Talk:XSS Filter Evasion Cheat Sheet

From OWASP
Jump to: navigation, search

I can speak from being on the receiving end of XSS Evasion Attacks :)

   http://blog.spiderlabs.com/2013/09/modsecurity-xss-evasion-challenge-results.html
   http://blog.spiderlabs.com/2013/08/the-web-is-vulnerable-xss-on-the-battlefront-part-1.html

Essentially what we need to do is to consolidate a couple of key resources. The top two being -

   HTML5Sec Vectors - https://raw.githubusercontent.com/cure53/H5SC/master/vectors.txt.  These are taken from Mario's awesome work - http://html5sec.org/
   Shazzer's Successful Fuzzes - https://raw.githubusercontent.com/client9/libinjection/master/data/xss-shazzer.txt.  These are from Gareth's equally awesome work - http://shazzer.co.uk/home.  

I would start with these two resources as the base and build from there.

-Ryan


Outdated Examples?

According to https://www.owasp.org/index.php/Script_in_IMG_tags and due to my own observations, it seems that the examples with <img src="..."> provided here are outdated and irrelevant. Means: they are only relevant to Browsers <=IE6 . This makes it hard to collect the relevant (test-)cases from this page and may make people think that an application is not xss save if it does not handle these cases (as it was in my case). Can these examples either be removed or moved to a dedicated sub-chapter? Or I am completely wrong? - Markus