February, 2007

I'm obsessed with XSS, I can't help it. Whenever I stumble upon a new site I test it for common XSS attacks.
The really scary thing here is that most sites are in fact vulnerable. Usually I send the webmaster an e-mail, and I get a thank you very much back.

Some weeks ago while trying to log in to my online bank, I entered the wrong account number and an error message was returned. I noticed that the account number I entered the first time was used as the field value on the new login screen. I couldn't help it, and tried with one of the most common XSS payloads: ">.
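The pattern described above, a submitted value reflected straight back into a form field's `value` attribute, is what lets a stray `">` break out of the attribute. The following is an added example, not code from the original post or from any bank's site: it renders a constructed login form both the vulnerable way and with HTML attribute encoding, then parses the result the way a browser would to check whether the field still holds exactly what the user typed. The form markup, field name and sample account numbers are constructed for the demonstration.

```python
"""Reflected form value: unsafe rendering beside the attribute-escaped fix.

Added example (not from the original post). The login form markup, the
field name 'account' and the sample values below are constructed.
"""
import html
from html.parser import HTMLParser
from typing import Optional

# Constructed stand-in for the probe the post mentions: a value that
# tries to close the quoted attribute it is reflected into.
PROBE = '">'


def render_login_unsafe(account_number: str) -> str:
    """The vulnerable pattern: the submitted value is dropped into the
    value attribute with no output encoding at all."""
    return (
        '<form method="post" action="/login">'
        f'<input type="text" name="account" value="{account_number}">'
        '<input type="submit" value="Log in"></form>'
    )


def render_login_safe(account_number: str) -> str:
    """Same form, but the value is HTML-attribute-encoded first, so a
    quote character in the input becomes &quot; and cannot terminate
    the attribute."""
    safe = html.escape(account_number, quote=True)
    return (
        '<form method="post" action="/login">'
        f'<input type="text" name="account" value="{safe}">'
        '<input type="submit" value="Log in"></form>'
    )


class _InputCollector(HTMLParser):
    """Collects the attributes of every <input> tag, decoding character
    references the way a browser does."""

    def __init__(self) -> None:
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def reflected_value(markup: str) -> Optional[str]:
    """Return the value a browser would see in the 'account' field, or
    None when the field no longer parses as a single input as intended."""
    parser = _InputCollector()
    parser.feed(markup)
    fields = [i for i in parser.inputs if i.get("name") == "account"]
    if len(fields) != 1:
        return None
    return fields[0].get("value")


def round_trips(renderer, account_number: str) -> bool:
    """True when the parsed field value equals what the user submitted,
    i.e. the reflection stayed inside the attribute. A False result is
    the signal a reviewer or test suite should treat as a finding."""
    return reflected_value(renderer(account_number)) == account_number


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_login_unsafe),
                           ("safe", render_login_safe)):
        for value in ("12345678", PROBE):
            print(f"{name:6} {value!r:12} round-trips: "
                  f"{round_trips(renderer, value)}")
```

With an ordinary account number both renderers behave identically, which is why this class of bug survives normal testing; only the probe value shows that the unsafe version lets the input terminate the attribute while the escaped version preserves it verbatim.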