WebApp Sec mailing list archives
RE: XSS Strings
From: "Glyn" <glyng () bigfoot com>
Date: Mon, 16 Dec 2002 11:23:59 -0000
Check out Gunter's paper for a concise list of XSS attack techniques: http://www.technicalinfo.net/papers/CSS.html
-----Original Message-----
From: securityarchitect () hush com [mailto:securityarchitect () hush com]
Sent: 16 December 2002 07:55
To: webappsec () securityfocus com
Subject: XSS Strings

Maybe more for vuln-dev but I have bitten the bullet and pulled out wget and perl and am gonna start testing my apps for XSS and I need to build the ultimate list of payloads.

For the html tags period I guess it's the classic;

<script>alert(document.cookie)</script>
<a href="X" onmouseover="alert(document.cookie">
<javascript ="http://www.host/script.js"
"javascript:alert(document.cookie)"
<iframe = c:\>
<img src = "evil.js">

But I seem to recall some old versions of Netscape run the { etc

Does anyone have a good list of payloads that will cover the majority of the options?