Professional Documents
Culture Documents
posting-XSS Cheatsheet
posting-XSS Cheatsheet
Untitled
EVERYWHERE
Contexts
Attack
'"` <u>Rat was here + <img src=x> "'`>
vector
Breaks Nothing, reflects value into HTML HTML tag attribute
Breaks javascript context without sanitise, allowing for such as "Value" for
functions own tags <input> tag
Try to insert
Insert JS event handler
Exploit our own JS Add event handlers to tags
or JS code into tag
code
Example '); alert(); — <img src=x onerror=alert()> ' alert(); '
Filter evasion
Techniques
Use your
imagination
3