suche4all.de XSS vulnerabilities

I recently visited suche4all.de (please don’t ask why 🙂) and stumbled across a search field which does not filter out HTML and JavaScript tags. I notified the webmaster but sadly he did not reply within two weeks.

So here we go:

suche4all - default home page

This is an excerpt of the default home page. Let’s try some HTML:

suche4all.de - iframe

The result:

suche4all.de - iframe included

The website shows the <iframe> which was “injected” with the help of the search field. Well, this is not a real problem since the code of the included page does not get executed on the suche4all.de server. But ofc it is still fun 😛 You can play around a little bit and inject some JavaScript, but I guess you won’t find any user visiting a manipulated website…
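To make the bug concrete from the defender's side, here is an added example (not code from suche4all.de, whose server-side code is not shown in the post) of a search handler that echoes the term unescaped, the hardened version that escapes it for an HTML text context, and a small check over constructed access-log lines that flags requests carrying HTML tags in the query. The parameter name `q`, the log format and the sample lines are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample query: an <iframe> typed into the search field, as in the post.
# Assumption: the search parameter is called "q".
SAMPLE_QUERY = "q=%3Ciframe+src%3D%22http%3A%2F%2Fexample.com%22%3E%3C%2Fiframe%3E"

# Constructed access-log lines (Common Log Format assumed), one benign, one probe.
LOG_LINES = [
    '203.0.113.5 - - [07/Apr/2010:10:00:01 +0200] "GET /?q=wetter HTTP/1.1" 200 5120',
    '203.0.113.9 - - [07/Apr/2010:10:00:02 +0200] '
    '"GET /?q=%3Ciframe+src%3D%22http%3A%2F%2Fexample.com%22%3E HTTP/1.1" 200 5400',
]

# Tags that have no business appearing in a search term.
SUSPICIOUS_TAG = re.compile(r"<\s*/?\s*(iframe|script|img|svg|object)\b", re.IGNORECASE)


def search_term(query_string: str) -> str:
    """Extract the search term from a URL query string (empty string if absent)."""
    return parse_qs(query_string).get("q", [""])[0]


def render_vulnerable(term: str) -> str:
    """Echo the term verbatim: an <iframe> in the term becomes a real <iframe>
    in the response. This reproduces the behaviour the post describes."""
    return f"<p>Results for: {term}</p>"


def render_hardened(term: str) -> str:
    """Escape the term for an HTML text context before echoing it, so the
    browser shows the tag as text instead of rendering it."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def contains_tag(rendered: str, tag: str = "iframe") -> bool:
    """True if the rendered HTML still contains a live <tag ...> element."""
    return f"<{tag}" in rendered.lower()


def flag_suspicious_requests(log_lines):
    """Return log lines whose URL-decoded request carries an HTML tag:
    a cheap first-pass detection for probes like the one shown in the post."""
    return [line for line in log_lines if SUSPICIOUS_TAG.search(unquote_plus(line))]


if __name__ == "__main__":
    term = search_term(SAMPLE_QUERY)
    print(render_vulnerable(term))
    print(render_hardened(term))
    print(flag_suspicious_requests(LOG_LINES))
```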

Update from 7th April 2010: As I just found out, this vulnerability was already detected in 2008.