Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/Proviesec/xss-payload-list

bugbounty cross-site-scripting pentesting security xss


# xss-payload-list
[![License](https://img.shields.io/badge/license-MIT-_red.svg)](https://opensource.org/licenses/MIT)
[![contributions welcome](https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat)](https://github.com/Proviesec/xss-payload-list/issues)



[![Twitter](https://img.shields.io/twitter/follow/proviesec?label=Follow)](https://twitter.com/proviesec)

# Introduction

:star: Star us on GitHub — it motivates a lot! :star:

If you have an XSS payload to contribute, just create a pull request.

# Write-Ups / Tutorials
- https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
- https://medium.com/p/92ac1180e0d0
- https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting

# My love polyglot
```
jaVasCript:/*-->
"'alert(1)
```

# Todos

- [ ] XSS payloads for url fields
- [x] XSS payloads for onfocus
- [x] XSS payloads for title
- [x] XSS payloads without alert
- [ ] XSS payloads for base64
- [ ] XSS payloads without script tag
- [ ] XSS payloads for javascript fields
- [ ] XSS payloads for number fields
- [ ] XSS payloads for a href
- [x] XSS payloads for markdown
- [ ] XSS for anchor
- [ ] XSS for open-redirect
- [ ] cloudflare bypass

# File Descriptions

- XSS-polyglot.txt
A JavaScript Polyglot is a Cross Site Scripting (XSS) vector that is executable within various injection contexts in its raw form, or a piece of code that can be executed in multiple contexts in the application.

# Rules

Rules To Find XSS

1: Injecting Harmless HTML

2: Injecting HTML Entities

<b>
\u003b\u00

3: Injecting Script Tag

4: Testing For Recursive Filters

5: Injecting Anchor Tag

6: Testing For Event Handlers

7: Input Less Common Event Handlers

8: Testing With SRC Attribute

9: Testing With Action Attribute

10: Injecting HTML 5 Based Payload

## Reports

- https://hackerone.com/reports/1342009
- https://hackerone.com/reports/1416672
- https://hackerone.com/reports/1527284
- https://hackerone.com/reports/1683129
- https://hackerone.com/reports/834071

# Disclaimer: DON'T BE A JERK!
Needless to mention, please use this tool very very carefully. The authors won't be responsible for any consequences.