XSS Payloads: The Ultimate Guide for Penetration Testers (2025)
Cross-Site Scripting (XSS) remains one of the most prevalent web vulnerabilities, consistently appearing in the OWASP Top 10. Whether you're a bug bounty hunter, penetration tester, or security engineer, having a comprehensive set of XSS payloads at your disposal is essential.
Types of XSS
Reflected XSS
Reflected XSS occurs when user input is immediately returned by the server without proper sanitization. The payload is typically delivered via a crafted URL. For example, if a search parameter is reflected in the page:
<script>alert(document.cookie)</script>
This is the most common type found in bug bounty programs because it only requires finding a single reflection point.
Stored XSS
Stored XSS is far more dangerous — the payload is saved to the server (database, log file, etc.) and executed every time the page is viewed. Common injection points include:
- Comment fields and forum posts
- User profile names and bios
- File upload metadata (filenames, EXIF data)
- Support ticket systems
DOM-Based XSS
DOM-based XSS never touches the server — the vulnerability exists entirely in client-side JavaScript. Look for dangerous sinks like innerHTML, document.write(), and eval() that process user-controlled data from sources like location.hash or document.referrer.
Essential XSS Payloads
Basic Detection
Start with simple payloads to confirm injection:
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<body onload=alert(1)>
Filter Bypass Techniques
Modern applications often filter common XSS patterns. Here are proven bypass techniques:
- Case variation: <ScRiPt>alert(1)</ScRiPt>
- Tag nesting: <scr<script>ipt>alert(1)</script>
- Template literals: <script>alert`1`</script>
- Unicode escapes: \u0061lert(1)
- HTML entities: alert(1)
Context-Specific Payloads
The right payload depends on where your input lands:
- Inside HTML: <img src=x onerror=alert(1)>
- Inside attribute: " onfocus=alert(1) autofocus="
- Inside JavaScript: '-alert(1)-'
- Inside URL: javascript:alert(1)
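The defensive counterpart to the context list above is output encoding chosen per context. The following is an added example (not code from the original page): one encoder for HTML text and attributes, one for JavaScript string literals, and a scheme allow-list for URLs, since no amount of entity encoding makes javascript: safe in an href. The function names and the base origin app.example are assumptions.

```javascript
// Added defensive example: encode untrusted input per output context so the
// payloads listed above stay inert. Not code from the original page.

// HTML text and quoted-attribute contexts: neutralise the characters that
// can close a tag or attribute, or start a new one.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                       '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
function encodeForHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

// JavaScript string-literal context: hex-escape everything that is not
// alphanumeric, so quotes, '-', '<' and '</script>' cannot break out.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL (href) context: encoding alone does not stop javascript: URLs, so
// resolve the value with the WHATWG parser (which also strips leading
// control characters) and allow only http(s). The base origin is assumed.
const BASE_ORIGIN = 'https://app.example/';
function safeHref(s) {
  try {
    const url = new URL(String(s), BASE_ORIGIN);
    return (url.protocol === 'http:' || url.protocol === 'https:')
      ? url.href
      : 'about:blank';
  } catch (e) {
    return 'about:blank';
  }
}

// Renders a search-result snippet that places the same input in all four
// contexts from the list above, each with the encoder that matches it.
function renderSearchResult(query, link) {
  return [
    '<p>Results for ' + encodeForHtml(query) + '</p>',
    '<input value="' + encodeForHtml(query) + '">',
    "<script>var q = '" + encodeForJsString(query) + "';</script>",
    '<a href="' + encodeForHtml(safeHref(link)) + '">source</a>',
  ].join('\n');
}
```

Mixing the encoders up (HTML-encoding a value that lands inside a script block, for example) is exactly the mismatch the context-specific payloads exploit, so the choice of encoder must follow the template, not the input.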
Automating XSS Testing
Use our XSS Payload Generator to quickly create payloads for any tag and event handler combination. Combine it with the Encoding Pipeline for multi-layer encoding when bypassing WAFs. You can also use the WAF Bypass Generator to automatically apply case variation, encoding tricks, and alternative syntax to evade filters.
For a complete reference of copy-ready payloads, check our XSS Cheat Sheet with 60+ categorized payloads.
Real-World Tips
- Test all input vectors — URL params, headers, cookies, file uploads, JSON fields
- Check for CSP — Content Security Policy may block inline scripts; look for bypasses via allowed domains
- Try polyglots — Multi-context payloads that work across HTML, JS, and attribute contexts
- Encode strategically — Double encoding, Unicode normalization, and HTML entity mixing can bypass WAFs. Use the Encoder/Decoder tool to test encoding chains
Related Reading
XSS is often chained with other vulnerabilities. Learn how to bypass WAFs in our SQL Injection Testing Guide (many WAF bypass techniques apply to XSS too), or explore SSRF exploitation to escalate impact after gaining JavaScript execution. If the application uses JWTs for authentication, see our JWT Attacks Guide to steal and forge tokens via XSS.