web application security lab

Yet Another XSS Archive

Kuza55 pointed me to yet another XSS vulnerability archive today. Seems that there are more of these popping up recently. This one is a little better than most, although it only has a handful listed, compared to the 1000+ listed on

It appears to be mostly looking at international and .gov sites so far (with an emphasis on pagerank or importance). It also has metrics to track who is the top discoverer of XSS vulnerabilities. I’m just waiting for whoever is going to scrape the “so it begins” thread on and completely own the top poster, or use a series of google dorks to find hundreds or thousands of vulnerable XSSs. I’ve always thought ranking the number of vulnerabilities posted was rather silly given the sheer volume of vulnerable sites out there.

3 Responses to “Yet Another XSS Archive”

  1. kuza55 Says:

    I was thinking that rather than competing, could use as a 3rd party verifier (due to its mirroring capabilities), like defacers use zone-h as a 3rd party verifier, not that people who find XSS holes are in any way related to those who deface sites, but both groups face the problem that once it’s fixed there’s no real way to prove it. This would solve the issue of vendors being able to commit silent patches and claim that the vulnerability never existed.

  2. RSnake Says:

    Mirroring is a nice idea, although I’m not sure how valuable that really is unless you think the company will denounce that they were vulnerable. Most of the time I couldn’t care less if they want to admit it or not (except in the case of those few security companies).

    But the top posters thing strikes me as not really getting the point (not to mention it’s easily gamed). It’s not who finds the most, it’s about the ease of finding them, the difficulty in stopping them, the various vectors, etc… But I welcome anyone to use whatever format works best for them.

  3. What, Who, Why? | Says:

    […] we encourage you to submit XSS vulnerable websites for the greater good of a secure web. As RSnake commented on his blog post about, “It’s not who finds the most, it’s about the ease of finding them, the difficulty in […]