web application security lab

Archive for January, 1970

Remote style sheet

Thursday, January 1st, 1970

Using a remote style sheet that contains a CSS expression, you can embed JavaScript through a LINK tag without using the javascript: directive or script tags. It’s a nice little evasion technique that I haven’t seen anywhere else.

Remote style sheet part 2

Thursday, January 1st, 1970

I found another one doing the exact same thing as the previous remote style sheet XSS filter evasion, although this one uses a style tag instead of a link tag. I like this because it doesn’t use any JavaScript directives, script tags or event handlers.

XML with CDATA obfuscation

Thursday, January 1st, 1970

I added a vector to the list found by Sec-Consult out of Austria. They found a hole in Yahoo using CDATA obfuscation in XML.

Google desktop is owned by XSS

Thursday, January 1st, 1970

This guy published a clever XSS exploit to demonstrate information leakage from Google Desktop. Pretty clever application of XSS.

Browser support updated

Thursday, January 1st, 1970

I decided to revamp the page a little and make browser support more easily readable, so if you are testing in a specific browser you can quickly run through all of them and see what will work and won’t work. I also fixed a few typos in the vectors themselves.

HTML Component (.htc)

Thursday, January 1st, 1970

While doing a little investigating I found a vector using an XML namespace that pulls in a .htc file, which in turn includes JS. It’s a nice little vector since it doesn’t use the javascript: directive or script tags.

Remote style sheet part 3

Thursday, January 1st, 1970

Okay, I found another nice one that doesn’t use any JavaScript directives or script tags. Using a .htc file pulled in through a STYLE attribute allows JavaScript to run in IE and NS8.0 under trusted site settings.
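As an added defensive example (not code from the original posts or the xss.html cheat sheet), the audit below shows why a filter that only looks for script tags, the javascript: scheme and on* event handlers misses the style-sheet, CSS expression and .htc vectors described in the remote style sheet and HTML Component posts above. The pattern names, function names and sample markup (including the example.invalid host) are constructed for this example.

```python
import re

# Naive filter: blocks only script tags, the javascript: scheme and on* handlers.
NAIVE_PATTERN = re.compile(r"<script\b|javascript\s*:|\bon\w+\s*=", re.I)

# Style/markup-borne vectors that the naive filter never looks at. Names and
# patterns are constructed for this example; they are deliberately broad.
CSS_VECTOR_PATTERNS = {
    "css_expression": re.compile(r"expression\s*\(", re.I),              # IE CSS expression()
    "htc_behavior": re.compile(r"behavior\s*:\s*url\s*\(", re.I),        # .htc via style attribute
    "remote_stylesheet_link": re.compile(                                # LINK to a remote CSS file
        r"<link\b[^>]*\brel\s*=\s*['\"]?stylesheet\b[^>]*\bhref\s*=\s*['\"]?(?:https?:)?//", re.I),
    "css_import": re.compile(r"@import\b", re.I),                        # STYLE pulling remote CSS
    "htc_reference": re.compile(r"[\w./:-]+\.htc\b", re.I),              # any .htc reference (e.g. XML namespace import)
}

# Constructed sample markup, one entry per vector family plus controls.
SAMPLES = {
    "link_remote": '<link rel="stylesheet" href="http://example.invalid/x.css">',
    "style_import": "<style>@import 'http://example.invalid/x.css';</style>",
    "inline_expression": '<div style="width:expression(x())">hi</div>',
    "style_htc": '<div style="behavior:url(x.htc)">hi</div>',
    "xml_import_htc": '<html xmlns:xss><?import namespace="xss" implementation="x.htc">',
    "script_tag": "<script>x()</script>",
    "benign": '<p style="color:red">hello</p>',
}


def naive_filter_blocks(html: str) -> bool:
    """True if the script-tag/javascript:/on* filter would reject this markup."""
    return bool(NAIVE_PATTERN.search(html))


def css_vectors(html: str) -> list:
    """Names of the style-sheet/.htc vector patterns present in the markup, in table order."""
    return [name for name, pat in CSS_VECTOR_PATTERNS.items() if pat.search(html)]


def audit(html: str) -> dict:
    """Compare what the naive filter catches with what the style-aware check finds."""
    return {"naive_blocked": naive_filter_blocks(html), "css_vectors": css_vectors(html)}


if __name__ == "__main__":
    for label, markup in SAMPLES.items():
        print(f"{label:18} {audit(markup)}")
```

Every sample except script_tag passes the naive filter, while the style-aware check flags each of the CSS-borne ones; in practice the fix is to reject or rewrite author-controlled style and link markup rather than to grow the blacklist.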

Writeup on cross domain XSS

Thursday, January 1st, 1970

This is a good write-up on the non-nefarious uses of cross-domain Ajax requests, but obviously this has other scary ramifications.

PHPNuke XSS patch is vulnerable

Thursday, January 1st, 1970

Honestly, I don’t think this is much of a story, but this guy supplied an XSS patch that is vulnerable to about a third of the tests on http://ha.ckers.org/xss.html. Oops.

MySpace XSS worm revisited

Thursday, January 1st, 1970

This uses another one of the vectors on my page to propagate. If you allow objects that can embed Flash, they can embed LiveScript and JavaScript.