Difference between revisions of "XSS Filter Evasion Cheat Sheet"
m (minor edit) | m (minor edit, section →Tests)
Line 6: | Line 6: | ||
= Tests = | = Tests = | ||
+ | |||
+ | This cheat sheet is for people who already understand the basics of XSS attacks but want a deep understanding of the nuances regarding filter evasion. | ||
+ | |||
+ | Please note that most of these cross site scripting vectors have been tested in the browsers listed at the bottom of the page. | ||
+ | |||
== XSS Locator == | == XSS Locator == | ||
Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word "XSS" will pop up. Use this [http://ha.ckers.org/xss.html#XSScalc URL encoding calculator] to encode the entire string. Tip: if you're in a rush and need to quickly check a page, often times injecting the depreciated "<PLAINTEXT>" tag will be enough to check to see if something is vulnerable to XSS by messing up the output appreciably: | Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word "XSS" will pop up. Use this [http://ha.ckers.org/xss.html#XSScalc URL encoding calculator] to encode the entire string. Tip: if you're in a rush and need to quickly check a page, often times injecting the depreciated "<PLAINTEXT>" tag will be enough to check to see if something is vulnerable to XSS by messing up the output appreciably: |
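Review bot: the added line "Please note that most of these cross site scripting vectors have been tested in the browsers listed at the bottom of the page" points at a browser list that the rendered revision below does not contain (it ends with References and Authors and Primary Editors); either add the list in the same edit or drop the reference until it exists. In the unchanged context line, "depreciated" should read "deprecated".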
Revision as of 20:28, 3 September 2012
DRAFT CHEAT SHEET - WORK IN PROGRESS
Introduction
This article is focused on providing application security testing professionals with a guide to assist in Cross-Site Scripting testing.
Tests
This cheat sheet is for people who already understand the basics of XSS attacks but want a deep understanding of the nuances regarding filter evasion.
Please note that most of these cross site scripting vectors have been tested in the browsers listed at the bottom of the page.
XSS Locator
Inject this string; in most cases where a script is vulnerable and no special XSS vector is required, the word "XSS" will pop up. Use this URL encoding calculator (http://ha.ckers.org/xss.html#XSScalc) to encode the entire string. Tip: if you're in a rush and need to check a page quickly, injecting the deprecated "<PLAINTEXT>" tag is often enough to tell whether something is vulnerable to XSS, because it visibly disrupts the rendered output:
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//"; alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'> <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
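To show from the defender's side why the locator is built the way it is, here is an added Python example (not part of the cheat sheet) that reflects the locator string into a single-quoted HTML attribute and into an inline JavaScript string, first unencoded and then with context-appropriate output encoding, and counts how many tags an HTML parser would see in each case. The template fragments, the function names and the tag-counting check are assumptions of this example; only the locator string itself comes from the page.

```python
import html
import json
import re

# The XSS locator string from the cheat sheet, as a raw string so the
# backslashes and quotes are kept exactly as written there.
XSS_LOCATOR = r"""';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//"; alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'> <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>"""

# Anything that looks like the start of a tag: '<', optional '/', a letter.
_TAG_OPENER = re.compile(r"<\s*/?\s*[A-Za-z]")


def tag_count(markup: str) -> int:
    """Count tag openers in a fragment. A template with N tags of its own
    should still have exactly N after untrusted data is inserted."""
    return len(_TAG_OPENER.findall(markup))


def encode_for_js_string(value: str) -> str:
    """Encode a value for use as a JavaScript string literal inside an inline
    <script>: json.dumps escapes quotes and backslashes (so the locator's
    ' \\' " \\" breakouts fail), then <, > and & are hex-escaped so the HTML
    parser never sees '</script>' inside the block."""
    encoded = json.dumps(value)
    for ch, rep in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        encoded = encoded.replace(ch, rep)
    return encoded


# Hypothetical templates (assumed for this example): a single-quoted
# attribute sink and a JS string sink, each in a raw and an encoded form.
def reflect_attribute_unsafe(value: str) -> str:
    return f"<input value='{value}'>"


def reflect_attribute_safe(value: str) -> str:
    # quote=True also encodes ' and ", which the locator's '> and "> rely on
    return f"<input value='{html.escape(value, quote=True)}'>"


def reflect_js_unsafe(value: str) -> str:
    return f"<script>var q = '{value}';</script>"


def reflect_js_safe(value: str) -> str:
    return f"<script>var q = {encode_for_js_string(value)};</script>"


def survey(value: str = XSS_LOCATOR) -> dict:
    """Tag counts per sink. The templates themselves contribute 1 (input)
    or 2 (script open/close) tags, so anything above that means the
    injected value got a tag of its own into the document."""
    return {
        "attribute_unsafe": tag_count(reflect_attribute_unsafe(value)),
        "attribute_safe": tag_count(reflect_attribute_safe(value)),
        "js_unsafe": tag_count(reflect_js_unsafe(value)),
        "js_safe": tag_count(reflect_js_safe(value)),
    }


if __name__ == "__main__":
    for sink, n in survey().items():
        print(f"{sink:>17}: {n} tag(s)")
```

The tag count is only one observable property (whether the locator smuggled a `<SCRIPT>` element into the page); the encoding step is what matters, and it has to match the sink: attribute contexts get HTML entity encoding with quotes included, inline JavaScript string contexts get JSON encoding plus hex escapes for the characters the HTML parser acts on.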
References
Authors and Primary Editors
RSnake
OWASP Cheat Sheets Project Homepage