XSS Payload Examples
XSS payload examples for authorized security testing. This page lists common payload types and test strings. Use only on systems you own or have permission to test. For detection methodology, see our XSS detection guide.
XSS Payload Overview
XSS payloads are test strings used to detect cross-site scripting vulnerabilities. They include script tags, event handlers, and encoding variants. Reflected XSS payloads appear in the response immediately; stored XSS persists in the database and affects other users; DOM-based XSS executes entirely in the browser without a server round-trip.
Payload syntax varies by context: HTML context allows tags and attributes; attribute context may require escaping quotes; JavaScript context needs different escaping. Use alert(1) or similar safe payloads for detection; never use destructive or data-exfiltrating scripts. For full detection methodology, see our XSS detection guide.
Use Responsibly
- Authorization: Only test systems you own or have written permission to test
- Safe payloads: Use alert(1) or similar; avoid destructive scripts
- Evidence: Document findings for remediation
Payload Types and Contexts
Script-based payloads use <script> tags; they work when input is rendered in the HTML body. Event-handler payloads use onload, onerror, onclick, etc.: <img src=x onerror=alert(1)> bypasses filters that block only script tags. SVG payloads like <svg onload=alert(1)> often work in HTML5 contexts. Data URI payloads can encode JavaScript in href or src attributes.
When filters block angle brackets, try payloads with encoding or alternate syntax. HTML entities, URL encoding, and Unicode can bypass weak filters. Test in different contexts: input fields, URL parameters, headers, and cookies. Each context may require different payload variants.
Common Payload Examples
- <script>alert(1)</script>
- <img src=x onerror=alert(1)>
- <svg onload=alert(1)>
- <body onload=alert(1)>
- <input onfocus=alert(1) autofocus>
- <marquee onstart=alert(1)>
These payloads help confirm vulnerability. Automated scanners like Vulnify's website vulnerability scanner use similar payloads in a controlled way. See our XSS detection guide for full testing methodology. For comprehensive payload lists, refer to authoritative sources like OWASP or PayloadsAllTheThings.
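The remediation side of the contexts described above, as an added example that is not part of this page or of Vulnify's scanner: three context-specific output encoders (the names encodeForHtml, encodeForHtmlAttribute and encodeForJsString are assumed) run over the test strings listed above, so you can see why HTML-body encoding alone is not what an attribute or a JavaScript string context needs.

```javascript
// HTML body context: escape the characters that can open a tag or an entity.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

// Attribute context: the template must quote the attribute; encoding every
// non-alphanumeric character means neither quotes nor spaces can close it.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/g,
    (c) => `&#x${c.charCodeAt(0).toString(16)};`);
}

// JavaScript string-literal context: \xHH / \uHHHH escapes keep quotes,
// backslashes and "</script>" from ending the literal or the script block.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? `\\x${code.toString(16).padStart(2, '0')}`
      : `\\u${code.toString(16).padStart(4, '0')}`;
  });
}

// One untrusted value rendered into all three contexts of a results page
// (hypothetical template, each slot using the encoder for its own context).
function renderSearchResult(userInput) {
  return [
    `<p>Results for ${encodeForHtml(userInput)}</p>`,
    `<input name="q" value="${encodeForHtmlAttribute(userInput)}">`,
    `<script>var q = "${encodeForJsString(userInput)}";</script>`,
  ].join('\n');
}

// The test strings listed on this page, used here as constructed sample input.
const TEST_STRINGS = [
  '<script>alert(1)</script>', '<img src=x onerror=alert(1)>', '<svg onload=alert(1)>',
  '<body onload=alert(1)>', '<input onfocus=alert(1) autofocus>', '<marquee onstart=alert(1)>',
];

// True when no encoder lets a tag-opening or quote character through verbatim.
function allTestStringsInert() {
  return TEST_STRINGS.every((s) => ![encodeForHtml(s), encodeForHtmlAttribute(s),
    encodeForJsString(s)].some((out) => /[<>"']/.test(out)));
}
```

Note that encodeForHtml leaves `=`, `(`, `)` and spaces untouched, which is safe in the body but not inside an unquoted attribute; that is why the attribute and script encoders escape everything non-alphanumeric.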
Testing Workflow
Identify all input points: search boxes, forms, URL parameters, cookies. Test each with a simple payload like <script>alert(1)</script>. If it fails, try event handlers. Document where the payload appears in the response (reflected vs stored). Run an automated scan for broader coverage; Vulnify's full website scanner tests multiple parameters and payload variants.
Testing Checklist
- Identify input points (forms, URL params, headers)
- Test with script tags and event handlers
- Check for reflected vs stored contexts
- Run automated XSS test for coverage
Frequently Asked Questions
Where can I learn to detect XSS?
See our XSS detection guide for step-by-step detection methods, context analysis, and prevention guidance.
Can I use these on any site?
No. Only on systems you own or have explicit permission to test. Unauthorized testing is illegal and can cause harm.
What tools automate XSS testing?
Vulnify's website vulnerability scanner includes XSS tests. OWASP ZAP, Burp Suite, and XSStrike also automate XSS detection for authorized use.