XSS vulnerabilities

I recently visited (please don’t ask why 🙂 ) and stumbled across a search field which does not filter out HTML and JavaScript tags. I notified the webmaster but sadly he did not reply within two weeks.

So here we go:

[Screenshot: suche4all - default home page]

This is an excerpt of the default home page. Let’s try some HTML:

[Screenshot: iframe]

The result:

[Screenshot: iframe included]

The website shows the <iframe> which was “injected” with the help of the search field. Admittedly this is not a real problem for the server, since the code of the included page is only rendered in the visitor’s browser and never executed on the server. But of course it is still fun 😛 You can play around a little and inject some JavaScript, but I guess you won’t find any user visiting a manipulated website…
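To make the defect concrete, here is an added example (not code from the blog post or from suche4all) of the two halves of a search results page: one that reflects the raw query into the HTML, as the post describes, and one that escapes it first. The page template, the `q` parameter name and the probe string are assumptions for illustration; `html.escape` from the Python standard library is the fix.

```python
import html
from urllib.parse import parse_qs, urlparse

# Minimal stand-in for a search results page (constructed for this example;
# the template and the parameter name "q" are not suche4all's real code).
TEMPLATE = (
    "<html><body>"
    "<h1>Search results</h1>"
    "<p>You searched for: {query}</p>"
    "</body></html>"
)


def query_from_url(url: str) -> str:
    """Extracts the 'q' parameter the way a server would read it from the URL."""
    params = parse_qs(urlparse(url).query)
    return params.get("q", [""])[0]


def render_vulnerable(query: str) -> str:
    """Reflects the raw query into the HTML: the defect described in the post.

    str.replace is used instead of str.format so that braces in the query
    cannot break the template itself."""
    return TEMPLATE.replace("{query}", query)


def render_fixed(query: str) -> str:
    """Escapes the query for an HTML text context before reflecting it.

    html.escape(quote=True) turns <, >, &, " and ' into entities, so any tag
    in the query is displayed as text instead of being parsed as markup."""
    return TEMPLATE.replace("{query}", html.escape(query, quote=True))


def reflects_markup(page: str, probe: str) -> bool:
    """Defender-side check: does a harmless markup probe survive unescaped?

    A probe such as '<b>marker</b>' is enough to show whether a field is
    reflected without encoding; nothing has to execute to detect the issue."""
    return probe in page


if __name__ == "__main__":
    # Constructed sample request, as a reviewer would submit it to a test instance.
    url = "http://example.invalid/search?q=%3Cb%3Exsscheck%3C%2Fb%3E"
    probe = query_from_url(url)
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        page = render(probe)
        print(f"{name}: reflects unescaped markup = {reflects_markup(page, probe)}")
```

The escaping has to happen at output time and match the context (here, HTML text); stripping "bad" tags on input, as the post's wording "filter out" suggests, is a weaker fix because it has to anticipate every encoding the browser will accept.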

Update from 7th April 2010: As I just found out, this vulnerability was already detected in 2008.