finds.dev← search

// the find

s0md3v/AwesomeXSS

★ 5,127 · JavaScript · MIT · updated Oct 2024

Awesome XSS stuff

A reference collection of XSS payloads, bypass techniques, and learning resources maintained by s0md3v. It covers DOM sinks/sources, context-specific injection, WAF bypasses, encoding tricks, and links to challenges and tooling. Aimed at bug bounty hunters and security researchers who want a quick-reference cheat sheet rather than a framework.

The context-breaking section is genuinely useful — it gives you concrete probing steps and expected outputs for each context type, not just a dump of payloads. The confirm-variant list and the polyglot breakdown are both practically oriented: you understand why they work, not just that they work. The encoding table is the kind of thing you actually want to have open in a tab. The probing methodology walks through a real decision tree for figuring out what's filtered.

Hasn't been touched since late 2024 and shows its age — some of the linked tools (JShell, XSStrike under the old UltimateHackers org) have moved or stagnated. The DOM XSS section is thin: a source/sink list but no explanation of how to trace data flow through modern SPA frameworks where the actual attack surface has largely migrated. There's no coverage of newer vectors like prototype pollution leading to XSS, or mXSS in sanitizer bypasses. Three tools listed in Awesome Tools is embarrassingly sparse for a repo with 5k stars.

View on GitHub →

// want more like this?

We dig through GitHub every week and send a few repos picked for what you actually care about — each with an honest take like this one.

Get finds in your inbox → Search again →