I recently visited suche4all.de (please don’t ask why 🙂 ) and stumbled across a search field which does not filter out HTML and JavaScript tags. I notified the webmaster but sadly he did not reply within two weeks.
So here we go:
This is an excerpt of the default home page. Let’s try some HTML:
The website shows the `<iframe>` which was “injected” with the help of the search field. Well, this is not a real problem, since the code of the included page does not get executed on the suche4all.de server. But of course it is still fun 😛 You can play around a little bit and inject some JavaScript, but I guess you won’t find any user visiting a manipulated website…
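As an added illustration (not code from the original post or from suche4all.de), the Python sketch below shows a search-results page that reflects the query unescaped, the same page with the query HTML-escaped, and a small check a tester can run on the rendered output to see whether submitted markup comes back unchanged; the query and page template are constructed for the example.

```python
import html

# Constructed sample query: the kind of markup the post describes being reflected.
SAMPLE_QUERY = '<iframe src="https://example.invalid/"></iframe>'

# Constructed stand-in for the search-results page; {q} is where the query is reflected.
TEMPLATE = "<h1>Results for: {q}</h1>\n<p>No matches for {q}.</p>"


def render_results_unsafe(query: str) -> str:
    """Reflects the raw query into the page, as the unfiltered search field does."""
    return TEMPLATE.format(q=query)


def render_results_safe(query: str) -> str:
    """Escapes <, >, &, and quotes before reflecting, so markup is displayed, not parsed."""
    return TEMPLATE.format(q=html.escape(query, quote=True))


def reflects_raw_markup(page: str, query: str) -> bool:
    """Detection check: does the rendered page contain the submitted markup verbatim?"""
    return "<" in query and query in page


if __name__ == "__main__":
    for name, render in (("unsafe", render_results_unsafe), ("safe", render_results_safe)):
        page = render(SAMPLE_QUERY)
        print(f"{name}: raw markup reflected = {reflects_raw_markup(page, SAMPLE_QUERY)}")
```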
Update from 7th April 2010: As I just found out, this vulnerability was already detected in 2008.