Website: http://www.stopthehacker.com/
vulnerabilities: XSS
-------------------------------------------------------------------------------
Cross Site Scripting
At a glance
Classification
Input Validation Error
Resource
http://www.stopthehacker.com/create-an-account/
Risk
High
Discussion
Cross-site scripting (XSS) is a class of vulnerabilities affecting web applications that can result in security controls implemented in browsers being circumvented. When a browser visits a page on a website, script code originating in the website's domain can access and manipulate the DOM (document object model), a representation of the page and its properties in the browser. Script code from another website cannot. This is known as the "same-origin policy", a critical control in the browser security model. Cross-site scripting vulnerabilities occur when a lack of input validation permits users to inject script code into the target website such that it runs in the browser of another user who is visiting the same website. This circumvents the browser's same-origin policy because the browser has no way to distinguish authentic script code from inauthentic script code apart from its origin.
Impact
* The precise impact depends greatly on the application.
* XSS is generally a threat to web applications which have authenticated users or are otherwise security sensitive.
* Malicious code may be able to manipulate the content of the site, changing its appearance and/or function for another user.
* This includes modifying the behavior of the web application (such as redirecting form submissions).
* The code may also be able to perform actions within the application without user knowledge.
* Script code can also read and retransmit cookie values if the cookies have not been set with the HttpOnly flag.
Remediation
* The developer must identify how the untrustworthy data is being output to the client without adequate filtering.
* There are various language/platform specific techniques for filtering untrustworthy data.
* General rules for preventing XSS can be found in the recommended OWASP XSS Prevention Cheat Sheet (see references).
Detailed Findings
Resource
http://www.stopthehacker.com/create-an-account/
Request
POST /create-an-account/ [website-url=http://example.com/?ro0ted_form_test email=ro0ted@example.com service-price=1 service-id=1-->">'>'" service-name=Joey service-term=1 ]
-----------------------------------------------------------------------
Cross Site Scripting
At a glance
Classification
Input Validation Error
Resource
http://www.stopthehacker.com/create-an-account/
Risk
High
Detailed Findings
Resource
http://www.stopthehacker.com/create-an-account/
Request
POST /create-an-account/ [website-url=http://example.com/?ro0ted_form_test email=ro0ted@example.com service-price=1 service-id=1 service-name=Joey service-term=1.htaccess.aspx-->">'>'" ]
----------------------------------------------------------------------------------
Cross Site Scripting
At a glance
Classification
Input Validation Error
Resource
http://www.stopthehacker.com/support/
Risk
High
Detailed Findings
Resource
http://www.stopthehacker.com/support/
Request
POST /support/ [keywords=Search topics-->">'>'" search-support=1 ]
-----------------------------------------------------------------------
Cross Site Scripting
At a glance
Classification
Input Validation Error
Resource
http://www.stopthehacker.com/enterprise/
Risk
High
Detailed Findings
Resource
http://www.stopthehacker.com/enterprise/
Request
POST /enterprise/ [formBuilderForm[FormBuilderID]=9 formBuilderForm[First_Name]=Joey formBuilderForm[Last_Name]=Ramone formBuilderForm[Title]=ro0ted formBuilderForm[Company]=subgraph formBuilderForm[Email]=ro0ted@example.com formBuilderForm[Phone]=2129824052-->">'>'" formBuilderForm[City]=New York formBuilderForm[State]=NY formBuilderForm[Country]=US REFERER=http://www.stopthehacker.com/ PAGE=http://www.stopthehacker.com/enterprise/ Submit=Submit ]
---------------------------------------------------------------------------------------
Cross Site Scripting
At a glance
Classification
Input Validation Error
Resource
http://www.stopthehacker.com/partners/channel-partners-2/
Risk
High
Detailed Findings
Resource
http://www.stopthehacker.com/partners/channel-partners-2/
Request
POST /partners/channel-partners-2/ [formBuilderForm[FormBuilderID]=1-->">'>'" formBuilderForm[Name]=Joey formBuilderForm[Company]=subgraph formBuilderForm[Phone]=2129824052 formBuilderForm[Email]=ro0ted@example.com formBuilderForm[Confirm_Email]=ro0ted@example.com formBuilderForm[Website]=http://example.com/?ro0ted_form_test formBuilderForm[Subject]=ro0ted formBuilderForm[Message]=ro0ted formBuilderForm[hope]=1 PAGE=http://www.stopthehacker.com/partners/channel-partners-2/ Submit=Submit ]
--------------------------------------------------------------------------------------
We found 16 Cross Site Scripting vulnerabilities. I suggest that before you guys become a "Security" company, you take care of your own problems.
by Ghost/ro0ted #ro0ted
//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information