x5s - test encodings and character transformations to find XSS hotspots

Here's a quick tutorial to get you familiar with x5s and how to use it.
I'm assuming now that you have Fiddler and x5s installed.

Configuration

Open Fiddler, go to the x5s tab, and click Enable. Type 'pqz' as the Preamble. Check the box to Enable Domain Name Targeting and add the domain 'nottrusted.com'. You're almost set up!

Test Case Configuration

Now move to the 'Test Case Configuration' tab, where you'll find all of the test cases x5s will send as character probes. We'll pick one or more from each category to get started.

U+FF1C FULLWIDTH LESS-THAN SIGN from the Transformable test type
U+0130 LATIN CAPITAL LETTER I WITH DOT ABOVE from the Transformable test type
U+0022 QUOTATION MARK from the Traditional test type
U+003E GREATER-THAN SIGN > from the Overlong test type

We're all set and ready for testing!
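To see what these probe characters can turn into on the server side, here is an added Python example (not part of x5s or of the original tutorial) that pushes the same probes, prefixed with the 'pqz' preamble, through three output pipelines and reports what comes back after the preamble. The pipeline functions, lax_decode and the other names are hypothetical stand-ins constructed for this illustration; it assumes the application reflects the probe directly after the preamble.

```python
import html
import unicodedata

PREAMBLE = "pqz"  # preamble value from the configuration step above
PROBES = {        # probe characters picked in the test case list above
    "U+FF1C": "\uff1c",  # FULLWIDTH LESS-THAN SIGN
    "U+0130": "\u0130",  # LATIN CAPITAL LETTER I WITH DOT ABOVE
    "U+0022": "\u0022",  # QUOTATION MARK
}
OVERLONG_GT = b"\xc0\xbe"  # two-byte overlong encoding of U+003E '>'

# Constructed stand-ins for an application's output handling (hypothetical).
def escape_then_normalize(value):
    return unicodedata.normalize("NFKC", html.escape(value))

def normalize_then_escape(value):
    return html.escape(unicodedata.normalize("NFKC", value))

def escape_then_lower(value):
    return html.escape(value).lower()

def reflected(pipeline):
    """Map each probe to what the pipeline emits right after the preamble."""
    return {name: pipeline(PREAMBLE + ch).partition(PREAMBLE)[2]
            for name, ch in PROBES.items()}

def hotspots(pipeline):
    """Probes that come back as a raw '<', '>' or '"' after the preamble."""
    return [n for n, out in reflected(pipeline).items() if out[:1] in ('<', '>', '"')]

def lax_decode(data):
    """Constructed decoder that, unlike a strict one, accepts overlong 2-byte forms."""
    out, i = [], 0
    while i < len(data):
        if 0xC0 <= data[i] <= 0xDF and i + 1 < len(data):
            out.append(chr(((data[i] & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(data[i]))
            i += 1
    return "".join(out)

def strict_rejects(data):
    """True when Python's strict UTF-8 decoder refuses the bytes."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False

if __name__ == "__main__":
    for fn in (escape_then_normalize, normalize_then_escape, escape_then_lower):
        print(fn.__name__, ascii(reflected(fn)), hotspots(fn))
    print(repr(lax_decode(OVERLONG_GT)), strict_rejects(OVERLONG_GT))
```

Only the pipeline that normalizes after escaping returns U+FF1C as a raw '<'; normalizing first and escaping last, and decoding input with a strict UTF-8 decoder, leaves none of the probes as raw markup.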