XSS

Required Reading

Methodology

  1. How is a non-malicious tag such as <h2> handled?

  2. How is an incomplete tag such as <iframe src=//attacker.com/c= handled?

  3. How is an encoding such as <%00h2 handled?

  4. How does the filter work? Whitelist or blacklist?
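
The checklist above can be run as a regression harness against a sanitizer you maintain. This is an added example, not code from the original page: `blacklistFilter`, `encodingFilter`, `classify`, `probeFilter` and `inferStrategy` are hypothetical names, and a single URL-decode before the filter is an assumption.

```javascript
// Added example: both filters and the harness are constructed for illustration.
// Hypothetical blacklist: strips complete tags whose name starts with a letter.
const blacklistFilter = (s) => s.replace(/<\/?[a-z][^>]*>/gi, "");

// Hypothetical output encoder: numeric-encodes every HTML metacharacter.
const encodingFilter = (s) =>
  s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// The three probe strings from the checklist above.
const PROBES = {
  benignTag: "<h2>",
  incompleteTag: "<iframe src=//attacker.com/c=",
  encodedNull: "<%00h2",
};

// Classify what a filter did to one probe.
function classify(filter, raw) {
  const input = decodeURIComponent(raw); // assumption: one URL-decode upstream
  const out = filter(input);
  if (out === input) return "unchanged";
  if (out.includes("<")) return "modified";
  return out.includes("&#60;") ? "encoded" : "stripped";
}

// Questions 1-3: run every probe and record the outcome.
function probeFilter(filter) {
  const results = {};
  for (const [name, raw] of Object.entries(PROBES)) {
    results[name] = classify(filter, raw);
  }
  return results;
}

// Question 4: a filter that treats every probe the same way is not matching
// on tag patterns; one that reacts only to the well-formed tag probably is.
function inferStrategy(results) {
  const outcomes = new Set(Object.values(results));
  if (outcomes.size === 1 && outcomes.has("encoded")) return "uniform encoding";
  if (outcomes.has("unchanged")) return "pattern blacklist with gaps";
  return "inconclusive";
}

console.log(probeFilter(blacklistFilter), inferStrategy(probeFilter(blacklistFilter)));
console.log(probeFilter(encodingFilter), inferStrategy(probeFilter(encodingFilter)));
```

The blacklist strips the well-formed tag but returns the incomplete and null-byte probes unchanged, which is the gap the checklist is designed to surface; the encoder treats all three the same way.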