WebApp Sec mailing list archives
Re: XSS Strings
From: Jeroen Latour <jlatour () calaquendi net>
Date: Mon, 16 Dec 2002 09:49:31 +0100
At 23:54 15-12-2002 -0800, securityarchitect () hush com wrote:
Maybe more for vuln-dev but I have bitten the bullet and pulled out wget and perl and am gonna start testing my apps for XSS and I need to build the ultimate list of payloads.For the html tags period I guess its the classic; <script>alert(document.cookie)</script> <a href="X" onmouseover="alert(document.cookie"> <javascript ="http://www.host/script.js" "javascript:alert(document.cookie)" <iframe = c:\> <img src = "evil.js"> But I seem to recall some old versions of Netscape run the { etcDoes anyone have a good list of payloads that will cover the majority of the options ?
Take a look at http://online.securityfocus.com/archive/1/272037/2002-05-09/2002-05-15/0
That bugtraq posts shows a few dozen ways to execute malicious code. There are others, of course.
Jeroen
Current thread:
- XSS Strings securityarchitect (Dec 16)
- Re: XSS Strings Martin Eiszner (Dec 16)
- Re: XSS Strings Jeroen Latour (Dec 16)
- RE: XSS Strings Glyn (Dec 16)
- Re: XSS Strings Tomas (Dec 16)
- encoder N30 (Dec 19)
- Re: encoder Kevin Spett (Dec 19)
- encoder N30 (Dec 19)