TheDefaced.org team contacted our partner XSSed.com to communicate their last discovered vulnerability in the well-known Justin.TV broadcasting website and have released a JavaScript Worm that is presented by  XSSing.com in our XSS Worms section.

Here's a statement from XSSed news about the discovery:
"As of 'Sat, 28 Jun 2008 21:52:33 GMT' - An XSS worm was released on this website, this was and is meant only for research purposes. It was successfully executed and lasted roughly around 24 hours.
We have recorded such records making it possible for us to create graphical images graphing the progress of this XSS worm as it infected each profile upon the last being viewed.
The XSS Vulnerability was discovered and fixed during 'Sun, 29 Jun 2008 21:12:21 GMT', with an after mass of 2525 profiles."

You can find the Worm source code at this address:
http://worms.xssing.com/sources/justintv.txt

And all the details on XSSed.com news item:
http://www.xssed.com/news/75/Justin.tv_non-malicious_cross-site_scripting_worm/

published on 08/07/2008 by Nexus

After an inactive period the forums are finally back with some fix and modifications in order to make it more useable from all the users that alwawys proved their support to XSSing.com and its activities.

The spam issue has always ruined the forum activity so now it's up with two new features that should help in this way:
- the registration form now have an image verification that should most likely avoid spambots to register to the forum
- the forums flow is now monitored by Akismet, which is configured to disable spam posts and ban those users creating them.

It will probably get some false positive and disable legitimate posts and ban unguilty users: if this happens to you just contact us and clarify the problem and we'll restore your account.

Hope you enjoy and strike back to the forum!
Stay tuned.

published on 01/07/2008 by Nexus

Today a new vulnerability advisorie on PunBB Password Change and Cross Site Scripting has been published.

As you may know our Forum is using that Bulletin Board and in order to keep the data safe we already updated the software to the latest patched version 1.2.17, which solved this and other security issues affecting the previous versions.

The Cascading Style Sheet files will be restored within today, but if you notice any malfunctioning feel free to contact us.

published on 21/02/2008 by Nexus

With the new update of the website a new important feature has been added: RSS Feeds for the most important sections.
It was already planned from the beginning of the development but has been introduced only now for timing problems; the sections are:
- News
- XSS Cheats
- XSS Worms
- Docs
- Vulns

You can find an "RSS" link on the top-right corner of each page featuring it.
Enjoy!

published on 16/02/2008 by Nexus

Gnuciticen is organizing a Routers Hacking Challenge open to everyone interested in joining it!

It simply consists in a very flexible challenge where anyone can submit their discoveries about their own home Routers security flaws: Buffer overflow, XSS, CSRF.. everything is allowed!
Stress up your own home device and find as much vulnerabilities as you can, write them down and submit everything to the project page at this address: visit.
The most interesting and effective ones will be involved in media coverage and several researches about it.

Have fun!

published on 07/02/2008 by Nexus

For your interest i made a simple page that you can disfrut in order to try if your own vectors are able to bypass the most common PHP html encoding functions such as htmlspecialchars, htmlentities and strip_tags: the input will be parsed through this function and printed on the page as it is.

You can reach the page at this address: bypass.xssing.com.
You can discuss your results on the forum, enjoy!

published on 01/02/2008 by Nexus

We are really proud and happy to announce that from now over the two sites XSSing.com and XSSed.com are affiliated and connected for the same informational purpose.
XSSed.com is one of the main reference website for the XSS security topic, and provide several great services such as:
- XSS Afflicted website database, updated daily on the users submissions
- A complete Articles section with the very best papers on this topic
- The Early Warning Mailing List, which provide news concerning any eventual XSS found on the specified website.
Continue reading this entry

published on 29/01/2008 by Nexus

Nexus released the new version of Seride PHP Library (updated to 0.1.1).
It's available for the download at this link: download.
With the new features addition, Seride reached a stable release that provide a more professional and complete solution for CSRF preventing needs.
Continue reading this entry

published on 29/01/2008 by Nexus

"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users" - Wikipedia

XSS is kicking ass from some times now, and it is growing up day by day thanks to very large interest obtained on the net: XSSing just follows that way.
Continue reading this entry

published on 26/01/2008 by Nexus