Talk:XSS Filter Evasion Cheat Sheet

From OWASP

I can speak from being on the receiving end of XSS Evasion Attacks :)

   http://blog.spiderlabs.com/2013/09/modsecurity-xss-evasion-challenge-results.html
   http://blog.spiderlabs.com/2013/08/the-web-is-vulnerable-xss-on-the-battlefront-part-1.html

Essentially what we need to do is to consolidate a couple of key resources. The top two being -

   HTML5Sec Vectors - https://raw.githubusercontent.com/cure53/H5SC/master/vectors.txt.  These are taken from Mario's awesome work - http://html5sec.org/
   Shazzer's Successful Fuzzes - https://raw.githubusercontent.com/client9/libinjection/master/data/xss-shazzer.txt.  These are from Gareth's equally awesome work - http://shazzer.co.uk/home.  

I would start with these two resources as the base and build from there.

-Ryan


Outdated Examples?

According to https://www.owasp.org/index.php/Script_in_IMG_tags and due to my own observations, it seems that the examples with <img src="..."> provided here are outdated and irrelevant. This means they are only relevant to browsers <= IE6. This makes it hard to collect the relevant (test) cases from this page and may make people think that an application is not XSS safe if it does not handle these cases (as it was in my case). Can these examples either be removed or moved to a dedicated sub-chapter? Or am I completely wrong? - Markus

ha.ckers.org Down

The ha.ckers.org site has been down for quite some time now, breaking the examples listed on the page. I've set up a mirror for these files, so the samples will work again. If ha.ckers.org ever comes back, the change to use the xss.rocks mirror can be reverted.

If anyone objects to this, please let me know. --Adam Caudill (talk) 18:43, 3 March 2016 (CST)

%tag

I searched online with "%tag" internet explorer, saw an example in The Browser Hacker's Handbook (2014) and a reference to the main article. I wonder if the main article should include the <%tag style=xss:expression(alert(6))> trick. Another article explained that IE ignored a possibility of code execution via the unexpected tag: http://real-hacker-network.blogspot.ca/2012/09/aspnet-cross-site-scripting.html --Eelgheez (talk)

My attempt with %tag could not evade IE11's XSS filter. Oh well. --Eelgheez (talk) 17:14, 7 July 2016 (CDT)

Filter bypass based polyglot

Why is this polyglot linking to a resource on a private website (shellypalmer.com)? I believe it should link to localhost. In the case of a successful execution of the payload, the referrer header will get listed in the logs of shellypalmer.com.

Abhi M Balakrishnan (talk)