blizzard.com XSS - fixed within a day

[Remus]

that is the best option ^

[reduction]

If you think it is genuinely good. Then give it to a high ranked user such as myself and I will post it in a higher section and direct all rep to be given to you.

Thank you for your offer. I will take you up on it if I ever find something.

[Y R U A NUB ?]

Someone ban this troll please, every single post he has made is completely negative, ignoring all of the forums rules.

Yes please, listen to this completely mindless child and ban me.

[ZombieSnail]

Please what is a XSS?

[Y R U A NUB ?]

Please what is a XSS?

Cross Site Scripting, it's a pretty common JavaScript vulnerability that can be abused for cookie stealing and such. You can also re-direct to other sites. Let's say you use this XSS exploit, you use something like where it's vulnerable, mostly in the search function. Then you can just encode the link and make it look as if it's on Blizzards real site, then it re-directs to your phisher, and the victim is ****ed.

[parinoia]

How do you find the XSS? Do you just enter js codes until you hit something or is there an actual method to getting them?

[Y R U A NUB ?]

How do you find the XSS? Do you just enter js codes until you hit something or is there an actual method to getting them?

Type this in the search function on the site you want to check:



That should output a little box that says "IT WORKS!" if it works, and it's search function is vulnerable.

[parinoia]

Well I tried it on WoW Guild Rankings :: WoWProgress - World of Warcraft Rankings and History and got a normal looking search page with alert("IT WORKS!")" :: World of Warcraft Rankings and History." /> at the top, but I dont think that's what I want lol

[Y R U A NUB ?]

Well I tried it on WoW Guild Rankings :: WoWProgress - World of Warcraft Rankings and History and got a normal looking search page with alert("IT WORKS!")" :: World of Warcraft Rankings and History." /> at the top, but I dont think that's what I want lol

Yeah, that's just a sign that it's not vulnerable. Try another site.

[Poiview1]

I don't suggest jumping into javascript and cookie jacking until you understand the language first, atleast to an extent. That was a beautiful find, a shame that it has been fixed.

Good luck,
-Ku

[ZombieSnail]

Cross Site Scripting, it's a pretty common JavaScript vulnerability that can be abused for cookie stealing and such. You can also re-direct to other sites. Let's say you use this XSS exploit, you use something like where it's vulnerable, mostly in the search function. Then you can just encode the link and make it look as if it's on Blizzards real site, then it re-directs to your phisher, and the victim is ****ed.

Thank you very much for short and good explanation +Rep

[Ahskrew]

to bad it got fixed

[Y R U A NUB ?]

Thank you very much for short and good explanation +Rep

Oh, thanks a bunch

[Intu]

LoL, you guys have no idea, Blizzard uses a php script that auto changes the link, its what banks use for online banking, paypal and ebay do it to. Shoot even I use it.

[Kallerballer]

sad :/ .. we got a blizz on mmo ! who it is ... o.O ?