Cross-Site Scripting (XSS) Vulnerabilities
A list of XSS vulnerabilities that I reported.
note
The Alexa Global Rankings in the list below is not up to date.
#
mediafire.com![mediafire xss vulnerability](/assets/images/mediafire-1-f06746134cfa1025e211c108866b066e.png)
Alexa Global Rank(at the time): 150
Date: 2013
#
avast.com![avast xss vulnerability](/assets/images/avast-1-d1bdf97d6fc78c9612be5bdb7f9a4a0e.png)
![avast email](/assets/images/avast-2-c7c43b9460c8be93457c31ed4f80db6f.png)
I filed a security report on 16 September 2013 and received avast first reply on 17 September 2013.
#
imgur.com![imgur xss vulnerability](/assets/images/imgur-2-9395bb909eaf7bdfe79d82ada8e81161.jpg)
A persistent cross site scripting vulnerability located in the private message feature of the site. An attacker can craft a malicious private message and send it to anyone by injecting </textarea><script>payload here</script>
into the message body. When a victim views the message, the payload will be executed.
Alexa Ranking(at the time): 90
Reported on October 12 2012 and fixed on October 13 2012.
Extra: Had a little bit of talk with Alan Schaaf (CEO of imgur), he’s a really friendly guy!
#
ndtv.com![ndtv xss vulnerability](/assets/images/ndtv-2-8c193842085bf583d91c3c05182727f5.jpg)
Reflected XSS
Alexa Ranking: 442
Fixed on: 17/11/2012
#
wikiHow.com![wikiHow logo](/assets/images/wikihow-1-036a0a557fc4e40ececac95229d8849a.png)
![wikiHow xss vulnerability](/assets/images/wikihow-2-352098531f85ddbae1748a2cdf87478f.jpg)
Stored XSS: During registration, an attacker could insert malicious payload into the "real name" field.
This vulnerability was reported on 10 November 2012 and fixed on 24 November 2012. The bug fixing process went very smoothly, thanks to the great engineering team!
#
mgid.com![mgid logo](/assets/images/mgid-1-19d7ff26b074b7854a82e931f880f483.png)
![mgid xss vulnerability](/assets/images/mgid-2-6277e482e2bbfe18271c677431d50e89.jpg)
Reflected XSS
Alexa Ranking: 226
#
avg.com.au![avg Logo](/assets/images/avg-1-6f8bea2e0deffe6eb62334a1fc4cf72f.png)
![avg XSS Vulnerability](/assets/images/avg-2-0b5e0b428d1a27749a28b6a287a40ce2.jpg)
Stored XSS
#
eHow.com![eHow Logo](/assets/images/ehow-1-dbd0bfa9872fbcbfb3931b5efc955e26.png)
![eHow XSS Vulnerability](/assets/images/ehow-2-772952dc49a2f0d1acd27eaa95527301.jpg)
Reflected XSS
Alexa Global Rank: 265
#
Ask.com![Ask Logo](/assets/images/ask-1-4103d582e896b08ee75b037788db6918.png)
![Ask XSS Vulnerability](/assets/images/ask-2-011d47b8d67ba83a519c90cb909f3536.jpg)
A Reflected XSS on a subdomain of ask.com
Alexa Ranking: 47
#
Histats.com![Histats XSS Vulnerability](/assets/images/histats-2-b8adc532bcdb71931ec8bbe1e2a56201.jpg)
Stored XSS
#
Toysrus.com![Toysrus Logo](/assets/images/toysrus-1-ae6a191f24652fbb12fdd1c82d7b04be.png)
![Toysrus XSS Vulnerability](/assets/images/toysrus-2-1eab512d825118c2d8c68d64b34eeffb.jpg)
Reflected XSS
Alexa Ranking (at the time): 444
#
Weather.com![Weather Logo](/assets/images/weather-1-b020888008bcc0087c4aa4fed170f5d1.jpg)
![Weather XSS Vulnerability](/assets/images/weather-2-9fc4c527db115f00e484680883f88336.jpg)
Reflected XSS
Alexa Ranking (at the time): 119
#
Panasonic.com.au![Panasonic Logo](/assets/images/panasonic-1-2b8c01c6272f309acdb8a7adc601df6e.jpg)
![Panasonic XSS Vulnerability](/assets/images/panasonic-2-e3fda3a3a20c3fe5a7526895923778ae.jpg)
Stored XSS
#
Goal.com![Goal Logo](/assets/images/goal-1-b1ab66b5dbdd0a35d65ed261b2d1f8ce.png)
![Goal XSS Vulnerability](/assets/images/goal-2-bf4643d926ebfcaff8d14a1d3e906091.jpg)
A reflected XSS in the search bar.
Alexa Ranking (at the time): 320
Fixed on: 11/2012
#
dictionary.com![dictionary XSS Vulnerability](/assets/images/dictionary-2-88d97909a007879a10f6080ed3798d08.jpg)
Reflected XSS
Alexa Ranking (at the time): 179
Fixed on: 11/2012
#
mywebsearch.com![mywebsearch XSS Vulnerability](/assets/images/mywebsearch-2-b351bc082174cc1569c80b65fafbe2b5.jpg)
Reflected XSS
Alexa Ranking (at the time): 77
Fixed on: 17/11/2012
#
ShoutJax.com![ShoutJax XSS Vulnerability](/assets/images/shoutjax-2-6ec6f1333f9bae86a22b04418ec5861d.jpg)
A stored cross site scripting vulnerability located in the shoutbox.
Fixed on: 5/10/2012