Cross-Site Scripting (XSS)

Cross-site scripting lets an attacker run their JavaScript in another user's browser session — one of the most common and impactful web flaws.

XSS PayloadGenerate payloads Cheat SheetCopy-ready payloads Testing GuideStep by step

What it is

XSS occurs when untrusted input is reflected into a page without correct output encoding, so the browser executes attacker-controlled script. It comes in three forms: reflected (echoed from the request), stored (persisted and served to other users), and DOM-based (introduced entirely client-side by unsafe JavaScript sinks).

How to test for it

Inject a unique marker into every parameter, header, and path segment, then look for it rendered unencoded in HTML, attributes, JavaScript, or URL contexts. Escalate markers to context-appropriate payloads, and use polyglots and encoding tricks to slip past filters and WAFs.

How to prevent it

Encode output for the exact context (HTML, attribute, JS, URL), prefer framework auto-escaping, and add a strict Content-Security-Policy as defense in depth. Treat innerHTML and similar DOM sinks as dangerous and sanitize with a vetted library.

In-depth articles

XSS Payloads: The Ultimate Guide for Penetration Testers12 min read Web Cache Poisoning: Exploiting Unkeyed Headers for XSS and Redirects13 min read CRLF Injection: Header Injection, Response Splitting, and XSS via \r\n11 min read Content Security Policy Bypass: Defeating CSP with JSONP, Angular, and Script Gadgets13 min read DOM-Based XSS: Exploiting JavaScript Sinks and Source Taint Flow12 min read

Frequently asked questions

What is the most common type of XSS?+

Reflected and DOM-based XSS are the most frequently found in modern single-page apps, while stored XSS is typically the highest impact because it hits every user who views the affected content.

Can a Content-Security-Policy stop XSS?+

A strict CSP (nonce or hash based, no 'unsafe-inline') greatly reduces XSS impact, but it is a mitigation layer — correct output encoding remains the primary fix.

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

$loading...