These days of several XSS vulns on known sites

The role and seriousness of cross-site scripting (XSS) vulnerabilities have been a subject of recent FD discussion.

The fact is that the following widely known targets have been affected since Saturday 3rd Nov:

sitekey.bankofamerica.com
search.money.cnn.com
www.paypal.com (two issues)
www.zone-h.org
movies.nytimes.com
www.fbi.gov
weblogs.macromedia.com
welcome.intel.com
developer.apple.com
searchg.symantec.com
www.mastercard.com
travel.state.gov
my.aol.com

Additionally, several Yahoo domains have unpatched XSS issues. Mastercardfrance.com has its own XSS vulnerabilities as well.

According to the Xssed.com archives, most of these are still unpatched. Some examples:

Symantec: XSS in search function at Enterprise section

Apple Developer Connection: XSS in search function

FBI: XSS in redirect-type URL (try www.fbi.gov/filelink.html?file=//google.fr manually)

Bank of America: XSS on Sign In page (https)

Paypal.com has fixed both of its issues.
