XSS

Payloads

Random

?returnUrl=javascript:alert(document.domain)

Angular

{{ 6 + 9 }}

Keywords


location.search
location.hash
location.pathname
location.assign
location.replace
URLSearchParams



ng-app 
ng-bind
ng-model
ng-click
ng-change
ng-submit
ng-init
ng-style
ng-class

DOM XSS

Sinks snipped :

eval
document.write
document.writeln
document.domain
element.innerHTML
element.outerHTML
element.insertAdjacentHTML
element.onevent

JQuery sinks :

add()
after()
append()
animate()
insertAfter()
insertBefore()
before()
html()
prepend()
replaceAll()
replaceWith()
wrap()
wrapInner()
wrapAll()
has()
constructor()
init()
index()
jQuery.parseHTML()
$.parseHTML()

Random

Different browsers

Browsers behave differently with regards to URL-encoding, Chrome, Firefox, and Safari will URL-encode location.search and location.hash, while IE11 and Microsoft Edge (pre-Chromium) will not URL-encode these sources.

Event handler

onload
onerror

HTML Entity

&#x3C;script&#x3E;alert(1)&#x3C;/script&#x3E;

WAF Bypass

Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security AcademyWebSecAcademy

Resources :

GitHub - renniepak/CSPBypass: CSPBypass.com, a tool designed to help ethical hackers bypass restrictive Content Security Policies (CSP) and exploit XSS (Cross-Site Scripting) vulnerabilities on sites where injections are blocked by CSPs that only allow certain whitelisted domains.GitHub

PreviousJS endpoints NextGoogle Dorking

Last updated 12 days ago

Was this helpful?