> using an XSS payload list Absolutely not. Never use an XSS payload list. If you want to check for XSS, determine what characters are possible to input and if you can break out of the context you're in to run javascript. Don't rely on payloads. Also, it's worth knowing any front end frameworks that are in use. You might be able to get template injection, leading to XSS. More on reddit.com

X More on reddit.com

Guide: Basic Overview Reference: Useful reference about onevents Practice: Google's XSS Game alf.nu's XSS Game prompt.ml's XSS Game Google Firing Range - This one covers A LOT of real world like scenarios. Topics for further research: Same Origin Policy (SOP). Cross-Origin Resource Sharing (CORS). Advanced stuff: jsfuck - Nonalphanumeric jsf$ck - Variant of jsfuck without parentheses Nonalphabetic XSS - Shameless plug. I'm seriously considering writing my own guide on XSS, so if you have any specific questions or topics I should cover, let me know. More on reddit.com

If I typed a search term like 'alert("xss");//' have I done something illegal? If you follow responsible disclosure guidelines, things like this are rarely prosecuted. But technically, if the company can prove this was "unauthorized access", then yes, it is illegal. At least with US law, responsible disclosure is not legally protected and is merely an informal agreement between the security community and corporations. Like ENOTTY said, you don't want to end up like Andrew Auernheimer who disclosed a vulnerability improperly and is now being prosecuted. How significant is a non-persistent XSS? This is a reflected cross-site scripting vulnerability. The risk depends on what information and functions the site has and what protections the application uses, like HTTPOnly session cookies. Of course, since it's reflected, this would only work if you sent someone a link or coerced them into visiting your maliciously hosted request. I'm applying for an IT position there, should I mention this at the interview? IT? Maybe not. For an infosec job, I'd say yes -- but for IT you'd likely be disclosing the vulnerability to someone who isn't responsible for application security. It's possible that this could leave you liable for an improper disclosure, and probably won't score you many points in the IT department anyway. As far as I know, most websites should have a security email, like security@example.com . I can't find it anywhere. They have an email for netsec consulting, I'll probably email him instead. Yes, a security contact like security@ or sirt@, or even webmaster should get these types of notifications, but to make sure you're talking to the right people email or call and ask about who you should contact regarding site security. Make sure you're talking to someone who understands the problem and is in a position to fix it. If you emailed the CEO about it, you'd probably get the panicked, unreasonable response you're concerned about. What sort of response should I expect when contacting the company? Don't expect anything, firstly. Most of these emails are not responded to or are ignored. Most companies don't have the staff and knowledge to deal with disclosures made by the public. If you do get a response, they may thank you, ask for more details. But they may, in very rare circumstances, threaten you. This being an issue which does not directly disclose customer data, the risk here is pretty low. Good luck on the job hunt! More on reddit.com