So you’ve got some XSS that you want to test but the browser you’ve been using for your app testing is protecting against the use of javascript in the address URL. The following URL:


Would end up getting sent to the server as:

1GET /index.asp?val=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1

In order to prevent this so we can test XSS flaws within applications we need to turn off the javascript filter in the… Continue reading