My first rickroll

Every time I find an XSS I always save it in Delicious. The other night I did the same, but something was different. The “save bookmarks” dialog looked a little messed up. Upon investigation I found an XSS on Delicious itself. Here is how it looked. The problem was fixed less than 10 hours later.… Read More »

Day 27: Cross-site scripting vulnerability at

Like any good security vulnerability this one starts with a good friend suggesting a link, this time a TV show on Hulu. Since it’s XSS awareness month my attention immediately went to the search box. I entered the same query, which showed a vulnerability at (hey Steve/Apple, since I am not being credited with the find,… Read More »

Day 19: Cross-site scripting vulnerability at

Doing a little research before a movie night I was looking through the Netflix movie database. I couldn’t really decide which movie to watch, so I looked for completely unrelated stuff. In this case I entered a query which has served me well (300 and counting XSS): Zhivago"><script>alert('00ps')</script> Ok, I don’t normally use Zhivago ;).… Read More »

Day 7 and 8: Safer Internet Day

Earlier this week I was made aware that everybody in Denmark got a copy of the “Net Sikker Nu” magazine. It’s part of a yearly campaign to educate users on how to keep safe on the internet. Today (February 8) was Safer Internet Day in Europe. There is plenty of good advice, e.g. “Don’t click… Read More »

Day 6: Why can’t you fix an XSS in less than a week?

In Day 4 and the first success I wrote about how responded to and fixed the vulnerability I found in their web site. I have had other site owners respond and fix vulnerabilities. The vulnerabilities which have been fixed have all (with one exception) been fixed in less than a week. Receiving an externally reported security… Read More »

Day 5: The most popular vulnerabilities

Vulnerability statistics. When I started this research I had no idea what I was looking for; I just did it for the thrill of discovery, or for fun. After a while I thought I could perhaps learn something by classifying the vulnerabilities. I used “view source” to see exactly why the XSS was triggered and then… Read More »
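As an added illustration, not code from this blog, here is how the probe query quoted in the Day 19 post and the "view source" classification described in Day 5 can be turned into an automated check. The two page-rendering functions (one echoing the query raw, one entity-encoding it) and the context labels "attribute", "script" and "text" are constructed for this example; they are not the author's sites or the author's published statistics.

```python
"""Reflected-XSS probe check plus a rough "view source" context classifier.

Added example. PROBE is the query quoted in the Day 19 post (smart quotes
normalised to ASCII); everything else is constructed for illustration.
"""
import html
import re

# The probe from the Day 19 post: closes an attribute value and its tag,
# then injects a script element.
PROBE = 'Zhivago"><script>alert(\'00ps\')</script>'


def render_search_vulnerable(query: str) -> str:
    """Constructed search page that echoes the query unencoded, both inside
    the input's value attribute and in a text node (the common pattern)."""
    return (
        '<html><body>'
        f'<form><input type="text" name="q" value="{query}"></form>'
        f'<p>No results for {query}</p>'
        '</body></html>'
    )


def render_search_fixed(query: str) -> str:
    """Same page with HTML entity encoding applied at the output point."""
    safe = html.escape(query, quote=True)  # encodes < > & " and '
    return (
        '<html><body>'
        f'<form><input type="text" name="q" value="{safe}"></form>'
        f'<p>No results for {safe}</p>'
        '</body></html>'
    )


def classify_reflection(body: str, probe: str) -> list:
    """Return one context label per verbatim (unencoded) copy of `probe`.

    This automates what the author did by hand with "view source": find the
    reflected probe and look at the markup immediately before it. Labels are
    an assumed taxonomy: "attribute" (inside a double-quoted attribute value),
    "script" (inside an open <script> element) or "text" (a text node).
    An empty list means the probe never came back unencoded.
    """
    contexts = []
    for match in re.finditer(re.escape(probe), body):
        before = body[:match.start()]
        # The text before us ends in   ="   with no closing quote afterwards.
        if re.search(r'=\s*"[^"]*$', before):
            contexts.append("attribute")
        # An opening <script> tag with no </script> after it.
        elif re.search(r'<script[^>]*>(?:(?!</script>).)*$', before, re.S):
            contexts.append("script")
        else:
            contexts.append("text")
    return contexts


def is_reflected_unencoded(body: str, probe: str) -> bool:
    """True when at least one unencoded copy of the probe is in the response."""
    return bool(classify_reflection(body, probe))


if __name__ == "__main__":
    for name, page in (("vulnerable", render_search_vulnerable(PROBE)),
                       ("fixed", render_search_fixed(PROBE))):
        print(name, classify_reflection(page, PROBE))
```

The classifier only looks at the markup before each reflection, which is enough to separate the attribute break-out that the probe targets from a plain text-node reflection; a real scanner would also check whether the reflection sits inside a single-quoted attribute or a JavaScript string, where this particular probe would not fire but a different one would.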

Day 4 and the first success

I had 211 XSS when I started writing this series of blog posts; the total as of writing this post is 237. These vulnerabilities are so ubiquitous that I will contend it’s much, much harder to find a web site that is actually safe to use. Today's letter is the digit 2. The digit 2… Read More »


Due to a bad cold I was not able to post anything yesterday. Rest assured that you will not miss any of the daily letters nor any of the TLDs. Yesterday's letter was z. The letter z is found 5 times. One occurrence is from a framed search on Eurocard. This was fixed very rapidly… Read More »

Cross-site scripting awareness month

I am going to declare February my personal Cross-site scripting (XSS) awareness month. It’s short enough that writing a post every day is manageable. Although I have no detailed plan for what to write about, I think 199+ vulnerabilities should be sufficient material to find something to write about. The first 180 vulnerabilities were collected… Read More »