Hi!

I would like to propose an optimization of the XSS locator on the XSS cheatsheet and the XML files:

If you transform this...
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>


... into this...
';alert(1)//\';alert(2)//";alert(3)//\";alert(4)//--></SCRIPT>">'><SCRIPT>alert(5)</SCRIPT>;=&{<script>alert(6)</script>}

... it is a) much shorter and b) you know where the injection came through.

Greetings,
.mario

I like it, but if I have more space, I'd want to use it again :) Hahah... Ah, the perils of having so many different types of issues!

For instance, the first section might work, but it might be inside of a function that you need to close out:

function bob() {
do_stuff("your text goes here");
}

To get around that you'd need something like:

");}alert(1)function xss(){//

- RSnake
Gotta love it. http://ha.ckers.org

Yes - I guess it's not even close to possible to cover all variants in one string but developers tend to make the same mistakes ever and ever again (including me).

The other day I thought about a vector which shows what characters you could get i to the site to render html - like:

<s>111</s>&lt;s&gt;222&lt/s&gt;%3cs%3e111%3c/s%3e%3c%73%3e%31%31%31%3c%2f%73%3e....
(... and so on)

Greetings,
.mario

Nice one mario....i am to format my own string.

http://hackathology.blogspot.com

Thx hackathology - don't hesitate to post when done ;)

Yah, agreed... I am always interested in new variants of the XSS Locator. Not because I used it (never do) but because it's an interesting case study on single vector with mass exploitation potential (particularly useful in worms and scanning).

- RSnake
Gotta love it. http://ha.ckers.org