vinpkl — 2012-10-24T12:02:02-04:00 — #1
I was looking at this article about cross-site attacks.
There are many examples like
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
But both image tags don't open any alert box.
I just want to check safety against XSS attacks.
pullo — 2012-10-25T07:22:51-04:00 — #2
Most modern browsers are clever enough to block stuff like this, if you just make a web page and include this in the body.
I'm no expert, but one real danger of XSS is when you are accepting user input and doing something with it on the server side.
If you want to check out a site which is intentionally vulnerable to XSS, visit: http://www.insecurelabs.org/
For example, go to the talks page and try typing
<script>alert("Hello");</script> into the search field.
This might be worth looking at, too: http://www.insecurelabs.org/Task
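The server-side case mentioned in the reply above (user input echoed back into a page, as with a search field) can be seen in the following added example, which is not part of the original thread. The function names `escapeHtml`, `renderUnsafe`, `renderSafe`, `containsScriptTag` and `inputValue` are hypothetical, and the page markup is constructed for illustration.

```javascript
// Added illustration: a search page that echoes the visitor's query.
// All function names and the markup are constructed for this example.

// Encode the five characters HTML treats as markup or attribute delimiters.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the query is concatenated into the response unchanged,
// so any markup in it becomes part of the page.
function renderUnsafe(query) {
  return '<h1>Results for ' + query + '</h1>' +
         '<input name="q" value="' + query + '">';
}

// Hardened: the query is encoded before it reaches either HTML context.
function renderSafe(query) {
  const q = escapeHtml(query);
  return '<h1>Results for ' + q + '</h1>' +
         '<input name="q" value="' + q + '">';
}

// Simple output check: did a live <script> element end up in the page?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// What a browser would take as the input's value: text up to the next quote.
function inputValue(html) {
  const m = /value="([^"]*)"/.exec(html);
  return m ? m[1] : null;
}

// The search string from the thread, plus a harmless query with quotes.
const fromThread = '<script>alert("Hello");</script>';
const quoted = 'say "hi"';

console.log('unsafe has script:', containsScriptTag(renderUnsafe(fromThread)));
console.log('safe has script:  ', containsScriptTag(renderSafe(fromThread)));
console.log('unsafe attribute: ', JSON.stringify(inputValue(renderUnsafe(quoted))));
console.log('safe attribute:   ', JSON.stringify(inputValue(renderSafe(quoted))));
```

The quoted query shows that even harmless input breaks the unescaped attribute, which is why encoding has to match the context the value is written into.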