MCPcopy Index your code
hub / github.com/Proviesec/xss-payload-list

github.com/Proviesec/xss-payload-list @main

Chat with this repo
repository ↗ · DeepWiki ↗ · + Follow
0 symbols 0 edges 1 files 0 documented · 0% updated 1y ago★ 138
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

xss-payload-list

License contributions welcome Proviesec logo Twitter Buy Me A Coffee

Introduction

:star: Star us on GitHub — it motivates a lot! :star:

If you have any XSS payload, just create a PullRequest.

Write-Ups / Tutorials

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet https://medium.com/p/92ac1180e0d0 https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting

My love polyglot

jaVasCript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
"'alert(1)

Todos

  • [ ] XSS payloads for url fields
  • [x] XSS payloads for onfocus
  • [x] XSS payloads for title
  • [x] XSS payloads without alert
  • [ ] XSS payloads for base64
  • [ ] XSS payloads without script tag
  • [ ] XSS payloads for javascript fields
  • [ ] XSS payloads for number fields
  • [ ] XSS payloads for a href
  • [x] XSS payloads for markdown
  • [ ] XSS for anker
  • [ ] XSS for open-redirect
  • [ ] cloudflare bypass

File Descriptions

  • XSS-polyglot.txt A JavaScript Polyglot is a Cross Site Scripting (XSS) vector that is executable within various injection contexts in its raw form, or a piece of code that can be executed in multiple contexts in the application.

Rules

Rules To Find XSS

1: injecting haramless HTML ,

2: injecting HTML Entities

<b> \u003b\u00

3 :injecting Script Tag

4: Testing For Recursive Filters

5: injecting Anchor Tag

6: Testing For Event Handlers

7: Input Less Common Event Handlers

8: Testing With SRC Attrubute

9: Testing With Action Attrubute

10: Injecting HTML 5 Based Payload

Reports

  • https://hackerone.com/reports/1342009
  • https://hackerone.com/reports/1416672
  • https://hackerone.com/reports/1527284
  • https://hackerone.com/reports/1683129
  • https://hackerone.com/reports/834071

Disclaimer: DONT BE A JERK!

Needless to mention, please use this tool very very carefully. The authors won't be responsible for any consequences.

Core symbols most depended-on inside this repo

Shape

For agents

$ claude mcp add xss-payload-list \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page