web application security lab

XSS Clearinghouse

Alf sent me a very interesting link today that pretty much validates a lot of the fears I’ve had about the potential of XSS in the underground. The link is to an XSS clearinghouse. It’s in German, but you can probably get the idea. Users go to the site and get to see some XSS for free; for the others, they have to contact the person who found the vulnerabilities. Not only that, but each entry comes side by side with a Google PageRank indicator to let you know how valuable the link is if you are into blackhat SEO.

This is probably nowhere near as dangerous as what it could be used for (redirecting a user or building a link farm out of high-PR sites here and there is thankfully one of the least malicious things you could do). However, the potential for far more malicious uses of something like this is very real in the not too distant future. I’ve already been asked about people trying to sell exploits, so it’s not like we are years away from this or anything. Pretty scary.

6 Responses to “XSS Clearinghouse”

  1. Kyran Says:

    Yup. Pretty bad stuff. I remember a few times on the boards, people were asking to buy exploits for a few specific sites.

  2. dusoft Says:

    9 and 8 PR links are available only via Kontakt - so I guess he sells them already.

  3. Sh.Crew Says:

    Our crew has found over 700 cross-site scripting issues, but only 20 webmasters answered!

  4. Wladimir Palant Says:

    dusoft, he writes there that he actually did contact eBay and Amazon, so maybe he is simply waiting before disclosing the information. That’s the optimistic interpretation at least…

  5. Jeremiah Grossman Says:

    I wonder if this has any relation to this…

    Games for Web Hackers
    http://www.disenchant.ch/blog/games-for-web-hackers/35

    What made me make the connection is the reference to PR in base cases.

  6. RSnake Says:

    @Jeremiah - interesting, but in this case, the sites might have had a PR but once you add the query string on top of it the PR is no longer there (because Google hasn’t indexed a new XSS vuln yet). The only way for this to work is persistent XSS where it hits a page that has already been indexed, or in the rare case where injecting a cookie and going to a page that’s already been indexed causes a vuln. Bizarre game.