XSS Payload Generator
Payload
Load script ($.getScript())
Load script (document.createElement())
Request URL (img)
Request URL (XHR)
JavaScript code
Built-in script
apache_httponly_bypass.js
contentstealer.php
cookiestealer.php
formjacker.php
formsubmitter.php
generator.php
local_network_scan.php
loginpage.php
paymentrequest.php
recon.php
unc_hashstealer.php
URL:
Custom Payload:
Obfuscation
None
Pass as string
Base64 (atob())
Reverse
String.fromCharCode()
Character hex codes
JSF*ck
Execution
None
eval()
window['eval']()
window['\x65\x76\x61\x6c']()
Function()()
window['Function']()()
window['\x46\x75\x6e\x63\x74\x69\x6f\x6e']()()
setTimeout()
window['setTimeout']()
window['\x73\x65\x74\x54\x69\x6d\x65\x6f\x75\x74']()
Injection type
Basic polyglot / inline script
0xsobky - Ultimate XSS Polyglot
String variable escape
img element onerror
SVG element
Element onclick
Element onmouseover
Custom element and event
HTML Element
a
abbr
acronym
address
applet
area
article
aside
audio
b
base
basefont
bdi
bdo
big
blockquote
body
br
button
canvas
caption
center
cite
code
col
colgroup
data
datalist
dd
del
details
dfn
dialog
dir
div
dl
dt
em
embed
fieldset
figcaption
figure
font
footer
form
frame
frameset
h1 to h6
head
header
hr
html
i
iframe
img
input
ins
kbd
label
legend
li
link
main
map
mark
meta
meter
nav
noframes
noscript
object
ol
optgroup
option
output
p
param
picture
pre
progress
q
rp
rt
ruby
s
samp
script
section
select
small
source
span
strike
strong
style
sub
summary
sup
svg
table
tbody
td
template
textarea
tfoot
th
thead
time
title
tr
track
tt
u
ul
var
video
wbr
HTML Event
onabort
oncancel
onblur
oncanplay
oncanplaythrough
onchange
onclick
oncontextmenu
ondblclick
ondrag
ondragend
ondragenter
ondragexit
ondragleave
ondragover
ondragstart
ondrop
ondurationchange
onemptied
onended
onerror
onfocus
onformchange
onforminput
oninput
oninvalid
onkeydown
onkeypress
onkeyup
onload
onloadeddata
onloadedmetadata
onloadstart
onmousedown
onmousemove
onmouseout
onmouseover
onmouseup
onmousewheel
onpause
onplay
onplaying
onprogress
onratechange
onreadystatechange
onscroll
onseeked
onseeking
onselect
onshow
onstalled
onsubmit
onsuspend
ontimeupdate
onvolumechange
onwaiting
Encoding
Available
JSON
JS Unicode
JS Hex
URL
SQL
HTML
Base64
Using
Output