From 45a70e8ae40822a2e27f74b5726c3fd5f7514054 Mon Sep 17 00:00:00 2001 From: "Edward Z. Yang" Date: Sun, 26 Nov 2006 00:46:57 +0000 Subject: [PATCH] [1.3.0] Update xssAttacks.xml. git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@585 48356398-32a2-884e-a903-53898d9a118a --- smoketests/xssAttacks.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/smoketests/xssAttacks.xml b/smoketests/xssAttacks.xml index 8b9f2530..dd8a5feb 100644 --- a/smoketests/xssAttacks.xml +++ b/smoketests/xssAttacks.xml @@ -2,7 +2,7 @@ XSS Locator - ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//></SCRIPT>!--<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{} + ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{} Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word "XSS" will pop up. You'll need to replace the "&" with "%26" if you are submitting this XSS string via HTTP GET or it will be ignored and everything after it will be interpreted as another variable. Tip: If you're in a rush and need to quickly check a page, often times injecting the deprecated "<PLAINTEXT>" tag will be enough to check to see if something is vulnerable to XSS by messing up the output appreciably.
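Review bot: the replacement `+` line in the `@@ -2,7 +2,7 @@` hunk of smoketests/xssAttacks.xml is shown with bare `<`, `&`, `"` and `-->` characters inside an XML file, so please confirm the stored value is entity-escaped or wrapped in CDATA; otherwise the smoketest's XML loader could fail to parse the fixture or hand the purifier a different string than intended. The subject "Update xssAttacks.xml" also gives no reason for the change. Stating that the locator's tail moved from `></SCRIPT>!--` to `--></SCRIPT>">'>`, so it now closes a comment, a double-quoted attribute and a single-quoted attribute before the final script block, and noting where the new string was taken from, would make this fixture easier to audit later. The description text that follows the vector is unchanged context, so check that it still matches the updated string.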