💥 XSS payloads that go too hard?

ok so like

I’m working on this boring-as-hell CMS and found an XSS vector but I wanna make it fun.

I’ve already done the usual alert(1), keylogger inject, cookie steal, blah blah.

I want something DUMB. something PETTY. something that makes the sysadmin feel it.

hit me with your cursed, cursed payloads.

bonus points if it includes anime, TTS, or summoning vibes :man_mage:

:skull_and_crossbones: I injected a payload once that replaced every image on the page with random Shrek PNGs from a public S3 bucket.

it crashed the helpdesk and the intern thought they were hacked by DreamWorks

10/10 would do again :smiling_face_with_sunglasses:

<input style=x type="hidden" onsecuritypolicyviolation="alert(1)">

One of my go-tos for emotional damage:

new Audio("https://www.mycursedcdn.biz/audio/mosquito.mp3").play()

Embed it in an invisible iframe so it auto-loops when they open their ticket dashboard. It’s subtle, but it breaks them.

One-liner.

document.body.innerHTML = "<h1>your app is mine now 🖤</h1>"

Classic. Clean. Cruel.
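From the defender's side, as an added example that is not from any poster in this thread: the event-handler attribute above and the innerHTML one-liner both depend on the CMS writing user input into the page as raw markup. If the template escapes the input for the HTML context it lands in, the browser shows the payload as literal text. The helper names and the `<div class="comment">` wrapper are assumptions; the two payload strings are taken from the thread and used here as constructed test input.

```python
import html

# Constructed test input: the two payload strings quoted in this thread.
PAYLOADS = {
    "event_handler": '<input style=x type="hidden" onsecuritypolicyviolation="alert(1)">',
    "defacement": "<h1>your app is mine now 🖤</h1>",
}

WRAPPER_OPEN = '<div class="comment">'   # assumed CMS template wrapper
WRAPPER_CLOSE = "</div>"


def render_comment(untrusted: str) -> str:
    """Emit the HTML fragment a CMS template would produce for one comment.

    html.escape(quote=True) rewrites <, >, &, " and ' as entities, so the
    browser renders the submitted text literally instead of parsing it as a
    tag or an attribute. This is the encoder for HTML text/attribute context
    only; a value placed inside a <script> block or a URL needs the encoder
    for that context instead.
    """
    return f"{WRAPPER_OPEN}{html.escape(untrusted, quote=True)}{WRAPPER_CLOSE}"


def is_inert(fragment: str) -> bool:
    """Check that nothing inside the template's own wrapper can open a tag
    or break out of an attribute: no raw <, > or quote characters survive."""
    body = fragment.removeprefix(WRAPPER_OPEN).removesuffix(WRAPPER_CLOSE)
    return not any(ch in body for ch in "<>\"'")


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        out = render_comment(payload)
        print(f"{name}: inert={is_inert(out)}")
        print("  ", out)
```

Escaping on output is the fix for a stored or reflected injection point like the one described; a Content-Security-Policy without `'unsafe-inline'` is a second layer that also refuses to run inline event handlers if an encoding step is ever missed.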

Used XSS once to create a fake modal that mimicked their internal MFA prompt

They typed creds. Twice.

Then I redirected them to a gif of me waving :waving_hand:

Art.

That image came from TheRCEMan! Love this guy!

And this one is this Gareth guy. Also great source!