com, SearchVoIP.com, SearchWebServices.com, SearchWinComputing.com, SearchWindowsSecurity.com, SearchWinIT.com, TheServerSide.NET TheServerSide.com, Whatis.com
search.ittoolbox.com - Reported at sla.ckers.org by Ghozt on 9/28/06
shops.ancestry.com - Reported at sla.ckers.org by Ghozt on 9/28/06
www.gesecurity.com - Reported at sla.ckers.org by Ghozt on 9/28/06
www.safer-networking.org - Home of Spybot S&D. Reported at sla.ckers.org by Ghozt on 9/28/06
www.scmagazine.com - Reported at sla.ckers.org by Ghozt on 9/28/06
www.nasdaq.com - Reported at sla.ckers.org by RSnake on 9/28/06 Screen Shot
www.amex.com - Reported at sla.ckers.org by RSnake on 9/28/06
www.borsaitaliana.it - Italian Stock Exchange. Reported at sla.ckers.org by RSnake on 9/28/06.
www.asx.com.au - Australian Stock Exchange. Reported at sla.ckers.org by RSnake on 9/28/06.
www.shop.com - Reported at sla.ckers.org by digi7al64 on 9/28/06.
www.hummingbird.com - Reported at sla.ckers.org by digi7al64 on 9/28/06.
morpheus.com - Reported at sla.ckers.org by Ghozt on 9/28/06
sales.limewire.com - Reported at sla.ckers.org by Ghozt on 9/28/06
www.downloadsquad.com - Reported at sla.ckers.org by Ghozt on 9/28/06
www.pbs.org - Reported at sla.ckers.org by digi7al64 on 9/28/06.
www.marketwatch.com - Reported at sla.ckers.org by digi7al64 on 9/28/06.
www.tucows.com - Reported at sla.ckers.org by Ghozt on 9/28/06
mybittorrent.com - Reported at sla.ckers.org by Ghozt on 9/28/06
www.phpnuke.org - Reported at sla.ckers.org by Ghozt on 9/28/06
nukecops.com - Reported at sla.ckers.org by Ghozt on 9/28/06 {11}
www.f5.com – They originally denied vulnerabilities that were fixed but they are still have other vulnerabilities. Reported at sla.ckers.org by maluc on 9/27/06. Screen Shot
www.latimes.com - Reported at sla.ckers.org by digi7al64 on 9/27/06.
online.wsj.com – The Wall Street Journal. Reported at sla.ckers.org by digi7al64 on 9/27/06.
www.navair.navy.mil - Reported at sla.ckers.org by maluc on 9/27/06.
www.caltex.com - Reported at sla.ckers.org by maluc on 9/27/06.
www.ge.com - "Imagination at Work", yea with this vuln anything is possible. - Reported at sla.ckers.org by maluc on 9/27/06.
movies.aol.com – many different ones. Reported at sla.ckers.org by maluc on 9/27/06.
videogames.aol.com - Reported at sla.ckers.org by maluc on 9/27/06.
www.lightreading.com - Reported at sla.ckers.org by maluc on 9/27/06.
www.norad.org - Reported at sla.ckers.org by digi7al64 on 9/27/06.
query.nytimes.com - Reported at sla.ckers.org by maluc on 9/27/06.
www.truste.org - Reported at sla.ckers.org by cheng on 9/27/06.
www.virgin.com - Reported at sla.ckers.org by digi7al64 on 9/27/06.
search.sky.com - Reported at sla.ckers.org by digi7al64 on 9/27/06.
search.forbes.com - Reported at sla.ckers.org by digi7al64 on 9/27/06.
www.pcworld.com - Reported at sla.ckers.org by digi7al64 on 9/27/06.
www.aapt.com - Reported at sla.ckers.org by digi7al64 on 9/27/06.
cgi.yahoo.com - Reported at sla.ckers.org by Ghozt on 9/27/06.
www.netflix.com - Reported at sla.ckers.org by maluc on 9/27/06.
www.blockbuster.com - Reported at sla.ckers.org by maluc on 9/27/06.
www.jeep.com - Reported at sla.ckers.org by digi7al64 on 9/27/06.
support.opera.com - Reported at sla.ckers.org by maluc on 9/27/06.
www.chevrolet.com - Reported at sla.ckers.org by digi7al64 on 9/27/06. (pg9)
www.us-webmasters.com - Reported at sla.ckers.org by Ghozt on 9/27/06
www.netdemon.net - Reported at sla.ckers.org by Ghozt on 9/27/06

Quote: "I have noticed we have successfully hit the 4 of the 5 major search engines as well as a relatively large number of the top 100 websites going around (apparently all we needed to do was look)...congratulations to all." -- digi7al64 at sla.ckers.org

subscribe.infoworld.com - Reported at sla.ckers.org by digi7al64 on 9/26/06.
news.cnn.com – various. Reported at sla.ckers.org by Kyran and maluc 9/26/06
www.techworld.com – various. Reported at sla.ckers.org by maluc on 9/26/06
www.pcadvisor.co.uk - Reported at sla.ckers.org by maluc on 9/26/06
www.digitmag.co.uk - Reported at sla.ckers.org by maluc on 9/26/06
playboy.rgc2.com - Reported at sla.ckers.org by RSnake on 9/26/06.
www.portblogs.com - Reported at sla.ckers.org by RSnake on 9/26/06.
www.startrek.com - Reported at sla.ckers.org by RSnake on 9/26/06.
www.weather.aol.com - Reported at sla.ckers.org by digi7al64 on 9/26/06.
www.gm.com - Reported at sla.ckers.org by digi7al64 on 9/26/06.
validatory.opml.org - Reported at sla.ckers.org by maluc on 9/26/06.
www.w3.org - Reported at sla.ckers.org by maluc on 9/26/06.
orders.sbs.yahoo.com - Reported at sla.ckers.org by Kyran on 9/26/06.
viewer.youtubech.com - Reported at sla.ckers.org by maluc on 9/26/06.
rss.scripting.com - Reported at sla.ckers.org by maluc on 9/26/06.
megalodon.jp - Reported at sla.ckers.org by maluc on 9/26/06.
www.dotcr.ost.dot.gov - Reported at sla.ckers.org by maluc on 9/25/06
www.mbda.gov - Reported at sla.ckers.org by maluc 9/25/06
www.friendsunited.co.uk - Reported at sla.ckers.org by dyn0 on 9/25/06
www.salford.gov.uk - Reported at sla.ckers.org by dyn0 9/25/06
www.freeml.com - Reported at sla.ckers.org by Rsnake on 9/25/06
www.siteadvisor.com - Reported at sla.ckers.org by kirke on 9/25/06
audience.cnn.com – Multiple problems. Reported at sla.ckers.org by RSnake on 9/25/06
www.bbc.co.uk – UK's BBC. Reported at sla.ckers.org by RSnake on 9/25/06
search1.taobao.com – Big China auction site. Reported at sla.ckers.org by RSnake on 9/25/06.
www.alipay.com – Payment processing site in China. Reported at sla.ckers.org by Rsnake on 9/25/06
www.clickbank.com - Reported at sla.ckers.org by Kyran on 9/25/06
www.altavista.com – Another vulnerability. Simply search for a bit of Javascript code and it runs it back on your computer. They really should fix this. Reported at sla.ckers.org by Acidus on 9/25/06.
search.netscape.com - Reported at sla.ckers.org by digi7al64 on 9/25/06.
www.pepperjam.com - Reported at sla.ckers.org by tsar on 9/25/06
national.citysearch.com - Reported at sla.ckers.org by digi7al64 on 9/25/06.
www.wamuhomeloans.com - Reported at sla.ckers.org by RSnake on 9/25/06
www.anywho.com - Reported at sla.ckers.org by digi7al64 on 9/25/06.
www.hbo.com - Reported at sla.ckers.org by RSnake on 9/25/06.
www.hemnet.se - Reported at sla.ckers.org by RSnake on 9/25/06.
www.verisign.com - Reported at sla.ckers.org by Kyran on 9/25/06
www.ericsson.se - Reported at sla.ckers.org by RSnake on 9/25/06.
www.ddj.com – Dr. Dobb's Portal. Reported at sla.ckers.org by maluc on 9/25/06.
www.codemasters.com - Reported at sla.ckers.org by Kyran on 9/24/06
www.cbs.com - Reported at sla.ckers.org by Rsnake on 9/24/06
www.nationalcrediteducationweek.com - Reported at sla.ckers.org by maluc on 9/24/06
www.nscp.org - Reported at sla.ckers.org by maluc on 9/24/06
www.dmas.virginia.gov - Reported at sla.ckers.org by maluc on 9/24/06
www.innovations.va.gov - Reported at sla.ckers.org by maluc on 9/24/06
robotics.nasa.gov - Reported at sla.ckers.org by maluc on 9//24/06
www.opic.gov - Reported at sla.ckers.org by maluc on 9/24/06
ask.census.gov - Reported at sla.ckers.org by maluc on 9/24/06
www.isc2.org - ISC2 is the organization responsible for the CISSP security certification. Reported at sla.ckers.org by maluc on 9/22/06.
www.microsoft.com - Reported at sla.ckers.org by Rsnake on Sept 23rd and its still not fixed.
www.vh1.com – VH1, the music channel. Reported at sla.ckers.org by Rsnake on Sept 23rd and its still not fixed.
www.mtv.com – MTV, just to be fair. Reported at sla.ckers.org by Rsnake on Sept 23rd and its still not fixed.
www.fedworld.gov – Part of the U.S. Dept of Commerce.. Reported at www.seomoz.org on 8/21/06
memory.loc.gov – The Library of Congress! Reported at www.seomoz.org on 8/21/06
www.leginfo.ca.gov – California Legislature. Reported at www.seomoz.org on 8/21/06
www-odi.nhtsa.dot.gov – Dept of Transportation, Office of Defects (yes, we see the irony). Reported at www.seomoz.org on 8/21/06
www1.euro.dell.com - Dell Computers European site. Reported at sla.ckers.org by WhiteAcid
www.netgear.com – Reported at sla.ckers.org by WhiteAcid
directory.gov.be – Reported at sla.ckers.org by Girzi
www.homme.lycos.fr – Reported at sla.ckers.org by Girzi
polizei.hessen.de - Found by Skyout at www.eof-project.net
arte-tv.com - Found by Skyout at www.eof-project.net
sport.ard.de - Found by Skyout at www.eof-project.net
suchnase.de - Found by Skyout at www.eof-project.net
killsometime.com - Found by Skyout at www.eof-project.net
pangora.n24.de - Found by Skyout at www.eof-project.net
n-tv.de - Found by Skyout at www.eof-project.net
walmartstores.com - Found by Skyout at www.eof-project.net
directory.fsf.org - Found by Skyout at www.eof-project.net
hr-online.de - Found by Skyout at www.eof-project.net
pcworld.co.uk - Found by Skyout at www.eof-project.net
pbs.org - Found by Skyout at www.eof-project.net
online.wsj.com - Found by Skyout at www.eof-project.net
npr.org - Found by Skyout at www.eof-project.net
weather.com - Found by Skyout at www.eof-project.net
mut.de - Found by Skyout at www.eof-project.net
mitp.de - Found by Skyout at www.eof-project.net
americanexpress.com - Found by Skyout at www.eof-project.net
netscape.com - Found by Skyout at www.eof-project.net
thestreet.com - Found by Skyout at www.eof-project.net
de.atari.com - Found by Skyout at www.eof-project.net
ati.com - Found by Skyout at www.eof-project.net
winamp.com - Found by Skyout at www.eof-project.net
evite.com - Found by Skyout at www.eof-project.net
knuddels.de - Found by Skyout at www.eof-project.net
gutenberg-gym.de - Found by Skyout at www.eof-project.net
hakin9.org - Found by Skyout at www.eof-project.net
www.serverspy.net - Reported at sla.ckers.org by kefka
www.allakhazam.com - Reported at sla.ckers.org by kefka
www.goblinworkshop.com - Reported at sla.ckers.org by kefka
www.go2.com - Reported at sla.ckers.org by RSnake
comsearch.comcast.commerce.atomz.com - Reported at sla.ckers.org by kefka
home.bellsouth.net - Reported at sla.ckers.org by kefka
www.traveltree.co.uk - Reported at sla.ckers.org by RSnake
www.sparkfun.com - Reported at sla.ckers.org by maluc
www.uo.com - Reported at sla.ckers.org by maluc
blogshares.com - Reported at sla.ckers.org by unsticky
rawstory.com - Reported at sla.ckers.org by unsticky
hawkee.com - Reported at sla.ckers.org by unsticky
seq.org - Reported at sla.ckers.org by unsticky

Quote: "Potentially a very exploitable hole for fun and profit. _-_ " -- maluc on sla.ckers.org referring to a hole at Amazon.com

mindswap.org - Reported at sla.ckers.org by unsticky
free-php.org - Reported at sla.ckers.org by unsticky
shadows.com - Reported at sla.ckers.org by unsticky
php.com - Reported at sla.ckers.org by unsticky
actifpub.com - Reported at sla.ckers.org by unsticky
mojo.zug.com - Reported at sla.ckers.org by unsticky
www.marketwatch.com - Reported at sla.ckers.org by WhiteAcid
www.marketwatch.com - Reported at sla.ckers.org by WhiteAcid
h20000.www2.hp.com - Reported at sla.ckers.org by kefka
www.nanoy.org - Reported at sla.ckers.org by WhiteAcid
www.animenfo.com - Reported at sla.ckers.org by maluc
www.manga-news.com - Reported at sla.ckers.org by maluc
www.tokyopop.com - Reported at sla.ckers.org by maluc
anidb.info - Reported at sla.ckers.org by maluc
animefringe.com - Reported at sla.ckers.org by maluc
www.darkhorse.com - Reported at sla.ckers.org by maluc
www.jlist.com - Reported at sla.ckers.org by maluc
www.totalvid.com - Reported at sla.ckers.org by maluc
www.hotscripts.com - Reported at sla.ckers.org by maluc
docs.phplivesupport.com - Reported at sla.ckers.org by maluc
s12.quicksharing.com - Reported at sla.ckers.org by maluc
forums.there.com - Reported at sla.ckers.org by RSnake
proxy.perlproxy.com - Reported at sla.ckers.org by RSnake
www.yousenit.com - Reported at sla.ckers.org by maluc
accessories.us.dell.com - Reported at sla.ckers.org by RSnake
www.pcworld.com - Reported at sla.ckers.org by RSnake
www.netdisaster.com - Reported at sla.ckers.org by RSnake
devcentral.f5.com - Reported at sla.ckers.org by kirke
support.acunetix.com - Reported at sla.ckers.org by kirke
www.dohistory.org - Reported at sla.ckers.org by raif
www.the-dma.org - Reported at sla.ckers.org by raif
www.sciencemag.org - Reported at sla.ckers.org by raif
mazda.com - Reported at sla.ckers.org by RSnake
nbc.resultspage.com - Reported at sla.ckers.org by RSnake
one.rewer.com - Reported at sla.ckers.org by RSnake
www.macworld.com - Reported at sla.ckers.org by maluc
www.weather.com - Reported at sla.ckers.org by digi7al64
www.independent.co.uk - Reported at sla.ckers.org by digi7al64
docs.info.apple.com - Reported at sla.ckers.org by maluc
www.scmagazine.com - Reported at sla.ckers.org by RSnake
hoovers.com - Reported at sla.ckers.org by Rsnake
search.bbb.org - The Better Business Bureau. Reported at sla.ckers.org by maluc.
www.allakhazam.com - Reported at sla.ckers.org by Kyran
preference.the-dma.org - Reported at sla.ckers.org by maluc
www.comcast.net - Reported at sla.ckers.org by maluc
www.em.avnet.com - Reported at sla.ckers.org by Rsnake
goonline.seeq.com - Reported at sla.ckers.org by Rsnake
www.ask.com - ASK.com . Reported at sla.ckers.org by Rsnake
search.about.com - Reported at sla.ckers.org by Rsnake
math.about.com - Reported at sla.ckers.org by Rsnake
about.com – Apparently most of the about.com system has vulnerabilities
search.comcast.net - Reported at sla.ckers.org by maluc
www22.verizon.com - Reported at sla.ckers.org by maluc
business.verizonwireless.com - Reported at sla.ckers.org by maluc
search.t-mobile.com - Reported at sla.ckers.org by maluc
www.cingular.com - Reported at sla.ckers.org by maluc
onlinecare.cingular.com - Reported at sla.ckers.org by maluc
www1.sprintpcs.com - Reported at sla.ckers.org by maluc
www.vodafone.com - Reported at sla.ckers.org by maluc
www.chinaunicom.com - Reported at sla.ckers.org by maluc
buscador.telefonica.es - Reported at sla.ckers.org by maluc
www.orange.com – Big French cell phone company. Reported at sla.ckers.org by maluc
www.telecomitalia.com - Reported at sla.ckers.org by maluc
www.mapquest.com - Reported at sla.ckers.org by digi7al64
www.travelodge.com - Reported at sla.ckers.org by digi7al64
www.reference.com - Reported at sla.ckers.org by digi7al64
www.information.com - Reported at sla.ckers.org by digi7al64
www.securitylab.ru – A popular Russian IT Security site. Reported at sla.ckers.org by tecklord
telenor.com.pk - a large Norwegian mobile service provider, this is their Pakistan domain. Reported at sla.ckers.org by maluc
www.teliadk.idlesurf.net - cell phone service provider in Denmark. Reported at sla.ckers.org by maluc
se.ext.telia.newjobs.com – Swedish site. Reported at sla.ckers.org by maluc
home.singtel.com – Singapore cell phone company. Reported at sla.ckers.org by maluc

[newpage=XSS Vulnerability Was Repaired]

XSS Vulnerability Repaired!

The following sites at one time had a XSS vulnerability but have repaired the problem. That is the whole point of this list and we commend them for acting responsibly. Nearly every large site has, or has had, XSS vulnerabilities. So being listed below is no shame, being listed in the unresolved section should be.

cunamutual.com – Reported to us on 11/24/06, notified on 11/26/06, fixed on 11/27/06. Great job! Screen Shot
dshs.wa.gov - {fixed} Department of Social and Health Services, Washington State. In the first case that we've seen they actually fixed the problem after noticing the XSS testing in their web server logs. This is how things should work. Fixed prior to 11/07/06.
marcopolosearch.org – {fixed} Internet Content for the Classroom sponsored in part by Verizon. Reported to NIST.org by anonymous. Site contact notified by us on 11/03/2006. Notified us the problem was fixed on 11/07/2006. Screen Shot
www.usda.gov –{fixed} Reported to NIST.org by anonymous. Multiple vulnerabilities. Agency notified by us on 10/24/2006. Fix noted on 11/03/06 - One vulnerability fixed, one system taken offline while repairs are made. Screen Shot
www.nist.gov – {fixed} U.S. Gov. site, no relation to nist.org. Multiple problems, Reported at sla.ckers.org by maluc on 10/10/06, fix noticed on 10/31/2006.
www.faa.gov –{fixed} U.S. Federal Aviation Administration, Reported to NIST.org by anonymous. (agency notified on 10/11/06. The problem was repaired in less than 10 hours. That's how things are suppose to work.)
www.healthfinder.gov – {fixed} Reported at www.seomoz.org on 8/21/06. Noted fix on 10/10/06
cit.nih.gov – {fixed} National Institutes of Health. Reported at www.seomoz.org on 8/21/06. Noted fix on 10/10/06
profiles.yahoo.com – {fixed} Reported by maluc on 9/27/06
knowledge.mcafee.com – {fixed} Another giant antivirus / security company.Reported at sla.ckers.org by maluc on 9/29/06.
www.thawte.com – {fixed} Reported at sla.ckers.org by Ghozt on 9/29/06
www.youtube.com – {fixed – Google must have helped them} Reported at sla.ckers.org by WhiteAcid and Kyran on 9/28/06
www.paypal.com - {fixed promptly} Reported by maluc on 9/27/06.
support.acunetix.com – {fixed} Reported by maluc on 9/27/06 Screen Shot
www.scanalert.com – {fixed promptly}. Multiple vulns. They certify sites as being 'safe from hackers'. Reported at sla.ckers.org by kirke and maluc on 9/26/06
search2.foxnews.com – {fixed} Reported at sla.ckers.org by RSnake on 9/25/06
www.breach.com – {fixed promptly} Vuln Reported at sla.ckers.org by kirke on 9/25/06
www.zdnet.co.uk – {fixed} Reported at sla.ckers.org by Kyran on 9/22/06
search2.foxnews.com – {fixed} Reported at sla.ckers.org by digi7al64 on 9/21/06
www.darkreading.com - (fixed – multiple issues, all resolved promptly} An IT Security news site that did an article on sla.ckers.org. Reported at sla.ckers.org by WhiteAcid on 9/21/06
search.dangdang.com - {fixed} Reported at sla.ckers.org by RSnake on 9/21/06
www.ninjaproxy.com – {fixed} Reported at sla.ckers.org by digi7al64 on 9/6/06
www.darkreading.com - {fixed}- An IT Security news site that did an article on sla.ckers.org. Reported at sla.ckers.org by Kyran
sfbay.craigslist.org – {fixed} Craig's List. Reported at sla.ckers.org by digi7al64
www.altavista.com - {fixed} – Reported at sla.ckers.org by Rsnake
greenpeace.org.uk – {fixed} - Found by Skyout at www.eof-project.net

this content item is from NIST IT Security
( http://www.nist.org/nist_plugins/content/content.php?content.61 )