Here's the best part -- these websites are built terribly and are very open to this sort of thing.
After about 2 minutes of looking, I've just found that nic.io (or just io.) basically lets you type arbitrary html into the search boxes. Chrome's built in XSS auditor catches any scripts you put in there, but (at least) Firefox doesn't.
If you load it in Firefox (or any browser without an XSS auditor) it'll pop an alert, otherwise you'll just see the image I loaded and a link I inserted.
After about 2 minutes of looking, I've just found that nic.io (or just io.) basically lets you type arbitrary html into the search boxes. Chrome's built in XSS auditor catches any scripts you put in there, but (at least) Firefox doesn't.
Check it out:
http://io./cgi-bin/whois?query=%3Ca%20href=%22%22%3E%3Cu%3EA...
If you load it in Firefox (or any browser without an XSS auditor) it'll pop an alert, otherwise you'll just see the image I loaded and a link I inserted.
This is ridiculous.