You sure did step up and post lots of links. The point I'm making is that Sam has created things, I've created things. You've... created a YouTube channel and I suppose a gcc post.
So I'm not quite sure your posting my links really did anything but highlight my point. My GitHub has code I've written, Drupal has code I've written, patches I've submitted and a job I was paid for. Sam's games are work he's done. You have nothing.
You then insult me for a typo when you've had various yourself ("yoru").
You then go on to explain how you think XSS works.
For the record, injecting a payload into an attack to cause it to be executed later is more of an MITM attack (man-in-the-middle) and less XSS. XSS occurs when comments and other fields are allowed to be processed and displayed through the website without being sanitized. The idea is that you can force JavaScript to be executed in the user's browser when people visit the site, and this has nothing to do with injecting payloads.
With regards to XST, you're almost there, although you're missing some points. The purpose of XST is not to reflect code, although the server does indeed have a response, but rather to be able to force JavaScript to show headers that were previously not able to be seen. This includes, but is not limited to, cookies.
With regards to php.ini, it is generally safe to hide it, but you're talking a lot of theory here. I asked you to explain how and why this was a problem, not provide a rule of thumb. In theory, a meteor could hit Earth 3.2 seconds after I send this, which would preempt your next meltdown. Chances are it probably will not happen.
So, let's wrap up your theories:
1) Sam is not paying taxes.
You admit you have no proof for this accusation, but your knowledge is apparently proof enough.
2) Sam is vulnerable to various attacks including XSS and XST, which you kind of were able to explain; you point to tools to show you this but don't really fully understand. This falls short of any description beyond "my tools told me so" (everyone loves a script kiddy), and doesn't begin to explain where and how he is specifically open to these attacks.
3) php.ini: There's no evidence that this is his php.ini that's in use, nor really is there any evidence of the doom and gloom you predict, along with throwing out the accusation that he doesn't know how to configure Apache. You vaguely note some potential attacks, remote code execution, but don't really discuss them beyond just a potential that this could be the case.
4) PCI-DSS: I note you drop this one on the floor. Usually our discussions result in you abandoning about 50% of your claims and sticking to a couple, which I work on cutting down as time goes on, so I can only presume you're abandoning this one as well.
5) Sam does not encrypt payment details: proven false because PayPal handles payment details.
6) Sam stores payment information in clear text: False, because PayPal does not send you payment information in clear text.
7) Sam's lack of use of MySQL to store payment records is, in your opinion, sad. You equate this to some higher level of security, which I have already disproven.
8) You've not proven why HTTP vs HTTPS is bad for anything but anyaudio.net, except to say that security experts say this, that and the other and will shoot you down.
So I'm going to give you half a point for XSS, half a point for XST, and half a point for HTTP because, while mostly wrong, anyaudio doesn't encrypt anything and that's terrifying, but I'll let you figure out why that is.
That brings us to a grand total of 1.5/8 or 18%. You're literally right about 18% of your claims, which I find pretty pathetic. More interesting is your need to start cursing and screaming about people that prove you wrong. So please do continue attacking my typos and calling names, because it just bolsters my point that you really are struggling to stay above water here.
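The stored-XSS case described in the post (a comment field echoed back to visitors without sanitizing), as an added example that is not code from this thread or from any of the sites it mentions. The comment text, the `render_comment_*` function names and the `comment` div are constructed for illustration; it shows the unsafe rendering beside the hardened one that escapes for the HTML text context.

```php
<?php
// Added example, not from the thread. Assumes a stored comment string that an
// untrusted user controls and a page that prints it inside a <div>.
declare(strict_types=1);

// Vulnerable: the stored comment is concatenated straight into the page, so any
// markup it carries is parsed by the browser and any <script> runs for every
// visitor who views the comment (stored XSS).
function render_comment_unsafe(string $comment): string
{
    return '<div class="comment">' . $comment . '</div>';
}

// Hardened: escape the untrusted text for the HTML text context before output.
// ENT_QUOTES also escapes single quotes, ENT_SUBSTITUTE replaces invalid byte
// sequences instead of returning an empty string, and the charset is explicit.
function render_comment_safe(string $comment): string
{
    $escaped = htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="comment">' . $escaped . '</div>';
}

// Helper used only for the demonstration: does the rendered HTML still contain a
// live <script> tag, i.e. one the browser would actually execute?
function contains_script_tag(string $html): bool
{
    return (bool) preg_match('/<script\b/i', $html);
}

// Constructed sample comment carrying a harmless marker script.
$sample = '<script>alert(1)</script> nice track!';

echo 'unsafe output contains live script tag: ',
    var_export(contains_script_tag(render_comment_unsafe($sample)), true), PHP_EOL;
echo 'safe output contains live script tag: ',
    var_export(contains_script_tag(render_comment_safe($sample)), true), PHP_EOL;
echo render_comment_safe($sample), PHP_EOL;
```

Escaping must match the output context: `htmlspecialchars` is correct for HTML text and quoted attribute values, but a comment placed into a URL, a JavaScript string or a CSS value needs that context's own encoder.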