Generate context-aware XSS payloads with WAF bypass variants and filter evasion from your terminal.
Part of OffSecKit | Browser version | Unified CLI
This tool is part of the OffSecKit CLI toolkit:
```bash
pip install offseckit
```

```bash
# Generate XSS payloads for HTML body context
osk xss gen

# Generate payloads for double-quoted attribute injection
osk xss gen -c attr-double

# Cookie theft payloads with Cloudflare WAF bypass
osk xss gen -c html -a cookie --waf cloudflare

# URL-encoded payloads for JS string context
osk xss gen -c js-single -e url

# Filter out blocked characters
osk xss gen -c html --blocked "<>\"'"

# Show polyglot payloads
osk xss polyglots

# List all injection contexts, encodings, and WAF profiles
osk xss contexts
osk xss encodings
osk xss wafs
```

| Flag | Description | Default |
|---|---|---|
| `-c, --context` | Injection context (html, attr-double, attr-single, attr-unquoted, js-single, js-double, js-template, url, event) | html |
| `-a, --action` | Payload action (alert, console, cookie, redirect, fetch) | alert |
| `--custom-js` | Custom JavaScript to execute | -- |
| `-e, --encoding` | Encoding method (none, url, double-url, html-entities, hex, unicode, fromcharcode, base64) | none |
| `--waf` | WAF bypass profile (cloudflare, aws-waf, akamai, modsecurity) | -- |
| `--blocked` | Characters to filter out of results | -- |

| Context | Description |
|---|---|
| `html` | HTML body — direct tag injection |
| `attr-double` | Inside double-quoted attribute |
| `attr-single` | Inside single-quoted attribute |
| `attr-unquoted` | Inside unquoted attribute value |
| `js-single` | Inside JS single-quoted string |
| `js-double` | Inside JS double-quoted string |
| `js-template` | Inside JS template literal |
| `url` | Inside URL/href attribute |
| `event` | Inside inline event handler |
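
Seen from the defending side, each context in the table above needs its own output encoder, and an encoder chosen for the wrong context leaves that context's breakout characters intact. The following is an added example, not part of OffSecKit; the function names, the breakout sets and the http(s)-only URL policy are assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlsplit

def html_text(value):
    # html, attr-double, attr-single: entity-encode & < > " '
    return html.escape(value, quote=True)

def attr_strict(value):
    # attr-unquoted: whitespace, = and ` also end the value, so every
    # non-alphanumeric character becomes a numeric entity.
    return re.sub(r"[^A-Za-z0-9]", lambda m: f"&#x{ord(m.group()):x};", value)

def js_string(value):
    # js-single, js-double, js-template (value assumed to sit inside a string
    # literal): every non-alphanumeric becomes \uXXXX, as UTF-16 code units.
    def esc(m):
        b = m.group().encode("utf-16-be", "surrogatepass")
        return "".join(f"\\u{b[i] << 8 | b[i + 1]:04x}" for i in range(0, len(b), 2))
    return re.sub(r"[^A-Za-z0-9]", esc, value)

def url_attr(value):
    # url: assumed policy of absolute http(s) only; anything else becomes "#".
    cleaned = value.strip()
    try:
        ok = urlsplit(cleaned).scheme.lower() in ("http", "https")
    except ValueError:  # malformed authority, e.g. an unclosed "["
        ok = False
    return html.escape(cleaned, quote=True) if ok else "#"

ENCODERS = {
    "html": html_text, "attr-double": html_text, "attr-single": html_text,
    "attr-unquoted": attr_strict,
    "js-single": js_string, "js-double": js_string, "js-template": js_string,
    "url": url_attr,
    # event: the attribute is entity-decoded before it runs as JS, so
    # escape for JS first and for the attribute second.
    "event": lambda v: attr_strict(js_string(v)),
}
# Characters that end each context if they reach the page unencoded.
BREAKOUT = {
    "html": "<", "attr-double": '"', "attr-single": "'", "url": "\"'",
    "attr-unquoted": " \t\n>=`\"'", "js-single": "'\n", "js-double": '"\n',
    "js-template": "`$", "event": "\"'",
}

def leftover(context, value, encoder=None):
    # Breakout characters still present after encoding `value` for `context`.
    encoded = (encoder or ENCODERS[context])(value)
    return {c for c in BREAKOUT[context] if c in encoded}
```

Passing `html_text` as the `encoder` for a non-HTML context shows which characters plain HTML escaping leaves behind there.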
- OffSecKit CLI — full toolkit (`pip install offseckit`)
- Browser version — use in your browser
- XSS Cheat Sheet — full guide
MIT