Cross-Site Scripting (XSS) represents one of the most prevalent and dangerous vulnerabilities in modern web applications. Understanding XSS is crucial for developers who want to build secure, robust applications that protect both their users and their business.
🛡️ Complete XSS Cheat Sheet
📋 Table of Contents
⚡ Event Handlers – Auto Execute
Event handlers that execute automatically without user interaction
👆 Event Handlers – User Interaction Required
Event handlers that require user interaction to trigger
🔄 Consuming Tags
Tags that consume content until their closing tag, useful for escaping contexts
🔗 JavaScript Protocols
Using the javascript: protocol in various contexts
⚛️ Framework Template Injections
Client-side template injection payloads for popular frameworks
Vue.js Payloads
- Version 2: {{constructor.constructor('alert(1)')()}}
- Version 2: {{_c.constructor('alert(1)')()}}
- Version 3: {{_openBlock.constructor('alert(1)')()}}
- Version 3: {{$emit.constructor`alert(1)`()}}
AngularJS Payloads
- v1.0.1-1.1.5: {{constructor.constructor('alert(1)')()}}
- v1.2.0-1.2.1: Complex prototype chain exploit
- v1.6.0+: {{$on.constructor('alert(1)')()}}
- CSP Bypass: ng-focus with orderBy filter
React JSX Injection
- dangerouslySetInnerHTML prop
- Server-side rendering vulnerabilities
- Props injection through URL parameters
🔐 Encoding & Obfuscation
Various encoding techniques to bypass filters
🔥 WAF Bypass Techniques
Advanced methods to bypass Web Application Firewalls
🎭 Polyglot Payloads
Universal payloads that work in multiple contexts
🚫 Restricted Characters Bypass
Techniques for bypassing character restrictions
📱 Mobile & Modern Browsers
XSS vectors specific to mobile devices and modern browsers
🛠️ Testing & Tools
Tools and techniques for XSS testing
Professional Tools
- Burp Suite Professional
- OWASP ZAP
- XSSHunter for Blind XSS
- BeEF (Browser Exploitation Framework)
- XSSer – Automated XSS detection
Browser Extensions
- XSS Rays (Chrome)
- Hack-Tools
- Wappalyzer
- Cookie Editor
- User-Agent Switcher
Online Resources
- PortSwigger Web Security Academy
- OWASP XSS Filter Evasion
- PayloadsAllTheThings GitHub
- HackerOne Disclosed Reports
- XSS Game by Google
Testing Methodology
- Input validation testing
- Context-aware payload selection
- Filter bypass techniques
- Blind XSS detection
- Manual verification of findings
🛡️ Prevention & Mitigation
Best practices for preventing XSS vulnerabilities
Input Validation
- Whitelist-based validation
- Strict data type checking
- Length restrictions
- Format validation (regex)
- Business logic validation
Output Encoding
- HTML context encoding
- JavaScript context encoding
- CSS context encoding
- URL context encoding
- Context-aware sanitization
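The four encoders listed above, as an added JavaScript example that is not part of the original cheat sheet: each function targets exactly one output context, and the `renderProfile` helper (an assumed name) shows the same untrusted value placed into all four contexts with the matching encoder.

```javascript
// Context-aware output encoders, one per output context listed in the cheat
// sheet. Added example, not code from the original page. Using the wrong
// encoder for a context (HTML entities inside a JS string, for instance) is
// what lets an injected value break out of its intended context.

// HTML body/text context: neutralise the characters that can open a tag or
// terminate an attribute value.
function encodeForHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Quoted HTML attribute context: entity-encode everything except alphanumerics
// so that neither quote style nor whitespace can end the attribute.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// JavaScript string-literal context: backslash escapes, never HTML entities
// (the browser does not entity-decode inside <script>).
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    return cp < 0x100 ? `\\x${cp.toString(16).padStart(2, '0')}` : `\\u{${cp.toString(16)}}`;
  });
}

// URL query-parameter context: percent-encoding, also covering the characters
// that encodeURIComponent leaves untouched.
function encodeForUrlParam(value) {
  return encodeURIComponent(String(value))
    .replace(/[!'()*]/g, (c) => `%${c.charCodeAt(0).toString(16).toUpperCase()}`);
}

// Places one untrusted value into four contexts, each with its own encoder.
function renderProfile(displayName) {
  return [
    `<p>Welcome, ${encodeForHtml(displayName)}</p>`,
    `<input name="nick" value="${encodeForHtmlAttribute(displayName)}">`,
    `<script>var nick = '${encodeForJsString(displayName)}';</script>`,
    `<a href="/search?q=${encodeForUrlParam(displayName)}">search</a>`,
  ].join('\n');
}

// Constructed sample input: the classic harmless XSS test string.
const sample = '<img src=x onerror=alert(1)>';
console.log(renderProfile(sample));
```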
Content Security Policy
- default-src 'self'
- script-src with nonces
- object-src 'none'
- base-uri 'self'
- report-uri for monitoring
Security Headers
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- X-XSS-Protection: 1; mode=block
- Referrer-Policy: strict-origin
- Permissions-Policy
⚠️ Legal and Ethical Disclaimer
This XSS cheat sheet is provided for educational and authorized security testing purposes only.
- Always obtain proper written authorization before testing any systems
- Unauthorized testing is illegal and unethical
- Use these techniques only on systems you own or have explicit permission to test
- Respect responsible disclosure practices when reporting vulnerabilities
- Follow your organization’s security testing policies