XSS Payload Generator

Context-aware payloads with encoding, WAF bypass, and blind XSS callback support.

XSS Quick Reference

Testing Methodology
  1. Map inputs — forms, URL params, headers, JSON fields, file uploads
  2. Identify context — view source, find where your input lands
  3. Test reflection — inject <bb> and check if it renders
  4. Probe filters — what gets stripped? <script>? onerror? Quotes?
  5. Craft bypass — encoding, case tricks, alternative tags/events
  6. Escalate impact — cookie theft, account takeover, keylogging
  7. Test persistence — does it store? Does it fire for other users?
  8. Try blind — inject callback payloads into admin panels, logs, emails
XSS Types
  • Reflected — Input reflected immediately in response — delivered via crafted URL
  • Stored — Payload persisted on server — fires for every user who views the page
  • DOM-Based — Client-side JS processes input unsafely — server never sees the payload
  • Blind — Executes in a context you can't see (admin panel, logs, emails)
  • Mutation (mXSS) — Browser's HTML parser mutates sanitized input into executable JS
  • Self-XSS — Requires victim to paste payload themselves — low severity alone
Bypass Techniques
  • Case mixing — <ScRiPt>
  • Double encoding — %253C
  • Null bytes — %00 between keywords
  • HTML entities — &#x3C;
  • Event alternatives — ontoggle, onpointerenter
  • Tag alternatives — <details>, <math>, <svg>
  • Comment splitting — <scr<!-->ipt>
  • Protocol tricks — javascript:, data:
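The reflection test in step 3 and the case-mixing bypass above, as an added example that is not part of the generator: a context-aware output encoder that neutralises `<ScRiPt>` where a naive keyword filter does not, and a classifier that tells a raw reflection from an entity-encoded one. `encodeForContext`, `naiveFilter` and `classifyReflection` are assumed names, and the sample responses are constructed.

```javascript
// Added example, not part of the generator: context-aware output encoding
// versus a naive keyword filter, plus a reflection classifier for step 3.
const HTML_ENTITY = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
};

// Encode untrusted input for the context it will be inserted into.
function encodeForContext(input, context) {
  const s = String(input);
  switch (context) {
    case "html":       // text between tags
    case "attribute":  // inside a quoted attribute value
      return s.replace(/[&<>"'\/]/g, (c) => HTML_ENTITY[c]);
    case "js-string":  // inside a quoted JS string literal: escape everything non-alphanumeric
      return s.replace(/[^A-Za-z0-9]/g, (c) => {
        const code = c.codePointAt(0);
        return code < 0x100
          ? "\\x" + code.toString(16).padStart(2, "0")
          : "\\u" + code.toString(16).padStart(4, "0");
      });
    case "url":        // inside a URL query parameter
      return encodeURIComponent(s);
    default:
      throw new Error(`unknown context: ${context}`);
  }
}

// The kind of denylist filter step 4 ("Probe filters") usually uncovers:
// it removes the literal lowercase tag and nothing else.
function naiveFilter(input) {
  return String(input).replace(/<script>/g, "");
}

// Classify how the step-3 marker came back in a response body:
// "raw" (rendered as markup), "encoded" (entity-encoded, inert) or "absent" (stripped).
function classifyReflection(body, marker) {
  if (body.includes(marker)) return "raw";
  if (body.includes(encodeForContext(marker, "html"))) return "encoded";
  return "absent";
}

// Constructed sample inputs: a case-mixed tag survives the filter but not the encoder.
const mixedCase = "<ScRiPt>alert(1)</ScRiPt>";
console.log(naiveFilter(mixedCase));                                // unchanged
console.log(encodeForContext(mixedCase, "html"));                   // &lt;ScRiPt&gt;alert(1)&lt;&#x2F;ScRiPt&gt;
console.log(classifyReflection("<p>Hi <bb></p>", "<bb>"));          // raw
console.log(classifyReflection("<p>Hi &lt;bb&gt;</p>", "<bb>"));    // encoded
```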
Modern Defenses to Bypass
  • CSP — script-src restrictions, nonce/hash bypass
  • Trusted Types — Chrome's DOM XSS prevention API
  • Same-Site Cookies — limits cookie theft via XSS
  • HttpOnly Cookies — not accessible via document.cookie
  • Sanitizer API — browser-native HTML sanitization
  • X-XSS-Protection — deprecated but still present
Framework Targets
  • React — dangerouslySetInnerHTML, href with javascript:
  • Angular — template injection {{constructor.constructor('alert(1)')()}}
  • Vue.js — v-html directive, template expressions
  • jQuery — .html() vs .text(), selector injection
  • Svelte — {@html} directive

For authorized security testing only. Always ensure explicit permission before testing any application.