- Basic XSS payload.
- For use where URIs are taken as input.
- For bypassing poorly designed blacklist systems with the HTML5 autofocus attribute.
- Another basic payload for when <script> tags are explicitly filtered.
- HTML5 payload, only works in Firefox, Chrome and Opera.
- HTML5 payload, only works in Firefox, Chrome and Opera.
- For exploitation of web applications whose Content Security Policies contain script-src but have unsafe-inline enabled.
- Example payload for sites that include jQuery.
Note: Must be used with an XSS Hunter compatible client tool. If you want to build your own, please see our documentation. Note that injection requests are only stored for 30 days and are purged afterwards. You will still receive XSS alerts after 30 days, but they won't be correlated.