WebApp Sec
mailing list archives
Re: XSS Strings
From: Jeroen Latour <jlatour () calaquendi net>
Date: Mon, 16 Dec 2002 09:49:31 +0100
At 23:54 15-12-2002 -0800, securityarchitect () hush com wrote:
> Maybe more for vuln-dev but I have bitten the bullet and pulled out wget
> and perl and am gonna start testing my apps for XSS and I need to build
> the ultimate list of payloads.
> For the HTML tags period I guess it's the classic;
> <script>alert(document.cookie)</script>
> <a href="X" onmouseover="alert(document.cookie">
> <javascript ="http://www.host/script.js"
> "javascript:alert(document.cookie)"
> <iframe = c:\>
> <img src = "evil.js">
> But I seem to recall some old versions of Netscape run the { etc
> Does anyone have a good list of payloads that will cover the majority of
> the options?

Take a look at
http://online.securityfocus.com/archive/1/272037/2002-05-09/2002-05-15/0
That Bugtraq post shows a few dozen ways to execute malicious code. There
are others, of course.
Jeroen