An XSS (Cross-Site Scripting) payload is a string of HTML or JavaScript injected into a vulnerable web page so it executes in another user's browser. A successful payload can steal session cookies, perform actions as the victim, or rewrite the DOM. The XSS Payload generator builds these vectors with tag and encoding options.
Reflected XSS bounces the payload straight back from a request parameter into the response, so the victim has to open a crafted link for it to fire. Stored XSS persists the payload server-side so it fires for every visitor. DOM-based XSS never touches the server: vulnerable client-side JavaScript writes attacker-controlled input into a sink such as innerHTML or document.write.
Use the encoding and tag options to evade naive blocklists. Try HTML-entity or URL encoding, mixed case like <ScRiPt>, event-handler vectors such as onerror or onmouseover instead of <script>, and SVG or img tags. When quotes or angle brackets are stripped, JavaScript template literals or eval(atob()) can smuggle the payload past the filter.
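The two preceding paragraphs explain the DOM sinks that create client-side XSS and why a blocklist of literal tags is easy to slip past. As an added example that is not code from the XSS Payload generator or from this page, the following Node.js snippet puts a naive `<script>` blocklist beside the defence that actually works: context-aware output encoding for the HTML body and attribute contexts, and writing untrusted input to the DOM through textContent rather than innerHTML. Every function name and the sample inputs are constructed for this example; the inputs are limited to the variants the text itself names.

```javascript
// Added example, not code from the XSS Payload generator or this page.
// Shows why a tag blocklist is the wrong defence and what context-aware
// output encoding looks like. All names and sample inputs are constructed.

// A naive blocklist of the kind the text describes: it looks for the literal
// lowercase <script> tag and nothing else.
function naiveBlocklist(input) {
  return /<script>/.test(input);
}

// Encode untrusted text for the HTML body context (between tags).
// Every character that can open a tag, an entity or a quoted attribute
// becomes an entity, so the browser treats the whole string as text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Encode untrusted text for an attribute-value context. Everything that is not
// alphanumeric becomes a hex entity, so the value cannot break out of the
// attribute whatever quoting style the template used. The `u` flag makes the
// regex match whole code points rather than UTF-16 halves.
function escapeAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// Build a comment element as an HTML string with the right encoder for each
// context: attribute value for the author, body text for the message.
// The same input needs different treatment in the two places.
function renderComment(author, message) {
  return `<div class="comment" data-author="${escapeAttr(author)}">`
    + `${escapeHtml(message)}</div>`;
}

// DOM-based XSS arises when client-side code writes attacker-controlled input
// into a sink such as innerHTML. Assigning through textContent instead makes
// the browser render the input as inert text. `el` may be a real Element or
// any object with a textContent property (a plain object is used in the test).
function safeAssign(el, untrusted) {
  el.textContent = untrusted;   // never `el.innerHTML = untrusted`
  return el;
}

// Walk a set of inputs through both approaches. Returns, per input, whether
// the blocklist caught it and whether the encoded form still contains a raw
// angle bracket (it never should).
function compareDefences(inputs) {
  return inputs.map((input) => ({
    input,
    blocked: naiveBlocklist(input),
    encodedHasRawTag: /[<>]/.test(escapeHtml(input)),
  }));
}

// Sample inputs, constructed from the variants the page mentions.
const SAMPLES = [
  '<script>alert(1)</script>',        // the only one the blocklist sees
  '<ScRiPt>alert(1)</ScRiPt>',        // mixed case slips past a literal match
  '<img src=x onerror=alert(1)>',     // no <script> tag at all
  'plain text with 1 < 2 && "quotes"', // benign input, still encoded safely
];

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compareDefences(SAMPLES));
  console.log(renderComment('eve" onclick="', '<ScRiPt>alert(1)</ScRiPt>'));
}
```

The point the table makes is that only the first sample trips the blocklist, while every sample comes out of escapeHtml with no raw angle bracket at all; the encoder does not need to know what a payload looks like, it only needs to know which output context it is writing into. In a real page the same rule applies to the DOM: prefer textContent, setAttribute with a fixed attribute name, or a templating layer that encodes by default, and treat innerHTML and document.write as sinks that must only ever receive trusted markup.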
Yes, the XSS Payload generator is free and executes entirely client-side, so nothing you type is transmitted or logged anywhere. It is intended only for authorized security testing such as bug bounties, pentests, and CTFs against targets you have permission to test.