Skip to content

Proviesec/xss-payload-list

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

xss-payload-list

License contributions welcome Proviesec logo Twitter Buy Me A Coffee

Introduction

⭐ Star us on GitHub — it motivates a lot! ⭐

If you have any XSS payload, just create a PullRequest.

Write-Ups / Tutorials

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet https://medium.com/p/92ac1180e0d0 https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting

My love polyglot

jaVasCript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
"'alert(1)

Todos

  • XSS payloads for url fields
  • XSS payloads for onfocus
  • XSS payloads for title
  • XSS payloads without alert
  • XSS payloads for base64
  • XSS payloads without script tag
  • XSS payloads for javascript fields
  • XSS payloads for number fields
  • XSS payloads for a href
  • XSS payloads for markdown
  • XSS for anker
  • XSS for open-redirect
  • cloudflare bypass

File Descriptions

  • XSS-polyglot.txt A JavaScript Polyglot is a Cross Site Scripting (XSS) vector that is executable within various injection contexts in its raw form, or a piece of code that can be executed in multiple contexts in the application.

Rules

Rules To Find XSS

1: injecting haramless HTML ,

2: injecting HTML Entities

<b> \u003b\u00

3 :injecting Script Tag

4: Testing For Recursive Filters

5: injecting Anchor Tag

6: Testing For Event Handlers

7: Input Less Common Event Handlers

8: Testing With SRC Attrubute

9: Testing With Action Attrubute

10: Injecting HTML 5 Based Payload

Reports

Disclaimer: DONT BE A JERK!

Needless to mention, please use this tool very very carefully. The authors won't be responsible for any consequences.