WebApp Sec mailing list archives
RE: XSS Testing
From: "Mike Andrews" <mike () se fit edu>
Date: Sat, 18 Sep 2004 17:42:26 -0400
Hi PenTest Guy,

This question has been asked before on this list, so rather than go into details, let's just point back to an old post...

http://seclists.org/lists/webappsec/2002/Oct-Dec/0247.html

There are various "ultimate string collections" and articles linked from this thread - I hope that it satisfies your question.

Cheers,
Mike.

---
Mike Andrews
Florida Institute of Technology

-----Original Message-----
From: PenTest Guy [mailto:pentestguy () hotmail com]
Sent: Friday, September 17, 2004 11:26 AM
To: webappsec () securityfocus com
Subject: XSS Testing

I'm testing a web application. Previously, I had found XSS using a standard variant: <scr1pt>al3rt('XSS')</scr1pt> (note used 3 for e and 1 for i as to not cause any problems). I also URL encoded this same variant and it worked as well.

So I told them how to fix it (filtering out malicious characters, encoding, etc. on the server side) and it seems fixed now. I was just curious if there is any other way to manipulate the same variant, such as other encoding schemes, that might bypass the protections I recommended.

Thanks.