Some websites validate a few inputs carefully but leave others untouched, assuming that no user will ever pass anything strange in them.
The FrOSCon website (froscon.de) is an example of exactly this kind of XSS risk.
If you go to this page:
http://www.froscon.de/index.php?id=41&mid=132&ret=15
You will see a link that goes back to the previous post. Unfortunately the id of that post is taken straight from the requested URL (the `ret` GET parameter) and written into the link without any cast or validation. This is a very common class of XSS bug: a page number, date or id is passed around in links and never validated, because the developer only ever expected a number there.
All you have to do is replace the value of the `ret` GET parameter with a URL-encoded JavaScript string. Prefix it with a double quote (`%22`) so that it closes the quoted `href` attribute and the rest of the payload lands in the page as markup:
http://www.froscon.de/index.php?id=41&mid=132&ret=%22%3Cscript%3Ealert%281%29%3C/script%3E
The result is the usual one: the injected script runs in the visitor's browser in the context of froscon.de. Since the payload travels in a GET parameter, this is a reflected XSS, so an attacker has to get a victim to follow the crafted link (or load it from another page), but once that happens the script can read cookies and act on the site as that visitor.
How to prevent XSS attacks like this?
To prevent this mistake developers should validate, cast or escape every value taken from GET, POST and cookies before it reaches the page. A post id is a number, so the simplest fix is to cast it to an integer and fall back to a default when the cast fails; nothing that is not a digit can then reach the output. Values that genuinely are free text must be escaped for the context they are written into (in PHP, `htmlspecialchars()` for HTML and attribute content), and a value that ends up inside a URL should be URL-encoded first and then HTML-escaped, because it sits in two contexts at once.
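The following is an added example, not code from the froscon.de site (which runs PHP; this is Python so it can be run anywhere). It rebuilds the "back" link three ways: the vulnerable string interpolation the post describes, a version that casts `ret` to an integer, and a version that URL-encodes and then HTML-escapes the value for use in the `href` attribute. The link template, parameter names and default id are assumptions for the demonstration; the payload URL is the one from the post.

```python
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

# The crafted URL from the post. parse_qs decodes %22, %3C, ... back into
# the raw characters the server-side script would see in $_GET['ret'].
PAYLOAD_URL = ("http://www.froscon.de/index.php?id=41&mid=132"
               "&ret=%22%3Cscript%3Ealert%281%29%3C/script%3E")
BENIGN_URL = "http://www.froscon.de/index.php?id=41&mid=132&ret=15"

# Assumed link template; the real page's markup is not shown in the post.
LINK_TEMPLATE = '<a href="index.php?id={value}">back</a>'


def get_params(url: str) -> dict:
    """Return the GET parameters of a URL as a plain {name: first_value} dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def back_link_vulnerable(ret: str) -> str:
    """The bug: the parameter is interpolated straight into the attribute.
    A leading double quote closes the href and the rest becomes markup."""
    return LINK_TEMPLATE.format(value=ret)


def back_link_cast(ret: str, default: int = 0) -> str:
    """Fix 1 (cast): an id is a number, so reject anything that is not one.
    Non-numeric or negative input falls back to the assumed default id."""
    try:
        post_id = int(ret)
    except ValueError:
        post_id = default
    if post_id < 0:
        post_id = default
    return LINK_TEMPLATE.format(value=post_id)


def back_link_escaped(ret: str) -> str:
    """Fix 2 (escape): for values that must stay free text, encode for both
    contexts the value sits in: URL-encode for the query string, then
    HTML-escape (including quotes) for the attribute it is written into."""
    return LINK_TEMPLATE.format(value=escape(quote(ret, safe=""), quote=True))


def contains_script_tag(html: str) -> bool:
    """Crude check used only to show whether the payload survived as markup."""
    return "<script>" in html


if __name__ == "__main__":
    ret = get_params(PAYLOAD_URL)["ret"]
    print("raw parameter:", ret)
    for name, fn in (("vulnerable", back_link_vulnerable),
                     ("cast", back_link_cast),
                     ("escaped", back_link_escaped)):
        html = fn(ret)
        print(f"{name:>10}: {html}  -> script tag present: {contains_script_tag(html)}")
    print("benign:", back_link_cast(get_params(BENIGN_URL)["ret"]))
```

Of the two fixes, the cast is the right one for this page: an id never needs to carry anything but digits, and rejecting everything else removes the whole class of problem rather than just this payload. Escaping is what you fall back to when the value really is text, and it only works if the encoding matches the output context.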