When you hear "XSS payload," it can sound scary or advanced. But at its core, an XSS payload is just a small piece of JavaScript that the browser ends up running because of a mistake in the website's code.

You don't need a huge cheat sheet to create one. You just need a simple way of thinking.

What is an XSS payload?

  • XSS (Cross‑Site Scripting) happens when a website takes user input and puts it into a page without handling it safely.
  • An XSS payload is the code you inject so that, when the page loads, the browser executes your JavaScript.

Example of a classic payload:

<script>alert(1)</script>

If you see the alert, it means you turned a simple input field into JavaScript execution.

Step 1: See where your input appears

Before you write anything clever, test a simple string like:

TEST123

Then check the page:

  • Does TEST123 appear in normal text?
    <p>Hello, TEST123</p>
  • Does it appear inside an attribute?
    <a href="TEST123">Link</a>
  • Does it appear inside a script tag as text?
    <script>var name = "TEST123";</script>

This is called the context. It tells you what type of payload will work.

Step 2: Use a simple payload that matches the context

If your input is in plain HTML

Example:

<p>Hello, YOUR_INPUT</p>

Try:

<img src=x onerror=alert(1)>

Why it works:

  • The browser tries to load x as an image.
  • It fails, triggers onerror, and runs alert(1).

If your input is inside an HTML attribute

Example:

<a href="YOUR_INPUT">Click</a>

Try to break out of the quotes and add an event:

" onclick=alert(1) x="

Result:

<a href="" onclick=alert(1) x="">Click</a>

Now, when someone clicks the link, your JavaScript runs.

If your input is inside a JavaScript string

Example:

<script>
  var msg = "YOUR_INPUT";
</script>

Use a string break:

";alert(1);//

Result:

var msg = "";alert(1);//";

You:

  • Close the string ("),
  • Run alert(1),
  • Comment out the rest (//).

Step 3: Start with alert(1), then upgrade

Your first goal is just: make anything execute.

  • alert(1) is perfect for this.
  • It proves that your logic is correct and the site is vulnerable.

After that, you can replace alert(1) with something more powerful, for example:

  • Steal cookies (if not HttpOnly).
  • Read content from the page.
  • Send a request as the victim (like a hidden action).

But the structure of your payload (how you break out and where you inject) stays the same.

Step 4: If it fails, look closely

If your payload does not work:

  • Check the source or DOM:
    - Is < turned into &lt;?
    - Is your input cut off?
    - Are some words removed?

Then adapt:

  • Try another tag (svg, img, button) or another event (onload, onclick).
  • Try a different way to break the string or attribute.
  • Keep the idea, change the shape.
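The defender's side of Step 2 and Step 4, added here as an example that is not code from the original post: one output encoder per context (plain HTML, quoted attribute, JavaScript string), applied to the post's own three payloads as constructed inputs, so you can see what "is < turned into &lt;?" looks like when the site does it on purpose. The function names, templates and the per-context encoding rules are my own choices, not anything from the post.

```javascript
// Added example, not from the original post: context-aware output encoding
// for the three contexts described in Step 2. The sample inputs are the
// post's own payloads, embedded here as constructed test data.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Plain HTML text context: <p>Hello, INPUT</p>
// Escaping the HTML metacharacters means no new tag can be opened.
function encodeForHtml(input) {
  return String(input).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Quoted attribute context: <a href="INPUT">
// Everything except [A-Za-z0-9] becomes &#xHH;, so nothing can close the
// quote or start a new attribute such as onclick=...
function encodeForAttribute(input) {
  return String(input).replace(/[^A-Za-z0-9]/g,
    ch => '&#x' + ch.charCodeAt(0).toString(16).padStart(2, '0') + ';');
}

// JavaScript string context: var msg = "INPUT";
// \uXXXX escapes keep the quote, semicolon and // inside the string literal.
function encodeForJsString(input) {
  return String(input).replace(/[^A-Za-z0-9]/g,
    ch => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Build the page fragment for a context with the matching encoder applied.
const TEMPLATES = {
  html:      v => `<p>Hello, ${encodeForHtml(v)}</p>`,
  attribute: v => `<a href="${encodeForAttribute(v)}">Click</a>`,
  js:        v => `<script>var msg = "${encodeForJsString(v)}";</script>`,
};

function render(context, input) {
  if (!Object.prototype.hasOwnProperty.call(TEMPLATES, context)) {
    throw new Error('unknown context: ' + context);
  }
  return TEMPLATES[context](input);
}

// Constructed sample inputs: the three payloads shown in the post.
const SAMPLES = {
  html:      '<img src=x onerror=alert(1)>',
  attribute: '" onclick=alert(1) x="',
  js:        '";alert(1);//',
};

for (const [ctx, payload] of Object.entries(SAMPLES)) {
  console.log(`${ctx}: ${render(ctx, payload)}`);
}
```

Encoding keeps the value inside its delimiters; for an href the URL scheme still has to be validated separately, since encoding alone does not decide what a well-formed URL is allowed to do.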

The simple mindset

Creating an XSS payload is not random guessing. It's:

  1. Find where your input appears.
  2. Pick a payload shape that fits that spot.
  3. Start with alert(1) to prove execution.
  4. Upgrade the JavaScript once it works.
  5. If it fails, observe and adjust.

Once you think this way, XSS payloads become much easier, and you won't need to rely on huge copy‑paste lists anymore.