A talk by 13-06-2014, - OWASP · 1. PHP 2. XSS 3. Testing Methodology 4. Per-Context XSS Attack...
A talk by
13-06-2014,
http://en.wikipedia.org/wiki/Monkey_test
A researcher in Ruhr University Bochum, a student of XSS who is working towards his PhD in XSS. An XSSer / an XSS enthusiast.
Listed in top sites' hall of fame. A proud father of two. Speaker @HITBKUL2013, @DeepSec2013 & OWASP Seminar @RSAEurope2013. A Twitter lover.
http://www.tubechop.com/watch/2670518
@soaj1664ashar
http://slides.com/mscasharjaved/cross-site-scripting-my-love
https://twitter.com/soaj1664ashar/status/466945529059221504
50$ per-context bypass (output reflects in 5 contexts)
http://demo.chm-software.com/7fc785c6bd26b49d7a7698a7518a73ed/
http://xssplaygroundforfunandlearn.netai.net/final.html
http://xssplayground.net23.net/final.html
1. PHP
2. XSS
3. Testing Methodology
4. Per-Context XSS Attack Methodology
5. Summarize PHP's findings (includes built-in functions, customized XSS solutions and top PHP-based web frameworks)
6. Results of Alexa Survey of Top 100 sites
7. Conclusion
http://w3techs.com/technologies/overview/programming_language/all
http://www.php.net/usage.php
http://w3techs.com/blog/entry/web_technologies_of_the_year_2013
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
https://www.brighttalk.com/webcast/288/97255
http://www.osvdb.org/osvdb/show_graph/1
http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20RC1.pdf
https://twitter.com/soaj1664ashar/status/362493382645383168
http://www.incapsula.com/blog/world-largest-site-xss-ddos-zombies.html
Is the term coined here: #tweetbleed https://twitter.com/pdp/status/476796934062370816
https://twitter.com/soaj1664ashar/status/476773831928209408
https://twitter.com/derGeruhn/status/476764918763749376
https://twitter.com/TweetDeck/status/476770732987252736
Simulate Real Web Applications. Testing conducted in five common contexts (HTML, Script, Attribute, Style & URL).
https://twitter.com/soaj1664ashar/status/463960615157915648
=== general term: filter_function
Double Quotes Case
Single Quotes Case
- Systematic in nature
- Easy to understand
- Context-specific
- Attack methodology is ` ` and one can guarantee that there is an XSS or no XSS in a particular injection point.
- With the help of the attack methodology, one can make a secure per-context XSS sanitizer.
- Can be applied to other server-side languages, e.g., ASP, Ruby etc.
Only for attendees... :)
";confirm(1);//
OR
';confirm(1);//
http://www.dailymail.co.uk/home/search.html
http://de.eonline.com
It simply does not work. Encoding will not help you in breaking the script context unless developers are doing some sort of explicit decoding.
http://issuu.com/mscasharjaved/docs/urlwriteup
http://jsfiddle.net/4eqK4/2/
http://xssplaygroundforfunandlearn.netai.net/series7.html
https://twitter.com/soaj1664ashar/status/469442421148119040
Only for attendees :)
http://www.ea.com/
http://www.drudgereportarchives.com/dsp/search.htm
http://www.biblegateway.com
`` onmouseover=alert(1)
`` === backtick
https://twitter.com/hasegawayosuke
Very useful in breaking attribute context if site is properly filtering single and double quotes.
Mario Heiderich https://twitter.com/0x6D6172696F
Another useful tool by him is http://html5sec.org/innerhtml/
and a must-read research paper by him if you are interested in innerHTML and mutation XSS: http://www.nds.rub.de/media/emma/veroeffentlichungen/2013/12/10/mXSS-CCS13.pdf
http://xssplaygroundforfunandlearn.netai.net/innerHTMLtesting.html
(Slides 101 to 102, image only)
http://view.officeapps.live.com/op/view.aspx?src=%20http%3a%2f%2fvideo.ch9.ms%2fsessions%2fbuild%2f2014%2f2-559.pptx
(Slide 103)
See demo: http://jsfiddle.net/9t8UM/2/
(Slide 104)
Only for attendees :)
(Slide 105)
http://www.scribd.com/doc/226925089/Stylish-XSS-in-Magento-When-Style-helps-you
(Slide 106)
Only for attendees :)
(Slide 107)
http://www.scribd.com/doc/211362856/Stored-XSS-in-Twitter-Translation
(Slides 108 to 113, image only)
A quick search on GitHub reveals...
http://xssplayground.net23.net/clean6.html
(Slide 114)
A quick search on GitHub reveals... (false positives are also there, but it still gives you an idea of popularity)
http://xssplayground.net23.net/clean20.html
(Slide 115)
A quick search on GitHub shows...
http://xssplayground.net23.net/clean21.html
(Slide 116)
Only for attendees :)
(Slides 117 to 118, image only)
Developers are also calling it with names like and
A quick search on GitHub reveals
http://xssplayground.net23.net/clean.html
(Slide 119)
Two arrays of black-listed keywords :)
(Slides 120 to 121, image only)
http://xssplayground.net23.net/clean.html
(Slide 122)
All event handlers that are not part of the black-listed array will bypass this protection, e.g.,
(Slide 123)
https://twitter.com/soaj1664ashar/status/470843406521237504
(Slides 124 to 127, image only)
A very popular but, sorry to say, BAD XSS protection...
A quick search on GitHub reveals...
http://xssplayground.net23.net/clean1.html
(Slides 128 to 131, image only)
http://xssplayground.net23.net/clean1.html
(Slides 132 to 133, image only)
The goal of this function is to stop JavaScript execution via style.
http://xssplayground.net23.net/clean2.html
(Slides 134 to 138, image only)
Another popular customized XSS protection solution.
http://xssplayground.net23.net/clean3.html
(Slides 139 to 140, image only)
A popular XSLT-powered open source content management system is using function.
(Slides 141 to 148, image only)
A Fully Baked PHP Framework: http://ellislab.com/codeigniter
(Slide 149)
https://github.com/EllisLab/CodeIgniter/issues/2667
(Slide 150)
(Snapshot from the latest CodeIgniter version available at GitHub)
https://github.com/EllisLab/CodeIgniter/blob/develop/system/core/Security.php#L438
(Slides 151 to 152, image only)
http://xssplayground.net23.net/clean11.html
(Slides 153 to 154, image only)
(old test-bed) http://xssplayground.net23.net/clean11.html
(new test-bed) http://xssplayground.net23.net/clean100.html
(Slide 155)
Sanitize Naughty HTML elements
Old list of naughty elements before I started bypassing...
(Slide 156)
`<math><a/xlink:href=javascript:confirm(1)>click</a>`
(old test-bed) http://xssplayground.net23.net/clean11.html
(new test-bed) http://xssplayground.net23.net/clean100.html
(Slides 157 to 159, image only)
https://github.com/EllisLab/CodeIgniter/blob/develop/system/core/Security.php#L592
(Slide 160)
Removes invisible characters, e.g., %00 (i.e., NULL)
(Slides 161 to 166, image only)
https://twitter.com/kinugawamasato
https://zdresearch.com/zdresearch-xss1-challenge-writeup/
(Slide 167)
http://websec.ca/kb/sql_injection#MySQL_Fuzzing_Obfuscation
(Slide 168)
Demo: http://jsfiddle.net/GTxVt/5/
(Slide 169)
HxD: http://mh-nexus.de/en/hxd/
(Slide 170)
https://twitter.com/soaj1664ashar/status/358574268386246656
(Slides 171 to 172, image only)
https://github.com/EllisLab/CodeIgniter/issues/2667
(Slide 173)
https://github.com/EllisLab/CodeIgniter/issues/2667
(Slide 174)
Only for attendees :)
(Slide 175)
I surveyed the top 10 sites from the following 10 categories...
(Slides 176 to 178, image only)
http://www.scribd.com/doc/210121412/XSS-is-not-going-anywhere
(Slide 179)
Our large-scale survey of PHP-based sanitisation routines shows the SAD state of web security as far as XSS is concerned. The proposed attack and testing methodology is general and may be applied to other server-side languages. What if we automate this context-specific attack methodology and unleash the automation tool on a large-scale survey of the deep web... :)
(Slide 180)
@padraicb
@enygma
@metromoxie
(Slides 181 to 183, image only)