blob: cdbac02377d5c37a7960a38f37155a72988a93b2 (blame: Ed Tanous, commit f927347, 2017-02-28 16:05:13 -0800)
# sourced from https://raw.githubusercontent.com/minimaxir/big-list-of-naughty-strings/master/blns.txt

# Reserved Strings
#
# Strings which may be used elsewhere in code

undefined
undef
null
NULL
(null)
nil
NIL
true
false
True
False
TRUE
FALSE
None
hasOwnProperty
\
\\

# Numeric Strings
#
# Strings which can be interpreted as numeric

0
1
1.00
$1.00
1/2
1E2
1E02
1E+02
-1
-1.00
-$1.00
-1/2
-1E2
-1E02
-1E+02
1/0
0/0
-2147483648/-1
-9223372036854775808/-1
-0
-0.0
+0
+0.0
0.00
0..0
.
0.0.0
0,00
0,,0
,
0,0,0
0.0/0
1.0/0.0
0.0/0.0
1,0/0,0
0,0/0,0
--1
-
-.
-,
999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
NaN
Infinity
-Infinity
INF
1#INF
-1#IND
1#QNAN
1#SNAN
1#IND
0x0
0xffffffff
0xffffffffffffffff
0xabad1dea
123456789012345678901234567890123456789
1,000.00
1 000.00
1'000.00
1,000,000.00
1 000 000.00
1'000'000.00
1.000,00
1 000,00
1'000,00
1.000.000,00
1 000 000,00
1'000'000,00
01000
08
09
2.2250738585072011e-308

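# Added example (not part of blns.txt, and not code from the project that
# vendors it): the strings above sorted into those a lenient parser takes and
# those a strict one should.  Python's float() plays the lenient parser; the
# strict_amount grammar, MAX_LEN and the helper names are assumptions made for
# this example.  It also exercises the "Unicode Numbers" section further down,
# because float(), int() and the regex class \d all accept non-ASCII decimal
# digits.

```python
"""Numeric-string triage for the blns 'Numeric Strings' and 'Unicode Numbers'
sections.  Added example; the helpers below are hypothetical, not blns code."""
import re
from decimal import Decimal

# Grammar an amount/quantity field should accept: optional sign, ASCII digits,
# optional fraction.  No exponent, no hex, no grouping separators, no
# NaN/Infinity, no '1/0', and a length cap.  [0-9] is deliberate: \d in a
# Python str pattern also matches Arabic-Indic and other Nd digits.
_STRICT = re.compile(r"[+-]?[0-9]+(\.[0-9]+)?")
MAX_LEN = 32  # assumed policy


def lenient_float(s):
    """What a typical code path does: float(s), or None when it raises.

    Accepts 'NaN', 'Infinity', 'INF', exponents and Unicode decimal digits.
    """
    try:
        return float(s)
    except ValueError:
        return None


def strict_amount(s):
    """Return Decimal(s) only if s matches the grammar; otherwise raise."""
    if len(s) > MAX_LEN:
        raise ValueError("too long")
    if not _STRICT.fullmatch(s):
        raise ValueError("not a plain decimal amount")
    return Decimal(s)


def triage(strings):
    """Map each string to (lenient_result, strict_accepted)."""
    result = {}
    for s in strings:
        try:
            strict_amount(s)
            strict_ok = True
        except ValueError:
            strict_ok = False
        result[s] = (lenient_float(s), strict_ok)
    return result


# Constructed subset of the section above plus the Arabic-Indic digits from
# 'Unicode Numbers'; the full file has many more.
SAMPLE = ["1.00", "-1E+02", "NaN", "Infinity", "INF", "0x0", "1,000.00",
          "1/0", "-0", "01000", "١٢٣", "9" * 96]

if __name__ == "__main__":
    for s, (lenient, strict_ok) in triage(SAMPLE).items():
        print(f"{s[:20]!r:24} float()={lenient!r:12} strict={strict_ok}")
```

# Two things usually surprise people here: a NaN that passed validation
# compares unequal to itself in every later check, and a string of Arabic-Indic
# digits satisfies both float() and a \d-based regex while looking nothing like
# a number to the reviewer reading the log.
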
# Special Characters
#
# ASCII punctuation. All of these characters may need to be escaped in some
# contexts. Divided into three groups based on (US-layout) keyboard position.

,./;'[]\-=
<>?:"{}|_+
!@#$%^&*()`~

# Non-whitespace C0 controls: U+0001 through U+0008, U+000E through U+001F,
# and U+007F (DEL)
# Often forbidden to appear in various text-based file formats (e.g. XML),
# or reused for internal delimiters on the theory that they should never
# appear in input.
# The next line may appear to be blank or mojibake in some viewers.
116

# Non-whitespace C1 controls: U+0080 through U+0084 and U+0086 through U+009F.
# Commonly misinterpreted as additional graphic characters.
# The next line may appear to be blank, mojibake, or dingbats in some viewers.
€‚ƒ„†‡ˆ‰Š‹ŒŽ‘’“”•–—˜™š›œžŸ

# Whitespace: all of the characters with category Zs, Zl, or Zp (in Unicode
# version 8.0.0), plus U+0009 (HT), U+000B (VT), U+000C (FF), U+0085 (NEL),
# and U+200B (ZERO WIDTH SPACE), which are in the C categories but are often
# treated as whitespace in some contexts.
# This file unfortunately cannot express strings containing
# U+0000, U+000A, or U+000D (NUL, LF, CR).
# The next line may appear to be blank or mojibake in some viewers.
# The next line may be flagged for "trailing whitespace" in some viewers.
131 …             ​

   

# Unicode additional control characters: all of the characters with
# general category Cf (in Unicode 8.0.0).
# The next line may appear to be blank or mojibake in some viewers.
­؀؁؂؃؄؅؜۝܏᠎​‌‍‎‏‪‫‬‭‮⁠⁡⁢⁣⁤⁦⁧⁨⁩𑂽𛲠𛲡𛲢𛲣𝅳𝅴𝅵𝅶𝅷𝅸𝅹𝅺󠀁󠀠󠀡󠀢󠀣󠀤󠀥󠀦󠀧󠀨󠀩󠀪󠀫󠀬󠀭󠀮󠀯󠀰󠀱󠀲󠀳󠀴󠀵󠀶󠀷󠀸󠀹󠀺󠀻󠀼󠀽󠀾󠀿󠁀󠁁󠁂󠁃󠁄󠁅󠁆󠁇󠁈󠁉󠁊󠁋󠁌󠁍󠁎󠁏󠁐󠁑󠁒󠁓󠁔󠁕󠁖󠁗󠁘󠁙󠁚󠁛󠁜󠁝󠁞󠁟󠁠󠁡󠁢󠁣󠁤󠁥󠁦󠁧󠁨󠁩󠁪󠁫󠁬󠁭󠁮󠁯󠁰󠁱󠁲󠁳󠁴󠁵󠁶󠁷󠁸󠁹󠁺󠁻󠁼󠁽󠁾󠁿

# "Byte order marks", U+FEFF and U+FFFE, each on its own line.
# The next two lines may appear to be blank or mojibake in some viewers.
140
141

# Unicode Symbols
#
# Strings which contain common unicode symbols (e.g. smart quotes)

Ω≈ç√∫˜µ≤≥÷
åß∂ƒ©˙∆˚¬…æ
œ∑´®†¥¨ˆøπ“‘
¡™£¢∞§¶•ªº–≠
¸˛Ç◊ı˜Â¯˘¿
ÅÍÎÏ˝ÓÔÒÚÆ☃
Œ„´‰ˇÁ¨ˆØ∏”’
`⁄€‹›fifl‡°·‚—±
⅛⅜⅝⅞
ЁЂЃЄЅІЇЈЉЊЋЌЍЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯабвгдежзийклмнопрстуфхцчшщъыьэюя
٠١٢٣٤٥٦٧٨٩

# Unicode Subscript/Superscript/Accents
#
# Strings which contain unicode subscripts/superscripts; can cause rendering issues

⁰⁴⁵
₀₁₂
⁰⁴⁵₀₁₂
ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็

# Quotation Marks
#
# Strings which contain misplaced quotation marks; can cause encoding errors

'
"
''
""
'"'
"''''"'"
"'"'"''''"
<foo val=“bar” />
<foo val=“bar” />
<foo val=”bar“ />
<foo val=`bar' />

# Two-Byte Characters
#
# Strings which contain characters outside ASCII that take several bytes in
# UTF-8 (three for the CJK and Hangul lines, four for the last line, which also
# needs two UTF-16 code units); can cause rendering issues or character-length issues

田中さんにあげて下さい
パーティーへ行かないか
和製漢語
部落格
사회과학원 어학연구소
찦차를 타고 온 펲시맨과 쑛다리 똠방각하
社會科學院語學研究所
울란바토르
𠜎𠜱𠝹𠱓𠱸𠲖𠳏

# Changing length when lowercased
#
# Characters which increase in length (2 to 3 bytes in UTF-8) when lowercased
# Credit: https://twitter.com/jifa/status/625776454479970304

Ⱥ
Ⱦ

# Japanese Emoticons
#
# Strings which consist of Japanese-style emoticons which are popular on the web

ヽ༼ຈل͜ຈ༽ノ ヽ༼ຈل͜ຈ༽ノ
(。◕ ∀ ◕。)
`ィ(´∀`∩
__ロ(,_,*)
・( ̄∀ ̄)・:*:
゚・✿ヾ╲(。◕‿◕。)╱✿・゚
,。・:*:・゜’( ☻ ω ☻ )。・:*:・゜’
(╯°□°)╯︵ ┻━┻)
(ノಥ益ಥ)ノ ┻━┻
┬─┬ノ( º _ ºノ)
( ͡° ͜ʖ ͡°)

# Emoji
#
# Strings which contain Emoji. Each is four bytes in UTF-8 (two UTF-16 code
# units), and several are sequences of more than one code point (skin-tone
# modifiers, variation selectors, keycap combining marks), so code that counts
# or truncates characters often treats them differently from the multi-byte
# characters above

😍
👩🏽
👾 🙇 💁 🙅 🙆 🙋 🙎 🙍
🐵 🙈 🙉 🙊
❤️ 💔 💌 💕 💞 💓 💗 💖 💘 💝 💟 💜 💛 💚 💙
✋🏿 💪🏿 👐🏿 🙌🏿 👏🏿 🙏🏿
🚾 🆒 🆓 🆕 🆖 🆗 🆙 🏧
0️⃣ 1️⃣ 2️⃣ 3️⃣ 4️⃣ 5️⃣ 6️⃣ 7️⃣ 8️⃣ 9️⃣ 🔟

# Regional Indicator Symbols
#
# Regional Indicator Symbols can be displayed differently across
# fonts, and have a number of special behaviors

🇺🇸🇷🇺🇸 🇦🇫🇦🇲🇸
🇺🇸🇷🇺🇸🇦🇫🇦🇲
🇺🇸🇷🇺🇸🇦

# Unicode Numbers
#
# Strings which contain unicode numbers; if the code is localized, it should see the input as numeric

123
١٢٣

# Right-To-Left Strings
#
# Strings which contain text that should be rendered RTL if possible (e.g. Arabic, Hebrew)

ثم نفس سقطت وبالتحديد،, جزيرتي باستخدام أن دنو. إذ هنا؟ الستار وتنصيب كان. أهّل ايطاليا، بريطانيا-فرنسا قد أخذ. سليمان، إتفاقية بين ما, يذكر الحدود أي بعد, معاملة بولندا، الإطلاق عل إيو.
בְּרֵאשִׁית, בָּרָא אֱלֹהִים, אֵת הַשָּׁמַיִם, וְאֵת הָאָרֶץ
הָיְתָהtestالصفحات التّحول


مُنَاقَشَةُ سُبُلِ اِسْتِخْدَامِ اللُّغَةِ فِي النُّظُمِ الْقَائِمَةِ وَفِيم يَخُصَّ التَّطْبِيقَاتُ الْحاسُوبِيَّةُ،

# Trick Unicode
#
# Strings which contain unicode with unusual properties (e.g. Right-to-left override) (cf. http://www.unicode.org/charts/PDF/U2000.pdf)

‪‪test‪
‫test‫
268
test

test⁠test‫
⁦test⁧

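# Added example (not blns code): one scanner for the C0/C1 control, whitespace,
# Cf and bidi-control sections above and for the "Trick Unicode" section just
# here.  It classifies every character with the standard unicodedata module; the
# label names, the set of controls allowed through (tab, LF, CR) and the
# constructed sample inputs are this example's assumptions.

```python
"""Scanner for control, format, separator and bidirectional-control characters.
Added example, not blns code; the labels returned are this example's own."""
import unicodedata

# Explicit bidirectional formatting characters (UAX #9 classes).  Right-to-left
# override tricks and "Trojan Source" source-code attacks rely on these.
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}

# C0 controls that ordinary text may legitimately contain (assumed policy).
ALLOWED_CONTROLS = {"\t", "\n", "\r"}


def classify(ch):
    """Return a short label for a character worth flagging, or None."""
    if ch in ALLOWED_CONTROLS:
        return None
    if unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES:
        return "bidi-control"
    cat = unicodedata.category(ch)
    if cat == "Cc":
        return "control"        # C0 (U+0001..U+001F, U+007F) and C1 (U+0080..U+009F)
    if cat == "Cf":
        return "format"         # zero-width characters, soft hyphen, BOM, tag characters
    if cat in ("Zl", "Zp"):
        return "separator"      # U+2028 LINE SEPARATOR, U+2029 PARAGRAPH SEPARATOR
    if cat == "Zs" and ch != " ":
        return "unusual-space"  # NBSP, ideographic space, hair space, ...
    if cat in ("Cn", "Cs", "Co"):
        return "unassigned"     # noncharacters such as U+FFFE, surrogates, private use
    return None


def find_suspicious(text):
    """List (index, 'U+XXXX', label, name) for every flagged character."""
    hits = []
    for i, ch in enumerate(text):
        label = classify(ch)
        if label:
            hits.append((i, f"U+{ord(ch):04X}", label, unicodedata.name(ch, "<unnamed>")))
    return hits


def has_bidi_controls(text):
    """Cheap pre-check for file names, identifiers and source code."""
    return any(unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES for ch in text)


def strip_suspicious(text):
    """Drop flagged characters; suitable for identifiers, not for free text."""
    return "".join(ch for ch in text if classify(ch) is None)


# Constructed inputs modelled on the lines above: an RLO hiding a file
# extension, a zero-width space inside a word, NBSP, NEL and a leading BOM.
SAMPLES = ["invoice\u202etxt.exe", "ad\u200bmin", "a\u00a0b", "x\u0085y", "\ufefftest"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), find_suspicious(s))
```

# Flag rather than silently strip wherever the value is shown to a human later:
# "ad\u200bmin" survives a uniqueness check against "admin" and then renders
# identically to it.
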
# Zalgo Text
#
# Strings made of base letters with many stacked combining marks ("corrupted" text); how much of the effect is visible depends on the renderer (via http://www.eeemo.net)

Ṱ̺̺̕o͞ ̷i̲̬͇̪͙n̝̗͕v̟̜̘̦͟o̶̙̰̠kè͚̮̺̪̹̱̤ ̖t̝͕̳̣̻̪͞h̼͓̲̦̳̘̲e͇̣̰̦̬͎ ̢̼̻̱̘h͚͎͙̜̣̲ͅi̦̲̣̰̤v̻͍e̺̭̳̪̰-m̢iͅn̖̺̞̲̯̰d̵̼̟͙̩̼̘̳ ̞̥̱̳̭r̛̗̘e͙p͠r̼̞̻̭̗e̺̠̣͟s̘͇̳͍̝͉e͉̥̯̞̲͚̬͜ǹ̬͎͎̟̖͇̤t͍̬̤͓̼̭͘ͅi̪̱n͠g̴͉ ͏͉ͅc̬̟h͡a̫̻̯͘o̫̟̖͍̙̝͉s̗̦̲.̨̹͈̣
̡͓̞ͅI̗̘̦͝n͇͇͙v̮̫ok̲̫̙͈i̖͙̭̹̠̞n̡̻̮̣̺g̲͈͙̭͙̬͎ ̰t͔̦h̞̲e̢̤ ͍̬̲͖f̴̘͕̣è͖ẹ̥̩l͖͔͚i͓͚̦͠n͖͍̗͓̳̮g͍ ̨o͚̪͡f̘̣̬ ̖̘͖̟͙̮c҉͔̫͖͓͇͖ͅh̵̤̣͚͔á̗̼͕ͅo̼̣̥s̱͈̺̖̦̻͢.̛̖̞̠̫̰
̗̺͖̹̯͓Ṯ̤͍̥͇͈h̲́e͏͓̼̗̙̼̣͔ ͇̜̱̠͓͍ͅN͕͠e̗̱z̘̝̜̺͙p̤̺̹͍̯͚e̠̻̠͜r̨̤͍̺̖͔̖̖d̠̟̭̬̝͟i̦͖̩͓͔̤a̠̗̬͉̙n͚͜ ̻̞̰͚ͅh̵͉i̳̞v̢͇ḙ͎͟-҉̭̩̼͔m̤̭̫i͕͇̝̦n̗͙ḍ̟ ̯̲͕͞ǫ̟̯̰̲͙̻̝f ̪̰̰̗̖̭̘͘c̦͍̲̞͍̩̙ḥ͚a̮͎̟̙͜ơ̩̹͎s̤.̝̝ ҉Z̡̖̜͖̰̣͉̜a͖̰͙̬͡l̲̫̳͍̩g̡̟̼̱͚̞̬ͅo̗͜.̟
̦H̬̤̗̤͝e͜ ̜̥̝̻͍̟́w̕h̖̯͓o̝͙̖͎̱̮ ҉̺̙̞̟͈W̷̼̭a̺̪͍į͈͕̭͙̯̜t̶̼̮s̘͙͖̕ ̠̫̠B̻͍͙͉̳ͅe̵h̵̬͇̫͙i̹͓̳̳̮͎̫̕n͟d̴̪̜̖ ̰͉̩͇͙̲͞ͅT͖̼͓̪͢h͏͓̮̻e̬̝̟ͅ ̤̹̝W͙̞̝͔͇͝ͅa͏͓͔̹̼̣l̴͔̰̤̟͔ḽ̫.͕
Z̮̞̠͙͔ͅḀ̗̞͈̻̗Ḷ͙͎̯̹̞͓G̻O̭̗̮

# Unicode Upsidedown
#
# Strings which contain unicode with an "upsidedown" effect (via http://www.upsidedowntext.com)

˙ɐnbᴉlɐ ɐuƃɐɯ ǝɹolop ʇǝ ǝɹoqɐl ʇn ʇunpᴉpᴉɔuᴉ ɹodɯǝʇ poɯsnᴉǝ op pǝs 'ʇᴉlǝ ƃuᴉɔsᴉdᴉpɐ ɹnʇǝʇɔǝsuoɔ 'ʇǝɯɐ ʇᴉs ɹolop ɯnsdᴉ ɯǝɹo˥
00˙Ɩ$-

# Unicode font
#
# Strings which contain bold/italic/etc. versions of normal characters

The quick brown fox jumps over the lazy dog
𝐓𝐡𝐞 𝐪𝐮𝐢𝐜𝐤 𝐛𝐫𝐨𝐰𝐧 𝐟𝐨𝐱 𝐣𝐮𝐦𝐩𝐬 𝐨𝐯𝐞𝐫 𝐭𝐡𝐞 𝐥𝐚𝐳𝐲 𝐝𝐨𝐠
𝕿𝖍𝖊 𝖖𝖚𝖎𝖈𝖐 𝖇𝖗𝖔𝖜𝖓 𝖋𝖔𝖝 𝖏𝖚𝖒𝖕𝖘 𝖔𝖛𝖊𝖗 𝖙𝖍𝖊 𝖑𝖆𝖟𝖞 𝖉𝖔𝖌
𝑻𝒉𝒆 𝒒𝒖𝒊𝒄𝒌 𝒃𝒓𝒐𝒘𝒏 𝒇𝒐𝒙 𝒋𝒖𝒎𝒑𝒔 𝒐𝒗𝒆𝒓 𝒕𝒉𝒆 𝒍𝒂𝒛𝒚 𝒅𝒐𝒈
𝓣𝓱𝓮 𝓺𝓾𝓲𝓬𝓴 𝓫𝓻𝓸𝔀𝓷 𝓯𝓸𝔁 𝓳𝓾𝓶𝓹𝓼 𝓸𝓿𝓮𝓻 𝓽𝓱𝓮 𝓵𝓪𝔃𝔂 𝓭𝓸𝓰
𝕋𝕙𝕖 𝕢𝕦𝕚𝕔𝕜 𝕓𝕣𝕠𝕨𝕟 𝕗𝕠𝕩 𝕛𝕦𝕞𝕡𝕤 𝕠𝕧𝕖𝕣 𝕥𝕙𝕖 𝕝𝕒𝕫𝕪 𝕕𝕠𝕘
𝚃𝚑𝚎 𝚚𝚞𝚒𝚌𝚔 𝚋𝚛𝚘𝚠𝚗 𝚏𝚘𝚡 𝚓𝚞𝚖𝚙𝚜 𝚘𝚟𝚎𝚛 𝚝𝚑𝚎 𝚕𝚊𝚣𝚢 𝚍𝚘𝚐
⒯⒣⒠ ⒬⒰⒤⒞⒦ ⒝⒭⒪⒲⒩ ⒡⒪⒳ ⒥⒰⒨⒫⒮ ⒪⒱⒠⒭ ⒯⒣⒠ ⒧⒜⒵⒴ ⒟⒪⒢

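# Added example (not blns code) covering the "Two-Byte Characters", "Changing
# length when lowercased", "Emoji", "Regional Indicator Symbols" and "Unicode
# font" sections above: the same string has three different lengths depending on
# the layer looking at it, and the length can change again after lowercasing or
# NFKC normalization, so a byte budget has to be checked on the value that will
# actually be stored.  The helper names, the NFKC+casefold policy and the probe
# strings are assumptions made for this example.

```python
"""Length and normalization checks for multi-byte, emoji, case-changing and
'Unicode font' strings.  Added example; the helpers are hypothetical."""
import unicodedata


def lengths(s):
    """The three lengths different layers see for the same string."""
    return {
        "code_points": len(s),
        "utf8_bytes": len(s.encode("utf-8")),
        "utf16_units": len(s.encode("utf-16-le")) // 2,
    }


def truncate_utf8(s, max_bytes):
    """Cut to at most max_bytes of UTF-8 without leaving a partial sequence."""
    return s.encode("utf-8")[:max_bytes].decode("utf-8", errors="ignore")


def canonical(s):
    """The transforms this (assumed) application applies before storing or
    comparing a value.  NFKC folds mathematical alphanumerics such as 𝐓𝐡𝐞 and
    𝕋𝕙𝕖 to plain letters and ligatures such as ﬁ to 'fi'; casefold()
    lowercases and expands e.g. 'ß' to 'ss' and 'Ⱥ' to the 3-byte 'ⱥ'."""
    return unicodedata.normalize("NFKC", s).casefold()


def fits_after_canonical(s, max_bytes):
    """Check the byte budget on the value that will actually be stored."""
    return len(canonical(s).encode("utf-8")) <= max_bytes


def fits_before_canonical(s, max_bytes):
    """The common mistake: check the raw input, then transform it."""
    return len(s.encode("utf-8")) <= max_bytes


# Constructed probes drawn from the sections above.
PROBES = ["田中さんにあげて下さい", "👩🏽", "🇺🇸", "Ⱥ", "Ⱦ", "𝐓𝐡𝐞 𝐪𝐮𝐢𝐜𝐤", "ﬁ", "ß"]

if __name__ == "__main__":
    for p in PROBES:
        print(f"{p!r:18} {lengths(p)}  canonical={canonical(p)!r} "
              f"bytes_after={len(canonical(p).encode('utf-8'))}")
```

# The NFKC fold is also why a "𝕋𝕙𝕖 𝕢𝕦𝕚𝕔𝕜" user name must be compared to
# existing names after normalization: before it, it is distinct from "the
# quick"; after it, it collides.
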
# Script Injection
#
# Strings which attempt a benign script injection (alert/prompt); any that execute show vulnerability to XSS

<script>alert(123)</script>
&lt;script&gt;alert(&#39;123&#39;);&lt;/script&gt;
<img src=x onerror=alert(123) />
<svg><script>123<1>alert(123)</script>
"><script>alert(123)</script>
'><script>alert(123)</script>
><script>alert(123)</script>
</script><script>alert(123)</script>
< / script >< script >alert(123)< / script >
 onfocus=JaVaSCript:alert(123) autofocus
" onfocus=JaVaSCript:alert(123) autofocus
' onfocus=JaVaSCript:alert(123) autofocus
<script>alert(123)</script>
<sc<script>ript>alert(123)</sc</script>ript>
--><script>alert(123)</script>
";alert(123);t="
';alert(123);t='
JavaSCript:alert(123)
;alert(123);
src=JaVaSCript:prompt(132)
"><script>alert(123);</script x="
'><script>alert(123);</script x='
><script>alert(123);</script x=
" autofocus onkeyup="javascript:alert(123)
' autofocus onkeyup='javascript:alert(123)
<script\x20type="text/javascript">javascript:alert(1);</script>
<script\x3Etype="text/javascript">javascript:alert(1);</script>
<script\x0Dtype="text/javascript">javascript:alert(1);</script>
<script\x09type="text/javascript">javascript:alert(1);</script>
<script\x0Ctype="text/javascript">javascript:alert(1);</script>
<script\x2Ftype="text/javascript">javascript:alert(1);</script>
<script\x0Atype="text/javascript">javascript:alert(1);</script>
'`"><\x3Cscript>javascript:alert(1)</script>
'`"><\x00script>javascript:alert(1)</script>
ABC<div style="x\x3Aexpression(javascript:alert(1)">DEF
ABC<div style="x:expression\x5C(javascript:alert(1)">DEF
ABC<div style="x:expression\x00(javascript:alert(1)">DEF
ABC<div style="x:exp\x00ression(javascript:alert(1)">DEF
ABC<div style="x:exp\x5Cression(javascript:alert(1)">DEF
ABC<div style="x:\x0Aexpression(javascript:alert(1)">DEF
ABC<div style="x:\x09expression(javascript:alert(1)">DEF
ABC<div style="x:\xE3\x80\x80expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x84expression(javascript:alert(1)">DEF
ABC<div style="x:\xC2\xA0expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x80expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x8Aexpression(javascript:alert(1)">DEF
ABC<div style="x:\x0Dexpression(javascript:alert(1)">DEF
ABC<div style="x:\x0Cexpression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x87expression(javascript:alert(1)">DEF
ABC<div style="x:\xEF\xBB\xBFexpression(javascript:alert(1)">DEF
ABC<div style="x:\x20expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x88expression(javascript:alert(1)">DEF
ABC<div style="x:\x00expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x8Bexpression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x86expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x85expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x82expression(javascript:alert(1)">DEF
ABC<div style="x:\x0Bexpression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x81expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x83expression(javascript:alert(1)">DEF
ABC<div style="x:\xE2\x80\x89expression(javascript:alert(1)">DEF
<a href="\x0Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xC2\xA0javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x05javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE1\xA0\x8Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x18javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x11javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x88javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x89javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x17javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x03javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x00javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x10javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x82javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x20javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x13javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x09javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x8Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x14javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x19javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\xAFjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x81javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Djavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x87javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x07javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE1\x9A\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x83javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x04javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x01javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x08javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x84javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x86javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE3\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x12javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Djavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x15javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\xA8javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x16javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x02javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x06javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\xA9javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x85javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x81\x9Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x00:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x3A:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x09:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x0D:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x0A:javascript:alert(1)" id="fuzzelement1">test</a>
`"'><img src=xxx:x \x0Aonerror=javascript:alert(1)>
`"'><img src=xxx:x \x22onerror=javascript:alert(1)>
`"'><img src=xxx:x \x0Bonerror=javascript:alert(1)>
`"'><img src=xxx:x \x0Donerror=javascript:alert(1)>
`"'><img src=xxx:x \x2Fonerror=javascript:alert(1)>
`"'><img src=xxx:x \x09onerror=javascript:alert(1)>
`"'><img src=xxx:x \x0Conerror=javascript:alert(1)>
`"'><img src=xxx:x \x00onerror=javascript:alert(1)>
`"'><img src=xxx:x \x27onerror=javascript:alert(1)>
`"'><img src=xxx:x \x20onerror=javascript:alert(1)>
"`'><script>\x3Bjavascript:alert(1)</script>
"`'><script>\x0Djavascript:alert(1)</script>
"`'><script>\xEF\xBB\xBFjavascript:alert(1)</script>
"`'><script>\xE2\x80\x81javascript:alert(1)</script>
"`'><script>\xE2\x80\x84javascript:alert(1)</script>
"`'><script>\xE3\x80\x80javascript:alert(1)</script>
"`'><script>\x09javascript:alert(1)</script>
"`'><script>\xE2\x80\x89javascript:alert(1)</script>
"`'><script>\xE2\x80\x85javascript:alert(1)</script>
"`'><script>\xE2\x80\x88javascript:alert(1)</script>
"`'><script>\x00javascript:alert(1)</script>
"`'><script>\xE2\x80\xA8javascript:alert(1)</script>
"`'><script>\xE2\x80\x8Ajavascript:alert(1)</script>
"`'><script>\xE1\x9A\x80javascript:alert(1)</script>
"`'><script>\x0Cjavascript:alert(1)</script>
"`'><script>\x2Bjavascript:alert(1)</script>
"`'><script>\xF0\x90\x96\x9Ajavascript:alert(1)</script>
"`'><script>-javascript:alert(1)</script>
"`'><script>\x0Ajavascript:alert(1)</script>
"`'><script>\xE2\x80\xAFjavascript:alert(1)</script>
"`'><script>\x7Ejavascript:alert(1)</script>
"`'><script>\xE2\x80\x87javascript:alert(1)</script>
"`'><script>\xE2\x81\x9Fjavascript:alert(1)</script>
"`'><script>\xE2\x80\xA9javascript:alert(1)</script>
"`'><script>\xC2\x85javascript:alert(1)</script>
"`'><script>\xEF\xBF\xAEjavascript:alert(1)</script>
"`'><script>\xE2\x80\x83javascript:alert(1)</script>
"`'><script>\xE2\x80\x8Bjavascript:alert(1)</script>
"`'><script>\xEF\xBF\xBEjavascript:alert(1)</script>
"`'><script>\xE2\x80\x80javascript:alert(1)</script>
"`'><script>\x21javascript:alert(1)</script>
"`'><script>\xE2\x80\x82javascript:alert(1)</script>
"`'><script>\xE2\x80\x86javascript:alert(1)</script>
"`'><script>\xE1\xA0\x8Ejavascript:alert(1)</script>
"`'><script>\x0Bjavascript:alert(1)</script>
"`'><script>\x20javascript:alert(1)</script>
"`'><script>\xC2\xA0javascript:alert(1)</script>
<img \x00src=x onerror="alert(1)">
<img \x47src=x onerror="javascript:alert(1)">
<img \x11src=x onerror="javascript:alert(1)">
<img \x12src=x onerror="javascript:alert(1)">
<img\x47src=x onerror="javascript:alert(1)">
<img\x10src=x onerror="javascript:alert(1)">
<img\x13src=x onerror="javascript:alert(1)">
<img\x32src=x onerror="javascript:alert(1)">
<img\x47src=x onerror="javascript:alert(1)">
<img\x11src=x onerror="javascript:alert(1)">
<img \x47src=x onerror="javascript:alert(1)">
<img \x34src=x onerror="javascript:alert(1)">
<img \x39src=x onerror="javascript:alert(1)">
<img \x00src=x onerror="javascript:alert(1)">
<img src\x09=x onerror="javascript:alert(1)">
<img src\x10=x onerror="javascript:alert(1)">
<img src\x13=x onerror="javascript:alert(1)">
<img src\x32=x onerror="javascript:alert(1)">
<img src\x12=x onerror="javascript:alert(1)">
<img src\x11=x onerror="javascript:alert(1)">
<img src\x00=x onerror="javascript:alert(1)">
<img src\x47=x onerror="javascript:alert(1)">
<img src=x\x09onerror="javascript:alert(1)">
<img src=x\x10onerror="javascript:alert(1)">
<img src=x\x11onerror="javascript:alert(1)">
<img src=x\x12onerror="javascript:alert(1)">
<img src=x\x13onerror="javascript:alert(1)">
<img[a][b][c]src[d]=x[e]onerror=[f]"alert(1)">
<img src=x onerror=\x09"javascript:alert(1)">
<img src=x onerror=\x10"javascript:alert(1)">
<img src=x onerror=\x11"javascript:alert(1)">
<img src=x onerror=\x12"javascript:alert(1)">
<img src=x onerror=\x32"javascript:alert(1)">
<img src=x onerror=\x00"javascript:alert(1)">
<a href=java&#1&#2&#3&#4&#5&#6&#7&#8&#11&#12script:javascript:alert(1)>XXX</a>
<img src="x` `<script>javascript:alert(1)</script>"` `>
<img src onerror /" '"= alt=javascript:alert(1)//">
<title onpropertychange=javascript:alert(1)></title><title title=>
<a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x onerror=javascript:alert(1)></a>">
<!--[if]><script>javascript:alert(1)</script -->
<!--[if<img src=x onerror=javascript:alert(1)//]> -->
<script src="/\%(jscript)s"></script>
<script src="\\%(jscript)s"></script>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=# onmouseover="alert('xxs')">
<IMG SRC= onmouseover="alert('xxs')">
<IMG onmouseover="alert('xxs')">
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
<IMG SRC=" &#14; javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
<SCRIPT SRC=//ha.ckers.org/.j>
<IMG SRC="javascript:alert('XSS')"
<iframe src=http://ha.ckers.org/scriptlet.html <
\";alert('XSS');//
<u oncopy=alert()> Copy me</u>
<i onwheel=alert(1)> Scroll over me </i>
<plaintext>
http://a/%%30%30
</textarea><script>alert(123)</script>

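# Added example (not blns code): what the strings above look like after output
# encoding for each context, next to a blacklist filter of the kind that is
# often written instead.  The naive_sanitize regex, the helper names and the
# selection of payloads are constructed for this example; the encoders are the
# standard library's html.escape and json.dumps.

```python
"""Context-aware output encoding versus blacklist sanitizing, for the Script
Injection strings.  Added example; the helpers are hypothetical, not blns code."""
import html
import json
import re

# A filter of the kind that 'fixes' XSS by deleting <script> tags.
_SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def naive_sanitize(s):
    """Blacklist removal.  Deliberately weak: one pass, one pattern."""
    return _SCRIPT_TAG.sub("", s)


def text_node(s):
    """Encode for an HTML text context: <, >, & and both quote characters."""
    return html.escape(s, quote=True)


def attribute(name, value):
    """Encode for a quoted attribute value; the surrounding quotes are ours."""
    return f'{name}="{html.escape(value, quote=True)}"'


def script_literal(s):
    """Encode for a JavaScript string literal inside a <script> block.

    json.dumps yields a valid JS string literal; escaping '<' as well keeps the
    HTML parser from seeing a '</script>' inside it, since the HTML tokenizer
    does not know about JS string boundaries.
    """
    return json.dumps(s).replace("<", "\\u003c")


def script_literal_roundtrips(s):
    """The extra escape must not change the value the browser will see."""
    return json.loads(script_literal(s)) == s


# Constructed inputs taken from the section above.
PAYLOADS = [
    "<script>alert(123)</script>",
    "<sc<script>ript>alert(123)</sc</script>ript>",
    '"><script>alert(123)</script>',
    '" onfocus=JaVaSCript:alert(123) autofocus',
    "</script><script>alert(123)</script>",
    "';alert(123);t='",
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print("naive :", naive_sanitize(p))
        print("text  :", text_node(p))
        print("attr  :", attribute("value", p))
        print("script:", script_literal(p))
        print()
```

# The second payload is the one to remember: a single pass of tag removal turns
# "<sc<script>ript>" into exactly the "<script>" it was meant to delete, while
# encoding never has to know which tags are dangerous.
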
# SQL Injection
#
# Strings which can cause a SQL injection if inputs are concatenated into the
# query text instead of being passed as bound parameters; the last two are LIKE
# wildcards, which bound parameters alone do not neutralize

1;DROP TABLE users
1'; DROP TABLE users-- 1
' OR 1=1 -- 1
' OR '1'='1

%
_

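# Added example (not blns code): the strings above run against an in-memory
# SQLite table, once through string formatting and once through bound
# parameters, plus the LIKE case that parameters do not cover.  The users table,
# its rows and the helper names are constructed for this example.

```python
"""Bound parameters versus string building, for the SQL Injection strings.
Added example using the standard sqlite3 module; table and rows are constructed."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """The bug: the value is spliced into the SQL text."""
    sql = f"SELECT name FROM users WHERE name = '{name}' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Bound parameter: the value can never change the statement's structure."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def escape_like(s):
    """Neutralize LIKE metacharacters; pair with ESCAPE '\\' in the query."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def prefix_search_naive(conn, prefix):
    """Parameterized, yet a user-supplied '%' or '_' still acts as a wildcard."""
    sql = "SELECT name FROM users WHERE name LIKE ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (prefix + "%",))]


def prefix_search_safe(conn, prefix):
    sql = "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\' ORDER BY name"
    return [row[0] for row in conn.execute(sql, (escape_like(prefix) + "%",))]


if __name__ == "__main__":
    db = make_db()
    for payload in ["' OR '1'='1", "' OR 1=1 -- 1"]:
        print(repr(payload), "vulnerable:", lookup_vulnerable(db, payload),
              "safe:", lookup_safe(db, payload))
    for wildcard in ["%", "_"]:
        print(repr(wildcard), "naive:", prefix_search_naive(db, wildcard),
              "safe:", prefix_search_safe(db, wildcard))
```

# The "1'; DROP TABLE users-- 1" line is not exercised here because sqlite3's
# execute() refuses more than one statement per call; other drivers do not, and
# the parameterized form is what protects you on those.
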
# Server Code Injection
#
# Strings which can make the server run attacker-chosen code, possibly as a
# privileged user, when they reach a shell, an option parser or an interpreter
# unescaped (cf. https://news.ycombinator.com/item?id=7665153)

-
--
--version
--help
$USER
/dev/null; touch /tmp/blns.fail ; echo
`touch /tmp/blns.fail`
$(touch /tmp/blns.fail)
@{[system "touch /tmp/blns.fail"]}

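# Added example (not blns code): the two distinct problems in the list above,
# shell interpolation ($(...), backticks, ';') and option injection ('-',
# '--version', '--help'), with the argv form and the '--' end-of-options marker
# that address them.  The "greet" program is a constructed stand-in for whatever
# CLI a web application shells out to; it is run through the current Python
# interpreter so the example is self-contained.

```python
"""Shell interpolation versus argv, and option injection, for the Server Code
Injection strings.  Added example; 'greet' is a constructed target program."""
import subprocess
import sys

# Constructed target: one positional argument plus the options almost every
# real tool has.  Executed via `python -c`, so nothing has to be installed.
TARGET = r"""
import argparse
p = argparse.ArgumentParser(prog="greet")
p.add_argument("--version", action="version", version="greet 9.9")
p.add_argument("name")
print("hello", p.parse_args().name)
"""


def echo_via_shell(user_input):
    """Vulnerable: the input becomes part of a shell command line, so
    $(...), backticks and ';' are interpreted by /bin/sh."""
    completed = subprocess.run(f"echo {user_input}", shell=True,
                               capture_output=True, text=True)
    return completed.stdout.strip()


def echo_via_argv(user_input):
    """No shell: the input is a single argv element, metacharacters stay literal."""
    completed = subprocess.run(["echo", user_input], capture_output=True, text=True)
    return completed.stdout.strip()


def greet(user_input, end_of_options):
    """Run the target.  With end_of_options=True a '--' separates the caller's
    options from user data, so '--version' or '--help' is just a name."""
    argv = [sys.executable, "-c", TARGET]
    if end_of_options:
        argv.append("--")
    argv.append(user_input)
    completed = subprocess.run(argv, capture_output=True, text=True)
    return completed.returncode, (completed.stdout + completed.stderr).strip()


if __name__ == "__main__":
    probe = "$(echo INJECTED)"
    print("shell:", echo_via_shell(probe))
    print("argv :", echo_via_argv(probe))
    for s in ["--version", "--help", "-", "$USER"]:
        print(repr(s), "unprotected:", greet(s, False), "with --:", greet(s, True))
```

# Note that the argv form alone does not fix option injection: "--help" still
# reaches the target's parser and makes it print usage and exit, which is a
# denial of service or an information leak depending on the tool.  Tools that
# do not honour "--" need the value validated against an allow-list instead.
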
# Command Injection (Ruby)
#
# Strings which run system commands if a Ruby/Rails application evaluates them as code

eval("puts 'hello world'")
System("ls -al /")
`ls -al /`
Kernel.exec("ls -al /")
Kernel.exit(1)
%x('ls -al /')

# XXE Injection (XML)
#
# Strings which can reveal system files when parsed by an XML parser that resolves external entities

<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>

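# Added example (not blns code): a parser that refuses the payload above before
# any entity can be resolved, by aborting as soon as a DOCTYPE or entity
# declaration is seen.  It is built on the standard library's expat binding; the
# defusedxml package applies the same idea more completely.  The helper names
# and the benign documents are constructed for this example.

```python
"""Refusing DTDs before any entity can be resolved, for the XXE string above.
Added example built on xml.parsers.expat; helpers are hypothetical."""
import xml.parsers.expat as expat


class ForbiddenDTD(ValueError):
    """Raised as soon as a DOCTYPE or entity declaration is seen."""


def parse_text_no_dtd(data):
    """Return the concatenated character data of an XML document, rejecting
    any document that declares a DTD (and therefore any external entity)."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    parser = expat.ParserCreate()
    chunks = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Fires before the internal subset is read, so the ENTITY below it
        # is never even declared.
        raise ForbiddenDTD(f"DOCTYPE not allowed (root={name!r}, system id={system_id!r})")

    def on_entity(*_):
        raise ForbiddenDTD("entity declarations not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)


def try_parse(data):
    """('ok', text), ('rejected', reason) or ('malformed', reason)."""
    try:
        return "ok", parse_text_no_dtd(data)
    except ForbiddenDTD as e:
        return "rejected", str(e)
    except expat.ExpatError as e:
        return "malformed", str(e)


# The payload from the section above, plus constructed harmless documents.
XXE = ('<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY >'
       '<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>')
EXTERNAL_DTD = '<!DOCTYPE foo SYSTEM "http://example.invalid/foo.dtd"><foo>x</foo>'
BENIGN = "<foo>hello</foo>"

if __name__ == "__main__":
    for doc in (XXE, EXTERNAL_DTD, BENIGN):
        print(try_parse(doc))
```

# Rejecting every DOCTYPE is the right default for data interchange formats
# that have no business declaring one; it also rules out the "billion laughs"
# entity-expansion variants, not only file disclosure.
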
# Unwanted Interpolation
#
# Strings which can be accidentally expanded into different strings if evaluated in the wrong context, e.g. used as a printf format string or via Perl or shell eval. Might expose sensitive data from the program doing the interpolation, or might just represent the wrong string.

$HOME
$ENV{'HOME'}
%d
%s
{0}
%*.*s
File:///

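# Added example (not blns code) for the "{0}" line above and the data-exposure
# point in the comment: when a caller-supplied string is used as the format
# string for str.format, the same field syntax that resolves "{0}" also resolves
# attribute and item access, which is enough to walk from the formatted object
# to module globals.  The Request class, DB_PASSWORD and the templates are
# constructed for this example; the safe variant uses the standard library's
# string.Template.

```python
"""User-controlled templates, for the Unwanted Interpolation strings.
Added example; Request, DB_PASSWORD and the helpers are constructed for it."""
import string

# Stands in for configuration that happens to live in the same module as the
# code doing the formatting.  Constructed value.
DB_PASSWORD = "s3cret-example-value"


class Request:
    def __init__(self, user):
        self.user = user


def render_vulnerable(user_template, req):
    """str.format with a caller-supplied template: '{0}' is harmless, but the
    same syntax allows attribute ('.x') and item ('[k]') access on the argument."""
    return user_template.format(req)


ALLOWED_FIELDS = ("user",)


def render_safe(user_template, req):
    """string.Template substitutes $name placeholders from an explicit mapping
    only; there is no attribute walk and unknown names are left untouched."""
    values = {field: getattr(req, field) for field in ALLOWED_FIELDS}
    return string.Template(user_template).safe_substitute(values)


# Constructed templates: the benign one a user might legitimately write and the
# hostile one that walks from the bound __init__ method to the module globals.
BENIGN = "Welcome back, {0.user}!"
HOSTILE = "{0.__init__.__globals__[DB_PASSWORD]}"

if __name__ == "__main__":
    req = Request("alice")
    print(render_vulnerable(BENIGN, req))
    print(render_vulnerable(HOSTILE, req))        # prints the secret
    print(render_safe("Welcome back, $user!", req))
    print(render_safe(HOSTILE, req))              # returned unchanged
```

# The same shape applies to printf-style code: "%s" and "%*.*s" in the list
# are harmless as arguments and dangerous as the format string, so the fix is
# always to keep the template constant and pass user data as a value.
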
# File Inclusion
#
# Strings which can make the server read or include files outside the web root
# (directory traversal); the first carries a URL-encoded NUL byte so that a
# suffix appended by the application is cut off

../../../../../../../../../../../etc/passwd%00
../../../../../../../../../../../etc/hosts

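# Added example (not blns code): containing a user-supplied relative path to a
# base directory so that the two strings above, and their percent-encoded and
# absolute-path cousins, are rejected.  BASE is a constructed web root that does
# not need to exist (os.path.realpath normalizes regardless); the helper names
# and the verdict strings are this example's assumptions.

```python
"""Containing user-supplied paths to a base directory, for the File Inclusion
strings.  Added example; BASE is a constructed, non-existent web root."""
import os
import tempfile
from urllib.parse import unquote

BASE = os.path.join(tempfile.gettempdir(), "blns-example-webroot")


class UnsafePath(ValueError):
    pass


def resolve_under(base_dir, user_path):
    """Return an absolute path inside base_dir, or raise UnsafePath.

    Order matters: decode percent-escapes first (so '%00' and '%2e%2e' are
    seen as what they are), reject NUL (C code downstream would truncate the
    string there), reject absolute paths, then compare canonical paths rather
    than string prefixes, so 'webroot-old/..' tricks do not pass.
    """
    decoded = unquote(user_path)
    if "\x00" in decoded:
        raise UnsafePath("NUL byte in path")
    if os.path.isabs(decoded) or decoded.startswith(("\\", "/")):
        raise UnsafePath("absolute path")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, target]) != base:
        raise UnsafePath("path escapes base directory")
    return target


def classify(user_path, base_dir=BASE):
    """Short verdict string, convenient for tests and logs."""
    try:
        resolve_under(base_dir, user_path)
        return "allowed"
    except UnsafePath as e:
        return f"rejected: {e}"


# Constructed probes: the two lines above plus common variants.
PROBES = [
    "../../../../../../../../../../../etc/passwd%00",
    "../../../../../../../../../../../etc/hosts",
    "%2e%2e/%2e%2e/etc/passwd",
    "/etc/passwd",
    "docs/readme.txt",
    "docs/../docs/readme.txt",
]

if __name__ == "__main__":
    for p in PROBES:
        print(f"{p:50} {classify(p)}")
```

# Decoding once is deliberate: if the framework has already decoded the path,
# decoding again turns a literal "%2e" the user typed into ".", so match the
# number of decodes to what the input has actually been through.
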
# Known CVEs and Vulnerabilities
#
# Strings that test for known vulnerabilities

() { 0; }; touch /tmp/blns.shellshock1.fail;
() { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; }
<<< %s(un='%s') = %u
+++ATH0

# MSDOS/Windows Special Filenames
#
# Strings which are reserved device names (or drive-letter prefixes) in MSDOS/Windows

CON
PRN
AUX
CLOCK$
NUL
A:
ZZ:
COM1
LPT1
LPT2
LPT3
COM2
COM3
COM4

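# Added example (not blns code): checks for the reserved names above as they
# come up when an upload or export filename is chosen by the user.  The reserved
# set is the file's list extended to COM1-COM9 and LPT1-LPT9, the stem rule
# (name before the first dot, case-insensitive, trailing dots and spaces
# ignored) is how Windows matches these names, and the sanitizer's replacement
# rule is this example's own choice.

```python
"""Filename checks for the MSDOS/Windows Special Filenames strings.
Added example; the reserved set and the sanitizer policy are assumptions."""
import re

RESERVED_NAMES = (
    {"CON", "PRN", "AUX", "NUL", "CLOCK$"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Characters Windows does not allow in a file name component, plus the C0
# range; ':' also covers the 'A:' / 'ZZ:' drive-prefix strings above.
_INVALID = re.compile(r'[<>:"/\\|?*\x00-\x1f]')


def is_reserved_windows_name(name):
    """True for CON, con.txt, NUL.tar.gz, COM1.log ...: Windows matches the stem
    before the first dot, case-insensitively, ignoring trailing spaces/dots."""
    stem = name.split(".", 1)[0].rstrip(" .")
    return stem.upper() in RESERVED_NAMES


def windows_safe_filename(name, replacement="_"):
    """Make a user-supplied name safe to create on Windows: replace invalid
    characters, strip trailing dots/spaces, prefix reserved device names."""
    cleaned = _INVALID.sub(replacement, name).rstrip(" .")
    if not cleaned:
        return replacement
    if is_reserved_windows_name(cleaned):
        cleaned = replacement + cleaned
    return cleaned


if __name__ == "__main__":
    for n in ["CON", "PRN", "AUX", "CLOCK$", "NUL", "A:", "ZZ:", "COM1", "LPT1",
              "con.txt", "COM10", "console", "report.pdf"]:
        print(f"{n!r:14} reserved={is_reserved_windows_name(n)!s:5} "
              f"safe={windows_safe_filename(n)!r}")
```

# Creating "CON.txt" on a Windows share opens the console device rather than a
# file, and "NUL" silently discards whatever is written to it, so a server that
# stores uploads under the client's name needs this check even when it runs on
# Linux and only the users are on Windows.
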
# IRC specific strings
#
# Strings that may occur in IRC client traffic and trip security products

DCC SEND STARTKEYLOGGER 0 0 0

# Scunthorpe Problem
#
# Innocuous strings which may be blocked by profanity filters (https://en.wikipedia.org/wiki/Scunthorpe_problem)

Scunthorpe General Hospital
Penistone Community Church
Lightwater Country Park
Jimmy Clitheroe
Horniman Museum
shitake mushrooms
RomansInSussex.co.uk
http://www.cum.qc.ca/
Craig Cockburn, Software Specialist
Linda Callahan
Dr. Herman I. Libshitz
magna cum laude
Super Bowl XXX
medieval erection of parapets
evaluate
mocha
expression
Arsenal canal
classic
Tyson Gay
Dick Van Dyke
basement

# Human injection
#
# Strings which may cause a human to reinterpret their worldview

If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your dream, but we hope it works. Please wake up, we miss you.

# Terminal escape codes
#
# Strings which punish the fools who use cat/type on this file

676Roses are red, violets are blue. Hope you enjoy terminal hue
677But now...for my greatest trick...
678The quick brown fox... [Beeeep]
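# Added example (not blns code) for the terminal escape section above: strip or
# make visible the escape sequences and control characters in user-supplied
# text before it reaches a terminal or a log file.  The three lines above carry
# real ESC sequences and a BEL that a viewer may have removed, so the sample
# inputs here are constructed in their spirit; the regular expressions cover the
# common ECMA-48 forms (CSI, OSC and other two-character ESC sequences) and the
# helper names are this example's own.

```python
"""Neutralizing terminal escape sequences before text reaches a log or a
terminal.  Added example; patterns cover CSI, OSC and other ESC sequences."""
import re

_OSC = r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"   # ESC ] ... BEL   or   ESC ] ... ESC \
_CSI = r"\x1b\[[0-?]*[ -/]*[@-~]"             # ESC [ params intermediates final
_ESC_OTHER = r"\x1b[@-_]"                      # remaining two-character ESC sequences
_ANSI = re.compile(f"{_OSC}|{_CSI}|{_ESC_OTHER}")


def strip_ansi(text):
    """Remove escape sequences and BEL; keep everything else, newlines included."""
    return _ANSI.sub("", text).replace("\x07", "")


def escape_for_log(text):
    """Make every C0/C1 control visible as \\xNN so a log line can be neither
    forged (no embedded newline) nor recolored (no live escape sequence)."""
    out = []
    for ch in text:
        code = ord(ch)
        if code < 0x20 or 0x7F <= code <= 0x9F:
            out.append(f"\\x{code:02x}")
        else:
            out.append(ch)
    return "".join(out)


# Constructed lines in the spirit of the section above: colour, clear-screen
# and cursor-home, a BEL, and an OSC title change followed by a forged entry.
SAMPLES = [
    "\x1b[31mRoses are red\x1b[0m, violets are \x1b[34mblue\x1b[0m",
    "\x1b[2J\x1b[HBut now...for my greatest trick...",
    "The quick brown fox...\x07",
    "\x1b]0;owned\x07login ok\nFAKE: user admin logged in",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("stripped:", strip_ansi(s))
        print("for log :", escape_for_log(s))
```

# Use escape_for_log for anything written to a log: stripping hides the
# attempt, while \xNN escaping keeps the evidence and still cannot move the
# cursor or start a new line.
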

# iOS Vulnerabilities
#
# Strings which crashed iMessage in various versions of iOS

Powerلُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ冗
🏳0🌈️