GhettoXSS Cheatsheet

A ghetto collection of XSS payloads that I find to be useful during penetration tests, especially when faced with WAFs or application-based black-list filtering, but feel free to disagree or shoot your AK-74 in the air.

Simple character manipulations

Note that I use hexadecimal to represent characters that you probably can't type. For example, \x00 equals a null byte, but you'll need to encode this properly depending on the context (URL encoding \x00 = %00).

- HaRdc0r3 caS3 s3nsit1vITy bYpa55!
- Null-byte character between HTML attribute name and equal sign (IE, Safari).
- Slash character between HTML attribute name and equal sign (IE, Firefox, Chrome, Safari).
- Vertical tab between HTML attribute name and equal sign (IE, Safari).
- Null-byte character between equal sign and JavaScript code (IE).
- Null-byte character between characters of HTML attribute names (IE).
- Null-byte character before characters of HTML element names (IE).
- Null-byte character after characters of HTML element names (IE, Safari).
- Null-byte character between characters of HTML element names (IE).
- Use slashes instead of whitespace (IE, Firefox, Chrome, Safari).
- Use vertical tabs instead of whitespace (IE, Safari).
- Use quotes instead of whitespace in some situations (Safari).
- Use null-bytes instead of whitespace in some situations (IE).
- Just don't use spaces (IE, Firefox, Chrome, Safari).

Prefix URI schemes

- Firefox (\x09, \x0a, \x0d, \x20)
- Chrome (any character \x01 to \x20)

- No greater-than characters needed (IE, Firefox, Chrome, Safari).
alert(0)
- Backslash character between expression and opening parenthesis (IE).

JavaScript Escaping

Encoding Galore

HTML Attribute Encoding
URL Encoding
CSS Hexadecimal Encoding (IE specific examples)
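The prefix and null-byte tricks listed above all target filters that compare the raw attribute value instead of what the browser will actually parse. As an added defensive example (not code from this cheat sheet), the Python below canonicalises a URL-bearing attribute value the way the page says browsers do, dropping leading \x01-\x20 characters (the Chrome set, which contains Firefox's) and null bytes, and then applies a scheme allow-list. The naive substring check beside it is constructed here to show how a typical black-list filter misses the same inputs; the allow-list contents and all sample values are assumptions for illustration.

```python
import re

# Leading control characters Chrome tolerates before a URI scheme (per the
# cheat sheet: any of \x01-\x20); Firefox's \x09 \x0a \x0d \x20 is a subset.
SCHEME_PREFIX_JUNK = re.compile(r"^[\x01-\x20]+")

# Pattern for a URI scheme at the start of the value (RFC 3986 scheme chars).
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)

# Assumed allow-list; a real application would tailor this to its needs.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def canonical_scheme(value: str) -> str:
    """Return the lowercase scheme a browser would see in this attribute
    value, or '' if the value is scheme-less (e.g. a relative URL).

    Leading \x01-\x20 characters are dropped and null bytes removed before
    the scheme is read, mirroring the parser behaviour the cheat sheet lists.
    """
    stripped = SCHEME_PREFIX_JUNK.sub("", value)
    stripped = stripped.replace("\x00", "")  # IE ignores nulls inside names
    match = SCHEME_RE.match(stripped)
    return match.group(1).lower() if match else ""


def is_allowed_url(value: str) -> bool:
    """Allow-list check: relative URLs and the listed schemes pass, nothing
    else does. Unknown schemes are rejected rather than pattern-matched."""
    scheme = canonical_scheme(value)
    return scheme == "" or scheme in ALLOWED_SCHEMES


def naive_blocklist_hit(value: str) -> bool:
    """Constructed stand-in for a black-list filter: a case-insensitive prefix
    match on the raw value. str.lstrip() removes only ordinary whitespace,
    so \x01-\x08 prefixes and embedded nulls slip past it."""
    return value.lower().lstrip().startswith("javascript:")


if __name__ == "__main__":
    # Constructed sample attribute values, written with the page's \xNN notation.
    samples = [
        "https://example.com/",
        "/relative/path",
        "\x09javascript:alert(0)",      # Firefox-accepted prefix
        "\x01\x02JaVaScRiPt:alert(0)",  # Chrome-accepted prefix + case games
        "java\x00script:alert(0)",      # null byte inside the scheme
    ]
    for s in samples:
        print(f"{s!r:32} scheme={canonical_scheme(s)!r:12} "
              f"allowed={is_allowed_url(s)} blocklist_hit={naive_blocklist_hit(s)}")
```

Run as a script it prints one line per constructed sample; the three crafted values are all rejected by the allow-list but only the tab-prefixed one registers on the naive black-list, which is the gap these payloads exploit.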