About the Author

Chris Shiflett

Hi, I'm Chris, a web developer and a founding member of Analog. I live and work in Brooklyn, NY.


XSS Cheatsheet

I stumbled upon an interesting resource today - the XSS Cheatsheet. This is a really wonderful collection of XSS (cross-site scripting) test cases. If you don't know what XSS is, you might find the following resources helpful:

Christian has developed a script for filtering data specifically for XSS. He also has an example implementation where you can try it out for yourself - maybe someone with some free time can try entering all of the test cases to see if any of them expose a weakness.
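The suggestion above, to push the cheat sheet's test cases through a filter and see what gets past it, can be turned into a small regression harness. The following is an added example, not Christian's script or anything from this site: it runs a few constructed cases, including the vector Diane reports in the comments below, through a hypothetical keyword blacklist and through context-appropriate HTML escaping, and flags any output that still opens a real tag.

```python
import html
import re

# Constructed test cases (sample input, not from the filter under discussion).
# The third is the vector Diane posted in the comments, copied as she wrote it;
# the other two are plainer members of the same family.
TEST_CASES = {
    "plain_script": '<script>alert("XSS")</script>',
    "css_expression": '<IMG STYLE="xss:expression(alert(\'XSS\'))">',
    "comment_split_expression": (
        '<IMG STYLE=\'no\\xss:noxss("/*");\n'
        'xss:ex/*XSS*/pression(alert("XSS"))\'>'
    ),
}

# A keyword blacklist of the kind such filters often start with (hypothetical).
BLACKLIST = re.compile(r"script|expression|javascript:", re.IGNORECASE)


def naive_blacklist_filter(value: str) -> str:
    """Delete known-bad keywords; the surrounding markup is left untouched."""
    return BLACKLIST.sub("", value)


def escape_for_html_text(value: str) -> str:
    """Encode for the HTML text/attribute context, so no raw tag can survive."""
    return html.escape(value, quote=True)


# A '<' followed by an optional '/' and a letter is enough to start a tag.
RAW_TAG = re.compile(r"<\s*/?[A-Za-z]")


def survives(output: str) -> bool:
    """True if the filtered output still opens a real tag. For data meant to be
    rendered as text that is the failure condition, whatever keywords were cut."""
    return RAW_TAG.search(output) is not None


def run_cases(filter_fn) -> dict:
    """Map each case name to True if filter_fn neutralised it, False if it got through."""
    return {name: not survives(filter_fn(payload)) for name, payload in TEST_CASES.items()}


if __name__ == "__main__":
    for label, fn in (("blacklist", naive_blacklist_filter), ("escape", escape_for_html_text)):
        print(label, run_cases(fn))
```

The blacklist stops the plain `<script>` case only by accident (the tag name is gutted), leaves the `expression` case as an injected `<IMG>` tag, and passes Diane's comment-split vector through untouched because the keyword never appears literally; escaping neutralises all three in the same way.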

About This Post

XSS Cheatsheet was posted on Thu, 27 Jan 2005 at 01:32:31 GMT.

7 Comments

1. Diane said:

Was trying the test cases at ha.ckers.org/xss.html and found one that worked. Thought you might be interested:

<IMG STYLE='no\xss:noxss("/*");

xss:ex/*XSS*/pression(alert("XSS"))'>

Fri, 16 Sep 2005 at 20:27:56 GMT


2. Chris Shiflett said:

I'll let Christian know. Thanks.

Mon, 19 Sep 2005 at 06:23:00 GMT


3. <IMG STYLE='no\xss:noxss("/*"); said:

jj

Mon, 29 May 2006 at 09:47:47 GMT


4. Chris Shiflett said:

He means one that worked on Christian's filter. :-)

Mon, 29 May 2006 at 13:39:11 GMT


5. Jhon said:

Hi Shiflett!

What chain of filters are you using on this site?

Regards

Jhon

Sat, 09 Jan 2010 at 20:24:45 GMT


6. Chris Shiflett said:

Hi Jhon,

I'm using a simple technique I describe in another post:

Allowing HTML and Preventing XSS

Hope that helps!

Fri, 15 Jan 2010 at 02:38:34 GMT


7. XSS Haxxor said:

I started out looking around for this stuff and the cheat sheet at ha.ckers is probably the best I've seen. If you look deeper in the site they have a few Hex tables that show you how to write your own scripts that I found really helpful too. I never wanted to be a "Black Hat" hacker but this helps a lot with my dream to be a certified ethical hacker, so kudos on giving them the attention they deserve. I also checked out some of your XSS topics and they're really definitive and helpful too, so thanks dude, keep up the good work.

Sat, 17 Jul 2010 at 01:26:01 GMT


