Active XSS hunting
Attack strategy
Types of XSS
Passive XSS hunting
Attack strategy
Enter "'`><u>Rat was here<img src=x> into every fields that you see.
- Name, last name, adress,... at registration
- Names and content of ever object you create
- EVERYWHERE
If you encounter a value that's reflected, determine context.
Contexts
Filter evasion
Techniques