web application security lab

Archive for January, 1970

Google’s 404 script was vulnerable to UTF-7

Thursday, January 1st, 1970

This is interesting, not because Google is vulnerable again, but because it is a pretty common mistake. IE's default 404 doesn't show the page, but if the server creates its own custom 404 page, that can be problematic if the developers don't know how to strip out XSS.
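As an added illustration (not code from the original post or from Google's 404 script), the pair of handlers below contrasts a custom 404 page that reflects the requested path verbatim with no charset declared against one that both pins the charset (so a browser cannot sniff the response as UTF-7) and HTML-encodes the reflected path. The sample paths, including a UTF-7 encoded tag, are constructed here for the demonstration.

```python
import html
from typing import Dict, Tuple

# Constructed sample request paths (not from the original post): one is
# plain, one carries an HTML tag, one carries the UTF-7 encoded form of the
# same tag (+ADw- and +AD4- are the UTF-7 encodings of '<' and '>').
SAMPLE_PATHS = [
    "/docs/missing-page",
    "/<script>alert(1)</script>",
    "/+ADw-script+AD4-alert(1)+ADw-/script+AD4-",
]

def vulnerable_404(path: str) -> Tuple[Dict[str, str], str]:
    """Custom 404 that reflects the path verbatim and declares no charset.
    Shown only so the defect is visible next to the fixed version."""
    headers = {"Content-Type": "text/html"}
    body = f"<html><body><h1>Not Found</h1><p>No such page: {path}</p></body></html>"
    return headers, body

def hardened_404(path: str) -> Tuple[Dict[str, str], str]:
    """Custom 404 that (1) declares the charset in the header and the
    document, so the browser never auto-detects UTF-7, and (2) HTML-encodes
    the reflected path so '<', '>', quotes and '&' cannot open a tag."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    safe = html.escape(path, quote=True)
    body = (
        '<html><head><meta charset="utf-8"></head>'
        f"<body><h1>Not Found</h1><p>No such page: {safe}</p></body></html>"
    )
    return headers, body

def reflects_raw_tag(body: str) -> bool:
    """Check for the first failure mode: an unencoded script tag in the body."""
    return "<script" in body.lower()

def declares_charset(headers: Dict[str, str]) -> bool:
    """Check for the second failure mode: a text/html response with no charset."""
    return "charset=" in headers.get("Content-Type", "").lower()
```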

Yahoo mail vulnerable

Thursday, January 1st, 1970

Yahoo mail was found to be vulnerable to onload event handlers inside of style tags. This attack is not explicitly described on my XSS page, because every variant of every event handler inside every HTML tag would end up making my page hundreds of times longer. I try to keep my page as brief and information packed as possible, but this is worth noting.

XML data island with comment obfuscation

Thursday, January 1st, 1970

I added another vector using an XML data island that does not use CDATA to obfuscate it like the previous version, but instead uses comments. It works in IE and Netscape 8.0 on trusted site settings.

PHP_SELF

Thursday, January 1st, 1970

Interesting little writeup on how PHP_SELF needs to be sanitized before being used. This is for those PHP developers out there.

Locally hosted XML with embedded JavaScript that is generated using an XML data island

Thursday, January 1st, 1970

I found a way to use locally hosted XML with embedded JavaScript that is generated using an XML data island. This is a pretty nice little vector if you can include a file on the server in question.

Meta using link

Thursday, January 1st, 1970

Okay, so today I decided to pick on Opera. I found two holes that are basically the same: both use a Meta tag to import a remote style sheet by setting the Link header. Pretty tricky. Using the same method I can call JavaScript directly, although I don't like that one as much because it has the word JavaScript on the page.

Xanga XSS worm

Thursday, January 1st, 1970

This was an interesting variant of the Myspace worm, using the same XSS tools, but using a different vector. They used a style sheet URL with a JavaScript directive that was broken up by whitespace. This is a nice working example of filter evasion in the real world.

Meta using data: URL scheme and Remote style sheet part 4

Thursday, January 1st, 1970

So I added two vectors. The first is "Meta using data: URL scheme", which uses the data: protocol to carry a base64-encoded JavaScript page. The second is "Remote style sheet part 4", which binds a remote XUL file to Gecko rendering engines; the XUL file can contain JavaScript.

Malformed IMG tag

Thursday, January 1st, 1970

Originally found by Begeek, I cleaned up this vector considerably and made it work in all browsers. Despite what the article says, it is not a Firefox exploit, but rather a consequence of how all rendering engines handle malformed encapsulation within HTML tags. Pretty tricky though, and it makes things pretty hard for filters that use homebuilt rendering engines.

Microsoft Anti-Cross Site Scripting Library

Thursday, January 1st, 1970

To replace Microsoft's IOSEC product they have come out with a program that is apparently a subset of the original for .NET programmers. Although it has more promise, it is currently not up to par with its predecessor in terms of coverage, according to the blog. Interesting ideas coming out of Redmond nonetheless.