BBCode XSS Howto

Posted in Other
2009-09-18 01:54:17 +0000 UTC

I figured I'd do a little blog posting about finding and exploiting XSS vulnerabilities in BBCode implementations. Not many sources exist for this type of information, and certainly none exist that I am aware of that are as comprehensive.

I've been in contact with RSnake about possibly adding a section to his infamous XSS Cheat Sheet concerning this, and he has responded favorably. Unfortunately, nothing has yet come of this, so I figured I would go ahead and write something up here. A lot of this comes from exploits I have personally found, and most can be found scattered throughout this site.

Most forums allow a user to preview their submissions before posting. This is a good place to test for injections before haphazardly injecting code!

So, without further ado, here is the list. Feel free to submit any additions below.