Six hundred and sixty six XSS vectors, suitable for attacking an API

So I need to attack an API. None of the XSS tools do it well - not Burp, not xsser, not Xenotix. All of the XSS vectors are packed away in Perl or Ruby or Python, or in articles. So I made my own data file.

Honestly, I didn't tweak the number, that what it came out to when I was done.

Anyway, here it is, ready for your File.ReadLine pleasure:

Please use it responsibly.


Comments (2) -

5/20/2013 5:34:08 AM #

Is there anything about this that's specific to API attacks? I.e., can I use this for regular XSS testing of HTML forms and such?

5/20/2013 9:30:25 AM #

You could, but there are already good tools for testing web sites, like xsser ( Also, a proxy like Burp Suite or Zed Attack Proxy ( does that well.

APIs are harder to test, because proxies don't handle them well. They are just as injectable though. Best way to test them is to write code against them. Thus, 666 things to try.

Comments are closed

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.



profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites