I got the idea to make my stats, so i've requested a database copy (just the part about my submissions) I've wait and.. no answer.
Hmm alright, I've coded my tool for grab datas and export the shit in Excel :)
For don't make this post looking empty, I will retrace also my past of 'xssboy'
xssed.com is an online vulnerability archive, the largest on-line database of websites vulnerable to cross site scripting attacks.
I've found XSSed in December 2007 and my period of high activity was in 2008/2009 to finally be part of the top.
Special ranking (Governement/International etc...):
XSSed publishing activities:
I've stopped to submit since a long time... but the XSSed staff keep to add my stuff.
Publishing a 2008 xss in 2011 (I wonder what's my amount of not yet validated stuff):
My types of submissions:
And also some 'special' submit like:
Who required staff intervention to make the mirror valid (adding the source manually or a screenshot, like for facebook):
Top 20 XSSed TLD:
To find vulnerabilities I've mainly searched by thematic (TDL/Topicality) like this:
And later i've started to automate my xss searching.
I've coded my own tools (and released them few months after)
XSS Scanner (2008): My first scanner, released for Halloween on a underground forum.
Lame crap coded in two mins:
Tiny XSS Scanner (2009): More stable/clean and released with the source code.
Tiny LFI Scanner (2009) Nothing related with XSS vulns, my mate tr00ps just joined the festivity
I've also made two papers about the cross, published firstly on Milw0rm, one of them was released later on "50-1337" (a French ezine)
Before the mag we have made (p3lo and me) the Attack-Vector project.
I've also published some security advisories during the time of xssing.com.
And one 'PoC pack' targeting Google.
In this demo (by p3lo) technic employed by the attacker will be the MITM proxy keylogger.
An XSS is dangerous yeah.. what's about redirect vulnerability?
A guys selling xss vulnerability and panel for Yahoo:
Like that i've started to derivate on browser vulnerabilities, playing with BEeF etc...
To finish, some noise:
Google accounts SSL login page suffers from highly critical XSS:
Five Sun.com XSS flaws in the SSL user login page:
Skype.com SSL powered support page vulnerable to XSS:
F-Secure.com vulnerable to cross-site scripting:
New HSBC and Barclays bank XSS and open redirect bugs:
I've never asked a reward.
On the past and like today: i do it for fun, not for profit.
btw il fallait absolument que je te chambre Xartrick, donc voilà: