XSSed.com: What, Who, Why?
Written by DP and KF
Tuesday, 6 March 2007
The goals of XSSed.com, are to provide informative resources on cross-site scripting(XSS) vulnerabilities and exploitation methodologies, and to archive XSS vulnerable websites for statistic purposes. Mirroring websites is a way to prove to vendors and webmasters, that the vulnerability really existed - in case of denial. Users will become more aware on protecting themselves on some websites, as XSS vulnerabilities are mostly targeting the users and not the websites.
XSSed.com is also an attempt to spread education and awareness about XSS to IT professionals and amateurs involved or interested in secure web application development.
The project is run by Kevin Fernandez and Dimitris Pagkalos.
There are still a lot of improvements in the TODO list including the ones listed below:
- RSS feeds.
- Search filters.
- More statistics.
- Submit POST data in the submission page.
- Add public and protected informations with the submitted XSS (more details will soon be available).
- Additional informations will be published on the mirror page (for instance the use of a specific browser to reproduce the vulnerability).
Submitting XSS vulnerable websites, should not be seen as a game for getting the lead in total submissions. Nevertheless we encourage you to submit XSS vulnerable websites for the greater good of a secure web. As RSnake commented on his blog post about XSSed.com, "It’s not who finds the most, it’s about the ease of finding them, the difficulty in stopping them, the various vectors, etc…". We seriously take in consideration such comments and suggestions for improvements by people with significant experience and expertise in the web application security field.
We call for papers and video tutorials that focus on exploiting XSS vulnerabilities and on preventing them.
Since the launch of XSSed.com, we received many notifications of high-profiled websites that got XSS'ed.
Here is a list of notable XSS'ed websites in the archive:
*.globo.com - Famous portal in Brazil
*.mynet.com - Famous portal in Turkey
login.pathfinder.gr - Famous portal in Greece
plus many other "special" websites, including governmental and military...
So far we have had visitors and submitters from - in order of number of visits - Turkey, Italy, United Kingdom, United States, Brazil, France, Russia, Germany, Czech Republic and Pakistan. We would like to thank you for supporting our project.
The XSS attack vectors used on the archived websites, were from RSnake's XSS cheat sheet.