API Documentation
Static JSON API for programmatic access to our XSS payload database. Perfect for integration with Burp Suite, OWASP ZAP, and custom security tools.
Static JSON API - Simple & Fast
All endpoints are static JSON files served from our CDN. No authentication required, no rate limits, and no CORS issues. Perfect for automated security testing and integration.
- 150+ XSS payloads across 27 categories
- No API keys or authentication needed
- CORS-enabled for browser-based tools
- Fast CDN delivery with aggressive caching
- Free for educational and authorized testing
API Endpoints
All Payloads
Open Endpoint →
Endpoint URL:
https://xss.page/api/payloads.json
Response Format:
{
"version": "1.0",
"count": 150,
"generated": "2024-12-14T00:00:00Z",
"payloads": "[...payload objects]"
}
Integration Examples
cURL (Command Line)
bash
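# Fetch all payloads
# -s hides the progress meter, -S still reports transport errors, and -f makes
# curl exit non-zero on an HTTP 4xx/5xx instead of printing the error page as data.
curl -sSf https://xss.page/api/payloads.json
# Fetch categories
curl -sSf https://xss.page/api/categories.json
# Search for payloads (dynamic) - the URL is quoted so the shell does not treat
# '&' as a background operator.
curl -sSf "https://xss.page/api/search?q=script&category=basic&limit=20"
# Fuzz API - MODE 1: Mutation Mode (mutate provided payload)
# -G sends the --data fields as the query string; --data-urlencode percent-encodes
# the payload value, whose '<', '>' and '&' are not valid raw URL characters.
curl -sSf -G https://xss.page/api/fuzz \
  --data-urlencode "payload=<script>alert(1)</script>" \
  --data "strategies=htmlEntities,urlEncoding" \
  --data "limit=10"
curl -sSf -X POST https://xss.page/api/fuzz \
  -H "Content-Type: application/json" \
  -d '{"payload":"<script>alert(1)</script>","strategies":["htmlEntities","urlEncoding"],"limit":20}'
# Fuzz API - MODE 2: Generation Mode (generate arbitrary payloads)
curl -sSf "https://xss.page/api/fuzz?limit=20"
curl -sSf -X POST https://xss.page/api/fuzz \
  -H "Content-Type: application/json" \
  -d '{"limit":50}'
# Generation mode with mutations applied
curl -sSf -X POST https://xss.page/api/fuzz \
  -H "Content-Type: application/json" \
  -d '{"limit":10,"strategies":["htmlEntities","urlEncoding"]}'
JSJavaScript / Node.js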
javascript
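// Every call goes through one helper so an HTTP 4xx/5xx rejects the promise
// instead of handing the error page to response.json() as if it were data.
function fetchJson(url, init) {
  return fetch(url, init).then(response => {
    if (!response.ok) {
      throw new Error(`${url}: HTTP ${response.status}`);
    }
    return response.json();
  });
}

// JSON POST helper: sets the content-type header and serialises the body.
function postJson(url, body) {
  return fetchJson(url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(body)
  });
}

// Fetch all payloads
fetchJson('https://xss.page/api/payloads.json')
  .then(data => {
    console.log(`Loaded ${data.count} payloads`);
    // payload.payload is raw markup/script: log it, never write it into the DOM.
    data.payloads.forEach(payload => {
      console.log(`[${payload.severity}] ${payload.payload}`);
    });
  })
  .catch(err => console.error(err));

// Search for payloads dynamically
fetchJson('https://xss.page/api/search?q=script&category=basic')
  .then(data => {
    console.log(`Found ${data.count} payloads matching query`);
  })
  .catch(err => console.error(err));

// Fuzz API - MODE 1: Mutation Mode (mutate provided payload)
postJson('https://xss.page/api/fuzz', {
  payload: '<script>alert(1)</script>',
  strategies: ['htmlEntities', 'urlEncoding'],
  limit: 10
})
  .then(data => {
    console.log(`Mode: ${data.mode}`);
    console.log(`Generated ${data.total} total mutations, returned ${data.returned}`);
    data.mutations.forEach(m => console.log(`[${m.strategy}] ${m.payload}`));
  })
  .catch(err => console.error(err));

// Fuzz API - MODE 2: Generation Mode (generate arbitrary payloads)
postJson('https://xss.page/api/fuzz', { limit: 20 })
  .then(data => {
    console.log(`Mode: ${data.mode}`);
    console.log(`Generated ${data.total} payloads`);
    data.payloads.forEach(p => {
      console.log(`[${p.category}] ${p.payload}`);
    });
  })
  .catch(err => console.error(err));

// Generation mode with mutations applied
postJson('https://xss.page/api/fuzz', {
  limit: 10,
  strategies: ['htmlEntities', 'urlEncoding']
})
  .then(data => {
    console.log(`Generated ${data.total} payloads with mutations applied`);
  })
  .catch(err => console.error(err));
🐍Python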
python
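import requests
import json

# requests has no default timeout: without one a stalled connection blocks forever.
TIMEOUT = 10  # seconds


def api_call(method, url, **kwargs):
    """Send one request to the API and return its decoded JSON body.

    Args:
        method: HTTP method, e.g. 'GET' or 'POST'.
        url: absolute endpoint URL.
        **kwargs: passed through to requests.request (params=, json=, ...).

    Raises:
        requests.HTTPError: on a 4xx/5xx status, so an error page is never
            mistaken for a payload list.
        requests.Timeout: if the server does not answer within TIMEOUT seconds.
    """
    response = requests.request(method, url, timeout=TIMEOUT, **kwargs)
    response.raise_for_status()
    return response.json()


# Fetch all payloads
data = api_call('GET', 'https://xss.page/api/payloads.json')
print(f"Loaded {data['count']} payloads")
# Search for payloads dynamically
search_data = api_call('GET', 'https://xss.page/api/search', params={
    'q': 'script',
    'category': 'basic',
    'severity': 'high',
    'limit': 20
})
print(f"Found {search_data['count']} matching payloads")
# Fuzz API - MODE 1: Mutation Mode (mutate provided payload)
mutation_data = {
    'payload': '<script>alert(1)</script>',
    'strategies': ['htmlEntities', 'urlEncoding'],
    'limit': 10
}
fuzz_data = api_call('POST', 'https://xss.page/api/fuzz', json=mutation_data)
print(f"Mode: {fuzz_data['mode']}")
print(f"Generated {fuzz_data['total']} mutations, returned {fuzz_data['returned']}")
for mutation in fuzz_data['mutations'][:5]:
    print(f"[{mutation['strategy']}] {mutation['payload']}")
# Fuzz API - MODE 2: Generation Mode (generate arbitrary payloads)
generation_data = {
    'limit': 20
}
gen_data = api_call('POST', 'https://xss.page/api/fuzz', json=generation_data)
print(f"Mode: {gen_data['mode']}")
print(f"Generated {gen_data['total']} payloads")
for payload in gen_data['payloads'][:5]:
    print(f"[{payload['category']}] {payload['payload']}")
# Generation mode with mutations applied
generation_with_mutations = {
    'limit': 10,
    'strategies': ['htmlEntities', 'urlEncoding']
}
data = api_call('POST', 'https://xss.page/api/fuzz', json=generation_with_mutations)
print(f"Generated {data['total']} payloads with mutations: {data['mutationsApplied']}")
☕Burp Suite Extension (Java)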
java
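// Burp Suite Extension Example (Java)
import burp.*;
import java.net.*;
import java.io.*;
import java.nio.charset.StandardCharsets;
import org.json.*;

/**
 * Loads the payload list from the xss.page API when the extension is registered
 * and prints every payload with its severity to the extension's output tab.
 */
public class XSSPayloadLoader implements IBurpExtender {
    /** Connect/read timeout so a stalled server cannot block extension loading. */
    private static final int TIMEOUT_MS = 10_000;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        helpers = callbacks.getHelpers();
        callbacks.setExtensionName("XSS Payload Loader");
        try {
            // Load payloads from API
            URLConnection conn = new URL("https://xss.page/api/payloads.json").openConnection();
            conn.setConnectTimeout(TIMEOUT_MS);
            conn.setReadTimeout(TIMEOUT_MS);
            StringBuilder json = new StringBuilder();
            // try-with-resources closes the reader even when readLine() throws;
            // the charset is pinned to UTF-8 rather than the JVM default so the
            // payload text decodes identically on every host.
            try (BufferedReader reader = new BufferedReader(
                    new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
                String line;
                while ((line = reader.readLine()) != null) {
                    json.append(line);
                }
            }
            // Parse JSON
            JSONObject data = new JSONObject(json.toString());
            JSONArray payloads = data.getJSONArray("payloads");
            // Use payloads in your scanner
            callbacks.printOutput("Loaded " + payloads.length() + " XSS payloads");
            for (int i = 0; i < payloads.length(); i++) {
                JSONObject payload = payloads.getJSONObject(i);
                String xss = payload.getString("payload");
                String severity = payload.getString("severity");
                // Add to intruder payloads or scanner
                callbacks.printOutput("[" + severity + "] " + xss);
            }
        } catch (IOException | JSONException e) {
            // IOException: connection, timeout and (for HTTP connections) error
            // status failures; JSONException: malformed or unexpectedly shaped body.
            callbacks.printError("Error loading payloads: " + e.getMessage());
        }
    }
}
⚡OWASP ZAP Script (Python)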
python
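# OWASP ZAP Python Script
import requests
import json
from urllib.parse import urlencode
from zaproxy.core import ScriptVars

# requests has no default timeout; bound it so a stalled fetch cannot hang the script.
TIMEOUT = 10  # seconds

# Fetch payloads from API
response = requests.get('https://xss.page/api/payloads.json', timeout=TIMEOUT)
response.raise_for_status()  # a 4xx/5xx error page must not be parsed as a payload list
data = response.json()
payloads = data['payloads']
print(f"Loaded {len(payloads)} XSS payloads from xss.page")

# Filter by severity for targeted testing
critical_payloads = [p for p in payloads if p['severity'] == 'critical']

# Use in ZAP fuzzer
for payload_obj in critical_payloads:
    payload = payload_obj['payload']
    category = payload_obj['category']
    # Add to custom fuzzer.
    # NOTE: the variable name is keyed on category only, so when several critical
    # payloads share a category the last one processed overwrites the others.
    ScriptVars.setGlobalVar(f"xss_payload_{category}", payload)
    print(f"Added [{category}] {payload}")


# Example: Test a parameter with all payloads
def test_parameter(url, param_name):
    """Build one request URL per payload for *param_name* on *url*.

    The parameter is percent-encoded with urlencode: a raw '&', '#' or '+'
    inside a payload would otherwise be read as query-string syntax and
    truncate or corrupt the value that reaches the application.
    """
    for payload_obj in payloads:
        test_url = f"{url}?{urlencode({param_name: payload_obj['payload']})}"
        # Send request through ZAP
        # ... your testing logic here
        pass
Benefits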
- ✓ No authentication or API keys required
- ✓ No rate limiting or usage restrictions
- ✓ CORS-enabled for browser usage
- ✓ Cached for fast global access
- ✓ Versioned for stability
Best Practices
- Cache responses locally to reduce requests
- Check the version field for updates
- Filter by severity for targeted testing
- Use the context field to match injection points
- Only test on authorized systems
Authorized Testing Only
This API is provided for educational purposes and authorized security testing only. Only use these payloads on systems you own or have explicit written permission to test. Unauthorized access to computer systems is illegal and unethical.