Talk:XSS Filter Evasion Cheat Sheet

I can speak from being on the receiving end of XSS Evasion Attacks :)

http://blog.spiderlabs.com/2013/09/modsecurity-xss-evasion-challenge-results.html
http://blog.spiderlabs.com/2013/08/the-web-is-vulnerable-xss-on-the-battlefront-part-1.html

Essentially what we need to do is to consolidate a couple of key resources. The top two being -

HTML5Sec Vectors - https://raw.githubusercontent.com/cure53/H5SC/master/vectors.txt. These are taken from Mario's awesome work - http://html5sec.org/
Shazzer's Successful Fuzzes - https://raw.githubusercontent.com/client9/libinjection/master/data/xss-shazzer.txt. These are from Gareth's equally awesome work - http://shazzer.co.uk/home.

I would start with these two resources as the base and build from there.

-Ryan

Outdated Examples?

According to https://www.owasp.org/index.php/Script_in_IMG_tags and due to my own observations, it seems that the examples with  provided here are outdated and irrelevant. Meaning: they are only relevant to browsers <= IE6. This makes it hard to collect the relevant (test-)cases from this page and may make people think that an application is not XSS safe if it does not handle these cases (as it was in my case). Can these examples either be removed or moved to a dedicated sub-chapter? Or am I completely wrong? - Markus

ha.ckers.org Down

The ha.ckers.org site has been down for quite some time now, breaking the examples listed on the page. I've set up a mirror for these files, so the samples will work again. If ha.ckers.org ever comes back, the change to use the xss.rocks mirror can be reverted.

If anyone objects to this, please let me know. --Adam Caudill (talk) 18:43, 3 March 2016 (CST)