
Use Surge.sh: Free hosting for XSS payloads

Surge.sh flies under the radar of many, but it’s pretty common among static-site developers. I find it to be the best place for hosting my XSS payloads. It’s free, easy, they provide SSL, and you can deploy scripts in a few seconds.


What is Surge.sh?

Let’s say that you have found a nice little XSS, and you’ve managed to write a nice JavaScript payload to perform a full account takeover. The problem is, you need somewhere to host the payload. It can’t be served over plain HTTP, because an HTTPS page will refuse to load it and you will face mixed-content errors. You can use Ngrok, but that means you need to keep your home computer on until your bug gets triaged, which is not ideal. If you post it to GitHub Pages then everyone can see notifications when you add the script, which gives away your PoC and tells the world which host is vulnerable.

I have been searching for the perfect way to do this for a long time, and I’ve finally found it. Surge.sh! This blog post will show you how to set up surge.sh to deploy your JavaScript payloads in seconds.

Step 1: Installation

  • First you will need to install NodeJS, which you can download here: https://nodejs.org/en/
  • Run the following command to install the surge CLI tool:
npm install --global surge

That’s it, you’ve installed surge.

Step 2: Deploying Your Payload

Create an empty directory and navigate to it:

mkdir mypayload
cd mypayload

Create your JavaScript payload (or any static website).

echo "alert(1)" > payload.js

Run “surge” to deploy all files in the current directory, which should just be payload.js if you have been following along.

surge

The first time you run surge, it will ask for your email and a password. Once you’ve set that up it won’t ask you again.

The surge command usually takes a few seconds. Once it’s done, your payload will be accessible at the subdomain you chose when surge prompted for a domain. In this case, I just accepted the automatically chosen one, which happened to be kind-wrench.surge.sh.
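To tie the steps above together, here is a small POSIX shell script I added for this post (it is not part of the original article and not surge’s own tooling). It stages the PoC in its own directory so nothing else in your working tree gets uploaded, picks a random subdomain so the PoC URL cannot be guessed or enumerated (the same concern the post raises about public GitHub notifications), builds the HTTPS URL to paste into the report, and removes the site once triage is done. It assumes the surge CLI from Step 1 is installed and logged in; the `surge <dir> <domain>` and `surge teardown <domain>` invocations are the CLI’s usage forms as I know them, not something shown in the post.

```shell
#!/bin/sh
# Added example: stage, deploy and tear down a harmless XSS PoC on surge.sh.
# Assumes the surge CLI is installed and you have logged in once (Step 2).

# Random, hard-to-guess subdomain label (12 lowercase alphanumerics from the
# kernel RNG). The "poc-" prefix makes it recognisable in "surge list".
random_label() {
  printf 'poc-%s' "$(LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c 12)"
}

# Create an isolated directory holding only the file(s) to publish. surge
# uploads everything in the directory it is given, so keep notes and other
# PoCs out of it.
stage_payload() {
  dir=$1
  mkdir -p "$dir"
  # Harmless proof-of-concept body, as in the post. alert(document.domain)
  # shows the triager which origin executed the script.
  printf 'alert(document.domain)\n' > "$dir/payload.js"
}

# Build the HTTPS URL a triager can load; surge serves every site over TLS,
# which is what avoids the mixed-content problem described in the post.
payload_url() {
  printf 'https://%s/%s' "$1" "$2"
}

# Deploy the staged directory to the given <label>.surge.sh domain and print
# the script URL. (Assumed CLI form: surge <dir> <domain>.)
deploy_payload() {
  dir=$1
  domain=$2
  surge "$dir" "$domain" >/dev/null
  payload_url "$domain" payload.js
}

# Remove the site after the report is triaged so the PoC does not stay
# publicly reachable. (Assumed CLI form: surge teardown <domain>.)
teardown_payload() {
  surge teardown "$1"
}

# Only run the network steps when invoked explicitly: ./deploy.sh deploy
if [ "${1:-}" = "deploy" ]; then
  domain="$(random_label).surge.sh"
  stage_payload ./mypayload
  deploy_payload ./mypayload "$domain"
  echo
  echo "when done: surge teardown $domain"
fi
```

Run it as `sh deploy.sh deploy`; without the argument it only defines the functions, so you can source it and call `teardown_payload` later with the domain it printed.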

I should say that Surge isn’t just for XSS payloads, it is very good at hosting full static sites.

If you enjoyed this, follow me on my socials!
