xss-payload-list

Introduction

⭐ Star us on GitHub — it motivates a lot! ⭐

If you have any XSS payload, just create a PullRequest.

Write-Ups / Tutorials

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet https://medium.com/p/92ac1180e0d0 https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting

My love polyglot

jaVasCript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
"'alert(1)

Todos

• XSS payloads for url fields
• XSS payloads for onfocus
• XSS payloads for title
• XSS payloads without alert
• XSS payloads for base64
• XSS payloads without script tag
• XSS payloads for javascript fields
• XSS payloads for number fields
• XSS payloads for a href
• XSS payloads for markdown
• XSS for anker
• XSS for open-redirect
• cloudflare bypass

File Descriptions

• XSS-polyglot.txt A JavaScript Polyglot is a Cross Site Scripting (XSS) vector that is executable within various injection contexts in its raw form, or a piece of code that can be executed in multiple contexts in the application.

Rules

Rules To Find XSS

1: injecting haramless HTML ,

2: injecting HTML Entities

<b> \u003b\u00

3 :injecting Script Tag

4: Testing For Recursive Filters

5: injecting Anchor Tag

6: Testing For Event Handlers

7: Input Less Common Event Handlers

8: Testing With SRC Attrubute

9: Testing With Action Attrubute

10: Injecting HTML 5 Based Payload

Reports

• https://hackerone.com/reports/1342009
• https://hackerone.com/reports/1416672
• https://hackerone.com/reports/1527284
• https://hackerone.com/reports/1683129
• https://hackerone.com/reports/834071

Disclaimer: DONT BE A JERK!

Needless to mention, please use this tool very very carefully. The authors won't be responsible for any consequences.