Yair Amit brought something to my attention today which actually required me to add a vector to the Cheat Sheet. I get a lot of people asking me to make changes and amendments to the cheat sheet, as you can probably guess, so getting me to actually do it requires something new. Yair at first began describing a known issue about non-alpha-non-digit, which is a little ho-hum at this point, but after a few email exchanges he came up with something that actually is new: the Non-alpha-non-digit 3 XSS vector.
In the Internet Explorer rendering engine (IE6.0-7.0 and Netscape 8.0+ in IE mode) a tag and a parameter can be separated by a slash. This might sound like old news, but unlike the original non-alpha-non-digit vector this does not require a space:
Although it’s only useful in the Internet Explorer rendering engine, it’s a nice vector as it a) obfuscates where the tag and the parameter start and end and b) doesn’t require any spaces. I’m absolutely positive this will cause some XSS filters to fail, so take heed if you use whitespace to test where tags end. Thanks to Yair! Nice find!
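As an added illustration (not part of the original post), here is a short Python comparison of a filter that assumes a tag name ends at whitespace against one that stops at the first non-alpha-non-digit character, which is the rule the IE engine follows and why a slash can separate tag and parameter. The sample markup and URLs are constructed placeholders.

```python
import re

# Constructed sample markup (assumption, not taken from the original post).
# The "slash" sample uses the IE rendering-engine quirk the post describes:
# the tag name and its first attribute are separated by "/" instead of a space.
SAMPLES = {
    "plain":  '<script src="http://example.invalid/a.js"></script>',
    "slash":  '<script/src="http://example.invalid/b.js"></script>',
    "benign": '<b>bold</b>',
}

# Naive rule: the tag name is everything up to whitespace or ">".
_WS_DELIMITED = re.compile(r"<([^\s>]+)")

# Corrected rule: the tag name ends at the first character that is neither a
# letter nor a digit, so "/" (and other non-alphanumerics) terminate it.
_NON_ALNUM_DELIMITED = re.compile(r"<([A-Za-z0-9]+)")


def tag_name_whitespace_rule(markup):
    """Return the first tag name, treating only whitespace or '>' as its end."""
    m = _WS_DELIMITED.search(markup)
    return m.group(1).lower() if m else None


def tag_name_nonalnum_rule(markup):
    """Return the first tag name, ending at the first non-alpha-non-digit char."""
    m = _NON_ALNUM_DELIMITED.search(markup)
    return m.group(1).lower() if m else None


def flags_script(markup, extractor=tag_name_nonalnum_rule):
    """True if the chosen extractor identifies the first tag as <script>."""
    return extractor(markup) == "script"


def compare_filters(samples=SAMPLES):
    """For each sample, report whether each rule recognises a <script> tag."""
    return {
        name: {
            "whitespace_rule": flags_script(m, tag_name_whitespace_rule),
            "nonalnum_rule": flags_script(m, tag_name_nonalnum_rule),
        }
        for name, m in samples.items()
    }


if __name__ == "__main__":
    for name, result in compare_filters().items():
        print(name, result)
```

The whitespace-based rule reads the whole `script/src="..."` run as the tag name and so misses the slash-separated sample, while the non-alphanumeric rule classifies both forms identically.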