|Join hundreds of other Developers and InfoSec professionals for Training, Sessions and Community at our first conference of 2019|
[AppSec Tel Aviv, May 26-30th]
Talk:XSS Filter Evasion Cheat Sheet
I can speak from being on the receiving end of XSS Evasion Attacks :)
Essentially what we need to do is to consolidate a couple of key resources. The top two being -
HTML5Sec Vectors - https://raw.githubusercontent.com/cure53/H5SC/master/vectors.txt. These are taken from Mario's awesome work - http://html5sec.org/ Shazzer's Successful Fuzzes - https://raw.githubusercontent.com/client9/libinjection/master/data/xss-shazzer.txt. These are from Gareth's equally awesome work - http://shazzer.co.uk/home.
I would start with these two resources as the base and build from there.
According to https://www.owasp.org/index.php/Script_in_IMG_tags and due to my own observations, it seems that the examples with <img src="..."> provided here are outdated and irrelevant. Means: they are only relevant to Browsers <=IE6 . This makes it hard to collect the relevant (test-)cases from this page and may make people think that an application is not xss save if it does not handle these cases (as it was in my case). Can these examples either be removed or moved to a dedicated sub-chapter? Or I am completely wrong? - Markus
The ha.ckers.org site has been down for quite some time now, breaking the examples listed on the page. I've setup a mirror for these files, so the samples will work again. If ha.ckers.org ever comes back, the change to use the xss.rocks mirror can be reverted.
I searched online with "%tag" internet explorer, saw an example in The Browser Hackers Handbook 2014 and a reference to the main article. I wonder if the main article should include the <%tag style=xss:expression(alert(6))> trick. Another article explained that IE ignored a possibility of code execution via the unexpected tag, http://real-hacker-network.blogspot.ca/2012/09/aspnet-cross-site-scripting.html --Eelgheez (talk)
Filter bypass based polyglot
Why is this polyglot linking to a resource on a private website? (shellypalmer.com) I believe it should link to localhost. In the case of a successful execution of the payload, the referrer header will get listed on the logs of shellypalmer.com