xss-payload-list

Introduction

:star: Star us on GitHub — it motivates a lot! :star:

If you have any XSS payload, just create a PullRequest.

Write-Ups / Tutorials

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet https://medium.com/p/92ac1180e0d0 https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting

My love polyglot

jaVasCript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

Todos

• [ ] XSS payloads for url fields
• [x] XSS payloads for onfocus
• [ ] XSS payloads for title
• [ ] XSS payloads without alert
• [ ] XSS payloads without script tag
• [ ] XSS payloads for javascript fields
• [ ] XSS payloads for number fields
• [ ] XSS payloads for a href
• [x] XSS payloads for markdown
• [ ] XSS for anker
• [ ] XSS for open-redirect

File Descriptions

• XSS-polyglot.txt A JavaScript Polyglot is a Cross Site Scripting (XSS) vector that is executable within various injection contexts in its raw form, or a piece of code that can be executed in multiple contexts in the application.

Rules

Rules To Find XSS

1: injecting haramless HTML ,

2: injecting HTML Entities

<b> \u003b\u00

3 :injecting Script Tag

4: Testing For Recursive Filters

5: injecting Anchor Tag

6: Testing For Event Handlers

7: Input Less Common Event Handlers

8: Testing With SRC Attrubute

9: Testing With Action Attrubute

10: Injecting HTML 5 Based Payload

Reports

• https://hackerone.com/reports/1342009
• https://hackerone.com/reports/1416672
• https://hackerone.com/reports/1527284

Disclaimer: DONT BE A JERK!

Needless to mention, please use this tool very very carefully. The authors won't be responsible for any consequences.