{"id":13292253,"url":"https://github.com/Proviesec/xss-payload-list","last_synced_at":"2025-03-10T07:32:52.849Z","repository":{"id":38741231,"uuid":"437861194","full_name":"Proviesec/xss-payload-list","owner":"Proviesec","description":"xss-payload-list","archived":false,"fork":false,"pushed_at":"2024-03-26T08:26:30.000Z","size":296,"stargazers_count":89,"open_issues_count":0,"forks_count":25,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-03-26T09:37:26.814Z","etag":null,"topics":["bugbounty","cross-site-scripting","pentesting","security","xss"],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Proviesec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"patreon":"proviesec"}},"created_at":"2021-12-13T12:18:39.000Z","updated_at":"2024-02-29T04:36:38.000Z","dependencies_parsed_at":"2023-10-16T10:56:58.808Z","dependency_job_id":"29865796-1a0a-4c1f-910c-fcdd0677a781","html_url":"https://github.com/Proviesec/xss-payload-list","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Proviesec%2Fxss-payload-list","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Proviesec%2Fxss-payload-list/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Proviesec%2Fxss-payload-list/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Proviesec%2Fxss-payload-list/ma
nifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Proviesec","download_url":"https://codeload.github.com/Proviesec/xss-payload-list/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":242811853,"owners_count":20189140,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bugbounty","cross-site-scripting","pentesting","security","xss"],"created_at":"2024-07-29T17:07:40.377Z","updated_at":"2025-03-10T07:32:52.388Z","avatar_url":"https://github.com/Proviesec.png","language":"JavaScript","funding_links":["https://patreon.com/proviesec","https://www.buymeacoffee.com/proviesec"],"categories":["Web安全"],"sub_categories":[],"readme":"# xss-payload-list\n[![License](https://img.shields.io/badge/license-MIT-_red.svg)](https://opensource.org/licenses/MIT)\n[![contributions welcome](https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat)](https://github.com/Proviesec/xss-payload-list/issues)\n\u003cimg src=\"https://img.shields.io/github/stars/Proviesec/xss-payload-list?style=social\"\u003e \u003cimg src=\"https://img.shields.io/github/forks/Proviesec/xss-payload-list?style=social\"\u003e\n\u003ca href=\"https://proviesec.org/\"\u003e\n    \u003cimg src=\"https://avatars.githubusercontent.com/u/92156402?s=400\u0026u=7fe0dbb9085a37818ee8c2b061432a9a69cbff42\u0026v=4\" alt=\"Proviesec logo\" title=\"Proviesec\" align=\"right\" height=\"60\" /\u003e\n\u003c/a\u003e\n[![Twitter](https://img.shields.io/twitter/follow/proviesec?label=Follow)](https://twitter.com/proviesec)\n\u003ca 
href=\"https://www.buymeacoffee.com/proviesec\" target=\"_blank\"\u003e\u003cimg src=\"https://cdn.buymeacoffee.com/buttons/default-orange.png\" alt=\"Buy Me A Coffee\" height=\"41\" width=\"174\"\u003e\u003c/a\u003e\n\n# Introduction \n\n:star: Star us on GitHub — it motivates a lot! :star:\n\nIf you have any XSS payload, just create a Pull Request. \n\n# Write-Ups / Tutorials\nhttps://portswigger.net/web-security/cross-site-scripting/cheat-sheet\nhttps://medium.com/p/92ac1180e0d0\nhttps://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting\n\n# My love polyglot\n```\njaVasCript:/*--\u003e\u003c/title\u003e\u003c/style\u003e\u003c/textarea\u003e\u003c/script\u003e\u003c/xmp\u003e\u003csvg/onload='+/\"/+/onmouseover=1/+/[*/[]/+alert(1)//'\u003e\n\"'alert(1)\n```\n\n\n# Todos \n\n- [ ] XSS payloads for URL fields\n- [x] XSS payloads for onfocus\n- [x] XSS payloads for title\n- [x] XSS payloads without alert\n- [ ] XSS payloads for base64\n- [ ] XSS payloads without script tag\n- [ ] XSS payloads for JavaScript fields\n- [ ] XSS payloads for number fields\n- [ ] XSS payloads for a href\n- [x] XSS payloads for markdown \n- [ ] XSS for anchor \n- [ ] XSS for open-redirect\n- [ ] Cloudflare bypass \n\n\n# File Descriptions\n\n- XSS-polyglot.txt\nA JavaScript polyglot is a Cross-Site Scripting (XSS) vector that is executable within various injection contexts in its raw form, or a piece of code that can be executed in multiple contexts in the application.\n\n# Rules\n\nRules To Find XSS\n\n1: Injecting harmless HTML\n\u003ca\u003e,\u003cu\u003e\n\n2: Injecting HTML Entities\n\n\u0026lt;b\u0026gt;\n\\u003b\\u00\n\n3: Injecting Script Tag\n    \n4: Testing For Recursive Filters\n    \n5: Injecting Anchor Tag\n    \n6: Testing For Event Handlers\n    \n7: Input Less Common Event Handlers\n    \n8: Testing With SRC Attribute\n    \n9: Testing With Action Attribute\n    \n10: Injecting HTML 5 Based Payload\n\n    \n\n## Reports \n\n- https://hackerone.com/reports/1342009 \n- https://hackerone.com/reports/1416672 \n- https://hackerone.com/reports/1527284 \n- https://hackerone.com/reports/1683129 \n- https://hackerone.com/reports/834071 \n\n# Disclaimer: DON'T BE A JERK! \nNeedless to mention, please use this tool very very carefully. The authors won't be responsible for any consequences.\n \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FProviesec%2Fxss-payload-list","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FProviesec%2Fxss-payload-list","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FProviesec%2Fxss-payload-list/lists"}