Fun with E*Trade

Most of these require the user to be logged in, and for those who don’t know, the ‘expression’ technique only works on IE. You will need to use a different method if you want to test it on other browsers. See Rsnakes cheat sheet for exmaples.;alert(/owned/);//&language=en&country=gl
(nav and subnav are also vulnerable parameters)

Leave a Reply

Your email address will not be published. Required fields are marked *