Cross-Site Scripting (XSS) Vulnerabilities
A list of XSS vulnerabilities that I reported.
Note: The Alexa Global Rankings in the list below are not up to date.
mediafire.com

Alexa Global Rank (at the time): 150
Date: 2013
avast.com


I filed a security report on 16 September 2013 and received Avast's first reply on 17 September 2013.
imgur.com

A persistent cross-site scripting vulnerability was located in the private message feature of the site. An attacker can craft a malicious private message and send it to anyone by injecting </textarea><script>payload here</script> into the message body. When a victim views the message, the payload will be executed.
Alexa Ranking (at the time): 90
Reported on October 12 2012 and fixed on October 13 2012.
Extra: Had a bit of a talk with Alan Schaaf (CEO of imgur); he's a really friendly guy!
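The textarea breakout in the imgur entry above and its fix, as an added example that is not imgur's code or part of the original report. It assumes the message body was rendered inside a <textarea> on the server; the function names and the template are hypothetical.

```javascript
// Added example: hypothetical server-side rendering of a private message.
// Function names and the template are assumptions, not imgur's code.

// HTML-encode the characters that can end a text context or start markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the message body is concatenated into the textarea as-is.
function renderMessageUnsafe(body) {
  return "<textarea readonly>" + body + "</textarea>";
}

// Hardened: the body is encoded at output time, so "</textarea>" stays text.
function renderMessageSafe(body) {
  return "<textarea readonly>" + escapeHtml(body) + "</textarea>";
}

// Simplified model of how a browser reads textarea content: everything up to
// the first closing </textarea> is text, and whatever follows is parsed as
// markup. Returns the part that would be parsed as markup.
function markupAfterTextarea(html) {
  const open = html.indexOf(">") + 1;
  const rest = html.slice(open);
  const m = /<\/textarea\s*>/i.exec(rest);
  return m ? rest.slice(m.index + m[0].length) : "";
}

// Regression check: does any script element end up outside the textarea?
function breaksOut(html) {
  return /<script\b/i.test(markupAfterTextarea(html));
}

// The string quoted in the report, used here as a test input.
const sample = "</textarea><script>payload here</script>";

console.log("unsafe breaks out:", breaksOut(renderMessageUnsafe(sample)));
console.log("safe breaks out:  ", breaksOut(renderMessageSafe(sample)));
console.log(renderMessageSafe(sample));
```

A check like breaksOut belongs in a regression test for the message template, so that a later change that drops the encoding is caught before release.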
ndtv.com

Reflected XSS
Alexa Ranking: 442
Fixed on: 17/11/2012
wikiHow.com


Stored XSS: During registration, an attacker could insert a malicious payload into the "real name" field.
This vulnerability was reported on 10 November 2012 and fixed on 24 November 2012. The bug fixing process went very smoothly, thanks to the great engineering team!
mgid.com


Reflected XSS
Alexa Ranking: 226
avg.com.au


Stored XSS
eHow.com


Reflected XSS
Alexa Global Rank: 265
Ask.com


A Reflected XSS on a subdomain of ask.com
Alexa Ranking: 47
Histats.com

Stored XSS
Toysrus.com


Reflected XSS
Alexa Ranking (at the time): 444
Weather.com


Reflected XSS
Alexa Ranking (at the time): 119
Panasonic.com.au


Stored XSS
Goal.com


A reflected XSS in the search bar.
Alexa Ranking (at the time): 320
Fixed on: 11/2012
dictionary.com

Reflected XSS
Alexa Ranking (at the time): 179
Fixed on: 11/2012
mywebsearch.com

Reflected XSS
Alexa Ranking (at the time): 77
Fixed on: 17/11/2012
ShoutJax.com

A stored cross-site scripting vulnerability was located in the shoutbox.
Fixed on: 5/10/2012