43things.com=0D
=0D
Homepage:=0D
http://www.43things.com=0D 
=0D
Affected files:=0D
input box "I want to add to my list"=0D
posting a comment=0D
=0D
----------------------------------------=0D
=0D
XSS vuln via input text of the box "I want to____"=0D
=0D
When you add an item thats already on your list. =0D
=0D
For a PoC we have style tags with broken up javascript. Put thisitem in your list once, and then using the "I want to:" put it again:=0D
=0D
=0D
=0D
Screenshots:=0D
http://www.youfucktard.com/xsp/43things1.jpg=0D 
=0D
=0D
Now, in the same box even with no filter evasion we can even show our cookie. try putting:=0D
=0D
=0D 
=0D
And then, once again, like above, try putting it again in the same box.=0D
=0D
Our cookie:=0D
=0D
"This is remote text via xss.js located at youfucktard.com auth=7k5BtRfaYdbOdaaD%2BrHb8JGnJkroqKA2fR2Txs%2BO8BpvcxoRbeAe%2Bp3JZs2fhO7wu4IpF6ofcq1dROtVuHwTiQFkMV3U7pl%2FmcmA4ICJmLk%3D; ubid=4G%2BZUgL4cQNV0JT1ixHx5obNSs0%3D; _session_id=837ecebc52b1d47edd9c65e29a945de8; AWSUSER_ID=awsuser_id1150241074938r6320; AWSSESSION_ID=awssession_id1150241074938r6320"=0D
=0D
Screenshots:=0D
http://www.youfucktard.com/xsp/43things2.jpg=0D 
=0D
--------------------------------------=0D
=0D
XSS via posting a comment.=0D
=0D
Data here isn't properally sanatized here before being generated. We see that even with no filtering we can insert something like:=0D
=0D
=0D
and it will create our xss example. =0D
=0D
Screenshot3:=0D
http://www.youfucktard.com/xsp/43things3.jpg=0D 
=0D
However, it wont actually insert the comment, it will just execute it. So to bypass "malformed html found" error msg, we will use the numerial refference of <> which is < and >, along with double beginning and ending tags. For a PoC tryputting the code below as a comment:=0D
=0D
<<>>=0D
=0D
Screenshots:=0D
http://www.youfucktard.com/xsp/43things4.jpg=0D